11-21-2006 01:48 AM - last edited on 10-26-2014 07:32 PM by Lisa198503
5406zl Switch Access List
Hi,
I have installed an HP ProCurve 5406zl 48G switch for my customer. The default VLAN of the switch contains 48 ports, and they are being used for the internal private network. The other modules of the switch contain 65 different VLANs, from 192.168.10.1/24 to 192.168.75.1/24. My Default_VLAN IP address is 10.37.1.5/16.
I want to separate my Default_VLAN from the other VLANs (192.168.10.1/24 to 192.168.75.1/24). I know that I can implement these settings through an Access List, but I am new to it.
What are the exact Access List command settings for this setup?
Thank you.
P.S. This thread has been moved from Switches, Hubs, Modems (Legacy ITRC forum) to ProCurve / ProVision-Based. -HP Forum Moderator
11-21-2006 03:01 PM
Re: 5406zl Switch Access List
On the 5400 you can create ACLs to help you prevent one VLAN from accessing other VLANs.
Now, notice that you have to prevent 1 VLAN from accessing 65 VLANs; if we wanted to use standard ACLs we would need 65 of them, so we use an extended ACL with a wildcard mask instead.
5400(config)#ip access-list extended "Vlan1"
deny ip 10.37.1.5 0.0.255.255 192.168.10.1 0.0.127.255 log
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
5400(config)#vlan 1 ip access-group vlan1 out
The previous extended ACL will block any traffic with source 10.37.0.0/16 destined to the range of IP addresses from 192.168.0.0 to 192.168.127.255, and it will allow other VLAN 1 traffic destined to addresses outside that range.
After creating the ACL, we apply it on VLAN 1 (default VLAN) to outbound traffic.
Good Luck !!!
11-21-2006 06:22 PM
Re: 5406zl Switch Access List
My source networks are:
192.168.10.1
192.168.11.1
...
192.168.75.1
and the destination network is 10.37.1.5.
In your answer it will block all IP traffic from 10.37.1.5 to the 192.168.X.X network.
11-21-2006 07:42 PM
Re: 5406zl Switch Access List
Here you go :)
5400(config)#ip access-list extended "Vlan1"
deny ip 192.168.10.1 0.0.127.255 10.37.1.5 0.0.255.255 log
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
5400(config)#vlan 1 ip access-group vlan1 in
The previous extended ACL will block any INCOMING traffic with a source between 192.168.0.0 and 192.168.127.255 destined to 10.37.0.0/16, and it will allow other traffic.
Good Luck !!!
11-22-2006 02:09 AM
Re: 5406zl Switch Access List
5400(config)#ip access-list extended "Vlan1"
deny ip 192.168.10.1 0.0.127.255 10.37.1.5 0.0.255.255
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
5400(config)#vlan 1 ip access-group vlan1 out
OR
5400(config)#ip access-list extended "Vlan1"
deny ip 192.168.10.1 0.0.127.255 10.37.1.5 0.0.255.255
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
5400(config)#vlan 2 ip access-group vlan1 in
5400(config)#vlan 3 ip access-group vlan1 in
5400(config)#vlan 4 ip access-group vlan1 in
etc.
Applying ACLs in the 'in' direction is more efficient.
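The replies above (the 07:42 PM answer and the 'in'/'out' variants in this post) both rely on the entry "192.168.10.1 0.0.127.255", and the wildcard mask decides exactly which addresses are denied. This added example (not from the thread or from HPE) evaluates ProVision-style extended ACL entries with wildcard masks against sample packets, shows the real range that entry covers, and builds an exact cover of 192.168.10.0 to 192.168.75.255; the constants ACL_ANSWER and ACL_EXACT are constructed here, and the match rules are the standard first-match, implicit-deny semantics.

```python
# Added example: check what a wildcard-masked ACL entry really matches.
from ipaddress import IPv4Address

def ip_int(s: str) -> int:
    return int(IPv4Address(s))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care; every 0 bit must equal the base address."""
    care = 0xFFFFFFFF ^ ip_int(wildcard)
    return (ip_int(addr) & care) == (ip_int(base) & care)

def wildcard_range(base: str, wildcard: str):
    """Lowest and highest address a base/wildcard pair actually matches."""
    care = 0xFFFFFFFF ^ ip_int(wildcard)
    lo = ip_int(base) & care
    return str(IPv4Address(lo)), str(IPv4Address(lo | ip_int(wildcard)))

def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; entries are (action, src, src_wc, dst, dst_wc).
    The final fallback mirrors the implicit deny at the end of every ACL, which
    is why the thread's ACLs end with an explicit permit-any line."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# The single-entry ACL from the answers above (constructed copy).
ACL_ANSWER = [
    ("deny", "192.168.10.1", "0.0.127.255", "10.37.1.5", "0.0.255.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

# Exact cover of third octets 10..75 (constructed): a wildcard block must be a
# power-of-two size starting on a multiple of that size, so six entries are
# needed: 10-11, 12-15, 16-31, 32-63, 64-71, 72-75.
ACL_EXACT = [
    ("deny", f"192.168.{n}.0", f"0.0.{w}.255", "10.37.0.0", "0.0.255.255")
    for n, w in ((10, 1), (12, 3), (16, 15), (32, 31), (64, 7), (72, 3))
] + [("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")]

def denied_third_octets(acl, dst: str = "10.37.1.5") -> int:
    """How many 192.168.N.0/24 source networks the ACL denies towards dst."""
    return sum(evaluate(acl, f"192.168.{n}.1", dst) == "deny" for n in range(256))

if __name__ == "__main__":
    print(wildcard_range("192.168.10.1", "0.0.127.255"))
    print(denied_third_octets(ACL_ANSWER), denied_third_octets(ACL_EXACT))
```

Running it shows the thread's entry covers 192.168.0.0 through 192.168.127.255 (128 networks rather than the 66 the question asked for), so VLANs such as 192.168.100.0/24 would also be cut off from the default VLAN; ACL_EXACT denies exactly the 66 requested networks.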
10-22-2014 12:17 AM - edited 10-22-2014 12:20 AM
Re: 5406zl Switch Access List
Dear all, I would like to block VLAN 2 (10.140.0.0 255.255.0.0) to VLAN 1 (10.9.0.0 255.255.255.0).
I want to block VLAN 2 users from accessing VLAN 1.
hostname "Core-Switch"
ip access-list extended "Block"
exit
ip access-list extended "block"
10 deny ip 0.0.0.0 255.255.255.255 10.140.0.0 255.255.0.0
20 deny ip 0.0.0.0 255.255.255.255 10.9.0.0 255.255.255.0
exit
module 1 type J9537A
ip routing
vlan 1
name "Admin"
untagged A21
ip helper-address 10.9.1.205
ip address 10.9.1.10 255.255.255.0
tagged A1-A19,A23-A24
no untagged A20,A22
ip access-group "block" in
exit
vlan 2
name "HSIA"
untagged A20,A22
tagged A1-A6,A19,A21,A23-A24
no ip address
exit
vlan 100
name "WiFi_MNGT"
untagged A23
ip address 172.16.100.1 255.255.255.0
tagged A1-A6,A19-A21,A24
exit
vlan 140
name "VLAN140"
tagged A1-A6,A19-A24
no ip address
exit
snmp-server community "public" unrestricted
spanning-tree
spanning-tree priority 0 force-version rstp-operation
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager
password operator
Please show me how to do this.
11-26-2017 05:11 AM