HP 2920 Switch filter traffic from a specific VLAN
12-27-2017 03:12 AM - edited 12-30-2017 01:56 AM
Hi all,
I have a question about filtering traffic from a specific VLAN. We need to filter all the traffic from VLAN 20 to all other VLANs. Let's say that the traffic from VLAN 20 can only access the Internet. But all other VLANs should be able to access VLAN 20.
List of VLANs:
VL1= 192.168.1.0/24
VL10=192.168.2.0/24
VL20=10.0.0.0/23
VLAN 1 routes the traffic to the Internet and should also be able to access VL10, VL20, VL30
VLAN 10 should also be able to access VL1, VL20, VL30
VLAN 20 should only have access to the Internet
VLAN 30 should also be able to access VL1, VL10, VL20
When we apply the following ACL to VLAN 20 we can only access the Internet from VL20, that's OK. But traffic from VL1, VL10 and VL30 can no longer access VLAN 20 either.
ip access-list extended "Deny-VL20-to-VL1-VL10-VL30"
10 deny ip 10.0.0.0 0.0.1.255 192.168.1.0 0.0.0.255
20 deny ip 10.0.0.0 0.0.1.255 192.168.2.0 0.0.0.255
30 deny ip 10.0.0.0 0.0.1.255 192.168.3.0 0.0.0.255
40 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
#
vlan 20
name "Client-Netz"
untagged 17-24
ip access-group "Deny-VL20-to-VL1-VL10-VL30" vlan-in
ip address 10.0.0.1 255.255.254.0
dhcp-server
exit
Is there a way to set up such a filter?
We have also tried to add a permit rule for each VLAN that should be able to access VLAN 20, but without success.
ip access-list extended "Deny-VL20-to-VL1-VL10-VL30"
5 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.1.255
10 deny ip 10.0.0.0 0.0.1.255 192.168.1.0 0.0.0.255
15 permit ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.1.255
20 deny ip 10.0.0.0 0.0.1.255 192.168.2.0 0.0.0.255
25 permit ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.1.255
30 deny ip 10.0.0.0 0.0.1.255 192.168.3.0 0.0.0.255
40 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
Many thanks in advance for your help.
01-09-2018 09:16 AM - edited 01-09-2018 09:23 AM
UPDATE: problem is solved.
FIX:
VLAN 1 - 192.168.1.0 /24 (Default_VLAN)
VLAN 10 - 192.168.2.0 /24 (Mgmt)
VLAN 20 - 10.0.0.0 /23 (Guest-Access)
VLAN 30 - 192.168.3.0 /24 (Team)
IP Routing is enabled on the switch to allow all VLANs to communicate with each other.
Goal: VLAN 20 (Untrusted VLAN) should only allow traffic to the Internet and cannot access any other VLAN. All other VLANs (1, 10 and 30) should be able to ping and initiate traffic (such as printing) to devices in VLAN 20. In order to accomplish this, you need to allow communications from other VLANs back into VLAN 20 to allow bidirectional functionality.
1. Start by making an extended ACL. Here is an extended ACL called "UNTRUSTED" which will allow bidirectional traffic that is initiated from VLANs 1, 10, and 30.
ip access-list extended UNTRUSTED
permit tcp 10.0.0.0 0.0.1.255 any established
(The word "established" at the end of this ACL means that traffic initiated from anywhere outside of VLAN 1, 10 and 30 is permitted and will allow VLAN 20 devices to communicate back to the initiator.)
2. Next, allow the devices in VLAN 20 to reply to pings initiated from devices outside their VLAN.
permit icmp 10.0.0.0 0.0.1.255 any echo-reply
(The "echo-reply" allows devices in VLAN 20 to reply to ping and other ICMP requests.)
3. Next, deny VLAN 20 traffic from going to the other VLANs:
deny ip 10.0.0.0 0.0.1.255 192.168.1.0 0.0.0.255
deny ip 10.0.0.0 0.0.1.255 192.168.2.0 0.0.0.255
deny ip 10.0.0.0 0.0.1.255 192.168.3.0 0.0.0.255
4. Next, allow VLAN 20 traffic to get to the Internet:
permit ip 10.0.0.0 0.0.1.255 any
5. Next, deny all other traffic (for more security):
deny ip any any
Now the "UNTRUSTED" ACL should look like this:
ip access-list extended "UNTRUSTED"
10 permit tcp 10.0.0.0 0.0.1.255 0.0.0.0 255.255.255.255 established
20 permit icmp 10.0.0.0 0.0.1.255 0.0.0.0 255.255.255.255 0
30 deny ip 10.0.0.0 0.0.1.255 192.168.1.0 0.0.0.255
40 deny ip 10.0.0.0 0.0.1.255 192.168.2.0 0.0.0.255
50 deny ip 10.0.0.0 0.0.1.255 192.168.3.0 0.0.0.255
90 permit ip 10.0.0.0 0.0.1.255 0.0.0.0 255.255.255.255
100 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
6. Now apply the ACL inbound on VLAN 20:
vlan 20
ip access-group "UNTRUSTED" vlan-in
And it works (:-)
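To see why the question's second ACL still broke connections into VLAN 20 while the "UNTRUSTED" ACL above works, here is an added walk-through of both ACLs as an ordered, first-match rule list (example code written for this thread, not from the original posts or from HPE). It assumes the ProVision behaviour relevant here: a vlan-in ACL on VLAN 20 is evaluated only for packets that enter the switch from VLAN 20, an ACL ends with an implicit deny, and "established" is a match on the TCP ACK/RST flags rather than a connection-tracking state. The hosts 192.168.1.50, 10.0.0.20 and 203.0.113.10 and the flows between them are constructed for the example.

```python
"""Stateless model of the two 'vlan-in' ACLs from this thread (added example,
not from the original posts).  A ProVision-style ACL is treated as a first-match
rule list with an implicit 'deny ip any any' at the end, and the VLAN 20 ACL is
applied only to packets that enter the switch from VLAN 20 addresses, which is
what a 'vlan-in' ACL sees.  All hosts and flows below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

VLAN20 = "10.0.0.0/23"                       # the untrusted VLAN from the thread
OTHER_VLANS = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]


@dataclass
class Packet:
    proto: str                                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    tcp_ack: bool = False                     # ACK (or RST) set: what "established" matches
    icmp_type: Optional[int] = None           # 8 = echo-request, 0 = echo-reply


@dataclass
class Rule:
    action: str                               # "permit" or "deny"
    proto: str                                # "ip" matches every protocol
    src: str                                  # CIDR or "any"
    dst: str
    established: bool = False
    icmp_type: Optional[int] = None


def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_in_net(pkt.src, rule.src) and _in_net(pkt.dst, rule.dst)):
        return False
    # "established" is a flag check on the packet, not connection tracking
    if rule.established and not (pkt.proto == "tcp" and pkt.tcp_ack):
        return False
    if rule.icmp_type is not None and pkt.icmp_type != rule.icmp_type:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; no match falls through to the implicit deny."""
    for rule in acl:
        if _matches(rule, pkt):
            return rule.action
    return "deny"


def forward(acl: List[Rule], pkt: Packet) -> str:
    """A 'vlan-in' ACL on VLAN 20 only sees packets arriving from VLAN 20 ports;
    traffic entering on the other VLANs is never checked against it."""
    if ip_address(pkt.src) in ip_network(VLAN20):
        return evaluate(acl, pkt)
    return "permit"


# Second ACL from the question: permits for the other sources were added, but
# the replies leaving VLAN 20 still hit the deny lines.
ORIGINAL: List[Rule] = []
for net in OTHER_VLANS:
    ORIGINAL.append(Rule("permit", "ip", net, VLAN20))
    ORIGINAL.append(Rule("deny", "ip", VLAN20, net))
ORIGINAL.append(Rule("permit", "ip", "any", "any"))

# The "UNTRUSTED" ACL from the accepted answer.
UNTRUSTED: List[Rule] = [
    Rule("permit", "tcp", VLAN20, "any", established=True),
    Rule("permit", "icmp", VLAN20, "any", icmp_type=0),
]
UNTRUSTED += [Rule("deny", "ip", VLAN20, net) for net in OTHER_VLANS]
UNTRUSTED += [Rule("permit", "ip", VLAN20, "any"), Rule("deny", "ip", "any", "any")]


def tcp_session_allowed(acl: List[Rule], client: str, server: str) -> bool:
    """The client's SYN and the server's SYN/ACK must both be forwarded."""
    syn = Packet("tcp", client, server)
    syn_ack = Packet("tcp", server, client, tcp_ack=True)
    return forward(acl, syn) == "permit" and forward(acl, syn_ack) == "permit"


def ping_allowed(acl: List[Rule], src: str, dst: str) -> bool:
    """Echo request one way and echo reply back must both be forwarded."""
    req = Packet("icmp", src, dst, icmp_type=8)
    rep = Packet("icmp", dst, src, icmp_type=0)
    return forward(acl, req) == "permit" and forward(acl, rep) == "permit"


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("UNTRUSTED", UNTRUSTED)):
        print(name, "VLAN1->VLAN20 tcp:", tcp_session_allowed(acl, "192.168.1.50", "10.0.0.20"))
        print(name, "VLAN1->VLAN20 ping:", ping_allowed(acl, "192.168.1.50", "10.0.0.20"))
        print(name, "VLAN20->VLAN1 tcp:", tcp_session_allowed(acl, "10.0.0.20", "192.168.1.50"))
        print(name, "VLAN20->Internet tcp:", tcp_session_allowed(acl, "10.0.0.20", "203.0.113.10"))
```

Running it shows the point of the thread: with the question's ACL the SYN from VLAN 1 is never inspected (it enters on VLAN 1), but the SYN/ACK leaving VLAN 20 is dropped by the deny line, so the extra permit rules for 192.168.x.0 sources could never help. With "UNTRUSTED" the SYN/ACK matches the established rule and the echo-reply matches the ICMP rule, while a connection the VLAN 20 host starts toward another VLAN is still denied. Two caveats the model also makes visible: the ACL is stateless, so any packet from VLAN 20 carrying the ACK flag is permitted toward the other VLANs whether or not a session exists, which is a weaker guarantee than a stateful firewall gives; and only TCP and echo-reply are covered, so a UDP service in VLAN 20 queried from VLAN 1 cannot answer unless a further rule is added.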