
Issues with ACL's on HP Procurve 5400zl

Occasional Visitor

A series of different requirements has ended with me having to apply some restrictive ACLs on my HP switch. Generally I leave all the security to my firewalls, but in this scenario I need to restrict access on the switch.

The switch has a bunch of VLANs that can talk to each other, with a firewall passing the traffic down the line.

To give some basic background, the VLAN I want to restrict is 57 (

Primary VLAN is 4 (

default gateway for VLAN57 is which is on hp switch with route bound for firewall's ip of

I want vlan57 to be able to get out to the internet without being able to talk to any other vlans

When I apply the below ACL's I cannot communicate with anything

ip access-list extended "101"
10 permit ip
20 permit ip
30 permit ip
40 permit ip
50 deny ip
60 deny ip
70 permit ip

If I put a "permit ip any any" at the end, it allows all traffic regardless of the two deny entries....

The above ACL is bound to VLAN57 out. I created an ACL with "permit ip any any" and bound it to VLAN57 in, just in case there was an explicit deny once I applied the outbound rules.

I'm a little out of my depth here as I have never really played with ACLs like this. I'm more of a firewall guy, and the last time I did this kind of ACL work was when I got my CCNA (12 years ago).

Somehow I feel like I'm doing this completely wrong, any help would be appreciated.




Honored Contributor

Re: Issues with ACL's on HP Procurve 5400zl

You need to apply it "in".

It's the VLAN57 that is enforcing it, it is looking at traffic coming "in" from ports that are in VLAN57.

Occasional Visitor

Re: Issues with ACL's on HP Procurve 5400zl

When you say apply it "in", do you mean I should apply it "in" for the primary VLAN on the switch (in this case VLAN4)?

Everything I am trying doesn't seem to work at all. I'm getting pretty frustrated. Even a simple test to block traffic doesn't work.

Instead of applying the rule to VLAN57 I tried a test on VLAN53:

"deny ip

permit ip any any"

I applied this rule to VLAN53 but all traffic still passed from 57. I thought that if one rule is satisfied it skips the rest of the ACL?

Respected Contributor

Re: Issues with ACL's on HP Procurve 5400zl

Apply the ACL in the IN direction of VLAN57.
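As an added illustration (not code from this thread or from the switch), the small Python model below applies first-match ACL evaluation and the in/out direction rule the replies describe to a constructed stand-in for ACL "101". The subnets, the gateway address and the direction model are assumptions, since the thread's real addresses were elided; with those assumptions it reproduces both symptoms the poster saw (everything blocked when bound "out", everything allowed once a trailing "permit ip any any" is added).

```python
import ipaddress

# Constructed sample addressing; the thread's real subnets and gateway were elided,
# so these values are assumptions, not the original poster's.
VLAN57 = ipaddress.ip_network("10.57.0.0/24")
VLAN4 = ipaddress.ip_network("10.4.0.0/24")

# Constructed stand-in for the poster's ACL "101": permit the firewall/gateway,
# deny the other VLANs, then permit everything else so the VLAN can reach the internet.
ACL_101 = [
    "10 permit ip 10.57.0.0/24 10.4.0.1/32",   # default gateway / firewall
    "50 deny ip 10.57.0.0/24 10.4.0.0/24",     # no other hosts on the primary VLAN
    "60 deny ip 10.57.0.0/24 10.53.0.0/24",    # nor on VLAN53
    "70 permit ip 10.57.0.0/24 any",           # anything else, i.e. out to the internet
]

def parse_entry(line):
    """'10 permit ip 10.57.0.0/24 any' -> (10, 'permit', src_net, dst_net); 'any' is 0.0.0.0/0."""
    seq, action, _proto, src, dst = line.split()
    net = lambda s: ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)
    return int(seq), action, net(src), net(dst)

def evaluate(acl, src, dst):
    """First-match semantics: the lowest-numbered entry matching both addresses decides and
    later entries are never consulted; a packet matching nothing hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, s_net, d_net in sorted(map(parse_entry, acl), key=lambda e: e[0]):
        if s in s_net and d in d_net:
            return action, seq
    return "deny", None   # implicit deny at the end of every ACL

def vlan_acl_result(acl, vlan_net, direction, src, dst):
    """Model (assumption) of the direction rule the replies give: 'in' sees packets entering
    the switch from hosts in the VLAN, 'out' sees routed packets leaving the switch toward
    hosts in the VLAN. Returns None when the binding never sees the packet at all."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    seen = s in vlan_net if direction == "in" else d in vlan_net
    return evaluate(acl, src, dst) if seen else None

if __name__ == "__main__":
    host57, host4, internet = "10.57.0.10", "10.4.0.50", "203.0.113.5"
    print(evaluate(ACL_101, host57, host4))                                # ('deny', 50)
    print(evaluate(ACL_101 + ["80 permit ip any any"], host57, host4))     # still ('deny', 50)
    # Bound "out" on VLAN57 the ACL only sees replies (destination in VLAN57); every entry
    # requires a VLAN57 source, so nothing matches and the implicit deny blocks everything.
    print(vlan_acl_result(ACL_101, VLAN57, "out", host4, host57))          # ('deny', None)
    # ...and a trailing permit-any then matches every reply, so everything passes.
    print(vlan_acl_result(ACL_101 + ["80 permit ip any any"], VLAN57, "out", host4, host57))
    print(vlan_acl_result(ACL_101, VLAN57, "in", host57, internet))        # ('permit', 70)
```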