ACL Suggestions / Help?

AoAIT
Occasional Contributor

ACL Suggestions / Help?

Ok, I'm here because of my feeble ACL skills. I’m building a new network centered around a Procurve 8206zl and need a little directional assistance.

Six IDFs (wiring closets) have fiber home runs to the server room. Each IDF logically consists of two VLANs: one for data and one for voice. So the network consists of 12 VLANs (plus a couple of administrative VLANs).

The server subnet is 10.10.1.0 /24 and the VoIP is 10.10.2.0 /24.

I would like all data subnets to talk (wide open) to the server subnet and all the voice subnets to do likewise with the VoIP system. I would also need to allow communication between the data servers and VoIP servers.

Questions:

• Would it be better to create the 'data' and 'VoIP' ACLs using IP subnets or VLAN IDs? I'm thinking IPs.

• Where do I apply the ACL? What interface? Each IDF VLAN is also a unique fiber run into the 8206. Does that mean I have to apply it within each VLAN at the 'tagged' port(s) on the 8206?

• Does anyone have an example of something similar that I could completely plagiarize?

Thanks in advance,
Tom
2 REPLIES
Ian Vaughan
Honored Contributor

Re: ACL Suggestions / Help?

Howdy,
I would use IPs (and TCP ports if you want to get fancy) and use them inbound on the L3 interface. I always think of it as trying to defend the perimeter of the device that's doing the inter-VLAN routing.

The ACL just needs applying to the VLAN itself (the logical L3 interface), not the ports therein.
Something like:
# vlan 200 ip access-group HOSTS in
would apply an ACL called HOSTS inbound on VLAN 200.

As for an example see p10-46 in here -
http://cdn.procurve.com/training/Manuals/3500-5400-6200-8200-ASG-Jan08-10-ACLs.pdf

Just take your time with your "wildcard" masks on the ACLs (a normal class C subnet is 0.0.0.255, not 255.255.255.0), as they are the opposite way around to the ones that you put on the interfaces with IP addresses.

Cheers
Ian
AoAIT
Occasional Contributor

Re: ACL Suggestions / Help?

Thanks for the reply.

I actually printed that whole section and am using it for reference.

Let me give some details.

Here's the layout for the building:
Data VLANs
10.10.131.0 - 3rd Floor North
10.10.231.0 - 3rd Floor South
10.10.121.0 - 2nd Floor North
10.10.221.0 - 2nd Floor South
10.10.111.0 - 1st Floor North
10.10.211.0 - 1st Floor South
10.10.101.0 - Basement Level

Voice VLANs
10.10.132.0 - 3rd Floor North
10.10.232.0 - 3rd Floor South
10.10.122.0 - 2nd Floor North
10.10.222.0 - 2nd Floor South
10.10.112.0 - 1st Floor North
10.10.212.0 - 1st Floor South
10.10.102.0 - Basement Level

The data VLANs only need to talk to the server subnet of 10.10.1.0 /24. I believe the following applied 'in' to the server VLAN interface should do:

ip access-list extended 111
permit ip 10.10.131.0 0.0.0.255 10.10.1.0 0.0.0.255
permit ip 10.10.231.0 0.0.0.255 10.10.1.0 0.0.0.255
permit ip 10.10.121.0 0.0.0.255 10.10.1.0 0.0.0.255
permit ip 10.10.221.0 0.0.0.255 10.10.1.0 0.0.0.255
permit ip 10.10.111.0 0.0.0.255 10.10.1.0 0.0.0.255
permit ip 10.10.211.0 0.0.0.255 10.10.1.0 0.0.0.255
permit ip 10.10.101.0 0.0.0.255 10.10.1.0 0.0.0.255

For the voice VLANs, how do I make it so they can talk between themselves? Do I have to make an entry for each VLAN to each VLAN?

Thanks,
Tom
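Added example, not code from this thread or from HP: a small Python model of wildcard-mask matching and of the per-VLAN entries that follow from Ian's advice to apply the list inbound on each VLAN's own L3 interface, using the subnets Tom listed. It also covers Tom's last question, since inbound on a voice VLAN the source is fixed to that VLAN's subnet, so reaching the other voice VLANs needs one entry per destination rather than a full VLAN-to-VLAN matrix. The /24 prefix lengths and the ACL name are assumptions.

```python
import ipaddress

def wildcard(cidr):
    """Network address and ACL wildcard mask for a CIDR (/24 -> 0.0.0.255).
    The wildcard is the inverse of the subnet mask, the point Ian warns about."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)

def _covered(addr, base, wc):
    """Wildcard match: bits set in wc are 'don't care', every other bit must equal."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wc))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

def ace_matches(ace, src, dst):
    """Does one 'permit|deny ip SRC SW DST DW' entry cover this src/dst pair?"""
    _, _, s, sw, d, dw = ace.split()
    return _covered(src, s, sw) and _covered(dst, d, dw)

def acl_action(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace_matches(ace, src, dst):
            return ace.split()[0]
    return "deny"

# Subnets from the thread; the /24 lengths are assumed (Tom listed them without masks).
DATA = ["10.10.131.0/24", "10.10.231.0/24", "10.10.121.0/24", "10.10.221.0/24",
        "10.10.111.0/24", "10.10.211.0/24", "10.10.101.0/24"]
VOICE = ["10.10.132.0/24", "10.10.232.0/24", "10.10.122.0/24", "10.10.222.0/24",
         "10.10.112.0/24", "10.10.212.0/24", "10.10.102.0/24"]
SERVERS, VOIP = "10.10.1.0/24", "10.10.2.0/24"

def per_vlan_acl(own_subnet, destinations):
    """Entries for an ACL applied 'in' on one VLAN's L3 interface. Traffic entering
    the switch there is sourced from that VLAN, so the source is always its own
    subnet: N-1 entries per voice VLAN instead of an N*N matrix."""
    s, sw = wildcard(own_subnet)
    acl = []
    for dst in destinations:
        if dst != own_subnet:
            d, dw = wildcard(dst)
            acl.append(f"permit ip {s} {sw} {d} {dw}")
    return acl

def voice_vlan_acl(own_subnet):
    return per_vlan_acl(own_subnet, [VOIP] + VOICE)

def data_vlan_acl(own_subnet):
    return per_vlan_acl(own_subnet, [SERVERS])

if __name__ == "__main__":
    print("ip access-list extended voice-3N")  # hypothetical ACL name
    print("\n".join("  " + e for e in voice_vlan_acl("10.10.132.0/24")))
```

The entries use the same `permit ip src wildcard dst wildcard` form as Tom's list 111; check the list header and `ip access-group` syntax against the ProCurve ACL guide Ian linked before pasting onto the 8206zl.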