06-20-2007 11:55 PM
layer 4 acl's for guest vlan
I want to restrict the traffic between our guest VLAN and server VLAN. In the server VLAN are the DHCP, DNS and proxy servers.
guests: VLAN 11 (192.168.11.0)
server: VLAN 100 (192.168.100.0)
DNS/DHCP: 192.168.100.111
proxy: 192.168.100.99:8080
I want to allow only DHCP/DNS/proxy traffic.
I've written an outbound ACL for VLAN 11... but it doesn't work properly.
Any ideas or config examples?
Thanks
06-21-2007 01:13 AM
Re: layer 4 acl's for guest vlan
06-21-2007 05:24 PM
Re: layer 4 acl's for guest vlan
ip access-group Guests_in in
Inbound ACL should be:
ip access-list extended Guests_in
remark *** To allow traffic to proxy:
permit tcp 192.168.11.0 0.0.0.255 host 192.168.100.99 eq 8080
remark *** To allow DNS queries:
permit udp 192.168.11.0 0.0.0.255 host 192.168.100.111 eq domain
remark *** To allow IP acquisition:
permit udp any any eq bootps
To the same GuestVLAN interface, apply the outbound ACL like this:
ip access-group Guests_out out
Outbound ACL should be:
ip access-list extended Guests_out
remark *** To allow traffic from proxy:
permit ip host 192.168.100.99 192.168.11.0 0.0.0.255
remark *** To allow DNS and DHCP responses:
permit ip host 192.168.100.111 any
Comments:
1. I use something like that on a Cisco device, but good routers should allow you something similar, probably with slightly different syntax.
2. The inbound ACL is more granular, and therefore stricter than the looser outbound ACL.
3. The order of the statements in the ACLs takes into account traffic quantities: proxy traffic will be biggest, then DNS queries/answers and some light DHCP requests/responses.
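As an added illustration (not part of the original thread), here is a small first-match evaluator for the two ACLs in the answer above. It models IOS wildcard masks and the implicit deny at the end of every ACL, so you can check which guest flows actually get through before applying the lists; the flow addresses in the checks are constructed.

```python
import ipaddress

# The two ACLs from the answer, written in IOS-like form (constructed copies).
GUESTS_IN = [
    "permit tcp 192.168.11.0 0.0.0.255 host 192.168.100.99 eq 8080",
    "permit udp 192.168.11.0 0.0.0.255 host 192.168.100.111 eq domain",
    "permit udp any any eq bootps",
]
GUESTS_OUT = [
    "permit ip host 192.168.100.99 192.168.11.0 0.0.0.255",
    "permit ip host 192.168.100.111 any",
]
NAMED_PORTS = {"domain": 53, "bootps": 67, "bootpc": 68}


def _parse_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (matcher, rest)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        target = ipaddress.ip_address(tokens[1])
        return (lambda ip, t=target: ip == t), tokens[2:]
    net = int(ipaddress.ip_address(tokens[0]))
    wild = int(ipaddress.ip_address(tokens[1]))
    keep = 0xFFFFFFFF ^ wild  # wildcard bits set to 1 are "don't care"
    return (lambda ip, n=net, k=keep: int(ip) & k == n & k), tokens[2:]


def _parse_entry(line):
    action, proto, *rest = line.split()
    src, rest = _parse_addr(rest)
    dst, rest = _parse_addr(rest)
    dport = None
    if rest and rest[0] == "eq":
        dport = NAMED_PORTS.get(rest[1]) or int(rest[1])
    return action, proto, src, dst, dport


def evaluate(acl, proto, src, dst, dport):
    """Return 'permit' or 'deny' for a flow: first matching entry wins, implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        action, p, smatch, dmatch, port = _parse_entry(line)
        if p != "ip" and p != proto:  # 'ip' entries match every protocol
            continue
        if smatch(src) and dmatch(dst) and (port is None or port == dport):
            return action
    return "deny"
```

Note that a DHCP DISCOVER arrives from 0.0.0.0 to 255.255.255.255, which is why the bootps entry needs `any any`, and that the inbound list permits DNS over UDP only.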
06-22-2007 06:30 PM
Re: layer 4 acl's for guest vlan
It looks good... I will try it next week.
I think my basic failure was to misunderstand the meaning of inbound/outbound. (I thought that outbound traffic is traffic that leaves the VLAN.)
06-24-2007 06:39 PM
Re: layer 4 acl's for guest vlan
1. Inbound: traffic that enters the router interface from the outside.
2. Outbound: traffic that leaves the router interface.