×
INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!
  • Students Click Here

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Students Click Here

Jobs

ProCurve 2910al switch - managing traffic between VLANS

ProCurve 2910al switch - managing traffic between VLANS

ProCurve 2910al switch - managing traffic between VLANS

(OP)
Hi guys,

I have a Procurve 2910al switch with 3 VLANs:

VLAN 10: 192.168.10.0/24
VLAN 20: 192.168.20.0/24
VLAN 30: 192.168.30.0/24

Is it possible to allow the traffic from VLAN 10 to VLAN 20 & VLAN 30 but block the traffic from VLAN 20 & VLAN 30 to VLAN 10 ?

Does someone has an working example?

Thank you for your help!

RE: ProCurve 2910al switch - managing traffic between VLANS

Yes, you'll need to implement ACLs (access control lists) to do this. So for example,

Switch(config)# ip access-list extended "Block20-30"
 10 deny ip 192.168.20.0/24 192.168.10.0/24
 20 deny ip 192.168.30.0/24 192.168.10.0/24
 30 permit ip any any

Switch(config)# vlan 10 ip access-group Block20-30 in

So what this is doing is creating a access list called Block20-30,
defining sub rules by number (10, 20, 30, etc...) in case you need to add or delete just a sub-rule, denying ip from source network of 192.168.20.0/24 to desination of 192.168.10.0/24 (same for next line 20 for source of 192.168.30.0/24), then last line if permitting ip any any to allow all other IP traffic otherwise it's an implicit deny, last is to apply that access list to a VLAN interface in the direction of traffic (in this case traffic coming in to VLAN 10)

I did this real quick and I don't do ACLs all the time so I might have things backwards, so please test this before implementing into production.

Please read over http://cdn.procurve.com/training/Manuals/2910-ASG-Feb09-W_14_03.pdf in the ACL section for additional info.

But this should give you the general idea on what needs to be done. Hope I could help.

RE: ProCurve 2910al switch - managing traffic between VLANS

(OP)
Hi cajuntank,thank you for your answer.

I have not test it yet since I'm out of office, but don't you think that I have to also include he "established" command? For example:

10 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 established
20 permit tcp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 established

In order to give me (in) permission from VLAN 10 but not from VLAN 20, 30 back.

Also, for a strange reason I cannot bind the ACL to the VLAN itself, so I guess I will have to bind the ACL to all the interfaces untagged in this VLAN. For example:

int 1-12
ip access-group "Block20-30" in
exit

What do you think cajuntank? Is that makes sense?

Thank you for your help.

Regards
leonic

RE: ProCurve 2910al switch - managing traffic between VLANS

My example denies all of IP, your example denies just tcp and that might be what you're after...I was just giving you a generalization.
When you specify tcp, you also need to specify what port or port range you are denying or allowing. The "established" command is only applicable when defining tcp and you are correct that it is used for controlling TCP connection traffic (see page 9-60 & 9-61 in the pdf link I provided). Don't forget about the implicit deny unless you create an allow statement at the end.

On another note, your example used wildcard masks, but mine used CIDR... they are both a legitimate usage for mask statements.

And sorry, had the statement
Switch(config)# vlan 10 ip access-group Block20-30 in (which is a RACL) and you needed a VACL which would read

Switch(config)# vlan 10 ip access-group Block20-30 vlan

Hope I could help.

 

RE: ProCurve 2910al switch - managing traffic between VLANS

(OP)
Thanks for your reply cajuntank,

Really appreciated!

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members! Already a Member? Login

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close