LAN Routing
cancel
Showing results for 
Search instead for 
Did you mean: 

deny communication in same vlan on 2930M-48G

 
Highlighted
Tim23
Occasional Advisor

deny communication in same vlan on 2930M-48G

Hello everybody,

in my network i have 10 Vlan's.  Host  192.168.152.112 is in Vlan 152(Vlan IP: 192.168.152.1 ).  in this Vlan there are 10 host's, so 192.168.152.112 should not have access to other host, only with host: 192.168.152.102  

Ip routing is enabled on switch.

I've tried with ACL do that but doesn't work.

 ip access-list extended VL152

# Deny ip host 192.168.152.112 any 

# Permit ip host 192.168.152.112 host 192.168.152.102

any Idea ??

 

 

3 REPLIES 3

Re: deny communication in same vlan on 2930M-48G

Hello

The first thing that may be a problem is the order of the ACL rules. The rules are processed top down and as soon as a rule is matched the action is performed and the remaining rules are not evaluated. For this reason you should put more specific rules at the top of the ACL.

In your case you have deny ip host 192.168.152.112 any  as a first rule and permit ip host 192.168.152.112 host 192.168.152.102 as a second rule.

The first rule is more general and it catches packets matching the second rule. So if a packet with source IP 192.168.152.112 and destination IP 192.168.152.102 is seen by the switch only the first rule (deny) will be triggered and the packet denied. So you should reverse the order.

You are not writing if this ACL was applied (ip access-group command), how it was applied. You can apply it on a physical port or a VLAN. Inbound or outbound direction. On a VLAN you can apply it to routed or switched traffic. Many things depend on how the ACL was applied.

You should also keep in evaluate if your ACL should be permitting traffic in both directions or only in one. If you are allowing traffic from A to B, it doesnt mean that traffic from B to A is also allowed. But this also depends on where the ACL is applied and in which direction.

If you want to learn more about the ACLs on the 2930 switches, you can check the Access Security Guide, Chapter 12 Access Control List.

https://internal.support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-a00076262en_us&withFrame

Please note that there may be another way to achieve what you want. You can filter traffic based on port number and not IP addressing. If you have a single host per port this may also be an option, please check in the same manual chapter 25 Source port filter.

I am an HPE employee

Accept or Kudo


parnassus
Honored Contributor

Re: deny communication in same vlan on 2930M-48G

Hi!

ACLs are used against traffic routed incoming/outgoing related VLANs (inter-VLANs) and don't apply for traffic among hosts within the very same VLAN...my bad...with VLAN ACL it's possible...eventually document yourself about the alternate Private VLAN technique used to segregate traffic between hosts residing into a particular VLAN.

Have a look here.

Tim23
Occasional Advisor

Re: deny communication in same vlan on 2930M-48G

thank you for your reply,

yes with private VLAN it is ok. 

but i'm looking for a easier way. i have test this ACL and that works.

ip access-list extended "VLin"
10 deny ip 192.168.152.101  192.168.152.102 
20 permit ip any any
exit

so in VLAN 152 :

ip acces-gr VLin vlan-in 

I'm wait to config and test other things too an then we'll see .  I'll let you know .

thank you again