- Community Home
- >
- Networking
- >
- Switching and Routing
- >
- Aruba & ProVision-based
- >
- Re: VLAN to VLAN ACLs
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-10-2016 01:23 AM
тАО02-10-2016 01:23 AM
Hi all, I've got a HP 5500 HI switch, that I've successfully created multiple VLANS on. I have a curriculum VLAN, with a subnet of 172.16.28.0/22 and an accounts VLAN which is 192.168.10.0/24. I've created the VLAN interfaces for each one (172.16.28.1 for curriculum and 192.168.10.1 for accounts) and devices that are untagged on each VLAN are getting correct IP addresses from the DHCP server and are able to ping other VLANs and devices. I now want to create an ACL that will prevent devices on the Curriculum VLAN from connecting to the Accounts VLAN. I've created an advanced ACL, which denies access from the source subnet to the desination subnet, then applied to the accounts VLAN interface as an inbound packet filter but I'm still able to ping the accounts vlan interface and any devices on the accounts VLAN. I've attached the current config below, which shows the Accounts VLAN (10) and the Curriculum VLAN (30). Could anyone shed some light on what I'm doing wrong?
Thanks in advance.
#
version 5.20.99, Release 5501P20
#
sysname HP
#
dhcp relay server-group 1 ip 10.1.0.149
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
#
domain default enable system
#
telnet server enable
#
password-recovery enable
#
acl number 2000
rule 0 deny source 172.16.28.0 0.0.3.255
#
acl number 3001
rule 10 deny ip source 172.16.28.0 0.0.3.255 destination 192.168.10.0 0.0.0.255
#
vlan 1
#
vlan 10
description Accounts
#
vlan 20
description Servers
#
vlan 30
description Curriculum
#
vlan 40
description Printers
#
vlan 60
description IT Admin
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
group-attribute allow-guest
#
local-user admin
password cipher $c$3$1Q8Fu74tA+WUcpcTGeKWn2/UizAb4H3k7Q==
authorization-attribute level 3
service-type telnet
service-type web
#
cwmp
undo cwmp enable
#
interface NULL0
#
interface Vlan-interface1
ip address 10.1.3.67 255.255.0.0
#
interface Vlan-interface10
ip address 192.168.10.1 255.255.255.0
dhcp select relay
dhcp relay server-select 1
packet-filter 3001 inbound
#
interface Vlan-interface20
ip address 192.168.20.1 255.255.255.0
dhcp select relay
dhcp relay server-select 1
#
interface Vlan-interface30
ip address 172.16.28.1 255.255.252.0
dhcp select relay
dhcp relay server-select 1
#
interface Vlan-interface40
ip address 192.168.40.1 255.255.255.0
dhcp select relay
dhcp relay server-select 1
#
interface Vlan-interface60
ip address 192.168.60.1 255.255.255.0
dhcp select relay
dhcp relay server-select 1
#
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 20 30 40 60
#
interface GigabitEthernet1/0/2
port link-mode bridge
#
interface GigabitEthernet1/0/3
port link-mode bridge
port access vlan 10
#
interface GigabitEthernet1/0/4
port link-mode bridge
#
interface GigabitEthernet1/0/5
port link-mode bridge
#
interface GigabitEthernet1/0/6
port link-mode bridge
#
interface GigabitEthernet1/0/7
port link-mode bridge
#
interface GigabitEthernet1/0/8
port link-mode bridge
#
interface GigabitEthernet1/0/9
port link-mode bridge
#
interface GigabitEthernet1/0/10
port link-mode bridge
#
interface GigabitEthernet1/0/11
port link-mode bridge
#
interface GigabitEthernet1/0/12
port link-mode bridge
#
interface GigabitEthernet1/0/13
port link-mode bridge
#
interface GigabitEthernet1/0/14
port link-mode bridge
#
interface GigabitEthernet1/0/15
port link-mode bridge
#
interface GigabitEthernet1/0/16
port link-mode bridge
#
interface GigabitEthernet1/0/17
port link-mode bridge
#
interface GigabitEthernet1/0/18
port link-mode bridge
#
interface GigabitEthernet1/0/19
port link-mode bridge
#
interface GigabitEthernet1/0/20
port link-mode bridge
#
interface GigabitEthernet1/0/21
port link-mode bridge
#
interface GigabitEthernet1/0/22
port link-mode bridge
#
interface GigabitEthernet1/0/23
port link-mode bridge
#
interface GigabitEthernet1/0/24
port link-mode bridge
port access vlan 30
#
interface GigabitEthernet1/0/25
port link-mode bridge
#
interface GigabitEthernet1/0/26
port link-mode bridge
#
interface GigabitEthernet1/0/27
port link-mode bridge
#
interface GigabitEthernet1/0/28
port link-mode bridge
#
interface M-GigabitEthernet0/0/0
#
interface Ten-GigabitEthernet1/0/29
port link-mode bridge
#
interface Ten-GigabitEthernet1/0/30
port link-mode bridge
#
ip route-static 0.0.0.0 0.0.0.0 10.1.10.2
#
dhcp enable
#
ssh server enable
#
load xml-configuration
#
load tr069-configuration
#
user-interface aux 0
user-interface vty 0 15
#
return
Solved! Go to Solution.
- Tags:
- ACLs
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-10-2016 08:08 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-10-2016 08:17 AM
тАО02-10-2016 08:17 AM
Re: VLAN to VLAN ACLs
Hi Alexis, that's it! It never occured to me that the inbound applied to coming in to the curriculum VLAN at the switch interface level, rather than the destination VLAN.
As usual, it's always obvious when you know how!!
Thanks so much,
Michael