08-07-2015 08:29 AM
5412 ACL not working
So I have a 5412 that has several VLANs. On one VLAN, I want to deny internet access to about 11 hosts, but I want to allow one IP address to that VLAN among some other subnets. This is what I have so far, and no matter whether I apply it "in" or "out", it doesn't seem to allow the one IP address in. I can get it to block the internet just fine from the hosts, but it seems to skip over the allow for the single IP and go straight to the deny on port 80 for some reason.
Basically I need no internet access from all these hosts except to my other subnets and to that single IP address.
```
ip access-list extended "102"
   1 permit ip 0.0.0.0 255.255.255.255 65.114.156.69 0.0.0.0
   2 permit ip 0.0.0.0 255.255.255.255 10.51.0.0 0.0.255.255
   3 permit ip 0.0.0.0 255.255.255.255 10.56.0.0 0.0.255.255
   4 permit ip 0.0.0.0 255.255.255.255 10.57.0.0 0.0.255.255
   21 deny tcp 10.57.100.120 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
   22 deny tcp 10.57.100.121 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
   23 deny tcp 10.57.100.124 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
   24 deny tcp 10.57.100.125 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
   25 deny tcp 10.57.100.126 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
   26 deny tcp 10.57.100.127 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
   27 deny tcp 10.57.100.128 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
   28 deny tcp 10.57.100.129 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
   29 deny tcp 10.57.100.220 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
   30 deny tcp 10.57.100.221 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
   31 deny tcp 10.57.100.222 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
   41 deny tcp 10.57.100.120 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
   42 deny tcp 10.57.100.121 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
   43 deny tcp 10.57.100.124 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
   44 deny tcp 10.57.100.125 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
   45 deny tcp 10.57.100.126 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
   46 deny tcp 10.57.100.127 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
   47 deny tcp 10.57.100.128 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
   48 deny tcp 10.57.100.129 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
   49 deny tcp 10.57.100.220 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
   50 deny tcp 10.57.100.221 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
   51 deny tcp 10.57.100.222 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
   80 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
```
I apply this to my VLAN (on both switches since I have VRRP) like this:
```
vlan 100
   name "Windows Servers"
   untagged E9,H1,H10,H16,H22,J11,J17,J20
   tagged H7,Trk5
   ip access-group "102" in
   ip address 10.57.100.1 255.255.254.0
   vrrp vrid 100
      virtual-ip-address 10.57.100.1
      priority 255
      enable
      exit
   exit
```
08-07-2015 09:14 AM
Re: 5412 ACL not working
Come to find out it was working but my program was trying to hit two other IP addresses so I added those to the allow portion and now everything is working!!!
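The thread resolves exactly the way a first-match ACL predicts: traffic to 65.114.156.69 hits line 1 and is permitted, while the application's other destinations fall through to the port 80/443 deny lines. The following is an added example, not code from the original post or from HPE: a small simulator for ProVision-style extended ACLs (first match wins, inverse wildcard masks, implicit deny at the end) that lets you check every flow an application is expected to generate against the posted rule set before pointing at the switch. The ACL text is an excerpt of the post's ACL (only the deny lines for hosts .120 and .121 are included, the others have the same shape); the flow list and the address 203.0.113.10 are constructed for the demonstration.

```python
# Added example (not from the forum post): first-match simulator for a
# ProVision-style extended IP ACL. Rule syntax follows the posted ACL:
#   <seq> permit|deny <proto> <src> <src-wildcard> <dst> <dst-wildcard> [eq <port>] [log]
# Wildcard masks are inverse masks: 0.0.0.0 = exact host, 255.255.255.255 = any.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Excerpt of ACL "102" from the post (deny lines for .120 and .121 only).
ACL_102_EXCERPT = """
1 permit ip 0.0.0.0 255.255.255.255 65.114.156.69 0.0.0.0
2 permit ip 0.0.0.0 255.255.255.255 10.51.0.0 0.0.255.255
3 permit ip 0.0.0.0 255.255.255.255 10.56.0.0 0.0.255.255
4 permit ip 0.0.0.0 255.255.255.255 10.57.0.0 0.0.255.255
21 deny tcp 10.57.100.120 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
22 deny tcp 10.57.100.121 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 log
41 deny tcp 10.57.100.120 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
42 deny tcp 10.57.100.121 0.0.0.0 0.0.0.0 255.255.255.255 eq 443 log
80 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any protocol; otherwise "tcp", "udp", ...
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    dport: Optional[int]  # destination port from "eq <port>", None if absent
    log: bool


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def parse_acl(text: str) -> List[Rule]:
    """Parse rule lines; non-rule lines (e.g. 'exit') are skipped."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 7 or not tok[0].isdigit():
            continue
        dport = int(tok[tok.index("eq") + 1]) if "eq" in tok else None
        rules.append(Rule(int(tok[0]), tok[1], tok[2],
                          _ip(tok[3]), _ip(tok[4]), _ip(tok[5]), _ip(tok[6]),
                          dport, "log" in tok))
    return sorted(rules, key=lambda r: r.seq)


def _wild_match(addr: int, rule_addr: int, wild: int) -> bool:
    # Bits set in the wildcard are "don't care"; every other bit must be equal.
    care = 0xFFFFFFFF ^ wild
    return ((addr ^ rule_addr) & care) == 0


def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First matching rule wins. Returns (action, seq); ('deny', None) is the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if not _wild_match(s, r.src, r.src_wild) or not _wild_match(d, r.dst, r.dst_wild):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.seq
    return "deny", None


def audit(rules: List[Rule], flows: Dict[str, tuple]) -> Dict[str, Tuple[str, Optional[int]]]:
    """Evaluate a set of named (proto, src, dst, dport) flows an application is expected to generate."""
    return {name: evaluate(rules, *flow) for name, flow in flows.items()}


RULES = parse_acl(ACL_102_EXCERPT)

# Constructed flows for a blocked host; 203.0.113.10 (documentation range) stands in for an internet host.
SAMPLE_FLOWS = {
    "allowed-single-ip": ("tcp", "10.57.100.120", "65.114.156.69", 80),
    "internal-subnet":   ("tcp", "10.57.100.120", "10.56.3.4", 443),
    "internet-http":     ("tcp", "10.57.100.120", "203.0.113.10", 80),
    "internet-https":    ("tcp", "10.57.100.121", "203.0.113.10", 443),
    "unlisted-host":     ("tcp", "10.57.100.130", "203.0.113.10", 80),
    "internet-dns-udp":  ("udp", "10.57.100.120", "203.0.113.10", 53),
}

if __name__ == "__main__":
    for name, verdict in audit(RULES, SAMPLE_FLOWS).items():
        print(f"{name:20s} -> {verdict}")
```

Running it shows the behaviour both posts describe: the flow to 65.114.156.69 returns `("permit", 1)` because line 1 is reached before any deny, and any other external destination the program contacts returns `("deny", 21)` or `("deny", 42)`, which is what the `log` keyword on those lines would report on the switch. The last flow is the caveat worth noticing: the deny lines match only TCP 80 and 443, so UDP or any other port from the listed hosts falls through to line 80 and is permitted; if the goal is really "no internet access", those hosts need a `deny ip` line placed before line 80.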
© Copyright 2021 Hewlett Packard Enterprise Development LP