Hi Eric
It seems that you don't get the wildcard concept :
if your subnet 1 is masked 255.255.255.0, the the corresponding wildcard is 0.0.0.255
Be sure you set packet-filter filter route
in interface vlan75
You can also globally modify the packet-filter default deny
that is : when no rule matches, then deny.
This way you know (and see in your config) that if it is not explicitly allowed, then it's denied
It may be interesting to add the counting
parameter to your rules, to see which one matched, and how many times.
------------------------------
Frederic
------------------------------
Original Message:
Sent: Jan 30, 2024 02:48 PM
From: Eric Hutchinson_2
Subject: IOT vlan design ideas
So I did some digging around and I am thinking this might be the way to solve this.
So for my test I am trying to stop IP from subnet 1 getting to subnets 2 and 3.
I also need subnet 1 to get to my firewall which happens to live on subnet 2.
acl number 3000 "IOT VLAN restrictions"
rule 0 deny ip source subnet1 0.255.255.255 destination subnet2 0.255.255.255
rule 2 deny ip source subnet1 0.255.255.255 destination subnet3 0.255.255.255
rule 3 permit ip source subnet1 0.255.255.255 destination firewall IP 0.0.0.0
rule 4 permit ip (?)
interface Vlan-interface75
ip-address subnet1 255.255.255.0
packet-filter 3000 outbound
If anyone could point out any mistakes I would appreciate it.
Thanks
Original Message:
Sent: Jan 30, 2024 11:18 AM
From: Eric Hutchinson_2
Subject: IOT vlan design ideas
parnassus,
I have had "zero" luck in finding any layer 2 acl examples to work with. Can you point me to some relevant examples?
Thanks
Original Message:
Sent: Feb 08, 2023 03:46 PM
From: Eric Hutchinson_2
Subject: IOT vlan design ideas
Thanks parnassus I will give this a try.
Original Message:
Sent: Feb 08, 2023 01:32 PM
From: parnassus
Subject: IOT vlan design ideas
Hi! ACL is the answer, ACL protecting your VLAN dedicated to IoT devices, ACL to protect all others VLANs, ACL if your HPE 5900AF is the router for its directly connected VLANs (I suppose it is because you specified that (a) it has more VLANs and (b) the ROLR points to your Firewall which is your NHG to all other non directly connected networks).
Original Message:
Sent: Feb 08, 2023 12:26 PM
From: Eric Hutchinson_2
Subject: IOT vlan design ideas
I have defined a vlan on my 5900AF that I intend to use as a place for internet of things hosts. I gave the vlan a gateway ip address. From here the vlan is propogated throughout my network which are all Arubas past the 5900 AF. My wish list is
- Nothing inside the IOT vlan should be able talk to the rest of my VLANs defined on the HP 5900AF
- However certain IP addreses on the other VLANs should be able to access the IOT VLAN
- The ROLR on the HP 5900 is my firewall. Hopefullly the hosts in the IOT VLAN will still be able to access the internet but I am starting to think this might not be necessary.
Just looking for some design ideas to get me started.
Much appreciated