Comware


HPE 1950 Web Gui and Setting up VLANS

  • 1.  HPE 1950 Web Gui and Setting up VLANS

    Posted Sep 16, 2021 02:09 PM

    Hi Guys,

    Looking for some basic advice on how to set up a few simple VLANs using this Web GUI interface; it's very new to me.

    So we have the following

    Dray Internet Router GW LAN : 192.168.1.253 

    HPE 1950 Switch Vlan 1 192.168.1.247

    I have created below two Vlans IP Interfaces.

    Vlan 10 192.168.10.24 & Vlan 20 192.168.20.247

    Vlan 1 is fully working for internet access; however, I can't for the life of me get either Vlan 10 or 20 routing out to the internet.

    I have a route as follows 

    Destination 0.0.0.0 / Mask 0 / next hop 192.168.1.253


    Can someone please let me know what I'm doing wrong here?

    Cheers


    #Switch_Router_Interconnect
    #Aruba


  • 2.  RE: HPE 1950 Web Gui and Setting up VLANS

    Posted Sep 16, 2021 02:42 PM
    Hello @rogerp_1,
    Are the VLANs communicating with each other?
    What about the routing on internet router towards HPE 1950 switch?
    What is the HPE 1950 switch product number?

    Thanks!


  • 3.  RE: HPE 1950 Web Gui and Setting up VLANS

    Posted Sep 16, 2021 03:08 PM

    Hi

    Yes, the VLANs can communicate with each other, which is not correct, so I also need to stop that. Both laptops can ping each other; however, neither can ping the internet, which is on port 1 on the switch.

    It's a JH295A.



  • 4.  RE: HPE 1950 Web Gui and Setting up VLANS

    Posted Sep 16, 2021 03:20 PM
    Hello,
    It's fine if inter-VLAN routing is working.
    Can you share the config or screenshots of the interfaces connecting to the internet, and screenshots of the Vlan 1 config?
    Also, is the internet router accessible to you? If yes, can you check the routing on it?

    Thanks!


  • 5.  RE: HPE 1950 Web Gui and Setting up VLANS

    Posted Sep 16, 2021 03:53 PM

    Sure I can, thanks for your help!

    Port 1 connected to the Draytek router


    VLANS

    [Attached screenshots: port 1 internet.PNG, port 4.PNG, port 5.PNG, static route.PNG, vlans.PNG]

    I have full access to the router; nothing is configured on it as it's a basic WAN & LAN router, and we want to use the 1950 as the routing switch. Once this switch is working with the VLANs, we have another 10 1950 48-port switches which will hang off this switch.




  • 6.  RE: HPE 1950 Web Gui and Setting up VLANS

    Posted Sep 17, 2021 01:28 AM

    Hi @rogerp_1 !

    Couple of questions:

    - Could you clarify if VLAN 10 hosts can ping Router GW LAN 192.168.1.253 ?
    - What is the IPv4 default gateway assigned to VLAN 10 hosts?
    - Did you enable NAT for the Vlan 10 192.168.10.0/24 & Vlan 20 192.168.20.0/24 subnets in your Draytek router?
    - Did you set static routes for the Vlan 10 192.168.10.0/24 & Vlan 20 192.168.20.0/24 subnets in the Draytek router so they are reachable via the HP 1950 switch Vlan 1 192.168.1.247?




  • 7.  RE: HPE 1950 Web Gui and Setting up VLANS

    Posted Sep 17, 2021 03:46 AM

    None of the VLANs can ping the switch gateway of 192.168.1.253.

    Yes, all of the VLAN members can ping their own gateway, for example Vlan 10 192.168.10.247.

    As we do not want to use the Draytek router as a router, we have not configured anything on it; it simply has a LAN and WAN IP address, nothing more.

    The idea is to use the switch as the routing device for the network.

    Hope that helps.




  • 8.  RE: HPE 1950 Web Gui and Setting up VLANS

    Posted Sep 17, 2021 03:57 AM

    Hello @rogerp_1 ,

    Vlan 1 is able to reach the router because it's directly connected to the uplink, but for the other VLANs routing is required.

    I can see a default route on the HPE 1950 pointing to the router, but it needs a reverse path in order for communication to succeed.

    NAT is required if the router is reaching the ISP, in order to do private-to-public IP conversion for communication over the internet.

    Can you try to configure a default route in the router pointing to the HPE 1950 Vlan 1 gateway?

    Thanks!



  • 9.  RE: HPE 1950 Web Gui and Setting up VLANS

    Posted Sep 17, 2021 05:25 AM

    Hi 

    After adding the routes to the Draytek for all the VLAN subnets, all communication is now working. Thanks for that!

    I don't understand why VLANs can communicate with each other; how do we disable this? I'm trying to create separate VLANs for security, so there is no point leaving this feature on?



  • 10.  RE: HPE 1950 Web Gui and Setting up VLANS

    Posted Sep 17, 2021 05:45 AM

    "I don't understand why VLANs can communicate with each other; how do we disable this? I'm trying to create separate VLANs for security, so there is no point leaving this feature on?"

    Very simple: because it's the primary job of every router to route between networks. A VLAN is a broadcast domain; in other words, it separates hosts on Layer 2. If you need separation on Layer 3, you need a firewall. The sort of firewall here is a packet-filtering ACL applied on the Vlan-interface(s), where you define what traffic is allowed (permit statements) and what is not allowed (deny statements).




  • 11.  RE: HPE 1950 Web Gui and Setting up VLANS

    Posted Sep 17, 2021 06:05 AM

    Hi

    When you say router, I presume you mean my 1950. I'm sure this is a Layer 3 switch. Can the 1950 not disable inter-VLAN routing? I'm simply trying to keep the VLANs away from each other, as we have a Voice LAN, WiFi LAN and a few others. No need for them to be able to communicate with each other, if that makes sense.



  • 12.  RE: HPE 1950 Web Gui and Setting up VLANS

    Posted Sep 17, 2021 08:19 AM

    Every device that forwards traffic between IP networks is a router, so since you asked about the routing functions of the 1950, I explained IP basics to you using the appropriate term and called the 1950 a 'router'. Sorry for the confusion. Since the 1950 routes between VLANs, it is obviously a router from this perspective. "Layer 3 switch" is more of a marketing term; it describes a device that has many ports, understands VLANs, can route between IPv4 networks, may support some dynamic routing protocol, etc. In modern networks the boundary between an L3 switch and a router is somewhat fuzzy. But let's put philosophical disputes aside (-:

    The thing is, you can't really disable inter-VLAN routing for a part of your VLANs but keep it for the rest. Actually there is such a possibility, but for that you need to delete the Vlan-interface, the SVI of the respective VLAN that needs to be 'isolated'. But then hosts inside that VLAN won't be able to communicate with the outside world, as they will lose their default gateway. Of course you can say "what if I just pass the traffic of such a VLAN over a tagged port to my Draytek router and it will play the role of default gateway?" Sure, but in that case again you will need some kind of a firewall, this time in the Draytek router, to tell it what can go where and what is not allowed.

    So, to be honest the only choice to achieve what you want is the following scheme:

    1. The 1950 has inter-VLAN routing enabled and it cannot be disabled. Keep in mind that routing happens only between VLANs which have a Vlan-interface (SVI) with an IP subnet assigned.
    2. Configure the VLANs needed (done)
    3. Configure the respective Vlan-interfaces (done)
    4. On the 1950, set the default static route (0.0.0.0/0) with the next-hop IP address of the Draytek in the same subnet (done)
    5. Set the reverse route(s) for the 1950's subnets in the Draytek router. The next hop is the 1950's address in the same VLAN (done)
    6. Enable NAT for the 1950's subnets (not sure if the Draytek needs it; some routers, especially small-business or home ones, just NAT everything by default)
    7. Allow hosts in the 1950's VLANs to communicate with the Internet, but at the same time deny them from talking to their 'neighbors' in other local VLANs. (to be done)

    Point #7 is the most interesting part. If you want to block local VLANs from talking to other VLANs, then one general ACL will be enough:

    rule 10 deny ip source 192.168.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255
    rule 20 permit ip


    This ACL denies all traffic from hosts in the 192.168.0.0 - 192.168.255.255 range destined to the 192.168.0.0 - 192.168.255.255 range (effectively ALL traffic between hosts in your VLANs) and allows everything else, like access to the Internet. You need to apply this ACL in the INBOUND direction on all Vlan-interfaces of the 1950.

    If you need more granular permissions, just put something else instead of this 'rule 10', but keep in mind one simple but very important rule: more specific rules should be at the top of the ACL, more general ones should reside at its bottom. And another rule: there is an 'implicit deny' at the end of each ACL, so be sure to have at least one 'permit' statement in your ACL.

    I know it may look strange to you, but in fact that's how all routers (and L3 switches) work: routing is routing, and traffic filtering is traffic filtering. Two different features, really unrelated. That's why routing tables in general have all known networks inside (or routes to reach them), while Vlan-interfaces then engage the firewalling feature (like ACLs) to set proper permissions for traffic forwarding.
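    The following is an added example, not part of the post above or of any HPE/Comware code: it models the two-rule ACL with wildcard-mask matching, first-match evaluation and the implicit deny, then runs constructed sample flows through it and shows the ordering rule (a specific permit below the broad deny never matches). The sample flows and the 203.0.113.10 "Internet" address are constructed.

```python
import ipaddress

# Constructed ACL mirroring the two rules in the post above (Comware wildcard masks):
#   rule 10 deny ip source 192.168.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255
#   rule 20 permit ip
# Each rule is (id, action, source_spec, destination_spec); None means "any".
ACL_FROM_POST = [
    (10, "deny", ("192.168.0.0", "0.0.255.255"), ("192.168.0.0", "0.0.255.255")),
    (20, "permit", None, None),
]

def wildcard_match(addr, base, wildcard):
    """Wildcard-mask semantics: a 0 bit must equal the base, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, src, dst):
    """First matching rule wins; no match falls through to the implicit deny."""
    for rule_id, action, src_spec, dst_spec in acl:
        if (src_spec is None or wildcard_match(src, *src_spec)) and \
           (dst_spec is None or wildcard_match(dst, *dst_spec)):
            return action, rule_id
    return "deny", None  # implicit deny at the end of every ACL

# Constructed sample flows: hosts in VLAN 10/20/1, the Draytek LAN address, and an
# address from the TEST-NET-3 documentation range standing in for "the Internet".
SAMPLE_FLOWS = {
    "vlan10_to_vlan20": ("192.168.10.50", "192.168.20.50"),
    "vlan20_to_vlan1": ("192.168.20.50", "192.168.1.10"),
    "vlan10_to_internet": ("192.168.10.50", "203.0.113.10"),
    "vlan10_to_draytek": ("192.168.10.50", "192.168.1.253"),
}

def check_flows(acl=ACL_FROM_POST, flows=SAMPLE_FLOWS):
    """Map each flow name to the action the ACL takes on it."""
    return {name: evaluate(acl, s, d)[0] for name, (s, d) in flows.items()}

def ordering_matters():
    """The post's ordering rule: a specific permit (VLAN 10 -> VLAN 20) only works
    when it sits above the broad deny. Returns (action on top, action below)."""
    def specific(rule_id):
        return (rule_id, "permit", ("192.168.10.0", "0.0.0.255"), ("192.168.20.0", "0.0.0.255"))
    on_top = [specific(5)] + ACL_FROM_POST
    below = [ACL_FROM_POST[0], specific(15), ACL_FROM_POST[1]]
    flow = ("192.168.10.50", "192.168.20.50")
    return evaluate(on_top, *flow)[0], evaluate(below, *flow)[0]
```

    The last sample flow shows that rule 10 as written also matches packets addressed to the Draytek's LAN address (and to the 1950's own SVIs), which does not affect Internet-bound traffic but matters if those addresses are used for management from inside a VLAN.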




  • 13.  RE: HPE 1950 Web Gui and Setting up VLANS

    Posted Sep 20, 2021 10:52 AM

    Hi Ivan,

    Thanks for a detailed and very thorough explanation, all points noted.

    Cheers