1. Home
  2. Ethernet LAN
  3. Inter VLAN routing

Inter VLAN routing

Hi there!

I have inherited a bit of a sticky one, hope someone can help. Situation: Network 192.168.0.0/16, with servers, printers, workstations (on def vlan 1) Need to add several VLANS for other devices (eg timeclocks etc). I have already determined having eg VLAN2 = 192.168.100.x/16 is not good (as all devices can still see each other in both VLANS, and neither can I do 192.168.100.x/24, as the /16 then is the problem)

  • Have several L2 (Procurve 5406) switches, and devices will be spread across these switches in diff VLANs
  • IP routing enabled on all switches
  • This is what I need to do:

-> several host in VLAN1 need access to all hosts in VLAN2

-> hosts in VLAN2 need to talk to each other, and to one host in VLAN1

-> Later adding VLAN3, would need the same as above, but, no access to VLAN2

Can you advise whether this config looks do-able?

VLAN1 = 192.168.0.1->15.254/20 (/21 might also do, but I have a lot of units to consider for the "production" network) VLAN2 = 192.168.100.0/24 VLAN3 = 192.168.101.0/24

This of course would mean a change to the current /16 production network, but is not a major issue as only servers, rest are DHCP for workstations.

Thanks in advance

E
Reply to
eugvanr
Loading thread data ...

The 5406 supports routing and ACLs so I think should be very easily doable. Let each VLAN be its own subnet, turn on routing and limit access between devices using ACLs -- on each VLAN configure permit rules that say which devices/subnets it is allowed to talk to.

Anoop

Reply to
anoop

Thanks very much!

1) Just wanted to be sure my IP address scheme will not cause issues. 2) Server hosts on VLAN1 have gway to an ISA server, but workstations have no gateway, only ISA fw clients. I assume that I need to set default gateways? And on VLAN2/3 do I need to set def gateway of the IP of the VLAN interface on the swithc? eg:

Switch2, VLAN2 IP=192.168.100.2 Host1 (VLAN2), IP=192.168.100.10/24, gw =192.168.100.2

and Switch1, VLAN2 IP=192.168.100.1 Host1 (VLAN1 IP=192.168.100.10/24), gw = 192.168.100.1

3) You don't suppose there is any way I can keep the current VLAN1 (192.168.0.0/16), and assign another private IP range, 10.0.1.0/24 and 10.0.2.0/24 to the other VLANs? Would be less work, but my assumption is that routing should still take place regardless?

Thanks aga> snipped-for-privacy@hotmail.com wrote:

Reply to
eugvanr

If one IP subnet is defined as 192.168.0.0/16 IP subnet, then you can't create another IP subnet with the same prefix as this one. In this particular address block, the 192.168.0.0 to 192.168.255.255 block from RFC 1918, you cannot create two IP subnets if one of the two has a

16-bit wide prefix.

On the other hand, you could create two IP subnets like this:

192.168.1.0/24 and 192.168.2.0/24, for example.

If you already have routers between different IP subnets, i.e. between the VLANs, then what's the problem?

Bert

Reply to
Albert Manfredi

Yes, you will need a default gateway to be assigned for all devices that need to talk to devices outside of their VLAN and the way you describe doing it is correct.

But DHCP should handle giving out gateways as well if that is what you are using for handing out IP addresses.

I don't see any reason why you shouldn't be able to do the above. In a larger enterprise network, this would have the potential to prevent one from doing as much aggregation as one might like, but in your case, for such a small network, there is probably no downside to doing this.

As a general remark, make sure that all communication for devices that need to communicate with one another, and that you intend to put in different VLANs, is happening over IP since you will now be involving routing. Also you will need to have ACLs in place to prevent certain devices from talking to one another, otherwise by default, once you turn on routing, everyone will be able to talk to everyone else.

Anoop

Reply to
anoop

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.