A5500 EI Inter VLAN Routing

  • 1.  A5500 EI Inter VLAN Routing

    Posted Sep 15, 2016 06:31 PM
    Hi all,
    First post so please forgive me if it's in the wrong place. I have a small problem with inter vlanning on my a5500.

    It may largely be lack of knowledge so any help would be greatly appreciated.

    In short, my scenario is that I have a fully working network using a single A5500 as the only switch and gateway.

    We have a few VLANs, for easy explaining let's call them "100" and "200".

    The problem we have is that devices attached to these VLANs can ping devices on the other VLANs. They can also use Windows Explorer to browse to them with credentials, although granted the user would need to know the IP of the other device and the credentials.

    I believe they can talk to each other because the A5500 is allowing inter vlan traffic.

    My question is, can this be prevented so they cannot talk to each other at all? They would obviously still need to use the A5500 as the gateway.

    I hope that makes sense and is clear enough.
    Thank you.
    #disable
    #a5500
    #Prevent
    #Inter-vlans


  • 2.  RE: A5500 EI Inter VLAN Routing

    Posted Sep 15, 2016 08:28 PM

    The 5500 is a switch, not a firewall.

    If you have two subnets that require a security gateway between them, then you should be trunking those VLANs to the security gateway.

    If the concern is that users on one subnet should not have access to resources on another subnet, then the answer is - as you have pointed out - authentication and authorisation on the actual devices themselves.

    Having said that, if you absolutely have to do it, you can put access lists on the switch.
    Subnet1 --> Subnet2 = Deny
    And vice-versa.
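
The access-list approach from the reply above, written out as an added example (not posted by anyone in the thread), assuming Comware 5 syntax on the A5500 EI. The subnets 10.0.100.0/24 and 10.0.200.0/24, the ACL numbers 3000 and 3001, and the use of Vlan-interface 100 and 200 as the gateways are constructed for illustration; lines starting with `#` are annotations, not commands.

```text
# Assumed addressing (constructed): VLAN 100 = 10.0.100.0/24, VLAN 200 = 10.0.200.0/24
system-view

# Advanced ACL: block traffic sourced in VLAN 100 and destined for VLAN 200
acl number 3000
 rule 0 deny ip source 10.0.100.0 0.0.0.255 destination 10.0.200.0 0.0.0.255
 quit

# Advanced ACL: the reverse direction ("and vice-versa")
acl number 3001
 rule 0 deny ip source 10.0.200.0 0.0.0.255 destination 10.0.100.0 0.0.0.255
 quit

# Apply each ACL inbound on the routed interface where that VLAN's traffic enters
interface Vlan-interface 100
 packet-filter 3000 inbound
 quit
interface Vlan-interface 200
 packet-filter 3001 inbound
 quit

# Confirm the rules are present
display acl 3000
display acl 3001
```

These ACLs are stateless, which is why each direction gets its own deny rule. Traffic to any other destination matches no rule and is still routed, assuming the packet filter's default action for unmatched packets is permit.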



  • 3.  RE: A5500 EI Inter VLAN Routing

    Posted Sep 16, 2016 05:44 AM

    Hi Vince,

    Thanks very much for getting back to me, most appreciated.

    That makes things a little clearer I believe.

    Ideally we would like them to be isolated and just have gateway access and not cross VLAN access. 

    Sounds like we need to do this using ACL configuration.

    Not 100% sure where these settings reside on the switch but I'll do some digging and see if I can locate where this needs to be set etc and do some testing.

    Thank you for your help.

    Kind Regards,

    Boseley



  • 4.  RE: A5500 EI Inter VLAN Routing

    EMPLOYEE
    Posted Sep 16, 2016 01:33 PM

    Howdy,

    Does your internet / WAN gateway live on a third subnet?

    If not, I would segregate the external gateway onto its own network before you do anything else, as that will make the ACL configurations easier and you won't be mixing "end user" and "gateway" nodes in the same subnet.

    Thanks

    Ian



  • 5.  RE: A5500 EI Inter VLAN Routing

    Posted Sep 16, 2016 03:29 PM
    Hi Ian,
    We think we've got it mapped in our heads now and will bear in mind the separation advice. Appreciate your input, thanks.