11-08-2010 10:24 AM
Create VLAN with ACL to restrict ssh only traffic
New to advanced switching features. Hoping you can help me out.
I have a default switch up and running with a bunch of client workstations. (IP: 10.1.1.2 with /24 Mask) Connected to a router with multiple vpn connections to other offices (Router ip 10.1.1.1). We have a public server that we would like to connect to which we will do by running a fiber connection to a remote HP Layer2 switch. (Server ip 10.10.10.20) We would like to keep the traffic separated for security, allowing only port 22/80 for SSH/HTTP traffic from the clients to the server, and not allowing the server to contact any of the devices on the 10.1.1.0/24 network.
The Fiber connection is on port 24.
I've created a VLAN (400 - same as the remote HP switch) with untagged port 24.
I assume I have to turn on ip routing, and also set up the default route to the router, and route the associated traffic to the public server.
Can someone lay out what I need and associated config entries?
Thanks!
11-08-2010 02:28 PM
Re: Create VLAN with ACL to restrict ssh only traffic
what switch model do you have?
Cheers,
Michael
11-08-2010 02:40 PM
Re: Create VLAN with ACL to restrict ssh only traffic
11-09-2010 09:54 AM
Re: Create VLAN with ACL to restrict ssh only traffic
the config should be something like this:
vlan 1
name "01_CLIENT"
ip address 10.1.1.254/24
ip access-group ACL_01 in
untagged 1-22 // Client ports
vlan 400
name "400_SERVER"
ip address 10.10.10.254/24
untagged 24
vlan 99
name "99_TRANSFER_TO_VPN_ROUTER" // dedicated transfer network to router is recommended
ip address 10.10.99.254/24 // you have to assign a new IP address on the router i.e. 10.10.99.1
untagged 23 // port with Router
ip access-list extended ACL_01
permit tcp 10.1.1.0 0.0.0.255 host 10.10.10.20 eq 22 // Allow SSH to the server
permit tcp 10.1.1.0 0.0.0.255 host 10.10.10.20 eq 80 // Allow HTTP to the server
deny ip 10.1.1.0 0.0.0.255 10.10.10.0 0.0.0.255 log // deny everything else to 10.10.10.0/24
permit ip any any // allow everything else
You can also set a second ACL on VLAN 400 to protect the opposite direction to VLAN 1.
Have a look in the ACL chapter for details: http://cdn.procurve.com/training/Manuals/2910-ASG-Feb09-9-ACLs.pdf
Cheers,
Michael
11-09-2010 10:26 AM
Re: Create VLAN with ACL to restrict ssh only traffic
Thanks for the follow up.
As far as routing, I will need to enable it on the switch correct? Then also add a static route on our router to point at the ip address of the switch.
I would then have to set the default gateway for all vlans to the router ip correct?
Thanks!
11-09-2010 11:25 AM
Re: Create VLAN with ACL to restrict ssh only traffic
sure: "ip routing" needs to be enabled.
And you have to set static routes for network 10.1.1/24 and 10.10.10/24 pointing to the procurve: 10.10.99.254 (in my example).
All hosts need to get the local gateway IP address of the switch:
clients in VLAN 1: 10.1.1.254
server in VLAN 400: 10.10.10.254
static default route on the procurve:
ip route 0.0.0.0 0.0.0.0 10.10.99.1
Cheers,
Michael
11-09-2010 11:54 AM
Re: Create VLAN with ACL to restrict ssh only traffic
Again thanks for the follow up! We're mostly concerned about users on the server connecting into our client network so I have added the other ACL for VLAN 400 (in). Since we also have a few web servers on the 10.1.1.0/24 network, I do not want to allow all port 80 traffic from the server.
I believe I can do this by making the ACL "established" ?
ip access-list extended CLUSTERIN_ACL
permit tcp 10.10.10.20 0.0.0.0 10.1.1.0 0.0.0.255 eq 22 established
permit tcp 10.10.10.20 0.0.0.0 10.1.1.0 0.0.0.255 eq 80 established
deny ip 10.10.10.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip any any
So any originating connection from the client side will allow the traffic that's only established. Do I understand this right?
11-09-2010 02:39 PM
Re: Create VLAN with ACL to restrict ssh only traffic
ip access-list extended CLUSTERIN_ACL
permit tcp 10.10.10.20 0.0.0.0 eq 22 10.1.1.0 0.0.0.255 established
permit tcp 10.10.10.20 0.0.0.0 eq 80 10.1.1.0 0.0.0.255 established
deny ip 10.10.10.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip any any
Cheers,
Michael
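The following is an added illustration, not code from the thread or from HP: a small Python model of first-match extended ACL evaluation, used to show why the position of "eq 22" matters in the CLUSTERIN_ACL above. It assumes ProCurve semantics as described in the thread (a port test placed after the source matches the source port, "established" matches only TCP segments with ACK or RST set, and an unmatched packet hits the implicit deny); the sample packets are constructed.

```python
# Constructed model of a ProCurve-style extended ACL: first matching entry wins.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

def in_net(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp" or "ip"
    src: str
    src_wc: str                  # source network and wildcard
    dst: str
    dst_wc: str                  # destination network and wildcard
    sport: Optional[int] = None  # "eq N" written after the source
    dport: Optional[int] = None  # "eq N" written after the destination
    established: bool = False    # only segments with ACK or RST set (stateless flag check)

@dataclass(frozen=True)
class Pkt:
    src: str; sport: int; dst: str; dport: int; ack: bool; proto: str = "tcp"

def matches(ace: Ace, p: Pkt) -> bool:
    return (ace.proto in ("ip", p.proto)
            and in_net(p.src, ace.src, ace.src_wc)
            and in_net(p.dst, ace.dst, ace.dst_wc)
            and ace.sport in (None, p.sport)
            and ace.dport in (None, p.dport)
            and (p.ack or not ace.established))

def evaluate(acl: List[Ace], p: Pkt) -> str:
    for ace in acl:
        if matches(ace, p):
            return ace.action
    return "deny"  # implicit deny at the end of every ACL

CLIENTS = ("10.1.1.0", "0.0.0.255")
SERVER = ("10.10.10.20", "0.0.0.0")  # same as "host 10.10.10.20"
ANY = ("0.0.0.0", "255.255.255.255")
TAIL = [Ace("deny", "ip", "10.10.10.0", "0.0.0.255", *CLIENTS),
        Ace("permit", "ip", *ANY, *ANY)]
# As first posted: "eq 22" after the destination tests the destination port.
POSTED_ACL = [Ace("permit", "tcp", *SERVER, *CLIENTS, dport=22, established=True),
              Ace("permit", "tcp", *SERVER, *CLIENTS, dport=80, established=True)] + TAIL
# As corrected: "eq 22" after the source tests the source port the server's replies carry.
CORRECTED_ACL = [Ace("permit", "tcp", *SERVER, *CLIENTS, sport=22, established=True),
                 Ace("permit", "tcp", *SERVER, *CLIENTS, sport=80, established=True)] + TAIL
# Constructed segments entering the switch from VLAN 400 (the server side).
SSH_REPLY = Pkt("10.10.10.20", 22, "10.1.1.2", 51000, ack=True)   # reply in a client-started SSH session
NEW_HTTP = Pkt("10.10.10.20", 44000, "10.1.1.50", 80, ack=False)  # server opening its own connection inward
```

With the posted order the server's SSH replies fall through to the deny line (their destination port is the client's ephemeral port), so the corrected order is what actually lets client-initiated sessions work while still dropping new connections from the server into 10.1.1.0/24.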