Community
Aruba & ProVision-based

Problem with Extended ACL

 
Neonium
Advisor

‎11-14-2017 05:53 AM

‎11-14-2017 05:53 AM

Problem with Extended ACL

Hi,

I have a problem with an Extended ACL. I have 3 external locations that are accessible via a 4th location. Each of the 3 locations is connected to location 4 via OSPF. At all 3 locations there is the vlan 1000. For testing there is also the location 4. The 3 or 4 locations are nowhere to go except to the other sites in the Vlan 1000
The locations have the following IP settings for the Vlan 1000

Location 1:
IP: 10.60.210.254/24
Comware Switch HPE 5800-24G-SFP

Location 2:
IP: 10.60.211.254/24
5406Rzl2

Location 3:
IP: 10.60.213.254/24
5406Rzl2

Location 4:
IP: 10.60.212.254/24
5406zl

Today I tried to connect site 3 to 4. Unfortunately, the ACL rules do not work.

Config Location 3:

ip access-list extended "KW-in"
     10 permit ip 10.60.210.0 0.0.0.255 10.60.213.0 0.0.0.255 log
     20 permit ip 10.60.211.0 0.0.0.255 10.60.213.0 0.0.0.255 log
     30 permit ip 10.60.212.0 0.0.0.255 10.60.213.0 0.0.0.255 log
     40 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
ip access-list extended "KW-out"
     10 permit ip 10.60.213.0 0.0.0.255 10.60.210.0 0.0.0.255 log
     20 permit ip 10.60.213.0 0.0.0.255 10.60.211.0 0.0.0.255 log
     30 permit ip 10.60.213.0 0.0.0.255 10.60.212.0 0.0.0.255 log
     40 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit

vlan 1000
   name "KW-Transfer"
   tagged B15-B16
   ip access-group "KW-in" in
   ip access-group "KW-out" out
   ip address 10.60.213.254 255.255.255.0
   exit

Config Location 4

ip access-list extended "KW-in"
     10 permit ip 10.60.210.0 0.0.0.255 10.60.212.0 0.0.0.255 log
     20 permit ip 10.60.211.0 0.0.0.255 10.60.212.0 0.0.0.255 log
     30 permit ip 10.60.213.0 0.0.0.255 10.60.212.0 0.0.0.255 log
     40 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
ip access-list extended "KW-out"
     10 permit ip 10.60.212.0 0.0.0.255 10.60.210.0 0.0.0.255 log
     20 permit ip 10.60.212.0 0.0.0.255 10.60.211.0 0.0.0.255 log
     30 permit ip 10.60.212.0 0.0.0.255 10.60.213.0 0.0.0.255 log
     40 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit

vlan 1000
   name "KWTransfer-Test"
   tagged A5,A11-A12,Trk1
   ip access-group "KW-in" in
   ip access-group "KW-out" out
   ip address 10.60.212.254 255.255.255.0
   exit

where is my mistake? For information, the devices do not sit directly on the switch but are still distributed to other switches.

0 Kudos
1 REPLY 1
network_king
HPE Pro

‎02-28-2018 12:36 AM - edited ‎02-28-2018 01:21 AM

‎02-28-2018 12:36 AM - edited ‎02-28-2018 01:21 AM

Re: Problem with Extended ACL

Basically ACL's work at Layer 3.... have you called these ACL's on layer 3 interfaces..? If yes, are those ports serving the purpose of blocking/allowing traffic to respective source & destinations.

 

As your query seems to be configuration assitance. You may either contact our pre-sales team or open a support case if you believe configuration is not expected as per document,

 

Please refer documents below for respective switches.

5800 series : https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c02647469

5400 series : https://support.hpe.com/hpsc/doc/public/display?docId=c04943057

 

I am an HPE Employee

Accept or Kudo

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.