HPE Aruba Networking & ProVision-based

Blocking one VLAN subnet from all other local subnets using ACL?

nlandas
Frequent Visitor

I could use a hand. Let's say I have 3 VLANs. There are actually more, but I hope the principle is the same.

VLAN1    172.18.184.0/21
VLAN3    172.26.11.0/24
VLAN43   172.21.161.64/26

I want to stop VLAN43 from being able to communicate with any local subnet. I don't work with ACLs often, but I thought this would be as simple as denying any IP to each subnet and applying the rule inbound to VLAN 43 on the core routing 8206zl switch. Can you help me see what I have wrong? There is another 5412zl switch with the VLAN on it, but it's not performing any routing.

ip access-list extended "DenySubnets"
10 deny ip any 172.18.184.0/21
20 deny ip any 172.26.11.0/24
60 permit ip any any
vlan 43 ip access-group "DenySubnets" in


I tried it as out instead, thinking that I had misunderstood that the ACL would receive packets inbound from VLAN43 and block traffic in the order specified. I thought any IP to the two specified subnets would be blocked and all other traffic would pass. I am obviously missing something simple and I'm just hoping someone will take a moment to get me back on the right path. Thanks in advance.

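A small Python model of the first-match ACL evaluation the poster describes, added here as an illustration and not part of the original thread. The "in"/"out" direction semantics are an assumption of the model (inbound = packets entering the switch from VLAN 43, outbound = packets leaving the switch on VLAN 43), not a statement of what the 8206zl does; the flows are constructed sample data.

```python
"""Model of a ProVision-style first-match ACL applied to a VLAN in one direction."""
import ipaddress

# Subnets from the thread.
VLAN1 = ipaddress.ip_network("172.18.184.0/21")
VLAN3 = ipaddress.ip_network("172.26.11.0/24")
VLAN43 = ipaddress.ip_network("172.21.161.64/26")
ANY = ipaddress.ip_network("0.0.0.0/0")

# The poster's "DenySubnets" ACL in sequence order: (seq, action, src, dst).
DENY_SUBNETS = [
    (10, "deny", ANY, VLAN1),
    (20, "deny", ANY, VLAN3),
    (60, "permit", ANY, ANY),
]


def evaluate(acl, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny-all entry."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action, seq
    return "deny", "implicit"


def filter_vlan(acl, direction, vlan_net, flows):
    """Assumed model: 'in' sees packets whose source is in the VLAN (entering the
    switch from it), 'out' sees packets whose destination is in the VLAN (leaving
    the switch on it). Flows the filter never sees are reported as 'not filtered'."""
    results = {}
    for src, dst in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        seen = (s in vlan_net) if direction == "in" else (d in vlan_net)
        results[(src, dst)] = evaluate(acl, src, dst)[0] if seen else "not filtered"
    return results


# Constructed sample flows: a VLAN43 host reaching out, and a VLAN1 host coming in.
FLOWS = [
    ("172.21.161.70", "172.18.185.10"),  # VLAN43 -> VLAN1
    ("172.21.161.70", "172.26.11.5"),    # VLAN43 -> VLAN3
    ("172.21.161.70", "8.8.8.8"),        # VLAN43 -> outside, not a listed subnet
    ("172.18.185.10", "172.21.161.70"),  # VLAN1 -> VLAN43
]

if __name__ == "__main__":
    for direction in ("in", "out"):
        print(f"--- DenySubnets applied {direction} on VLAN 43 ---")
        for flow, verdict in filter_vlan(DENY_SUBNETS, direction, VLAN43, FLOWS).items():
            print(flow, verdict)
```

Note that the ACL is stateless: applied inbound it stops VLAN43 hosts from initiating traffic to the listed subnets, but a session started from VLAN1 towards VLAN43 is never seen by the inbound filter on the way in, and only its replies are dropped.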
3 REPLIES
Chrisd131313
Trusted Contributor

Re: Blocking one VLAN subnet from all other local subnets using ACL?

Hi nlandas,

I am no ACL expert, but I think you need to apply the ACL as "vlan", not "in" or "out", as you are not wanting to apply the ACL to a specific interface but to an entire VLAN.

I could be wrong and I am sure there are others who can correct me on that, but I think that is what you need for your scenario.

HTH

-----------------------------------------------------

Don't forget to mark a post resolved if your question was answered.
nlandas
Frequent Visitor

Re: Blocking one VLAN subnet from all other local subnets using ACL?

Thank you for the reply. I'm not certain that I follow. Based on the documentation, the VLAN directive allows you to apply the ACL filter to inbound or outbound traffic from that VLAN.

vlan 43 ip access-group "DenySubnets" in

Could you or someone else clarify? I'm trying to block the VLAN from accessing any of my primary subnets.

Thank you,

-Nyle

Chrisd131313
Trusted Contributor

Re: Blocking one VLAN subnet from all other local subnets using ACL?

Have a read of the Access Security Guide for the switch model you are working with. It explains it under section #9 - Using > Adding or Removing an ACL Assignment on an Interface > Filtering IPv4 traffic inbound on a VLAN. 

HTH
