Exactly! On port 6 the incoming traffic is coming from the firewall and there will be no matches with the source IP of the QNAPNAS. This ACL is blocking everything from the firewall. If you dont see the option "out" after access-group, it means that 2530 doesnt support port ACL in outbound direction.
Then in this case you should apply the ACL to the port where you connect the end device that should be controlled -QNAPNAS. BUt keep in mind that this ACL only allows NTP traffic and blocks all other traffic. If this is all that is needed for the QNAPNAS then it is OK but if other types of traffic should be allowed you should add more rules.
Hello,
Yes, I also checked. An ACL on 2530 can be applied only inbound on ports and VLANs. That means it is applied on packets entering the switch via the specified interface. Not on packets which are scheduled to leave the switch out of this ports. The implicit deny rule at the end also controlls only inbound traffic. Outbond traffic is not affected.
Hello,
This shouldnt be the case and it is strange if it happens. Maybe you can share some details on how exactly you determined this?
We have to keep in mind that most communication protocols especially TCP based are 2 way communication. In order for a session to be established you typically need some sort of a handshake (for example the TCP 3 way handshake) and ongoing acknowledgement between the communicating computers. If one direction is blocked by the ACL this handshake cannot be performed and the session cannot establish no matter from which peer (that means in which direction) the session is started. The result would be that the protocol is blocked and this may lead to wrong conclusions about how the ACL is functioning. This could be a possible explenation.
Hello Emil_G
Interface 6 - connects to the FW (IP Addr: 192.168.100.1 also gateway for the subnet)
Interface 5 - connects to a QNAPNAS. (192.168.100.5)
Interface 4 - connects to another HP Aruba Switch (192.168.100.3)
NTP Server is sitting on 192.168.1.3 (accessible via 2530G interface 6 only)
I'm sitting on 192.168.200.2 (accessible via 2530G interface 6 only)
Tested using the following scenario on interface 6, with no other ACLS on any other interfaces
ip access-list extended "Permit QNAP MGT Page from QNAP to NTP"
10 permit tcp 192.168.200.2 0.0.0.0 192.168.100.5 0.0.0.0 eq 443
20 permit tcp 192.168.200.2 0.0.0.0 192.168.100.5 0.0.0.0 eq 80
exit
The above ACL could only be applied inbound to interface 6
I (sitting on 192.168.200.2) was able to connect to the ports 80, 443 on 192.168.100.5
But I could not update the NTP server time on 192.168.1.5 with the above ACL applied to interface 6.
What about Interface 5?
I didn't apply any ACLs on Interface 5 so this should allow all port access.
That's how I came to a conclusion (whether rightfully or wrongfully), the 2530G's ACL implicit deny rule blocks all traffic whether in or out.