Aruba & ProVision-based
cancel
Showing results for 
Search instead for 
Did you mean: 

Re: HP 2920 Switch filter traffic from a specific VLAN

 
SOLVED
Go to solution
Highlighted
Occasional Contributor

HP 2920 Switch filter traffic from a specific VLAN

Hi all,

I have a question about filtering trafffic from a specifc VLAN. We need filter all the traffic from VLAN 20 to all other VLAN's. Let say that the traffic from VLAN 20 can only access the Internet. But all other VLANs should be able to access VLAN 20.

List of VLANs:

VL1= 192.168.1.0/24

VL10=192.168.2.0/24

VL20=10.0.0.0/23

VLAN 1 route the traffic to the Internet and should be able to access also VL10, VL20, VL30

VLAN 10 should also be able to access VL1, VL20, VL30

VLAN 20 should only have access to the Internet

VLAN 30 should also be able to access VL1, VL10, VL20

When we apply the following ACL to VLAN20 we can only access the Internet from VL20 thats OK. But also traffic from VL1, VL10 and VL30 can no more access the VLAN 20.

ip access-list extended "Deny-VL20-to-VL1-VL10-VL30"

10 deny ip 10.0.0.0 0.0.1.255 192.168.1.0 0.0.0.255

20 deny ip 10.0.0.0 0.0.1.255 192.168.2.0 0.0.0.255

30 deny ip 10.0.0.0 0.0.1.255 192.168.3.0 0.0.0.255

40 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit

#

vlan 20
   name "Client-Netz"
   untagged 17-24
   ip access-group "Deny-VL20-to-VL1-VL10-VL30" vlan-in
   ip address 10.0.0.1 255.255.254.0
   dhcp-server
   exit

Is there a way to setup such a filter?

We have also try to add a permit rule for each VLAN that should by able to access the VLAN 20 but no success.

ip access-list extended "Deny-VL20-to-VL1-VL10-VL30"

5 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.1.255

10 deny ip 10.0.0.0 0.0.1.255 192.168.1.0 0.0.0.255

15 permit ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.1.255

20 deny ip 10.0.0.0 0.0.1.255 192.168.2.0 0.0.0.255

25 permit 192.168.3.0 0.0.0.255 10.0.0.0 0.0.1.255

30 deny ip 10.0.0.0 0.0.1.255 192.168.3.0 0.0.0.255

40 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit

 

Many thanks in advanced for your help.

1 REPLY 1
Highlighted
Occasional Contributor
Solution

Re: HP 2920 Switch filter traffic from a specific VLAN

UPDATE problem is Solved.

FIX:

VLAN 1 - 192.168.1.0 /24 (Default_VLAN)

VLAN 10 - 192.168.2.0 /24 (Mgmt)

VLAN 20 - 10.0.0.0 /23 (Guest-Access)

VLAN 30 - 192.168.3.0 /24 (Team)

IP Routing is enabled on the switch to allow all VLANs to communicate with each other.

Goal: VLAN 20 (Untrusted VLAN) should only allow traffic to the Internet and cannot access in any other VLAN. All other VLANs ( 1, 10 and 30) should be able to ping and initiate traffic (such as printing) to devices in VLAN 20. In order to accomplish this, you need to allow communications from other VLANs back into VLAN 20 in order to allow bidirectional functionality.

1.

Start by making an extended ACL. Here is an extended ACL called "UNTRUSTED" which will allow bidirectional traffic that is initiated from VLANs 1, 10, and 30.

ip access-list extended UNTRUSTED

permit tcp 10.0.0.0 0.0.1.255 any established (The word "established" at the end of this ACL means that traffic initiated from anywhere outside of the VLAN 1, 10 and 30 is permitted and will allow VLAN 20 devices to communicate back to the initiator.

2.

Next allow the devices in VLAN 20 to reply to pings initiated from devices outside their VLAN.

permit icmp 10.0.0.0 0.0.1.255 any echo-reply (The "echo-reply" allows devices in VLAN 20 to reply to ping and other ICMP requests.

3.

Next deny VLAN 20 traffic from going to the other VLANs

deny ip 10.0.0.0 0.0.1.255 192.168.1.0 0.0.0.255

deny ip 10.0.0.0 0.0.1.255 192.168.2.0 0.0.0.255

deny ip 10.0.0.0 0.0.1.255 192.168.3.0 0.0.0.255

4.

Next allow VLAN20 traffic to get to the Internet

permit ip 10.0.0.0 0.0.1.255 any

5.

Next deny all other traffic (for more security)

deny ip any any

Now the "UNTRUSTED" ACL, should look like this:

ip access-list extended "UNTRUSTED"

10 permit tcp 10.0.0.0 0.0.1.255 0.0.0.0 255.255.255.255 established

20 permit icmp 10.0.0.0 0.0.1.255 0.0.0.0 255.255.255.255 0

30 deny ip 10.0.0.0 0.0.1.255 192.168.1.0 0.0.0.255

40 deny ip 10.0.0.0 0.0.1.255 192.168.2.0 0.0.0.255

50 deny ip 10.0.0.0 0.0.1.255 192.168.3.0 0.0.0.255

90 permit ip 10.0.0.0 0.0.1.255 0.0.0.0 255.255.255.255

100 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

6.

Now apply the ACL inbound on the VLAN 20

Interface vlan 20

ip access-group "UNTRUSTED" vlan in

And it works (:-)