colly72
Occasional Advisor

VLAN to VLAN ACLs

Hi all, I've got an HP 5500 HI switch that I've successfully created multiple VLANs on. I have a curriculum VLAN with a subnet of 172.16.28.0/22 and an accounts VLAN which is 192.168.10.0/24. I've created the VLAN interfaces for each one (172.16.28.1 for curriculum and 192.168.10.1 for accounts), and devices that are untagged on each VLAN are getting correct IP addresses from the DHCP server and are able to ping other VLANs and devices. I now want to create an ACL that will prevent devices on the Curriculum VLAN from connecting to the Accounts VLAN. I've created an advanced ACL which denies access from the source subnet to the destination subnet, then applied it to the Accounts VLAN interface as an inbound packet filter, but I'm still able to ping the Accounts VLAN interface and any devices on the Accounts VLAN. I've attached the current config below, which shows the Accounts VLAN (10) and the Curriculum VLAN (30). Could anyone shed some light on what I'm doing wrong?

Thanks in advance.

#
version 5.20.99, Release 5501P20
#
sysname HP
#
dhcp relay server-group 1 ip 10.1.0.149
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
#
domain default enable system
#
telnet server enable
#
password-recovery enable
#
acl number 2000
rule 0 deny source 172.16.28.0 0.0.3.255
#
acl number 3001
rule 10 deny ip source 172.16.28.0 0.0.3.255 destination 192.168.10.0 0.0.0.255
#
vlan 1
#
vlan 10
description Accounts
#
vlan 20
description Servers
#
vlan 30
description Curriculum
#
vlan 40
description Printers
#
vlan 60
description IT Admin
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
group-attribute allow-guest
#
local-user admin
password cipher $c$3$1Q8Fu74tA+WUcpcTGeKWn2/UizAb4H3k7Q==
authorization-attribute level 3
service-type telnet
service-type web
#
cwmp
undo cwmp enable
#
interface NULL0
#
interface Vlan-interface1
ip address 10.1.3.67 255.255.0.0
#
interface Vlan-interface10
ip address 192.168.10.1 255.255.255.0
dhcp select relay
dhcp relay server-select 1
packet-filter 3001 inbound
#
interface Vlan-interface20
ip address 192.168.20.1 255.255.255.0
dhcp select relay
dhcp relay server-select 1
#
interface Vlan-interface30
ip address 172.16.28.1 255.255.252.0
dhcp select relay
dhcp relay server-select 1
#
interface Vlan-interface40
ip address 192.168.40.1 255.255.255.0
dhcp select relay
dhcp relay server-select 1
#
interface Vlan-interface60
ip address 192.168.60.1 255.255.255.0
dhcp select relay
dhcp relay server-select 1
#
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 20 30 40 60
#
interface GigabitEthernet1/0/2
port link-mode bridge
#
interface GigabitEthernet1/0/3
port link-mode bridge
port access vlan 10
#
interface GigabitEthernet1/0/4
port link-mode bridge
#
interface GigabitEthernet1/0/5
port link-mode bridge
#
interface GigabitEthernet1/0/6
port link-mode bridge
#
interface GigabitEthernet1/0/7
port link-mode bridge
#
interface GigabitEthernet1/0/8
port link-mode bridge
#
interface GigabitEthernet1/0/9
port link-mode bridge
#
interface GigabitEthernet1/0/10
port link-mode bridge
#
interface GigabitEthernet1/0/11
port link-mode bridge
#
interface GigabitEthernet1/0/12
port link-mode bridge
#
interface GigabitEthernet1/0/13
port link-mode bridge
#
interface GigabitEthernet1/0/14
port link-mode bridge
#
interface GigabitEthernet1/0/15
port link-mode bridge
#
interface GigabitEthernet1/0/16
port link-mode bridge
#
interface GigabitEthernet1/0/17
port link-mode bridge
#
interface GigabitEthernet1/0/18
port link-mode bridge
#
interface GigabitEthernet1/0/19
port link-mode bridge
#
interface GigabitEthernet1/0/20
port link-mode bridge
#
interface GigabitEthernet1/0/21
port link-mode bridge
#
interface GigabitEthernet1/0/22
port link-mode bridge
#
interface GigabitEthernet1/0/23
port link-mode bridge
#
interface GigabitEthernet1/0/24
port link-mode bridge
port access vlan 30
#
interface GigabitEthernet1/0/25
port link-mode bridge
#
interface GigabitEthernet1/0/26
port link-mode bridge
#
interface GigabitEthernet1/0/27
port link-mode bridge
#
interface GigabitEthernet1/0/28
port link-mode bridge
#
interface M-GigabitEthernet0/0/0
#
interface Ten-GigabitEthernet1/0/29
port link-mode bridge
#
interface Ten-GigabitEthernet1/0/30
port link-mode bridge
#
ip route-static 0.0.0.0 0.0.0.0 10.1.10.2
#
dhcp enable
#
ssh server enable
#
load xml-configuration
#
load tr069-configuration
#
user-interface aux 0
user-interface vty 0 15
#
return

AlexisKoch
Advisor
Solution

Re: VLAN to VLAN ACLs

Hello,

the inbound/outbound is from the switch's point of view. So the frames are entering the switch (inbound) on the curriculum ports. Have you tried to apply the ACL on a curriculum port (1/0/24)?

Regards,

Alexis.
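
To illustrate Alexis's point, here is an added Python model (not from the thread and not HP tooling) that parses the ACL rule with its wildcard masks and evaluates which binding point actually sees a VLAN 30 to VLAN 10 packet. It assumes a simplified Comware forwarding model in which an inbound filter on a VLAN interface sees only traffic arriving from that VLAN; the outbound binding on Vlan-interface10 is modelled as an assumption, and its availability on a given Comware release should be confirmed in the platform's ACL guide.

```python
import ipaddress
from dataclasses import dataclass
# The advanced ACL rule from the poster's config (acl number 3001), used here as sample input.
RULE_3001 = "rule 10 deny ip source 172.16.28.0 0.0.3.255 destination 192.168.10.0 0.0.0.255"

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Comware ACL masks are wildcard (inverse) masks: 0.0.3.255 keeps the top 22 bits."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

@dataclass
class Rule:
    action: str  # "deny" or "permit"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def parse_rule(line: str) -> Rule:
    """Parse a Comware basic or advanced ACL rule line; a missing destination means any."""
    t = line.split()
    def net(key: str) -> ipaddress.IPv4Network:
        if key not in t:
            return ipaddress.IPv4Network("0.0.0.0/0")
        return wildcard_to_network(t[t.index(key) + 1], t[t.index(key) + 2])
    return Rule(t[2], net("source"), net("destination"))

@dataclass
class Packet:
    src: str
    dst: str
    ingress_port: str          # physical port the frame arrived on
    ingress_vlan: int          # VLAN it arrived in
    egress_vlan: "int | None"  # VLAN it is routed into (None when addressed to the switch itself)

def binding_sees(kind: str, target: str, direction: str, p: Packet) -> bool:
    """Switch's point of view: inbound on Vlan-interfaceN sees only traffic arriving FROM VLAN N,
    outbound only traffic routed INTO VLAN N. Physical ports are modelled inbound only (assumption)."""
    if kind == "port":
        return direction == "inbound" and p.ingress_port == target
    return (p.ingress_vlan if direction == "inbound" else p.egress_vlan) == int(target)

def dropped(rule: Rule, kind: str, target: str, direction: str, p: Packet) -> bool:
    """True only when the binding point actually sees the packet and the deny rule matches it."""
    return (binding_sees(kind, target, direction, p) and rule.action == "deny"
            and ipaddress.IPv4Address(p.src) in rule.src and ipaddress.IPv4Address(p.dst) in rule.dst)

if __name__ == "__main__":
    # Constructed sample: a curriculum host pings an accounts host; the frame enters on access port 1/0/24 in VLAN 30.
    rule, ping = parse_rule(RULE_3001), Packet("172.16.28.50", "192.168.10.20", "GigabitEthernet1/0/24", 30, 10)
    for where in (("vlan-interface", "10", "inbound"), ("vlan-interface", "30", "inbound"),
                  ("vlan-interface", "10", "outbound"), ("port", "GigabitEthernet1/0/24", "inbound")):
        print(f"packet-filter 3001 {where[2]} on {where[0]} {where[1]}: dropped={dropped(rule, *where, ping)}")
```

The first binding is the poster's: the filter on Vlan-interface10 inbound never sees a packet that entered the switch from VLAN 30, so the deny rule is never evaluated against it.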

colly72
Occasional Advisor

Re: VLAN to VLAN ACLs

Hi Alexis, that's it! It never occurred to me that the inbound applied to coming into the curriculum VLAN at the switch interface level, rather than the destination VLAN.

As usual, it's always obvious when you know how!!

Thanks so much,

Michael