Monday, November 25, 2019

Played with routing, ended up with a multicast mess

I'm trying to learn about L3 switch routing. I thought I had great success today, but it turns out I only traded one problem for another.

I'll describe the environment: I have an HP Aruba 3810 and a sizable number of VLANs, though the ones of importance are VLANs 2, 10, and 1000. The latter (1000) has a domain controller and a 40GbE NAS which I want the devices on VLANs 2 and 10 to communicate with, but I don't want devices on VLAN 2 to be able to communicate directly with VLAN 10 devices and vice versa. Nor do I want any of the other VLANs to cross-communicate.

To reiterate, 2 can talk to 1000 and vice-versa, 10 can talk to 1000 and vice-versa, but 2 may not talk to 10 or vice versa. And the rest of the VLANs keep to themselves.

Anyway, I managed to discover how to do that quite successfully! I found the relevant commands (see below) and set the workstations to use the 3810M as their gateway, and voila! All seemed to be great... except for a new problem.

That problem: _All_ VLANs are now getting multicast/IGMP/mDNS traffic from _all_ other VLANs.

For example, my environment is all Macs, and in Finder it'll list nearby devices found via Bonjour/mDNS. And I've now got machines exclusively on VLAN 1 that are seeing Bonjour/mDNS announcements from machines on other VLANs: 2, 5, 10, 50, you name it.

I didn't change _a thing_ on any of the other VLANs or the workstations on them. The machines on those other VLANs aren't even using the 3810M as their gateway. I haven't the faintest idea why this is happening and I don't even know where to _begin_ diagnosing this. Heck, the Multicast and Routing guide for the 3810M is 460 pages.

Someone throw me a bone?

In case it helps, here's a truncated version of my config file, mainly containing the parts relevant to routing. I'd appreciate it if someone would tell me where I went stupid in this, if I have.

igmp filter-unknown-mcast
igmp lookup-mode ip
ip access-list extended "OnlyVLAN02-and-1000"
   1 permit ip 10.2.0.0 0.0.255.255 0.0.0.0 255.255.255.255
   2 permit ip 10.0.0.0 0.0.255.255 0.0.0.0 255.255.255.255
   exit
ip access-list extended "OnlyVLAN10-and-1000"
   1 permit ip 10.10.0.0 0.0.255.255 0.0.0.0 255.255.255.255
   2 permit ip 10.0.0.0 0.0.255.255 0.0.0.0 255.255.255.255
   exit
ip dns server-address priority 1 1.1.1.1
ip route 0.0.0.0 0.0.0.0 10.0.1.1 metric 250
ip routing
vlan 1
   no ip address
   ip igmp
   ip igmp version 3
   exit
vlan 2
   ip access-group "OnlyVLAN02-and-1000" out
   ip address 10.2.1.241 255.255.0.0
   ip igmp
   ip igmp version 3
   exit
vlan 5
   no ip address
   ip igmp
   ip igmp version 3
   exit
vlan 10
   ip access-group "OnlyVLAN10-and-1000" out
   ip address 10.10.1.241 255.255.0.0
   ip igmp
   ip igmp version 3
   exit
vlan 50
   name "VLAN50"
   no ip address
   ip igmp
   ip igmp version 3
   voice
   exit
vlan 1000
   ip address 10.0.1.241 255.255.0.0
   ip igmp
   ip igmp version 3
   exit
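As an added example (not part of the original post, and not vendor code), here is a small offline model of the two extended ACLs in the config above, so the intended routed-unicast policy (2 and 10 each reach 1000, 2 and 10 never reach each other) can be checked without touching the switch. It assumes the ArubaOS-Switch extended-ACL form `permit ip <src> <src-wildcard> <dst> <dst-wildcard>` with an implicit `deny any` at the end, and models an `out` access-group as being evaluated on routed traffic leaving the switch on that VLAN. The sample host addresses are constructed. It says nothing about the multicast/mDNS flooding the post describes, which these unicast ACLs do not govern.

```python
import ipaddress
from dataclasses import dataclass

# --- wildcard-mask matching (1 bits in the wildcard are "don't care") ---
def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (wildcard_match(src_ip, self.src, self.src_wc)
                and wildcard_match(dst_ip, self.dst, self.dst_wc))

def parse_ace(line: str) -> Ace:
    """Parse one ACE line exactly as it appears in the posted config."""
    seq, action, proto, src, src_wc, dst, dst_wc = line.split()
    if proto != "ip":
        raise ValueError("this model only handles 'ip' entries")
    return Ace(action, src, src_wc, dst, dst_wc)

def evaluate(acl, src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; no match means the implicit deny."""
    for ace in acl:
        if ace.matches(src_ip, dst_ip):
            return ace.action
    return "deny"

# The two ACLs copied from the posted config.
ACLS = {
    "OnlyVLAN02-and-1000": [
        parse_ace("1 permit ip 10.2.0.0 0.0.255.255 0.0.0.0 255.255.255.255"),
        parse_ace("2 permit ip 10.0.0.0 0.0.255.255 0.0.0.0 255.255.255.255"),
    ],
    "OnlyVLAN10-and-1000": [
        parse_ace("1 permit ip 10.10.0.0 0.0.255.255 0.0.0.0 255.255.255.255"),
        parse_ace("2 permit ip 10.0.0.0 0.0.255.255 0.0.0.0 255.255.255.255"),
    ],
}

# Which ACL is bound "out" on which VLAN, and each VLAN's subnet, from the config.
VLAN_OUT_ACL = {2: "OnlyVLAN02-and-1000", 10: "OnlyVLAN10-and-1000", 1000: None}
VLAN_SUBNET = {2: "10.2.0.0/16", 10: "10.10.0.0/16", 1000: "10.0.0.0/16"}

def vlan_of(ip: str) -> int:
    for vlan, net in VLAN_SUBNET.items():
        if ipaddress.ip_address(ip) in ipaddress.ip_network(net):
            return vlan
    raise ValueError(f"{ip} is not in a modelled VLAN")

def routed_flow_allowed(src_ip: str, dst_ip: str) -> bool:
    """Assumed model: a routed packet exits on the destination's VLAN,
    so that VLAN's 'out' ACL (if any) decides whether it is delivered."""
    acl_name = VLAN_OUT_ACL.get(vlan_of(dst_ip))
    if acl_name is None:
        return True                      # no ACL bound on the egress VLAN
    return evaluate(ACLS[acl_name], src_ip, dst_ip) == "permit"

def policy_matrix() -> dict:
    """Evaluate one constructed host per VLAN against every other VLAN."""
    hosts = {2: "10.2.1.50", 10: "10.10.1.50", 1000: "10.0.1.10"}  # constructed
    return {(s, d): routed_flow_allowed(hosts[s], hosts[d])
            for s in hosts for d in hosts if s != d}

if __name__ == "__main__":
    for (s, d), ok in sorted(policy_matrix().items()):
        print(f"VLAN {s:>4} -> VLAN {d:>4}: {'permit' if ok else 'deny'}")
```

Running it shows the matrix the post describes: both directions between 2 and 1000 and between 10 and 1000 are permitted, and both directions between 2 and 10 fall through to the implicit deny. The 10.0.0.0/16 entry with a 0.0.255.255 wildcard only matches 10.0.x.x, which is why VLAN 2's 10.2.x.x sources do not slip through the VLAN 10 ACL.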

