- Are HPE ACLs Stateful?
07-25-2019 07:14 PM
Hi
I want to prevent devices on a /24 vlan talking to each other, and only let them talk to another /16 range.
vlan 300 is the 172.20.200.0/24 is the isolated subnet
10.64.0.0/16 is the main network.
ip access-list extended "iso-inst"
10 permit ip 172.20.200.0 0.0.0.255 10.64.0.0 0.0.255.255 log
20 permit icmp 172.20.200.0 0.0.0.255 10.64.0.0 0.0.255.255 log
30 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 log
40 deny icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 log
exit
vlan 300 ip access-group iso-inst vlan-in
The explicit deny all all entries are just for logging purposes.
This correctly prevents the 172.20.200.0/24 devices talking to each other, and they can access the 10.64.0.0/16 network. But I don't understand why, seeing how I don't have another access-group to allow the return traffic. Devices on the 10.64.0.0/16 network can also initiate traffic to the 172.20.200.0/24 network.
What am I not understanding correctly?
07-26-2019 05:53 AM
Hello,
That's because the ACL was applied in one direction only - which is "vlan-in". That means it will apply to packets coming IN to the switch on that VLAN (300) and permit them to go OUT to 10.64.x.x since that matches your ACL. The ACL is only applying in that direction, and does not apply to the return traffic at all.
The reason it blocks traffic between clients in the VLAN 300 is because you've applied "vlan-in" instead of just "in", and vlan-in applies to bridged packets (e.g. L2 traffic within VLAN 300) as well. Since the traffic travelling within the same VLAN will have a Source and Destination IP in the same subnet, and your ACL does not permit that, it will be dropped.
Check for example the help text on the switch when you enter ? after the name of your access-group:
in - Apply the IPv4 ACL to packets that this device has routed from this VLAN onto another VLAN.
vlan-in - Apply the IPv4 ACL for bridged and routed inbound packets on this VLAN.
out - Apply the IPv4 ACL to packets that this device has routed from another VLAN onto this VLAN.
If you wanted to block the path back, then an "out" ACL would need to be applied to the VLAN 300. It will apply to traffic the switch is sending OUT onto this VLAN (from any other).
Hope that explains it for you.
Justin
Working @ HPE
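As an added illustration (not part of the thread and not HPE's code), a small Python model of the stateless first-match lookup and of where each apply direction consults the ACL, using the iso-inst entries from the question. The host addresses and the choice of VLAN 10 for the 10.64.0.0/16 side are constructed assumptions.

```python
import ipaddress

# Wildcard-mask match as written in the ACL entries: a 0 bit in the
# wildcard means the address bit must match, a 1 bit means "don't care".
def wildcard_match(addr, base, wildcard):
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

# The "iso-inst" entries from the question:
# (action, protocol, src, src-wildcard, dst, dst-wildcard)
ISO_INST = [
    ("permit", "ip",   "172.20.200.0", "0.0.0.255", "10.64.0.0", "0.0.255.255"),
    ("permit", "icmp", "172.20.200.0", "0.0.0.255", "10.64.0.0", "0.0.255.255"),
    ("deny",   "ip",   "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
    ("deny",   "icmp", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

def evaluate(acl, proto, src, dst):
    """Stateless first-match lookup: each packet is judged alone, there is
    no session table that would let a reply ride on the original permit."""
    for action, p, s, swc, d, dwc in acl:
        if p in ("ip", proto) and wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return "deny"  # implicit deny at the end of every ACL

def switch_forwards(acl, direction, proto, src, dst, in_vlan, out_vlan, acl_vlan=300):
    """True if the packet is forwarded. The ACL is consulted only where the
    apply direction says so (per the help text quoted in the answer)."""
    bridged = in_vlan == out_vlan
    if direction == "vlan-in":   # bridged and routed packets entering this VLAN
        consulted = in_vlan == acl_vlan
    elif direction == "in":      # only packets routed from this VLAN to another
        consulted = in_vlan == acl_vlan and not bridged
    elif direction == "out":     # only packets routed from another VLAN onto this one
        consulted = out_vlan == acl_vlan and not bridged
    else:
        raise ValueError(f"unknown direction {direction!r}")
    return True if not consulted else evaluate(acl, proto, src, dst) == "permit"

if __name__ == "__main__":
    # Constructed hosts; VLAN 10 for the 10.64.0.0/16 side is an assumption.
    iso_a, iso_b, main_host = "172.20.200.10", "172.20.200.20", "10.64.1.5"
    print("vlan-in, iso->iso bridged :", switch_forwards(ISO_INST, "vlan-in", "tcp", iso_a, iso_b, 300, 300))
    print("in,      iso->iso bridged :", switch_forwards(ISO_INST, "in", "tcp", iso_a, iso_b, 300, 300))
    print("vlan-in, iso->main routed :", switch_forwards(ISO_INST, "vlan-in", "tcp", iso_a, main_host, 300, 10))
    print("vlan-in, main->iso reply  :", switch_forwards(ISO_INST, "vlan-in", "tcp", main_host, iso_a, 10, 300))
    print("out,     main->iso reply  :", switch_forwards(ISO_INST, "out", "tcp", main_host, iso_a, 10, 300))
```

The last two lines show the point of the thread: with only vlan-in the reply from 10.64.x.x is never inspected, while applying the same ACL "out" drops it because no entry matches the reversed addresses.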
07-28-2019 11:44 AM
Re: Are HPE ACLs Stateful?
Hi,
ACLs in this switch are not stateful but stateless. We need to explicitly add a rule for the traffic in the other direction.
Thanks,
-N
07-28-2019 06:46 PM
Re: Are HPE ACLs Stateful?
Hi Justin.
@jguse wrote: If you wanted to block the path back, then an "out" ACL would need to be applied to the VLAN 300. It will apply to traffic the switch is sending OUT onto this VLAN (from any other).
Thanks for explaining that clearly. That sentence finally made it click for me. I've been looking at it with the in and out referring to the vlan, not the switch.
Thanks again