Comware

  • 1.  ACLs to permit routing only between pairs of VLANs

    Posted Jun 27, 2011 05:44 PM

    Hi all


    I'm a bit confused about ACLs and routing with an E5406zl. Any help and ideas appreciated.


    I have 4 VLANs connected to an E5406zl.

    vlan 30
       name "OFFICE"
       ip address 10.30.10.11 255.255.255.0
       exit
    vlan 31
       name "OFFICE_NLB"
       ip address 10.31.10.11 255.255.255.0
       exit
    vlan 40
       name "SERVER"
       ip address 10.40.10.11 255.255.255.0
       exit
    vlan 41
       name "SERVER_NLB"
       ip address 10.41.10.11 255.255.255.0
       exit


    VLANs 31 and 41 are connected to my Microsoft TMG firewalls.

    I use NLB to have a redundant setup for my TMG firewalls.

    I need these separate NLB VLANs, to prevent flooding of ARP multicasts into the OFFICE and SERVER VLANs.


    I want the traffic to flow like this:

    Workstation > 30 > 31 > TMG > 41 > 40 > Server

    and vice versa.


    Traffic must not flow like this:

    Workstation > 30 > 40 > Server


    Actually I want to allow any traffic only between 30 and 31 but no other VLAN.

    And between 40 and 41 but no other VLAN.

    What routes and ACLs would I need?

    Or am I going about this the wrong way?


    Thanks in advance

    Bouli



  • 2.  RE: ACLs to permit routing only between pairs of VLANs

    Posted Jun 27, 2011 06:11 PM
    Hello,

    I think you will need to apply an access-list like this:
    But I don't remember the exact commands.

    Vlan 30
    access-list permit 10.31.10.0 0.0.0.255

    Vlan 31
    access-list permit 10.30.10.0 0.0.0.255

    Vlan 40
    access-list permit 10.41.10.0 0.0.0.255

    Vlan 41
    access-list permit 10.40.10.0 0.0.0.255

    Best regards



  • 3.  RE: ACLs to permit routing only between pairs of VLANs

    Posted Jun 28, 2011 09:10 AM

    Hi Luciano

    I forgot to mention that my firewall will route the traffic between 31 and 41; I don't want to use NAT.

    I know the commands for the ACLs, but I think I can't distinguish whether a packet is coming from 30 directly to 40 or via the firewall from 41 to 40.

    Example packet:

    Source: 10.30.10.210

    Destination: 10.40.10.35

    Doesn't the packet look the same when it flows from 30 to 40 as when it flows from 41 to 40?

    And if I understand ACLs right, they will only inspect the source and destination addresses of the packet. There seems to be no way to say "allow traffic only between VLAN 30 and 31", no matter what the source and destination of the packets are?


    Regards
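Added example, not code from the thread and not ProCurve configuration: a small Python model of wildcard-mask ACLs applied inbound on each VLAN interface, plus the switch's connected routes, using the addresses from the question and an assumed /24 rendering of the ACL sketch in reply 2. It checks the point made above: the workstation's packet to 10.40.10.35 carries the same header whichever path it takes, so a pair-only ACL on VLAN 30 drops it before it can reach the TMG, and without the ACL the connected route sends it straight to VLAN 40.

```python
import ipaddress

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard-mask semantics: a 0 bit in the mask must match, a 1 bit is don't-care.
    So 0.0.0.255 covers one /24, while 0.255.255.255 covers all of 10.0.0.0/8."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

# Assumed inbound ACL per VLAN: (action, destination network, wildcard).
# Anything not matched falls through to the implicit deny at the end.
VLAN_ACL_IN = {
    30: [("permit", "10.31.10.0", "0.0.0.255")],
    31: [("permit", "10.30.10.0", "0.0.0.255")],
    40: [("permit", "10.41.10.0", "0.0.0.255")],
    41: [("permit", "10.40.10.0", "0.0.0.255")],
}

# Connected routes the E5406zl has from the VLAN config in the question.
CONNECTED = {30: "10.30.10.0/24", 31: "10.31.10.0/24",
             40: "10.40.10.0/24", 41: "10.41.10.0/24"}

def acl_decision(ingress_vlan: int, dst: str) -> str:
    """First matching entry wins; implicit deny otherwise."""
    for action, net, wc in VLAN_ACL_IN.get(ingress_vlan, []):
        if wildcard_match(dst, net, wc):
            return action
    return "deny"

def egress_vlan(dst: str):
    """Longest-match is trivial here: every prefix is a distinct /24."""
    for vlan, net in CONNECTED.items():
        if ipaddress.IPv4Address(dst) in ipaddress.IPv4Network(net):
            return vlan
    return None

def forward(ingress_vlan: int, src: str, dst: str):
    """One hop through the switch: ('deny', ingress VLAN) or ('permit', egress VLAN).
    Only the arrival VLAN and the header are visible; the path so far is not."""
    if acl_decision(ingress_vlan, dst) != "permit":
        return ("deny", ingress_vlan)
    return ("permit", egress_vlan(dst))
```

The workstation packet entering on VLAN 30 is denied, while the identical packet entering on VLAN 41 from the TMG is permitted to VLAN 40, which is exactly why destination-only ACLs cannot express "via the firewall" here.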



  • 4.  RE: ACLs to permit routing only between pairs of VLANs

    Posted Jun 28, 2011 08:09 PM

    Hello bouli3,

    Could you attach the topology you are using on your network so we can analyse it and try to suggest a solution?

    Best Regards,



  • 5.  RE: ACLs to permit routing only between pairs of VLANs

    Posted Jun 29, 2011 01:19 PM

    Hi, I attached a topology picture. Best Regards