HPE Community
Switches, Hubs, and Modems
1751977 Members
4527 Online
108784 Solutions
New Discussion юеВ

vlan to vlan acls

 
SOLVED
Go to solution
fernando sabio
Occasional Contributor

тАО03-24-2007 01:58 PM

тАО03-24-2007 01:58 PM

vlan to vlan acls

so, it seems our trusty 2824 won't do this.

based on the specs, seems the 3400cl will do so:

http://h10010.www1.hp.com/wwpc/uk/en/sm/WF06b/23591-23599-23599-23599-12086666-12086690-18940243.html

but wanted to hear it from a horse's mouth: do you/have you routed between vlans on a 3400cl? (ie: we have several vlans on campus and want to move data from specific nodes in the existing vlans into another vlan (backup to disk servers), but don't want to just open up all ports/full routing)

so an true acl between the vlans is what we need.

thoughts?
0 Kudos
6 REPLIES 6
Mohieddin Kharnoub
Honored Contributor

тАО03-24-2007 03:34 PM

тАО03-24-2007 03:34 PM

Solution

Re: vlan to vlan acls

Hi

To control the traffic on a Routing Switch, Simply you need ACLs on ProCurve Switches.

Of course there are many ways to do that, but the standard way is the ACLs.

On the 2800 you can't do it, but you can on the 3400.

There are other security methods that may help like, Source port filtering, MAC Lockdown ...

The following link has the answers:
ftp://ftp.hp.com/pub/networking/software/6400-5300-4200-3400-Security-Oct2006-59906052-Chap12.pdf

Good Luck !!!
Science for Everyone
razzer
Honored Contributor

тАО03-24-2007 03:35 PM

тАО03-24-2007 03:35 PM

Re: vlan to vlan acls

can you not route a direct data transfer through a switch via mac addresses?
0 Kudos
Mohieddin Kharnoub
Honored Contributor

тАО03-24-2007 03:40 PM

тАО03-24-2007 03:40 PM

Re: vlan to vlan acls

Hi

Razmat ....

What you need is MAC Access-List, which is not available on ProCurve Switches.

You still can use the Source Port Filtering to do that, because controlling the MAC should be through Layer2 not Layer3.

Good luck !!!
Science for Everyone
0 Kudos
OLARU Dan
Trusted Contributor

тАО03-25-2007 07:33 PM

тАО03-25-2007 07:33 PM

Re: vlan to vlan acls

Razmat:

routing is Layer 3 business, whereas MAC addressing is Layer 2 business.

You can stop some MACs showing on some ports of your switch, but you can surely not do routing based on MAC addresses: there is no routing protocol out there that does this.

0 Kudos
Mohieddin Kharnoub
Honored Contributor

тАО03-26-2007 03:34 AM

тАО03-26-2007 03:34 AM

Re: vlan to vlan acls

Hi

My dear OLARU, ACLs controls L2 up to L4 (as we all know).

AND...

So many vendors use MAC ACLs in some complex scenarios and implement it in a Policy Based Routing or even Route Maps which is L3 (business).

So you can find in many cases, OSI layers dancing together in multiple ACLs , and these ACLs are used in a complex Route Maps that combines L2 up to L4 :)

Good Luck !!!
Science for Everyone
0 Kudos
fernando sabio
Occasional Contributor

тАО03-26-2007 03:56 PM

тАО03-26-2007 03:56 PM

Re: vlan to vlan acls

not so fast.

from here: http://www.hp.com/rnd/support/manuals/3400cl.htm, specifically here: ftp://ftp.hp.com/pub/networking/software/6400-5300-4200-3400-AdvTrafficMgmt-Oct2006-59906051.pdf

page 10-4 aka: page: 432


"also, acls, qos, and rate limiting share the same per-port mask resources on these switches. for these reasons, the best places to apply acsl on the 3400cl/6400cl switches are on "edge" ports where acls are likely to be less complex and resource-intensive than in core network applicaions where the per-vlan and inbound/outbound acl filtering offered by the 5300xl switches may be the best acl sol'n."



and on 10-13, page 441,

"Note that ACLs do not screen traffic at
any internal point where traffic moves between VLANs or subnets
within the switch; only on inbound ports and static trunks. Refer to
├в ACL Inbound Application Points├в on page 10-10."

this switch 3400cl if hp or 3560G if cisco is the 'core' of this multi-vlan network, ie: all gigabit to iSCSI disk based backup will go through this switch. we're trying to get specific ports to go from vlan A to vlan B and vlan A to vlan C, and vlan A to vlan D. block B <--> C, etc. and the ports won't always be the same, so a few entries per ACL in both directions, in that some are just disk based backups (hi bandwidth) some may be snmpmonitoring of server resources, too. so not high traffic but dropped UDP packets would be bad for false-positives.

comments?



looks like we want the 5300...
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.