Switches, Hubs, and Modems
Angelo Pellegrinon
Occasional Advisor

Acl - Use port or vlan?

Hello.
I have an HP ProCurve 5400 and I need to use special ACLs for 3 PC groups.

The PCs are in the SAME SUBNET and I must have:
PC GROUP A: allowed to speak with PC GROUP B
PC GROUP B: allowed to speak with PC GROUP C
PC GROUP A: blocked from speaking with PC GROUP C

Can I make 3 VLANs and use static routing or a special ACL? Is it possible with the SAME SUBNET?

How can I do it?

Is there any other solution?

Sorry for my English and thanks in advance

Angelo
cenk sasmaztin
Honored Contributor

Re: Acl - Use port or vlan?

Hi Angelo

***Can I make 3 VLANs and use static routing or a special ACL? Is it possible with the SAME SUBNET?

No Angelo, you can't create three VLANs on the same subnet; it's impossible.

There are two ways to run this operation:

Way 1: assign each group's PCs static IP addresses and attach an ACL on the switch port (static). Very bad.

Way 2: my advice, you can use IDM. In IDM you can create user-based access lists; no need to look at ports, no need for static IPs, no need for VLANs. Very successful.


cenk

cenk sasmaztin
Honored Contributor

Re: Acl - Use port or vlan?

Or each user group gets another subnet and you can separate your network with VLANs.

In that case attach the user group's ACL on the VLAN interface.


cenk

Angelo Pellegrinon
Occasional Advisor

Re: Acl - Use port or vlan?

I'll try to explain better what I have to do.
I have one VoIP server (GROUP A); this server uses a PRI-over-Ethernet box (GROUP B) and a lot of VoIP telephones (GROUP C).

A sees B&C, B sees A, C sees A

I must optimize the traffic between A and B. Unfortunately I can't attach a new NIC to the server (and dedicate a VLAN to those IPs).

There are no users and I can't use VLAN-tagged packets (the PRI box is "stupid").
Angelo Pellegrinon
Occasional Advisor

Re: Acl - Use port or vlan?

Maybe the ACL on ports is the best solution?

The server's IP is static, the PRI box is static, only the telephones' IPs are not static. But I wish to do something like:

ip xxx.xxx.xxx.1 (PRI box) accepts only from xxx.xxx.xxx.200 and xxx.xxx.xxx.201 (VoIP servers)

and

ip xxx.xxx.xxx.1 sends only to xxx.xxx.xxx.200 and xxx.xxx.xxx.201

I must say that the box can only speak to and only accept packets from the server. I don't want the PRI box to receive other network packets like broadcasts.
cenk sasmaztin
Honored Contributor

Re: Acl - Use port or vlan?

A sees B&C, B sees A, C sees A****** :D

So B doesn't see C, and all the other groups connect to each other.

Is this true?


Therefore you can create three VLANs

and run routing between the VLANs.


For example:

group A vlan 10 172.16.10.1/24
group B vlan 20 172.16.20.1/24
group C vlan 30 172.16.30.1/24

and enable ip routing on the switch.

Now each VLAN connects to the others (with routing).


You can create an ACL and assign it to VLAN B and VLAN C.


cenk

cenk sasmaztin
Honored Contributor

Re: Acl - Use port or vlan?

Or you can use source-port filtering.

Source port-filter is a very easy way to separate switch ports, for example:


coresw2(config)# filter source-port A1 drop A10-A20

Interface A1 doesn't connect to interfaces A10-A20 but connects to all other interfaces.

Very easy.

cenk

Angelo Pellegrinon
Occasional Advisor

Re: Acl - Use port or vlan?

OK!

My problem is that the VoIP servers, the phones and the PRI box are in the same network.

Is it possible if I put the PRI box in another network?

Server and phones in vlan 100, PRI box in vlan 200.

Every server IP in vlan 100 can see vlan 200 and vice versa.
Angelo Pellegrinon
Occasional Advisor

Re: Acl - Use port or vlan?

The source port-filter solution may be good.

Can I say:

Port A1 connects to ports A2 and A3 and receives only from A2 and A3?

Ports A2 and A3 can see all other ports.
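An added configuration example, not from any poster in this thread, showing how the two directions Angelo asks about look in the ProCurve 5400 CLI (the `filter source-port` syntax from cenk's post, plus IPv4 ACLs for the "accepts only from / sends only to" wish). Port numbers and addresses are assumptions, and the ACL part assumes a firmware release that applies port and VLAN ACLs to switched, same-subnet traffic.

```text
; Added example (not from the thread): ProCurve 5400 CLI for Angelo's layout.
; Assumed ports: PRI box on A1, VoIP servers on A2 and A3, phones on A4-A24.
; Assumed placeholder addresses: PRI box 192.0.2.1, servers 192.0.2.200 and 192.0.2.201.

; --- Option 1: Layer 2 source-port filters (work inside a single subnet, no VLAN change) ---
; A filter is defined per SOURCE port. "A1 sends only to A2/A3" is two lines on A1,
; but "A1 receives only from A2/A3" needs a drop rule on every OTHER port.
filter source-port A1 forward A2-A3
filter source-port A1 drop A4-A24
filter source-port A4 drop A1
filter source-port A5 drop A1
; ... repeat "filter source-port <phone-port> drop A1" for each remaining phone port (A6-A24).
; Nothing is filtered from A2 or A3, so the servers still reach every port, and A1 <-> A2/A3
; stays open in both directions, which the PRI box needs for ARP to the servers.

; --- Option 2: IPv4 ACLs (exact host pairs instead of port pairs) ---
; Inbound on A1: the PRI box may send IP traffic to the two servers only.
ip access-list extended "PRI-BOX-OUT"
   permit ip host 192.0.2.1 host 192.0.2.200
   permit ip host 192.0.2.1 host 192.0.2.201
   deny ip any any
   exit
interface A1
   ip access-group "PRI-BOX-OUT" in
   exit
; Inbound on the VLAN (assumed vlan 100): only the servers may send IP traffic to the
; PRI box; all other traffic in the VLAN is left alone by the final permit.
ip access-list extended "TO-PRI-BOX"
   permit ip host 192.0.2.200 host 192.0.2.1
   permit ip host 192.0.2.201 host 192.0.2.1
   deny ip any host 192.0.2.1
   permit ip any any
   exit
vlan 100
   ip access-group "TO-PRI-BOX" in
   exit
; Caveat: IPv4 ACLs match IP packets only, so ARP and other non-IP frames still reach A1;
; keeping Layer 2 broadcasts away from the PRI box needs a Layer 2 mechanism such as Option 1.
```

Check the result with `show filter` and `show access-list` on the switch, and confirm with a ping from a phone to the PRI box that it now fails while the server to PRI box path still works.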
cenk sasmaztin
Honored Contributor

Re: Acl - Use port or vlan?

VLANs separate only the L2 broadcast domain.
You can use the ip routing command on the switch to run routing between the VLANs.


For example:

vlan 10 ip address 172.16.10.1/24

vlan 10 member PC
ip address 172.16.10.10/24
dg: 172.16.10.1

vlan 20 ip address 172.16.20.1/24
vlan 20 member PC
ip address 172.16.20.10/24
dg: 172.16.20.1

You can do a ping test between the PCs and you will see the ping is OK.
VLANs separate only L2; if you want to connect PCs in different VLANs, enable ip routing on the switch and assign the VLAN interface IP address as the PC's default gateway address.


cenk