Re: ACL not working on 5406zl fw K.15.07.0008


Hi all,


I have testclients on vlan 22,

I have a testserver environment on vlan 33,


I want to restrict the client to:

1. Get an ip address from the dhcp server on vlan 44.

2. Get DNS from the dns server on vlan 44.

3. Restrict the clients on vlan 22 to access only the testservers on vlan 33


ip access-list extended "Access-to-Testservers"
   10 permit udp eq 68 eq 67
   20 permit udp eq 53 eq 53
   30 permit ip


vlan 22
   name "TEST-CLIENTS"
   tagged B2,C17-C20,C22-C24,D3,L1,Trk1
   ip helper-address

   ip address

   ip access-group "Access-to-Testservers" in


As soon as I apply the access-group:

1. I can still get an ip-address for the test-clients

2. I can NOT reach the servers in

3. I can't even ping the default gateway of the client subnet !?


Without access-group everything goes.


There must be an obvious mistake I'm making?


Thanx Jaap


The solution, in reverse order:


Problem 3) A ping is an ICMP message encapsulated in IP. Your last rule only allows IP packets with destination If you want to ping the default gateway the destination is which is not allowed.


Anyway, I believe you want all stations in VLAN 22 to communicate with each other. Hence, there should also be a rule like


40 permit ip


Then you can ping the default router, too. Anyway, it is always a bad idea to forbid ICMP messages, because they are a fundamental basis of the internet protocol and much more than only a "ping" (for example ICMP type 3, "Destination unreachable"). So you should also allow ICMP messages from and to everywhere


50 permit icmp


Or at least restricted to all of your own network.



Problem 2) That is a consequence of problem 1). If you want to reach servers in, the stations in can only do so via their default router. If they cannot reach their default router due to problem 1), they cannot reach the servers. Hence, if you solve 1), problem 2) should be solved, too.


Problem 1) I do not see the problem. You wanted DHCP to work, you say it works. Where is the problem?


Additional remark: ACL 20 doesn't make very much sense to me. I assume you want the stations from VLAN 22 to be able to query the DNS server. But the outgoing port on the client is normally not 53 but some arbitrary port chosen > 1024. Hence the rule should read


20 permit udp eq 53


(No "eq 53" in the first place.)
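The following is an added example, not code from the thread or from HP: a small first-match ACL simulator that checks which of the poster's flows an extended ACL would permit before it is applied to a live switch. It uses a simplified form of the ProCurve ACE syntax ("seq permit|deny proto src [eq port] dst [eq port]", with "any", "host a.b.c.d" and prefix-length networks). The VLAN subnets, the gateway and the DHCP/DNS server address are assumed placeholders from the RFC 5737 documentation ranges, since the thread does not show the real ones; the sample flows are constructed. It runs the poster's original three rules and the corrected list from the answer (ephemeral DNS source port, intra-VLAN permit, ICMP permit) against the same packets.

```python
# Added example (not from the original thread): a tiny first-match ACL
# simulator for checking an extended ACL offline. Addresses below are
# assumed placeholders; substitute your own VLAN 22/33/44 values.
import ipaddress
from dataclasses import dataclass
from typing import Optional

CLIENT_NET = "192.0.2.0/24"      # assumed VLAN 22 client subnet
SERVER_NET = "198.51.100.0/24"   # assumed VLAN 33 testserver subnet
INFRA_HOST = "203.0.113.53"      # assumed DHCP/DNS server on VLAN 44
GATEWAY = "192.0.2.1"            # assumed VLAN 22 default gateway (switch SVI)


@dataclass
class Packet:
    proto: str          # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _take_addr(tokens):
    """Consume 'any', 'host a.b.c.d' or 'a.b.c.d/len' from the token list."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(tokens[0], strict=False), tokens[1:]


def _take_port(tokens):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_acl(text: str):
    """Parse one ACE per line and return them ordered by sequence number."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        seq, action, proto, rest = int(tok[0]), tok[1], tok[2], tok[3:]
        src, rest = _take_addr(rest)
        sport, rest = _take_port(rest)
        dst, rest = _take_addr(rest)
        dport, rest = _take_port(rest)
        aces.append(Ace(seq, action, proto, src, sport, dst, dport))
    return sorted(aces, key=lambda a: a.seq)


def matches(ace: Ace, pkt: Packet) -> bool:
    """'ip' matches every protocol (ICMP is carried in IP, too)."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def evaluate(aces, pkt: Packet) -> str:
    """First matching ACE wins; the list ends with an implicit deny."""
    for ace in aces:
        if matches(ace, pkt):
            return ace.action
    return "deny"


# Constructed sample flows, all sent by a client on VLAN 22.
FLOWS = {
    "dhcp_discover": Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "dns_query": Packet("udp", "192.0.2.10", INFRA_HOST, 51515, 53),  # ephemeral source port
    "ping_gateway": Packet("icmp", "192.0.2.10", GATEWAY),
    "https_server": Packet("tcp", "192.0.2.10", "198.51.100.20", 40000, 443),
    "https_elsewhere": Packet("tcp", "192.0.2.10", "203.0.113.80", 40001, 443),
}

ORIGINAL_ACL = f"""
10 permit udp any eq 68 any eq 67
20 permit udp any eq 53 any eq 53
30 permit ip {CLIENT_NET} {SERVER_NET}
"""

FIXED_ACL = f"""
10 permit udp any eq 68 any eq 67
20 permit udp {CLIENT_NET} host {INFRA_HOST} eq 53
30 permit ip {CLIENT_NET} {SERVER_NET}
40 permit ip {CLIENT_NET} {CLIENT_NET}
50 permit icmp any any
"""


def evaluate_all(acl_text: str) -> dict:
    """Map each sample flow name to the action the ACL takes on it."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, pkt) for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(label, evaluate_all(acl))
```

With the original list the DNS query and the ping to the gateway fall through to the implicit deny; with the corrected list both are permitted, while traffic to an address outside VLAN 33 and VLAN 22 is still denied. The simulator scores only the ACL lookup itself; whether a flow actually works on the switch also depends on routing and on which traffic the platform applies an inbound VLAN ACL to.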