Procurve 5400zl - ACL - restrict VLAN access

Kim Olling
New Member

Hello...

I'm struggling with some ACL configurations.

Basic information.
Switch HP procurve 5412zl
VLAN 10 (Administration)
VLAN 20 (Servers)
VLAN 30 (Students)
VLAN 40 (Guest)
VLAN 50 (Internet)
VLAN 60 (Device NET, printer etc.)
VLAN 70 (Management NET)

On VLAN 10, 30, 40, 60 and 70 the switch is acting as default gateway

Between VLAN 20 and the servers we have a firewall, so the servers are on another subnet than VLAN 20.



Types of setups we are trying to reach.

1. All VLANs have access through VLAN 50 to the internet

2. VLAN 10 is only accessible from VLAN 20 (from the servers on another subnet) and 70

3. When we are adding a new VLAN, then it's by default blocked from VLAN 10 without changing the ACL.

4. VLAN 70 has access to all VLANs

5. VLAN 60 is only accessible from VLAN 20 (from the servers on another subnet) and of course VLAN 70

Best regards

Kim
Pieter 't Hart
Honored Contributor

Re: Procurve 5400zl - ACL - restrict VLAN access

If your firewall is "strong enough", why not use the firewall to do traffic filtering between your VLANs?


It's probably much easier to configure the rules you demand on the firewall than with ACLs on the ProCurve.


1. All VLANs have access through VLAN 50 to the internet
=> That's no problem; if the 5400 routes between VLANs, by default all traffic is allowed.

2. VLAN 10 is only accessible from VLAN 20 (from the servers on another subnet) and 70
- Is VLAN 20 only there to connect this network to the firewall?
-> Your rule should be configured for the real addresses of the server network (if no NAT is used), not the connecting VLAN 20.
So the ACL must permit the server subnet and the VLAN 70 subnet.

3. When we are adding a new VLAN, then it's by default blocked from VLAN 10 without changing the ACL.
-> That's default behaviour: access is denied until explicitly permitted (as done in 2.).


4. VLAN 70 has access to all VLANs
- same as 1.

5. VLAN 60 is only accessible from VLAN 20 (from the servers on another subnet) and of course VLAN 70
-> Same as 2.
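To make points 2, 3 and 5 of the reply concrete, here is an added example of what the routed ACLs could look like in ProCurve K-series extended ACL syntax. It is not configuration from the original thread, and every address in it is a placeholder: 10.0.10.0/24 for VLAN 10, 10.0.60.0/24 for VLAN 60, 10.0.70.0/24 for VLAN 70, 172.16.5.0/24 for the real server subnet behind the firewall, and the assumption that every internal VLAN is carved out of 10.0.0.0/16. The ACL is applied with the "out" keyword on the protected VLAN, so it filters traffic the switch routes into that VLAN; check the command syntax and the in/out/vlan direction semantics against the ACL chapter of the software release actually running on the 5412zl, since they differ between releases.

```text
ip access-list extended "to-admin-vlan"
   remark "permit the real server subnet behind the firewall, not VLAN 20 itself"
   10 permit ip 172.16.5.0 0.0.0.255 10.0.10.0 0.0.0.255
   remark "permit the management VLAN"
   20 permit ip 10.0.70.0 0.0.0.255 10.0.10.0 0.0.0.255
   remark "deny every other internal subnet, which also covers VLANs added later"
   30 deny ip 10.0.0.0 0.0.255.255 10.0.10.0 0.0.0.255 log
   remark "what remains is return traffic from the Internet via VLAN 50"
   40 permit ip any any
   exit

ip access-list extended "to-device-vlan"
   10 permit ip 172.16.5.0 0.0.0.255 10.0.60.0 0.0.0.255
   20 permit ip 10.0.70.0 0.0.0.255 10.0.60.0 0.0.0.255
   30 deny ip 10.0.0.0 0.0.255.255 10.0.60.0 0.0.0.255 log
   40 permit ip any any
   exit

vlan 10
   ip access-group "to-admin-vlan" out
   exit

vlan 60
   ip access-group "to-device-vlan" out
   exit
```

Two points the reply's "denied until explicitly permitted" glosses over. First, the deny that ends every applied ACL is implicit, so an ACL containing only entries 10 and 20 would also drop the replies that VLAN 10 hosts get back from the Internet (their source is a public address, which matches neither permit); entries 30 and 40 keep requirement 1 intact by denying only the internal summary range and permitting the rest. Second, these ACLs are stateless: because entry 30 drops any packet from VLAN 30 or 40 addressed to VLAN 10, hosts on VLAN 10 cannot open connections toward those VLANs either, since the replies are dropped. If VLAN 10 needs to initiate such traffic, that is a strong argument for the stateful firewall the reply recommends. After applying the ACLs, confirm the result with `show access-list` and the logged denies (entry 30) rather than assuming the match order is right.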