MoonLive
asked on
Block/Drop Internet request for specific VLAN.
I have HP Procurve switch in my network. I have a network setup for a security camera that doesn't need to be accessible to the Internet. It seems that the camera continuously accesses the Internet for some reason. The packet has been a drop from the SonicWall since there is no rule setup for the network. I would like to setup HP procurve switch to not forwad those request. what is the command or rule to do that? I have a core switch as a gateway of all network and the security camera is in VLAN.
ASKER
Is there any way do it from the switch level? I have to touch 200 cameras if I have to use device configuration.
I don't know HP procurves that well. if they support acls, then just add a block rule
maybe this helps:
http://h22208.www2.hpe.com/eginfolib/networking/docs/switches/RA/15-18/5998-8151_ra_2620_asg/content/ch10s05.html
it is the doc on acls for hp
http://h22208.www2.hpe.com/eginfolib/networking/docs/switches/RA/15-18/5998-8151_ra_2620_asg/content/ch10s05.html
it is the doc on acls for hp
remove the default route 0.0.0.0/0 from youre procuve and add static routes to the procurve from the net works you need to route the interface to
ASKER
I have two lines on the hp switch.
ip default-gateway 10.0.0.1
ip route 0.0.0.0 0.0.0.0 10.0.0.1
Those line needs to be removed?
and I guess I have to add a static route like this: ip route 10.0.12.0 255.255.255.0 10.0.0.1
10.0.12.0 is my data network. Because there is no static route for vlan 200 (10.0.200.0 /24) is not stated, it won't go anywhere.
Is that right statement?
Thanks
ip default-gateway 10.0.0.1
ip route 0.0.0.0 0.0.0.0 10.0.0.1
Those line needs to be removed?
and I guess I have to add a static route like this: ip route 10.0.12.0 255.255.255.0 10.0.0.1
10.0.12.0 is my data network. Because there is no static route for vlan 200 (10.0.200.0 /24) is not stated, it won't go anywhere.
Is that right statement?
Thanks
I assume the HP is the default gateway for your subnets?
removing the default gateway will kill your internet for all subnets.
unless you replace them with routemaps, although ot sure of this hp does do routemaps
removing the default gateway will kill your internet for all subnets.
unless you replace them with routemaps, although ot sure of this hp does do routemaps
yer better of using acls
ASKER
That is what I was wondering.
What could be way to do with ACLs?
What could be way to do with ACLs?
maybe this helps:
http://h22208.www2.hpe.com/eginfolib/networking/docs/switches/RA/15-18/5998-8151_ra_2620_asg/content/ch10s05.html
it is the doc on acls for hp
http://h22208.www2.hpe.com/eginfolib/networking/docs/switches/RA/15-18/5998-8151_ra_2620_asg/content/ch10s05.html
it is the doc on acls for hp
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
de default gateway you use for management is the switch is running only layer 2
the default route in layer 3 mode.
as case owner mentioned, the procurve switch is only for security cams. no layer 3 functionality required.
just remove the ip route 0.0.0.0 /0 and keep the ip default gateway. and the cam's dont have a default route anymore.
the default route in layer 3 mode.
as case owner mentioned, the procurve switch is only for security cams. no layer 3 functionality required.
just remove the ip route 0.0.0.0 /0 and keep the ip default gateway. and the cam's dont have a default route anymore.
alternatively, just add a static route on the sonicwall for the camera subnet to get rid of IP spoof messages, and add a LAN t WAN deny rule
source = camera subnet
destination = any
service = any
action = discard
source = camera subnet
destination = any
service = any
action = discard
Benjamin, if he has multiple VLANs, removing the default route on the core switch, kills internet for all the other VLANs...
J Spoor why dont handle it on the source device. that's my way of working. solve problems on the source.
Benjamin, that's what I stated in the very first post...
"if the cameras support static routes,
remove the default route on them, and replace them with static routes for your other network(s) istead"
But he has over 200 cameras
"if the cameras support static routes,
remove the default route on them, and replace them with static routes for your other network(s) istead"
But he has over 200 cameras
that was my question to the topic owner. does it do layer 3. if it does, then he has to create a return route and block traffic.
let's wait for the topic owner to confirm what the switch is doing. L2 or L3 ?
let's wait for the topic owner to confirm what the switch is doing. L2 or L3 ?
ASKER
Thanks for Benjamin and J, the core switch is L3 and default routed ip default-gateway 10.0.0.1.
Now, most of all other switches are all L2 switch with multiple VLAN configured.
Now, most of all other switches are all L2 switch with multiple VLAN configured.
ASKER
If I create ACL list below, will that work?
ip access-list extened "block-internet"
deny ip 10.0.200.0 255.255.255.0 0.0.0 255.255.255.255
exit
Apply to VLAN 200
ip access-group "block-internet"
exit
ip access-list extened "block-internet"
deny ip 10.0.200.0 255.255.255.0 0.0.0 255.255.255.255
exit
Apply to VLAN 200
ip access-group "block-internet"
exit
I think 0.0.0 255.255.255.255 should be 0.0.0.0 0.0.0.0 instead
pls keep I mind that will also block the cameras to the rest of the vlans
ASKER
If that is the case, this may work?
ip access-list extened "block-internet"
deny ip 10.0.200.0 255.255.255.0 0.0.0 0.0.0.0
permit 10.0.200.0 255.255.255.0
exit
ip access-list extened "block-internet"
deny ip 10.0.200.0 255.255.255.0 0.0.0 0.0.0.0
permit 10.0.200.0 255.255.255.0
exit
I thik you need a permit per other vlan
eg
permit 10.0.200.0 255.255.255.0 10.1.0.0 255.255.0.0
or smth, dependent on your ip scheme
eg
permit 10.0.200.0 255.255.255.0 10.1.0.0 255.255.0.0
or smth, dependent on your ip scheme
and the order of permits and denies may be important
ASKER
I end up using the following:
ip access-list extended "Block-Internet"
10 permit ip 10.0.200.0 0.255.255.255 10.0.12.0 0.0.255.255
20 deny tcp 10.0.200.0 0.255.255.255 0.0.0.0 0.0.0.0
30 deny udp 10.0.200.0 0.255.255.255 0.0.0.0 0.0.0.0
exit
This allow me to block the traff goes out and manage the 10.0.200.0 network from data network.
Thanks for your help. I hope this helps someone.
ip access-list extended "Block-Internet"
10 permit ip 10.0.200.0 0.255.255.255 10.0.12.0 0.0.255.255
20 deny tcp 10.0.200.0 0.255.255.255 0.0.0.0 0.0.0.0
30 deny udp 10.0.200.0 0.255.255.255 0.0.0.0 0.0.0.0
exit
This allow me to block the traff goes out and manage the 10.0.200.0 network from data network.
Thanks for your help. I hope this helps someone.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
remove the default route on them, and replace them with static routes for your other network(s) istead