05-31-2010 10:32 AM
VLAN 200 - 10.200.0.0/16 (public wireless)
VLAN 100 - 10.100.0.0/16 (internal systems)
VLAN 50 - 10.50.0.0/16 (internal systems)
VLAN 1 - 10.1.0.1/16 (next hop on way to the internet)
I am thinking I should be able to apply a rule to VLAN 200 allowing traffic to VLAN 1 and it should implicitly deny traffic to other VLANs... but I am not sure.
Alternatively, rules applied to the internal VLANs to block incoming VLAN 200 traffic.
What's the best way to do this? And can you give me some sample commands to enter on the switch?
Thanks!
05-31-2010 10:35 AM
Re: Block traffic between specific vlans - Procurve 3500
Thanks again,
05-31-2010 11:44 PM
Re: Block traffic between specific vlans - Procurve 3500
>>> Routed IP Traffic ACL (RACL). An RACL is an ACL configured on a VLAN to filter routed IP traffic entering or leaving the switch on that interface..... <<<
NB: the interface mentioned is NOT where the packet "internally" moves to the other VLAN, but the physical interface
("entering or leaving the switch", not "entering or leaving the VLAN").
So it will be an in-RACL on VLAN 200 allowing only access to VLAN 1:
ip access-list extended "acl-vl200-to-inet"
10 permit ip
20
vlan 200 ip access-group acl-vl200-to-inet in
An RACL does not filter within the VLAN itself, so all hosts in VLAN 200 can still communicate.
06-01-2010 06:50 PM
Re: Block traffic between specific vlans - Procurve 3500
I guess what that description is trying to say is that the RACL is global to the switch, and any packet that flows through any port on the switch and needs to be routed is compared against the switch's RACL list and handled accordingly? This makes sense to me...
The VACL concept is still eluding me though... what would be a common usage scenario for one of those? I am not grasping what exactly these are for... intra-VLAN traffic rather than inter-VLAN traffic?
Thanks for clarifying this stuff, it's actually very helpful!
06-01-2010 06:58 PM
Re: Block traffic between specific vlans - Procurve 3500
I think I understand RACLs now, but feel free to correct my understanding :)
06-01-2010 07:11 PM
Re: Block traffic between specific vlans - Procurve 3500
If someone could clarify why that is considered inbound, I would be very grateful! I am sure it's just a matter of envisioning the traffic flow differently than I do, but I am not grasping the thought process there either.
Hopefully once I get these basic concepts understood the rest of the help files will make a lot more sense to me.
Thanks again!
06-01-2010 09:49 PM
Re: Block traffic between specific vlans - Procurve 3500
"Inbound" means the traffic entering the VLAN from the clients on that VLAN (entering the switch through that VLAN).
"Outbound" means the traffic entering the VLAN from other VLANs (exiting the switch through that VLAN).
Just think of the VLAN as a physical port: inbound means coming from the client attached to that port (entering the switch) and outbound means exiting to that port going to the client (exiting the switch).
06-01-2010 10:40 PM
The criterion is "entering or leaving the switch"!
So,
- if you've got a single switch, with two VLANs,
- you've set up routing between those VLANs,
- when the data is transferred between the VLANs it does NOT leave the switch!
=> that's why you need to apply the filter IN on the first or OUT on the second VLAN.
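The following is an added example, not code from the thread or from HP: a small Python model of how an "in" RACL on VLAN 200 behaves, covering both the acl-vl200-to-inet list from the earlier reply and the inbound/outbound and "entering or leaving the switch" explanations above. The source and destination fields of the ACL entries are an assumption, filled in from the subnets listed in the question because the thread's own ACE lines are truncated on the page; the sample packets and the second list (acl-vl200-guest) are constructed for the example, and 203.0.113.5 is a documentation address standing in for an Internet host.

```python
"""Added example (not from the thread): a small model of how a ProCurve-style
routed ACL (RACL) applied inbound on VLAN 200 decides the fate of a packet.
Assumption: the ACE fields are filled in from the subnets in the question,
since the thread's own ACE lines are truncated on the page."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# VLAN -> subnet, as listed in the original question.
VLANS = {
    200: IPv4Network("10.200.0.0/16"),  # public wireless
    100: IPv4Network("10.100.0.0/16"),  # internal systems
    50: IPv4Network("10.50.0.0/16"),    # internal systems
    1: IPv4Network("10.1.0.0/16"),      # next hop towards the internet
}

# The reply's list with its permit line completed (assumed fields). No line 20:
# the example relies on the implicit 'deny any' that ends every ProCurve ACL.
ACL_ONLY_VLAN1 = """
ip access-list extended "acl-vl200-to-inet"
10 permit ip 10.200.0.0/16 10.1.0.0/16
"""

# Constructed variant for guests that must also reach Internet hosts: a routed
# packet's destination is the public IP, not the VLAN 1 gateway, so deny the
# internal subnets first and permit the rest. The first matching entry wins.
ACL_INTERNET_OK = """
ip access-list extended "acl-vl200-guest"
10 deny ip 10.200.0.0/16 10.100.0.0/16
20 deny ip 10.200.0.0/16 10.50.0.0/16
30 permit ip 10.200.0.0/16 any
"""

@dataclass(frozen=True)
class Ace:
    seq: int
    action: str  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network

def _net(token: str) -> IPv4Network:
    return IPv4Network("0.0.0.0/0") if token == "any" else IPv4Network(token)

def parse_acl(text: str) -> list[Ace]:
    """Parse numbered 'permit|deny ip <src> <dst>' entries; the header is skipped."""
    aces = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue
        if len(parts) != 5 or parts[1] not in ("permit", "deny") or parts[2] != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        aces.append(Ace(int(parts[0]), parts[1], _net(parts[3]), _net(parts[4])))
    return sorted(aces, key=lambda a: a.seq)

def vlan_of(addr: IPv4Address) -> int | None:
    return next((vid for vid, net in VLANS.items() if addr in net), None)

def forward(src: str, dst: str, in_racl: dict[int, list[Ace]]) -> str:
    """Verdict for one packet. in_racl maps VLAN id -> ACEs applied 'in', i.e.
    to traffic entering the switch from clients on that VLAN. Returns
    'switched' (same VLAN: bridged at layer 2, RACL never consulted),
    'routed' (no RACL on the source VLAN), the action of the first matching
    ACE, or 'deny-implicit' when an RACL exists but nothing matched."""
    s, d = IPv4Address(src), IPv4Address(dst)
    svlan, dvlan = vlan_of(s), vlan_of(d)
    if svlan is None:
        raise ValueError(f"{src} is not in any local VLAN")
    if dvlan is None:
        dvlan = 1  # default route: Internet-bound traffic leaves via VLAN 1
    if svlan == dvlan:
        return "switched"
    if svlan not in in_racl:
        return "routed"
    for ace in in_racl[svlan]:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny-implicit"

def evaluate(acl_text: str) -> dict[str, str]:
    """Run constructed sample packets through the given RACL applied on VLAN 200."""
    table = {200: parse_acl(acl_text)}
    flows = {
        "guest->vlan1": ("10.200.1.10", "10.1.0.1"),
        "guest->internet": ("10.200.1.10", "203.0.113.5"),  # documentation address
        "guest->vlan100": ("10.200.1.10", "10.100.5.5"),
        "guest->guest": ("10.200.1.10", "10.200.1.11"),
        "vlan100->guest": ("10.100.5.5", "10.200.1.10"),  # no RACL on VLAN 100
    }
    return {name: forward(s, d, table) for name, (s, d) in flows.items()}

if __name__ == "__main__":
    for label, acl in (("only VLAN 1", ACL_ONLY_VLAN1), ("Internet OK", ACL_INTERNET_OK)):
        print(f"--- {label} ---")
        for flow, verdict in evaluate(acl).items():
            print(f"{flow:16} {verdict}")
```

Running it shows the points made in the thread: guest-to-guest packets come back as "switched" because the RACL only sees routed traffic, guest-to-VLAN-100 falls off the end of acl-vl200-to-inet into the implicit deny, and a packet from VLAN 100 towards the guests is "routed" untouched because nothing is applied on VLAN 100 (a RACL is stateless, so reply traffic is judged only by whatever list is on the VLAN it enters from). The second list also shows why "permit only VLAN 1" is too narrow when guests are supposed to reach the Internet via the VLAN 1 next hop: the routed packet carries the public destination address, so the internal subnets have to be denied explicitly before a broad permit.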
06-05-2010 04:26 PM
Re: Block traffic between specific vlans - Procurve 3500
06-05-2010 04:28 PM