6248 VLAN routing and segmentation query

Question

Hi, I have an issue that I have been wrestling with for a couple of days and I am still no closer to finding a solution. What I want to do is create a number of VLANS that are isolated from each other apart from one. I have created a number of VLANs on  the 6248 and can quite happily route traffic between them all the problem the problem I'm having is stopping the two client VLANs talking to each whilst still being able to talk to the infrastructure VLAN. I'll outline the topology below:   VLAN 161 (Infrastructure) 172.16.1.0/255.255.255.0 VLAN 162 (Client) 172.16.2.0/255.255.255.0 VLAN 163 (Client) 172.16.3.0/255.255.255.0 VLAN 168 (external) This is used to connect to the outside world and can be ignored for now. VLANs 161-163 are hosted on HYPER-V R2 and the guests have the 'Enable VLAN identification' property set to the correct VLAN ID   There are 3 switch ports configured with access to the VLANs 161-163. Port 1/g13 is a single port connected to the HYPER-V server and g26/g28 are Teamed ports configured on the hyper-v server. Ultimatley my live setup will use the teamed network but for purpose of simplifying the issue I have connected the guests to a non teamed network port (1/g13) I have three guests on the HYPER-V Server DC01 (VLAN 161) 172.16.1.16/255.255.255.0/172.16.1.254 PC01 (VLAN 162) 172.16.2.1/255.255.255.0/172.16.2.254 PC02 (VLAN 163) 172.16.3.1/255.255.255.0/172.16.3.254 So to recap what I need is for VLAN 161 to talk to 162 and 163 but VLAN 162 and VLAN 163 should not be able to talk to each other. Here is the current running config, any assistance would be welcome as I am stuck. Thanks in advance Paul   console#show running-config!Current Configuration:!System Description 'PowerConnect 6248, 3.3.1.10, VxWorks 6.5'!System Software Version 3.3.1.10!Cut-through mode is configured as disabled!configurevlan databasevlan 161-163,168vlan routing 168 3vlan routing 161 4vlan routing 162 5vlan routing 163 6exitstackmember 1 2exitip address 192.168.2.254 255.255.255.0ip routingip route 0.0.0.0 0.0.0.0 192.168.1.1interface vlan 161routing ip address 172.16.1.254 255.255.255.0exitinterface vlan 162routingip address 172.16.2.254 255.255.255.0exitinterface vlan 163routingip address 172.16.3.254 255.255.255.0exitinterface vlan 168routingip address 192.168.1.254 255.255.255.0ip netdirbcastbandwidth 10000ip rip send version rip1ip rip receive version rip1ip mtu 1500exit interface ethernet 1/g13switchport mode generalswitchport general allowed vlan add 161-163 taggedexit!interface ethernet 1/g26switchport mode generalswitchport general allowed vlan add 161-163 taggedexit!interface ethernet 1/g28switchport mode generalswitchport general allowed vlan add 161-163 taggedexit!interface ethernet 1/g37switchport mode generalexit!interface ethernet 1/g38switchport mode general exit!interface ethernet 1/g48switchport mode generalswitchport general pvid 168switchport general allowed vlan add 168exit

Moonigan · Answer

Hi,

Thanks for the response. I thought ACL's where only applied to traffic coming in or out of a port. In my scenario all traffic passes interally over port 13 of the switch so ACL's would not be applicable. I may be wrong but I'm pretty sure I read this a couple of days ago when I started researching the solution.

Regards

Paul

Moonigan · Answer

Thanks again for the response. I'm about to finish for the day but I will read through the document tonight and attempt to apply the ACL's in the morning. I'll report back and let you know either way.

Regards

Paul

Moonigan · Answer

As promised I have setup an ACL with a few ACE's and it works perfectly so thankyou very much for your assistance. :emotion-21:

For completeness here are the commands I added to get the ACL working.

ACCESS-LIST INFRA permit IP ANY 172.16.1.0 0.0.0.255 (Allow all networks to talk to the INFRASTRUCTURE LAN)

ACCESS-LIST INFRA permit IP 172.16.1.0 0.0.0.255 (Allow the INFRASTRUCTURE LAN to talk to anything)

ACCESS-LIST INFRA deny ANY ANY (dont allow anything to talk to anything else)

Once I had created the ACL I used the following to apply it to the VLANs 162 and 163

INTERFACE VLAN 162

IP ACCESS-GROUP INFRA

Rinse and repeat the two commands above for each VLAN

Thanks again

Paul

Networking General

Was this post helpful?