Aruba & ProVision-based
cancel
Showing results for 
Search instead for 
Did you mean: 

ACL for communication between VLANs

 
Highlighted
Occasional Collector

ACL for communication between VLANs

Hello

I have an aruba 2930F switch where I have created 3 vlan

I want vlan 2 and vlan 3 to have full input and output communication with these vlan 1 addresses (192.168.1.71 and 192.168.1.79)

3 REPLIES 3
Highlighted
HPE Pro

Re: ACL for communication between VLANs

Hello!

VLAN 3 hosts should have access only to 192.168.1.71-79 addresses in VLAN 1. What about the rest of communication? I suppose their access to the rest of VLAN 1 and 2 addressing space should be blocked, but what about their Internet connection? 

Please, as well share subnets you use for VLAN 2 and 3, so we can help you creating proper ACLs.

 

I am an HPE employee

Accept or Kudo

Highlighted
Occasional Collector

Re: ACL for communication between VLANs

Vlan 1 => 192.168.1.0/24

Vlan 2=>192.168.3.0/24

Vlan 3=>192.168.100.0/24

the other ip of VLAN 1 I don't want them to have communication with vlan 2 and 3

 

Highlighted
HPE Pro

Re: ACL for communication between VLANs

You can apply two approaches - filter traffic either coming from VLAN 1 or from VLANs 2 and 3. I find the first option easier as you will need to apply VACL just on VLAN 1.

ip access-list extended "VLAN1-FILTER"
 10 permit ip 192.168.1.71 0.0.0.0 192.168.3.0 0.0.0.255
 20 permit ip 192.168.1.71 0.0.0.0 192.168.10.0 0.0.0.255
 30 permit ip 192.168.1.72 0.0.0.15 192.168.3.0 0.0.0.255 
 40 permit ip 192.168.1.72 0.0.0.15 192.168.10.0 0.0.0.255
 50 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 60 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255

Then apply this ACL as VACL on VLAN1:

vlan 1 ip access-group VLAN1-FILTER vlan


But since you didn't answer my question regarding the rest of communication, keep in mind that this ACL will allow 192.168.1.71-79 range to talk only to VLAN2 and VLAN3. All other communications will be blocked. If you need to implement following scheme:
- Allow 192.168.1.71-79 talk to VLAN2 and 3
- Block the rest of VLAN1 addresses communication to VLAN 2 and 3
- Allow other communication

then you need to add at the end of your ACL permitting ACE to overcome implicit deny, so the ACL will look like this:

ip access-list extended "VLAN1-FILTER"
 10 permit ip 192.168.1.71 0.0.0.0 192.168.3.0 0.0.0.255
 20 permit ip 192.168.1.71 0.0.0.0 192.168.10.0 0.0.0.255
 30 permit ip 192.168.1.72 0.0.0.15 192.168.3.0 0.0.0.255 
 40 permit ip 192.168.1.72 0.0.0.15 192.168.10.0 0.0.0.255
 50 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 60 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
 100 permit ip any any

Hope this helps!

 

I am an HPE employee

Accept or Kudo