
I'm trying to route VLAN 300, which has the subnet 192.168.100.0/26, so that it can only access 10.220.1.10 on VLAN 220, but I'm struggling with the config. HP's documentation, from what I can tell, just wants me to enable IP RIP, but that gives access to the entire 220 VLAN, when all I'm trying to do is give access to 10.220.1.10 on VLAN 220.

This is for RF guns connecting to an AS400 server, and we are trying to isolate the traffic from everything else. So the RF guns live on VLAN 300 in 192.168.100.0/26, and the AS400 lives on VLAN 220 with 10.220.1.10 as its IP.

Matt Weick
  • I'm not a big ProCurve user, but you want ACLs: http://www.hp.com/rnd/support/manuals/pdf/release_06628_07110/Bk2_Ch3_ACL.pdf, after putting the VLAN routing in place like you mention. – TheCleaner Dec 17 '14 at 02:37

3 Answers


After some trial and error, I came to the solution below and it works as designed. Thanks to all that helped.

ip access-list extended "100"
     10 permit ip 192.168.100.0 0.0.0.63 10.220.1.10 0.0.0.0
     20 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Vlan 300
     ip access-group 100 in

Something strange I noticed: I can ping with source 192.168.100.1 xxxxxxxxxxxxx (my VLAN IP address for VLAN 300) and get successful responses from clients other than 10.220.1.10, but I only get responses from 10.220.1.10 when working with actual clients in the VLAN 300 range. Am I getting these ping responses to 10.220.1.xxx devices from 192.168.100.1 (the VLAN IP of VLAN 300) solely because it is the switch VLAN IP, and the access-list rules don't apply to the VLAN IP but do apply to the clients?

Matt Weick

If you are trying to access a single system on a subnet that has more than one system on it...

I would put a static route on the end systems that specifies that to reach the 10.220.1.10 system you need to go through the HP router. Then I would use an access list on the router to ensure it is only routing traffic you intend.

You can't use routing to (easily) do what you want because a router thinks in terms of subnets. It thinks about which subnets it has access to based on network address and mask. If it has an interface on the same network as 10.220.1.10, it is going to think of itself as a viable candidate to route traffic to any host on that subnet. And that isn't what you want; you just want the one host.

Another thing to keep in mind is that routers don't know what VLANs are. Routers are layer 3. Routers only care about IP addresses. They will reference your VLAN through an IP interface, or a sub-interface if you are dealing with a VLAN trunk.

EDIT

If the HP router is also the default gateway, you don't need to worry about any static routes. Just put an ACL on the interface leading to 10.220.1.10.

xdfil
  • Does it make more sense to add another NIC to the AS400 and just assign it a static IP in the VLAN 300 subnet 192.168.100.0/26, to truly isolate all this traffic on VLAN 300? – Matt Weick Dec 17 '14 at 03:04
  • I have never configured ACLs before, so I'm trying to read the manual which @TheCleaner provided above. So the ACL gets assigned to the interface 10.220.1.10 is connected to, and not to VLAN 300, correct? – Matt Weick Dec 17 '14 at 03:06
  • Adding another NIC works too. I wouldn't do it that way. What are you going to do every time something like this comes up, keep buying more NICs? – xdfil Dec 17 '14 at 04:04
  • ACLs are the way to go, but I don't know HP network gear, so I can't suggest a config. But ACLs are a fundamental piece of any professional network gear, so they've got to be there. – xdfil Dec 17 '14 at 04:06
  • Also, be careful: it sounds like you are in a production environment and you are not sure what you are doing. Changing ACLs on a router is a really easy way to cause a service outage. – xdfil Dec 17 '14 at 04:09
  • I got it working, I edited the post above. Thanks for the info. Can you please advise above? – Matt Weick Dec 17 '14 at 06:12
  • I don't have enough reputation to comment on your answer. Your solution looks good, and the behavior you described sounds normal to me. You basically already explained it: to ping from the VLAN 300 interface, the traffic never comes in on that interface, so it doesn't have to follow the rules. – xdfil Dec 17 '14 at 12:51

You enable RIP and afterwards do the ACL, like illustrated a bit for the ACL here: http://vmfocus.com/2012/10/14/how-to-configure-access-lists-route-between-vlans-on-hp-v1910-24g/

It would look like this in the config (but I'm not the best with HP switches). Note that the masks in an ACL entry are wildcard masks (0 = bit must match, 1 = don't care), the complement of the subnet mask:

ip access-list extended "220"
      10 permit ip 192.168.100.0 0.0.0.63 10.220.1.10 0.0.0.0

...

vlan 220
    name "..."
    untagged 2
    tagged A1
    ip address 10.220.1.1 255.255.255.0
    exit
yagmoth555
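As an added illustration (not code from the thread, and not an HP tool), here is a small Python model of how a ProCurve-style extended ACL with wildcard masks evaluates the entries in the accepted answer above. It covers three points the thread raises: that the wildcard is the complement of the subnet mask (so writing 255.255.255.192 where a wildcard belongs, as in the answer above, matches almost nothing intended), that the trailing deny-all entry 20 only restates the ACL's implicit deny, and, as a simplified model that is an assumption rather than a vendor specification, why a ping sourced from the switch's own VLAN 300 address is not subject to an ACL applied inbound on VLAN 300. The sample flows and the switch address are constructed for the example.

```python
"""Model of an HP ProCurve-style extended ACL with wildcard masks.

Added example, not code from the thread. Sample flows are constructed; the
"switch-originated traffic bypasses the inbound ACL" rule is a simplified
model (an assumption), not a vendor specification.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


def cidr_to_wildcard(network: str) -> Tuple[str, str]:
    """'192.168.100.0/26' -> ('192.168.100.0', '0.0.0.63').

    ACL entries take a wildcard mask: a 1 bit means "don't care", so it is
    the bitwise complement of the subnet mask, never the subnet mask itself.
    """
    net = ipaddress.ip_network(network, strict=False)
    return str(net.network_address), str(net.hostmask)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base on every bit the wildcard leaves as 0."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Ace:
    seq: int
    action: str  # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def parse_ace(line: str) -> Ace:
    """Parse '10 permit ip 192.168.100.0 0.0.0.63 10.220.1.10 0.0.0.0'."""
    seq, action, proto, src, src_wc, dst, dst_wc = line.split()
    if proto != "ip" or action not in ("permit", "deny"):
        raise ValueError("unsupported ACE: " + line)
    return Ace(int(seq), action, src, src_wc, dst, dst_wc)


def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if wildcard_match(src, ace.src, ace.src_wc) and \
           wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny (implicit)"


def forward(acl: List[Ace], switch_ips: set, src: str, dst: str) -> str:
    """Model 'ip access-group <acl> in' on a VLAN interface.

    Only traffic received on that VLAN is filtered. A ping the switch sources
    from its own VLAN address never arrives through a VLAN port, so the
    inbound ACL does not see it (assumption, matching the thread's observation).
    """
    if src in switch_ips:
        return "not filtered (switch-originated)"
    return evaluate(acl, src, dst)


# The accepted answer's ACL, exactly as posted.
ACL_100 = [
    parse_ace("10 permit ip 192.168.100.0 0.0.0.63 10.220.1.10 0.0.0.0"),
    parse_ace("20 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255"),
]
VLAN300_SWITCH_IP = {"192.168.100.1"}  # constructed: switch's VLAN 300 address

# Subnet masks written where wildcards belong (the mistake discussed above).
BAD_ACE = parse_ace("10 permit ip 192.168.100.0 255.255.255.192 10.220.1.10 255.255.255.255")


def demo() -> dict:
    """Constructed flows through ACL_100 applied inbound on VLAN 300."""
    return {
        "rf_gun_to_as400": forward(ACL_100, VLAN300_SWITCH_IP, "192.168.100.10", "10.220.1.10"),
        "rf_gun_to_other_220_host": forward(ACL_100, VLAN300_SWITCH_IP, "192.168.100.10", "10.220.1.20"),
        "outside_the_26": forward(ACL_100, VLAN300_SWITCH_IP, "192.168.100.70", "10.220.1.10"),
        "switch_sourced_ping": forward(ACL_100, VLAN300_SWITCH_IP, "192.168.100.1", "10.220.1.20"),
        # Same outcome without entry 20: the explicit deny-all restates the implicit deny.
        "without_entry_20": evaluate(ACL_100[:1], "192.168.100.10", "10.220.1.20"),
    }


def bad_mask_demo() -> dict:
    """Read as a wildcard, 255.255.255.192 means 'only the low 6 bits must match'."""
    return {
        "rf_gun_to_as400": evaluate([BAD_ACE], "192.168.100.10", "10.220.1.10"),
        "unrelated_host_part_zero": evaluate([BAD_ACE], "10.0.0.64", "1.2.3.4"),
    }


if __name__ == "__main__":
    for name, result in list(demo().items()) + list(bad_mask_demo().items()):
        print(f"{name:26s} {result}")
```

Two practical notes follow from the model. First, the ACL as written drops everything else the RF guns send through the switch, so if they need a DNS or NTP server in another subnet, those hosts need their own permit entries placed before the deny-all. Second, the bypass for switch-originated pings means a ping from the switch's VLAN interface is not a valid test of the ACL; test from a host on VLAN 300, as the accepted answer did.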