Requirement:
In this scenario, a switch and two clients are considered.
Topology: Switch VLANs : 90, 93, 94, 95
Solution:
By default, IP routing is disabled on HPE ProVision (PVOS) and ProCurve switches, and the IP routing option must be enabled before inter-VLAN communication works. Where the customer wants inter-VLAN communication denied only for specific VLANs, IP routing cannot simply be disabled, because that would stop all inter-VLAN communication. Instead, ACLs that deny the inter-VLAN traffic must be written and applied to the affected VLANs.
Configuration:
Scenario: All clients connecting to the switch should be able to reach VLAN 95, which is the VLAN holding the default gateway of the switch, and should not be able to communicate with the other VLANs.
1. For each VLAN, create an ACL that denies the subnets of the VLANs to which inter-VLAN communication must be blocked.
ip access-list extended "IsolateVLAN90"
10 deny ip 0.0.0.0 255.255.255.255 192.168.93.1 0.0.0.0
20 deny ip 0.0.0.0 255.255.255.255 192.168.94.1 0.0.0.0
30 deny ip 0.0.0.0 255.255.255.255 192.168.93.0 0.0.0.255
40 deny ip 0.0.0.0 255.255.255.255 192.168.94.0 0.0.0.255
50 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
ip access-list extended "IsolateVLAN93"
10 deny ip 0.0.0.0 255.255.255.255 192.168.90.0 0.0.0.255
20 deny ip 0.0.0.0 255.255.255.255 192.168.94.0 0.0.0.255
30 deny ip 0.0.0.0 255.255.255.255 192.168.90.1 0.0.0.0
40 deny ip 0.0.0.0 255.255.255.255 192.168.94.1 0.0.0.0
50 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
ip access-list extended "IsolateVLAN94"
10 deny ip 0.0.0.0 255.255.255.255 192.168.90.0 0.0.0.255
20 deny ip 0.0.0.0 255.255.255.255 192.168.93.0 0.0.0.255
30 deny ip 0.0.0.0 255.255.255.255 192.168.90.1 0.0.0.0
40 deny ip 0.0.0.0 255.255.255.255 192.168.93.1 0.0.0.0
50 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
2. Map each ACL to its VLAN for both incoming (vlan-in) and outgoing (vlan-out) traffic.
vlan 90
name "VLAN90"
untagged 1
ip access-group "IsolateVLAN90" vlan-in
ip access-group "IsolateVLAN90" vlan-out
ip address 192.168.90.1 255.255.255.0
exit
vlan 93
name "VLAN93"
untagged 2
ip access-group "IsolateVLAN93" vlan-in
ip access-group "IsolateVLAN93" vlan-out
ip address 192.168.93.1 255.255.255.0
exit
vlan 94
name "VLAN94"
ip access-group "IsolateVLAN94" vlan-in
ip access-group "IsolateVLAN94" vlan-out
ip address 192.168.94.1 255.255.255.0
exit
vlan 95
name "VLAN95"
ip address 192.168.100.15 255.255.255.0
exit
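The following Python model is an added example, not part of the original article or of HPE's software. It parses the three ACLs above using ProCurve extended-ACL syntax, wildcard-mask matching and first-match semantics (including the implicit "deny any" at the end of every ProVision ACL), and applies them at two checkpoints, the vlan-in ACL of the VLAN a packet arrives on and the vlan-out ACL of the VLAN it is routed into, so that the flows used in the tests further down can be checked before the configuration is pushed to a switch. The VLAN subnets and ACL bindings are copied from the configuration; the two-checkpoint model and all function names are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed copies of the three ACLs from the configuration above, in the
# ProCurve extended-ACL syntax: <seq> <action> ip <src> <src-wildcard> <dst> <dst-wildcard>
ACL_TEXT = {
    "IsolateVLAN90": """
        10 deny ip 0.0.0.0 255.255.255.255 192.168.93.1 0.0.0.0
        20 deny ip 0.0.0.0 255.255.255.255 192.168.94.1 0.0.0.0
        30 deny ip 0.0.0.0 255.255.255.255 192.168.93.0 0.0.0.255
        40 deny ip 0.0.0.0 255.255.255.255 192.168.94.0 0.0.0.255
        50 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    """,
    "IsolateVLAN93": """
        10 deny ip 0.0.0.0 255.255.255.255 192.168.90.0 0.0.0.255
        20 deny ip 0.0.0.0 255.255.255.255 192.168.94.0 0.0.0.255
        30 deny ip 0.0.0.0 255.255.255.255 192.168.90.1 0.0.0.0
        40 deny ip 0.0.0.0 255.255.255.255 192.168.94.1 0.0.0.0
        50 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    """,
    "IsolateVLAN94": """
        10 deny ip 0.0.0.0 255.255.255.255 192.168.90.0 0.0.0.255
        20 deny ip 0.0.0.0 255.255.255.255 192.168.93.0 0.0.0.255
        30 deny ip 0.0.0.0 255.255.255.255 192.168.90.1 0.0.0.0
        40 deny ip 0.0.0.0 255.255.255.255 192.168.93.1 0.0.0.0
        50 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    """,
}

# VLAN subnets and the ACL bound (vlan-in and vlan-out) to each, as in the config above.
VLANS = {
    90: ("192.168.90.0/24", "IsolateVLAN90"),
    93: ("192.168.93.0/24", "IsolateVLAN93"),
    94: ("192.168.94.0/24", "IsolateVLAN94"),
    95: ("192.168.100.0/24", None),  # VLAN 95 carries no ACL
}


def ip_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str
    src: int
    src_wild: int
    dst: int
    dst_wild: int

    def matches(self, src_ip: int, dst_ip: int) -> bool:
        # Wildcard-mask semantics: a 1 bit means "don't care", so only the bits
        # where the wildcard is 0 must agree with the rule's address.
        src_care = ~self.src_wild & 0xFFFFFFFF
        dst_care = ~self.dst_wild & 0xFFFFFFFF
        return ((src_ip ^ self.src) & src_care) == 0 and ((dst_ip ^ self.dst) & dst_care) == 0


def parse_acl(text: str) -> list:
    """Parse one ACL body into Rule objects ordered by sequence number."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[1] not in ("permit", "deny") or parts[2] != "ip":
            raise ValueError(f"unsupported ACE: {line.strip()!r}")
        seq, action, _, src, src_w, dst, dst_w = parts
        rules.append(Rule(int(seq), action, ip_int(src), ip_int(src_w), ip_int(dst), ip_int(dst_w)))
    return sorted(rules, key=lambda r: r.seq)


ACLS = {name: parse_acl(text) for name, text in ACL_TEXT.items()}


def evaluate(rules: list, src: str, dst: str) -> tuple:
    """First matching ACE wins; no match falls to the implicit 'deny any' of ProVision ACLs."""
    s, d = ip_int(src), ip_int(dst)
    for rule in rules:
        if rule.matches(s, d):
            return rule.action, rule.seq
    return "deny", None


def vlan_of(ip: str) -> int:
    addr = ipaddress.IPv4Address(ip)
    for vid, (subnet, _) in VLANS.items():
        if addr in ipaddress.IPv4Network(subnet):
            return vid
    raise ValueError(f"{ip} is not in any configured VLAN subnet")


def routed_verdict(src: str, dst: str) -> tuple:
    """Assumed model of the switch: check the vlan-in ACL of the source VLAN, then the
    vlan-out ACL of the destination VLAN. Returns ("permit", None) or
    ("deny", (acl_name, seq, vlan, direction))."""
    checkpoints = ((vlan_of(src), "vlan-in"), (vlan_of(dst), "vlan-out"))
    for vid, direction in checkpoints:
        acl_name = VLANS[vid][1]
        if acl_name is None:
            continue
        action, seq = evaluate(ACLS[acl_name], src, dst)
        if action == "deny":
            return "deny", (acl_name, seq, vid, direction)
    return "permit", None


if __name__ == "__main__":
    # The flows exercised in Tests 1-3 below (PC02 in VLAN 90; PC03 in VLAN 93, then VLAN 95)
    for src, dst in [("192.168.93.30", "192.168.90.40"), ("192.168.100.60", "192.168.90.40"),
                     ("192.168.90.40", "192.168.93.1"), ("192.168.90.40", "192.168.90.1"),
                     ("192.168.90.40", "192.168.100.15")]:
        print(f"{src:>15} -> {dst:<15} {routed_verdict(src, dst)}")
```

Running it shows why the design works: the VLAN 93 to VLAN 90 flow and the VLAN 90 client's ping to 192.168.93.1 are both dropped at sequence 10 of the vlan-in ACL on the source VLAN, while traffic to and from VLAN 95, which has no ACL, falls through to the permit at sequence 50. In this model the vlan-out bindings never produce a deny, because anything routed out into VLAN 90 has a 192.168.90.x destination that the IsolateVLAN90 entries do not cover; the isolation comes from the vlan-in binding on the other VLAN. Evaluating an ACL with its sequence 50 removed also shows that without that explicit permit every remaining flow, VLAN 95 included, would hit the implicit deny.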
Verification:
Aruba-2540-48G-PoEP-4SFPP# show ip route
IP Route Entries
Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
------------------ --------------- ---- --------- ---------- ---------- -----
127.0.0.0/8        reject               static               0          0
127.0.0.1/32       lo0                  connected            1          0
192.168.90.0/24    VLAN90          90   connected            1          0
192.168.93.0/24    VLAN93          93   connected            1          0
192.168.94.0/24    VLAN94          94   connected            1          0
192.168.100.0/24   VLAN95          95   connected            1          0
IP routing is enabled on the switch:
ip default-gateway 192.168.100.1
ip routing
Test 1:
IP address assigned to PC02 --> 192.168.90.40 (VLAN 90)
IP address assigned to PC03 --> 192.168.93.30 (VLAN 93)
No ACL applied to any VLAN
Test 2:
IP address assigned to PC02 --> 192.168.90.40 (VLAN 90)
IP address assigned to PC03 --> 192.168.93.30 (VLAN 93)
ACLs to deny inter VLAN routing applied to the VLAN 90,93
Test 3:
IP address assigned to PC02 --> 192.168.90.40 (VLAN 90)
IP address assigned to PC03 --> 192.168.100.60 (VLAN 95)
ACLs to deny inter VLAN routing applied to the VLAN 90, 93
Outputs:
- From the switch itself, we were able to ping the VLAN 90 interface using the other VLAN interfaces as the ping source
Aruba-2540-48G-PoEP-4SFPP# ping 192.168.90.1
192.168.90.1 is alive, time = 1 ms
Aruba-2540-48G-PoEP-4SFPP# ping 192.168.90.1 source 93
192.168.90.1 is alive, time = 1 ms
Aruba-2540-48G-PoEP-4SFPP# ping 192.168.90.1 source 94
192.168.90.1 is alive, time = 1 ms
- Connected the clients to VLAN 90 and VLAN 93
- Tested ping to the switch interface of every VLAN from the client connected in VLAN 90
- Ping was successful only to the VLAN 90 interface; pings to the other VLAN interfaces failed
C:\Users\ERT>ping 192.168.90.1
Pinging 192.168.90.1 with 32 bytes of data:
Reply from 192.168.90.1: bytes=32 time<1ms TTL=255
Reply from 192.168.90.1: bytes=32 time<1ms TTL=255
Reply from 192.168.90.1: bytes=32 time<1ms TTL=255
Reply from 192.168.90.1: bytes=32 time<1ms TTL=255
Ping statistics for 192.168.90.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Users\ERT>ping 192.168.93.1
Pinging 192.168.93.1 with 32 bytes of data:
Reply from 192.168.100.15: Destination net unreachable.
C:\Users\ERT>ping 192.168.94.1
Pinging 192.168.94.1 with 32 bytes of data:
Reply from 192.168.100.15: Destination net unreachable.
- Pinged from the client connected in VLAN 93 to the client connected in VLAN 90 (Test 1, before the ACLs were applied)
- Ping was successful
C:\Users\ERT>ping 192.168.90.40
Pinging 192.168.90.40 with 32 bytes of data:
Reply from 192.168.90.40: bytes=32 time=1ms TTL=127
Reply from 192.168.90.40: bytes=32 time<1ms TTL=127
Reply from 192.168.90.40: bytes=32 time<1ms TTL=127
- Applied the ACLs to VLAN 90 and VLAN 93 to restrict inter-VLAN traffic (Test 2)
- Initiated the ping from the client in VLAN 93 to the client in VLAN 90
- Ping was blocked
C:\Users\ERT>ping 192.168.90.40
Pinging 192.168.90.40 with 32 bytes of data:
Request timed out.
Request timed out.
Ping statistics for 192.168.90.40:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
Control-C
- Changed the PC03 IP address to VLAN 95 (Test 3)
- Initiated the ping from the client in VLAN 95 to the client in VLAN 90
- Ping was successful
C:\Users\ERT>ping 192.168.90.40
Pinging 192.168.90.40 with 32 bytes of data:
Reply from 192.168.90.40: bytes=32 time=1ms TTL=127
Reply from 192.168.90.40: bytes=32 time<1ms TTL=127