
May 17th, 2012 06:00

6248 VLAN routing and segmentation query

Hi,

I have an issue that I have been wrestling with for a couple of days and I am still no closer to finding a solution. What I want to do is create a number of VLANs that are isolated from each other apart from one.

I have created a number of VLANs on the 6248 and can quite happily route traffic between them all; the problem I'm having is stopping the two client VLANs talking to each other whilst still being able to talk to the infrastructure VLAN. I'll outline the topology below:

 

VLAN 161 (Infrastructure) 172.16.1.0/255.255.255.0

VLAN 162 (Client) 172.16.2.0/255.255.255.0

VLAN 163 (Client) 172.16.3.0/255.255.255.0

VLAN 168 (external) This is used to connect to the outside world and can be ignored for now.

VLANs 161-163 are hosted on HYPER-V R2 and the guests have the "Enable VLAN identification" property set to the correct VLAN ID

 

There are 3 switch ports configured with access to the VLANs 161-163. Port 1/g13 is a single port connected to the HYPER-V server and g26/g28 are teamed ports configured on the Hyper-V server. Ultimately my live setup will use the teamed network, but for the purpose of simplifying the issue I have connected the guests to a non-teamed network port (1/g13).

I have three guests on the HYPER-V Server

DC01 (VLAN 161)

172.16.1.16/255.255.255.0/172.16.1.254

PC01 (VLAN 162)

172.16.2.1/255.255.255.0/172.16.2.254

PC02 (VLAN 163)

172.16.3.1/255.255.255.0/172.16.3.254

So to recap what I need is for VLAN 161 to talk to 162 and 163 but VLAN 162 and VLAN 163 should not be able to talk to each other.

Here is the current running config, any assistance would be welcome as I am stuck.

Thanks in advance

Paul

 

console#show running-config
!Current Configuration:
!System Description "PowerConnect 6248, 3.3.1.10, VxWorks 6.5"
!System Software Version 3.3.1.10
!Cut-through mode is configured as disabled
!
configure
vlan database
vlan 161-163,168
vlan routing 168 3
vlan routing 161 4
vlan routing 162 5
vlan routing 163 6
exit
stack
member 1 2
exit
ip address 192.168.2.254 255.255.255.0
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.1.1
interface vlan 161
routing
ip address 172.16.1.254 255.255.255.0
exit
interface vlan 162
routing
ip address 172.16.2.254 255.255.255.0
exit
interface vlan 163
routing
ip address 172.16.3.254 255.255.255.0
exit
interface vlan 168
routing
ip address 192.168.1.254 255.255.255.0
ip netdirbcast
bandwidth 10000
ip rip send version rip1
ip rip receive version rip1
ip mtu 1500
exit

interface ethernet 1/g13
switchport mode general
switchport general allowed vlan add 161-163 tagged
exit
!
interface ethernet 1/g26
switchport mode general
switchport general allowed vlan add 161-163 tagged
exit
!
interface ethernet 1/g28
switchport mode general
switchport general allowed vlan add 161-163 tagged
exit
!
interface ethernet 1/g37
switchport mode general
exit
!
interface ethernet 1/g38
switchport mode general
exit
!
interface ethernet 1/g48
switchport mode general
switchport general pvid 168
switchport general allowed vlan add 168
exit


May 17th, 2012 09:00

Hi,

Thanks for the response. I thought ACLs were only applied to traffic coming in or out of a port. In my scenario all traffic passes internally over port 13 of the switch, so ACLs would not be applicable. I may be wrong, but I'm pretty sure I read this a couple of days ago when I started researching the solution.

Regards

Paul


May 17th, 2012 12:00

Thanks again for the response. I'm about to finish for the day, but I will read through the document tonight and attempt to apply the ACLs in the morning. I'll report back and let you know either way.

Regards

Paul


May 18th, 2012 02:00

As promised I have set up an ACL with a few ACEs and it works perfectly, so thank you very much for your assistance.

For completeness here are the commands I added to get the ACL working.

 

ACCESS-LIST INFRA permit IP ANY 172.16.1.0 0.0.0.255 (Allow all networks to talk to the INFRASTRUCTURE LAN)

ACCESS-LIST INFRA permit IP 172.16.1.0 0.0.0.255 ANY (Allow the INFRASTRUCTURE LAN to talk to anything; the destination ANY is required by the ACE syntax)

ACCESS-LIST INFRA deny ANY ANY (don't allow anything to talk to anything else)

 

Once I had created the ACL I used the following to apply it to the VLANs 162 and 163

INTERFACE VLAN 162

IP ACCESS-GROUP INFRA

Rinse and repeat the two commands above for each VLAN

Thanks again

Paul
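The following is an added example, not Paul's configuration or a Dell tool: a small Python model of the three ACEs above, evaluated first-match with Cisco-style wildcard masks, used to check that the policy actually yields the segmentation the thread asked for (161 reaches 162 and 163; 162 and 163 cannot reach each other). It assumes, as a simplifying model, that `IP ACCESS-GROUP INFRA` on a VLAN interface filters packets entering the switch from that VLAN, that the switch applies an implicit deny after the last ACE, and that every packet is routed through the switch. The host names and addresses are the ones from the thread; the `Ace`, `evaluate` and `allowed` helpers are constructed here.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action plus a source and destination match.

    A match spec is either "any" or "network wildcard", e.g. "172.16.1.0 0.0.0.255".
    """
    action: str  # "permit" or "deny"
    src: str
    dst: str


def _match(spec: str, addr: str) -> bool:
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    if spec.lower() == "any":
        return True
    net, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(net)) & care


def evaluate(acl, src_ip: str, dst_ip: str) -> str:
    """First matching ACE wins; nothing matching means the implicit deny (assumption)."""
    for ace in acl:
        if _match(ace.src, src_ip) and _match(ace.dst, dst_ip):
            return ace.action
    return "deny"


# The three ACEs from the thread, in the order they were entered.
INFRA = [
    Ace("permit", "any", "172.16.1.0 0.0.0.255"),   # anything -> infrastructure LAN
    Ace("permit", "172.16.1.0 0.0.0.255", "any"),   # infrastructure LAN -> anything
    Ace("deny", "any", "any"),                      # everything else
]

# Guests and VLANs from the thread (constructed lookup tables).
HOSTS = {"DC01": "172.16.1.16", "PC01": "172.16.2.1", "PC02": "172.16.3.1"}
HOST_VLAN = {"DC01": 161, "PC01": 162, "PC02": 163}

# Per the thread, the ACL is bound to the VLAN 162 and 163 interfaces only;
# modelled here as an inbound filter on packets arriving from that VLAN (assumption).
ACL_ON_VLAN = {162: INFRA, 163: INFRA}


def allowed(src_host: str, dst_host: str) -> bool:
    """Does the switch forward a packet from src_host to dst_host?"""
    acl = ACL_ON_VLAN.get(HOST_VLAN[src_host])
    if acl is None:  # VLAN 161 has no ACL bound, so nothing is filtered
        return True
    return evaluate(acl, HOSTS[src_host], HOSTS[dst_host]) == "permit"


def policy_matrix() -> dict:
    """Every ordered host pair and whether traffic between them is forwarded."""
    return {(s, d): allowed(s, d) for s in HOSTS for d in HOSTS if s != d}


if __name__ == "__main__":
    for (s, d), ok in sorted(policy_matrix().items()):
        print(f"{s} -> {d}: {'permit' if ok else 'deny'}")
```

Running it prints the six host pairs; the two client-to-client rows are the only denies. Note that the order of the ACEs matters: if the `deny ANY ANY` entry were entered first, `evaluate` would return "deny" for every flow on VLANs 162 and 163, including traffic to DC01.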
