06-09-2016 10:44 AM
Allowing external established connections to VLAN
Hello,
I am configuring an HP 1920 switch and want to achieve this:
Devices in VLAN 20 have only access to the IP network of VLAN interface 20 (192.168.20.0) and to the IP network of VLAN 1 (192.168.1.0). Devices in other networks (e.g. 192.168.10.0) should be able to establish connections in VLAN 20.
So far I achieved everything except the established connections from other networks.
This is the ACL being used:
Advanced ACL 3500, named -none-, 4 rules,
ACL's step is 5
rule 0 permit tcp established source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 6 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 10 deny ip
Attached to the test port in this way:
Interface: GigabitEthernet1/0/13
In-bound Policy:
acl 3500, Successful
From a device attached to port 13 using IP 192.168.20.109 I can't ping 192.168.10.x, but I can ping 192.168.20.x. This is what I wanted. But I am not able to ping from another device (192.168.10.167) connected at port 11 to 192.168.20.109, although access in this direction should work because of rule 0. There is no packet filter or QoS policy used at port 11. As soon as I remove the packet filter from port 13 I can ping 192.168.20.109 from 192.168.10.167. So there must be something wrong with ACL 3500.
I hope someone here can help me figure out the right settings.
Regards,
Alex
06-09-2016 08:16 PM
Re: Allowing external established connections to VLAN
Your ACL denies traffic from 192.168.20.0 to 192.168.10.0, so of course you can't get a ping response back.
06-10-2016 01:37 AM
Re: Allowing external established connections to VLAN
To my understanding, rule 0 allows traffic from 192.168.20.0 back to 192.168.10.0 for connections initiated from 192.168.10.0 because of the tcp established statement.
Just to be sure it is clear what I want to achieve:
Devices in VLAN 20 have only access to the IP network of VLAN interface 20 (192.168.20.0) and to the IP network of VLAN 1 (192.168.1.0). Devices in other networks (e.g. 192.168.10.0, VLAN 10) should be able to establish connections to VLAN 20.
Do you know how to achieve this?
06-11-2016 07:50 AM
Re: Allowing external established connections to VLAN
The L3 switch is not a stateful firewall.
Established only works for TCP, and it doesn't check session state in the device; it simply matches a bit in the TCP packet.
For allowing one-way ping, you might get away with using echo-reply and echo-request in the firewall rules.
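As an added illustration (not from this thread, from HPE, or from the switch's own software), the following Python models how a stateless packet filter like the one described above evaluates ACL 3500 from the original post against a few constructed packets entering port 13 from 192.168.20.109. The packet representation, the flag names and the fall-through action at the end of the list are assumptions of this model. What it shows is the point made in this reply: `established` only tests the ACK/RST bits of a TCP header, so the ICMP echo reply that 192.168.20.109 sends back to 192.168.10.167 can never match rule 0 and falls through to the final `deny ip`, while a TCP SYN/ACK answering a connection opened from VLAN 10 is permitted.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """One packet as seen inbound on the filtered port (constructed sample data)."""
    src: str
    dst: str
    proto: str                              # "tcp", "udp" or "icmp"
    tcp_flags: frozenset = frozenset()      # e.g. frozenset({"SYN", "ACK"})
    icmp_type: Optional[str] = None         # e.g. "echo-request", "echo-reply"


@dataclass(frozen=True)
class Rule:
    """One ACL rule; None for src/dst means 'any'."""
    number: int
    action: str                             # "permit" or "deny"
    proto: str                              # "ip" matches every IP protocol
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    established: bool = False               # TCP-only keyword

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        # "established" is stateless: it only asks whether ACK or RST is set in
        # this packet's TCP header. No connection table is consulted.
        if self.established and not (pkt.tcp_flags & {"ACK", "RST"}):
            return False
        return True


def net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """'address wildcard' (0 bits must match) as a network; 0.0.0.255 is a /24.
    Python's ipaddress accepts a host mask in the mask position."""
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)


# ACL 3500 from the original post, in the order the switch evaluates it.
ACL_3500: List[Rule] = [
    Rule(0, "permit", "tcp", net("192.168.20.0", "0.0.0.255"),
         net("192.168.10.0", "0.0.0.255"), established=True),
    Rule(5, "permit", "ip", net("192.168.20.0", "0.0.0.255"),
         net("192.168.1.0", "0.0.0.255")),
    Rule(6, "permit", "ip", net("192.168.20.0", "0.0.0.255"),
         net("192.168.20.0", "0.0.0.255")),
    Rule(10, "deny", "ip"),
]


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; returns (action, rule number)."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action, rule.number
    # Fall-through behaviour is platform specific and not modelled here
    # (assumption); ACL 3500 ends in an explicit 'deny ip', so this is never
    # reached for it.
    return "deny", None


def ping_reply_blocked() -> Tuple[str, Optional[int]]:
    # Constructed: echo reply 192.168.20.109 sends back to 192.168.10.167.
    # It is ICMP, so rule 0 (tcp ... established) cannot match; rule 10 drops it.
    return evaluate(ACL_3500, Packet("192.168.20.109", "192.168.10.167",
                                     "icmp", icmp_type="echo-reply"))


def tcp_reply_allowed() -> Tuple[str, Optional[int]]:
    # Constructed: SYN/ACK answering a TCP connection opened from VLAN 10.
    return evaluate(ACL_3500, Packet("192.168.20.109", "192.168.10.167",
                                     "tcp", frozenset({"SYN", "ACK"})))


def tcp_new_blocked() -> Tuple[str, Optional[int]]:
    # Constructed: a SYN from VLAN 20 trying to open a new connection into VLAN 10.
    return evaluate(ACL_3500, Packet("192.168.20.109", "192.168.10.167",
                                     "tcp", frozenset({"SYN"})))


def local_ping_allowed() -> Tuple[str, Optional[int]]:
    # Constructed: ping to another host inside VLAN 20, permitted by rule 6.
    return evaluate(ACL_3500, Packet("192.168.20.109", "192.168.20.50",
                                     "icmp", icmp_type="echo-request"))


if __name__ == "__main__":
    for name, fn in [("icmp echo-reply to VLAN 10", ping_reply_blocked),
                     ("tcp SYN/ACK to VLAN 10", tcp_reply_allowed),
                     ("tcp SYN to VLAN 10", tcp_new_blocked),
                     ("icmp echo-request inside VLAN 20", local_ping_allowed)]:
        print(f"{name}: {fn()}")
```

The evaluator is first-match, like the switch's rule list, so the fix the reply hints at is a rule that permits the reply direction of ICMP before the final deny; the model also makes the limitation explicit, since a TCP packet is judged purely on its own flag bits and not on whether the switch ever saw the connection being opened.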
06-13-2016 05:00 PM
Re: Allowing external established connections to VLAN
I've actually had to do something like that before - they wanted ICMP blocked, but I pointed out that RFC1191 requires ICMP Type3, Code4 messages to be passed and blocking them made them non-compliant with the RFC (turns their routers into black hole routers for large packets with DNF bit set to 1).
I don't know if you can use an ACL to define different rules for different types of ICMP messages...?
All in all, ACLs aren't really the way to deal with this kind of thing. Authenticating users onto the network and setting permissions on hosts is the way to do this.