12-12-2019 12:41 AM - edited 12-12-2019 12:42 AM
deny communication in same vlan on 2930M-48G
Hello everybody,
In my network I have 10 VLANs. Host 192.168.152.112 is in VLAN 152 (VLAN IP: 192.168.152.1). In this VLAN there are 10 hosts, so 192.168.152.112 should not have access to the other hosts, only to host 192.168.152.102.
IP routing is enabled on the switch.
I've tried to do that with an ACL, but it doesn't work.
ip access-list extended VL152
# Deny ip host 192.168.152.112 any
# Permit ip host 192.168.152.112 host 192.168.152.102
Any idea?
12-13-2019 02:19 AM - edited 12-13-2019 02:20 AM
Re: deny communication in same vlan on 2930M-48G
Hello
The first thing that may be a problem is the order of the ACL rules. The rules are processed top-down, and as soon as a rule is matched the action is performed and the remaining rules are not evaluated. For this reason you should put the more specific rules at the top of the ACL.
In your case you have deny ip host 192.168.152.112 any as the first rule and permit ip host 192.168.152.112 host 192.168.152.102 as the second rule.
The first rule is more general and it catches the packets matching the second rule. So if a packet with source IP 192.168.152.112 and destination IP 192.168.152.102 is seen by the switch, only the first rule (deny) will be triggered and the packet denied. So you should reverse the order.
You don't say whether this ACL was applied (ip access-group command) or how it was applied. You can apply it on a physical port or on a VLAN, in the inbound or outbound direction. On a VLAN you can apply it to routed or switched traffic. Many things depend on how the ACL was applied.
You should also evaluate whether your ACL should permit traffic in both directions or only in one. If you are allowing traffic from A to B, it doesn't mean that traffic from B to A is also allowed. But this also depends on where the ACL is applied and in which direction.
If you want to learn more about the ACLs on the 2930 switches, you can check the Access Security Guide, Chapter 12 Access Control List.
Please note that there may be another way to achieve what you want. You can filter traffic based on the port number and not on IP addressing. If you have a single host per port this may also be an option; please check Chapter 25 Source port filter in the same manual.
12-13-2019 03:54 AM - edited 12-13-2019 04:02 AM
Re: deny communication in same vlan on 2930M-48G
Hi!
ACLs are used against traffic routed into/out of the related VLANs (inter-VLAN) and don't apply to traffic among hosts within the very same VLAN... my bad... with a VLAN ACL it's possible... you may also want to read up on the alternative Private VLAN technique used to segregate traffic between hosts residing in a particular VLAN.
Have a look here.
I'm not an HPE Employee
12-16-2019 07:24 AM
Re: deny communication in same vlan on 2930M-48G
Thank you for your reply,
Yes, with a private VLAN it is OK.
But I'm looking for an easier way. I have tested this ACL and it works.
ip access-list extended "VLin"
10 deny ip 192.168.152.101 192.168.152.102
20 permit ip any any
exit
So in VLAN 152:
ip access-group VLin vlan-in
I'm waiting to configure and test other things too, and then we'll see. I'll let you know.
Thank you again
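As an added example (not code from this thread, from HPE, or from the switch firmware), the following Python script models the top-down, first-match ACL evaluation that the first reply describes, including the implicit deny at the end of the list, and runs it over the three ACLs posted in the thread: the original order, the reversed order the reply recommends, and the VLin ACL in the last post. It also flags rules that an earlier rule shadows, which is the ordering mistake in the original post. The parser is a constructed toy subset of the extended ACL syntax (only the ip protocol, with any, host, prefix-length and bare-address forms; a bare address is treated as a single host), the flows are constructed, and 192.168.152.105 stands in for any other host in the VLAN.

```python
"""First-match ACL walk, as described in the thread (constructed example).

Models top-down, first-match evaluation with an implicit 'deny any any'
at the end, so the rule-ordering problem and the one-direction-only effect
of an ACL can be checked offline. Toy subset of the extended ACL syntax.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: str      # "any", "host A.B.C.D", "A.B.C.D/len" or bare "A.B.C.D"
    dst: str


def _to_net(spec: str) -> ipaddress.IPv4Network:
    """Normalise an address spec to a network. A bare address is treated
    as a single host (/32), which is how the thread's last ACL is written."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec[5:] + "/32")
    return ipaddress.ip_network(spec, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse lines such as '10 deny ip host 192.168.152.112 any'.
    Only the 'ip' protocol and the address forms above are supported."""
    tokens = line.split()
    if tokens and tokens[0].isdigit():      # optional sequence number
        tokens = tokens[1:]
    action, proto, rest = tokens[0].lower(), tokens[1].lower(), tokens[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported rule: {line!r}")
    specs = []
    while rest:
        if rest[0].lower() == "host":
            specs.append(f"host {rest[1]}")
            rest = rest[2:]
        else:
            specs.append(rest[0])
            rest = rest[1:]
    if len(specs) != 2:
        raise ValueError(f"expected source and destination in {line!r}")
    return Rule(action, specs[0], specs[1])


def evaluate(acl, src: str, dst: str):
    """Return (action, rule_number) for the first matching rule, or
    ('deny', None) when no rule matches (the implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, rule in enumerate(acl, start=1):
        if s in _to_net(rule.src) and d in _to_net(rule.dst):
            return rule.action, number
    return "deny", None


def shadowed_rules(acl):
    """1-based numbers of rules that can never fire because an earlier rule
    already covers every packet they would match (the ordering mistake
    the first reply points out)."""
    hidden = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (_to_net(later.src).subnet_of(_to_net(earlier.src))
                    and _to_net(later.dst).subnet_of(_to_net(earlier.dst))):
                hidden.append(i + 1)
                break
    return hidden


def decisions(acl_lines, flows):
    """Map each (src, dst) flow to the action the ACL would take."""
    acl = [parse_rule(line) for line in acl_lines]
    return {flow: evaluate(acl, *flow)[0] for flow in flows}


# The ACLs posted in the thread, as text.
ORIGINAL_ORDER = ["deny ip host 192.168.152.112 any",
                  "permit ip host 192.168.152.112 host 192.168.152.102"]
REVERSED_ORDER = list(reversed(ORIGINAL_ORDER))
VLIN = ["10 deny ip 192.168.152.101 192.168.152.102",
        "20 permit ip any any"]

# Constructed flows; 192.168.152.105 stands for any other host in the VLAN.
FLOWS = [("192.168.152.112", "192.168.152.102"),
         ("192.168.152.102", "192.168.152.112"),
         ("192.168.152.112", "192.168.152.105"),
         ("192.168.152.101", "192.168.152.102"),
         ("192.168.152.102", "192.168.152.101")]

if __name__ == "__main__":
    for name, lines in [("original", ORIGINAL_ORDER),
                        ("reversed", REVERSED_ORDER), ("VLin", VLIN)]:
        acl = [parse_rule(line) for line in lines]
        print(f"{name}: shadowed rules {shadowed_rules(acl)}")
        for flow, action in decisions(lines, FLOWS).items():
            print(f"  {flow[0]} -> {flow[1]}: {action}")
```

Running it shows the two points the thread makes: in the original order rule 2 is shadowed and 192.168.152.112 to 192.168.152.102 is denied; in the reversed order that flow is permitted, 192.168.152.112 to any other host is denied, and the return flow from 192.168.152.102 falls through to the implicit deny because no rule covers it. The VLin ACL blocks only 192.168.152.101 to 192.168.152.102, while the reverse direction is still permitted by rule 20, so a second rule is needed if both directions must be blocked.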