HPE Community
Switches, Hubs, and Modems
1822497 Members
2796 Online
109642 Solutions
New Discussion юеВ

Restrict VLAN Routing

 
SOLVED
Go to solution
Stefan Wusowski
Frequent Advisor

тАО07-25-2006 07:44 PM

тАО07-25-2006 07:44 PM

Restrict VLAN Routing

Hello,
my problem is to restrict the VLAN routing. When I add VLANs to a 3400 switch with IP Adresses and IP Routing is on, then all VLAN can connect in to all VLAN!? That right?
But I don't want that. I have a SRV VLAN and more branch VLANs. I want all branch VLANs to SRV VLAN but no branch VLAN to branch VLAN. How can I configure that?

THX
Stefan Wusowski
0 Kudos
4 REPLIES 4
Jonathan Axford
Trusted Contributor

тАО07-25-2006 10:07 PM

тАО07-25-2006 10:07 PM

Re: Restrict VLAN Routing

Have you tried using ACL's to prevent traffic from one IP subnet from getting to another?

I am sure the 3400cl supports this (Quick check on the procurve website confirms this...)

Where there is a will there is a way...
0 Kudos
Mohieddin Kharnoub
Honored Contributor

тАО07-25-2006 10:54 PM

тАО07-25-2006 10:54 PM

Re: Restrict VLAN Routing

Hi

The 3400 is an intellegent switch, so it has Access control lists (ACLs)which can provide IP layer 3 filtering based on source/destination IP address/subnet and source/destination TCP/UDP port number.

If you can provide your IP addresses for your Vlans, and what exactly the restricyions you need , then we can break it out for you with ACLs.

Good Luck !!!
Science for Everyone
0 Kudos
Stefan Wusowski
Frequent Advisor

тАО07-25-2006 11:26 PM

тАО07-25-2006 11:26 PM

Re: Restrict VLAN Routing

Hello,
I know that the 3400 can work with ACL, but I never try it. I hear that's complicated. Here my VLAN config.

IP Netz Name VLAN-ID
172.18.8.0/21 Zen-VLAN-1 1
10.100.100.0/24 Adm-VLAN-100 100 10.100.101.0/24 GMP-VLAN-101 101
10.100.102.0/24 Fin-VLAN-102 102
10.100.103.0/24 GF-VLAN-103 103
10.100.104.0/24 IT-VLAN-104 104
10.100.105.0/24 SRV-VLAN-105 105

Default Gateway xxx.yyy.zzz.1

I add the following IP Addresse to the main Switch
vlan 100 ip address 10.100.100.1/24
vlan 101 ip address 10.100.101.1/24
vlan 102 ip address 10.100.102.1/24
vlan 103 ip address 10.100.103.1/24
vlan 104 ip address 10.100.104.1/24
vlan 105 ip address 10.100.105.1/24
That is also the default Gateway for the VLAN's

VALN 100-104 routed to VLAN 105 and back, but no routing between VLAN 100-104.

Can anyone provide examples ACL for denied the VLAN Routing.

;-)))) Big THX
Stefan Wuswoski

0 Kudos
Mohieddin Kharnoub
Honored Contributor

тАО07-26-2006 12:02 AM

тАО07-26-2006 12:02 AM

Solution

Re: Restrict VLAN Routing

Hi

Your configuration will be:

1- Create a standard access list:
----------------------------------
3400(config)# access-list 1 deny 10.100.100.1/24
3400(config)# access-list 1 deny 10.100.101.1/24
3400(config)# access-list 1 deny 10.100.102.1/24
3400(config)# access-list 1 deny 10.100.103.1/24
3400(config)# access-list 1 deny 10.100.104.1/24
3400(config)# access-list 1 permit any

2- Apply it to vlans 100 to 104:
---------------------------------
3400(config)# vlan 100 ip access-group 1 in
3400(config)# vlan 101 ip access-group 1 in
3400(config)# vlan 102 ip access-group 1 in
3400(config)# vlan 103 ip access-group 1 in
3400(config)# vlan 104 ip access-group 1 in

3- Verify your configuration by Show access-list.

I hope that will be enough to help :)

Don't forget to assign points,

Good Luck !!!
Science for Everyone
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.