HPE Aruba Networking & ProVision-based

Re: 5412zl multiple VLAN's need ACL

 
jdixon
Frequent Advisor

5412zl multiple VLAN's need ACL

I received my 5412zl and have been reading on getting ready to configure it. I'm running into a design problem though (well, not really a problem... wanting more guidance).

 

Basically I have about 20 VLANs. None of the VLANs should talk to each other except for a couple of exceptions:

 

  • All VLANs should be able to talk to 10.1.0.80 on ports 80 & 443, which is located in VLAN 10
  • None of the VLANs should be able to talk to each other

 

From what I read, for performance reasons it is best to apply the access list inbound instead of outbound.

 

So for something like this, do I create an extended access list that denies all the VLANs and permits the ones I want at the bottom?

 

What I was hoping to be able to do, just to make it easier, is make an extended access list where I just put in my PERMITs and it has an implicit DENY at the end. This seems to work except for internet access. I've tried telling it to allow the firewall IP but it doesn't seem to work.

 

Long story short, is there a way to create an access list where I just put my PERMITs in and apply it to the inbound for a VLAN? The VLANs all need internet access though.

Matt Kunard
Occasional Advisor

Re: 5412zl multiple VLAN's need ACL

ACLs on that unit do have an implicit deny at the end, so it could be as simple as adding statements for what you explicitly want to permit, then applying that ACL inbound on the VLANs in question. For internet access you need statements for DNS and HTTP/HTTPS traffic along with statements allowing access to your internal systems.

jdixon
Frequent Advisor

Re: 5412zl multiple VLAN's need ACL

The problem is I basically want to deny all the VLANs but allow out to the internet (anywhere on the internet).

 

I could end up having 100 VLANs, so I was thinking it would be easier to just put in what I wanted to allow instead of having to write denies over 100 times and then a permit any any at the end.

 

I guess this is what I'm trying to do (inbound ACL applied to VLAN 505):

 

Allow VLAN 5
Allow IP 10.10.10.10 on VLAN 10
Allow to Internet
(implicit deny)

 

 

This is what I'm doing and it works... just more I have to do:

 

Deny VLAN 2
Deny VLAN 3
Deny VLAN 4
Deny VLAN 6
....
..
..
Permit any any
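The two ACL styles discussed in this thread (permit-only with the implicit deny at the end, versus one deny per VLAN followed by permit any any) can be checked against each other before anything is typed into the switch. The block below is an added example, not configuration from the thread or from HPE. It models the way an inbound VLAN ACL is evaluated (first matching entry wins, implicit deny if nothing matches) and shows the permit-only form that still lets a VLAN reach the internet: one deny for the summary of the internal address space, followed by a permit to anywhere. All addresses and VLAN numbers other than 10.1.0.80 are constructed for the example; the assumption is that every internal VLAN sits inside 10.0.0.0/8, VLAN 10 is 10.1.0.0/24 (because that is where 10.1.0.80 lives), and the other VLANs are 10.n.0.0/24.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addressing for this example (not from the thread).
WEB_SERVER = "10.1.0.80"      # in VLAN 10, from the original post
DNS_SERVER = "10.1.0.53"      # assumed resolver the clients must reach
VLAN_10 = "10.1.0.0/24"       # assumed subnet of VLAN 10
VLAN_5 = "10.5.0.0/24"        # assumed subnet of VLAN 5
VLAN_505 = "10.55.5.0/24"     # assumed subnet of VLAN 505 (the one being protected)
GATEWAY_505 = "10.55.5.1"     # assumed default gateway (firewall) address on VLAN 505
INTERNAL = "10.0.0.0/8"       # assumed summary of every internal VLAN
# Other VLANs are assumed to be 10.n.0.0/24; 5 and 10 are handled separately.
OTHER_VLANS = [n for n in range(2, 21) if n not in (5, 10)]


@dataclass(frozen=True)
class Ace:
    """One access-control entry. proto 'ip' matches any protocol; dport None matches any port."""
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        return (self.proto in ("ip", proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching entry wins; if nothing matches, the implicit deny applies."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"


def shared_permits(src: str) -> List[Ace]:
    """Explicit permits both styles need: the web app, DNS, and the whole of VLAN 5."""
    return [
        Ace("permit", "tcp", src, WEB_SERVER + "/32", 80),
        Ace("permit", "tcp", src, WEB_SERVER + "/32", 443),
        Ace("permit", "udp", src, DNS_SERVER + "/32", 53),
        Ace("permit", "ip", src, VLAN_5),
    ]


def permit_only_acl(src: str) -> List[Ace]:
    """Permit-only style relying on the implicit deny.
    'Allow to Internet' is expressed as: deny the internal summary, then permit anywhere.
    Everything else (other VLANs, the rest of VLAN 10) falls through to the deny."""
    return shared_permits(src) + [
        Ace("deny", "ip", src, INTERNAL),
        Ace("permit", "ip", src, "0.0.0.0/0"),
    ]


def deny_list_acl(src: str) -> List[Ace]:
    """The style the poster is using: one deny per VLAN, then permit any any.
    The rest of VLAN 10 still needs its own deny after the web/DNS permits."""
    denies = [Ace("deny", "ip", src, "10.%d.0.0/24" % n) for n in OTHER_VLANS]
    denies.append(Ace("deny", "ip", src, VLAN_10))
    return shared_permits(src) + denies + [Ace("permit", "ip", src, "0.0.0.0/0")]


def gateway_permit_acl(src: str) -> List[Ace]:
    """What 'allow the firewall IP' does: a permit whose destination is the gateway address."""
    return [Ace("permit", "ip", src, GATEWAY_505 + "/32")]


# Constructed flows entering the switch from a host on VLAN 505.
FLOWS = [
    ("tcp", "10.55.5.20", WEB_SERVER, 443),       # the permitted web app in VLAN 10
    ("tcp", "10.55.5.20", "10.1.0.81", 445),      # another host in VLAN 10
    ("tcp", "10.55.5.20", "10.2.0.9", 22),        # a host in VLAN 2
    ("tcp", "10.55.5.20", "10.5.0.9", 3389),      # a host in VLAN 5
    ("udp", "10.55.5.20", DNS_SERVER, 53),        # DNS
    ("tcp", "10.55.5.20", "203.0.113.10", 443),   # an internet host
]


def decisions(acl: List[Ace]) -> List[str]:
    """Evaluate every constructed flow against an ACL, in order."""
    return [evaluate(acl, *flow) for flow in FLOWS]


if __name__ == "__main__":
    for name, acl in (("permit-only", permit_only_acl(VLAN_505)),
                      ("deny-list", deny_list_acl(VLAN_505)),
                      ("gateway-permit", gateway_permit_acl(VLAN_505))):
        print("%-15s %2d entries: %s" % (name, len(acl), " ".join(decisions(acl))))
```

Two things the model makes visible. First, the permit-only ACL and the deny-per-VLAN ACL give identical decisions for every flow, but the permit-only one stays at six entries no matter how many VLANs exist, provided the internal space summarises to a block that can be denied in one line. Second, a permit whose destination is the firewall's address never matches internet-bound traffic, because a routed packet carries the remote host's address as its destination, not the next hop's; that is why the "allow the firewall IP" attempt in the thread did nothing. One caveat that applies to either style: these ACLs are stateless, so the inbound ACL on VLAN 10 must permit the replies from 10.1.0.80 (source ports 80 and 443) back to the client subnets, or the sessions will not complete.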