Posted by on October 13, 2006, 12:36 pm
Hi there!

I have inherited a bit of a sticky one, hope someone can help.

Situation: Network 192.168.0.0/16, with servers, printers, workstations (on def vlan 1)
Need to add several VLANS for other devices (eg timeclocks etc).
I have already determined having eg VLAN2 = 192.168.100.x/16 is not good (as all devices can still see each other in both VLANS, and neither can I do 192.168.100.x/24, as the /16 then is the problem)

* Have several L2 (Procurve 5406) switches, and devices will be spread across these switches in diff VLANs
* IP routing enabled on all switches
* This is what I need to do:
-> several host in VLAN1 need access to all hosts in VLAN2
-> hosts in VLAN2 need to talk to each other, and to one host in VLAN1
-> Later adding VLAN3, would need the same as above, but, no access to VLAN2

Can you advise whether this config looks do-able?

VLAN1 = 192.168.0.1->15.254/20 (/21 might also do, but I have a lot of units to consider for the "production" network)
VLAN2 = 192.168.100.0/24
VLAN3 = 192.168.101.0/24

This of course would mean a change to the current /16 production network, but is not a major issue as only servers, rest are DHCP for workstations.

Thanks in advance
E

Posted by anoop on October 13, 2006, 2:13 pm
eugvanr@hotmail.com wrote:

> I have inherited a bit of a sticky one, hope someone can help.
> Situation: Network 192.168.0.0/16, with servers, printers, workstations
> (on def vlan 1)
> Need to add several VLANS for other devices (eg timeclocks etc).
> I have already determined having eg VLAN2 = 192.168.100.x/16 is not
> good (as all devices can still see each other in both VLANS, and
> neither can I do 192.168.100.x/24, as the /16 then is the problem)
>
> * Have several L2 (Procurve 5406) switches, and devices will be spread
> across these switches in diff VLANs
> * IP routing enabled on all switches
> * This is what I need to do:
> -> several host in VLAN1 need access to all hosts in VLAN2
> -> hosts in VLAN2 need to talk to each other, and to one host in VLAN1
> -> Later adding VLAN3, would need the same as above, but, no access to
> VLAN2

The 5406 supports routing and ACLs so I think should be very easily doable. Let each VLAN be its own subnet, turn on routing and limit access between devices using ACLs -- on each VLAN configure permit rules that say which devices/subnets it is allowed to talk to.

Anoop

Posted by on October 13, 2006, 2:47 pm
Thanks very much!

1) Just wanted to be sure my IP address scheme will not cause issues.
2) Server hosts on VLAN1 have gway to an ISA server, but workstations have no gateway, only ISA fw clients. I assume that I need to set default gateways? And on VLAN2/3 do I need to set def gateway of the IP of the VLAN interface on the switch? eg:

Switch2, VLAN2 IP=192.168.100.2
Host1 (VLAN2), IP=192.168.100.10/24, gw =192.168.100.2

and
Switch1, VLAN2 IP=192.168.100.1
Host1 (VLAN1 IP=192.168.100.10/24), gw = 192.168.100.1

3) You don't suppose there is any way I can keep the current VLAN1 (192.168.0.0/16), and assign another private IP range, 10.0.1.0/24 and 10.0.2.0/24 to the other VLANs? Would be less work, but my assumption is that routing should still take place regardless?

Thanks again, hope you can clarify above?
E

anoop wrote:
> eugvanr@hotmail.com wrote:
>
> > I have inherited a bit of a sticky one, hope someone can help.
> > Situation: Network 192.168.0.0/16, with servers, printers, workstations
> > (on def vlan 1)
> > Need to add several VLANS for other devices (eg timeclocks etc).
> > I have already determined having eg VLAN2 = 192.168.100.x/16 is not
> > good (as all devices can still see each other in both VLANS, and
> > neither can I do 192.168.100.x/24, as the /16 then is the problem)
> >
> > * Have several L2 (Procurve 5406) switches, and devices will be spread
> > across these switches in diff VLANs
> > * IP routing enabled on all switches
> > * This is what I need to do:
> > -> several host in VLAN1 need access to all hosts in VLAN2
> > -> hosts in VLAN2 need to talk to each other, and to one host in VLAN1
> > -> Later adding VLAN3, would need the same as above, but, no access to
> > VLAN2
>
> The 5406 supports routing and ACLs so I think should be very
> easily doable. Let each VLAN be its own subnet, turn on
> routing and limit access between devices using ACLs -- on
> each VLAN configure permit rules that say which devices/subnets
> it is allowed to talk to.
>
> Anoop

Posted by anoop on October 13, 2006, 3:22 pm
eugvanr@hotmail.com wrote:

> Thanks very much!
>
> 1) Just wanted to be sure my IP address scheme will not cause issues.
> 2) Server hosts on VLAN1 have gway to an ISA server, but workstations
> have no gateway, only ISA fw clients. I assume that I need to set
> default gateways? And on VLAN2/3 do I need to set def gateway of the IP
> of the VLAN interface on the switch? eg:
>
> Switch2, VLAN2 IP=192.168.100.2
> Host1 (VLAN2), IP=192.168.100.10/24, gw =192.168.100.2
>
> and
> Switch1, VLAN2 IP=192.168.100.1
> Host1 (VLAN1 IP=192.168.100.10/24), gw = 192.168.100.1

Yes, you will need a default gateway to be assigned for all devices that need to talk to devices outside of their VLAN and the way you describe doing it is correct. But DHCP should handle giving out gateways as well if that is what you are using for handing out IP addresses.

> 3) You don't suppose there is any way I can keep the current VLAN1
> (192.168.0.0/16), and assign another private IP range, 10.0.1.0/24 and
> 10.0.2.0/24 to the other VLANs? Would be less work, but my assumption
> is that routing should still take place regardless?

I don't see any reason why you shouldn't be able to do the above. In a larger enterprise network, this would have the potential to prevent one from doing as much aggregation as one might like, but in your case, for such a small network, there is probably no downside to doing this.

As a general remark, make sure that all communication for devices that need to communicate with one another, and that you intend to put in different VLANs, is happening over IP since you will now be involving routing. Also you will need to have ACLs in place to prevent certain devices from talking to one another, otherwise by default, once you turn on routing, everyone will be able to talk to everyone else.

Anoop

Posted by Albert Manfredi on October 13, 2006, 2:56 pm
> I have inherited a bit of a sticky one, hope someone can help.
> Situation: Network 192.168.0.0/16, with servers, printers,
> workstations
> (on def vlan 1)
> Need to add several VLANS for other devices (eg timeclocks etc).
> I have already determined having eg VLAN2 = 192.168.100.x/16 is not
> good (as all devices can still see each other in both VLANS, and
> neither can I do 192.168.100.x/24, as the /16 then is the problem)

If one IP subnet is defined as 192.168.0.0/16 IP subnet, then you can't create another IP subnet with the same prefix as this one. In this particular address block, the 192.168.0.0 to 192.168.255.255 block from RFC 1918, you cannot create two IP subnets if one of the two has a 16-bit wide prefix.

On the other hand, you could create two IP subnets like this: 192.168.1.0/24 and 192.168.2.0/24, for example.

> * Have several L2 (Procurve 5406) switches, and devices will be spread
> across these switches in diff VLANs
> * IP routing enabled on all switches
> * This is what I need to do:
> -> several host in VLAN1 need access to all hosts in VLAN2
> -> hosts in VLAN2 need to talk to each other, and to one host in VLAN1
> -> Later adding VLAN3, would need the same as above, but, no access to
> VLAN2
>
> Can you advise whether this config looks do-able?
>
> VLAN1 = 192.168.0.1->15.254/20 (/21 might also do, but I have a lot of
> units to consider for the "production" network)
> VLAN2 = 192.168.100.0/24
> VLAN3 = 192.168.101.0/24

If you already have routers between different IP subnets, i.e. between the VLANs, then what's the problem?

Bert
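
An added example, not part of any post in this thread: a Python check of the three addressing plans discussed above for overlapping subnets, followed by a model of the per-VLAN permit rules with an implicit deny, tested against the access requirements in the original question. The admin and server addresses are constructed, and the model assumes the ACLs are stateless and filter only routed traffic, so each allowed conversation needs a permit in both directions.

```python
import ipaddress as ip
from itertools import combinations

def overlaps(plan):
    """Return VLAN pairs whose subnets overlap; the switch cannot route between them."""
    nets = {v: ip.ip_network(c) for v, c in plan.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]

# The three addressing plans discussed in the thread.
ORIGINAL = {"VLAN1": "192.168.0.0/16", "VLAN2": "192.168.100.0/24"}
PROPOSED = {"VLAN1": "192.168.0.0/20", "VLAN2": "192.168.100.0/24",
            "VLAN3": "192.168.101.0/24"}
ALT_10 = {"VLAN1": "192.168.0.0/16", "VLAN2": "10.0.1.0/24", "VLAN3": "10.0.2.0/24"}

# Constructed hosts (assumptions): two admin stations and one server in VLAN1.
ADMINS = ["192.168.0.21/32", "192.168.0.22/32"]
SERVER = "192.168.0.10/32"
V1, V2, V3 = (PROPOSED[v] for v in ("VLAN1", "VLAN2", "VLAN3"))

# Permit rules (source, destination) for routed traffic entering from each
# VLAN. Anything not listed hits the implicit deny at the end of the list.
ACLS = {
    V1: [(h, n) for h in ADMINS + [SERVER] for n in (V2, V3)],
    V2: [(V2, h) for h in ADMINS + [SERVER]],
    V3: [(V3, h) for h in ADMINS + [SERVER]],
}

def permitted(src, dst):
    """One-way check of a packet src -> dst against its ingress VLAN's ACL."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    vlan = next((n for n in ACLS if s in ip.ip_network(n)), None)
    if vlan is None:
        return False                      # source is not in any known VLAN
    if d in ip.ip_network(vlan):
        return True                       # same subnet: switched, not routed
    return any(s in ip.ip_network(a) and d in ip.ip_network(b)
               for a, b in ACLS[vlan])

def can_talk(a, b):
    """Stateless ACLs: a conversation needs both directions permitted."""
    return permitted(a, b) and permitted(b, a)

if __name__ == "__main__":
    for name, plan in [("original", ORIGINAL), ("proposed", PROPOSED), ("10.x", ALT_10)]:
        print(name, "overlaps:", overlaps(plan))
    print("admin <-> timeclock:", can_talk("192.168.0.21", "192.168.100.10"))
    print("VLAN3 <-> VLAN2:", can_talk("192.168.101.10", "192.168.100.10"))
```

Removing the VLAN1 entries for the server breaks the VLAN2-to-server conversation even though VLAN2's own list still permits it, which is the usual symptom of a missing return-path rule.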