07-20-2015 02:45 PM
Sandboxing a VLAN to disable internet traffic on 5406zl switch.
Short form after the form logged me out and deleted my first attempt!
We have a 5406zl with a lot of 2920 and 2610 switches routing through it. I need to sandbox a VLAN so traffic can only reach the internal 10.4.0.0/20 network range.
VLAN 82 is the vlan. Its range is 10.4.8.128/25 and I want to only allow 10.4.0.0/20 traffic.
So is this my process?
ip access-list standard "Sandbox-82"
permit ip 10.4.0.0/20
vlan 82 ip access-group Sandbox-82 out
07-20-2015 05:58 PM
Re: Sandboxing a VLAN to disable internet traffic on 5406zl switch.
"in"
07-21-2015 11:23 AM
Re: Sandboxing a VLAN to disable internet traffic on 5406zl switch.
Thank you!
07-21-2015 01:20 PM - edited 07-21-2015 01:59 PM
Re: Sandboxing a VLAN to disable internet traffic on 5406zl switch.
Well, it does not appear to be working.
Here is my ACL entry in the running config:
ip access-list standard "Sandbox-82"
10 permit 10.4.0.0 0.0.15.255
exit
So I applied it to VLAN 82, and now that VLAN entry has this:
ip access-group "Sandbox-82" in
Doesn't that only allow traffic from 10.4.0.0/20 into the VLAN from outside?
Yet traffic is still coming in when I ping www.google.com. What did I forget? Or should this be an extended ACL with source and destination information?
More like this:
ip access-list extended Sandbox-82
10 permit ip 10.4.0.0/20 10.4.8.128/25
exit
07-21-2015 03:41 PM
Re: Sandboxing a VLAN to disable internet traffic on 5406zl switch.
Just to be clear: when you apply that ACL to the VLAN82 interface, hosts on VLAN82 can still ping Google?
If that's the case, please clarify:
- what is the default GW address configured on the host you are pinging from?
- what is the IP address configured on the VLAN82 interface where you have the acl applied?
07-21-2015 03:51 PM
Re: Sandboxing a VLAN to disable internet traffic on 5406zl switch.
Actually, you are right. What you actually want to do is filter the traffic on the destination subnet, so use an extended list, like:
ip access-list extended Sandbox-82
10 permit ip 10.4.8.128/25 10.4.0.0/20
So traffic from the VLAN82 subnet will be permitted to those 10.4.0.0/20 addresses, with the implicit deny stopping anything else.
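Added example, not part of any post in this thread and not HPE code: a small Python model of first-match ACL evaluation with the implicit deny, run over the three ACLs discussed above as they would apply to packets entering from VLAN 82. The host address, the two destination addresses and all function names are constructed for illustration, and the model is a simplification of the switch's behaviour.

```python
import ipaddress

# Each entry: (action, source network, destination network or None).
# None models a standard ACL entry, which matches on source address only.
STANDARD = [("permit", "10.4.0.0/20", None)]               # standard ACL from the thread
REVERSED = [("permit", "10.4.0.0/20", "10.4.8.128/25")]    # asker's extended draft
CORRECTED = [("permit", "10.4.8.128/25", "10.4.0.0/20")]   # extended ACL from the last reply

def wildcard_to_prefix(net, wildcard):
    """Convert '10.4.0.0' + '0.0.15.255' (running-config form) to '10.4.0.0/20'."""
    inverted = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    mask = ipaddress.IPv4Address(inverted)
    return str(ipaddress.ip_network(f"{net}/{mask}"))

def evaluate(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s not in ipaddress.ip_network(src_net):
            continue
        if dst_net is not None and d not in ipaddress.ip_network(dst_net):
            continue
        return action
    return "deny"

# Constructed sample packets sent by a host inside 10.4.8.128/25 (VLAN 82).
HOST = "10.4.8.130"
PACKETS = {"internal": "10.4.1.20", "internet": "8.8.8.8"}

def report(acl):
    """Return the permit/deny verdict for each sample destination."""
    return {name: evaluate(acl, HOST, dst) for name, dst in PACKETS.items()}

if __name__ == "__main__":
    print("running-config entry:", wildcard_to_prefix("10.4.0.0", "0.0.15.255"))
    for label, acl in [("standard", STANDARD),
                       ("reversed extended", REVERSED),
                       ("corrected extended", CORRECTED)]:
        print(f"{label:20s} {report(acl)}")
```

The standard ACL permits both packets because the VLAN 82 subnet itself lies inside 10.4.0.0/20, so a source-only match never reaches the implicit deny; only the entry with the VLAN 82 subnet as source and 10.4.0.0/20 as destination separates internal from internet traffic.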