Switches, Hubs, and Modems
SOLVED
Rob P_2
Occasional Advisor

Block traffic between specific vlans - Procurve 3500

This should be a fairly easy configuration...I am fairly new to the Procurve world, and all the ACE/ACL types and options are making my head hurt. I am attempting to only allow traffic from VLAN 200 to get to VLAN 1, with all traffic between 200 and the other VLANs denied.

VLAN 200 - 10.200.0.0 / 16 (public wireless)
VLAN 100 - 10.100.0.0 / 16 (internal systems)
VLAN 50 - 10.50.0.0 /16 (internal systems)
VLAN 1 - 10.1.0.1 /16 (next hop on way to the internet)

I am thinking I should be able to apply a rule to VLAN 200 allowing traffic to VLAN 1 and it should implicitly deny traffic to other VLANs...but I am not sure.

Alternatively, rules applied to the internal VLANs to block incoming VLAN 200 traffic.

What's the best way to do this? And can you give me some sample commands to enter on the switch?

Thanks!
Rob P_2
Occasional Advisor

Re: Block traffic between specific vlans - Procurve 3500

I should add that the 3500 is the core switch for this network, it is handling routing between all the various VLANs...it should be the only place I need to add these rules.

Thanks again,
Pieter 't Hart
Honored Contributor

Re: Block traffic between specific vlans - Procurve 3500

You need to create a RACL
>>> Routed IP Traffic ACL (RACL). An RACL is an ACL configured on a VLAN to filter routed IP traffic entering or leaving the switch on that interface.....<<<

NB this interface mentioned is NOT where the packet "internally" moves to the other vlan, but the physical interface
("entering or leaving the switch" not "entering or leaving the vlan".)

so it will be an in-RACL on vlan 200 allowing only access to vlan1

ip access-list extended "acl-vl200-to-inet"
10 permit ip 10.200.0.0 0.0.255.255 10.1.0.0 0.0.255.255
20 deny ip any any
exit

vlan 200 ip access-group "acl-vl200-to-inet" in

An RACL does not filter within the vlan itself, so all hosts in vlan200 can still communicate.
Rob P_2
Occasional Advisor

Re: Block traffic between specific vlans - Procurve 3500

Ok...I was thinking the RACL was the proper way to go, but the description about it being applied to the interface was throwing me a bit.

I guess what that description is trying to say is that the RACL is global to the switch, and any packet that flows thru any port on the switch and needs to be routed is compared against the switch's RACL list and handled accordingly? This makes sense to me...

The VACL concept is still eluding me tho...what would be a common usage scenario for one of those? I am not grasping what exactly these are for...intra-vlan traffic rather than inter-vlan traffic?

Thanks for clarifying this stuff, it's actually very helpful!

Rob P_2
Occasional Advisor

Re: Block traffic between specific vlans - Procurve 3500

Ok, now I read that RACLs are applied to a specific VLAN, not globally to the switch. But the filtering is done where the traffic physically enters the switch, and only applies to routed traffic.

I think I understand RACLs now, but feel free to correct my understanding :)

Rob P_2
Occasional Advisor

Re: Block traffic between specific vlans - Procurve 3500

And I'll also just mention that configuring an "inbound" RACL on VLAN 200 to filter traffic leaving VLAN 200 just seems....backward.

If someone could clarify why that is considered inbound, I would be very grateful! I am sure it's just a matter of envisioning the traffic flow differently than I do, but I am not grasping the thought process there either.

Hopefully once I get these basic concepts understood the rest of the help files will make a lot more sense to me.

Thanks again!
Shadow13
Respected Contributor

Re: Block traffic between specific vlans - Procurve 3500

in the VLAN it will be like this
"inbound" means the traffic entering the VLAN from the clients on that VLAN (entering the switch through that VLAN).

"Outbound" means the traffic entering the VLAN from other VLANs (exiting the switch through that VLAN)

Just think of the VLAN as a physical port, inbound means coming from the client attached to that port (entering the switch) and outbound means exiting to that port going to the client (exiting the switch).

Pieter 't Hart
Honored Contributor
Solution

Re: Block traffic between specific vlans - Procurve 3500

Shadow13 does not describe the process right.

The criterion is "entering or leaving the switch"!

So,
- if you've got a single switch, with two VLANs.
- you've setup routing between those VLANs
- when the data is transferred between the VLANs it does NOT leave the switch!
=> that's why you need to apply the filter IN on the first or OUT on the second VLAN.
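As an added illustration (not code from the thread, HP, or the switch itself), the following Python model evaluates RACLs the way the replies above describe: first-match ACEs with ProCurve-style wildcard masks, an implicit deny at the end of every ACL, RACLs consulted only for routed traffic (same-VLAN traffic is bridged and never filtered), and filtering done where the packet enters the switch (the "in" RACL on the source VLAN) or where it leaves (the "out" RACL on the destination VLAN). The VLAN subnets are the ones from the question; the two RACL placements model Pieter's in-RACL on VLAN 200 and Rob's alternative of out-RACLs on the internal VLANs. The class and function names are this example's own, not switch commands.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the thread's network: VLAN id -> routed subnet.
VLANS = {
    200: ipaddress.ip_network("10.200.0.0/16"),  # public wireless
    100: ipaddress.ip_network("10.100.0.0/16"),  # internal systems
    50:  ipaddress.ip_network("10.50.0.0/16"),   # internal systems
    1:   ipaddress.ip_network("10.1.0.0/16"),    # next hop toward the internet
}

def vlan_of(ip):
    """Return the VLAN whose subnet contains ip (the switch routes between these)."""
    addr = ipaddress.ip_address(ip)
    for vid, net in VLANS.items():
        if addr in net:
            return vid
    raise ValueError(f"{ip} is not in any known VLAN subnet")

@dataclass(frozen=True)
class Ace:
    """One access-control entry: action plus source/destination address with a
    wildcard mask, where a 1 bit in the mask means 'don't care' (so 0.0.255.255
    matches a /16 and 255.255.255.255 matches anything)."""
    seq: int
    action: str      # "permit" or "deny"
    src: str
    src_mask: str
    dst: str
    dst_mask: str

    @staticmethod
    def _match(addr, base, mask):
        a = int(ipaddress.ip_address(addr))
        b = int(ipaddress.ip_address(base))
        m = int(ipaddress.ip_address(mask))
        # Bits set in the wildcard mask are ignored; all other bits must be equal.
        return (a & ~m & 0xFFFFFFFF) == (b & ~m & 0xFFFFFFFF)

    def matches(self, src, dst):
        return (self._match(src, self.src, self.src_mask)
                and self._match(dst, self.dst, self.dst_mask))

def evaluate(acl, src, dst):
    """First matching ACE wins; an ACL with no match ends in an implicit deny."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.matches(src, dst):
            return ace.action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")

# Pieter's design: one ACL, permit VLAN 200 -> VLAN 1 and deny everything else.
ACL_VL200_TO_INET = [
    Ace(10, "permit", "10.200.0.0", "0.0.255.255", "10.1.0.0", "0.0.255.255"),
    Ace(20, "deny", *ANY, *ANY),
]

# Rob's alternative: on each internal VLAN, drop anything sourced from VLAN 200.
ACL_DENY_FROM_VL200 = [
    Ace(10, "deny", "10.200.0.0", "0.0.255.255", *ANY),
    Ace(20, "permit", *ANY, *ANY),
]

# RACL bindings: (vlan, direction) -> ACL. "in" filters traffic entering the
# switch from hosts on that VLAN; "out" filters traffic leaving the switch onto it.
RACLS = {(200, "in"): ACL_VL200_TO_INET}
RACLS_ALT = {(100, "out"): ACL_DENY_FROM_VL200, (50, "out"): ACL_DENY_FROM_VL200}

def forward(src, dst, racls=RACLS):
    """Decide what the switch does with a packet from src to dst.
    Returns 'bridged' (same VLAN, RACLs not consulted), 'permit' or 'deny'."""
    svid, dvid = vlan_of(src), vlan_of(dst)
    if svid == dvid:
        return "bridged"   # RACLs only see routed traffic; intra-VLAN stays unfiltered
    # Inbound RACL on the source VLAN first, then outbound RACL on the destination VLAN.
    for key in ((svid, "in"), (dvid, "out")):
        acl = racls.get(key)
        if acl is not None and evaluate(acl, src, dst) == "deny":
            return "deny"
    return "permit"

if __name__ == "__main__":
    for s, d in [("10.200.5.5", "10.1.0.1"), ("10.200.5.5", "10.100.7.7"),
                 ("10.200.5.5", "10.200.9.9"), ("10.100.7.7", "10.200.5.5")]:
        print(f"{s} -> {d}: in-RACL design={forward(s, d)}, out-RACL design={forward(s, d, RACLS_ALT)}")
```

Running the model shows that both placements give the same answer for traffic sourced in VLAN 200, and that a 10.200.x.x host talking to another 10.200.x.x host is never evaluated at all, which is the point Pieter makes about RACLs not filtering within the VLAN. It also makes one property of the thread's rule visible for review: neither design filters flows initiated from the internal VLANs toward VLAN 200, so if that direction also needs restricting, it needs its own ACE.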
Rob P_2
Occasional Advisor

Re: Block traffic between specific vlans - Procurve 3500

Thanks guys! I think I got my head wrapped around this now....implemented the new rules, and they seem to work as intended. I'll send some points to everyone, you were all helpful :)
Rob P_2
Occasional Advisor

Re: Block traffic between specific vlans - Procurve 3500

Explanations above did the trick, thanks!