
Restrict VLAN Routing

Stefan Wusowski
Frequent Advisor

Restrict VLAN Routing

Hello,
My problem is restricting VLAN routing. When I add VLANs with IP addresses to a 3400 switch and IP routing is on, all VLANs can connect to all other VLANs!? Is that right?
But I don't want that. I have an SRV VLAN and multiple branch VLANs. I want all branch VLANs to reach the SRV VLAN, but no branch VLAN to reach another branch VLAN. How can I configure that?

THX
Stefan Wusowski
4 REPLIES
Jonathan Axford
Trusted Contributor

Re: Restrict VLAN Routing

Have you tried using ACLs to prevent traffic from one IP subnet from getting to another?

I am sure the 3400cl supports this (a quick check on the ProCurve website confirms this...)

Where there is a will there is a way...
Mohieddin Kharnoub
Honored Contributor

Re: Restrict VLAN Routing

Hi

The 3400 is an intelligent switch, so it has access control lists (ACLs), which can provide IP layer 3 filtering based on source/destination IP address/subnet and source/destination TCP/UDP port number.

If you can provide the IP addresses for your VLANs and exactly what restrictions you need, then we can break it out for you with ACLs.

Good Luck !!!
Science for Everyone
Stefan Wusowski
Frequent Advisor

Re: Restrict VLAN Routing

Hello,
I know that the 3400 can work with ACLs, but I have never tried it. I hear that it's complicated. Here is my VLAN config.

IP network        Name           VLAN-ID
172.18.8.0/21     Zen-VLAN-1     1
10.100.100.0/24   Adm-VLAN-100   100
10.100.101.0/24   GMP-VLAN-101   101
10.100.102.0/24   Fin-VLAN-102   102
10.100.103.0/24   GF-VLAN-103    103
10.100.104.0/24   IT-VLAN-104    104
10.100.105.0/24   SRV-VLAN-105   105

Default Gateway xxx.yyy.zzz.1

I added the following IP addresses to the main switch:
vlan 100 ip address 10.100.100.1/24
vlan 101 ip address 10.100.101.1/24
vlan 102 ip address 10.100.102.1/24
vlan 103 ip address 10.100.103.1/24
vlan 104 ip address 10.100.104.1/24
vlan 105 ip address 10.100.105.1/24
Those are also the default gateways for the VLANs.

VLANs 100-104 should be routed to VLAN 105 and back, but there should be no routing between VLANs 100-104.

Can anyone provide example ACLs for denying the VLAN routing?

;-)))) Big THX
Stefan Wusowski

Mohieddin Kharnoub
Honored Contributor
Solution

Re: Restrict VLAN Routing

Hi

Your configuration will be:

1- Create a standard access list:
----------------------------------
3400(config)# access-list 1 deny 10.100.100.1/24
3400(config)# access-list 1 deny 10.100.101.1/24
3400(config)# access-list 1 deny 10.100.102.1/24
3400(config)# access-list 1 deny 10.100.103.1/24
3400(config)# access-list 1 deny 10.100.104.1/24
3400(config)# access-list 1 permit any

2- Apply it to vlans 100 to 104:
---------------------------------
3400(config)# vlan 100 ip access-group 1 in
3400(config)# vlan 101 ip access-group 1 in
3400(config)# vlan 102 ip access-group 1 in
3400(config)# vlan 103 ip access-group 1 in
3400(config)# vlan 104 ip access-group 1 in

3- Verify your configuration with show access-list.

I hope that will be enough to help :)

Don't forget to assign points,

Good Luck !!!
Science for Everyone
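
An added check, not part of any post in this thread and not vendor code: a small Python model of first-match ACL evaluation over the thread's VLAN subnets, comparing a source-only rule list with a destination-based one against the stated policy (branch VLANs reach SRV, not each other). It assumes a source-only list compares just the packet's source address, that the list is applied inbound on VLANs 100 to 104 only, and that traffic inside one VLAN is not routed; the rule tuples and function names are made up for the model.

```python
from ipaddress import ip_address, ip_network

# Subnets from the thread: VLANs 100-104 are branches, VLAN 105 is SRV.
VLANS = {vid: ip_network(f"10.100.{vid}.0/24") for vid in range(100, 106)}
BRANCHES = [100, 101, 102, 103, 104]
SRV = 105
ANY = ip_network("0.0.0.0/0")

# Model rule = (action, source network, destination network); first match wins.
# Source-only list (assumption: only the source address is compared).
SRC_ONLY = [("deny", VLANS[b], ANY) for b in BRANCHES] + [("permit", ANY, ANY)]
# Destination-based list: deny anything headed for a branch subnet.
DST_BASED = [("deny", ANY, VLANS[b]) for b in BRANCHES] + [("permit", ANY, ANY)]


def evaluate(acl, src, dst):
    """Return the action of the first rule matching src and dst."""
    for action, src_net, dst_net in acl:
        if ip_address(src) in src_net and ip_address(dst) in dst_net:
            return action
    return "deny"  # implicit deny when no rule matches


def routed_matrix(acl):
    """Action for each routed flow entering a branch VLAN (inbound ACL)."""
    result = {}
    for s in BRANCHES:
        for d in VLANS:
            if s == d:
                continue  # same VLAN: switched, never reaches the ACL
            # Constructed sample hosts: the .10 address in each subnet.
            result[(s, d)] = evaluate(acl, str(VLANS[s][10]), str(VLANS[d][10]))
    return result


def violations(acl):
    """Flows whose action differs from the policy in the thread."""
    bad = []
    for (s, d), action in routed_matrix(acl).items():
        wanted = "permit" if d == SRV else "deny"
        if action != wanted:
            bad.append((s, d, action))
    return bad


if __name__ == "__main__":
    print("source-only violations:     ", violations(SRC_ONLY))
    print("destination-based violations:", violations(DST_BASED))
```

In this model the source-only list also drops every branch-to-SRV flow, because each branch's own subnet is in the deny entries it is checked against on ingress; the destination-based list meets the policy with no violations.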