Switches, Hubs, and Modems

Alok-Gupta
Occasional Advisor

Restriction of all VLAN except vlan1 one IP with some specific ports 443,80,110,25

Hi, attached is the configuration file. Now how can we block vlan50 from accessing all VLANs except vlan1? But even in vlan1 I want to allow only one IP for full access, which is the gateway, so that it can go out, and one IP with specific ports 110 and 25.

In brief, I want to allow two IPs for specific ports in vlan1:

one for smtp and pop3 (10.2.1.100)
and second for internet (10.2.1.1 & 10.2.1.2)
cenk sasmaztin
Honored Contributor

Re: Restriction of all VLAN except vlan1 one IP with some specific ports 443,80,110,25

You can use an ACL.
Create an ACL role and assign it to the vlan 50 interface (out).

ip access-list standard "10"
permit 10.2.1.100 255.255.255.0
permit 10.2.1.1 255.255.255.0
permit 10.2.1.2 255.255.255.0
deny 10.2.1.0 255.255.255.0
deny 10.2.10.0 255.255.255.0
deny 10.2.20.0 255.255.255.0
deny 10.2.30.0 255.255.255.0
deny 10.2.40.0 255.255.255.0
permit 0.0.0.0 255.255.255.255
cenk

cenk sasmaztin
Honored Contributor

Re: Restriction of all VLAN except vlan1 one IP with some specific ports 443,80,110,25

Copy and paste this config onto your switch and test it.

My advice: update your switch to the latest version.


; J8697A Configuration Editor; Created on release #K.12.16

hostname "5406zl"
snmp-server contact ""
snmp-server location "Server Room"
time timezone -8
time daylight-time-rule Continental-US-and-Canada
ip access-list standard "10"
permit 10.2.1.100 255.255.255.0
permit 10.2.1.1 255.255.255.0
permit 10.2.1.2 255.255.255.0
deny 10.2.1.0 255.255.255.0
deny 10.2.10.0 255.255.255.0
deny 10.2.20.0 255.255.255.0
deny 10.2.30.0 255.255.255.0
deny 10.2.40.0 255.255.255.0
permit 0.0.0.0 255.255.255.255
module 1 type J8702A
module 2 type J8702A
module 3 type J8702A
module 4 type J8702A
module 5 type J8702A
ip default-gateway 10.2.1.1
ip routing
snmp-server community "public" Unrestricted
snmp-server community "private" Unrestricted
vlan 1
name "Default"
untagged C1-C8
ip address 10.2.1.2 255.255.255.0
no untagged A1-A24,B1-B24
exit
vlan 10
name "Servers"
untagged C9-C20
ip address 10.2.10.1 255.255.255.0
exit
vlan 20
name "Clients"
untagged A1-A24,B1-B24
ip address 10.2.20.1 255.255.255.0
exit
vlan 30
name "Altiris"
untagged D1-D24,E1-E24
ip address 10.2.30.1 255.255.255.0
exit
vlan 40
name "Guest"
untagged C21-C24
ip address 10.2.40.1 255.255.255.0
exit
vlan 50
name "Voice"
ip address 10.2.50.1 255.255.255.0
tagged A1-A24,B1-B24
ip access-group "10" out
voice
exit
cenk

Alok-Gupta
Occasional Advisor

Re: Restriction of all VLAN except vlan1 one IP with some specific ports 443,80,110,25

All right, I will do that, but this way the IP which we have permitted has full permission, whereas I want to allow only SMTP and POP3 for 10.2.1.100.
cenk sasmaztin
Honored Contributor

Re: Restriction of all VLAN except vlan1 one IP with some specific ports 443,80,110,25

; J8697A Configuration Editor; Created on release #K.12.16

hostname "5406zl"
snmp-server contact ""
snmp-server location "Server Room"
time timezone -8
time daylight-time-rule Continental-US-and-Canada
ip access-list extended "110"
permit tcp 10.2.50.0 255.255.255.0 eq 110 10.2.1.100 0.0.0.0 eq 110
permit tcp 10.2.50.0 255.255.255.0 eq 25 10.2.1.100 0.0.0.0 eq 25
permit ip 10.2.50.0 255.255.255.0 10.2.1.1 255.255.255.0
permit ip 10.2.50.0 255.255.255.0 10.2.1.2 255.255.255.0
deny ip 10.2.50.0 255.255.255.0 10.2.1.0 255.255.255.0
deny ip 10.2.50.0 255.255.255.0 10.2.10.0 255.255.255.0
deny ip 10.2.50.0 255.255.255.0 10.2.20.0 255.255.255.0
deny ip 10.2.50.0 255.255.255.0 10.2.30.0 255.255.255.0
deny ip 10.2.50.0 255.255.255.0 10.2.40.0 255.255.255.0
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
module 1 type J8702A
module 2 type J8702A
module 3 type J8702A
module 4 type J8702A
module 5 type J8702A
ip default-gateway 10.2.1.1
ip routing
snmp-server community "public" Unrestricted
snmp-server community "private" Unrestricted
vlan 1
name "Default"
untagged C1-C8
ip address 10.2.1.2 255.255.255.0
no untagged A1-A24,B1-B24
exit
vlan 10
name "Servers"
untagged C9-C20
ip address 10.2.10.1 255.255.255.0
exit
vlan 20
name "Clients"
untagged A1-A24,B1-B24
ip address 10.2.20.1 255.255.255.0
exit
vlan 30
name "Altiris"
untagged D1-D24,E1-E24
ip address 10.2.30.1 255.255.255.0
exit
vlan 40
name "Guest"
untagged C21-C24
ip address 10.2.40.1 255.255.255.0
exit
vlan 50
name "Voice"
ip address 10.2.50.1 255.255.255.0
tagged A1-A24,B1-B24
ip access-group "110" out
voice
exit
cenk
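
Added example, not part of the original post and not HP's code: a small first-match ACL evaluator run over the entries of ACL "110" above, next to a corrected variant, to show which entry a given packet actually hits. It assumes the switch reads the masks as ACL wildcard masks (0 bits must match, 1 bits are ignored) and that TCP clients use an ephemeral source port. The sample host 10.2.50.20, the test packets and the FIXED variant are constructed for illustration; the interface direction (in/out) is not modelled.

```python
import ipaddress

def _n(a):
    return int(ipaddress.IPv4Address(a))

def wc_match(addr, base, wildcard):
    """ACL wildcard mask: 0 bits must match, 1 bits are ignored."""
    care = ~_n(wildcard) & 0xFFFFFFFF
    return (_n(addr) & care) == (_n(base) & care)

def ace(action, proto, src, smask, dst, dmask, sport=None, dport=None):
    return dict(action=action, proto=proto, src=(src, smask), dst=(dst, dmask),
                sport=sport, dport=dport)

def evaluate(acl, pkt):
    """First matching entry wins: return (action, entry number), or ("deny", 0)."""
    for i, e in enumerate(acl, 1):
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (wc_match(pkt["src"], *e["src"]) and wc_match(pkt["dst"], *e["dst"])):
            continue
        if any(e[k] is not None and e[k] != pkt[k] for k in ("sport", "dport")):
            continue
        return e["action"], i
    return "deny", 0

def build(net_mask, host_mask, match_sport):
    """The thread's ACL "110", with masks and source-port test as parameters."""
    v50 = ("10.2.50.0", net_mask)
    sp = lambda p: p if match_sport else None
    acl = [ace("permit", "tcp", *v50, "10.2.1.100", "0.0.0.0", sp(110), 110),
           ace("permit", "tcp", *v50, "10.2.1.100", "0.0.0.0", sp(25), 25),
           ace("permit", "ip", *v50, "10.2.1.1", host_mask),
           ace("permit", "ip", *v50, "10.2.1.2", host_mask)]
    acl += [ace("deny", "ip", *v50, f"10.2.{v}.0", net_mask) for v in (1, 10, 20, 30, 40)]
    any_ = ("0.0.0.0", "255.255.255.255")
    return acl + [ace("permit", "ip", *any_, *any_)]

POSTED = build("255.255.255.0", "255.255.255.0", True)  # masks and ports as posted
FIXED = build("0.0.0.255", "0.0.0.0", False)  # assumption: wildcard masks, no source port

def pkt(dst, dport, proto="tcp", src="10.2.50.20", sport=50000):
    """Constructed sample traffic from a hypothetical VLAN 50 host."""
    return dict(src=src, dst=dst, proto=proto, sport=sport, dport=dport)

if __name__ == "__main__":
    for name, acl in (("posted", POSTED), ("fixed", FIXED)):
        for p in (pkt("10.2.1.100", 80), pkt("10.2.1.100", 25), pkt("10.2.10.5", 445)):
            print(name, p["dst"], p["dport"], evaluate(acl, p))
```

Under these assumptions, every packet from 10.2.50.20 skips the first nine posted entries and lands on the final permit, while the variant with wildcard masks and destination-port-only tests stops at the intended permit or deny entry.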

Alok-Gupta
Occasional Advisor

Re: Restriction of all VLAN except vlan1 one IP with some specific ports 443,80,110,25

Hi, but with this configuration I am not able to block anything; everything is open.
For example, 10.2.1.100 is open for everything
and not just for 25 & 110.
Alok-Gupta
Occasional Advisor

Re: Restriction of all VLAN except vlan1 one IP with some specific ports 443,80,110,25

But with the standard access-list everything is working, but with the standard access-list every port is open on a certain IP address.
Alok-Gupta
Occasional Advisor

Re: Restriction of all VLAN except vlan1 one IP with some specific ports 443,80,110,25

Hi, can anybody help me regarding this?
Alok-Gupta
Occasional Advisor

Re: Restriction of all VLAN except vlan1 one IP with some specific ports 443,80,110,25

Hi,
can anybody help me on this?