02-10-2014 10:17 AM
Re: Can we restrict routing between VLANs in A5120 using ACL?
Thank you for the post. What if you would like to allow Web traffic from VLAN 11 to VLAN 13?
03-11-2014 02:34 PM
Re: Can we restrict routing between VLANs in A5120 using ACL?
I tried to follow that example and it didn't work out. I opened a case with HP and we got it working.
The main issue was that an INVERSE mask needs to be used, so 0.0.0.255 instead of 255.255.255.0.
It should also be noted that HP puts an implicit PERMIT at the end of ACLs; Cisco uses an implicit DENY.
PG
04-22-2014 07:17 AM
Re: Can we restrict routing between VLANs in A5120 using ACL?
On vlan 11 I have made:
rule 10 deny ip source 10.0.11.0 0.0.0.255 destination 10.0.13.0 0.0.0.255
rule 20 permit ip source any destination any
This blocks both sides from pinging.
And on VLAN 13 I have made:
rule 10 permit ip source any destination any
I can't get VLAN 13 to ping or communicate with VLAN 11 while blocking VLAN 11 from pinging or communicating with VLAN 13.
Thanks for any advice.
04-11-2015 08:01 PM
Re: Can we restrict routing between VLANs in A5120 using ACL?
Wow, I just happened to stumble back on this and I realized that I didn't put the inverse mask. Sorry for the misinformation; here is how it should have been stated.
Now let's say I want to restrict traffic from users on VLAN 11 (10.0.11.0/24) to get to VLAN 13 (10.0.13.0/24) and vice versa.
First let's create an advanced ACL to deny VLAN 11 to VLAN 13:
acl number 3011
description Inbound vlan 11 traffic
rule deny ip source 10.0.11.0 0.0.0.255 destination 10.0.13.0 0.0.0.255
rule permit ip source any
quit
now go into vlan interface 11 and apply the acl
int vlan 11
packet-filter 3011 inbound
quit
- This will prevent VLAN 11 from accessing VLAN 13.
- This needs to be applied to the inbound direction of VLAN interface 11, since all of VLAN 11's traffic is being sent to 10.0.11.1 (which is the VLAN's interface) as its gateway.
now to prevent vlan 13 traffic to vlan 11
acl number 3013
description Inbound Vlan 13 traffic
rule deny ip source 10.0.13.0 0.0.0.255 destination 10.0.11.0 0.0.0.255
rule permit ip source any
quit
int vlan 13
packet-filter 3013 inbound
quit
Now VLAN 11 and 13 can no longer ping or communicate with each other.
Also, advanced ACLs start in the 3000 range, so I just add the VLAN number to the end of it. Ex. VLAN 11 - 3011.
hope this helps
02-18-2016 11:03 AM
Re: Can we restrict routing between VLANs in A5120 using ACL?
It works so well that it makes me smile!!
I just blocked the mobile VLAN from communicating with the corporate VLAN. :D
It is so great my friend.
Thank you.
10-29-2018 10:19 AM
Re: Can we restrict routing between VLANs in A5120 using ACL?
hello friend, yes it can be achieved, after reviewing several forums I made this configuration:
Example:
vlan1: 172.16.0.0 255.0.0.0 vlan20: 172.20.0.0 255.255.255.0
1) Start by making an extended ACL.
Here is an extended ACL called 3020 that will allow bidirectional traffic that starts from the VLAN 1.
acl number 3020
description Entrance vlan 20 traffic
rule permit tcp source 172.20.0.0 0.0.0.255 destination any established
* The word "established" at the end of this ACL means that traffic initiated from anywhere outside of VLAN 20 is allowed and will allow VLAN 20 devices to communicate again with the initiator.
2) Next, allow the devices in VLAN 20 to respond to pings initiated from devices outside of your VLAN.
rule permit icmp source 172.20.0.0 0.0.0.255 destination any icmp-type echo-reply
* "echo-reply" allows devices on VLAN 20 to respond to ping and other ICMP requests.
3) Next, prevent traffic from VLAN 20 from going to the other VLANs.
rule deny ip source 172.20.0.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
4) Next, allow VLAN 30 traffic to reach the Internet
rule permit ip source 172.20.0.0 0.0.0.255 destination any
5) Next, deny the rest of the traffic (for security)
rule deny ip source any destination any
Summary:
rule permit tcp source 172.20.0.0 0.0.0.255 destination any established
rule permit icmp source 172.20.0.0 0.0.0.255 destination any icmp-type echo-reply
rule deny ip source 172.20.0.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
rule permit ip source 172.20.0.0 0.0.0.255 destination any
rule deny ip source any destination any
6) Apply this incoming ACL on VLAN 20
interface Vlan-interface20
packet-filter 3020 inbound
11-29-2018 06:24 AM
Re: Can we restrict routing between VLANs in A5120 using ACL?
Hello,
Actually I have a problem with this issue.
I have 3 VLANs: vlan1, vlan2, vlan3.
vlan1 has a DNS+DHCP server. I want to deny vlan1 to vlan3, but when I create an ACL with the deny rule, vlan3 doesn't receive an IP from DHCP. How can I permit DHCP and DNS?
My ACL config is here:
acl number 3012
rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 10.35.110.0 0.0.0.255
rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
acl number 3013
rule 0 deny ip source 192.168.2.0 0.0.0.255 destination 10.35.110.0 0.0.0.255
rule 5 deny ip source 192.168.2.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
acl number 3014
rule 0 deny ip source 10.35.110.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
rule 5 deny ip source 10.35.110.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
Thanks for support.
Yakup.
12-03-2018 03:37 AM
Re: Can we restrict routing between VLANs in A5120 using ACL?
@it_ejvnior @Jasoned32 @Van Cotoco @yakup akpınar @CesarMartinez
Please note that the second rule wasn't necessary considering the fact that HPE Comware switches have an "Implicit permit" as the last ACE while CISCO, HPE Provision and Aruba OS switches have "Implicit deny".
So you may want to add a deny all rule explicitly.
Regards,
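The thread makes three points that are easy to get wrong when auditing inter-VLAN ACLs: the mask field is a wildcard (inverse) mask, so a subnet mask written there makes a deny rule match almost nothing; Comware ends an ACL with an implicit permit while Cisco/ProVision-style platforms end with an implicit deny; and a bare "deny ip" between a server VLAN and a client VLAN also drops the DNS and DHCP replies the clients depend on. The following is an added example, not code from any poster or from HPE, that models those semantics in a small first-match evaluator and runs the rule sets posted above through it (acl 3011 from 04-11-2015, acl 3020 from 10-29-2018, acl 3012 from 11-29-2018). The evaluator's behaviour (first match wins, configurable implicit action, "established" meaning TCP ACK or RST) and the "fixed" 3012 list that exempts UDP replies from ports 53 and 67 are assumptions made for the illustration, not something the thread states.

```python
"""Added example: a small evaluator for Comware-style advanced ACLs.

Constructed to check the rule sets in this thread; not vendor code.
Assumed semantics: first matching rule wins, and an unmatched packet gets
the list's default action ("permit" on Comware, "deny" on Cisco/ProVision).
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

Net = Tuple[str, str]                        # (address, wildcard mask)
ANY: Net = ("0.0.0.0", "255.255.255.255")    # "source any" / "destination any"


def wildcard_match(addr: str, net: Net) -> bool:
    """A 1 bit in the wildcard means 'don't care' (the inverse of a subnet mask)."""
    pattern, wildcard = net
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    a, p = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(pattern))
    return (a & care) == (p & care)


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: str = "ip"                 # "ip" matches every protocol
    src: Net = ANY
    dst: Net = ANY
    sport: Optional[int] = None       # "source-port eq N"
    dport: Optional[int] = None       # "destination-port eq N"
    established: bool = False         # TCP with ACK or RST set, i.e. reply traffic
    icmp_type: Optional[str] = None   # "icmp-type echo" / "icmp-type echo-reply"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: FrozenSet[str] = frozenset()
    icmp_type: Optional[str] = None


def rule_matches(r: Rule, p: Packet) -> bool:
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if not (wildcard_match(p.src, r.src) and wildcard_match(p.dst, r.dst)):
        return False
    if r.sport is not None and r.sport != p.sport:
        return False
    if r.dport is not None and r.dport != p.dport:
        return False
    if r.established and not (p.flags & {"ACK", "RST"}):
        return False
    if r.icmp_type is not None and r.icmp_type != p.icmp_type:
        return False
    return True


def evaluate(rules: List[Rule], p: Packet, default: str = "permit") -> str:
    """First match wins; 'default' is the implicit rule at the end of the list."""
    for r in rules:
        if rule_matches(r, p):
            return r.action
    return default


VLAN11, VLAN13 = ("10.0.11.0", "0.0.0.255"), ("10.0.13.0", "0.0.0.255")
VLAN20, VLAN1 = ("172.20.0.0", "0.0.0.255"), ("172.16.0.0", "0.0.255.255")
SRV, VLAN3 = ("192.168.1.0", "0.0.0.255"), ("10.35.110.0", "0.0.0.255")

# acl 3011 as posted (inbound on Vlan-interface 11)
ACL_3011 = [Rule("deny", "ip", VLAN11, VLAN13), Rule("permit", "ip")]
# the same deny with a subnet mask typed into the wildcard field (the 03-11-2014 mistake)
ACL_3011_MASK_BUG = [Rule("deny", "ip", ("10.0.11.0", "255.255.255.0"),
                          ("10.0.13.0", "255.255.255.0"))]
# acl 3020 as posted (inbound on Vlan-interface 20)
ACL_3020 = [Rule("permit", "tcp", VLAN20, ANY, established=True),
            Rule("permit", "icmp", VLAN20, ANY, icmp_type="echo-reply"),
            Rule("deny", "ip", VLAN20, VLAN1),
            Rule("permit", "ip", VLAN20, ANY),
            Rule("deny", "ip")]
# acl 3012 as posted, plus an ASSUMED fix (not from the thread) that lets DNS (53)
# and DHCP server (67) replies from the server VLAN through before the deny
ACL_3012 = [Rule("deny", "ip", SRV, VLAN3), Rule("deny", "ip", SRV, ("172.16.10.0", "0.0.0.255"))]
ACL_3012_FIXED = [Rule("permit", "udp", SRV, VLAN3, sport=53),
                  Rule("permit", "udp", SRV, VLAN3, sport=67)] + ACL_3012


def check_thread_rules() -> dict:
    """Constructed sample packets run through each posted ACL."""
    ping = Packet("10.0.11.5", "10.0.13.7", "icmp", icmp_type="echo")
    syn = Packet("172.20.0.5", "172.16.0.9", "tcp", 40000, 443, frozenset({"SYN"}))
    ack = Packet("172.20.0.5", "172.16.0.9", "tcp", 40000, 443, frozenset({"ACK"}))
    out = Packet("172.20.0.5", "203.0.113.9", "tcp", 40000, 443, frozenset({"SYN"}))
    dns_reply = Packet("192.168.1.10", "10.35.110.20", "udp", 53, 50000)
    return {
        "3011 vlan11->vlan13": evaluate(ACL_3011, ping),
        "3011 vlan11->vlan12": evaluate(ACL_3011, Packet("10.0.11.5", "10.0.12.7")),
        "mask bug on comware": evaluate(ACL_3011_MASK_BUG, ping),   # deny never matches
        "mask bug, implicit deny": evaluate(ACL_3011_MASK_BUG, ping, default="deny"),
        "3020 new tcp to vlan1": evaluate(ACL_3020, syn),
        "3020 tcp reply to vlan1": evaluate(ACL_3020, ack),
        "3020 new tcp to internet": evaluate(ACL_3020, out),
        "3012 dns reply": evaluate(ACL_3012, dns_reply),
        "3012 fixed dns reply": evaluate(ACL_3012_FIXED, dns_reply),
    }


if __name__ == "__main__":
    for name, verdict in check_thread_rules().items():
        print(f"{name:28s} {verdict}")
```

Two results are worth a second look before trusting a deployed ACL. With the subnet mask in the wildcard field, the deny never matches and Comware's implicit permit quietly passes everything, whereas the same list on an implicit-deny platform blocks everything; the symptom differs but the rule is wrong in both cases. And the posted acl 3012 drops the DNS reply from the server VLAN, which is exactly why clients stop resolving and (via the relay) stop getting leases; the exemptions have to sit above the deny because the first match wins.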