topic Re: ACCESS LIST ON HP PROCURVE 5304XL in Switches, Hubs, and Modems

ACCESS LIST ON HP PROCURVE 5304XL

Eskinder Mesfin — Sat, 24 Oct 2009 05:02:45 GMT

i just set up hp procurve 5304xl as a coreswitch and configure vlan and ip routing on it.There is one vlan for servers /hosted vlan/ and 5 others vlan,like vlan 100,200,300... what i want is , i want to restrict vlan 200 to access only two servers
from the servers/hosted vlan.
hosted vlan is 10.1.1.0/24 subnet
the other vlan are in 10.1.[2/3/4/5].0/24 subnet
so i created an access list like
ip accesslist exten 110
deny ip 10.1.4.0/24 10.1.1.4/24
deny ip 10.1.4.0/24 10.1.1.8/24
permit ip any any
exit
and apply this to hosted vlan
like
vlan 1 ip access-gr 110 in

but it does not work what shall i do

Re: ACCESS LIST ON HP PROCURVE 5304XL

Shadow13 — Sat, 24 Oct 2009 10:57:23 GMT

ip accesslist exten 110
deny ip 10.1.4.0/24 10.1.1.4/24
deny ip 10.1.4.0/24 10.1.1.8/24
permit ip any any

by this you denied 10.1.4.0/24 subnet from accessing 10.1.1.4 and 10.1.1.8 and access any other ip

can you please tell me exactly what subnets you want to deny.
and please post your vlan configuration.

"i want to restrict vlan 200 to access only two servers
from the servers/hosted vlan. "

from this i understand that you want vlan 200 to only access 2 servers, is that right ?

Re: ACCESS LIST ON HP PROCURVE 5304XL

Eskinder Mesfin — Mon, 26 Oct 2009 05:27:20 GMT

Here is my configurations attached and i want to restrict vlan 200 /10.1.2.0/24 subnet from accessing the server with ip address 10.1.1.2 and allow any other.PLz help me how i should protect these subnet from accessing that server.

Re: ACCESS LIST ON HP PROCURVE 5304XL

Pieter 't Hart — Mon, 26 Oct 2009 14:51:56 GMT

>>>
ip access-list extended "110"
exit
ip access-list extended "120"
deny ip 10.1.2.1 0.0.0.255 10.1.1.2 0.0.0.0
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
vlan 100
ip access-group "100" in
exit
<<<

There is some mismatch here....
ACL-110 is empty
ACL-120 is not referred to (in attached config)
ACL-100 does not exist

you may want to change
vlan 100
ip access-group "100" in
to
vlan 100
ip access-group "120" in

Pieter

Re: ACCESS LIST ON HP PROCURVE 5304XL

cenk sasmaztin — Mon, 26 Oct 2009 18:03:53 GMT

please test this config

ip access-list extended "120"
deny ip 10.1.2.0 0.0.0.255 10.1.1.2 0.0.0.0
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
module 2 type J4878B
module 1 type J4907A
ip routing
snmp-server community "public" Unrestricted
vlan 1
name "INTERNET"
untagged A1,A3-A16,B1-B4
ip address 10.1.0.2 255.255.255.0
no untagged A2
exit
vlan 100
name "HOSTEDSEV"
ip address 10.1.1.1 255.255.255.0
tagged A1,A14
exit
vlan 200
name "OTS"
untagged A2
ip address 10.1.2.1 255.255.255.0
ip helper-address 10.1.1.4
ip helper-address 10.1.0.1
tagged A1,A14
ip access-group "120" in
exit
vlan 300
name "4_AFRI"
ip address 10.1.3.1 255.255.255.0
ip helper-address 10.1.1.4
ip helper-address 10.1.0.1
tagged A1,A14
exit
vlan 400
name "ACCESS"
ip address 10.1.4.1 255.255.255.0
ip helper-address 10.1.1.4
ip helper-address 10.1.0.1
tagged A1,A14
exit
vlan 500
name "eZ_call"
ip address 10.1.5.1 255.255.255.0
ip helper-address 10.1.1.4
ip helper-address 10.1.0.1
tagged A1,A14
exit
ip route 0.0.0.0 0.0.0.0 10.1.0.1
router rip
exit
password manager