Procurve 2610 + 1824 + VLAN

  • 1.  Procurve 2610 + 1824 + VLAN

    Posted Jul 11, 2008 08:28 AM
    Hi all,
    I have a ProCurve 2610 with 24 servers connected to each.

    Gigabit ports 25 and 26 are in a trunk connected to two ports on the 1800-24.

    On the 1800-24 there are two ports connected to a backup server with bonding enabled.

    I need to put every port in a distinct VLAN so that the servers can't communicate with each other.

    Only the backup server needs to communicate with all the others.

    How can I do this?

    The 2610 and 1800-24 don't have protected-port capabilities, so I need to use VLANs.

    Thanks in advance.


  • 2.  RE: Procurve 2610 + 1824 + VLAN

    Posted Jul 11, 2008 08:41 PM
    Hi Alessandro.

    On the 2610, you have the source-port filtering function that can solve your issue. You can authorize which port can communicate with another port.

    See module 10 in the access and security manual for the 2610.

    Here is the link:
    http://cdn.procurve.com/training/Manuals/2610-Security-Dec2007-59918642.pdf

    HTH... Yan


  • 3.  RE: Procurve 2610 + 1824 + VLAN

    Posted Jul 12, 2008 08:29 AM
    Thank you very much.
    But doing so I can filter only on the 2610.

    I need to do something similar:

    All ports on the 2610 need to be 'protected'. None of them can communicate with each other.

    trk1 is connected to a 1800-24G as a 'core'.

    On the 1800-24G port 23 and port 23 are in a trunk connected to a backup server.

    ONLY the backup server can communicate with all other ports on all other switches.

    So,
    2610-port1 MUST communicate only with 1800-24G-trk2
    2610-port2 MUST communicate only with 1800-24G-trk2
    2610-port3 MUST communicate only with 1800-24G-trk2

    (trk2 is the trunk with the backup server)

    Source port filtering is useful only with servers connected locally on the switch.
    My server is on another switch. I can't filter like this:

    2610:
    filter source-port 1 drop 1-24 forward trk2

    trk2 is on the 1800-24G switch.


  • 4.  RE: Procurve 2610 + 1824 + VLAN

    Posted Jul 14, 2008 02:41 AM
    Maybe you can follow up:
    filter source-port 1 drop 1-24 forward trk2
    on the 2610 with, on the 1800:
    filter source-port trk2 drop 1-23 forward 24
    ? (where port 24 is the backup server)

    Maybe an alternative is to define on all hosts a static route only to the backup server?


  • 5.  RE: Procurve 2610 + 1824 + VLAN

    Posted Jul 14, 2008 04:58 AM
    But doing so I'll drop everything.
    If I drop ports 1-24 but forward trk1 on the 2610, and drop ports 1-24 but forward trk2 on the 1800, port 1 on the 2610 can't communicate with trk2 because it's dropped by a rule on the 1800...

    Yes, a static route is an alternative, but I prefer dropping on the switch so I don't need to reconfigure all servers.


  • 6.  RE: Procurve 2610 + 1824 + VLAN

    Posted Jul 14, 2008 06:25 AM
    It is a "source"-port rule.
    This is a physical port, not a VLAN!
    A trunk is seen as a single port.
    So:

    filter source-port 1 drop 1-24 forward trk2

    on the 2610
    allows traffic from port 1 to the connected 1800.
    For all ports on the 2610 you need a separate
    filter source-port 2 drop 1-24 forward trk2
    ...
    filter source-port 24 drop 1-24 forward trk2


    On the 1800 side:

    filter source-port trk2 drop 1-23 forward 24

    The 1800 forwards only the connection from the 2610 to port 24 (assumed to be the backup server),
    independent of the port it was on at the 2610.

    For all ports on the 1800 you need a separate
    filter source-port 1 drop 1-23 trk2 forward 24
    ...
    filter source-port 23 drop 1-23 trk2 forward 24

    And of course from the backup server to any:

    filter source-port 24 forward 1-24 trk2

    which is already implicitly present, but it's clearer to specify it.


  • 7.  RE: Procurve 2610 + 1824 + VLAN

    Posted Jul 15, 2008 07:55 AM
    Can I do the same with only VLANs?
    It should be easier to do and to understand.

    Right? How can I do it with VLANs, if possible?


  • 8.  RE: Procurve 2610 + 1824 + VLAN

    Posted Jul 15, 2008 08:35 AM
    It is a "source"-port rule.
    This is a physical port or a trunk port, not a VLAN!


    Why do you want to use all different VLANs for a single port?
    I don't think it makes the configuration easier!

    VLANs are to separate LANs; you must do extra things to make those LANs communicate!
    Then again, you want this communication very restricted!

    If you really want it, it would be something like:
    - for each port create a VLAN
    - put every single port in its own VLAN
    (except the switch interconnect, that must be a trunk)
    - for each VLAN select a subnet
    - assign each VLAN its own IP address
    - assign each server an IP address in the same subnet as the used VLAN
    - configure routing between all VLANs
    - for each VLAN create an access list to allow only the single destination

    But then again, you can use access lists without using VLANs.


  • 9.  RE: Procurve 2610 + 1824 + VLAN

    Posted Jul 15, 2008 09:30 AM
    Thank you.
    I don't want routing between VLANs.
    Servers don't need to communicate with each other.

    I'll try with source port filter.


  • 10.  RE: Procurve 2610 + 1824 + VLAN

    Posted Jul 16, 2008 08:21 AM
    Hey, the ProCurve 1800-24 is WEB MANAGED.
    It doesn't have source port filtering.

    I can filter on the 2600, but servers connected to the 1800 can communicate with each other and I don't want that.

    I think that I must go with VLANs.

    Any hint?


  • 11.  RE: Procurve 2610 + 1824 + VLAN

    Posted Jul 16, 2008 09:52 AM
    Sorry Alessandro,
    I didn't check the capabilities of the 1800; I assumed it was comparable to the 2610.
    In the document
    ftp://ftp.hp.com/pub/networking/software/1800-MgtCfgGde-Oct2006-59914726.pdf
    I read that the 1800 supports VLANs (that is, "VLAN-tagged" packets), but I don't really see that it can supply connectivity between them!
    So if you keep to the idea of solving this with VLANs, I think you create yourself a tricky situation.
    Data from a port on the 1800 must be sent through a VLAN to the 2610, which can process this somehow and send it back to the VLAN of the backup server on the 1800.
    So the connection between them is passed twice.

    Maybe you're better off replacing the 1800?
    Or connecting the backup server to the 2610?


  • 12.  RE: Procurve 2610 + 1824 + VLAN

    Posted Jul 16, 2008 10:10 AM
    I can't replace it or connect the backup server to the 2600.

    Maybe I can filter ports on the 2600 and put the trunk between the 2600 and 1800 in separate VLANs.

    Something like this:

    server1 -> 2600 port 1
    server2 -> 2600 port 2

    2600 port25+port26 -> trk1 -> 1800 port1+port2

    server3 -> 1800 port 3
    server4 -> 1800 port 4

    Then on the 1800 I'll make:
    trk1 -> vlan1
    port3 -> vlan2
    port4 -> vlan3

    No routing between VLANs, so they don't communicate with each other.

    port25+port26 -> trk2 -> backup server.

    Now, how can I make trk2 accessible from all VLANs?

    Should I configure the servers with different subnets, or can I use the same subnet for all VLANs?


  • 13.  RE: Procurve 2610 + 1824 + VLAN

    Posted Jul 16, 2008 10:32 AM
    You HAVE to route somewhere, else there is no communication between VLANs.

    That's not technically true: VLAN packets are packets with a certain "tag". If you send packets with a VLAN tag to a VLAN-aware port, all packets are passed!
    So the network card of the host will receive all VLAN-tagged packets.
    Normally a host only accepts its native VLAN (packets with no tag), but it may ignore the tag and accept all packets.
    But then it doesn't reply with the same tag!
    So there's no TCP connection!

    Some NIC drivers are VLAN-aware!
    You can "add" virtual NICs listening to a certain VLAN tag, each with its own IP address.
    Maybe that's a direction to explore?
    (2 x 23 virtual NICs in a server? Hmmmmm... that's not really scalable.)


  • 14.  RE: Procurve 2610 + 1824 + VLAN

    Posted Jul 16, 2008 10:35 AM
    So, how can I restrict communication between servers without changing switches?

    Source filter on the 2600 and nothing on the 1800?

    Better than nothing....


  • 15.  RE: Procurve 2610 + 1824 + VLAN

    Posted Jul 17, 2008 05:43 AM
    Hi Alessandro,
    See the post from "Jul 15, 2008 13:35:07 GMT".

    I don't think it's a good idea to do so, but technically it can be made to work.

    1) at the 1800 put every host in its own VLAN (untagged)
    2) configure a link between the two switches to send and receive all VLANs as tagged
    3) create a separate VLAN for the backup server (multiple NICs?)
    4) connect this VLAN through an extra port to the 2610
    (tagged or untagged in the same VLAN)

    NB! You sacrifice some ports to "pass-thru" the backup server to the 2610, where you have more manageability!
    NB! The link(s) between the two switches may also require multiple physical ports (trunk), else you won't profit from the "bonded" port of the backup server.

    5) on the 2610 create all VLANs (local + from the 1800)
    6) configure the link between the two switches for all tagged packets (VLANs from the 1800)
    7) configure the separate port for the backup VLAN (from step 4)
    8) give every VLAN a unique IP address in its own subnet
    (you can use very small subnets which allow only two hosts)
    9) give all servers an IP address matching the VLAN/subnet
    10) configure all servers with the connected switch VLAN address as default gateway
    11) enable routing on the switch

    From here you may use port filters or access lists on the 2610 to allow only traffic from each local port and the connecting port (step 2) to the connecting port (or trunk) of the backup server, and back.

    (ouch...)


  • 16.  RE: Procurve 2610 + 1824 + VLAN

    Posted Jul 17, 2008 05:48 AM
    Any other methods to disable communications between servers?


  • 17.  RE: Procurve 2610 + 1824 + VLAN

    Posted Jul 17, 2008 06:02 AM
    The "disable" is no problem.
    The "enable all only-to-a-single-destination" poses your problem.

    Part of the restriction comes from the wish to use devices currently present.
    If you replace the switches with devices with more capabilities, it may be easier.

    Subnetting within a single VLAN (multinetting) also disables traffic between the hosts.
    But then you'll still need another device (like a dedicated router) to connect those subnets and filter only for the traffic you want.


  • 18.  RE: Procurve 2610 + 1824 + VLAN

    Posted Jul 17, 2008 08:10 AM
    I'll go with source port filtering on the 2610.
    And nothing on the 1800.

    The 1800 is used as an aggregator.

    My scenario is:

    rack1->2610->servers
    rack2->2610->servers

    Each 2610 will be connected by a trunk to rack0->1800->backup

    Filtering on the 2610 means that every server on the 2610 can't communicate with any other. That's ok.

    But there is a problem:

    Servers on rack1 will be able to communicate with servers on rack2, because filtering drops connections between ports on the same switch but forwards via the trunk, and the trunk is able to communicate with all the others (the 1800 hasn't got filtering capabilities).

    Is that ok?


  • 19.  RE: Procurve 2610 + 1824 + VLAN

    Posted Jul 17, 2008 08:30 AM
    I've attached a network diagram.

    SRV1, SRV2, SRV3, SRV4, SRV5, SRV6 need to be separate. No communication between them, but they need to be on the same subnet.

    TRK1 is the trunk between one 2610 and the 1800-24

    TRK2 is the trunk between one 2610 and the 1800-24

    TRK3 is the trunk between the 1800-24 and the backup server

    The backup server needs to communicate with all other servers.

    Filtering on the 2610 will drop connections between servers connected to it, but will allow connections with all other servers.

    I don't like this.

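Post 6 gives the per-switch source-port rules, and posts 18 and 19 describe the gap that remains when only the 2610s can filter. The script below is an added example, not code from the thread or from HP: it models source-port filtering hop by hop along the path between two hosts so a rule set can be audited before it is typed into the switches. The switch names 2610a/2610b, the port numbers, and the CLOSED rule set (what post 6's uplink-side rule would do on an 1800 that could filter) are assumptions built from the diagram description.

```python
from collections import deque

# Constructed model of the diagram in post 19: two 2610s (rack1, rack2) feeding an 1800
# that holds the backup server. Hosts map to (switch, port); LINKS holds the trunks.
HOSTS = {
    "SRV1": ("2610a", 1), "SRV2": ("2610a", 2), "SRV3": ("2610a", 3),
    "SRV4": ("2610b", 1), "SRV5": ("2610b", 2), "SRV6": ("2610b", 3),
    "BACKUP": ("1800", "trk3"),
}
LINKS = {("2610a", "trk1"): ("1800", "trk1"), ("2610b", "trk1"): ("1800", "trk2")}
LINKS.update({far: near for near, far in list(LINKS.items())})  # cables run both ways

# Source-port filters: switch -> {ingress port: ports it may forward to}. A source port
# with no entry forwards anywhere (switch default). This is post 6's rule on each 2610,
# "filter source-port N drop 1-24 forward trk1", and nothing on the 1800 (no such feature).
FILTERS = {
    "2610a": {p: {"trk1"} for p in range(1, 25)},
    "2610b": {p: {"trk1"} for p in range(1, 25)},
    "1800": {},
}
# Hypothetical: the uplink-side rule from post 6, if the 1800 could apply it.
CLOSED = {**FILTERS, "1800": {"trk1": {"trk3"}, "trk2": {"trk3"}}}

def hops(src, dst):
    """BFS over the switches; returns [(switch, ingress_port, egress_port), ...] for src -> dst."""
    (sw, port), (dsw, dport) = HOSTS[src], HOSTS[dst]
    queue, seen = deque([(sw, port, [])]), {sw}
    while queue:
        cur, ingress, done = queue.popleft()
        if cur == dsw:
            return done + [(cur, ingress, dport)]
        for (lsw, lport), (rsw, rport) in LINKS.items():
            if lsw == cur and rsw not in seen:
                seen.add(rsw)
                queue.append((rsw, rport, done + [(cur, ingress, lport)]))
    raise ValueError(f"no path between {src} and {dst}")

def permitted(src, dst, filters=FILTERS):
    """True when every switch on the path forwards ingress -> egress under its filter."""
    for sw, ingress, egress in hops(src, dst):
        allowed = filters[sw].get(ingress)  # None: no filter bound to that source port
        if allowed is not None and egress not in allowed:
            return False
    return True

def leaks(filters=FILTERS):
    """Server pairs that can still talk although neither is the backup server."""
    servers = [h for h in HOSTS if h != "BACKUP"]
    return sorted((a, b) for a in servers for b in servers if a != b and permitted(a, b, filters))
```

leaks() reports the cross-rack pairs that post 18 worries about, while leaks(CLOSED) is empty, which shows the gap sits entirely on the unfilterable 1800.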

  • 20.  RE: Procurve 2610 + 1824 + VLAN

    Posted Jul 18, 2008 02:17 AM
    After this post I'll withdraw from the thread.

    I already mentioned that, if possible at all, a solution with the current components would be ill advised, because it will be complex and badly manageable/scalable.

    Things to ask yourself:
    - Why may these servers not see each other?
    The whole internet contains servers which CAN communicate with each other at IP level!

    - Why can't you replace (or swap) some components, to put the backup server on a more manageable connection?

    - Why use a switch while putting a single port in a VLAN?
    You'll be better off with a copper wire!

    regards.
    Pieter