
3COM 5500G Basic VLAN setup - help please

Status
Not open for further replies.

nlandas

IS-IT--Management
Jun 4, 2007
11
US
Hello and help,

I'm working towards a basic VLAN configuration with two VLANs - VLAN1(default), VLAN2 - I've used the demo Network Director to create VLAN2 with a separate subnet. I'm having problems establishing routing between the networks on the separate VLANs. I thought I had established a route but no traffic seems to pass from VLAN to VLAN. At this point, I'd like to give VLAN2 full communication through VLAN1 to the Internet and then work on an ACL to block VLAN2 to specific ports. (I'll leave that for later.)

Can anyone out there help with the commands necessary to route all traffic from the subnet on VLAN2 to VLAN1? VLAN1 has the next hop router to the Internet on it.

VLAN1 - 172.18.0.0/255.255.252.0 (untagged)
VLAN2 - 192.168.200.0/255.255.255.0 (Tagged to ports and trunks.)

Can someone help clue me in? I know this is a very basic configuration but I'm missing something. Thank you.
 
What I'm trying to do is create VLAN2 in order to have our WAPs have access to a filtered VLAN2 that can only access specific Internet tcp/udp ports. I'd like to keep the majority of my existing network with servers, workstations and default gateway(router) to the Internet on VLAN1. Right now I'd be happy to get VLAN1 and VLAN2 communicating through the 5500G. Then I'll tackle the ACL later.

VLAN1 - 172.18.180.0/255.255.252.0
VLAN2 - 192.168.200.1/255.255.255.0

I can provide any other details - Here's the routing table..

Routing Table: public net
Destination/Mask    Protocol  Pre  Cost  Nexthop         Interface
0.0.0.0/0           STATIC    60   0     172.18.180.1    Vlan-interface1
127.0.0.0/8         DIRECT    0    0     127.0.0.1       InLoopBack0
127.0.0.1/32        DIRECT    0    0     127.0.0.1       InLoopBack0
172.18.180.0/22     DIRECT    0    0     172.18.180.54   Vlan-interface1
172.18.180.54/32    DIRECT    0    0     127.0.0.1       InLoopBack0
192.168.200.0/24    DIRECT    0    0     192.168.200.1   Vlan-interface2
192.168.200.1/32    DIRECT    0    0     127.0.0.1       InLoopBack0

VLAN ID: 1
VLAN Type: static
Route Interface: configured
IP Address: 172.18.180.54
Subnet Mask: 255.255.252.0
Description: VLAN 0001
Name: VLAN 0001
Tagged Ports: none
Untagged Ports:
GigabitEthernet1/0/1 GigabitEthernet1/0/2 GigabitEthernet1/0/3
GigabitEthernet1/0/4 GigabitEthernet1/0/5 GigabitEthernet1/0/6
GigabitEthernet1/0/7 GigabitEthernet1/0/8 GigabitEthernet1/0/9
GigabitEthernet1/0/10 GigabitEthernet1/0/11 GigabitEthernet1/0/12
GigabitEthernet1/0/13 GigabitEthernet1/0/14 GigabitEthernet1/0/15
GigabitEthernet1/0/16 GigabitEthernet1/0/17 GigabitEthernet1/0/18
GigabitEthernet1/0/19 GigabitEthernet1/0/20 GigabitEthernet1/0/21
GigabitEthernet1/0/22 GigabitEthernet1/0/23 GigabitEthernet1/0/24

VLAN ID: 2
VLAN Type: static
Route Interface: configured
IP Address: 192.168.200.1
Subnet Mask: 255.255.255.0
Description: Guest WEP VLAN
Name: VLAN 0002
Tagged Ports:
GigabitEthernet1/0/1 GigabitEthernet1/0/2 GigabitEthernet1/0/6
Untagged Ports: none

I'm new to VLANs and used to a flat topology. I understand the concepts behind it all but the execution details are lacking. I've read the manuals, 100 web pages related to it and just need a good prod in the right direction. I know I'm doing something thick headed.

The routing table looked strange to me using the loopback0 but that was added automatically by the web interface and Network Director when they configured the device's IP and the VLAN2 IP.

Sorry to reply to my post but I just thought that the other information might be useful. -Nyle
 
I got it all working. I used 3COM's demo Network Director to create the VLANs that I needed.

system-view - to enter system-view
interface vlan-interface X - to change into the VLAN to interface
ip address X.X.X.X X.X.X.X - To assign an IP address with subnet mask.

The corresponding static routes were automatically created for the VLAN interface which can be checked using.

display ip routing-table

Then I had to work with my WAN provider to add routes for the subnets on my VLANs. I don't control my external router. Once that was complete traffic was fully routed from my VLANs to my other VLANs and the Internet.

Finally I set up an advanced ACL filter to block the new VLANs from accessing anything on my primary VLAN 1.

from system-view
acl number (ACL # - 3000 range) match-order config
rule deny IP source X.X.X.X(Address of source) X.X.X.X(Wildcard of source) destination X.X.X.X(Address of destination) X.X.X.X(Wildcard of destination) time-range allday(My named time range.) - This blocks the entire subnet on VLAN 1 from being accessed from the subnet on VLAN 3.

Then create rules to unblock specific IPs for access from the VLAN 3 subnet which are on the VLAN 1 subnet.

rule permit IP source X.X.X.X(Address of source) X.X.X.X(Wildcard of source) destination X.X.X.X(Address of destination) 0.0.0.0(Wildcard of destination 0.0.0.0 signifies a host IP) time-range allday(My named time range.) - This allows access from the VLAN 3 subnet to one specific IP on the other subnet in my first case the Internet router(default gateway of the other subnet.)

Then I repeated that for the other few IPs that I needed to open access up for.

Finally I applied the new ACL as a packet-filter from the system view.

So quit back out the system-view.

Type
packet-filter vlan X(Mine is 3) inbound ip-group (ACL # - mine is 3000)

You can test this and if there are problems or you need to make changes you can use the undo command in front of it to remove it.

I hope this helps someone looking in the future at least get headed in the right direction.
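
Added example, not part of the original post: a small Python model of the wildcard-mask matching used by the ACL rules above, which also flags any rule that an earlier rule fully covers. It reuses the thread's VLAN1 and VLAN2 subnets and the 172.18.180.1 router as sample values; evaluating rules in list order and permitting unmatched traffic are assumptions to confirm on the switch.

```python
import ipaddress

def _n(ip):
    return int(ipaddress.IPv4Address(ip))

def wildcard_match(addr, base, wildcard):
    """Wildcard masks are inverted netmasks: 1-bits are ignored, 0-bits must match."""
    care = ~_n(wildcard) & 0xFFFFFFFF
    return (_n(addr) & care) == (_n(base) & care)

def evaluate(rules, src, dst, default="permit"):
    """First matching rule in list order wins (assumed order; confirm on the switch).
    `default` is the assumed verdict for traffic that matches no rule."""
    for action, s, sw, d, dw in rules:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return default

def _covers(base_a, wild_a, base_b, wild_b):
    """True if pattern A matches every address that pattern B matches."""
    care_a = ~_n(wild_a) & 0xFFFFFFFF
    care_b = ~_n(wild_b) & 0xFFFFFFFF
    return (care_a & ~care_b) == 0 and (_n(base_a) & care_a) == (_n(base_b) & care_a)

def shadowed(rules):
    """Indices of rules that can never fire because an earlier rule covers them."""
    hidden = []
    for j, (_, s, sw, d, dw) in enumerate(rules):
        for _, s0, sw0, d0, dw0 in rules[:j]:
            if _covers(s0, sw0, s, sw) and _covers(d0, dw0, d, dw):
                hidden.append(j)
                break
    return hidden

# Constructed sample rules: restricted subnet 192.168.200.0/24, primary subnet
# 172.18.180.0/22 (wildcard 0.0.3.255), one permitted host (the Internet router).
DENY_NET = ("deny", "192.168.200.0", "0.0.0.255", "172.18.180.0", "0.0.3.255")
PERMIT_GW = ("permit", "192.168.200.0", "0.0.0.255", "172.18.180.1", "0.0.0.0")
DENY_FIRST = [DENY_NET, PERMIT_GW]
PERMIT_FIRST = [PERMIT_GW, DENY_NET]

if __name__ == "__main__":
    for name, rules in (("deny first", DENY_FIRST), ("permit first", PERMIT_FIRST)):
        verdict = evaluate(rules, "192.168.200.10", "172.18.180.1")
        print(f"{name}: guest -> router = {verdict}, shadowed rules = {shadowed(rules)}")
```

A non-empty `shadowed()` result means the order in which the device evaluates rules decides whether the host exceptions ever take effect, so test from a host on the restricted VLAN after applying the packet-filter.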
 