Are HPE ACLs Stateful?

 
SOLVED
Go to solution
Highlighted
Skaffen
Occasional Advisor

Hi

I want to prevent devices on a /24 vlan talking to each other, and only let them talk to another /16 range.

VLAN 300 (172.20.200.0/24) is the isolated subnet.

10.64.0.0/16 is the main network.

ip access-list extended "iso-inst"
10 permit ip 172.20.200.0 0.0.0.255 10.64.0.0 0.0.255.255 log
20 permit icmp 172.20.200.0 0.0.0.255 10.64.0.0 0.0.255.255 log
30 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 log
40 deny icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 log
exit

vlan 300 ip access-group iso-inst vlan-in

The explicit deny all all entries are just for logging purposes.

This correctly prevents the 172.20.200.0/24 devices talking to each other, and they can access the 10.64.0.0/16 network. But I don't understand why, seeing how I don't have another access-group to allow the return traffic. Devices on the 10.64.0.0/16 network can also initiate traffic to the 172.20.200.0/24 network.

What am I not understanding correctly?

jguse
HPE Pro
Solution

Re: Are HPE ACLs Stateful?

Hello,

That's because the ACL was applied in one direction only - which is "vlan-in". That means it will apply to packets coming IN to the switch on that VLAN (300) and permit them to go OUT to 10.64.x.x since that matches your ACL. The ACL is only applying in that direction, and does not apply to the return traffic at all.

The reason it blocks traffic between clients in VLAN 300 is because you've applied "vlan-in" instead of just "in", and vlan-in applies to bridged packets (e.g. L2 traffic within VLAN 300) as well. Since the traffic travelling within the same VLAN will have a source and destination IP in the same subnet, and your ACL does not permit that, it will be dropped.

Check for example the help text on the switch when you enter ? after the name of your access-group:

in - Apply the IPv4 ACL to packets that this device has routed from this VLAN onto another VLAN.
vlan-in - Apply the IPv4 ACL for bridged and routed inbound packets on this VLAN.
out - Apply the IPv4 ACL to packets that this device has routed from another VLAN onto this VLAN.

If you wanted to block the path back, then an "out" ACL would need to be applied to the VLAN 300. It will apply to traffic the switch is sending OUT onto this VLAN (from any other).

Hope that explains it for you.

Best regards,
Justin

Working @ HPE
Nitish_N
HPE Pro

Re: Are HPE ACLs Stateful?

Hi,

ACLs in this switch are not stateful but stateless. We need an explicit rule for the traffic in the other direction.

Thanks,

-N
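As an added illustration of what both replies above describe (this is example code written for this page, not anything from the thread, from HPE, or from the switch firmware): a small Python model of stateless, first-match ACL evaluation combined with the three directions from the help text jguse quoted. The ACL entries are the "iso-inst" list from the question; the packets, the host addresses, and VLAN 100 as the place where 10.64.0.0/16 lives are constructed for the demonstration. The point it makes visible is that the return packet from 10.64.1.1 is forwarded only because no ACL on VLAN 300 is ever consulted for it, and that the very same ACL applied "out" would drop it, exactly as jguse says.

```python
import ipaddress
from dataclasses import dataclass

# The "iso-inst" ACL from the question: (seq, action, proto, src, src_wildcard, dst, dst_wildcard).
# ProVision wildcard masks: a 1 bit means "don't care", so 0.0.0.255 covers a /24.
ACL_ISO_INST = [
    (10, "permit", "ip",   "172.20.200.0", "0.0.0.255",       "10.64.0.0", "0.0.255.255"),
    (20, "permit", "icmp", "172.20.200.0", "0.0.0.255",       "10.64.0.0", "0.0.255.255"),
    (30, "deny",   "ip",   "0.0.0.0",      "255.255.255.255", "0.0.0.0",   "255.255.255.255"),
    (40, "deny",   "icmp", "0.0.0.0",      "255.255.255.255", "0.0.0.0",   "255.255.255.255"),
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit that is 0 in the wildcard mask."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def evaluate_acl(acl, proto: str, src: str, dst: str):
    """Stateless first-match evaluation of one packet; implicit deny if nothing matches.

    Each packet is judged on its own: nothing remembers a packet seen earlier
    in the other direction, which is why no "return traffic" is ever allowed implicitly.
    """
    for seq, action, acl_proto, sb, sw, db, dw in acl:
        if acl_proto != "ip" and acl_proto != proto:   # "ip" matches any IP protocol
            continue
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action, seq
    return "deny", None


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    ingress_vlan: int   # VLAN the packet arrived on
    egress_vlan: int    # VLAN the switch sends it out on (same as ingress when bridged)


def acl_applies(direction: str, acl_vlan: int, pkt: Packet) -> bool:
    """Which packets a VLAN ACL in a given direction sees, following the help text quoted in the thread."""
    routed = pkt.ingress_vlan != pkt.egress_vlan
    if direction == "in":        # routed packets leaving this VLAN for another
        return pkt.ingress_vlan == acl_vlan and routed
    if direction == "vlan-in":   # bridged and routed packets arriving on this VLAN
        return pkt.ingress_vlan == acl_vlan
    if direction == "out":       # routed packets arriving from another VLAN onto this one
        return pkt.egress_vlan == acl_vlan and routed
    raise ValueError(f"unknown direction {direction!r}")


def switch_decision(acl, direction: str, acl_vlan: int, pkt: Packet) -> str:
    """What the switch does with pkt when acl is applied to acl_vlan in the given direction."""
    if not acl_applies(direction, acl_vlan, pkt):
        return "forward (ACL not consulted)"
    action, seq = evaluate_acl(acl, pkt.proto, pkt.src, pkt.dst)
    return f"{action} (entry {seq})"


# Constructed packets; VLAN 100 stands in for wherever 10.64.0.0/16 is routed.
INTRA_VLAN = Packet("tcp", "172.20.200.5", "172.20.200.6", 300, 300)
TO_MAIN    = Packet("tcp", "172.20.200.5", "10.64.1.1",    300, 100)
RETURN     = Packet("tcp", "10.64.1.1",    "172.20.200.5", 100, 300)

if __name__ == "__main__":
    for label, direction, pkt in [
        ("host to host inside VLAN 300, ACL vlan-in", "vlan-in", INTRA_VLAN),
        ("same packet, ACL applied as plain in",      "in",      INTRA_VLAN),
        ("VLAN 300 host to 10.64.1.1, ACL vlan-in",   "vlan-in", TO_MAIN),
        ("reply from 10.64.1.1, ACL vlan-in",         "vlan-in", RETURN),
        ("reply from 10.64.1.1, same ACL as out",     "out",     RETURN),
    ]:
        print(f"{label}: {switch_decision(ACL_ISO_INST, direction, 300, pkt)}")
```

Running it shows the intra-VLAN packet dropped by entry 30 under vlan-in but never inspected under plain in, the outbound packet permitted by entry 10, the reply forwarded without any ACL lookup under vlan-in, and the same reply denied by entry 30 once the ACL is applied out on VLAN 300. A side effect the model also makes visible: because "permit ip" matches every IP protocol and first match wins, entry 10 already covers ICMP and entry 30 already denies it, so entries 20 and 40 are never reached.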
Skaffen
Occasional Advisor

Re: Are HPE ACLs Stateful?

Hi Justin.

@jguse wrote:

If you wanted to block the path back, then an "out" ACL would need to be applied to the VLAN 300. It will apply to traffic the switch is sending OUT onto this VLAN (from any other).

Thanks for explaining that clearly. That sentence finally made it click for me. I've been looking at it with the in and out referring to the VLAN, not the switch.

Thanks again