11-28-2016 08:43 PM
ACL issue on Procurve 5406zl
Hi,
I have been attempting to apply the following ACL to a VLAN interface on one of my 5406zls without success. My scenario is:
I am using VLAN 100 for our servers VLAN. I am attempting to limit access to servers based on specific TCP port requirements, and in testing I have a test switch connected to one of the untagged ports in the VLAN with an address of 10.64.44.10. I have been attempting to apply an ACL to deny port 80 traffic from my internal network to this host and only allow port 443.
It appears that when I apply my ACL 100 to the VLAN interface, on the switch that the test switch (10.64.44.10) is connected to, the ACL doesn't work. If I apply it to the physical interface C5 that the network switch is connected to, it works. I need to apply the ACL to the VLAN interface as I have a number of servers with differing TCP port requirements (i.e. SQL, web/SSH, etc.) and would like to control access on a VLAN basis, not per port. Am I missing something here in relation to the traffic flow? I have tried both "in" and "out" rules on the VLAN interface without success and have also transposed the ACL rule to have source/destination the other way around.
```
vlan 100
   name "VLAN100"
   untagged C5,C14
   tagged C20-C24
   ip access-group "100" in
   ip address 10.64.44.11 255.255.255.0
ip access-list extended "100"
   10 deny tcp 10.64.44.10 0.0.0.0 10.64.0.0 0.0.255.255 eq 80 log
   20 permit tcp 10.64.44.10 0.0.0.0 10.64.0.0 0.0.255.255 eq 443 log
   exit
```
Tags: ACLs
11-28-2016 08:47 PM
Re: ACL issue on Procurve 5406zl
Oh, forgot to mention: our server infrastructure is virtual and we use a number of trunk ports to connect to our ESX servers. The trunks are not applied to the VLAN as yet, as I am only testing to one host.
11-29-2016 07:08 PM
Re: ACL issue on Procurve 5406zl
I think you have the ACL the wrong way round.
I think you want:
deny from Subnet to Server port 80
permit from Subnet to Server port 443
Then, best practice is to block it closest to the source, which would involve applying it "in" on all VLAN interfaces that are NOT the VLAN interface that the server sits in.
For practical reasons, it might be easier to apply it just the once, on the VLAN interface that the server is in, in which case you apply it as "out".
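To make the reply's two points concrete (the ACEs are written with the server as source, and "in" on VLAN 100 only sees traffic that arrives from VLAN 100), here is an added example that models how a ProVision extended ACL is evaluated for routed traffic. It is not code from the thread or from HPE. It assumes the semantics a practitioner relies on when reading the posted config: wildcard masks where 0 bits must match, "eq <port>" is the destination port, every ACL ends with an implicit "deny any", "in" is checked on the VLAN a routed packet arrives on and "out" on the VLAN it is routed onto. The client on VLAN 20 (10.64.20.5) and the second server 10.64.44.20 are constructed for the demonstration; the thread does not say where the poster's test client sat, and switched traffic between two ports of the same VLAN is not modelled.

```python
"""Model of ProVision (ProCurve 5400zl) extended-ACL evaluation for routed traffic.

Added example, not code from the thread. Assumed semantics (see lead-in):
wildcard masks, "eq" = destination port, implicit deny any, "in" on ingress
VLAN and "out" on egress VLAN. Intra-VLAN switched traffic is not modelled.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_vlan: int    # VLAN the packet arrived on
    out_vlan: int   # VLAN the switch routes it onto


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "ip", ...
    src: int
    src_wild: int          # wildcard: 0 bits must match, 1 bits are don't-care
    dst: int
    dst_wild: int
    dport: Optional[int]   # "eq <port>" is the DESTINATION port


def _addr(text: str) -> int:
    return int(IPv4Address(text))


def _take_addr(tok: list, i: int):
    """Consume 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (addr, wild, next_i)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _addr(tok[i + 1]), 0, i + 2
    return _addr(tok[i]), _addr(tok[i + 1]), i + 2


def parse_acl(text: str) -> list:
    """Parse the 'ip access-list extended' body as it appears in a running-config."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or not tok[0].isdigit():        # skip the header and 'exit' lines
            continue
        seq, action, proto = int(tok[0]), tok[1], tok[2]
        src, src_wild, i = _take_addr(tok, 3)
        dst, dst_wild, i = _take_addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        aces.append(Ace(seq, action, proto, src, src_wild, dst, dst_wild, dport))
    return sorted(aces, key=lambda a: a.seq)


def _in_range(addr: int, base: int, wild: int) -> bool:
    return (addr ^ base) & ~wild & 0xFFFFFFFF == 0


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and _in_range(_addr(pkt.src), ace.src, ace.src_wild)
            and _in_range(_addr(pkt.dst), ace.dst, ace.dst_wild)
            and (ace.dport is None or ace.dport == pkt.dport))


def evaluate(acl: list, pkt: Packet) -> str:
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"             # implicit "deny any" at the end of every ACL


def route(pkt: Packet, bindings: dict) -> str:
    """bindings maps (vlan, 'in'|'out') -> parsed ACL. A VLAN with no binding passes all."""
    for key in ((pkt.in_vlan, "in"), (pkt.out_vlan, "out")):
        acl = bindings.get(key)
        if acl is not None and evaluate(acl, pkt) == "deny":
            return "deny"
    return "permit"


# ACL exactly as posted: server 10.64.44.10 as SOURCE, bound "in" on VLAN 100.
ORIGINAL_ACL = """
ip access-list extended "100"
10 deny tcp 10.64.44.10 0.0.0.0 10.64.0.0 0.0.255.255 eq 80 log
20 permit tcp 10.64.44.10 0.0.0.0 10.64.0.0 0.0.255.255 eq 443 log
exit
"""

# Orientation from the reply: network -> server, bound "out" on VLAN 100.
CORRECTED_ACL = """
ip access-list extended "100"
10 deny tcp 10.64.0.0 0.0.255.255 10.64.44.10 0.0.0.0 eq 80 log
20 permit tcp 10.64.0.0 0.0.255.255 10.64.44.10 0.0.0.0 eq 443 log
exit
"""

# Constructed traffic: client on a hypothetical VLAN 20, routed into VLAN 100.
CLIENT, SERVER, OTHER_SERVER = "10.64.20.5", "10.64.44.10", "10.64.44.20"


def run_scenarios() -> dict:
    original = {(100, "in"): parse_acl(ORIGINAL_ACL)}
    corrected = {(100, "out"): parse_acl(CORRECTED_ACL)}
    http = Packet(CLIENT, SERVER, "tcp", 80, in_vlan=20, out_vlan=100)
    https = Packet(CLIENT, SERVER, "tcp", 443, in_vlan=20, out_vlan=100)
    ssh_other = Packet(CLIENT, OTHER_SERVER, "tcp", 22, in_vlan=20, out_vlan=100)
    reply = Packet(SERVER, CLIENT, "tcp", 51000, in_vlan=100, out_vlan=20)  # HTTP reply
    return {
        "orig_in/http": route(http, original),
        "orig_in/https": route(https, original),
        "orig_in/reply": route(reply, original),
        "fixed_out/http": route(http, corrected),
        "fixed_out/https": route(https, corrected),
        "fixed_out/ssh_other": route(ssh_other, corrected),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:22} {verdict}")
```

Under these assumptions the posted binding never sees the client's request (it arrives on another VLAN, and VLAN 100 has no "out" ACL), which is consistent with "the ACL doesn't work", while the server's own HTTP replies would fail both ACEs because "eq 80" tests the destination port and would fall to the implicit deny. With the reply's orientation bound "out" on VLAN 100, port 80 is denied and 443 permitted, but the implicit deny also drops SSH to the other server in VLAN 100: an "out" ACL on the server VLAN needs explicit permits for every other server and port that must stay reachable before it is applied.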