Network Management


2 domains on 1 lan

  • 1.  2 domains on 1 lan

    Posted Mar 07, 2018 05:46 PM

    Hi. I need to put a 2nd domain on my Lan.

    How can I isolate the new domain from the existing domain?

    I currently have an s2500 as my router and s1500's @ L2 spread throughout my building.

    I created a vlan for the 2nd domain, plugged a laptop in with a static IP to test, but it is able to ping the other vlans and vice versa.

    How can I isolate the new vlan from the others?

     

    existing domain: 10.0.0.0/8, 192.168.100.0/24

    New vlan for 2nd domain 172.60.0.x/24

     

    Thanks!



  • 2.  RE: 2 domains on 1 lan

    Posted Mar 14, 2018 10:21 PM
    Anyone?


  • 3.  RE: 2 domains on 1 lan

    Posted Mar 30, 2018 09:01 AM
    Bump


  • 4.  RE: 2 domains on 1 lan

    EMPLOYEE
    Posted Mar 30, 2018 12:01 PM

    @kmd wrote:

    Hi. I need to put a 2nd domain on my Lan.

    How can I isolate the new domain from the existing domain?

    I currently have an s2500 as my router and s1500's @ L2 spread throughout my building.

    I created a vlan for the 2nd domain, plugged a laptop in with a static IP to test, but it is able to ping the other vlans and vice versa.

    How can I isolate the new vlan from the others?

     

    existing domain: 10.0.0.0/8, 192.168.100.0/24

    New vlan for 2nd domain 172.60.0.x/24

     

    Thanks!


    You do not want connectivity between the two VLANs?

     

    Either remove the 172.60.0.x/24 IP address from the VLAN interface on your switch, or set up ACL(s) on the VLAN interface to only permit the required traffic while blocking everything else. 



  • 5.  RE: 2 domains on 1 lan

    Posted Mar 30, 2018 01:20 PM

    Yes. I don't want connectivity between them.

    So, I should remove the 172.60.x x from the vlan interface on the router, or remove it from the other switches?

    Thanks for your help!


  • 6.  RE: 2 domains on 1 lan

    EMPLOYEE
    Posted Mar 31, 2018 12:48 PM

    @kmd wrote:

    Yes. I don't want connectivity between them.

    So, I should remove the 172.60.x x from the vlan interface on the router, or remove it from the other switches?

    Thanks for your help!

    At least from the router, as that's the device that's currently connecting the two VLANs together. Ideally, any device that can provide layer 3 functionality could do the same as the router and so should probably not have that interface configured either. Start with the router, and see if that addresses your concern.



  • 7.  RE: 2 domains on 1 lan

    Posted Mar 31, 2018 03:04 PM

    Hi ,

     

    Create an ACL to block inter-VLAN traffic and apply the ACL inside VLAN 2.

     

    And use the same VLAN for testing; AD and the client PC should be in this same VLAN.

     

     



  • 8.  RE: 2 domains on 1 lan

    Posted Apr 03, 2018 09:26 AM

    Hi Praveen.

    I appreciate the help, very much.

    Would you happen to be able to provide me with a jumping off point for the ACL that I need to implement? I am doing my homework on ACL's, but it is a bit over my head.

    Thank you.



  • 9.  RE: 2 domains on 1 lan

    Posted Apr 04, 2018 11:04 PM

    I'm trying this ACL, but it doesn't seem to like it.

    Any input is greatly appreciated!

     

    ip access-list extended admin-ACL
    deny ip 10.0.0.0/8 172.60.0.0/24 log
    deny ip 192.168.0.0/23 172.60.0.0/24 log
    deny ip 172.60.0.0/22 10.0.0.0/8 log
    deny ip 172.60.0.0/22 192.168.0.0/23 log
    permit ip any any

     

    Here's what I get:

     

    (ArubaS1500-12P) #configure terminal
    Enter Configuration commands, one per line. End with CNTL/Z

    (ArubaS1500-12P) (config) #ip access-list extended admin-ACL
    (ArubaS1500-12P) (config-ext-admin-ACL)#deny ip 10.0.0.0/8 172.60.0.0/24 log
    ^
    % Invalid input detected at '^' marker.

     

     

     

     



  • 10.  RE: 2 domains on 1 lan

    EMPLOYEE
    Posted Apr 05, 2018 10:05 AM

    @kmd wrote:

    I'm trying this ACL, but it doesn't seem to like it.

    Any input is greatly appreciated!

     

    ip access-list extended admin-ACL
    deny ip 10.0.0.0/8 172.60.0.0/24 log
    deny ip 192.168.0.0/23 172.60.0.0/24 log
    deny ip 172.60.0.0/22 10.0.0.0/8 log
    deny ip 172.60.0.0/22 192.168.0.0/23 log
    permit ip any any


    Use:

    ip access-list extended admin-ACL

    deny any 10.0.0.0 255.0.0.0 172.60.0.0 255.255.255.0

    etc.

     

    The syntax is wrong for the MAS CLI, so it's getting caught up in the IP protocol statement, as well as using the CIDR style subnet mask rather than explicit masks.

     



  • 11.  RE: 2 domains on 1 lan

    Posted Apr 05, 2018 06:26 PM

    Thank you CClemmer! 

    When I input your suggestion:

    deny any 10.0.0.0 255.0.0.0 172.60.0.0 255.255.255.0

    I get:
    Invalid Source IPv4 address/netmask

     

    But, when I input: 

    deny any 10.0.0.0 0.0.0.0 172.60.0.0 0.0.0.0

    deny any 172.60.0.0 0.0.0.0 10.0.0.0 0.0.0.0

    It takes it, but when I run Advanced Port Scanner, it sees the computer 172.60.0.10 from 10.1.10.70.



  • 12.  RE: 2 domains on 1 lan

    EMPLOYEE
    Posted Apr 05, 2018 08:35 PM

    What version of AOS is on your switch? 

     

    Using a netmask of 0.0.0.0 basically invalidates the entry, since it's telling the switch that no bits of the source address are relevant. You could try using:

     

    deny any 10.1.0.0 255.255.0.0 172.60.0.0 255.255.255.0

    deny any 172.60.0.0 255.255.255.0 10.1.0.0 255.255.0.0

     

    That may still miss some subnets in the 10 network, but would pick up your test client of 10.1.10.70.



  • 13.  RE: 2 domains on 1 lan

    Posted Apr 05, 2018 09:35 PM

    I'm running version 7.4.1.7

    When I try those entries, it tells me:   Invalid Source IPv4 address/netmask

    Plus, when I do a show running-config, it shows multiple access lists. Perhaps this is normal, but I thought I would mention it. The attached file is my running-config.

    I really appreciate your time on this!

    Thank you

     

    Attachment: show running-config.docx (13 KB)


  • 14.  RE: 2 domains on 1 lan

    EMPLOYEE
    Posted Apr 06, 2018 10:39 AM

    Apparently I'm running low on coffee this week...

     

    On ACLs, the netmask/wildcard bits is the inverse of a typical subnet mask, so you would use the following format:

     

    deny any 10.0.0.0 0.255.255.255 172.60.0.0 0.0.0.255

     

    That explains why the error was thrown on the source IP mask.



  • 15.  RE: 2 domains on 1 lan

    Posted Apr 20, 2018 04:49 PM

    Hi CClemmer.

    Sorry. It's been a busy 2 weeks and I have finally gotten around to testing this.

    To refresh: I want to prevent 10.0.0.0 255.0.0.0 from seeing 172.60.0.0 255.255.255.0 and vice versa.

     

    On my S2500 MAS which is my router, I ran the following commands:   

    (Aruba-DataCenter-1) (config-ext-admin-ACL)#deny any 172.60.0.0 0.0.0.255 10.0.0.0 0.255.255.255

     

    (Aruba-DataCenter-1) (config-ext-admin-ACL)#deny any 10.0.0.0 0.255.255.255 172.60.0.0 0.0.0.255

    But, when I run Advanced Port Scanner from 172.x.x.x, I can see the IPs, MAC addresses and manufacturer of the machines on 10.x.x.x.

    I'm not sure what is going on.

    Any other advice, I will gladly try.

    Thank you.
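    Added example (not from the thread, and not HPE Aruba code): a small Python model of how an extended ACL entry with wildcard masks is evaluated. It reproduces the entries from posts 11 and 15 as constructed input and shows why the 0.0.0.0-mask entries still let the 10.1.10.70 to 172.60.0.10 test traffic through (a 0 wildcard bit means "must match exactly", so only the host 10.0.0.0 itself would ever hit the entry), why the inverse-mask entries deny it in both directions, and that the 192.168.100.0/24 part of the existing domain is not covered by those two entries. The simplified entry grammar, the "permit any any any" line and the implicit final deny are assumptions of the model, not verified MAS CLI syntax; check them against the switch's own documentation.

```python
"""Wildcard-mask ACL matcher (added example; not the thread's or HPE Aruba's code).

Models how an entry such as
    deny any 10.0.0.0 0.255.255.255 172.60.0.0 0.0.0.255
is evaluated: wherever the wildcard has a 0 bit, the packet address must
equal the entry's network on that bit; a 1 bit means "don't care".
The first matching entry decides the packet's fate.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_from_prefix(prefix_len: int) -> str:
    """Inverse mask for a CIDR prefix length, e.g. 24 -> 0.0.0.255, 8 -> 0.255.255.255."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    netmask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return str(ipaddress.IPv4Address(netmask ^ ALL_ONES))


def wildcard_from_netmask(netmask: str) -> str:
    """Invert a dotted subnet mask (255.255.255.0) into a wildcard (0.0.0.255)."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(netmask)) ^ ALL_ONES))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr equals network on every bit the wildcard does NOT mark as don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES  # bits that must match
    return (a & care) == (n & care)


def parse_entry(line: str):
    """Parse a simplified entry: '<permit|deny> any <src> <src-wc> <dst> <dst-wc>'.

    'permit any any any' / 'deny any any any' is an assumed shorthand for
    "any source, any destination" used only by this model.
    """
    parts = line.split()
    if len(parts) < 2 or parts[0] not in ("permit", "deny"):
        raise ValueError(f"unrecognised action in entry: {line!r}")
    if parts[1] != "any":
        raise ValueError("this model only handles the 'any' protocol keyword")
    if parts[2:] == ["any", "any"]:
        return (parts[0], "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")
    if len(parts) != 6:
        raise ValueError(f"expected 6 fields in entry: {line!r}")
    return (parts[0], parts[2], parts[3], parts[4], parts[5])


def evaluate(acl_lines, src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for a src->dst packet: first matching entry wins."""
    for line in acl_lines:
        action, src_net, src_wc, dst_net, dst_wc = parse_entry(line)
        if wildcard_match(src, src_net, src_wc) and wildcard_match(dst, dst_net, dst_wc):
            return action
    # Assumed implicit deny at the end of the list; confirm for your platform.
    return "deny"


# Constructed ACL bodies reproducing the thread's two attempts (not copied from a switch).
ACL_ZERO_MASK = [  # post 11: a 0.0.0.0 wildcard means "match this exact host only"
    "deny any 10.0.0.0 0.0.0.0 172.60.0.0 0.0.0.0",
    "deny any 172.60.0.0 0.0.0.0 10.0.0.0 0.0.0.0",
    "permit any any any",
]
ACL_WILDCARD = [  # post 15: inverse masks covering 172.60.0.0/24 and 10.0.0.0/8
    "deny any 172.60.0.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "deny any 10.0.0.0 0.255.255.255 172.60.0.0 0.0.0.255",
    "permit any any any",
]


if __name__ == "__main__":
    for name, acl in (("zero-mask ACL", ACL_ZERO_MASK), ("wildcard ACL", ACL_WILDCARD)):
        print(name)
        for s, d in (("10.1.10.70", "172.60.0.10"), ("172.60.0.10", "10.1.10.70"),
                     ("192.168.100.5", "172.60.0.10")):
            print(f"  {s:>14} -> {d:<12} {evaluate(acl, s, d)}")
```

    The last constructed test pair is the one a reviewer would add: the 192.168.100.0/24 subnet from the original post is part of the existing domain but has no entry in the final ACL, so a 192.168.100.x host can still reach 172.60.0.0/24 through the router unless a third deny pair (for example 192.168.100.0 0.0.0.255) is added before the permit. The model only covers the ACL's match logic; as post 16 points out, nothing is filtered until the list is bound to the VLAN interface.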

     



  • 16.  RE: 2 domains on 1 lan
    Best Answer

    EMPLOYEE
    Posted Apr 20, 2018 05:41 PM

    Okay, the ACL was created successfully it sounds. Did you apply it to the VLAN interface?



  • 17.  RE: 2 domains on 1 lan

    Posted Apr 20, 2018 07:15 PM

    Sorry, no. Could you provide me with direction on that... as well?

    I need to buy you a beer.

     



  • 18.  RE: 2 domains on 1 lan

    EMPLOYEE
    Posted Apr 23, 2018 10:47 PM

    In my case, vlan 11 is my primary user vlan. So to apply the ACL to my user traffic:

     

    (ClemmerLabS1500-12P) # conf t

    (ClemmerLabS1500-12P) (config) # interface vlan 11

    (ClemmerLabS1500-12P) (vlan "11") # ip access-group in <acl-name>

    (ClemmerLabS1500-12P) (vlan "11") # end