Wired Intelligent Edge

  • 1.  Is this VLAN setup correct?

    Posted Jan 24, 2011 07:11 AM

    I've been reading a lot of threads and sites about setting up VLANs and ACLs as we're looking to go towards this setup in the next few months.

    I've set up a test lab scenario with a spare 2810-24 switch (in production it would be a 5406zl) that's aiming to emulate the following setup...

    VLAN1 - default VLAN for switch management
    VLAN100 - standard servers e.g. DHCP, DNS
    VLAN200 - restricted servers
    VLAN3 - standard workstations (access to all)
    VLAN4 - restricted workstations (can't access VLAN200 or VLAN3)
    VLAN5 - printers
    VLAN6 - guest wireless, no access to any VLAN, only to get to Internet gateway
    VLAN7 - internet gateway of firewall

    * DHCP server is 192.168.100.250
    * A10-A15 would be fiber connections to satellite cabinets

    So with that in mind I've come up with this sample config...



    ; both lists match on source AND destination, so they must be extended ACLs
    ; (a ProCurve standard ACL filters on the source address only)
    ip access-list extended "PUBLIC_WIFI_ISOLATION"
    remark "BLOCKS GUEST WIRELESS TO ALL OTHER VLANS, ALLOWS INTERNET ACCESS ONLY"
    remark "ALLOW ACCESS TO DHCP SERVER 192.168.100.250"
    10 permit ip 192.168.6.0 0.0.0.255 192.168.100.250 0.0.0.0
    remark "ALLOW ACCESS TO FIREWALL GREEN INTERFACE"
    20 permit ip 192.168.6.0 0.0.0.255 192.168.7.10 0.0.0.0
    ; explicit catch-all; every ACL also ends with an implicit deny
    30 deny ip any any
    exit

    ip access-list extended "RESTRICTED_SERVER_ACCESS"
    remark "BLOCKS RESTRICTED MACHINES ACCESS TO RESTRICTED SERVER VLAN AND STANDARD WORKSTATION VLAN, ALLOWS ALL OTHER TRAFFIC"
    10 deny ip 192.168.4.0 0.0.0.255 192.168.200.0 0.0.0.255
    20 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
    ; sequence numbers must be unique within a list, so the final permit is 30, not a second 20
    30 permit ip any any
    exit




    CORE SWITCH CONFIGURATION
    =========================

    hostname "CORE"

    dhcp-relay
    ip routing
    ip route 0.0.0.0 0.0.0.0 192.168.7.10

    vlan 1
    name "DEFAULT_VLAN"
    no untagged A11-A20
    tagged A10-A15
    ip address 192.168.1.254 255.255.255.0
    exit

    vlan 100
    name "SVR_STANDARD"
    untagged A1-A10
    ip address 192.168.100.254 255.255.255.0
    exit

    vlan 200
    name "SVR_RESTRICT"
    untagged A11-A19
    tagged A10-A15
    ip address 192.168.200.254 255.255.255.0
    exit

    vlan 3
    name "STANDARD_WKS"
    tagged A10-A15
    ip helper-address 192.168.100.250
    ip address 192.168.3.254 255.255.255.0
    exit

    vlan 4
    name "RESTRICT_WKS"
    tagged A10-A15
    ip helper-address 192.168.100.250
    ip address 192.168.4.254 255.255.255.0
    vlan 4 ip access-group "RESTRICTED_SERVER_ACCESS" in
    exit

    vlan 5
    name "PRINT"
    ; A10-A15 are the fiber trunk ports to the edge switches
    tagged A10-A15
    ip helper-address 192.168.100.250
    ip address 192.168.5.254 255.255.255.0
    exit

    vlan 6
    name "WLAN_GUEST"
    tagged A10-A15
    ; relay guest DHCP broadcasts to the server that the ACL's first entry permits
    ip helper-address 192.168.100.250
    ip address 192.168.6.254 255.255.255.0
    vlan 6 ip access-group "PUBLIC_WIFI_ISOLATION" in
    exit

    vlan 7
    name "FIREWALL_GREEN"
    untagged A20
    tagged A10-A15
    ip address 192.168.7.254 255.255.255.0
    exit


    EDGE SWITCH CONFIGURATION
    =========================

    hostname "CAB_A_SW01"

    vlan 1
    name "DEFAULT_VLAN"
    ip address 192.168.1.2 255.255.255.0
    no untagged 1-22
    tagged 24
    exit

    vlan 3
    name "STANDARD_WKS"
    untagged 1-10
    tagged 24
    exit

    vlan 4
    name "RESTRICT_WKS"
    untagged 11-20
    tagged 24
    exit

    vlan 5
    name "PRINT"
    untagged 21
    tagged 24
    exit

    vlan 6
    ; must use the same VLAN ID as WLAN_GUEST on the core (6); tagging it as 7 here
    ; would place port 22 in FIREWALL_GREEN at the far end of the trunk
    name "WLAN_GUEST"
    untagged 22
    tagged 24
    exit



    The main thing I've been trying to make sure is correct is that I've understood the ACL setup correctly in terms of "in" and where the restriction is defined. It seems to be working on the test switch so hopefully all is correct...


    P.S. This thread has been moved from Switches, Hubs, Modems (Legacy ITRC forum) to ProCurve / ProVision-Based. -HP Forum Moderator
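    An added example, not part of the thread: a small Python model of the two posted ACLs as first-match rule lists, checked against the access policy stated at the top of the post, plus a check that each VLAN ID names the same VLAN at both ends of the A10-A15 / port 24 trunk. The host addresses and the edge VLAN table are constructed (the edge table deliberately carries the guest VLAN as ID 7), and `allowed()` assumes the inbound ACL on the source VLAN is the only filter a routed flow passes.

```python
import ipaddress
# Entries are evaluated top-down, first match wins; an ACL ends in an implicit deny.
ACLS = {
    "PUBLIC_WIFI_ISOLATION": [
        ("permit", "192.168.6.0/24", "192.168.100.250/32"),  # seq 10: DHCP server
        ("permit", "192.168.6.0/24", "192.168.7.10/32"),     # seq 20: firewall green
        ("deny", "0.0.0.0/0", "0.0.0.0/0"),                   # seq 30: deny any any
    ],
    "RESTRICTED_SERVER_ACCESS": [
        ("deny", "192.168.4.0/24", "192.168.200.0/24"),      # seq 10
        ("deny", "192.168.4.0/24", "192.168.3.0/24"),        # seq 20
        ("permit", "0.0.0.0/0", "0.0.0.0/0"),                # seq 30: permit any any
    ],
}
VLAN_ACL_IN = {6: "PUBLIC_WIFI_ISOLATION", 4: "RESTRICTED_SERVER_ACCESS"}

def evaluate(acl_name, src, dst):
    """Action of the first entry matching (src, dst), or the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in ACLS[acl_name]:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"

def allowed(src_vlan, src, dst):
    """Routed flow entering the core from src_vlan: apply its inbound ACL, if any."""
    acl = VLAN_ACL_IN.get(src_vlan)
    return acl is None or evaluate(acl, src, dst) == "permit"

# Intended policy from the post as (source VLAN, src, dst, should the flow pass).
POLICY = [
    (4, "192.168.4.10", "192.168.200.5", False),   # restricted wks -> restricted svr
    (4, "192.168.4.10", "192.168.3.5", False),     # restricted wks -> standard wks
    (4, "192.168.4.10", "192.168.100.250", True),  # restricted wks -> DHCP/DNS
    (6, "192.168.6.10", "192.168.100.250", True),  # guest -> DHCP server
    (6, "192.168.6.10", "192.168.7.10", True),     # guest -> Internet gateway
    (6, "192.168.6.10", "192.168.100.5", False),   # guest -> any other server
    (6, "192.168.6.10", "192.168.4.10", False),    # guest -> restricted wks
]
def policy_violations():
    """Flows whose ACL verdict differs from the intended policy (empty list = OK)."""
    return [(v, s, d) for v, s, d, want in POLICY if allowed(v, s, d) != want]

# VLAN ID -> name at each end of the trunk; EDGE is constructed with the guest VLAN typed as 7.
CORE = {1: "DEFAULT_VLAN", 3: "STANDARD_WKS", 4: "RESTRICT_WKS", 5: "PRINT", 6: "WLAN_GUEST", 7: "FIREWALL_GREEN"}
EDGE = {1: "DEFAULT_VLAN", 3: "STANDARD_WKS", 4: "RESTRICT_WKS", 5: "PRINT", 7: "WLAN_GUEST"}

def trunk_mismatches(core, edge):
    """VLAN IDs the trunk carries whose names differ between the two ends."""
    return {v: (core[v], edge[v]) for v in edge if v in core and core[v] != edge[v]}
```

A non-empty result from `trunk_mismatches` means a port untagged in that VLAN on the edge lands in a differently named VLAN on the core, here the guest port in FIREWALL_GREEN, bypassing PUBLIC_WIFI_ISOLATION entirely.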



  • 2.  RE: Is this VLAN setup correct?

    Posted Mar 09, 2011 12:11 PM
    Anyone able to confirm this? Also wondering if I need a default gateway setting on the edge switch pointing back to the core switch's primary IP address?