Comware


IOT vlan design ideas

  • 1.  IOT vlan design ideas

    Posted Feb 08, 2023 12:27 PM
    I have defined a VLAN on my 5900AF that I intend to use as a place for internet of things hosts. I gave the VLAN a gateway IP address. From here the VLAN is propagated throughout my network, which is all Arubas past the 5900AF. My wish list is

    - Nothing inside the IOT VLAN should be able to talk to the rest of my VLANs defined on the HP 5900AF
    - However, certain IP addresses on the other VLANs should be able to access the IOT VLAN
    - The ROLR on the HP 5900 is my firewall. Hopefully the hosts in the IOT VLAN will still be able to access the internet, but I am starting to think this might not be necessary.

    Just looking for some design ideas to get me started.

    Much appreciated


  • 2.  RE: IOT vlan design ideas

    MVP GURU
    Posted Feb 08, 2023 01:32 PM
    Hi! ACL is the answer: an ACL protecting your VLAN dedicated to IoT devices, ACLs to protect all other VLANs, ACLs if your HPE 5900AF is the router for its directly connected VLANs (I suppose it is, because you specified that (a) it has more VLANs and (b) the ROLR points to your firewall, which is your NHG to all other non directly connected networks).


  • 3.  RE: IOT vlan design ideas

    Posted Feb 08, 2023 03:46 PM
    Thanks parnassus I will give this a try.


  • 4.  RE: IOT vlan design ideas

    Posted Jan 30, 2024 11:18 AM

    parnassus,

    I have had "zero" luck in finding any layer 2 acl examples to work with. Can you point me to some relevant examples?

    Thanks




  • 5.  RE: IOT vlan design ideas

    Posted Jan 30, 2024 02:49 PM
    So I did some digging around and I am thinking this might be the way to solve this.
    So for my test I am trying to stop IP from subnet 1 from getting to subnets 2 and 3.
    I also need subnet 1 to get to my firewall, which happens to live on subnet 2.
    acl number 3000 "IOT VLAN restrictions"
    rule 0 deny ip source subnet1 0.255.255.255 destination subnet2 0.255.255.255
    rule 2 deny ip source subnet1 0.255.255.255 destination subnet3 0.255.255.255
    rule 3 permit ip source subnet1 0.255.255.255 destination firewall IP 0.0.0.0
    rule 4 permit ip (?)
    interface Vlan-interface75
    ip-address subnet1 255.255.255.0
    packet-filter 3000 outbound
    If anyone could point out any mistakes I would appreciate it.
    Thanks 



  • 6.  RE: IOT vlan design ideas

    Posted Feb 16, 2024 05:35 AM

    Hi Eric

    It seems that you don't get the wildcard concept:

    if your subnet 1 is masked 255.255.255.0, then the corresponding wildcard is 0.0.0.255

    Be sure you set packet-filter filter route in interface vlan75

    You can also globally modify the packet-filter default to deny,

    that is: when no rule matches, then deny.

    This way you know (and see in your config) that if it is not explicitly allowed, then it's denied

    It may be interesting to add the counting parameter to your rules, to see which one matched, and how many times.

    ------------------------------
    Frederic
    ------------------------------
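As an added worked example for posts 5 and 6 (this is not code from any participant in the thread, nor HPE tooling), the following Python model derives Comware wildcards from prefix lengths, evaluates an ordered ACL with Comware's default `config` match order (ascending rule ID, first match wins) and a default deny, and renders the resulting configuration fragment. The subnets, firewall address and admin host address are constructed placeholders; the ACL numbers, interface and rule syntax follow the thread. Two design choices in the model go beyond the posts: the filter for IoT-sourced traffic is applied inbound on Vlan-interface75 (that is the direction in which packets from the IoT subnet enter the router), and a second ACL applied outbound on the same interface implements the "certain IPs may reach the IoT VLAN" requirement. Because packet-filter ACLs are stateless, replies from IoT hosts to the admin host and from the firewall to IoT hosts are permitted explicitly.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder addressing (assumptions, not taken from the thread):
IOT_NET     = "10.75.0.0/24"   # subnet 1, Vlan-interface75
SERVER_NET  = "10.20.0.0/24"   # subnet 2, where the firewall lives
USER_NET    = "10.30.0.0/24"   # subnet 3
FIREWALL_IP = "10.20.0.1/32"
ADMIN_IP    = "10.30.0.50/32"  # one host on subnet 3 allowed into the IoT VLAN
ANY         = "0.0.0.0/0"


def wildcard(cidr: str) -> str:
    """Address + wildcard as Comware expects. The wildcard is the inverted
    netmask: /24 -> 0.0.0.255, /32 -> 0.0.0.0 (one host), /0 -> 255.255.255.255."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{net.network_address} {net.hostmask}"


@dataclass
class Rule:
    rule_id: int
    action: str   # "permit" or "deny"
    src: str      # CIDR
    dst: str      # CIDR

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src, strict=False)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst, strict=False))

    def render(self) -> str:
        # 'counting' so 'display acl <n>' shows which rule matched and how often
        return (f" rule {self.rule_id} {self.action} ip source {wildcard(self.src)}"
                f" destination {wildcard(self.dst)} counting")


def evaluate(rules, src_ip: str, dst_ip: str, default: str = "deny") -> str:
    """Default Comware match order is 'config': rules are tried in ascending
    rule-ID order and the first match wins. 'packet-filter default deny'
    supplies the final action when nothing matches."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return default


# ACL 3000: traffic FROM IoT hosts, applied inbound on Vlan-interface75.
# Specific permits must precede the subnet-wide denies or they are shadowed.
ACL_FROM_IOT = [
    Rule(0,  "permit", IOT_NET, FIREWALL_IP),  # firewall = default-route next hop
    Rule(5,  "permit", IOT_NET, ADMIN_IP),     # replies to the admin host (stateless ACL)
    Rule(10, "deny",   IOT_NET, SERVER_NET),
    Rule(15, "deny",   IOT_NET, USER_NET),
    Rule(20, "permit", IOT_NET, ANY),          # anything else: Internet via the firewall
]

# ACL 3001: traffic TO IoT hosts, applied outbound on Vlan-interface75.
ACL_TO_IOT = [
    Rule(0,  "permit", ADMIN_IP,    IOT_NET),
    Rule(5,  "permit", FIREWALL_IP, IOT_NET),  # replies from the firewall itself
    Rule(10, "deny",   SERVER_NET,  IOT_NET),
    Rule(15, "deny",   USER_NET,    IOT_NET),
    Rule(20, "permit", ANY,         IOT_NET),  # Internet return traffic
]

# The rule order from post 5, for comparison: the subnet-wide deny has a
# lower rule ID than the firewall permit and therefore shadows it.
ACL_POSTED_ORDER = [
    Rule(0, "deny",   IOT_NET, SERVER_NET),
    Rule(2, "deny",   IOT_NET, USER_NET),
    Rule(3, "permit", IOT_NET, FIREWALL_IP),
    Rule(4, "permit", IOT_NET, ANY),
]


def render_config() -> str:
    """Emit the Comware configuration fragment for both ACLs and the interface."""
    lines = ["packet-filter default deny",  # global: no match -> drop, visible in the config
             "#", "acl number 3000", " description IoT-to-others"]
    lines += [r.render() for r in ACL_FROM_IOT]
    lines += ["#", "acl number 3001", " description others-to-IoT"]
    lines += [r.render() for r in ACL_TO_IOT]
    lines += ["#", "interface Vlan-interface75",
              " ip address 10.75.0.1 255.255.255.0",   # placeholder gateway address
              " packet-filter 3000 inbound",
              " packet-filter 3001 outbound",
              " packet-filter filter route"]  # routed packets only, as post 6 recommends
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_config())
    print("posted order, IoT -> firewall:", evaluate(ACL_POSTED_ORDER, "10.75.0.10", "10.20.0.1"))
```

Running the script prints the configuration to paste into the switch; after applying it, `display acl 3000` and `display acl 3001` show the per-rule counters enabled by the `counting` keyword, which is the quickest way to confirm that a test flow hit the rule you expected rather than the default deny.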