Problem with Extended ACL

Neonium · ‎11-14-2017

Hi,

I have a problem with an Extended ACL. I have 3 external locations that are accessible via a 4th location. Each of the 3 locations is connected to location 4 via OSPF. At all 3 locations there is the vlan 1000. For testing there is also the location 4. The 3 or 4 locations are nowhere to go except to the other sites in the Vlan 1000
The locations have the following IP settings for the Vlan 1000

Location 1:
IP: 10.60.210.254/24
Comware Switch HPE 5800-24G-SFP

Location 2:
IP: 10.60.211.254/24
5406Rzl2

Location 3:
IP: 10.60.213.254/24
5406Rzl2

Location 4:
IP: 10.60.212.254/24
5406zl

Today I tried to connect site 3 to 4. Unfortunately, the ACL rules do not work.

Config Location 3:

ip access-list extended "KW-in"
     10 permit ip 10.60.210.0 0.0.0.255 10.60.213.0 0.0.0.255 log
     20 permit ip 10.60.211.0 0.0.0.255 10.60.213.0 0.0.0.255 log
     30 permit ip 10.60.212.0 0.0.0.255 10.60.213.0 0.0.0.255 log
     40 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
ip access-list extended "KW-out"
     10 permit ip 10.60.213.0 0.0.0.255 10.60.210.0 0.0.0.255 log
     20 permit ip 10.60.213.0 0.0.0.255 10.60.211.0 0.0.0.255 log
     30 permit ip 10.60.213.0 0.0.0.255 10.60.212.0 0.0.0.255 log
     40 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit

vlan 1000
   name "KW-Transfer"
   tagged B15-B16
   ip access-group "KW-in" in
   ip access-group "KW-out" out
   ip address 10.60.213.254 255.255.255.0
   exit

Config Location 4

ip access-list extended "KW-in"
     10 permit ip 10.60.210.0 0.0.0.255 10.60.212.0 0.0.0.255 log
     20 permit ip 10.60.211.0 0.0.0.255 10.60.212.0 0.0.0.255 log
     30 permit ip 10.60.213.0 0.0.0.255 10.60.212.0 0.0.0.255 log
     40 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
ip access-list extended "KW-out"
     10 permit ip 10.60.212.0 0.0.0.255 10.60.210.0 0.0.0.255 log
     20 permit ip 10.60.212.0 0.0.0.255 10.60.211.0 0.0.0.255 log
     30 permit ip 10.60.212.0 0.0.0.255 10.60.213.0 0.0.0.255 log
     40 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit

vlan 1000
   name "KWTransfer-Test"
   tagged A5,A11-A12,Trk1
   ip access-group "KW-in" in
   ip access-group "KW-out" out
   ip address 10.60.212.254 255.255.255.0
   exit

where is my mistake? For information, the devices do not sit directly on the switch but are still distributed to other switches.

network_king · ‎02-28-2018

Basically ACL's work at Layer 3.... have you called these ACL's on layer 3 interfaces..? If yes, are those ports serving the purpose of blocking/allowing traffic to respective source & destinations.

As your query seems to be configuration assitance. You may either contact our pre-sales team or open a support case if you believe configuration is not expected as per document,

Please refer documents below for respective switches.

5800 series : https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c02647469

5400 series : https://support.hpe.com/hpsc/doc/public/display?docId=c04943057

I am an HPE Employee

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Problem with Extended ACL

Problem with Extended ACL

Re: Problem with Extended ACL