Switches, Hubs, and Modems
1748121 Members
3371 Online
108758 Solutions
New Discussion

InterVLANs security (ACL)

 
SOLVED
Go to solution

InterVLANs security (ACL)

if I want to create 3 vlan (vlan admin, vlan 1 and vlan 2), and I want to create an ACL between them. The scenario as bellow:

1. Vlan admin can access all Vlan (vlan 1 and vlan 2).
2. Vlan 1 or vlan 2 can't access all other i.e.:
• vlan 1 can't access vlan 2 or vlan admin.
• And vlan 2 can't access vlan 1 or vlan admin).

I tried to do this on 5412zl ProCurve switch by ACL's but the result is no vlan can access the other vlans. which I need the admin vlan access all other.
6 REPLIES 6

Re: InterVLANs security (ACL)

Hi all,
Is it anybody help me in this issue.
Actualy I think this is a normal behavior when all vlans cant access other, which the required is only admin vlan can access the other and no one can access the admin valn.
and if I need to do this I have to use a firewall module.
anyone can advice me or confirm my point.
thank a lot all.
Olaf Borowski
Respected Contributor

Re: InterVLANs security (ACL)

Hi,

You are right, by default VLANs can't talk to each other. A VLAN can be considered a different subnet.
Example:
VLAN(10) admin: 192.168.1.x/24
VLAN(1) user: 192.168.2.x/24
VLAN(3) user: 192.168.3.x/24
Without "routing" enabled on the switch, VLAN 10 can't communicate with VLAN 1 or 3.
On the 5412: Issue the follwing command (disabled by default): "ip routing"
Now the 5412 will route between the locally attached subnets assuming the default gateway address of the clients is set to the IP address of that VLAN. If VLAN 10 has an IP address of 192.168.1.254, that is the default gateway address for the client.
Now you accomplished everyone talking to each other and you can use ACLs now to restrict that.
Example: VLAN 10 is allowed to communictate with VLAN 3:
ip access-list extended "Allow VLAN3"
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
By default, everything else is denied.
Apply the access-list to VLAN 10 via the "access-group command"
Do the similar thing for the other VLANs to restrict or permit communication. Remember you have to do the reverse too meaning you have to allow VLAN 3 to communicate with VLAN 10.
Good luck and the documenation on ACLs spells all this out.

Olaf

Re: InterVLANs security (ACL)

Thanks a lot for your quick response.
Actualy I can't disable ip routing because I use an IP helper that because I use one dhcp for multiple vlan.
So is it any other solution.
On the other hand I want just admin vlan can access all other and also vlan 3 in the above example but vlan 3 can't access admin vlan, I mean I need an one direction of communication.
Please advice me.
Olaf Borowski
Respected Contributor
Solution

Re: InterVLANs security (ACL)

Maybe misunderstanding...You need to "enable" routing, not "disable".
In regards to "one way communication": You need a stateful firewall to do that. Reason:
In our example, if admin is allowed to communciate with VLAN 3, you don't have to do anything on VLAN 10 (admin). On VLAN 3, you would place an ACL that says:
deny ip 192.168.3.0 255.255.255.0 192.168.1.0 0.0.0.255.
permit ip any any
This would prohibit source of 192.168.3.x to communicate with 192.168.1.x.
But: If admin vlan sends a packet to a node on VLAN 3, the node on VLAN 3 has to reply. The reply (answer) would be blocked by the ACL. This is why you need a stateful firewall to do this. This router/switch need to know and remember who initiated the conversation and keep track of it (stateful). The rule in the firewall would say: If admin Vlan initiates a connection to VLAN 3, let the communication flow. If VLAN 3 tries to communicate with Admin VLAN, block it. Again, you need a stateful firewall to do this.

Olaf

Re: InterVLANs security (ACL)

Dear Olaf,

thanks for replay, realy you are great.
Your answer is very good and confirm my point that I want to use a firewall module for my 5412zl procurve switch.
Thanks again and I hope if me and you become a friend.

Re: InterVLANs security (ACL)

Thats true, realy I need a firewall module.