Hi!
Ok, for a basic setup, you need three VLANs:
create vlan admin
configure vlan admin tag 10
configure vlan admin ipaddress 10.76.22.1 255.255.255.0
create vlan controls
configure vlan controls tag 20
configure vlan controls ipaddress 172.16.22.1 255.255.254.0
create vlan century
configure vlan century tag 30
configure vlan century ipaddress 10.76.0.xx 255.255.255.0 <- need correct IP here (are you .22 and Century some other IP?)
configure iproute add 0.0.0.0 0.0.0.0 10.76.0.22 <- IP of the Century router
enable ipforwarding <--- enables routing on all VLANs
Add ports to the VLANs (examples, use your own port assignments as needed):
configure vlan admin add ports 1-10 untagged
configure vlan controls add ports 11-20 untagged
configure vlan century add ports 24 untagged
In case you need tagged ports with, say, admin and controls for trunking those to another switch:
configure vlan admin add ports 22-23 tagged
configure vlan controls add ports 22-23 tagged
I am assuming this is how the network is supposed to be connected:
admin------ Extreme ---- Century router ---- Internet
controls---- X440
What I didn't get was which IP addresses you use for the X440-to-Century connection. I assume this:
- Century router has IP 10.76.0.22/24 on the interface towards the X440
- X440 should have another address in that subnet, designated 10.76.0.xx/24 above
This should work, but will not stop the controls network from reaching the Internet. For that you need a policy.
After testing the basic setup (please do that first so you know the basics work), you need a policy (ACL) that denies traffic from VLAN controls to the Internet.
edit policy deny-controls-internet
i (for enabling editing, an ugly vi editor monstrosity)
[Paste the text below into the editor]
# Policy for denying traffic from Controls to the Internet
entry permit-controls-admin {
if {
source-address 172.16.22.0/23;
destination-address 10.76.22.0/24;
} then {
permit;
}
}
entry deny-controls-Internet {
if {
source-address 172.16.22.0/23;
} then {
deny;
}
}
Quit the ugly vi-like editor with Esc and then ZZ (shift z twice) or Esc :w (I think, check)
Apply the policy to the VLANs:
configure access-list deny-controls-internet add vlan controls
This applies the policy/ACL to the VLAN controls and will have no effect on other VLANs.
If all is good, you're done!
I did this as a dry-run, no testing, so if not all is correct, please forgive me 😉
/Fredrik
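As an added example (not part of Fredrik's post or any Extreme tooling), the script below parses a constructed copy of the policy text above and evaluates sample flows against it, so the effect of the two entries can be checked before the policy is applied to the controls VLAN. It assumes first-match-wins evaluation and an implicit permit when no entry matches; only source-address and destination-address conditions are modelled.

```python
import ipaddress
import re

# Constructed copy of the policy from the post (same entries, compacted layout).
POLICY_TEXT = """
# Policy for denying traffic from Controls to the Internet
entry permit-controls-admin {
    if { source-address 172.16.22.0/23; destination-address 10.76.22.0/24; }
    then { permit; }
}
entry deny-controls-Internet {
    if { source-address 172.16.22.0/23; } then { deny; }
}
"""

ENTRY_RE = re.compile(
    r"entry\s+(?P<name>\S+)\s*\{\s*if\s*\{(?P<cond>.*?)\}\s*then\s*\{(?P<act>.*?)\}\s*\}",
    re.S)

def parse_policy(text):
    """Return [(entry name, {field: network}, action)] in file order."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        cond = {}
        for stmt in m.group("cond").split(";"):
            stmt = stmt.strip()
            if not stmt:
                continue
            field, value = stmt.split(None, 1)
            if field in ("source-address", "destination-address"):  # only these are modelled
                cond[field] = ipaddress.ip_network(value, strict=False)
        action = m.group("act").strip().rstrip(";").strip()
        entries.append((m.group("name"), cond, action))
    return entries

def evaluate(entries, src, dst):
    """First matching entry wins; assumption: no match means implicit permit."""
    pkt = {"source-address": ipaddress.ip_address(src),
           "destination-address": ipaddress.ip_address(dst)}
    for name, cond, action in entries:
        if all(pkt[field] in net for field, net in cond.items()):
            return action, name
    return "permit", None

if __name__ == "__main__":
    entries = parse_policy(POLICY_TEXT)
    for src, dst in [("172.16.22.10", "10.76.22.5"), ("172.16.23.10", "8.8.8.8"),
                     ("10.76.22.5", "8.8.8.8"), ("172.16.22.10", "172.16.23.20")]:
        print(src, "->", dst, evaluate(entries, src, dst))
```

Note that the last sample flow (controls host to controls host) also hits the deny entry as the policy is written; whether the switch applies a VLAN ingress ACL to intra-VLAN frames is a platform question worth verifying during the basic test.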