Sure. First you should take off “ip default-gateway” as this and “ip routing” should not be enabled together. Your default ip route is essentially doing the same thing.

For the access-list you could use something like…
deny ip 10.56.68.1 0.0.3.255 172.16.9.1 0.0.0.127
… which would block traffic going from Curric to Admin.

To test ip routing, ping between interfaces. If the interfaces ping, layer 3 routing is working.

If you’re still having problems you might be interested in a day or so (depending how many switches) of my time on site to resolve this for you in time for term start?

Stefan

Below is effectively our config file. VLAN 1 (WAN) links to our internet router.

Basically we don’t want to give VLANs 10,30,40 or 50 access to the Admin VLAN (20) but want all VLANs access to VLAN 1 so they can get onto the internet.

You will see that we have ip routing enabled so hopefully the switch is doing layer 3 switching taking the load off our router (on VLAN 1). We have set ip route to hopefully route any unknown traffic out to the gateway (last line of the config).

Could you suggest a suitable ACL to achieve this?

Thanks,

Stephen

ip default-gateway 10.53.160.73
ip routing
snmp-server community “public” Unrestricted
vlan 1
name “WAN”
untagged B1
ip address 10.53.160.78 255.255.255.0
no untagged A1-A24,B2-B22,Trk1
exit
vlan 10
name “Curriculum_Network”
untagged A1-A24,B2-B21,Trk1
ip address 10.56.68.1 255.255.252.0
tagged B1
exit
vlan 20
name “Admin_Network”
untagged B22
ip address 172.16.9.1 255.255.255.128
tagged B1
exit
vlan 30
name “Teacher_wireless”
ip helper-address 10.56.68.15
ip address 10.58.228.1 255.255.255.0
tagged A1-A24,B1-B21,Trk1
exit
vlan 40
name “Untrusted_wireless”
ip helper-address 10.56.68.15
ip address 10.58.229.1 255.255.255.0
tagged A1-A24,B2-B21,Trk1
exit
vlan 50
name “Trusted_wireless”
ip helper-address 10.56.68.15
ip address 10.58.230.1 255.255.254.0
tagged A1-A24,B2-B21,Trk1
exit
ip route 0.0.0.0 0.0.0.0 10.53.160.73

You could always set traffic shaping policies on your dvPortGroup to put top end limits on ingress or egress traffic.

I actually thought the shares and limits were applied to both ingress and egress combined, as ‘network traffic’ let’s say. Otherwise a value on HostX could potentially surpass the same shares/limits set on HostY. Where did you read this?

Stefan

In the above example CURRIC can talk to ADMIN but not the other way around.

I’ll try explain:
When VLANs are defined on an HP switch they won’t talk to each other until you either:
a.) enable ip default-gateway to route between the VLANs via a router (sometimes called router on a stick).
b.) enable ip routing on the switch which will route between the VLANs without a router.

ip routing is the preferred method as it keeps bandwidth on the backplane of a switch instead of creating a link bottleneck to a router.

When ip routing is enabled the switch will route between all VLANs with an ip address, without security on the VLANs. This is where the ip access-list extended “ACL_NAME” comes in to play, which is then applied to each of the VLANs you would like to secure with ip access-group ACL_NAME vlan.

Let me know how you get on. If you’re still struggling i’ll email you, we might be able to help over the phone.

Stefan