VLAN must not communicate

Posted: 14 Jan 2013 10:16
by mzced
Good morning, I'm a newbie in the configuration of Alcatel-Lucent.
In my switch I have configured 3 VLANs.
One of these, called "Wlan", assigns IPs with DHCP, 192.168.3.xxx.
When a device has taken an IP address, I try to ping an IP of another VLAN, Vlan - 192.168.2.xxx, and this returns a response.
I have tried to set the forwarding service of "Wlan" to "disable", but in this mode the clients don't get an IP from DHCP.

I would like to isolate the VLANs from all traffic from/to Wlan <--> Vlan.
What could I do?


Thanks for all advice and support
Fabrizio

Re: VLAN must not communicate

Posted: 19 Jan 2013 04:13
by silvio
Hi Fabrizio,
there are some possibilities, depending on your network.
If the 6850 is the gateway of all three of your VLANs, then you can disable forwarding of the IP interface wlan. But then the DHCP for wlan must be in the same VLAN.
If you use ip-helper (DHCP relay), then IP forwarding for all IP interfaces should stay enabled.
A better way is to use policies. For example, the following config, for better understanding with a NET2 to which WLAN users have access, but not to NET1:

policy network group WLAN 192.168.3.0 mask 255.255.255.0
policy network group NET1 192.168.1.0 mask 255.255.255.0
policy network group NET2 192.168.2.0 mask 255.255.255.0

policy condition WLAN-NET1 source network group WLAN destination network group NET1
policy condition WLAN-NET2 source network group WLAN destination network group NET2

policy action ALLOW
policy action DENY disposition deny

policy rule ALLOW-NET2 precedence 100 condition WLAN-NET2 action ALLOW
policy rule DENY-NET1 precedence 10 condition WLAN-NET1 action DENY

qos apply

This is only a small example. You can use a lot of other conditions like "destination ip all", or you can allow dhcp-offer from a specific IP address.

I hope you will find your best way.
regards
Silvio
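
The rule set from the reply above, modelled in Python as an added example (not part of the original thread and not an Alcatel-Lucent tool): it parses the posted policy lines and reports the disposition for a given source/destination pair. It assumes the highest precedence value is evaluated first and that traffic matching no rule is accepted; `parse`, `decide` and `one_way_denies` are hypothetical helper names.

```python
import ipaddress
# Policy lines copied from the reply above; "qos apply" is not modelled.
CONFIG = """\
policy network group WLAN 192.168.3.0 mask 255.255.255.0
policy network group NET1 192.168.1.0 mask 255.255.255.0
policy network group NET2 192.168.2.0 mask 255.255.255.0
policy condition WLAN-NET1 source network group WLAN destination network group NET1
policy condition WLAN-NET2 source network group WLAN destination network group NET2
policy action ALLOW
policy action DENY disposition deny
policy rule ALLOW-NET2 precedence 100 condition WLAN-NET2 action ALLOW
policy rule DENY-NET1 precedence 10 condition WLAN-NET1 action DENY
"""

def parse(config):
    groups, conds, actions, rules = {}, {}, {}, []
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["policy", "network", "group"]:
            groups[t[3]] = ipaddress.ip_network(f"{t[4]}/{t[6]}")
        elif t[:2] == ["policy", "condition"]:
            conds[t[2]] = (t[6], t[10])  # (source group, destination group)
        elif t[:2] == ["policy", "action"]:
            actions[t[2]] = "deny" if t[3:] == ["disposition", "deny"] else "accept"
        elif t[:2] == ["policy", "rule"]:
            rules.append((int(t[4]), t[2], t[6], t[8]))  # precedence, name, cond, action
    rules.sort(reverse=True)  # assumption: highest precedence value is checked first
    return groups, conds, actions, rules

def decide(policy, src, dst, default="accept"):
    groups, conds, actions, rules = policy
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prec, name, cond, action in rules:
        src_group, dst_group = conds[cond]
        if s in groups[src_group] and d in groups[dst_group]:
            return name, actions[action]
    return None, default  # assumption: unmatched traffic is accepted

def one_way_denies(policy):
    """Deny rules whose reverse direction (dst group -> src group) is still accepted."""
    groups, conds, actions, rules = policy
    found = []
    for _prec, name, cond, action in rules:
        src, dst = (str(groups[g][1]) for g in conds[cond])  # one sample host per group
        if actions[action] == "deny" and decide(policy, dst, src)[1] == "accept":
            found.append(name)
    return found

POLICY = parse(CONFIG)
```

In this model the posted rules match only traffic sourced from WLAN, so a packet from NET1 to WLAN falls through to the default; isolation in both directions needs a second condition with the source and destination groups reversed.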

Re: VLAN must not communicate

Posted: 22 Jan 2013 07:11
by mzced
Today I will try this.
Thanks for your advice

Re: VLAN must not communicate

Posted: 25 Jan 2013 08:22
by mzced
silvio wrote:
Hi Fabrizio,
there are some possibilities, depending on your network.
If the 6850 is the gateway of all three of your VLANs, then you can disable forwarding of the IP interface wlan. But then the DHCP for wlan must be in the same VLAN.
If you use ip-helper (DHCP relay), then IP forwarding for all IP interfaces should stay enabled.
A better way is to use policies. For example, the following config, for better understanding with a NET2 to which WLAN users have access, but not to NET1:

policy network group WLAN 192.168.3.0 mask 255.255.255.0
policy network group NET1 192.168.1.0 mask 255.255.255.0
policy network group NET2 192.168.2.0 mask 255.255.255.0

policy condition WLAN-NET1 source network group WLAN destination network group NET1
policy condition WLAN-NET2 source network group WLAN destination network group NET2

policy action ALLOW
policy action DENY disposition deny

policy rule ALLOW-NET2 precedence 100 condition WLAN-NET2 action ALLOW
policy rule DENY-NET1 precedence 10 condition WLAN-NET1 action DENY

qos apply

This is only a small example. You can use a lot of other conditions like "destination ip all", or you can allow dhcp-offer from a specific IP address.

I hope you will find your best way.
regards
Silvio

THANKSSSSSS
I have made some small changes and everything works correctly.
Thanks for your support.