You actually can Implement an ACL to filter Intervlan Traffic.
You can only implement it towards the inbound direction of the vlan interface.
-by default when you create the vlans and add IP's to the vlan interfaces the hp switch 5120 will add default routes to every vlan that has an IP. So by default all vlan's will be able to comunicate with each other.
Lets say you have 3 vlans and you want vlan 11 and 13 to not comunicate with each other and vlan 12 to comunicate with all of them.
Vlan11 - 10.0.11.0/24
vlan 12 - 10.0.12.0/24
vlan 13 - 10.0.13.0/24
On the a5120 CLI
First create the vlan and assign ip address to the vlan interface.
system-view
vlan 11
quit
int vlan 11
ip add 10.0.11.1 255.255.255.0
quit
and so on for the other vlans - These ip addresses are going to be the default gateways of the vlans, so your clients will point to them as the default gateway.
now lets say I want to restrict traffic from users on vlan 11 (10.0.11/0/24) to get to vlan 13 (10.0.13.0/24) and vice versa.
First lets create an advanced acl to deny vlan 11 to vlan 13
acl number 3011
description Inbound vlan 11 traffic
rule deny ip source 10.0.11.0 255.255.255.0 destination 10.0.13.0 255.255.255.0
rule permit ip source any
quit
now go into vlan interface 11 and apply the acl
int vlan 11
packet-filter 3011 inbound
quit
- this will prevent vlan 11 from accesing vlan 13
-this needs to be applied to the inbound interface of vlan 11 since all of vlan 11's traffic is being sent to 10.0.11.1 (which is the vlan's interface) as its gateway.
now to prevent vlan 13 traffic to vlan 11
acl number 3013
description Inbound Vlan 13 traffic
rule deny ip source 10.0.13.0 255.255.255.0 destination 10.0.11.0 255.255.255.0
rule permit ip source any
quit
int vlan 13
packet-filter 3013 inbound
quit
now vlan 11 and 13 can no longer ping or comunicate with each other.
Also advanced ACL's start in the 3000 range so I just add the vlan to the end of it. Ex. vlan 11 - 3011
hope this helps
Jason Keubke
CCNA
HP AIS Network Infrastructure
