ProCurve Switch: Block internet access for VLAN

pzozulka used Ask the Experts™
We need to create a new VLAN on our ProCurve switch which will need to be able to communicate with other VLANs, but needs to be blocked from accessing the internet.

Is this something that is possible to do on a ProCurve switch, or is this a config that needs to be taken care of at a higher level (i.e. firewall/router)?
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Is this a layer 2 or layer 3 switch?

What is the model number?

Also, if you have a firewall, you can create a policy to block the new subnet from accessing the internet.
You could perhaps configure source-port security depending on model of switch. See the attached pdf for info.
The reason I asked about layer 2 or layer 3 is that you won't be able to route between the vlans if you have layer 2 switch after creating a new vlan.

You will then need a router to handle intervlan routing and you will need to create ACL on the router.

If you have layer 3, you can simply create ACL to block the internet traffic or you can do it from the firewall.
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!


Actually both. The core switches are layer 3 (5304xl), and the others are layer 2 switches (2600). However, since VLANs spread across switches in a logical way, since the core switches are layer 3, they take care of the intervlan routing -- or so I believe.

In any case, since we are dealing with a layer 3 environment, can you provide the commands to create ACL on layer 3 switch to block the internet traffic?
Since I don't know how your vlans are setup here's a simple example.

You can allow all of your vlan subnets and deny everything else on the new vlan statement.
Let's say you have three vlans.

vlan3 (new vlan)

ip access-list extended "No_Internet"
10 remark "No_Internet"
15 permit
20 permit
30 deny ip

vlan 3 ip access-group No_Internet in


Would I apply this to all the switches or just the layer 3 switches? Keeping in mind that the devices connecting to this vlan would be connecting directly to the layer 2 switches.
just the core switch which is the vtp server.

If you are running vtp in transparent mode, then you have to create and apply to each new vlan.
Top Expert 2014
I would do it at the internet router if you can.  That mitigates the chances of you inadvertently blocking access to something on your LAN.  However if you can't do it at the internet router/firewall the key is to apply the ACL at the interface on the L3 switch.
VTP doesn't really matter here (sorry Infamus :-) I see where you're going though!).

You will probably only have one L3 switch where all of the VLANs meet.  Do it there.

Something like this would work (assuming your LAN uses 10.x.y.z addressing and the new VLAN (99 in this example) uses

ip access-list extended No_Internet_VLAN99
 permit ip
 deny ip any
vlan 99
 ip access-group No_Internet_VLAN99 in

Open in new window

Out of interest, what router/firewall do you have connected to your internet circuit?
thanks for jumping in craig...

I agree weith you.


Thanks to both of you for your input. Beyond the two core switches (L3), there is a Sonicwall firewall NSA E3500 (NAT'ing done here), and beyond that is a Cisco router.
To make it simple, I would block from firewall.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial