Network Management

kmd
Contributor II

2 domains on 1 lan

Hi. I need to put a 2nd domain on my Lan.

How can I isolate the new domain from the existing domain?

I currently have an s2500 as my router and s1500's @ L2 spread throughout my building.

I created a vlan for the 2nd domain, plugged a laptop in with a static IP to test, but it is able to ping the other vlans and vice versa.

How can I isolate the new vlan from the others?


existing domain: 10.0.0.0/8, 192.168.100.0/24

New vlan for 2nd domain 172.60.0.x/24


Thanks!

kmd
Contributor II

Re: 2 domains on 1 lan

Anyone?
kmd
Contributor II

Re: 2 domains on 1 lan

Bump
Aruba Employee

Re: 2 domains on 1 lan


@kmd wrote:

Hi. I need to put a 2nd domain on my Lan.

How can I isolate the new domain from the existing domain?

I currently have an s2500 as my router and s1500's @ L2 spread throughout my building.

I created a vlan for the 2nd domain, plugged a laptop in with a static IP to test, but it is able to ping the other vlans and vice versa.

How can I isolate the new vlan from the others?


existing domain: 10.0.0.0/8, 192.168.100.0/24

New vlan for 2nd domain 172.60.0.x/24


Thanks!


You do not want connectivity between the two VLANs?


Either remove the 172.60.0.x/24 IP address from the VLAN interface on your switch, or set up ACL(s) on the VLAN interface to only permit the required traffic while blocking everything else. 


Charlie Clemmer
Aruba Customer Engineering
kmd
Contributor II

Re: 2 domains on 1 lan


Yes. I don't want connectivity between them.

So, I should remove the 172.60.x.x from the VLAN interface on the router, or remove it from the other switches?

Thanks for your help!
Aruba Employee

Re: 2 domains on 1 lan


@kmd wrote:

Yes. I don't want connectivity between them.

So, I should remove the 172.60.x.x from the VLAN interface on the router, or remove it from the other switches?

Thanks for your help!

At least from the router, as that's the device that's currently connecting the two VLANs together. Ideally, any device that can provide layer 3 functionality could do the same as the router and so should probably not have that interface configured either. Start with the router, and see if that addresses your concern.


Charlie Clemmer
Aruba Customer Engineering
New Contributor

Re: 2 domains on 1 lan

Hi,

Create an ACL to block inter-VLAN traffic and apply the ACL inside VLAN 2.

And use the same VLAN for testing; AD and the client PC should be in this same VLAN.

kmd
Contributor II

Re: 2 domains on 1 lan

Hi Praveen.

I appreciate the help, very much.

Would you happen to be able to provide me with a jumping-off point for the ACL that I need to implement? I am doing my homework on ACLs, but it is a bit over my head.

Thank you.

kmd
Contributor II

Re: 2 domains on 1 lan

I'm trying this ACL, but it doesn't seem to like it.

Any input is greatly appreciated!

ip access-list extended admin-ACL
deny ip 10.0.0.0/8 172.60.0.0/24 log
deny ip 192.168.0.0/23 172.60.0.0/24 log
deny ip 172.60.0.0/22 10.0.0.0/8 log
deny ip 172.60.0.0/22 192.168.0.0/23 log
permit ip any any

Here's what I get:


(ArubaS1500-12P) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z

(ArubaS1500-12P) (config) #ip access-list extended admin-ACL
(ArubaS1500-12P) (config-ext-admin-ACL)#deny ip 10.0.0.0/8 172.60.0.0/24 log
^
% Invalid input detected at '^' marker.

Aruba Employee

Re: 2 domains on 1 lan


@kmd wrote:

I'm trying this ACL, but it doesn't seem to like it.

Any input is greatly appreciated!

ip access-list extended admin-ACL
deny ip 10.0.0.0/8 172.60.0.0/24 log
deny ip 192.168.0.0/23 172.60.0.0/24 log
deny ip 172.60.0.0/22 10.0.0.0/8 log
deny ip 172.60.0.0/22 192.168.0.0/23 log
permit ip any any


Use:

ip access-list extended admin-ACL

deny any 10.0.0.0 255.0.0.0 172.60.0.0 255.255.255.0

etc.


The syntax is wrong for the MAS CLI, so it's getting caught up in the IP protocol statement, as well as using the CIDR style subnet mask rather than explicit masks.

Charlie Clemmer
Aruba Customer Engineering
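The reply above gives one line and says "etc.", so here is an added example (not code from the thread or from Aruba) that works the rest out. It takes the prefixes kmd posted, converts each CIDR prefix to the explicit dotted mask the MAS CLI expects, emits the deny lines in both directions using the `deny any <src> <mask> <dst> <mask>` form Charlie showed, and then evaluates a few constructed source/destination pairs against the rule list so you can confirm before pasting anything that the two domains are blocked from each other while traffic inside each domain still passes. The final `permit any any any` line is an assumption that the permit-all entry follows the same pattern; confirm it, and the command that binds the ACL to the VLAN interface, against the MAS CLI reference, since neither is shown in the thread.

```python
import ipaddress

# Prefixes from the thread: the existing domain and the new VLAN.
EXISTING_DOMAIN = ["10.0.0.0/8", "192.168.100.0/24"]
NEW_VLAN = ["172.60.0.0/24"]

# 0.0.0.0/0 stands in for the keyword "any" in both rendering and matching.
ANY = ipaddress.ip_network("0.0.0.0/0")


def build_isolation_rules(existing, new_vlan):
    """Return ordered (action, src_net, dst_net) rules that deny traffic in
    both directions between every existing prefix and the new VLAN, then
    permit everything else. First match wins, as on the switch."""
    rules = []
    for e in existing:
        for n in new_vlan:
            e_net = ipaddress.ip_network(e)   # strict: rejects host bits set
            n_net = ipaddress.ip_network(n)
            rules.append(("deny", e_net, n_net))
            rules.append(("deny", n_net, e_net))
    # Assumed permit-all entry in the same 'proto src dst' shape; verify on the CLI.
    rules.append(("permit", ANY, ANY))
    return rules


def _addr(net):
    """Render a network as 'any' or as 'address dotted-mask' (MAS style,
    explicit subnet mask rather than CIDR or wildcard)."""
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {net.netmask}"


def render_acl(name, rules):
    """Render the rule list as MAS extended-ACL lines; protocol is 'any'."""
    lines = [f"ip access-list extended {name}"]
    for action, src, dst in rules:
        lines.append(f"{action} any {_addr(src)} {_addr(dst)}")
    return lines


def evaluate(rules, src_ip, dst_ip):
    """Return the action of the first rule matching src_ip -> dst_ip.
    An ACL with no matching entry denies implicitly."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for action, src, dst in rules:
        if s in src and d in dst:
            return action
    return "deny"


if __name__ == "__main__":
    rules = build_isolation_rules(EXISTING_DOMAIN, NEW_VLAN)
    print("\n".join(render_acl("admin-ACL", rules)))
    # Constructed sample flows: cross-domain pairs should be denied,
    # same-domain and Internet-bound pairs permitted.
    for s, d in [("10.1.2.3", "172.60.0.5"), ("172.60.0.5", "192.168.100.7"),
                 ("10.1.2.3", "192.168.100.7"), ("172.60.0.5", "8.8.8.8")]:
        print(f"{s} -> {d}: {evaluate(rules, s, d)}")
```

Because the rules are evaluated top-down, the generator places every deny before the permit; if you later add a permit for a specific service (say DNS from the new VLAN to an existing server), it has to go above the deny lines that would otherwise swallow it.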