
I've got the following test network:

Architecture:

edge_a: 192.168.e.1    [edge vlan]  (edge switch, no acl) [admin vlan] 192.168.m.1/24

core:   192.168.m.2/24 [admin vlan] (core router, yes acl) [admin vlan] 

edge_b: 192.168.m.3/24 [admin vlan] (edge switch, no acl) [edge2 vlan] 192.168.e2.1

Topology:

edge_a <--[admin vlan ]--> core <--[admin vlan]--> edge_b

The edge switches do not support ACLs, only a small subset of IP routing functionality (HP Procurve 2600, or 2800).

The Core supports ACLs (Procurve 5308xl).

Old architecture: All VLANs ran back to the core router which was the "default gateway" for each.

I'm trying to move the "default gateway" for each vlan to the relevant edge switches.

However, the edge switches will happily route between directly connected vlans such as the Admin vlan. Nodes have no business on that network.

To block access into the admin vlan I'm applying an ACL to the "admin vlan OUT" interface of the core. The theory is that responses to a non-admin source will have no route back and so will always route through the core, thereby filtering the TCP response.

This does not work, however: an ICMP ping succeeds and results in the following routing table on an edge switch:

remote edge switch# sh ip route

                                                                IP Route Entries

  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  0.0.0.0/0          192.168.m.2     101  static               0          250  
  192.168.m.0/24     Admin_Vlan      101  connected            0          0 
  192.168.e.226/32   192.168.m.1     101  icmp                 0          255  

I suspected maybe this was to do with IRDP, however this protocol is disabled on all three switches in this example.

Where is this "ICMP" route coming from?

This architecture is the best solution I know and this ICMP thing is really wrenching my works.
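As an added illustration (not part of the question or of any answer), the following Python check parses the ProCurve `show ip route` output quoted above, flags rows of Type `icmp` (the type ProCurve uses for host routes learned from ICMP redirect messages), and reports whether each one steers traffic to a gateway other than the default gateway, which is where the core's ACL sits in this design. It assumes numeric values for the post's placeholder octets (m -> 10, e -> 20) and the column layout shown in the post.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed copy of the 'show ip route' output from the question, with the
# post's placeholder octets replaced by numbers: m -> 10 (admin VLAN), e -> 20.
SHOW_IP_ROUTE = """\
  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  0.0.0.0/0          192.168.10.2    101  static               0          250
  192.168.10.0/24    Admin_Vlan      101  connected            0          0
  192.168.20.226/32  192.168.10.1    101  icmp                 0          255
"""

# Destination, Gateway, VLAN and Type columns; the header and rule lines have
# no "prefix/len" first column, so they never match and are skipped.
ROUTE_RE = re.compile(r"^\s*(\S+/\d+)\s+(\S+)\s+(\d+)\s+(\S+)")


def parse_routes(text):
    """Parse ProCurve 'show ip route' rows into dicts keyed by column name."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dest, gateway, vlan, rtype = m.groups()
        routes.append({"dest": ip_network(dest), "gateway": gateway,
                       "vlan": int(vlan), "type": rtype.lower()})
    return routes


def next_hop(routes, addr):
    """Longest-prefix match: the gateway the switch will actually forward to."""
    ip = ip_address(addr)
    best = max((r for r in routes if ip in r["dest"]),
               key=lambda r: r["dest"].prefixlen, default=None)
    return best["gateway"] if best else None


def redirect_routes(routes):
    """List Type 'icmp' routes (installed from ICMP redirects) and whether each
    one sends traffic past the default gateway, i.e. around the core's ACL."""
    default = next((r for r in routes if r["dest"].prefixlen == 0), None)
    findings = []
    for r in routes:
        if r["type"] != "icmp":
            continue
        findings.append({"host": str(r["dest"]), "via": r["gateway"],
                         "bypasses_default_gw": default is not None
                         and r["gateway"] != default["gateway"]})
    return findings
```

Running `redirect_routes(parse_routes(SHOW_IP_ROUTE))` shows the /32 for the pinging host being forwarded straight to the other edge switch instead of to the core, which is why the reply never meets the ACL.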
