Configuring Inter VLAN ACL on HP Switch

Hi,

I have an HP E5412zl in routed mode with various VLANs.

I have a scenario where I have VLAN 1, 2 and 3.

I'm trying to restrict VLAN 1 so that it can't communicate with the subnets on VLAN2 and VLAN3. However, I still want VLAN 2 and 3 to be able to communicate with VLAN1 when needed.

With the above configuration VLAN 1 should only be able to access the internet, not VLAN 2 and 3.

I know the basic syntax for creating named extended ACLs but I can't seem to get it right in applying it to the VLANs and making it work like the above.

Thanks.
RFVDBAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
Don JohnstonConnect With a Mentor InstructorCommented:
It's the exact format and syntax as Cisco ACL's.
0
 
Don JohnstonInstructorCommented:
Here's the problem:

In order for VLAN 2 and 3 to be able to talk to VLAN 1, then the traffic from VLAN 1 must be able to get to VLAN 2 and 3.  Therefor VLAN 1 must be able to talk to VLANs 2 & 3.

Now there's a work-around to this, but it's not perfect.  You can allow TCP traffic from 1 to 2 & 3 only if it's a response.  And you can do the same with ICMP echo replies.  But there's not much you can do about UDP traffic.

So if you don't have any UDP traffic, you're all set.
0
 
RFVDBAuthor Commented:
Hi donjohnston,

Yeah, I don't think UDP traffic is really a concern security wise. I don't think hackers can really do anything with just UDP.

I'm trying to create a DMZ on this VLAN on the switch.

So the Layer 3 HP switch can't do what a router/firewall can do with stateful inspection between subnets? I guess I'll take whatever it can do.

Thanks!
0
Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

 
RFVDBAuthor Commented:
Is it using the "Established" ACL parameter, similar to the old Cisco ACLs? I've used that in the past years ago on Cisco routers, just not sure if that's an option on the HP switch or if there's something better.
0
 
Don JohnstonInstructorCommented:
Yes, that's how it's done.

And that's your only option (for this type of task) on an HP switch.
0
 
RFVDBAuthor Commented:
OK, do you know where I can find some good documentation on doing it on an HP switch?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.