topic Re: Ristriction of all VLAN except vlan1 one IP with some specific ports 443,80,110,25 in Switches, Hubs, and Modems

Ristriction of all VLAN except vlan1 one IP with some specific ports 443,80,110,25

Alok-Gupta — Mon, 16 Feb 2009 17:21:48 GMT

Hi attached is the configuration file now how can we block vlan50 from accessing all vlan except vlan1 but even in vlan1 one i want to allow only one ip for for full access which is gateway so that it can go out and one ip with specific port 110 and 25.

in brief i want to allow two ip for specific port in vlan1

one for smtp and pop3 (10.2.1.100)
and second for internet (10.2.1.1 & 10.2.1.2)

Re: Ristriction of all VLAN except vlan1 one IP with some specific ports 443,80,110,25

cenk sasmaztin — Mon, 16 Feb 2009 20:23:45 GMT

you can use acl
create acl role and asign vlan 50 interface (out)

ip access-list standard "10"
permit 10.2.1.100 255.255.255.0
permit 10.2.1.1 255.255.255.0
permit 10.2.1.2 255.255.255.0
deny 10.2.1.0 255.255.255.0
deny 10.2.10.0 255.255.255.0
deny 10.2.20.0 255.255.255.0
deny 10.2.30.0 255.255.255.0
deny 10.2.40.0 255.255.255.0
permit 0.0.0.0 255.255.255.25

Re: Ristriction of all VLAN except vlan1 one IP with some specific ports 443,80,110,25

cenk sasmaztin — Mon, 16 Feb 2009 20:28:32 GMT

copy and paste this config on your switch and make test

my advice ;update your switch last version

; J8697A Configuration Editor; Created on release #K.12.16

hostname "5406zl"
snmp-server contact ""
snmp-server location "Server Room"
time timezone -8
time daylight-time-rule Continental-US-and-Canada
ip access-list standard "10"
permit 10.2.1.100 255.255.255.0
permit 10.2.1.1 255.255.255.0
permit 10.2.1.2 255.255.255.0
deny 10.2.1.0 255.255.255.0
deny 10.2.10.0 255.255.255.0
deny 10.2.20.0 255.255.255.0
deny 10.2.30.0 255.255.255.0
deny 10.2.40.0 255.255.255.0
permit 0.0.0.0 255.255.255.255
module 1 type J8702A
module 2 type J8702A
module 3 type J8702A
module 4 type J8702A
module 5 type J8702A
ip default-gateway 10.2.1.1
ip routing
snmp-server community "public" Unrestricted
snmp-server community "private" Unrestricted
vlan 1
name "Default"
untagged C1-C8
ip address 10.2.1.2 255.255.255.0
no untagged A1-A24,B1-B24
exit
vlan 10
name "Servers"
untagged C9-C20
ip address 10.2.10.1 255.255.255.0
exit
vlan 20
name "Clients"
untagged A1-A24,B1-B24
ip address 10.2.20.1 255.255.255.0
exit
vlan 30
name "Altiris"
untagged D1-D24,E1-E24
ip address 10.2.30.1 255.255.255.0
exit
vlan 40
name "Guest"
untagged C21-C24
ip address 10.2.40.1 255.255.255.0
exit
vlan 50
name "Voice"
ip address 10.2.50.1 255.255.255.0
tagged A1-A24,B1-B24
ip access-group "10" out
voice
exit

Re: Ristriction of all VLAN except vlan1 one IP with some specific ports 443,80,110,25

Alok-Gupta — Tue, 17 Feb 2009 05:57:14 GMT

All right i will do that but in this way the IP which we have permitted is having full permission but i want to allow only smtp and pop3 for 10.2.1.100.

Re: Ristriction of all VLAN except vlan1 one IP with some specific ports 443,80,110,25

cenk sasmaztin — Tue, 17 Feb 2009 07:06:33 GMT

; J8697A Configuration Editor; Created on release #K.12.16

hostname "5406zl"
snmp-server contact ""
snmp-server location "Server Room"
time timezone -8
time daylight-time-rule Continental-US-and-Canada
ip access-list extended "110"
permit tcp 10.2.50.0 255.255.255.0 eq 110 10.2.1.100 0.0.0.0 eq 110
permit tcp 10.2.50.0 255.255.255.0 eq 25 10.2.1.100 0.0.0.0 eq 25
permit ip 10.2.50.0 255.255.255.0 10.2.1.1 255.255.255.0
permit ip 10.2.50.0 255.255.255.0 10.2.1.2 255.255.255.0
deny ip 10.2.50.0 255.255.255.0 10.2.1.0 255.255.255.0
deny ip 10.2.50.0 255.255.255.0 10.2.10.0 255.255.255.0
deny ip 10.2.50.0 255.255.255.0 10.2.20.0 255.255.255.0
deny ip 10.2.50.0 255.255.255.0 10.2.30.0 255.255.255.0
deny ip 10.2.50.0 255.255.255.0 10.2.40.0 255.255.255.0
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
module 1 type J8702A
module 2 type J8702A
module 3 type J8702A
module 4 type J8702A
module 5 type J8702A
ip default-gateway 10.2.1.1
ip routing
snmp-server community "public" Unrestricted
snmp-server community "private" Unrestricted
vlan 1
name "Default"
untagged C1-C8
ip address 10.2.1.2 255.255.255.0
no untagged A1-A24,B1-B24
exit
vlan 10
name "Servers"
untagged C9-C20
ip address 10.2.10.1 255.255.255.0
exit
vlan 20
name "Clients"
untagged A1-A24,B1-B24
ip address 10.2.20.1 255.255.255.0
exit
vlan 30
name "Altiris"
untagged D1-D24,E1-E24
ip address 10.2.30.1 255.255.255.0
exit
vlan 40
name "Guest"
untagged C21-C24
ip address 10.2.40.1 255.255.255.0
exit
vlan 50
name "Voice"
ip address 10.2.50.1 255.255.255.0
tagged A1-A24,B1-B24
ip access-group "110" out
voice
exit

Re: Ristriction of all VLAN except vlan1 one IP with some specific ports 443,80,110,25

Alok-Gupta — Sat, 21 Feb 2009 07:52:43 GMT

HI, but with this configuration i m not able to block anything every thing is open
like 10.2.1.100 is open for everyting
an not just for 25 & 110.

Re: Ristriction of all VLAN except vlan1 one IP with some specific ports 443,80,110,25

Alok-Gupta — Sat, 21 Feb 2009 18:00:17 GMT

But with the standard access-list everything is working but with standard access-list every port is open on a certiain IP address.

Re: Ristriction of all VLAN except vlan1 one IP with some specific ports 443,80,110,25

Alok-Gupta — Fri, 27 Feb 2009 20:02:02 GMT

Hi can anybody help me regarding this.

Re: Ristriction of all VLAN except vlan1 one IP with some specific ports 443,80,110,25

Alok-Gupta — Wed, 11 Mar 2009 08:13:53 GMT

HI....
can anybody help me on this