InterVLANs security (ACL)
06-13-2009 01:29 AM
1. VLAN admin can access all VLANs (VLAN 1 and VLAN 2).
2. VLAN 1 or VLAN 2 can't access any other, i.e.:
• VLAN 1 can't access VLAN 2 or VLAN admin.
• And VLAN 2 can't access VLAN 1 or VLAN admin.
I tried to do this on a 5412zl ProCurve switch with ACLs, but the result is that no VLAN can access the other VLANs, while I need the admin VLAN to access all the others.
06-13-2009 08:11 AM
Re: InterVLANs security (ACL)
Can anybody help me with this issue?
Actually I think this is normal behavior when no VLAN can access another, whereas what is required is that only the admin VLAN can access the others and no one can access the admin VLAN.
And if I need to do this I have to use a firewall module.
Can anyone advise me or confirm my point?
Thanks a lot, all.
06-13-2009 04:46 PM
Re: InterVLANs security (ACL)
You are right, by default VLANs can't talk to each other. A VLAN can be considered a different subnet.
Example:
VLAN(10) admin: 192.168.1.x/24
VLAN(1) user: 192.168.2.x/24
VLAN(3) user: 192.168.3.x/24
Without "routing" enabled on the switch, VLAN 10 can't communicate with VLAN 1 or 3.
On the 5412: Issue the following command (disabled by default): "ip routing"
Now the 5412 will route between the locally attached subnets, assuming the default gateway address of the clients is set to the IP address of that VLAN. If VLAN 10 has an IP address of 192.168.1.254, that is the default gateway address for the client.
Now you have accomplished everyone talking to each other, and you can use ACLs to restrict that.
Example: VLAN 10 is allowed to communicate with VLAN 3:
ip access-list extended "Allow VLAN3"
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
By default, everything else is denied.
Apply the access-list to VLAN 10 via the "access-group" command.
Do the similar thing for the other VLANs to restrict or permit communication. Remember you have to do the reverse too, meaning you have to allow VLAN 3 to communicate with VLAN 10.
Good luck, and the documentation on ACLs spells all this out.
Olaf
06-14-2009 05:25 AM
Re: InterVLANs security (ACL)
Actually I can't disable IP routing, because I use an IP helper, since I use one DHCP server for multiple VLANs.
So is there any other solution?
On the other hand, I want just the admin VLAN to be able to access all the others (and also VLAN 3 in the above example), but VLAN 3 can't access the admin VLAN. I mean, I need one direction of communication.
Please advise me.
06-14-2009 06:33 AM
In regards to "one way communication": You need a stateful firewall to do that. Reason:
In our example, if admin is allowed to communicate with VLAN 3, you don't have to do anything on VLAN 10 (admin). On VLAN 3, you would place an ACL that says:
deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any any
This would prohibit a source of 192.168.3.x from communicating with 192.168.1.x.
But: If the admin VLAN sends a packet to a node on VLAN 3, the node on VLAN 3 has to reply. The reply (answer) would be blocked by the ACL. This is why you need a stateful firewall to do this. The router/switch needs to know and remember who initiated the conversation and keep track of it (stateful). The rule in the firewall would say: If the admin VLAN initiates a connection to VLAN 3, let the communication flow. If VLAN 3 tries to communicate with the admin VLAN, block it. Again, you need a stateful firewall to do this.
Olaf
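The two ACL behaviours Olaf describes above (the single permit entry with implicit deny in his first reply, and the VLAN 3 ACL in the second reply that ends up blocking the reply packet) can be checked against a small model. The Python below is an added example, not code from the original thread or from HP/ProCurve; the VLAN-to-subnet plan, the "permit|deny <proto> <src> <wildcard> <dst> <wildcard>" syntax it parses, and the Switch and flow-table classes are assumptions made here for illustration. The stateful part keys flows only on the address pair, so it models the idea of tracking who initiated a conversation rather than any real firewall module.

```python
"""Stateless ACL versus stateful filtering, modelled on the thread's example.

Constructed example, not code from the original post. Addresses follow
Olaf's example (VLAN 10 admin 192.168.1.0/24, VLAN 1 user 192.168.2.0/24,
VLAN 3 user 192.168.3.0/24). Entries mimic ProCurve-style
"permit ip <src> <wildcard> <dst> <wildcard>" lines, evaluated first
match wins, with an implicit deny at the end of every list.
"""
import ipaddress
from dataclasses import dataclass

# Assumed VLAN-to-subnet plan, taken from the thread's example (constructed).
VLAN_SUBNETS = {10: "192.168.1.0/24", 1: "192.168.2.0/24", 3: "192.168.3.0/24"}
ANY = ("0.0.0.0", "255.255.255.255")  # "any": every address bit is ignored


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"


def wildcard_match(addr, network, wildcard):
    """Wildcard-mask match: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & keep) == (n & keep)


def parse_ace(line):
    """Parse 'permit|deny <proto> <src> <wc> <dst> <wc>' ('any' allowed for either side)."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]

    def take():
        if rest[0] == "any":
            rest.pop(0)
            return ANY
        return rest.pop(0), rest.pop(0)

    src, dst = take(), take()
    return action, proto, src, dst


class StatelessAcl:
    """Ordered entries, first match wins, implicit deny if nothing matches."""

    def __init__(self, lines):
        self.entries = [parse_ace(line) for line in lines]

    def evaluate(self, pkt):
        for action, proto, (sn, sw), (dn, dw) in self.entries:
            if proto not in ("ip", pkt.proto):
                continue
            if wildcard_match(pkt.src, sn, sw) and wildcard_match(pkt.dst, dn, dw):
                return action
        return "deny"  # implicit deny at the end of the list


def vlan_of(addr):
    """Which VLAN a packet with this source address enters on (assumed plan)."""
    ip = ipaddress.IPv4Address(addr)
    for vid, net in VLAN_SUBNETS.items():
        if ip in ipaddress.IPv4Network(net):
            return vid
    raise ValueError(f"{addr} is not in any known VLAN")


class Switch:
    """Applies each VLAN's inbound ACL. With stateful=True it also keeps a flow
    table keyed on (src, dst, proto), so a reply to permitted traffic passes
    without consulting the ACL. A real stateful firewall also tracks ports and
    TCP state; the address pair is enough to show the point (simplified model)."""

    def __init__(self, inbound_acls, stateful=False):
        self.acls = inbound_acls
        self.flows = set() if stateful else None

    def forward(self, pkt):
        if self.flows is not None and (pkt.dst, pkt.src, pkt.proto) in self.flows:
            return "permit"  # reply to a flow the other side opened
        acl = self.acls.get(vlan_of(pkt.src))
        verdict = acl.evaluate(pkt) if acl else "permit"
        if verdict == "permit" and self.flows is not None:
            self.flows.add((pkt.src, pkt.dst, pkt.proto))
        return verdict


# The inbound ACL on VLAN 3 from the thread: block VLAN 3 -> admin, allow the rest.
VLAN3_INBOUND = StatelessAcl([
    "deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "permit ip any any",
])


def admin_to_vlan3_exchange(stateful):
    """An admin host talks to a VLAN 3 host. Returns the verdicts for the request,
    the reply, and an unsolicited packet from a different VLAN 3 host."""
    sw = Switch({3: VLAN3_INBOUND}, stateful=stateful)
    request = Packet("192.168.1.20", "192.168.3.40")
    reply = Packet("192.168.3.40", "192.168.1.20")
    unsolicited = Packet("192.168.3.41", "192.168.1.20")
    return sw.forward(request), sw.forward(reply), sw.forward(unsolicited)


if __name__ == "__main__":
    print("stateless ACL :", admin_to_vlan3_exchange(False))  # ('permit', 'deny', 'deny')
    print("stateful filter:", admin_to_vlan3_exchange(True))  # ('permit', 'permit', 'deny')
    # A subnet mask typed where a wildcard belongs matches almost nothing:
    print(wildcard_match("192.168.3.40", "192.168.3.0", "255.255.255.0"))  # False
```

Running it shows the stateless switch dropping the VLAN 3 host's reply while the stateful model lets it through and still blocks the unsolicited VLAN 3 packet. The last line is the check worth keeping in mind when typing these entries: wildcard masks are the inverse of subnet masks, and a 255.255.255.0 wildcard matches only addresses whose last octet is 0, not the /24 you meant.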
06-14-2009 10:24 AM
Re: InterVLANs security (ACL)
Thanks for the reply, really you are great.
Your answer is very good and confirms my point that I want to use a firewall module for my 5412zl ProCurve switch.
Thanks again, and I hope you and I become friends.