HPE Community
Switches, Hubs, and Modems
1752577 Members
4843 Online
108788 Solutions
New Discussion

Re: Access-list doubt with tagged ports and virtual hosts

 
JordiBlasco
New Member

‎06-03-2008 10:38 AM

‎06-03-2008 10:38 AM

Access-list doubt with tagged ports and virtual hosts

Hi,

we have a Procurve 3500 Layer 3, and we want to configure an access-list within vlans.

The problem is that we have defined 3 vlans on the same two tagged paravirtual machine (Xen Source) ports and this vlans, must communicate with others vlans.

What we have to do in order to:
enable ssh (22) access from vlan4 to vlan3.
enable smtp (25) access from vlan2 to vlan3.


___________________________
___________________________
sw01-ly3(config)# show vlan 3

Status and Counters - VLAN Information - Ports - VLAN 3

VLAN ID : 3
Name : VLAN03-dades
Status : Port-based
Voice : No
Jumbo : No

Port Information Mode Unknown VLAN Status
---------------- -------- ------------ ----------
4 Tagged Learn Down
5 Tagged Learn Up
7 Untagged Learn Down
8 Untagged Learn Down
9 Untagged Learn Down
10 Untagged Learn Down
11 Untagged Learn Down
12 Untagged Learn Down

VLAN03-dades | Manual 192.168.3.254 255.255.255.0 No


sw01-ly3# show vlan 2

Status and Counters - VLAN Information - Ports - VLAN 2

VLAN ID : 2
Name : VLAN02-acces
Status : Port-based
Voice : No
Jumbo : No

Port Information Mode Unknown VLAN Status
---------------- -------- ------------ ----------
2 Untagged Learn Up
3 Untagged Learn Down

VLAN02-acces | Manual 192.168.2.254 255.255.255.0 No


sw01-ly3# show vlan 4

Status and Counters - VLAN Information - Ports - VLAN 4

VLAN ID : 4
Name : VLAN04-gestio
Status : Port-based
Voice : No
Jumbo : No

Port Information Mode Unknown VLAN Status
---------------- -------- ------------ ----------
4 Tagged Learn Down
5 Tagged Learn Up

VLAN04-gestio | Manual 192.168.4.254 255.255.255.0 No


Many thanks.
0 Kudos
1 REPLY 1
Mohieddin Kharnoub
Honored Contributor

‎06-04-2008 12:31 AM

‎06-04-2008 12:31 AM

Re: Access-list doubt with tagged ports and virtual hosts

Hi

For the SSH:

Sw(config)#ip access-list extended SSH
Sw(config-ext-nacl)#permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255 eq 22
Sw(config-ext-nacl)#deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 eq 22
Sw(config-ext-nacl)#permit ip any any
Sw(config)#vlan 3 ip access-group SSH in


For the SMTP:

Sw(config)#ip access-list extended SMTP
Sw(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 eq 22
Sw(config-ext-nacl)#deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255 eq 25
Sw(config-ext-nacl)#permit ip any any
Sw(config)#vlan 3 ip access-group SMTP in

Note (please check for any mistakes):
You can permit or deny any other traffic based on your security requirements then you can apply the ACLs.

Good Luck !!!
Science for Everyone
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.