
ACL not working on 5406zl fw K.15.07.0008

ONVZ
Advisor

Hi all,


I have testclients on vlan 22, 10.10.16.0/24

I have a testserver environment on vlan 33, 10.10.17.0/24


I want to restrict the client to:

1. Get an IP address from the DHCP server on vlan 44, 10.10.18.0/24

2. Get DNS from the DNS server on vlan 44, 10.10.18.0/24

3. Restrict the clients on vlan 22 to access only the testservers on vlan 33


ip access-list extended "Access-to-Testservers"
   10 permit udp 10.10.16.0 255.255.255.0 eq 68 10.10.18.1 0.0.0.0 eq 67
   20 permit udp 10.10.16.0 255.255.255.0 eq 53 10.10.18.1 0.0.0.0 eq 53
   30 permit ip 10.10.16.0 255.255.255.0 10.10.17.0 255.255.255.0
   exit


vlan 22
   name "TEST-CLIENTS"
   tagged B2,C17-C20,C22-C24,D3,L1,Trk1
   ip helper-address 10.10.18.1
   ip address 10.10.16.254 255.255.255.0
   ip access-group "Access-to-Testservers" in


As soon as I apply the access-group:

1. I can still get an IP address for the test-clients

2. I can NOT reach the servers in 10.10.17.0/24

3. I can't even ping the default gateway of the client subnet!?


Without the access-group everything works.


There must be an obvious mistake I'm making?


Thanks, Jaap

HEKnet
Advisor

Re: ACL not working on 5406zl fw K.15.07.0008

Hello,

the solution in reverse order:


Problem 3) A ping is an ICMP message encapsulated in IP. Your last rule only allows IP packets with destination 10.10.17.0/24. If you want to ping the default gateway, the destination is 10.10.16.254, which is not allowed.


Anyway I believe you want all stations in VLAN 22, 10.10.16.0/24, to communicate with each other. Hence, there should also be a rule like


40 permit ip 10.10.16.0 255.255.255.0 10.10.16.0 255.255.255.0


Then you can ping the default router, too. Anyway, it is always a bad idea to forbid ICMP messages, because they are a fundamental basis of the internet protocol and much more than only a "ping" (for example ICMP type 3, "Destination unreachable"). So you should also allow ICMP messages from and to everywhere:


50 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255


Or at least restricted to all of your own network.


Problem 2) That is a consequence of problem 3). If you want to reach servers in 10.10.17.0/24, the stations in 10.10.16.0/24 can only do so via their default router. If they cannot reach their default router due to problem 3), they cannot reach the servers. Hence, if you solve 3), problem 2) should be solved, too.


Problem 1) I do not see the problem. You wanted DHCP to work, you say it works. Where is the problem?


Additional remark: ACL 20 doesn't make very much sense to me. I assume you want the stations from VLAN 22, 10.10.16.0/24, to be able to query the DNS server. But the outgoing port on the client is normally not 53 but some arbitrary port chosen > 1024. Hence the rule should read


20 permit udp 10.10.16.0 255.255.255.0 10.10.18.1 0.0.0.0 eq 53


(No "eq 53" in the first place.)


Matthias
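A small first-match ACL evaluator, added here as an illustration and not from either poster, that walks the three constructed flows the thread discusses (ping to the gateway, a DNS query from an ephemeral source port, traffic to a testserver) through the ACL as posted and through the reply's revised rules. Prefixes are written in CIDR form as a simplification of the switch's own mask notation, and the flows and port numbers are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Ace:
    """One access-control entry: protocol, source/destination prefix, optional ports."""
    seq: int
    proto: str                   # "ip" matches any protocol
    src: str
    dst: str
    sport: Optional[int] = None  # None means any source port
    dport: Optional[int] = None  # None means any destination port
    action: str = "permit"

    def matches(self, proto, src, dst, sport=0, dport=0):
        if self.proto != "ip" and self.proto != proto:
            return False
        if ip_address(src) not in ip_network(self.src) or ip_address(dst) not in ip_network(self.dst):
            return False
        if self.sport is not None and self.sport != sport:
            return False
        return self.dport is None or self.dport == dport

def evaluate(acl, proto, src, dst, sport=0, dport=0):
    """The first matching ACE decides; no match hits the implicit deny at the end of the ACL."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.matches(proto, src, dst, sport, dport):
            return f"{ace.action} (rule {ace.seq})"
    return "deny (implicit)"

# The ACL as posted (source port pinned to 53 in rule 20, no intra-VLAN or ICMP rule).
ORIGINAL = [
    Ace(10, "udp", "10.10.16.0/24", "10.10.18.1/32", sport=68, dport=67),
    Ace(20, "udp", "10.10.16.0/24", "10.10.18.1/32", sport=53, dport=53),
    Ace(30, "ip", "10.10.16.0/24", "10.10.17.0/24"),
]
# The ACL with the reply's changes: no source port on rule 20, plus rules 40 and 50.
REVISED = ORIGINAL[:1] + [
    Ace(20, "udp", "10.10.16.0/24", "10.10.18.1/32", dport=53),
    Ace(30, "ip", "10.10.16.0/24", "10.10.17.0/24"),
    Ace(40, "ip", "10.10.16.0/24", "10.10.16.0/24"),
    Ace(50, "icmp", "0.0.0.0/0", "0.0.0.0/0"),
]
# Constructed sample flows from a test client at 10.10.16.5.
PING_GATEWAY = ("icmp", "10.10.16.5", "10.10.16.254")
DNS_QUERY = ("udp", "10.10.16.5", "10.10.18.1", 51234, 53)
SERVER_HTTP = ("tcp", "10.10.16.5", "10.10.17.10", 51235, 80)

if __name__ == "__main__":
    for name, flow in [("ping gateway", PING_GATEWAY), ("dns query", DNS_QUERY), ("http to server", SERVER_HTTP)]:
        print(f"{name:15} original: {evaluate(ORIGINAL, *flow):18} revised: {evaluate(REVISED, *flow)}")
```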