Wired Intelligent Edge


ACL for communication between VLANs

  • 1.  ACL for communication between VLANs

    Posted May 25, 2020 05:45 PM

    Hello

    I have an Aruba 2930F switch where I have created 3 VLANs.

    I want VLAN 2 and VLAN 3 to have full inbound and outbound communication with these VLAN 1 addresses (192.168.1.71 and 192.168.1.79).


    #2930F
    #Aruba
    #ACL


  • 2.  RE: ACL for communication between VLANs

    EMPLOYEE
    Posted May 26, 2020 03:00 AM

    Hello!

    VLAN 3 hosts should have access only to 192.168.1.71-79 addresses in VLAN 1. What about the rest of communication? I suppose their access to the rest of VLAN 1 and 2 addressing space should be blocked, but what about their Internet connection? 

    Please also share the subnets you use for VLAN 2 and 3, so we can help you create proper ACLs.

     



  • 3.  RE: ACL for communication between VLANs

    Posted May 26, 2020 03:44 PM

    VLAN 1 => 192.168.1.0/24

    VLAN 2 => 192.168.3.0/24

    VLAN 3 => 192.168.100.0/24

    I don't want the other IPs of VLAN 1 to have communication with VLAN 2 and 3.

     



  • 4.  RE: ACL for communication between VLANs

    EMPLOYEE
    Posted May 27, 2020 03:54 AM

    You can apply two approaches: filter traffic either coming from VLAN 1 or from VLANs 2 and 3. I find the first option easier, as you will only need to apply a VACL on VLAN 1.

    ip access-list extended "VLAN1-FILTER"
     10 permit ip 192.168.1.71 0.0.0.0 192.168.3.0 0.0.0.255
     20 permit ip 192.168.1.71 0.0.0.0 192.168.100.0 0.0.0.255
     30 permit ip 192.168.1.72 0.0.0.7 192.168.3.0 0.0.0.255
     40 permit ip 192.168.1.72 0.0.0.7 192.168.100.0 0.0.0.255
     50 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
     60 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255

    Then apply this ACL as VACL on VLAN1:

    vlan 1 ip access-group VLAN1-FILTER vlan


    But since you didn't answer my question regarding the rest of the communication, keep in mind that this ACL will allow the 192.168.1.71-79 range to talk only to VLAN 2 and VLAN 3. All other communication will be blocked. If you need to implement the following scheme:
    - Allow 192.168.1.71-79 to talk to VLAN 2 and 3
    - Block the rest of the VLAN 1 addresses from communicating with VLAN 2 and 3
    - Allow other communication

    then you need to add a permitting ACE at the end of your ACL to overcome the implicit deny, so the ACL will look like this:

    ip access-list extended "VLAN1-FILTER"
     10 permit ip 192.168.1.71 0.0.0.0 192.168.3.0 0.0.0.255
     20 permit ip 192.168.1.71 0.0.0.0 192.168.100.0 0.0.0.255
     30 permit ip 192.168.1.72 0.0.0.7 192.168.3.0 0.0.0.255
     40 permit ip 192.168.1.72 0.0.0.7 192.168.100.0 0.0.0.255
     50 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
     60 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
     100 permit ip any any

    Hope this helps!
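As an added example (not from this thread or from HPE Aruba), the Python script below applies the switch's first-match, implicit-deny logic to a constructed copy of the VLAN1-FILTER ACL, so the permitted and blocked flows can be verified before the VACL is applied; the wildcard_range helper shows which addresses a base/wildcard pair really covers, which is the usual source of surprises with masks such as 0.0.0.15.

```python
import ipaddress

# Constructed copy of the ACL discussed above (VLAN 3 = 192.168.100.0/24).
ACL_TEXT = """
10 permit ip 192.168.1.71 0.0.0.0 192.168.3.0 0.0.0.255
20 permit ip 192.168.1.71 0.0.0.0 192.168.100.0 0.0.0.255
30 permit ip 192.168.1.72 0.0.0.7 192.168.3.0 0.0.0.255
40 permit ip 192.168.1.72 0.0.0.7 192.168.100.0 0.0.0.255
50 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
60 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
100 permit ip any any
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """A 1 bit in the wildcard means 'don't care'; the other bits must match."""
    w = _ip(wildcard)
    return (_ip(addr) & ~w) == (_ip(base) & ~w)

def wildcard_range(base, wildcard):
    """Lowest and highest address a base/wildcard pair covers (base is aligned down)."""
    w = _ip(wildcard)
    lo = _ip(base) & ~w
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(lo | w))

def parse_acl(text):
    """Parse '<seq> permit|deny ip <src> <wc> <dst> <wc>' lines; 'any' has no wildcard."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        seq, action, rest = int(tok[0]), tok[1], tok[3:]   # tok[2] is the protocol
        fields = []
        for _ in range(2):                                   # source, then destination
            if rest[0] == "any":
                fields += ["0.0.0.0", "255.255.255.255"]; rest = rest[1:]
            else:
                fields += rest[:2]; rest = rest[2:]
        aces.append((seq, action, *fields))
    return aces

def evaluate(aces, src, dst):
    """First matching ACE wins; no match falls through to the implicit deny."""
    for seq, action, s, swc, d, dwc in aces:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action, seq
    return "deny", None

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for src, dst in [("192.168.1.75", "192.168.100.10"), ("192.168.1.70", "192.168.3.10"),
                     ("192.168.1.70", "203.0.113.5")]:   # 203.0.113.5: constructed Internet host
        print(src, "->", dst, evaluate(acl, src, dst))
    print("192.168.1.72 0.0.0.15 covers", wildcard_range("192.168.1.72", "0.0.0.15"))
```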