
Re: 5412 ACL not working

 
jhardin80
New Member

5412 ACL not working

So I have a 5412 that has several VLANs. On one VLAN, I want to deny internet access to about 11 hosts but I want to allow one IP address to that VLAN among some other subnets. This is what I have so far and no matter if I apply it to the "in" or "out" it doesn't seem to allow the one IP address in. I can get it to block the internet just fine from the hosts but it seems to skip over the allow for the single IP and go straight to the deny on port 80 for some reason. 

 

Basically I need no internet access from all these hosts except to my other subnets and to that single IP address.

 

ip access-list extended "102"
1 permit ip 0.0.0.0 255.255.255.255 65.114.156.69 0.0.0.0
2 permit ip 0.0.0.0 255.255.255.255 10.51.0.0 0.0.255.255
3 permit ip 0.0.0.0 255.255.255.255 10.56.0.0 0.0.255.255
4 permit ip 0.0.0.0 255.255.255.255 10.57.0.0 0.0.255.255
21 deny tcp 10.57.100.120 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
22 deny tcp 10.57.100.121 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
23 deny tcp 10.57.100.124 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
24 deny tcp 10.57.100.125 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
25 deny tcp 10.57.100.126 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
26 deny tcp 10.57.100.127 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
27 deny tcp 10.57.100.128 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
28 deny tcp 10.57.100.129 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
29 deny tcp 10.57.100.220 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
30 deny tcp 10.57.100.221 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
31 deny tcp 10.57.100.222 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
41 deny tcp 10.57.100.120 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
42 deny tcp 10.57.100.121 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
43 deny tcp 10.57.100.124 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
44 deny tcp 10.57.100.125 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
45 deny tcp 10.57.100.126 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
46 deny tcp 10.57.100.127 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
47 deny tcp 10.57.100.128 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
48 deny tcp 10.57.100.129 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
49 deny tcp 10.57.100.220 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
50 deny tcp 10.57.100.221 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
51 deny tcp 10.57.100.222 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
80 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit

 

I apply this to my VLAN (on both switches since I have VRRP) like this:

 

vlan 100
name "Windows Servers"
untagged E9,H1,H10,H16,H22,J11,J17,J20
tagged H7,Trk5
ip access-group "102" in
ip address 10.57.100.1 255.255.254.0
vrrp vrid 100
virtual-ip-address 10.57.100.1
priority 255
enable
exit
exit

 

jhardin80
New Member

Re: 5412 ACL not working

Come to find out, it was working, but my program was trying to hit two other IP addresses, so I added those to the allow portion and now everything is working!!!
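
Added example (not part of the original posts, and not HPE/Aruba code): a small first-match evaluator for the ACL syntax posted above, showing which sequence number decides a given flow, so a destination missing from the permit lines can be spotted before the ACL is applied. Only a subset of ACL "102" is embedded, the function names are illustrative, and 203.0.113.10 is a constructed destination.

```python
import ipaddress

# Subset of ACL "102" from the post; the remaining deny lines follow the same pattern.
ACL_102 = """\
1 permit ip 0.0.0.0 255.255.255.255 65.114.156.69 0.0.0.0
2 permit ip 0.0.0.0 255.255.255.255 10.51.0.0 0.0.255.255
3 permit ip 0.0.0.0 255.255.255.255 10.56.0.0 0.0.255.255
4 permit ip 0.0.0.0 255.255.255.255 10.57.0.0 0.0.255.255
21 deny tcp 10.57.100.120 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
41 deny tcp 10.57.100.120 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
80 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """Wildcard mask: 1 bits are 'don't care', 0 bits must equal the base."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def parse_acl(text):
    aces = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue
        port = int(f[8]) if len(f) > 8 and f[7] == "eq" else None
        aces.append({"seq": int(f[0]), "action": f[1], "proto": f[2],
                     "src": (f[3], f[4]), "dst": (f[5], f[6]), "port": port})
    return sorted(aces, key=lambda a: a["seq"])

def evaluate(aces, proto, src, dst, dport=None):
    """Return (seq, action) of the first matching ACE; implicit deny if none."""
    for a in aces:
        if a["proto"] not in ("ip", proto):
            continue
        if not wildcard_match(src, *a["src"]) or not wildcard_match(dst, *a["dst"]):
            continue
        if a["port"] is not None and a["port"] != dport:
            continue
        return a["seq"], a["action"]
    return None, "deny"

if __name__ == "__main__":
    aces = parse_acl(ACL_102)
    for dst in ("65.114.156.69", "203.0.113.10"):  # second address is constructed
        print(dst, evaluate(aces, "tcp", "10.57.100.120", dst, 80))
```

Running it against the destinations an application actually contacts shows which ones fall through to the deny lines and need their own permit entry.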