HPE Community
Aruba & ProVision-based
1752800 Members
5772 Online
108789 Solutions
New Discussion юеВ

Aruba 3500y Extended ACL between VLAN does not work (implicit deny)

 
kaioh31
Occasional Collector

тАО02-11-2020 04:52 AM

тАО02-11-2020 04:52 AM

Aruba 3500y Extended ACL between VLAN does not work (implicit deny)

Hello,

I have some troubles to implement extended ACL between VLAN. I would like to control the traffic and so only permit allowed traffic.

I am starting from a simple configuration with 2 VLAN :

  • VLAN 10 : 192.168.10.0/24
  • VLAN 20 : 192.168.20.0/24

I would like :

  • all members of VLAN 10 to access to host 192.168.20.21 on port 22
  • all members of VLAN 20 to access to host 192.168.10.11 on port 80

First of all, I have created two access-list :

 

ip access-list extended "vlan10-in"
  10 permit tcp 192.168.10.0 0.0.0.255 192.168.20.21 0.0.0.0 eq 22
ip access-list extended "vlan20-in"
  10 permit tcp 192.168.20.0 0.0.0.255 192.168.10.11 0.0.0.0 eq 80

 

Then I've applied the first access-list to the VLAN 10 :

 

vlan 10
  name "vlan10"
  untagged 1
  ip access-group "vlan10-in" in
  ip address 192.168.10.1 255.255.255.0

 

At this step it works, I can access 192.168.20.21 on port 22 but not on any other port

Then, I've done the same thing for VLAN 20 :

 

vlan 20
  name "vlan20"
  untagged 2
  ip access-group "vlan20-in" in
  ip address 192.168.20.1 255.255.255.0

 

And then, nothing works...

I suppose that I does'nt work because of the implicit deny on each access-list which block each other.

I tried to add two new access-list and to modify vlan to only filter on inbound packet :

 

ip access-list extended "vlan10-out"
  10 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
ip access-list extended "vlan20-out"
  10 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

vlan 10
  name "vlan10"
  untagged 1
  ip access-group "vlan10-in" in
  ip access-group "vlan10-out" out
  ip address 192.168.10.1 255.255.255.0

vlan 20
  name "vlan20"
  untagged 2
  ip access-group "vlan20-in" in
  ip access-group "vlan20-out" out
  ip address 192.168.20.1 255.255.255.0

 

But it does'nt work better...

If someone have some ideas it would be great !

Thank you very much,

Thierry.

0 Kudos
7 REPLIES 7
kaioh31
Occasional Collector

тАО02-12-2020 01:40 AM

тАО02-12-2020 01:40 AM

Re: Aruba 3500y Extended ACL between VLAN does not work (implicit deny)

Hello,
No one has an idea? I'm really stuck with this.
Thank you very much !
Thierry
0 Kudos
kaioh31
Occasional Collector

тАО02-17-2020 06:22 AM

тАО02-17-2020 06:22 AM

Re: Aruba 3500y Extended ACL between VLAN does not work (implicit deny)

Hello everyone,

Is this the right community board for this kind of issue ?

Regards,

Thierry

0 Kudos
pjm-nps
Occasional Advisor

тАО02-18-2020 10:28 AM

тАО02-18-2020 10:28 AM

Re: Aruba 3500y Extended ACL between VLAN does not work (implicit deny)

The problem is, for communicaton, you need packets to go both ways. You will need a matching rule in the opposite direction for each permit.

This is off the top of my head:

ip access-list extended "vlan10-in"
  10 permit tcp 192.168.10.0 0.0.0.255 192.168.20.21 0.0.0.0 eq 22
  20 permit tcp 192.168.10.11 0.0.0.0 eq 80 192.168.20.0 0.0.0.255 established
ip access-list extended "vlan20-in"
  10 permit tcp 192.168.20.0 0.0.0.255 192.168.10.11 0.0.0.0 eq 80
  20 permit tcp 192.168.20.21 0.0.0.0 eq 22 192.168.10.0 0.0.0.255 established

 

You may have issues if whatever is serving web pages on port 80 hands the response off to another socket and doesn't send replies all from port 80. In that case, you'd have to loosen the restriction, and remove the "eq 80" from the reciprocal (established) line I added.

 

0 Kudos
kaioh31
Occasional Collector

тАО02-18-2020 10:33 PM

тАО02-18-2020 10:33 PM

Re: Aruba 3500y Extended ACL between VLAN does not work (implicit deny)

Hi PJM,

Sadly, it's what I thought... I have hundred of rules to implement, this will not be maintainable...

Thank you very much for your reply.

Thierry.

0 Kudos
3Naga
Advisor

тАО02-19-2020 02:29 AM

тАО02-19-2020 02:29 AM

Re: Aruba 3500y Extended ACL between VLAN does not work (implicit deny)

Hi Thierry,

Thank you for writing your query.

I agree with PJM it becomes an issue as traffic is to sent to and from.

Creating rules in both direction and matching them is recommended and standard practise so that we ACL can work as expected.

Please write back for any further queries regarding the same we would be happy to assist with .

 

Thanks,

 


Accept or Kudo
0 Kudos
kaioh31
Occasional Collector

тАО02-19-2020 06:30 AM

тАО02-19-2020 06:30 AM

Re: Aruba 3500y Extended ACL between VLAN does not work (implicit deny)

Hi,

Thank you again for your answer.

As I told before, I have a very large number of ACL to implement (hundreds from VLAN1 to VLAN2 and the same in the other way) and if we need to add the return traffic, I think it will be to hard to maintain.

In other HPE devices, is there a way to automaticaly allow returned packets ?

Regards,
Thierry.

0 Kudos
parnassus
Honored Contributor

тАО02-26-2020 04:01 AM

тАО02-26-2020 04:01 AM

Re: Aruba 3500y Extended ACL between VLAN does not work (implicit deny)

The problem is, for communicaton, you need packets to go both ways. You will need a matching rule in the opposite direction for each permit.

Are you sure about that requirement?


I'm not an HPE Employee
Kudos and Accepted Solution banner
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.