Routing and ACL – Blocking Intra-VLAN Forwarding

Tags: acl, dell, hp, routing

In a mixed network of Dell and HP/Aruba devices, we would like to block all communication between client computers, and only allow them to communicate with servers located on a different VLAN*.

There are two core switches, Dell S4048-ON (bundled OS), with servers attached, and other "edge" switches connected to the clients. One pair of edge switches are connected with a loop configuration, for high availability (unrelated to this).
[network diagram]

I have solved it inside any of the "edge" switches, which are HP 2920 and 2810:

filter source-port named-filter "uplink-only" drop 1-44
filter source-port 1-44 named-filter "uplink-only"

However, the client VLAN (VLAN 3) is available on the uplink to the core routers. So the intra-VLAN packets will appear on the other edge switches.

The core switches are currently configured without ACL, simply routing between VLAN 1 and 3.

The question is then how to implement an ACL for the Core switches to prevent forwarding packets within VLAN 3 — but allow routed traffic from that VLAN. For redundancy purposes, it is necessary to forward VLAN1 between ports as is done now, allowing a link to go down in the redundantly configured switches. Also, DHCP must be available to the clients, from another server on VLAN 1, using the "ip helper-address" option.

Alternative solutions to the general problem of blocking traffic between clients are of course welcome.

*The reason is to improve security when the client devices may not always be configured securely.

Best Answer

Since your clients are connected by the edge switches you'll need to filter unwanted traffic there - before the core switches.

How exactly that can be done depends on the models/series you use.

With current models (2530 or so) you could apply an ACL to the VLAN to stop inter-VLAN communication. E.g. for 192.168.3.0/24 in VLAN 3:

ip access-list extended no3
100 deny ip 192.168.3.0/24 192.168.3.0/24
999 permit ip any any
exit
vlan 3 ip access-group no3 vlan-in

If you need to disable manually changed IP addresses only, you could either force DHCP-assigned addresses only (dhcp-snooping) or allow only proper traffic:

ip access-list extended no3
100 deny ip 192.168.3.0/24 192.168.3.0/24
110 permit ip 192.168.3.0/24 any
120 permit ip any 192.168.3.0/24
999 deny ip any any
exit
vlan 3 ip access-group no3 vlan-in

Obviously, this is for IPv4 only, IPv6 needs an ACL of its own.

filter source-port works intra-switch only, so you'd need the same function in the core switch as you've discovered. (Alternatively, you can split the L2 segments as Ron M.'s comment suggests.)

[edit]

2920 and 2810 switch series don't support VLAN ACLs yet, so you need to apply them to each edge port: interface <n> ip access-group no3 in. Generally, you should filter unwanted traffic as soon as possible = on the edge switches.
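The two ACL variants in the answer differ in what they do with traffic that has no 192.168.3.0/24 address on either side, which matters for the DHCP requirement in the question. The following script is an added example, not code from the thread or from any switch vendor: it replays a handful of constructed flows through a first-match evaluator of both ACLs so the effect of ACE order can be checked before committing the configuration. It assumes the usual ACL semantics (ACEs evaluated in sequence order, first match wins, implicit deny at the end), an assumed server subnet of 192.168.1.0/24 on VLAN 1, and an assumed VLAN 3 gateway address of 192.168.3.1; none of those values come from the page.

```python
"""
Added example: first-match evaluation of the two "no3" ACLs from the answer
against sample flows. Assumed semantics: ACEs are evaluated in ascending
sequence order, the first match decides, and unmatched traffic is denied.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Ace(NamedTuple):
    seq: int
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


ANY = ipaddress.ip_network("0.0.0.0/0")
CLIENTS = ipaddress.ip_network("192.168.3.0/24")   # VLAN 3 client subnet from the answer

# ACL "no3", first variant: block intra-VLAN traffic, permit everything else.
ACL_NO3_V1: List[Ace] = [
    Ace(100, "deny", CLIENTS, CLIENTS),
    Ace(999, "permit", ANY, ANY),
]

# ACL "no3", second variant: only flows with a VLAN 3 address on one side pass.
ACL_NO3_V2: List[Ace] = [
    Ace(100, "deny", CLIENTS, CLIENTS),
    Ace(110, "permit", CLIENTS, ANY),
    Ace(120, "permit", ANY, CLIENTS),
    Ace(999, "deny", ANY, ANY),
]


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, sequence number of the matching ACE).

    A sequence number of None means no ACE matched and the implicit deny applied.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in sorted(acl, key=lambda a: a.seq):
        if s in ace.src and d in ace.dst:
            return ace.action, ace.seq
    return "deny", None


# Constructed sample flows covering the traffic classes the question mentions.
SAMPLE_FLOWS = {
    "client-to-client":  ("192.168.3.10", "192.168.3.20"),    # must be blocked
    "client-to-server":  ("192.168.3.10", "192.168.1.5"),     # assumed server on VLAN 1
    "server-to-client":  ("192.168.1.5", "192.168.3.10"),     # return / server-initiated traffic
    "dhcp-discover":     ("0.0.0.0", "255.255.255.255"),      # DHCP DISCOVER: client has no address yet
    "client-to-gateway": ("192.168.3.10", "192.168.3.1"),     # assumed SVI address inside the subnet
}


def run(acl: List[Ace]) -> dict:
    """Map each sample flow name to the action the ACL takes on it."""
    return {name: evaluate(acl, s, d)[0] for name, (s, d) in SAMPLE_FLOWS.items()}


def dhcp_discover_passes(acl: List[Ace]) -> bool:
    """Check whether the initial broadcast DHCP exchange survives the ACL."""
    return evaluate(acl, "0.0.0.0", "255.255.255.255")[0] == "permit"


if __name__ == "__main__":
    for label, acl in (("variant 1", ACL_NO3_V1), ("variant 2", ACL_NO3_V2)):
        print(label)
        for name, (s, d) in SAMPLE_FLOWS.items():
            action, seq = evaluate(acl, s, d)
            print(f"  {name:18s} {s:>15s} -> {d:<15s} {action} (ACE {seq})")
        print(f"  DHCP DISCOVER passes: {dhcp_discover_passes(acl)}")
```

Running it shows that the first variant lets the DHCP DISCOVER through (0.0.0.0 is not in 192.168.3.0/24, so ACE 100 does not match and ACE 999 permits), while the second variant drops it: neither 0.0.0.0 nor 255.255.255.255 is in the client subnet, so no permit matches and ACE 999 denies. With the stricter ACL, an ACE permitting the DHCP exchange has to precede the final deny for the "ip helper-address" setup to keep working. Both variants also deny traffic from a client to any address inside its own subnet, including the VLAN's gateway address, since the deny in ACE 100 does not distinguish the gateway from other hosts; routed traffic is unaffected because its destination lies outside the subnet, and ARP is not IP and so is not filtered by either ACL.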