pzozulka asked:

ProCurve Switch: Block internet access for VLAN

We need to create a new VLAN on our ProCurve switch which will need to be able to communicate with other VLANs, but needs to be blocked from accessing the internet.

Is this something that is possible to do on a ProCurve switch, or is this a config that needs to be taken care of at a higher level (i.e. firewall/router)?
Topics: Switches / Hubs, Networking, Network Management


8/22/2022 - Mon
Infamus

Is this a layer 2 or layer 3 switch?

What is the model number?

Also, if you have a firewall, you can create a policy to block the new subnet from accessing the internet.
tmoore1962

You could perhaps configure source-port security, depending on the model of switch. See the attached PDF for info.
SourcePort-Security-Guide.pdf
Infamus

The reason I asked about layer 2 or layer 3 is that you won't be able to route between the VLANs if you have a layer 2 switch after creating a new VLAN.

You will then need a router to handle inter-VLAN routing, and you will need to create an ACL on the router.

If you have layer 3, you can simply create an ACL to block the internet traffic, or you can do it from the firewall.
pzozulka

ASKER
Actually both. The core switches are layer 3 (5304xl), and the others are layer 2 switches (2600). However, since the VLANs are spread across the switches in a logical way and the core switches are layer 3, the core switches take care of the inter-VLAN routing -- or so I believe.

In any case, since we are dealing with a layer 3 environment, can you provide the commands to create an ACL on a layer 3 switch to block the internet traffic?
Infamus

Since I don't know how your VLANs are set up, here's a simple example.

http://blog.ghai.us/bob/?p=238

You can allow all of your vlan subnets and deny everything else on the new vlan statement.
SOLUTION
Infamus

pzozulka

ASKER
Would I apply this to all the switches or just the layer 3 switches, keeping in mind that the devices connecting to this VLAN would be connected directly to the layer 2 switches?
Infamus

Just the core switch, which is the VTP server.

If you are running VTP in transparent mode, then you have to create and apply it to each new VLAN.
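As an added example (not part of the original thread, and not configuration posted by Infamus or anyone else here), this is what the ACL Infamus describes looks like on a ProCurve 5300xl-class layer 3 switch: it permits the new VLAN to reach the other internal subnets and denies everything else, and it is applied only on the core switch that routes the VLAN, which is where Infamus says to put it. The VLAN IDs, subnets and ACL name are invented for illustration; the command syntax is from memory of the 5300xl ACL feature and can differ between software releases, so confirm it with `ip access-list ?` and `vlan <vid> ip access-group ?` on the actual switch before relying on it.

```text
; Added example, not from the original thread. Hypothetical addressing:
;   existing VLAN 10 = 10.10.0.0/24
;   existing VLAN 20 = 10.20.0.0/24
;   new VLAN 50      = 10.50.0.0/24  (must reach VLANs 10/20, must not reach the internet)
; Masks are ProCurve/Cisco-style wildcard masks: 0 bits must match, 1 bits are "don't care".

; 1. Define the extended ACL on the layer 3 core switch (the 5304xl that routes VLAN 50).
;    Order matters: the first matching entry wins, and anything not matched falls
;    through to the implicit "deny ip any any" at the end of every ProCurve ACL.
;    The explicit deny is kept so the intent is visible and denied packets can be logged.
ip access-list extended "VLAN50-NO-INTERNET"
   permit ip 10.50.0.0 0.0.0.255 10.10.0.0 0.0.0.255
   permit ip 10.50.0.0 0.0.0.255 10.20.0.0 0.0.0.255
   deny ip any any log
   exit

; 2. Apply it inbound on the routed interface of the new VLAN, i.e. to packets the core
;    receives FROM hosts on VLAN 50. Traffic to the default route (the SonicWall, and so
;    the internet) matches nothing but the deny.
vlan 50
   ip access-group "VLAN50-NO-INTERNET" in
   exit

; 3. Verify the ACL and its binding.
show access-list
show access-list vlan 50
```

Because the ACL is stateless, hosts on VLANs 10 and 20 can still open connections to VLAN 50: the replies leaving VLAN 50 are sourced from 10.50.0.0/24 and destined for the permitted subnets, so they match the permit lines. Only the core switch that routes VLAN 50 needs the ACL (if both 5304xl cores route it, apply it on both); the 2600 edge switches just carry the tagged VLAN. A switch ACL is not a firewall, so it is worth adding a matching deny rule on the SonicWall for 10.50.0.0/24 as well, which also covers the case where the VLAN is later re-homed to a switch without the ACL.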
ASKER CERTIFIED SOLUTION
Infamus

Thanks for jumping in, craig...

I agree with you.
pzozulka

ASKER
Thanks to both of you for your input. Beyond the two core switches (L3), there is a Sonicwall firewall NSA E3500 (NAT'ing done here), and beyond that is a Cisco router.
SOLUTION