Re: ACLs to restrict access to VLANs on ProCurve 5412xl

Steve Rooney
Occasional Contributor

ACLs to restrict access to VLANs on ProCurve 5412xl

Hi,


Hope you can help with this :)


We have enabled IP routing on the above switch with various VLANs which all route between each other fine. We have one VLAN acting as the core network, which has the default gateway out of the building for internet access on it, whereas the other VLANs are for separate departments. We need to restrict access to the network so that the department VLANs are unable to access each other, but all VLANs can access the core network and the core network can access the department VLANs. We need this access because we have incoming VPNs which need to be able to access the department VLANs depending on which user is logging into the firewall.


I've tried setting up a standard ACL which permitted the following IP range: 192.168.0.0 0.0.1.255, which as I understand the wildcard subnetting would allow the 192.168.1.0 (core network) range onto the VLAN but nothing above it (192.168.2.0/24 onwards is the department VLANs). This ACL is then applied to the VLAN as a VACL rather than inbound or outbound. However, when I set this, all traffic seems to be blocked. I had to specify a further permit for the IP range of the department's network, e.g. 192.168.2.0 0.0.0.255, which then allowed the devices within the VLAN to access the internet. Unfortunately this also allowed other VLANs to access devices on this VLAN, so it defeated my idea of security.


Any ideas on how I should achieve this, or where I'm going wrong? Should I be using inbound/outbound ACLs instead? If so, what should my IP/subnetting be, as the reverse wildcard function is a little confusing.


Thanks in advance.

paulgear
Esteemed Contributor

Re: ACL's to restrict access to VLAN's on Procurve 5412xl

I personally think that an outbound RACL on each client VLAN would make the most sense in your situation.
Regards,
Paul
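Added example, not code from either poster: a small Python model of ProCurve-style wildcard-mask matching and first-match/implicit-deny ACL evaluation, plus a generator for the per-department outbound RACLs the reply recommends. It assumes addressing the thread only partly states (core VLAN 1 = 192.168.1.0/24, department VLANs 2 to 4 = 192.168.2.0/24 onwards) and that VPN clients and internet replies reach the departments by being routed in from the firewall on the core VLAN. The CLI text it emits follows ProCurve K-series extended ACL syntax as I know it (`ip access-list extended`, `ip access-group ... out` under the VLAN); confirm it against the manual for your firmware before pasting it in.

```python
"""Model ProCurve wildcard ACLs and build outbound RACLs per department VLAN.

Added example; not the switch's own code. Addresses, VLAN numbers and the
VPN/internet path are assumptions, not facts stated in the thread.
"""
import ipaddress
from dataclasses import dataclass


def wildcard_match(ip: str, network: str, wildcard: str) -> bool:
    """Wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    192.168.0.0 0.0.1.255 covers 192.168.0.0 through 192.168.1.255, so it
    includes the core /24 and excludes 192.168.2.0/24 onwards."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    wc_i = int(ipaddress.IPv4Address(wildcard))
    care = ~wc_i & 0xFFFFFFFF
    return (ip_i & care) == (net_i & care)


@dataclass
class Rule:
    action: str  # "permit" or "deny"
    src: str     # "any" or "<network> <wildcard>"
    dst: str     # "any" or "<network> <wildcard>"


def _matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    network, wildcard = spec.split()
    return wildcard_match(ip, network, wildcard)


def evaluate(rules: list, src_ip: str, dst_ip: str) -> str:
    """First matching rule wins; a list that matches nothing ends in the
    implicit deny, which is why a permit-core-only list drops everything
    the department hosts themselves send."""
    for r in rules:
        if _matches(r.src, src_ip) and _matches(r.dst, dst_ip):
            return r.action
    return "deny"


# Assumed addressing (constructed for the example).
CORE = "192.168.1.0 0.0.0.255"
DEPARTMENTS = {
    2: "192.168.2.0 0.0.0.255",
    3: "192.168.3.0 0.0.0.255",
    4: "192.168.4.0 0.0.0.255",
}


def first_attempt() -> list:
    """The standard ACL from the question: permit 192.168.0.0 0.0.1.255 only.
    Applied to a department VLAN it never matches the department's own
    source addresses, so every packet they originate hits the implicit deny."""
    return [Rule("permit", "192.168.0.0 0.0.1.255", "any")]


def outbound_racl(vlan: int) -> list:
    """RACL applied 'out' on a department VLAN, i.e. to traffic the switch
    routes into that VLAN. Deny the other departments as sources and permit
    everything else, so the core VLAN, VPN users and internet return traffic
    (arriving from the firewall with public source addresses) still pass.
    A 'permit core, deny the rest' list would drop those internet replies."""
    rules = [Rule("deny", net, "any") for v, net in DEPARTMENTS.items() if v != vlan]
    rules.append(Rule("permit", "any", "any"))
    return rules


def procurve_config(vlan: int) -> str:
    """Render the RACL in ProCurve extended-ACL syntax (assumed; verify)."""
    name = f"dept-vlan{vlan}-out"
    lines = [f'ip access-list extended "{name}"']
    for r in outbound_racl(vlan):
        lines.append(f"   {r.action} ip {r.src} {r.dst}")
    lines += ["   exit", f"vlan {vlan}", f'   ip access-group "{name}" out', "   exit"]
    return "\n".join(lines)


def simulate() -> dict:
    """Evaluate constructed flows against the RACL of the VLAN they are routed into.
    VLAN 1 (core) carries no ACL, so traffic toward it is always permitted."""
    flows = {
        "core->dept2": ("192.168.1.10", "192.168.2.20", 2),
        "dept3->dept2": ("192.168.3.10", "192.168.2.20", 2),
        "internet-reply->dept2": ("203.0.113.5", "192.168.2.20", 2),
        "dept2->core": ("192.168.2.20", "192.168.1.10", 1),
    }
    result = {}
    for name, (src, dst, vlan) in flows.items():
        rules = outbound_racl(vlan) if vlan in DEPARTMENTS else []
        result[name] = "permit" if not rules else evaluate(rules, src, dst)
    return result


if __name__ == "__main__":
    for vlan in DEPARTMENTS:
        print(procurve_config(vlan))
    print(simulate())
```

The generated lists deny department-to-department traffic in both directions (VLAN 3's RACL denies VLAN 2 sources, VLAN 2's denies VLAN 3 sources) while leaving the core VLAN, and anything routed in from it, unfiltered; if the firewall hands out VPN addresses from a range that collides with a department /24, add an explicit permit for that range above the denies.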