08-07-2015 08:29 AM
5412 ACL not working
So I have a 5412 that has several VLANs. On one VLAN, I want to deny internet access to about 11 hosts but I want to allow one IP address to that VLAN among some other subnets. This is what I have so far and no matter if I apply it to the "in" or "out" it doesn't seem to allow the one IP address in. I can get it to block the internet just fine from the hosts but it seems to skip over the allow for the single IP and go straight to the deny on port 80 for some reason.
Basically I need no internet access from all these hosts except to my other subnets and to that single IP address.
ip access-list extended "102"
1 permit ip 0.0.0.0 255.255.255.255 65.114.156.69 0.0.0.0
2 permit ip 0.0.0.0 255.255.255.255 10.51.0.0 0.0.255.255
3 permit ip 0.0.0.0 255.255.255.255 10.56.0.0 0.0.255.255
4 permit ip 0.0.0.0 255.255.255.255 10.57.0.0 0.0.255.255
21 deny tcp 10.57.100.120 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
22 deny tcp 10.57.100.121 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
23 deny tcp 10.57.100.124 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
24 deny tcp 10.57.100.125 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
25 deny tcp 10.57.100.126 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
26 deny tcp 10.57.100.127 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
27 deny tcp 10.57.100.128 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
28 deny tcp 10.57.100.129 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
29 deny tcp 10.57.100.220 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
30 deny tcp 10.57.100.221 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
31 deny tcp 10.57.100.222 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
41 deny tcp 10.57.100.120 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
42 deny tcp 10.57.100.121 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
43 deny tcp 10.57.100.124 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
44 deny tcp 10.57.100.125 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
45 deny tcp 10.57.100.126 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
46 deny tcp 10.57.100.127 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
47 deny tcp 10.57.100.128 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
48 deny tcp 10.57.100.129 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
49 deny tcp 10.57.100.220 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
50 deny tcp 10.57.100.221 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
51 deny tcp 10.57.100.222 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
80 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
I apply this to my VLAN (on both switches since I have VRRP) like this:
vlan 100
name "Windows Servers"
untagged E9,H1,H10,H16,H22,J11,J17,J20
tagged H7,Trk5
ip access-group "102" in
ip address 10.57.100.1 255.255.254.0
vrrp vrid 100
virtual-ip-address 10.57.100.1
priority 255
enable
exit
exit
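As an added example (not part of the original post or HPE's own tooling), a small first-match evaluator for ACL entries in the poster's "src src-wildcard dst dst-wildcard" form, run over a constructed subset of ACL "102". It shows why the permit to 65.114.156.69 on line 1 wins over the later deny lines, and that any other destination falls through to the port 80/443 denies for the listed hosts. 203.0.113.10 is a constructed sample Internet address.

```python
import ipaddress

# Constructed subset of the poster's ACL "102" (ProVision syntax).
# Wildcard 0.0.0.0 = exact host, 255.255.255.255 = any address.
ACL_102 = """
1 permit ip 0.0.0.0 255.255.255.255 65.114.156.69 0.0.0.0
2 permit ip 0.0.0.0 255.255.255.255 10.51.0.0 0.0.255.255
4 permit ip 0.0.0.0 255.255.255.255 10.57.0.0 0.0.255.255
21 deny tcp 10.57.100.120 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
41 deny tcp 10.57.100.120 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
80 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""


def wildcard_match(addr, base, wildcard):
    """Wildcard-mask compare: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_acl(text):
    """Parse 'seq action proto src src-wc dst dst-wc [eq port] [log]' lines."""
    rules = []
    for line in text.strip().splitlines():
        f = line.split()
        seq, action, proto = int(f[0]), f[1], f[2]
        src, src_wc, dst, dst_wc = f[3:7]
        dport = int(f[8]) if len(f) > 8 and f[7] == "eq" else None
        rules.append((seq, action, proto, src, src_wc, dst, dst_wc, dport))
    return sorted(rules, key=lambda r: r[0])  # switch evaluates in sequence order


def evaluate(rules, src, dst, proto="tcp", dport=None):
    """First match wins; returns (action, seq). No match = implicit deny."""
    for seq, action, rproto, rsrc, rsrc_wc, rdst, rdst_wc, rport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if rport is not None and rport != dport:
            continue
        if wildcard_match(src, rsrc, rsrc_wc) and wildcard_match(dst, rdst, rdst_wc):
            return action, seq
    return "deny", None


RULES = parse_acl(ACL_102)
```

Checking a flow against the parsed list this way is a quick sanity test before blaming the ACL: if the single permitted address passes but the application still fails, it is talking to a destination the ACL does not list, which is exactly what the poster later found.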
08-07-2015 09:14 AM
Re: 5412 ACL not working
Come to find out it was working but my program was trying to hit two other IP addresses so I added those to the allow portion and now everything is working!!!