https://community.hpe.com/t5/switches-hubs-and-modems/acl-setup-on-procurve-8212/m-p/4705322#M24252 What's the subnet that your clients in VLAN 80 use and is the switch that you applied that ACL to the default gateway for the clients in VLAN 80? Wed, 27 Oct 2010 21:26:21 GMT Mohammed Faiz 2010-10-27T21:26:21Z https://community.hpe.com/t5/switches-hubs-and-modems/acl-setup-on-procurve-8212/m-p/4705317#M24247 I need to setup a ACL (?) on our procurve 8212, to allow access to vlan 80 to get to the internet, our dns servers and nothing else.<BR /><BR />I'm pretty good with the procurves, but have never done acl's...<BR /><BR />I'm googling.. but figured i'd start a thread anyways.<BR /><BR />So -<BR />vlan 80 needs to get to the internet (all ports ar efine, FW will determine ports)<BR />Vlan 80 needs to get to - <BR />firewall - 10.10.10.1<BR />DNS - 10.10.10.76<BR />DNS - 10.10.10.70<BR /><BR />I dont want them getting to any of our other networks or sister companies on the MPLS.<BR />This includes all 10.11.0.0/16 or 10.12.0.0/16 networks. Or any of the other 10.10.1-9.0/24 networks that are local.<BR /><BR />Thanks! Tue, 26 Oct 2010 19:22:55 GMT https://community.hpe.com/t5/switches-hubs-and-modems/acl-setup-on-procurve-8212/m-p/4705317#M24247 psycho.chicken 2010-10-26T19:22:55Z https://community.hpe.com/t5/switches-hubs-and-modems/acl-setup-on-procurve-8212/m-p/4705318#M24248 Hi,<BR /><BR />A couple of things there.<BR />Your vlan 80 clients won't need to reach the firewall (their traffic is routed to the firewall but the _destination address_ is somewhere on the internet).<BR />What it would be easiest to do is this (assuming the 8212 is the gateway for vlan 80 clients) :<BR /><BR />- Permit access to DNS servers<BR />- Deny access to all other 10.* networks<BR />- Permit access to anything else<BR /><BR />You would apply this as an inbound ACL on the switch (the direction of the ACL is with respect to the switch, i.e. an inbound ACL on vlan 80 is filtering traffic inbound to the switch from clients on vlan 80)<BR /><BR />HTH Wed, 27 Oct 2010 08:29:42 GMT https://community.hpe.com/t5/switches-hubs-and-modems/acl-setup-on-procurve-8212/m-p/4705318#M24248 Mohammed Faiz 2010-10-27T08:29:42Z https://community.hpe.com/t5/switches-hubs-and-modems/acl-setup-on-procurve-8212/m-p/4705319#M24249 Hello,<BR /><BR />if your IP network in VLAN 80 is i.e. 1.1.1.0/24 then the ACL could be like this:<BR /><BR />ip access-list extended ACL_80_IN<BR /> deny ip 1.1.1.0 0.0.0.255 10.11.0.0 0.0.255.255<BR /> deny ip 1.1.1.0 0.0.0.255 10.12.0.0 0.0.255.255<BR /> permit ip any any <BR />vlan 80<BR /> ip access-group ACL_80_IN in<BR /><BR />In this case the clients can't access the MPLS networks, but everywhere else. You have to do the permit any any, otherwise access to internet won't work.<BR /><BR />Cheers,<BR /><BR />Michael Wed, 27 Oct 2010 09:08:31 GMT https://community.hpe.com/t5/switches-hubs-and-modems/acl-setup-on-procurve-8212/m-p/4705319#M24249 Michael_Breuer 2010-10-27T09:08:31Z https://community.hpe.com/t5/switches-hubs-and-modems/acl-setup-on-procurve-8212/m-p/4705320#M24250 If i didnt want to allow access to ALL 10.* networks, except for 10.10.80.0/24 could i just do a -<BR /><BR />deny ip 10.10.80.0 0.0.0.255 10.0.0.0 0.0.255.255<BR /><BR />i have about 40 networks I would need to add to the deny, some 10's some 192 and some 172's... Wed, 27 Oct 2010 15:47:49 GMT https://community.hpe.com/t5/switches-hubs-and-modems/acl-setup-on-procurve-8212/m-p/4705320#M24250 psycho.chicken 2010-10-27T15:47:49Z https://community.hpe.com/t5/switches-hubs-and-modems/acl-setup-on-procurve-8212/m-p/4705321#M24251 So i did this -<BR /><BR />ip access-list extended "ACL_VLAN80_IN"<BR /> 10 permit ip 10.3.80.0 0.0.0.255 10.3.0.76 0.0.0.0<BR /> 20 permit ip 10.3.80.0 0.0.0.255 10.3.0.70 0.0.0.0<BR /> 30 deny ip 10.3.80.0 0.0.0.255 10.3.0.0 0.0.255.255<BR /> 40 deny ip 10.3.80.0 0.0.0.255 10.4.0.0 0.0.255.255<BR /> 50 deny ip 10.3.80.0 0.0.0.255 10.0.0.0 0.0.255.255<BR /> 60 deny ip 10.3.80.0 0.0.0.255 10.1.0.0 0.0.255.255<BR /> 70 deny ip 10.3.80.0 0.0.0.255 10.2.0.0 0.0.255.255<BR /> 80 deny ip 10.3.80.0 0.0.0.255 10.15.0.0 0.0.255.255<BR /> 90 deny ip 10.3.80.0 0.0.0.255 10.16.0.0 0.0.255.255<BR /> 100 deny ip 10.3.80.0 0.0.0.255 172.16.0.0 0.0.255.255<BR /> 110 deny ip 10.3.80.0 0.0.0.255 172.17.0.0 0.0.255.255<BR /> 120 deny ip 10.3.80.0 0.0.0.255 172.18.0.0 0.0.255.255<BR /> 130 deny ip 10.3.80.0 0.0.0.255 172.19.0.0 0.0.255.255<BR /> 140 deny ip 10.3.80.0 0.0.0.255 172.20.0.0 0.0.255.255<BR /> 150 deny ip 10.3.80.0 0.0.0.255 192.168.100.0 0.0.254.255<BR /> 160 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255<BR /> exit<BR />vlan 80<BR />ip access-group ACL_VLAN80_IN in<BR />wri mem<BR /><BR />And i can still get everywhere on vlan 80... Wed, 27 Oct 2010 20:13:38 GMT https://community.hpe.com/t5/switches-hubs-and-modems/acl-setup-on-procurve-8212/m-p/4705321#M24251 psycho.chicken 2010-10-27T20:13:38Z https://community.hpe.com/t5/switches-hubs-and-modems/acl-setup-on-procurve-8212/m-p/4705322#M24252 What's the subnet that your clients in VLAN 80 use and is the switch that you applied that ACL to the default gateway for the clients in VLAN 80? Wed, 27 Oct 2010 21:26:21 GMT https://community.hpe.com/t5/switches-hubs-and-modems/acl-setup-on-procurve-8212/m-p/4705322#M24252 Mohammed Faiz 2010-10-27T21:26:21Z https://community.hpe.com/t5/switches-hubs-and-modems/acl-setup-on-procurve-8212/m-p/4705323#M24253 the gateway the cliente on vlan 80 go to is 10.3.80.100<BR /><BR /> Wed, 27 Oct 2010 21:29:21 GMT https://community.hpe.com/t5/switches-hubs-and-modems/acl-setup-on-procurve-8212/m-p/4705323#M24253 psycho.chicken 2010-10-27T21:29:21Z https://community.hpe.com/t5/switches-hubs-and-modems/acl-setup-on-procurve-8212/m-p/4705324#M24254 Sorry,<BR /><BR />clients on vlan 80 use 10.3.80.0/24<BR />The VLAn 80 DGW is 10.3.80.100 (one of many VLANs on the 8212)<BR /><BR /> Wed, 27 Oct 2010 21:30:27 GMT https://community.hpe.com/t5/switches-hubs-and-modems/acl-setup-on-procurve-8212/m-p/4705324#M24254 psycho.chicken 2010-10-27T21:30:27Z https://community.hpe.com/t5/switches-hubs-and-modems/acl-setup-on-procurve-8212/m-p/4705325#M24255 Ok, and when you say the vlan 80 clients can still see everything are you pinging/connecting to other clients on 10.* networks?<BR />One thing to remember with routed ACL's is that they do not filter any traffic with a destination address that lives on the switch itself, i.e. if you ping other gateways on your 8200 that will still work. Thu, 28 Oct 2010 08:24:01 GMT https://community.hpe.com/t5/switches-hubs-and-modems/acl-setup-on-procurve-8212/m-p/4705325#M24255 Mohammed Faiz 2010-10-28T08:24:01Z https://community.hpe.com/t5/switches-hubs-and-modems/acl-setup-on-procurve-8212/m-p/4705326#M24256 Yes,<BR /><BR />i can ping 10.3.0.93 and 10.4.0.12, both should not be reachable if the rules are correct. Thu, 28 Oct 2010 21:19:42 GMT https://community.hpe.com/t5/switches-hubs-and-modems/acl-setup-on-procurve-8212/m-p/4705326#M24256 psycho.chicken 2010-10-28T21:19:42Z https://community.hpe.com/t5/switches-hubs-and-modems/acl-setup-on-procurve-8212/m-p/4705327#M24257 That does seem strange then. Can you post up the config on that switch? Fri, 29 Oct 2010 08:35:25 GMT https://community.hpe.com/t5/switches-hubs-and-modems/acl-setup-on-procurve-8212/m-p/4705327#M24257 Mohammed Faiz 2010-10-29T08:35:25Z