https://community.hpe.com/t5/switches-hubs-and-modems/layer-4-acl-s-for-guest-vlan/m-p/4024210#M11804 Can you paste a copy of the ACL you tried using? Thu, 21 Jun 2007 08:13:32 GMT Matt Hobbs 2007-06-21T08:13:32Z https://community.hpe.com/t5/switches-hubs-and-modems/layer-4-acl-s-for-guest-vlan/m-p/4024209#M11803 hi,<BR /><BR />i want to restrict the traffic between our guest-vlan and server-vlan. in the server-vlan are dhcp-, dns- and proxy-server. <BR /><BR />guests: vlan 11 (192.168.11.0)<BR />server: vlan 100 (192.168.100.0)<BR />dns/dhcp: 192.168.100.111<BR />proxy: 192.168.100.99:8080<BR /><BR />i want to allow only dhcp/dns/proxy-traffic. <BR /><BR />i've wrote a outbound acl for vlan 11...but it doesnt work properly.<BR /><BR />any ideas or config examples?<BR /><BR />thanks Thu, 21 Jun 2007 06:55:55 GMT https://community.hpe.com/t5/switches-hubs-and-modems/layer-4-acl-s-for-guest-vlan/m-p/4024209#M11803 Sven Bergmann 2007-06-21T06:55:55Z https://community.hpe.com/t5/switches-hubs-and-modems/layer-4-acl-s-for-guest-vlan/m-p/4024210#M11804 Can you paste a copy of the ACL you tried using? Thu, 21 Jun 2007 08:13:32 GMT https://community.hpe.com/t5/switches-hubs-and-modems/layer-4-acl-s-for-guest-vlan/m-p/4024210#M11804 Matt Hobbs 2007-06-21T08:13:32Z https://community.hpe.com/t5/switches-hubs-and-modems/layer-4-acl-s-for-guest-vlan/m-p/4024211#M11805 On the GuestVLAN interface, apply the inbound ACL like this:<BR /><BR />ip access-group Guests_in in<BR /><BR />Inbound ACL should be:<BR /><BR />ip access-list extended Guests_in<BR /> remark *** To allow traffic to proxy:<BR /> permit tcp 192.168.11.0 0.0.0.255 host 192.168.100.99 eq 8080<BR /> remark *** To allow DNS querries:<BR /> permit udp 192.168.11.0 0.0.0.255 host 192.168.100.111 eq domain<BR /> remark *** To allow IP aquisition:<BR /> permit udp any any eq bootps<BR /><BR />To the same GuestVLAN interface, apply the outbound ACL like this:<BR /><BR />ip access-group Guests_out out<BR /><BR />Outbound ACL should be:<BR /> ip access-list extended Guests_out<BR /> remark *** To allow traffic from proxy:<BR /> permit ip host 192.168.100.99 192.168.11.0 0.0.0.255 <BR /> remark *** To allow DNS and DHCP responses:<BR /> permit ip host 192.168.100.111 any<BR /><BR /><BR />Comments:<BR />1. I use something like that on a Cisco device, but good routers should allow you something similar, probabilly with slightly different sintax<BR />2. The inbound ACL is more granular, and therefore stricter than the looser outbound ACL.<BR />3. The order of the statements in the ACLs take into account traffic quantities: proxy traffic will be biggest, then DNS querries/answers and some light DHPC requests/responses<BR /><BR /> Fri, 22 Jun 2007 00:24:54 GMT https://community.hpe.com/t5/switches-hubs-and-modems/layer-4-acl-s-for-guest-vlan/m-p/4024211#M11805 OLARU Dan 2007-06-22T00:24:54Z https://community.hpe.com/t5/switches-hubs-and-modems/layer-4-acl-s-for-guest-vlan/m-p/4024212#M11806 @OLARU Dan<BR /><BR />it looks good...i will try it next week.<BR /><BR />i think my basically failure was to misunterstand the meaning of inbound/outbound. (i thougt that outbound traffic is traffic that leaves the vlan) Sat, 23 Jun 2007 01:30:33 GMT https://community.hpe.com/t5/switches-hubs-and-modems/layer-4-acl-s-for-guest-vlan/m-p/4024212#M11806 Sven Bergmann 2007-06-23T01:30:33Z https://community.hpe.com/t5/switches-hubs-and-modems/layer-4-acl-s-for-guest-vlan/m-p/4024213#M11807 inbound/outbound is defined with respect to the router:<BR /><BR />1. inbound: traffic that enters the router interface from the outside<BR />2. outbound: traffic that gets out of the router interface Mon, 25 Jun 2007 01:39:10 GMT https://community.hpe.com/t5/switches-hubs-and-modems/layer-4-acl-s-for-guest-vlan/m-p/4024213#M11807 OLARU Dan 2007-06-25T01:39:10Z