Omer Asik
Occasional Advisor

5406zl Switch Access List

Hi,
I have installed an HP ProCurve 5406zl 48G switch for my customer. The default VLAN of the switch contains 48 ports, and they are being used for the internal private network. The other modules of the switch contain 65 different VLANs, from 192.168.10.1/24 to 192.168.75.1/24. My Default_Vlan IP address is 10.37.1.5/16.
I want to isolate my Default_VLAN from the other VLANs (192.168.10.1/24 to 192.168.75.1/24). I know that I can implement these settings through an Access List, but I am new to it.
What are the exact Access List command settings for this setup?
Thank you.


P.S. This thread has been moved from Switches, Hubs, Modems (Legacy ITRC forum) to ProCurve / ProVision-Based. -HP Forum Moderator

6 REPLIES
Mohieddin Kharnoub
Honored Contributor

Re: 5406zl Switch Access List

Hi

On the 5400 you can create ACLs to help you prevent one Vlan from accessing other Vlans.

Now, notice that you have to prevent 1 Vlan from accessing 65 Vlans; that means if we want to use Standard ACLs we need 65 of them, so we can use an Extended ACL and a wildcard mask instead.

5400(config)#ip access-list extended "Vlan1"
deny ip 10.37.1.5 0.0.255.255 192.168.10.1 0.0.127.255 log
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
5400(config)#vlan 1 ip access-group vlan1 out

The previous Extended ACL will block any traffic with source 10.37.0.0/16 destined to the range of IP addresses from 192.168.0.0/24 to 192.168.127.255, and it will allow other Vlan1 traffic destined to networks other than that range.

After creating the ACL we apply it on Vlan1 (default-vlan) to outbound traffic.

Good Luck !!!


Science for Everyone
Omer Asik
Occasional Advisor

Re: 5406zl Switch Access List

I want to block any IP traffic from the 192.168.X.X network to 10.37.1.5. I mean:
My source networks are:

192.168.10.1
192.168.11.1
.
.
.
.
192.168.75.1

and the destination network is 10.37.1.5.
In your answer it will block all IP traffic from 10.37.1.5 to the 192.168.X.X network.

Mohieddin Kharnoub
Honored Contributor

Re: 5406zl Switch Access List

Hi

Here you go :)


5400(config)#ip access-list extended "Vlan1"
deny ip 192.168.10.1 0.0.127.255 10.37.1.5 0.0.255.255 log
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
5400(config)#vlan 1 ip access-group vlan1 in

The previous Extended ACL will block any INCOMING traffic with source between 192.168.0.0/24 and 192.168.127.255 and destined to 10.37.0.0/16, and it will allow other traffic.

Good Luck !!!
Science for Everyone
Matt Hobbs
Honored Contributor

Re: 5406zl Switch Access List

If I'm reading this right, you have two options:

5400(config)#ip access-list extended "Vlan1"
deny ip 192.168.10.1 0.0.127.255 10.37.1.5 0.0.255.255
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
5400(config)#vlan 1 ip access-group vlan1 out

OR

5400(config)#ip access-list extended "Vlan1"
deny ip 192.168.10.1 0.0.127.255 10.37.1.5 0.0.255.255
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
5400(config)#vlan 2 ip access-group vlan1 in
5400(config)#vlan 3 ip access-group vlan1 in
5400(config)#vlan 4 ip access-group vlan1 in
etc

Applying ACLs on the 'in' is more efficient.
nawid
Occasional Visitor

Re: 5406zl Switch Access List

Dear All, I would like to block VLAN 2 (10.140.0.0 255.255.0.0) to VLAN 1 (10.9.0.0 255.255.255.0).

I wanted to block VLAN 2 users from accessing VLAN 1.


hostname "Core-Switch"
ip access-list extended "Block"
exit
ip access-list extended "block"
10 deny ip 0.0.0.0 255.255.255.255 10.140.0.0 255.255.0.0
20 deny ip 0.0.0.0 255.255.255.255 10.9.0.0 255.255.255.0
exit
module 1 type J9537A
ip routing
vlan 1
name "Admin"
untagged A21
ip helper-address 10.9.1.205
ip address 10.9.1.10 255.255.255.0
tagged A1-A19,A23-A24
no untagged A20,A22
ip access-group "block" in
exit
vlan 2
name "HSIA"
untagged A20,A22
tagged A1-A6,A19,A21,A23-A24
no ip address
exit
vlan 100
name "WiFi_MNGT"
untagged A23
ip address 172.16.100.1 255.255.255.0
tagged A1-A6,A19-A21,A24
exit
vlan 140
name "VLAN140"
tagged A1-A6,A19-A24
no ip address
exit
snmp-server community "public" unrestricted
spanning-tree
spanning-tree priority 0 force-version rstp-operation
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager
password operator

Please tell me how to do it.

runnow70
Occasional Contributor

Re: 5406zl Switch Access List

How can I use in and out on the VLAN? I'm confused. Let me know.
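As an added example, not from any poster in this thread: a small Python evaluator for the ProVision-style extended ACL lines above (`deny|permit ip SRC WILDCARD DST WILDCARD [log]`), including the RACL direction rule behind Matt's two options (an ACL applied 'in' on a VLAN sees packets entering the switch from that VLAN; 'out' sees packets leaving the switch into it). The ACL bodies from the second answer and from nawid's config are embedded as sample input; the flow addresses, VLAN numbers and function names are this example's own assumptions.

```python
# Added example: evaluate ProVision-style extended ACL lines against constructed flows.
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Wildcard bit 1 = don't care; bits that are 0 must equal the base address."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_acl(text):
    """Parse the body of an 'ip access-list extended' block, ignoring sequence numbers."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts and parts[0].isdigit():
            parts = parts[1:]  # sequence number, e.g. "10 deny ip ..."
        if len(parts) >= 6 and parts[0] in ("permit", "deny") and parts[1] == "ip":
            rules.append((parts[0], *parts[2:6]))  # action, src, src-wc, dst, dst-wc
    return rules

def evaluate(rules, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, sbase, swild, dbase, dwild in rules:
        if wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild):
            return action
    return "deny (implicit)"

def racl_result(acl_text, direction, acl_vlan, ingress_vlan, egress_vlan, src, dst):
    """What a RACL on acl_vlan does to a routed packet going ingress_vlan -> egress_vlan."""
    seen = ingress_vlan == acl_vlan if direction == "in" else egress_vlan == acl_vlan
    if not seen:
        return "not evaluated"
    return evaluate(parse_acl(acl_text), src, dst)

# Sample ACL bodies copied from the thread: the second answer's "Vlan1" ACL ...
VLAN1_ACL = """
deny ip 192.168.10.1 0.0.127.255 10.37.1.5 0.0.255.255 log
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""
# ... and nawid's "block" ACL, which has no final permit, so anything unmatched is dropped.
BLOCK_ACL = """
10 deny ip 0.0.0.0 255.255.255.255 10.140.0.0 255.255.0.0
20 deny ip 0.0.0.0 255.255.255.255 10.9.0.0 255.255.255.0
"""

if __name__ == "__main__":
    # Constructed flow: a host in VLAN 50 (192.168.50.9) sending to the default VLAN's 10.37.1.5.
    for direction in ("in", "out"):
        print(direction, racl_result(VLAN1_ACL, direction, 1, 50, 1, "192.168.50.9", "10.37.1.5"))
    print(evaluate(parse_acl(BLOCK_ACL), "10.9.1.20", "10.140.5.7"))
```

Running it shows the flow from VLAN 50 is "not evaluated" by the ACL applied 'in' on VLAN 1 but denied when it is applied 'out' on VLAN 1, and that the 0.0.127.255 wildcard also covers sources outside the 192.168.10 to 192.168.75 range the question asked about.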