
Re: How to filter traffic between 2 subnets on the same VLAN

77rajesh
Visitor

How to filter traffic between 2 subnets on the same VLAN

Hi,

I want to create 2 subnets in the same VLAN, and users in the 2 subnets should not be able to send traffic to each other.

I have managed so far to assign a secondary IP on the VLAN interface on the L3 switch, but I am not able to stop the subnet users from sending traffic to each other. I tried creating an ACL which filters the traffic between the 2 subnets and want to apply it on the VLAN interface for the inbound traffic, but I just can't find the command to apply the ACL on the interface.

Please check the ACL below:


acl number 3000
rule 0 deny ip source 10.11.40.0 0.0.3.255 destination 10.11.44.0 0.0.3.255
rule 5 deny ip source 10.11.44.0 0.0.3.255 destination 10.11.40.0 0.0.3.255
rule 10 permit ip any any

 

H3C Comware Platform Software
Comware Software, Version 5.20, Release 6605P03


Q1. Can I use an ACL on a VLAN interface to filter traffic between two subnets on the same VLAN?

Q2. If Q1 is correct, then I want to know how I can apply this ACL on the interface, as I am not able to find a command to do this.

Vince-Whirlwind
Honored Contributor

Re: How to filter traffic between 2 subnets on the same VLAN

I've never tried it, but I would expect it to work, as the packets have to be routed on the VLAN interface to go between subnets regardless of what VLAN they are on.

interface vlan1
   packet-filter 3000 inbound

77rajesh
Visitor

Re: How to filter traffic between 2 subnets on the same VLAN

Hi, thanks for your response. I agree with you, but my problem is I just can't seem to find a command to apply the ACL on the VLAN interface or the interface itself. Please check below:


[NUB_CORE]inter Vlan-interface 1
[NUB_CORE-Vlan-interface1]pack
[NUB_CORE-Vlan-interface1]p?
pim
ping
portal
proxy-arp


I have checked online and I read that on the S7500 series we have to go into the 'qos' view; check below:


http://www.h3c.com/portal/Technical_Support___Documents/Technical_Documents/Switches/H3C_S7500_Series_Switches/Configuration/Operation_Manual/H3C_S7500_OM-(Release_3100_Series)-(V1.04)/200707/207837_1285_0.htm#_Toc172462802

 

Index no. 24 ACL CONFIGURATION

To do...                                  Use the command...                                                                           Remarks
Enter system view                         system-view
Enter Ethernet port view                  interface interface-type interface-number
Enter QoS view                            qos
Apply an ACL on the port                  packet-filter { inbound | outbound } acl-rule [ system-index ] [ not-care-for-interface ]    Required. This command is supported by Type A LPUs.
                                          packet-filter inbound acl-rule [ system-index ]                                              Required. This command is supported by LPUs other than Type A.
Display information about ACLs applied    display acl running-packet-filter { all | interface interface-type interface-number }        Optional. This command can be executed in any view.
to a port or all ports


Check what I get when I type qos on both the VLAN interface and the physical interface:

[NUB_CORE]interface vlan 40
[NUB_CORE-Vlan-interface40]qos ?
  apply      Apply specific QoS policy on interface
[NUB_CORE-Vlan-interface40]quit
[NUB_CORE]inter gi 8/0/2
[NUB_CORE-GigabitEthernet8/0/2]qos
[NUB_CORE-GigabitEthernet8/0/2]qos ?
  apply      Apply specific QoS policy on interface
  bandwidth  Queue bandwidth
  gts        Apply GTS(Generic Traffic Shaping) policy on interface
  lr         Apply LR(Line Rate) policy on physical interface
  priority   Configure port priority
  sp         Configure strict priority queue
  trust      Configure priority trust mode
  wfq        Configure weighted fair queue
  wred       Apply WRED(Weighted Random Early Detection) configuration information
  wrr        Configure weighted round robin queue
[NUB_CORE-GigabitEthernet8/0/2]qos


Can this be a problem with the firmware, or am I just not able to find the command to configure it on this version?

Please help.


[NUB_CORE]disp version
H3C Comware Platform Software
Comware Software, Version 5.20, Release 6605P03
Copyright (c) 2004-2009 Hangzhou H3C Tech. Co., Ltd. All rights reserved.
H3C S7506E uptime is 11 weeks, 4 days, 18 hours, 35 minutes

MPU(M) 0:
Uptime is 11 weeks,4 days,18 hours,35 minutes
H3C S7506E MPU(M) with 1 BCM1125H Processor
BOARD TYPE: LSQ1SRP12GB
DRAM: 512M bytes
FLASH: 64M bytes
NVRAM: 512K bytes
PCB 1 Version: VER.B
PCB 2 Version: VER.B
Bootrom Version: 301
CPLD 1 Version: 002
CPLD 2 Version: 003
Release Version: H3C S7506E-6605P03
Patch Version : None

MPU(M) 1:
Uptime is 11 weeks,4 days,18 hours,35 minutes
H3C S7506E MPU(S) with 1 BCM1125H Processor
BOARD TYPE: LSQ1SRP12GB
DRAM: 512M bytes
FLASH: 64M bytes
NVRAM: 512K bytes
PCB 1 Version: VER.B
PCB 2 Version: VER.B
Bootrom Version: 301
CPLD 1 Version: 002
CPLD 2 Version: 003
Release Version: H3C S7506E-6605P03
Patch Version : None

Slot 2 Without Board

Slot 3 Without Board

Slot 4 Without Board

Slot 5 Without Board

Slot 6 Without Board

Slot 7 Without Board

LPU 8:
Uptime is 11 weeks,4 days,18 hours,34 minutes
H3C S7506E LPU with 1 BCM1122 Processor
BOARD TYPE: SRP12GBSLAVE
DRAM: 512M bytes
FLASH: 0M bytes
NVRAM: 0K bytes
PCB 1 Version: NA
Bootware Version: 303
CPLD 1 Version: NA
Release Version: H3C S7506E-6605P03
Patch Version : None

LPU 9:
Uptime is 11 weeks,4 days,18 hours,35 minutes
H3C S7506E LPU with 1 BCM1122 Processor
BOARD TYPE: SRP12GBSLAVE
DRAM: 512M bytes
FLASH: 0M bytes
NVRAM: 0K bytes
PCB 1 Version: NA
Bootware Version: 303
CPLD 1 Version: NA
Release Version: H3C S7506E-6605P03
Patch Version : None
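The QoS-policy way of binding ACL logic to the VLAN interface, as an added example that is not code from the thread or from H3C's documentation. It assumes that `qos apply policy`, the only `qos` option the poster's `qos ?` output shows on Vlan-interface 40, is the hook this release offers for filtering on a VLAN interface; ACL number 3001 and the classifier, behavior and policy names are hypothetical.

```text
# Added example, not from the thread: drop routed traffic between the two
# subnets on Vlan-interface 40 with a QoS policy.
#
# ACL 3001 (hypothetical) lists the traffic to be DROPPED as permit rules.
# A traffic classifier selects packets that hit the ACL's permit rules; the
# drop itself is done by the behavior ("filter deny"), so the ACL's own
# permit/deny action is not what decides the outcome. This avoids relying
# on deny rules being honoured inside a classifier.
acl number 3001
 rule 0 permit ip source 10.11.40.0 0.0.3.255 destination 10.11.44.0 0.0.3.255
 rule 5 permit ip source 10.11.44.0 0.0.3.255 destination 10.11.40.0 0.0.3.255
quit
#
traffic classifier cross-subnet operator or
 if-match acl 3001
quit
#
traffic behavior drop-cross-subnet
 filter deny
quit
#
qos policy block-cross-subnet
 classifier cross-subnet behavior drop-cross-subnet
quit
#
# Both subnets sit on the same VLAN interface, so a single inbound policy
# sees both directions; that is why the ACL carries both rules.
interface Vlan-interface 40
 qos apply policy block-cross-subnet inbound
quit
#
# Verification: confirm the policy is bound, then ping from a host in
# 10.11.40.0/22 to one in 10.11.44.0/22 and check the match counters.
display qos policy interface Vlan-interface 40
display traffic classifier user-defined cross-subnet
```

Two caveats a practitioner would want before relying on this. First, the wildcard 0.0.3.255 covers a /22 (10.11.40.0-10.11.43.255 and 10.11.44.0-10.11.47.255), so make sure that matches the secondary-address masks actually configured on the VLAN interface. Second, and more important for isolation: an ACL on the VLAN interface only sees packets the switch routes. Two subnets on one VLAN are still one broadcast domain, so a host that simply re-addresses itself into the other subnet, widens its mask to /21, or adds a static route pointing at the other subnet's hosts talks to them directly at Layer 2 and the policy never sees that traffic. If the requirement is that users cannot reach each other, put them in separate VLANs (or use port isolation) and filter at the routed boundary; the secondary-address approach only stops well-behaved hosts.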

77rajesh
Visitor

Re: How to filter traffic between 2 subnets on the same VLAN

Hi, please confirm: could this be a firmware problem?

Vince-Whirlwind
Honored Contributor

Re: How to filter traffic between 2 subnets on the same VLAN

Show us your full config.

Do you have IP routing enabled?