Layer 3 HP Procurve Vlan ACL's

[Donny_Dog]

Does anyone have any experience with HP Procurve Layer 3 switches? We have deployed a Layer 3 mesh using the 3500yl series.

I've been asked to research connecting two sites via these switches with a 1 gb connection. The stipulation is that the 1gb connection can only be used for traffic on a specific subnet. (its essentially 2 physical sites sharing a /24 network that's subnetted in half using a /25).

The organisation do not want the connection to be used by any other traffic.

I am 90% sure I'm on the right track by deploying a VACL (Vlan ACL) and permitting only traffic destined for the specific subnet to use it.

Long shot, does anyone know what I'm talking about? is a VACL the right choice or would it be an RACL.?

 

[dk]

hmmm, switching isn't really my thing, but vlanning it definitely sounds about right, but i really am not sure, i try and stay away from ethernet networking, i do FC SAN stuff mainly.

3500 is a decent switch though, we run all our stuff on those.

 

[182Pete]

If the /25 networks only exist at each end you shouldn't be able to route across the link for other networks unless the link is participating in route announcement to other destinations. If OSPF or ISIS are not enabled this is unlikely.

 

[Donny_Dog]

If the /25 networks only exist at each end you shouldn't be able to route across the link for other networks unless the link is participating in route announcement to other destinations. If OSPF or ISIS are not enabled this is unlikely.

Yeah, we don't run OSPF etc, its just a RIPv2 mesh with spanning tree.

so it would be simply a case of not advertising the link using rip? that makes sense.
so should I keep the /25 address ranges at both ends, or just create a vlan between the two and let them use the full class C? i guess subnetting them down might give the link a break, for broadcast purposes....

 

[young_lew]

A Vacl would work, although for the purpose of what you're doing two routers would have made more sense as you could choose which routes should be advertised out of each specific interface.

And yeah it's best to keep them as /25's to keep it simple, vlan'ing them should be enough though.

 

[Donny_Dog]

A Vacl would work, although for the purpose of what you're doing two routers would have made more sense as you could choose which routes should be advertised out of each specific interface.

And yeah it's best to keep them as /25's to keep it simple, vlan'ing them should be enough though.

Hmm.. yeah the issue might be telling the 3500 not to redistribute a connected vlan in RIP.... is the redistribute static or redistribute connected a universal router/switch command? I'd have to figure out a way of telling the 3500 not to redistribute the particular vlan between the two....:S christ, I wish this was my bread and butter.

 

[182Pete]

Forget ACL's, they are not the solution as using packet filtering will break your network.

If you are using RIPv2 then you need to ensure that the point to point interface and the remote /25 networks are not included in your RIP advertisements. You also need to ensure that connected interfaces are not redistributed into RIP and if they are redistributed that the point to point interface and /25 networks are set to passive.

Removing the point to point interface from the routing protocol will stop it being used as a transit for other traffic. Once you've done that you should just configure one static route on each switch pointing towards the transit link for the /25 networks that exist at each end.