topic Re: Acl - Use port or vlan? in Switches, Hubs, and Modems

Acl - Use port or vlan?

Angelo Pellegrinon — Fri, 08 Aug 2008 17:58:52 GMT

Hello.
I have an HP procurve 5400 and I need to use special acl for 3 pc groups.

The pcs are in the SAME SUBNET ad I must have:
PC GROUP A: Allow speacking with PC GROUP B
PC GROUP B: Allow speacking with PC GROUP C
PC GROUP A: Block speacking with PC GROUP C

Can i make 3 vlans and use static routing or special acl? Is it possible with SAME SUBNETS?

How can i do it?

Is there any other solution?

Sorry for my English and thank's in advance

Angelo

Re: Acl - Use port or vlan?

cenk sasmaztin — Fri, 08 Aug 2008 18:10:09 GMT

hi Angelo

***Can i make 3 vlans and use static routing or special acl? Is it possible with SAME SUBNETS?

no Angelo you don't create same subnet tree vlan it's impossible

for running this operation two way

way 1-assign statically each group pc ip address and attach acl on switch port(static)very bed.

way 2-my advice you can use IDM you can create on IDM user base access list no need look port, no need static ip ,no need vlan very successfull

cenk

Re: Acl - Use port or vlan?

cenk sasmaztin — Fri, 08 Aug 2008 18:12:12 GMT

or each user group carry other subnet and you can sperate vlan your network

in that case attach user group acl on vlan interface

cenk

Re: Acl - Use port or vlan?

Angelo Pellegrinon — Fri, 08 Aug 2008 18:28:08 GMT

I try to explain better what i have to do.
I have one Voip Server (GROUP A), this server uses a PRI over erthernet box (GROUP B) and a lot of VoIP telephones (GROUP C).

A sees B&C, B sees A, C sees A

I must optimize the traffic between A and B. Unfortunately i can't attach a new nic on he server (and dedicate a vlan for those ips.)

There are no users and i cant' utilize vlan tagged packets (the PRI box is "stupid")

Re: Acl - Use port or vlan?

Angelo Pellegrinon — Fri, 08 Aug 2008 18:32:57 GMT

Maybe the acl on ports is the best solution?

The server's ip is static, the pri box is static, only telephones ips are not static. Buy i wish to do something like:

ip xxx.xxx.xxx.1(pri box) accepts only from xxx.xxx.xxx.200 and xxx.xxx.xxx.201 (voip servers)

and

ip xxx.xxx.xxx.1 sends ony to xxx.xxx.xxx.200 and xxx.xxx.xxx.201

I must say that the box can only speak and only accept packets from/to the server. I don't whant the pri box to receive other network packets like broadcast..

Re: Acl - Use port or vlan?

cenk sasmaztin — Fri, 08 Aug 2008 18:50:19 GMT

A sees B&C, B sees A, C sees A******:D

so B notsee c all other group between connect

is this true ?

there fore you make create tree vlan

and you can running routing between vlan

for example

group A vlan 10 172.16.10.1/24
group B vlan 20 172.16.20.1/24
group C vlan 30 172.16.30.1/24

and ip routing enable on switch

now each vlan connect between (with routing)

you can create acl and assign vlan b and vlan c

cenk

Re: Acl - Use port or vlan?

cenk sasmaztin — Fri, 08 Aug 2008 19:00:30 GMT

or you can use source port filtering

source port-filter very easy way for seperate switch port for example

coresw2(config)# filter source-port A1 drop A10-A20

int A1 dont connect A10-A20 interface but connection all other interface

very easy

cenk

Re: Acl - Use port or vlan?

Angelo Pellegrinon — Fri, 08 Aug 2008 19:02:36 GMT

OK!

My problem is that the voip servers, the phones and the pri box are in the same network.

Is it possible if a put the pri box in other network?

Server and phone in vlan 100, pri box in vlan 200.

Ogni server ips in vlan 100 can see vlan 200 and vice versa

Re: Acl - Use port or vlan?

Angelo Pellegrinon — Fri, 08 Aug 2008 19:05:14 GMT

The source port-filter solution maybe it's good.

Can i say:

Port A1 connects port A2 and A3 and receives only from A2 and A3?

Ports A2 and A3 can see all other ports

Re: Acl - Use port or vlan?

cenk sasmaztin — Fri, 08 Aug 2008 19:11:49 GMT

vlan sperate only L2 broadcast domain
you can ip routing command on switch running routing between vlan

for example

vlan 10 ip address 172.16.10.1/24

vlan 10 member pc
ip address 172.16.10.10/24
dg:172.16.10.1

vlan 20 ip address 172.16.20.1/24
vlan 20 member pc
ip adress 172.16.20.10/24
dg:172.16.20.1

you can ping test between pc you can see ping ok.
vlan sperate only L2 you can want connect different vlan's pc enable ip routing on switch and assign vlan interface ip address
pc default gateway address

cenk

Re: Acl - Use port or vlan?

cenk sasmaztin — Fri, 08 Aug 2008 19:18:32 GMT

magic command :)

coresw2(config)# filter source-port A1 drop A4-A24,B1-B24......

a1 connect only A2 and A3 interface

A2 and A3 interface connect all other interface

cenk

Re: Acl - Use port or vlan?

cenk sasmaztin — Fri, 08 Aug 2008 19:29:30 GMT

Angelo can you test now ?

Re: Acl - Use port or vlan?

Angelo Pellegrinon — Sat, 09 Aug 2008 09:34:37 GMT

Hi!

I'm going to try it on Monday and then i'll tell you!

Thanks in advance!
Angelo