ProCurve 2910al switch - managing traffic between VLANS 1

Status
Not open for further replies.

leonic

Technical User
Jul 22, 2011
3
Hi guys,

I have a Procurve 2910al switch with 3 VLANs:

VLAN 10: 192.168.10.0/24
VLAN 20: 192.168.20.0/24
VLAN 30: 192.168.30.0/24

Is it possible to allow the traffic from VLAN 10 to VLAN 20 & VLAN 30 but block the traffic from VLAN 20 & VLAN 30 to VLAN 10?

Does someone have a working example?

Thank you for your help!
 
Yes, you'll need to implement ACLs (access control lists) to do this. So for example,

Switch(config)# ip access-list extended "Block20-30"
10 deny ip 192.168.20.0/24 192.168.10.0/24
20 deny ip 192.168.30.0/24 192.168.10.0/24
30 permit ip any any

Switch(config)# vlan 10 ip access-group Block20-30 in

So what this is doing is creating an access list called Block20-30, defining sub-rules by number (10, 20, 30, etc.) in case you need to add or delete just a sub-rule, denying IP from a source network of 192.168.20.0/24 to a destination of 192.168.10.0/24 (same for the next line, 20, for a source of 192.168.30.0/24), then the last line is permitting ip any any to allow all other IP traffic; otherwise there's an implicit deny. Last is to apply that access list to a VLAN interface in the direction of traffic (in this case traffic coming in to VLAN 10).

I did this real quick and I don't do ACLs all the time so I might have things backwards, so please test this before implementing into production.

Please read over in the ACL section for additional info.

But this should give you the general idea on what needs to be done. Hope I could help.
 
Hi cajuntank, thank you for your answer.

I have not tested it yet since I'm out of the office, but don't you think that I also have to include the "established" command? For example:

10 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 established
20 permit tcp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 established

In order to give me (in) permission from VLAN 10 but not from VLAN 20, 30 back.

Also, for a strange reason I cannot bind the ACL to the VLAN itself, so I guess I will have to bind the ACL to all the interfaces untagged in this VLAN. For example:

int 1-12
ip access-group "Block20-30" in
exit

What do you think cajuntank? Does that make sense?

Thank you for your help.

Regards
leonic
 
My example denies all of IP, your example denies just tcp and that might be what you're after...I was just giving you a generalization.
When you specify tcp, you also need to specify what port or port range you are denying or allowing. The "established" command is only applicable when defining tcp and you are correct that it is used for controlling TCP connection traffic (see page 9-60 & 9-61 in the pdf link I provided). Don't forget about the implicit deny unless you create an allow statement at the end.

On another note, your example used wildcard masks, but mine used CIDR... they are both a legitimate usage for mask statements.

And sorry, I had the statement
Switch(config)# vlan 10 ip access-group Block20-30 in (which is a RACL), but you need a VACL, which would read:

Switch(config)# vlan 10 ip access-group Block20-30 vlan

Hope I could help.
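
The thread's ACL is evaluated first-match with an implicit deny, and it is stateless, which is where the "established" discussion comes from. The following Python model is an added example (not from the thread, not ProCurve code) that runs cajuntank's Block20-30 list against sample packets, and against a constructed variant that puts "permit tcp ... established" lines for the return path (source VLAN 20/30, destination VLAN 10) ahead of the deny lines; it assumes the list is evaluated on traffic heading toward VLAN 10 and models "established" as "TCP segment with the ACK flag set".

```python
import ipaddress
from dataclasses import dataclass

N = ipaddress.ip_network
ANY = N("0.0.0.0/0")

@dataclass
class Rule:
    seq: int
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol, else "tcp"/"udp"/"icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    established: bool = False       # TCP only: match segments with the ACK flag set

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    ack: bool = False               # True for TCP replies / mid-connection segments

def evaluate(acl, pkt):
    """First matching rule wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in acl:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.established and not pkt.ack:
            continue
        return r.action, r.seq
    return "deny", "implicit"

# cajuntank's ACL as posted: deny 20->10 and 30->10, then permit ip any any
BLOCK20_30 = [
    Rule(10, "deny", "ip", N("192.168.20.0/24"), N("192.168.10.0/24")),
    Rule(20, "deny", "ip", N("192.168.30.0/24"), N("192.168.10.0/24")),
    Rule(30, "permit", "ip", ANY, ANY),
]

# Constructed variant: TCP replies from 20/30 back into 10 are permitted before the denies,
# so sessions opened from VLAN 10 can complete while new connections from 20/30 still fail
WITH_ESTABLISHED = [
    Rule(5, "permit", "tcp", N("192.168.20.0/24"), N("192.168.10.0/24"), established=True),
    Rule(6, "permit", "tcp", N("192.168.30.0/24"), N("192.168.10.0/24"), established=True),
] + BLOCK20_30
```

Running evaluate() on a non-TCP reply (an ICMP echo reply from VLAN 30 to VLAN 10) shows that it is still denied by either list, since "established" only applies to TCP.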

 
Thanks for your reply cajuntank,

Really appreciated!
 