- 5304XL VLAN and Access List Help
03-01-2005 08:10 AM
I have 18 VLANs that span 3 core switches and several smaller switches. The 3 core switches are 5304XL. The 3 core switches all have IP Routing enabled. There are only IP addresses on the VLANs in the main 5304 if this matters... These 3 switches also will have VLAN 90 which will be used for wireless access points for public use. I need to be able to block all traffic to the other VLANs except for Internet traffic. The Internet router (192.168.1.20) is in VLAN 1.
Can someone verify if this would work?
On the 3 core switches I would make this configuration:
VLAN 90
ip access-group 101
access-list 101 permit tcp 10.90.0.0 0.0.255.255 host 192.168.1.20 eq 80
Am I anywhere close to getting this right?
Thanks for the assistance.
03-02-2005 11:49 AM
Solution
Not too close yet. Your access list will permit people to surf to the router but not to the internet. Also you have to specify a direction in your ip access-group 101 statement (in or out).
Let's say you make this an IN list and the VLAN90 is the Wireless VLAN where all hosts will have an IP address on the 10.90.0.0 mask 255.255.0.0.
I'm more a router guy than a switch guy so I'm not really sure if the access list applies to switched traffic. I assume it doesn't. I also assume that your other VLANS all have 10.x.0.0 subnets.
access-list 101 deny ip any 10.0.0.0 0.255.255.255
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 8080
The first line blocks all ip traffic to all 10.x.0.0 subnets. The assumption here is that your other VLANs are all 10.x.0.0 so this keeps the wireless away from them. The Internet does not use the 10 net so this does not bother that traffic. If you have other IP subnets you don't want them to get to then add deny statements at the beginning. For instance, they don't need to talk to your router so you could add
access-list 101 deny ip any host 192.168.1.20
at the beginning of the list or broaden it to the whole 192.168.1.0 or even 192.168.0.0.
Don't think it will hamper 10.90.0.0 traffic from talking to other 10.90.0.0 traffic since that should be switched. If you find they can't talk to each other then start the list with
access-list 101 permit ip 10.90.0.0 0.0.255.255 10.90.0.0 0.0.255.255
The second line allows any traffic to port 80 to pass to the Internet (we've already blocked all traffic to the other VLANS by blocking the 10 net)
The last line is the same but allows them to also do https connections. The implicit deny ip any any blocks all other traffic.
You may want to add lines at the beginning of the list to allow things like
ICMP any any echo-reply
or
tcp any any established
(lets someone on the other VLANs establish a connection to a host on the wireless for troubleshooting or monitoring.)
Then you apply it with:
vlan 90 access-group 101 in
Think that should do it.
Ron
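As an added illustration (not code from this thread, from HP or from Ron), here is a small Python model of how extended ACLs like the ones above are evaluated: wildcard masks, first match wins, implicit deny at the end. The original poster's single entry, Ron's list 101 and the deny-the-router variant are run against a constructed VLAN 90 client (10.90.4.25) and a constructed public host (203.0.113.10).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added illustration of ProCurve/Cisco-style extended ACL evaluation
# (first match wins, wildcard masks, implicit deny). Not switch code; the
# client address 10.90.4.25 and the public host 203.0.113.10 are constructed.

@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol, else "tcp"/"udp"
    src: str
    src_wc: str            # wildcard mask: 0 bit = must match, 1 bit = don't care
    dst: str
    dst_wc: str
    dport: Optional[int] = None   # destination port, None = any port

ANY = ("0.0.0.0", "255.255.255.255")
def host(ip: str): return (ip, "0.0.0.0")

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w == 0      # differing bits are tolerated only under 1 bits of the mask

def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """Walk the list top-down; the first entry that matches decides."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (wildcard_match(src, ace.src, ace.src_wc)
                and wildcard_match(dst, ace.dst, ace.dst_wc)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"                  # implicit deny ip any any at the end of every list

ROUTER = "192.168.1.20"
# The original poster's single entry: only web traffic to the router itself.
ACL_OP = [Ace("permit", "tcp", "10.90.0.0", "0.0.255.255", *host(ROUTER), 80)]
# Ron's list 101 as posted: wildcard 0.255.255.255 covers the whole 10.0.0.0/8.
ACL_RON = [Ace("deny", "ip", *ANY, "10.0.0.0", "0.255.255.255"),
           Ace("permit", "tcp", *ANY, *ANY, 80),
           Ace("permit", "tcp", *ANY, *ANY, 8080)]
# Ron's optional first entry that keeps wireless clients off the router itself.
ACL_RON_NO_ROUTER = [Ace("deny", "ip", *ANY, *host(ROUTER))] + ACL_RON

def from_wireless(acl: List[Ace], dst: str, proto: str = "tcp", dport: int = 80) -> str:
    """Verdict for a VLAN 90 client (constructed address) sending to dst."""
    return evaluate(acl, proto, "10.90.4.25", dst, dport)
```

Running the verdicts shows why the original entry reaches only the router, and that anything not on a listed TCP port, such as a client's UDP 53 lookup to a resolver beyond VLAN 90, falls to the implicit deny and needs its own permit entry for browsing to work.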
03-04-2005 01:05 AM
Re: 5304XL VLAN and Access List Help
Thanks Ron, I won't be able to try it until next week but it makes sense to me now.
© Copyright 2024 Hewlett Packard Enterprise Development LP