pzozulka asked:
ProCurve Switch: Block internet access for VLAN

We need to create a new VLAN on our ProCurve switch which will need to be able to communicate with other VLANs, but needs to be blocked from accessing the internet.

Is this something that is possible to do on a ProCurve switch, or is this a config that needs to be taken care of at a higher level (i.e. firewall/router)?
Infamus:

Is this a layer 2 or layer 3 switch?

What is the model number?

Also, if you have a firewall, you can create a policy to block the new subnet from accessing the internet.
You could perhaps configure source-port security depending on model of switch. See the attached pdf for info.
SourcePort-Security-Guide.pdf
The reason I asked about layer 2 or layer 3 is that you won't be able to route between the VLANs if you have a layer 2 switch after creating a new VLAN.

You will then need a router to handle inter-VLAN routing, and you will need to create an ACL on the router.

If you have layer 3, you can simply create an ACL to block the internet traffic, or you can do it from the firewall.
pzozulka (asker):

Actually both. The core switches are layer 3 (5304xl), and the others are layer 2 switches (2600). However, since VLANs are spread across switches logically and the core switches are layer 3, they take care of the inter-VLAN routing -- or so I believe.

In any case, since we are dealing with a layer 3 environment, can you provide the commands to create an ACL on the layer 3 switch to block the internet traffic?

Infamus:

Since I don't know how your VLANs are set up, here's a simple example.

http://blog.ghai.us/bob/?p=238

You can allow all of your vlan subnets and deny everything else on the new vlan statement.
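As an added example (not part of the thread and not taken from the linked blog post), the following Python script models the policy Infamus describes: an extended ACL applied inbound on the new VLAN that permits traffic to the internal subnets and denies everything else. The ACL text, subnet addresses, VLAN number and ACL name are all constructed for illustration; the ProCurve-style rule syntax (`permit ip <src> <wildcard> <dst> <wildcard>`, `deny ip ... any`) is written from memory and must be checked against the manual for your switch's firmware before use. The script parses that text, evaluates sample flows with first-match semantics and the implicit trailing deny that ProCurve ACLs apply, and includes a check that both the internal-reachability and internet-blocked requirements hold. It also shows what happens if the deny line is placed before the permit line.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample ACL in assumed ProCurve-style syntax (verify against the
# switch manual). 10.30.0.0/24 is the hypothetical new VLAN, 10.0.0.0/8 covers
# all hypothetical internal VLAN subnets.
SAMPLE_ACL = """
ip access-list extended "NOINET-VLAN30"
   permit ip 10.30.0.0 0.0.0.255 10.0.0.0 0.255.255.255
   deny ip 10.30.0.0 0.0.0.255 any
   exit
"""
# On the switch the ACL would then be applied inbound on the new VLAN, e.g.
# (assumed syntax):  vlan 30 ip access-group "NOINET-VLAN30" in

# Same rules in the wrong order: the deny matches first and blocks everything.
WRONG_ORDER_ACL = """
ip access-list extended "NOINET-VLAN30-BAD"
   deny ip 10.30.0.0 0.0.0.255 any
   permit ip 10.30.0.0 0.0.0.255 10.0.0.0 0.255.255.255
   exit
"""


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an 'address wildcard' pair into a network.

    In an ACL mask a 0 bit must match and a 1 bit is "don't care"; this
    converter only accepts contiguous wildcards (the common case).
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = (~wc) & 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    if netmask != ((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def _parse_endpoint(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return _wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[Rule]:
    """Extract permit/deny ip rules; header, 'exit' and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        if tokens[1] != "ip":
            raise ValueError("example only handles 'ip' rules: " + line)
        src, i = _parse_endpoint(tokens, 2)
        dst, _ = _parse_endpoint(tokens, i)
        rules.append(Rule(tokens[0], src, dst))
    return rules


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """First matching rule wins; anything unmatched hits the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if s in r.src_net and d in r.dst_net:
            return r.action
    return "deny"


def check_policy(rules: List[Rule], vlan_host: str,
                 internal_hosts: List[str], external_hosts: List[str]) -> bool:
    """True only if every internal host is reachable and every external one is blocked."""
    reach_ok = all(evaluate(rules, vlan_host, h) == "permit" for h in internal_hosts)
    block_ok = all(evaluate(rules, vlan_host, h) == "deny" for h in external_hosts)
    return reach_ok and block_ok


if __name__ == "__main__":
    internal = ["10.10.0.1", "10.20.0.7"]        # constructed hosts on other VLANs
    external = ["203.0.113.9", "198.51.100.1"]   # documentation-range "internet" hosts
    for name, text in (("correct order", SAMPLE_ACL), ("wrong order", WRONG_ORDER_ACL)):
        rules = parse_acl(text)
        print(name, "->", check_policy(rules, "10.30.0.5", internal, external))
```

Run the check with the real addresses of anything the new VLAN still needs, such as an internal DNS server or the gateway address, as part of the internal list: if name resolution points at a server outside the permitted range, the ACL will silently break it, and this check only catches that when the address is included.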
SOLUTION (Infamus) - content available to members only.
Would I apply this to all the switches or just the layer 3 switches? Keeping in mind that the devices connecting to this vlan would be connecting directly to the layer 2 switches.
Just the core switch, which is the VTP server.

If you are running VTP in transparent mode, then you have to create and apply it to each new VLAN.
ASKER CERTIFIED SOLUTION (Craig Beck) - content available to members only.
Thanks for jumping in, Craig...

I agree with you.
Thanks to both of you for your input. Beyond the two core switches (L3), there is a Sonicwall firewall NSA E3500 (NAT'ing done here), and beyond that is a Cisco router.
SOLUTION - content available to members only.