Wired Intelligent Edge

routing between vlan

  • 1.  routing between vlan

    Posted Mar 17, 2016 08:12 PM

    Hi all,

    I use an Aruba MAS S1500 for switching in my network. I created two VLANs, one for management and the second for clients, and I enabled ip nat inside on each VLAN interface so I can reach the internet through DSL without any problem.

    Now I need to disable inter-VLAN routing because clients can reach hosts on the management VLAN.

    Please, I need the necessary command lines to make that happen. Should I create an access list, or do NAT for a specific destination?

    Looking forward to hearing back from you guys.



  • 2.  RE: routing between vlan

    EMPLOYEE
    Posted Mar 18, 2016 04:24 AM

    You can use access-lists for that. Just tested the following configuration, where vlan 900 is my 'management' VLAN (192.168.90.1), and the office VLANs are 10.0.0.0/8 and 192.168.32.0/24:

    ip access-list stateless isolate-management
      network 10.20.0.0 255.255.0.0 any any  deny
      network 192.168.32.0 255.255.255.0 any any  deny
      any any any  permit
    (ArubaS1500-12P) #interface vlan 900
    (ArubaS1500-12P) (vlan "900") #ip access-group out isolate-management
    (ArubaS1500-12P) (config) #show running-config
    ....
    interface vlan "900"
    ip access-group out "isolate-management"
    ip address 192.168.90.1 255.255.255.0
    !
    ....

    When pinging from 192.168.32.20 (Office) to 192.168.90.100 (management net), the ping stops when I enter the ip access-group out command, and starts again when I remove it with: no ip access-group out

    Does this answer your requirements?



  • 3.  RE: routing between vlan

    Posted Mar 18, 2016 11:59 AM

    Hi hrobers, thanks for your reply.
    I did the same manipulation as you, but I am still able to ping management hosts. Here are the network details:

    -------- show run ---------
    ....
    interface vlan "100"
    ip nat inside
    description "MGMT-GW"
    ip address 172.16.100.1 255.255.255.0
    !
    interface vlan "200"
    ip nat inside
    description "CLIENT-GW"
    ip address 172.16.200.1 255.255.255.0

    -------- ACL config ---------
    (ARUBA) (config) # ip access-list stateless ACL1
    (ARUBA) (config-stateless-ACL1)#network 172.16.200.0 255.255.255.0 any any deny
    (ARUBA) (config-stateless-ACL1)#any any any permit
    (ARUBA) (config) #interface vlan 100
    (ARUBA) (vlan "100") #ip access-group out ACL1

    ------------show run ------
    ....
    interface vlan "100"
    ip nat inside
    ip access-group out ACL1
    description "MGMT-GW"
    ip address 172.16.100.1 255.255.255.0

    Even with this config I am still able to ping from VLAN 200 to VLAN 100.



  • 4.  RE: routing between vlan
    Best Answer

    EMPLOYEE
    Posted Mar 18, 2016 03:51 PM

    I think that the ip nat inside is causing the problem.

    If possible, maybe you can set the ACL inbound on the client interface. I have no experience with the MAS switches. From a router/switch point of view I would place the ACL on vlan 200 inbound instead of outbound on vlan 100.

    Like this:

    (config) #ip access-list stateless ACL2
    (config-stateless-ACL2)#network 172.16.200.0 255.255.255.0 172.16.100.0 255.255.255.0 any deny
    (config-stateless-ACL2)#any any any permit
    (config) #interface vlan 200
    (vlan "200") #ip access-group in ACL2
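As an added illustration (not code from this thread, nor Aruba's), the following Python script models how the stateless ACL lines quoted in replies 2, 3 and 4 are evaluated: rules are read top to bottom, first match wins, `network A.B.C.D M.M.M.M` is a source or destination prefix, `any` matches everything, and a packet that matches no rule is dropped (an implicit deny-all is assumed here). It parses the thread's own ACL1 and ACL2 text and shows that ACL2, applied inbound on the client VLAN, drops only client-to-management traffic and still lets clients out to the internet, whereas ACL1 denies everything sourced from the client subnet wherever it matches. The hosts 172.16.200.50, 172.16.100.10 and the "internet" address 203.0.113.9 are constructed sample values.

```python
"""Stateless ACL evaluator for the rule syntax quoted in the thread.

Assumed rule shape (added example, not Aruba code):
    <source> <destination> <service> <permit|deny>
where <source> / <destination> is 'any', 'host A.B.C.D' or
'network A.B.C.D M.M.M.M'.  Reply 4 writes the destination prefix without
the 'network' keyword, so a bare 'A.B.C.D M.M.M.M' pair is accepted too.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# ACL text exactly as posted in replies 3 and 4 (prompts stripped).
ACL1_TEXT = """
network 172.16.200.0 255.255.255.0 any any deny
any any any permit
"""
ACL2_TEXT = """
network 172.16.200.0 255.255.255.0 172.16.100.0 255.255.255.0 any deny
any any any permit
"""


@dataclass
class Rule:
    src: Optional[ipaddress.IPv4Network]   # None means 'any'
    dst: Optional[ipaddress.IPv4Network]   # None means 'any'
    service: str                           # 'any' or a service name
    action: str                            # 'permit' or 'deny'


def _take_endpoint(tokens: List[str], i: int):
    """Parse one endpoint starting at tokens[i]; return (network or None, next index)."""
    kw = tokens[i]
    if kw == "any":
        return None, i + 1
    if kw == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    if kw == "network":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/{tokens[i + 2]}", strict=False), i + 3
    if kw[0].isdigit():  # bare 'A.B.C.D M.M.M.M' as written in reply 4
        return ipaddress.IPv4Network(f"{kw}/{tokens[i + 1]}", strict=False), i + 2
    raise ValueError(f"unknown endpoint keyword {kw!r}")


def parse_acl(text: str) -> List[Rule]:
    """Turn ACL rule lines into an ordered list of Rule objects."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        src, i = _take_endpoint(tokens, 0)
        dst, i = _take_endpoint(tokens, i)
        service, action = tokens[i], tokens[i + 1]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action {action!r} in rule: {line.strip()}")
        rules.append(Rule(src, dst, service, action))
    return rules


def _in(net: Optional[ipaddress.IPv4Network], ip: ipaddress.IPv4Address) -> bool:
    return net is None or ip in net


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, service: str = "any") -> str:
    """Return the action of the first matching rule; implicit deny if none matches."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for r in rules:
        if _in(r.src, s) and _in(r.dst, d) and r.service in ("any", service):
            return r.action
    return "deny"  # assumed implicit deny-all at the end of every ACL


ACL1 = parse_acl(ACL1_TEXT)
ACL2 = parse_acl(ACL2_TEXT)


def demo() -> dict:
    """Evaluate the thread's sample flows against both ACLs."""
    client, mgmt, internet = "172.16.200.50", "172.16.100.10", "203.0.113.9"
    return {
        "acl2 client->mgmt": evaluate(ACL2, client, mgmt),
        "acl2 client->internet": evaluate(ACL2, client, internet),
        "acl2 mgmt->client": evaluate(ACL2, mgmt, client),
        "acl1 client->mgmt": evaluate(ACL1, client, mgmt),
        "acl1 client->internet": evaluate(ACL1, client, internet),
    }


if __name__ == "__main__":
    for flow, action in demo().items():
        print(f"{flow:24s} {action}")
```

Placing ACL2 inbound on VLAN 200 means the rule sees the packet with its original client source address, before any NAT on the egress side; the evaluator above does not model NAT, it only shows which rule each flow would hit.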

     



  • 5.  RE: routing between vlan

    Posted Mar 18, 2016 05:15 PM

    Hi mrzero, you're right, this works perfectly fine; it's really simple, like the Cisco ACL concept.

    And I agree! ip nat inside may not let hrobers' solution work, so applying the ACL inbound on the source VLAN interface works for sure.