ProCurve 5406zl - Restricting VLAN to VLAN traffic

SOLVED
Rich Olson
Occasional Advisor

Hello forum, I'm not so comfortable with ACLs at the moment and was hoping to get an ACL config to cover the following:

Restrict VLAN30 from accessing all VLANs other than itself. This VLAN will be an Altiris Deployment Imaging VLAN and will not need access to any other VLANs except the Default VLAN1, which is the gateway of the 5406zl switch. By doing this, VLAN30 cannot access other VLANs except for VLAN1, which will allow VLAN30 to access the Internet.

Restrict VLAN40 from accessing all VLANs other than itself. This VLAN will be a Guest VLAN and will not need access to any other VLANs except the Default VLAN1, which is the gateway of the 5406zl switch. By doing this, VLAN40 cannot access other VLANs except for VLAN1, which will allow VLAN40 to access the Internet.


Here is my switch config so far:

; J8697A Configuration Editor; Created on release #K.12.16

hostname "5406zl"
snmp-server contact ""
snmp-server location "Server Room"
time timezone -8
time daylight-time-rule Continental-US-and-Canada
module 1 type J8702A
module 2 type J8702A
module 3 type J8702A
module 4 type J8702A
module 5 type J8702A
ip default-gateway 10.2.1.1
ip routing
snmp-server community "public" Unrestricted
snmp-server community "private" Unrestricted
vlan 1
name "Default"
untagged C1-C8
ip address 10.2.1.2 255.255.255.0
no untagged A1-A24,B1-B24
exit
vlan 10
name "Servers"
untagged C9-C20
ip address 10.2.10.1 255.255.255.0
exit
vlan 20
name "Clients"
untagged A1-A24,B1-B24
ip address 10.2.20.1 255.255.255.0
exit
vlan 30
name "Altiris"
untagged D1-D24,E1-E24
ip address 10.2.30.1 255.255.255.0
exit
vlan 40
name "Guest"
untagged C21-C24
ip address 10.2.20.1 255.255.255.0
exit
vlan 50
name "Voice"
ip address 10.2.50.1 255.255.255.0
tagged A1-A24,B1-B24
voice
exit

To recap, I need an ACL example to restrict VLAN30 and VLAN40.

Any help will be much appreciated.
4 REPLIES
Matt Hobbs
Honored Contributor
Solution

Re: ProCurve 5406zl - Restricting VLAN to VLAN traffic

Hi Rich,

I noticed your IP address for VLAN 20 and VLAN 40 is the same, you'll need to correct that.

Once corrected, I believe the following ACLs should do the trick.

ip access-list extended Guest
deny ip any 10.2.10.0/24
deny ip any 10.2.20.0/24
deny ip any 10.2.30.0/24
deny ip any 10.2.50.0/24
permit ip any any
vlan 40
ip access-group Guest in

ip access-list extended Altiris
deny ip any 10.2.10.0/24
deny ip any 10.2.20.0/24
deny ip any 10.2.40.0/24
deny ip any 10.2.50.0/24
permit ip any any
vlan 30
ip access-group Altiris in


Matt
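The following Python script is an added illustration, not part of the thread or of any HP/ProCurve tool. It models the first-match, implicit-deny semantics of the two extended ACLs in Matt's reply, evaluates them over a handful of constructed flows (a Guest host reaching a server, the gateway, and an Internet address; an Altiris host reaching the Guest and Client subnets), and also reproduces the check Matt did by eye: scanning the VLAN interface addresses from Rich's config for subnets assigned to more than one VLAN. Host addresses such as 10.2.40.10 and the Internet address 198.51.100.7 are constructed sample values; only the subnets come from the thread.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# ACL text exactly as posted in the reply above (only the ACE lines matter here).
GUEST_ACL_TEXT = """
deny ip any 10.2.10.0/24
deny ip any 10.2.20.0/24
deny ip any 10.2.30.0/24
deny ip any 10.2.50.0/24
permit ip any any
"""

ALTIRIS_ACL_TEXT = """
deny ip any 10.2.10.0/24
deny ip any 10.2.20.0/24
deny ip any 10.2.40.0/24
deny ip any 10.2.50.0/24
permit ip any any
"""

# VLAN interface addresses copied from the switch config in the question.
# VLAN 40 really is configured with the same address as VLAN 20 on the page.
VLAN_ADDRESSES = {
    1: "10.2.1.2/24",
    10: "10.2.10.1/24",
    20: "10.2.20.1/24",
    30: "10.2.30.1/24",
    40: "10.2.20.1/24",
    50: "10.2.50.1/24",
}

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One access-control entry: '<permit|deny> ip <src> <dst>'."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _net(token: str) -> ipaddress.IPv4Network:
    return ANY if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_acl(text: str) -> list[Ace]:
    """Parse the 'permit|deny ip <src> <dst>' form used in the thread (no ports/protocols)."""
    aces = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("permit", "deny"):
            continue  # skip blank lines and non-ACE lines such as 'ip access-list ...'
        action, proto, src, dst = parts
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are modelled here: {line!r}")
        aces.append(Ace(action, _net(src), _net(dst)))
    return aces


def evaluate(aces: list[Ace], src_ip: str, dst_ip: str) -> str:
    """Return the action of the first matching ACE; an unmatched packet hits the implicit deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for ace in aces:
        if src in ace.src and dst in ace.dst:
            return ace.action
    return "deny"


def duplicate_subnets(vlan_addresses: dict[int, str]) -> dict[str, list[int]]:
    """Map each subnet that is assigned to more than one VLAN to the VLAN ids sharing it."""
    seen: dict[str, list[int]] = {}
    for vlan_id, cidr in vlan_addresses.items():
        subnet = str(ipaddress.ip_interface(cidr).network)
        seen.setdefault(subnet, []).append(vlan_id)
    return {subnet: ids for subnet, ids in seen.items() if len(ids) > 1}


def policy_check() -> dict[str, str]:
    """Evaluate the posted ACLs over constructed flows; keys read 'acl src->dst'."""
    guest = parse_acl(GUEST_ACL_TEXT)
    altiris = parse_acl(ALTIRIS_ACL_TEXT)
    flows = {
        "guest 10.2.40.10->10.2.10.5": (guest, "10.2.40.10", "10.2.10.5"),      # Servers VLAN
        "guest 10.2.40.10->10.2.1.1": (guest, "10.2.40.10", "10.2.1.1"),        # default gateway
        "guest 10.2.40.10->198.51.100.7": (guest, "10.2.40.10", "198.51.100.7"),  # Internet
        "altiris 10.2.30.10->10.2.40.10": (altiris, "10.2.30.10", "10.2.40.10"),  # Guest VLAN
        "altiris 10.2.30.10->10.2.20.10": (altiris, "10.2.30.10", "10.2.20.10"),  # Clients VLAN
    }
    return {name: evaluate(acl, s, d) for name, (acl, s, d) in flows.items()}


if __name__ == "__main__":
    for name, verdict in policy_check().items():
        print(f"{name}: {verdict}")
    print("shared subnets:", duplicate_subnets(VLAN_ADDRESSES))
```

Two points the table of verdicts makes visible: the ACLs leave the whole 10.2.1.0/24 subnet reachable, so VLAN1 hosts and the switch's own 10.2.1.2 address are not isolated from Guest or Altiris (which is what the question asked for, but worth knowing); and because the ACL is applied inbound on the VLAN, a Guest host's replies to a Client that initiated the connection are also dropped, so the isolation is effectively two-way for routed traffic. The duplicate-subnet check flags 10.2.20.0/24 on VLANs 20 and 40, which is why Matt's reply asks for the VLAN 40 address to be corrected before the ACLs are applied.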
Ardon
Trusted Contributor

Re: ProCurve 5406zl - Restricting VLAN to VLAN traffic

Restrict VLAN30 from accessing all VLANs other than itself. This VLAN will be an Altiris Deployment Imaging VLAN and will not need access to any other VLANs except the Default VLAN1, which is the gateway of the 5406zl switch. By doing this, VLAN30 cannot access other VLANs except for VLAN1, which will allow VLAN30 to access the Internet.

Easiest way to do this would be using "Source Port Filtering" where certain ports are only allowed to talk to certain other ports.

Restrict VLAN40 from accessing all VLANs other than itself. This VLAN will be a Guest VLAN and will not need access to any other VLANs except the Default VLAN1, which is the gateway of the 5406zl switch. By doing this, VLAN40 cannot access other VLANs except for VLAN1, which will allow VLAN40 to access the Internet.

Same solution for this.

I have attached the part of the manual which deals with Source Port Filtering.
ProCurve Networking Engineer
Rich Olson
Occasional Advisor

Re: ProCurve 5406zl - Restricting VLAN to VLAN traffic

Thanks for your help Matt and Ardon.
Rich Olson
Occasional Advisor

Re: ProCurve 5406zl - Restricting VLAN to VLAN traffic

Thanks. Problemo Solved!