02-11-2020 04:52 AM
Aruba 3500y Extended ACL between VLAN does not work (implicit deny)
Hello,
I am having some trouble implementing extended ACLs between VLANs. I would like to control the traffic and so only permit allowed traffic.
I am starting from a simple configuration with 2 VLANs:
- VLAN 10: 192.168.10.0/24
- VLAN 20: 192.168.20.0/24
I would like:
- all members of VLAN 10 to access host 192.168.20.21 on port 22
- all members of VLAN 20 to access host 192.168.10.11 on port 80
First of all, I have created two access-lists:
ip access-list extended "vlan10-in"
10 permit tcp 192.168.10.0 0.0.0.255 192.168.20.21 0.0.0.0 eq 22
ip access-list extended "vlan20-in"
10 permit tcp 192.168.20.0 0.0.0.255 192.168.10.11 0.0.0.0 eq 80
Then I've applied the first access-list to VLAN 10:
vlan 10
name "vlan10"
untagged 1
ip access-group "vlan10-in" in
ip address 192.168.10.1 255.255.255.0
At this step it works: I can access 192.168.20.21 on port 22 but not on any other port.
Then, I've done the same thing for VLAN 20:
vlan 20
name "vlan20"
untagged 2
ip access-group "vlan20-in" in
ip address 192.168.20.1 255.255.255.0
And then, nothing works...
I suppose that it doesn't work because of the implicit deny on each access-list, which block each other.
I tried to add two new access-lists and to modify the VLANs to only filter on inbound packets:
ip access-list extended "vlan10-out"
10 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
ip access-list extended "vlan20-out"
10 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
vlan 10
name "vlan10"
untagged 1
ip access-group "vlan10-in" in
ip access-group "vlan10-out" out
ip address 192.168.10.1 255.255.255.0
vlan 20
name "vlan20"
untagged 2
ip access-group "vlan20-in" in
ip access-group "vlan20-out" out
ip address 192.168.20.1 255.255.255.0
But it doesn't work any better...
If someone has some ideas, it would be great!
Thank you very much,
Thierry.
- Tags:
- Extended ACL
- VLAN
02-12-2020 01:40 AM
Re: Aruba 3500y Extended ACL between VLAN does not work (implicit deny)
No one has an idea? I'm really stuck with this.
Thank you very much!
Thierry
02-17-2020 06:22 AM
Re: Aruba 3500y Extended ACL between VLAN does not work (implicit deny)
Hello everyone,
Is this the right community board for this kind of issue?
Regards,
Thierry
02-18-2020 10:28 AM
Re: Aruba 3500y Extended ACL between VLAN does not work (implicit deny)
The problem is, for communication, you need packets to go both ways. You will need a matching rule in the opposite direction for each permit.
This is off the top of my head:
ip access-list extended "vlan10-in"
10 permit tcp 192.168.10.0 0.0.0.255 192.168.20.21 0.0.0.0 eq 22
20 permit tcp 192.168.10.11 0.0.0.0 eq 80 192.168.20.0 0.0.0.255 established
ip access-list extended "vlan20-in"
10 permit tcp 192.168.20.0 0.0.0.255 192.168.10.11 0.0.0.0 eq 80
20 permit tcp 192.168.20.21 0.0.0.0 eq 22 192.168.10.0 0.0.0.255 established
You may have issues if whatever is serving web pages on port 80 hands the response off to another socket and doesn't send replies all from port 80. In that case, you'd have to loosen the restriction, and remove the "eq 80" from the reciprocal (established) line I added.
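To make the failure mode concrete, here is an added Python model (not from this thread or from HPE) of first-match extended ACL evaluation with wildcard masks, `eq` ports and the `established` keyword, run over the SSH case from the original post; the VLAN 10 client 192.168.10.50 and its source port 51000 are constructed values.

```python
import ipaddress
from collections import namedtuple

# Constructed packet model: only the header fields an extended ACL can test.
# `ack` is True when the TCP ACK or RST bit is set, i.e. for anything after the first SYN.
Packet = namedtuple("Packet", "proto src sport dst dport ack")

def wildcard_match(addr, wildcard, ip):
    """Wildcard-mask match: bits that are 0 in the mask must match, 1 bits are ignored."""
    a, w, i = (int(ipaddress.IPv4Address(x)) for x in (addr, wildcard, ip))
    return (a | w) == (i | w)

def parse_ace(line):
    """Parse `<seq> permit|deny <proto> SA SA-wild [eq P] DA DA-wild [eq P] [established]`."""
    tok = line.split()
    action, proto, i, ends = tok[1], tok[2], 3, []
    for _ in range(2):                       # source endpoint, then destination endpoint
        addr, wild, port = tok[i], tok[i + 1], None
        i += 2
        if i < len(tok) and tok[i] == "eq":
            port, i = int(tok[i + 1]), i + 2
        ends.append((addr, wild, port))
    return action, proto, ends[0], ends[1], "established" in tok[i:]

def evaluate(acl, pkt):
    """First-match evaluation; falling off the end is the implicit deny."""
    for line in acl:
        action, proto, (sa, sw, sp), (da, dw, dp), est = parse_ace(line)
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (wildcard_match(sa, sw, pkt.src) and wildcard_match(da, dw, pkt.dst)):
            continue
        if (sp is not None and sp != pkt.sport) or (dp is not None and dp != pkt.dport):
            continue
        if est and not pkt.ack:              # `established` never matches the opening SYN
            continue
        return action
    return "deny"

def ssh_session_allowed(vlan10_in, vlan20_in):
    """Can a VLAN 10 host complete a TCP handshake to 192.168.20.21:22 through both inbound ACLs?"""
    syn = Packet("tcp", "192.168.10.50", 51000, "192.168.20.21", 22, False)        # enters on VLAN 10
    syn_ack = Packet("tcp", "192.168.20.21", 22, "192.168.10.50", 51000, True)     # reply enters on VLAN 20
    return evaluate(vlan10_in, syn) == "permit" and evaluate(vlan20_in, syn_ack) == "permit"

# The ACLs from the thread: the original pair, and vlan20-in with the reciprocal `established` rule.
VLAN10_IN = ["10 permit tcp 192.168.10.0 0.0.0.255 192.168.20.21 0.0.0.0 eq 22"]
VLAN20_IN = ["10 permit tcp 192.168.20.0 0.0.0.255 192.168.10.11 0.0.0.0 eq 80"]
VLAN20_IN_FIXED = VLAN20_IN + ["20 permit tcp 192.168.20.21 0.0.0.0 eq 22 192.168.10.0 0.0.0.255 established"]
```

With the original pair, the SYN is permitted on VLAN 10 but the SYN/ACK entering on VLAN 20 hits the implicit deny, which is exactly the "nothing works" symptom once both ACLs are applied.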
02-18-2020 10:33 PM
Re: Aruba 3500y Extended ACL between VLAN does not work (implicit deny)
Hi PJM,
Sadly, it's what I thought... I have hundreds of rules to implement; this will not be maintainable...
Thank you very much for your reply.
Thierry.
02-19-2020 02:29 AM
Re: Aruba 3500y Extended ACL between VLAN does not work (implicit deny)
Hi Thierry,
Thank you for writing your query.
I agree with PJM; it becomes an issue as traffic is to be sent to and from.
Creating rules in both directions and matching them is recommended and standard practice so that the ACL can work as expected.
Please write back with any further queries regarding the same; we would be happy to assist.
Thanks,
02-19-2020 06:30 AM
Re: Aruba 3500y Extended ACL between VLAN does not work (implicit deny)
Hi,
Thank you again for your answer.
As I said before, I have a very large number of ACLs to implement (hundreds from VLAN1 to VLAN2 and the same in the other direction), and if we need to add the return traffic, I think it will be too hard to maintain.
In other HPE devices, is there a way to automatically allow return packets?
Regards,
Thierry.
02-26-2020 04:01 AM
Re: Aruba 3500y Extended ACL between VLAN does not work (implicit deny)
The problem is, for communication, you need packets to go both ways. You will need a matching rule in the opposite direction for each permit.
Are you sure about that requirement?
I'm not an HPE Employee