Limiting a single VLAN for external access only using ACL HP Procurve

Hello Experts

I am trying to configure a switch to provide multiple VLANs for users, as well as a private VLAN for guest Wi-Fi. VLAN 15 has the DHCP server.

VLAN 1 – Not used
VLAN A – IP set, used for clients in building A. IP helper address set
VLAN B – IP set, used for clients in building B. IP helper address set
VLAN C – IP set, used for guest Wi-Fi. IP helper address set

Currently all VLANs can talk to each other, our data center, our main office, and the internet.

I would like to limit traffic on VLAN C to only be able to go out to the internet but not reach any of our internal network. Since IP routing is enabled on the switch it is letting all traffic pass. I know I will have to use an ACL to limit this but I don’t quite understand ACLs.

Ideally I would like to use the DHCP server on VLAN A but if that will not work I can set up another DHCP server on VLAN C. I am using a Ruckus Zone Director and access points for the Wi-Fi. This device can understand VLAN tags so in Building A the access points will be tagged with VLAN A and C, building B will be tagged with B and C.

I am using HP Procurve 2920 Layer 3 switch in both buildings A and B. The buildings are connected with a wireless bridge.


Thank you for your help,
Sam
laurenofis Asked:

Bryant Schaper Commented:
Set an ACL to deny ip vlan a to vlan b

Example: deny ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255

Before that you could use a permit to allow DHCP.

The Ruckus controller should be able to do this well, I believe, as it serves as the traffic cop for the Wi-Fi network. But it has been a while since I used the controller. Ruckus is awesome.
laurenofis Author Commented:
Can I apply that to just VLAN C? Would I also have to put a rule to limit the other 30 VLANs on the network (other locations, data center, etc.)?
Bryant Schaper Commented:
Yes, the deny statement is based on source and then destination. You can probably summarize the other side as a deny as well instead of 30 additional statements.
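
Added example, not part of the original thread: a small Python model of first-match ACL evaluation with wildcard masks, showing why the DHCP permit has to come before a summarized deny. The guest subnet 10.0.3.0/24, the assumption that every internal network sits inside 10.0.0.0/8, the sample packets, and the rule-string format (an extension of the `deny ip ...` line above) are all constructed for illustration and are not ProCurve CLI syntax.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_ace(line):
    # Model format: action proto src src-wildcard dst dst-wildcard [eq dport]
    t = line.split()
    return {"action": t[0], "proto": t[1],
            "src": (ip(t[2]), ip(t[3])), "dst": (ip(t[4]), ip(t[5])),
            "dport": int(t[7]) if len(t) == 8 and t[6] == "eq" else None}

def wc_match(addr, pair):
    base, wildcard = pair
    care = ~wildcard & 0xFFFFFFFF      # wildcard 1-bits mean "don't care"
    return (ip(addr) & care) == (base & care)

def evaluate(acl, proto, src, dst, dport=None):
    # First matching entry wins; every ACL ends with an implicit deny.
    for ace in acl:
        if (ace["proto"] in ("ip", proto)
                and wc_match(src, ace["src"]) and wc_match(dst, ace["dst"])
                and ace["dport"] in (None, dport)):
            return ace["action"]
    return "deny"

ANY = "0.0.0.0 255.255.255.255"
GUEST = "10.0.3.0 0.0.0.255"           # constructed guest (VLAN C) subnet
DHCP_PERMIT = f"permit udp {ANY} {ANY} eq 67"
# One summary entry instead of one deny per internal VLAN (assumes 10.0.0.0/8).
INTERNAL_DENY = f"deny ip {GUEST} 10.0.0.0 0.255.255.255"
INTERNET_PERMIT = f"permit ip {GUEST} {ANY}"

def build(*lines):
    return [parse_ace(line) for line in lines]

GUEST_ACL = build(DHCP_PERMIT, INTERNAL_DENY, INTERNET_PERMIT)
MISORDERED = build(INTERNAL_DENY, DHCP_PERMIT, INTERNET_PERMIT)

# Constructed sample packets: (label, proto, src, dst, dport)
SAMPLES = [
    ("DHCP discover", "udp", "0.0.0.0", "255.255.255.255", 67),
    ("DHCP renew to internal server", "udp", "10.0.3.50", "10.0.1.10", 67),
    ("guest to building B host", "tcp", "10.0.3.50", "10.0.2.20", 445),
    ("guest to internet", "tcp", "10.0.3.50", "203.0.113.10", 443),
]

if __name__ == "__main__":
    for label, *pkt in SAMPLES:
        print(f"{label:32} ordered={evaluate(GUEST_ACL, *pkt):7}"
              f" misordered={evaluate(MISORDERED, *pkt)}")
```

Any other service guests need from an internal address (an internal DNS resolver, for example) would need its own permit ahead of the summary deny.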
laurenofis Author Commented:
I ended up creating a new network for external users through the firewall and tagged it as a separate VLAN going to my Access Point. This way they are 100% external and I have them running on a separate internet connection as well.

Thanks

laurenofis Author Commented:
The other answers provided did not work.