VLAN Separation Issue

Publication Date: 2014-11-24
Issue Description
The customer currently has a layer three switch (S5700) with four VLANs configured. All VLANs can reach each other because no restriction is configured on the switch. The customer now requires us to separate them as follows:
1. VLANs 2 and 3 can access each other.
2. VLANs 4 and 5 can access each other.
3. The VLANs in group (1) and the VLANs in group (2) cannot access each other.

Current S5700 config:
interface Vlanif2
ip address 10.2.2.1 255.255.255.0
#
interface Vlanif3
ip address 10.3.3.1 255.255.255.0
#
interface Vlanif4
ip address 10.4.4.1 255.255.255.0
#
interface Vlanif5
ip address 10.5.5.1 255.255.255.0
#

Handling Process
Since every VLAN has an IP address configured on its VLANIF interface and the device is a layer three switch, I use the "traffic-filter" feature (ACL-based packet filtering applied per VLAN) to separate the VLANs.

Solution
First, configure one ACL per VLAN that permits traffic from that VLAN's subnet to its own subnet and to the subnet of its partner VLAN, and denies everything else. The final "rule 15 deny ip" also drops traffic from that VLAN to any destination outside the two permitted subnets (for example an uplink or the Internet); if such destinations are required, add permit rules for them before the final deny.
acl number 3002
rule 5 permit ip source 10.2.2.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
rule 10 permit ip source 10.2.2.0 0.0.0.255 destination 10.3.3.0 0.0.0.255
rule 15 deny ip
acl number 3003
rule 5 permit ip source 10.3.3.0 0.0.0.255 destination 10.3.3.0 0.0.0.255
rule 10 permit ip source 10.3.3.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
rule 15 deny ip
acl number 3004
rule 5 permit ip source 10.4.4.0 0.0.0.255 destination 10.4.4.0 0.0.0.255
rule 10 permit ip source 10.4.4.0 0.0.0.255 destination 10.5.5.0 0.0.0.255
rule 15 deny ip
acl number 3005
rule 5 permit ip source 10.5.5.0 0.0.0.255 destination 10.5.5.0 0.0.0.255
rule 10 permit ip source 10.5.5.0 0.0.0.255 destination 10.4.4.0 0.0.0.255
rule 15 deny ip

Then apply each ACL with traffic-filter in the inbound direction on the matching VLAN (inbound means packets entering the switch from hosts in that VLAN):
traffic-filter vlan 2 inbound acl 3002
traffic-filter vlan 3 inbound acl 3003
traffic-filter vlan 4 inbound acl 3004
traffic-filter vlan 5 inbound acl 3005
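As an added check that is not part of the original article, the following Python script models how the switch evaluates the ACLs above (first matching rule wins, wildcard masks as in the config) and verifies that the resulting reachability matrix satisfies the three requirements. The ACL text and traffic-filter bindings are copied from the solution; the host addresses (10.x.x.10) and the outside address 192.0.2.1 are constructed sample values, and the assumption that a packet matching no rule is forwarded is noted in the code.

```python
"""Offline verification of the S5700 VLAN separation policy (added example, not device code)."""
import ipaddress
import re
from itertools import product

# ACL rules and traffic-filter bindings, copied from the solution above.
ACL_CONFIG = """
acl number 3002
rule 5 permit ip source 10.2.2.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
rule 10 permit ip source 10.2.2.0 0.0.0.255 destination 10.3.3.0 0.0.0.255
rule 15 deny ip
acl number 3003
rule 5 permit ip source 10.3.3.0 0.0.0.255 destination 10.3.3.0 0.0.0.255
rule 10 permit ip source 10.3.3.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
rule 15 deny ip
acl number 3004
rule 5 permit ip source 10.4.4.0 0.0.0.255 destination 10.4.4.0 0.0.0.255
rule 10 permit ip source 10.4.4.0 0.0.0.255 destination 10.5.5.0 0.0.0.255
rule 15 deny ip
acl number 3005
rule 5 permit ip source 10.5.5.0 0.0.0.255 destination 10.5.5.0 0.0.0.255
rule 10 permit ip source 10.5.5.0 0.0.0.255 destination 10.4.4.0 0.0.0.255
rule 15 deny ip
"""
BINDINGS = """
traffic-filter vlan 2 inbound acl 3002
traffic-filter vlan 3 inbound acl 3003
traffic-filter vlan 4 inbound acl 3004
traffic-filter vlan 5 inbound acl 3005
"""
# Constructed sample hosts, one per VLAN, used to probe the policy.
VLAN_HOSTS = {2: "10.2.2.10", 3: "10.3.3.10", 4: "10.4.4.10", 5: "10.5.5.10"}

RULE_RE = re.compile(
    r"^rule (\d+) (permit|deny) ip(?: source (\S+) (\S+))?(?: destination (\S+) (\S+))?$")


def parse_acls(text):
    """Return {acl_number: [(rule_id, action, src, src_wc, dst, dst_wc), ...]} sorted by rule id."""
    acls, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^acl number (\d+)$", line)
        if m:
            current = int(m.group(1))
            acls[current] = []
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            rid, action, src, swc, dst, dwc = m.groups()
            acls[current].append((int(rid), action, src, swc, dst, dwc))
    for rules in acls.values():
        rules.sort(key=lambda r: r[0])
    return acls


def parse_bindings(text):
    """Return {vlan_id: acl_number} from the traffic-filter lines."""
    bindings = {}
    for line in text.splitlines():
        m = re.match(r"^traffic-filter vlan (\d+) inbound acl (\d+)$", line.strip())
        if m:
            bindings[int(m.group(1))] = int(m.group(2))
    return bindings


def wildcard_match(addr, network, wildcard):
    """Cisco/Huawei-style wildcard: a 1 bit in the wildcard means 'do not care'."""
    if network is None:          # rule without a source/destination clause matches any address
        return True
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def evaluate(rules, src, dst):
    """First matching rule decides. A packet matching no rule is assumed to be forwarded
    (which is why every ACL on the page ends with an explicit 'deny ip')."""
    for _, action, s, swc, d, dwc in rules:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return "permit"


def reachability(acls, bindings, hosts=VLAN_HOSTS):
    """{(src_vlan, dst_vlan): action} using only the inbound filter of the source VLAN,
    which is the only place the page applies a filter."""
    return {(sv, dv): evaluate(acls[bindings[sv]], hosts[sv], hosts[dv])
            for sv, dv in product(hosts, repeat=2)}


def policy_violations(matrix, groups=((2, 3), (4, 5))):
    """Pairs whose decision disagrees with the requirement: same group -> permit, else deny."""
    group_of = {v: g for g in groups for v in g}
    return [(sv, dv, action) for (sv, dv), action in matrix.items()
            if action != ("permit" if group_of[sv] == group_of[dv] else "deny")]


if __name__ == "__main__":
    matrix = reachability(parse_acls(ACL_CONFIG), parse_bindings(BINDINGS))
    for pair, action in sorted(matrix.items()):
        print(f"vlan {pair[0]} -> vlan {pair[1]}: {action}")
    print("violations:", policy_violations(matrix))
```

Running the script prints the 4x4 decision matrix and an empty violation list. Changing a rule (for example dropping "rule 15 deny ip" from ACL 3002) immediately shows up as a violation, which makes this a useful pre-change check before the ACLs are edited on the switch.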

END