
Want to Remove ACL

 
SOLVED
ManishChawda
Frequent Advisor

Want to Remove ACL

Hi,

I have an HPE-5510 switch configured with an ACL. In the ACL I have configured that the switch should be accessible only from the mentioned IPs. But now, since I have to migrate the switch to another location, I need to remove the ACL. I tried it, but then the switch becomes inaccessible.

Kindly advise as to how to remove the ACL and its rules so that I can access the switch from any PC?

Here is the configuration of the ACL:

acl number 3012
rule 5 permit ip source 172.16.12.62 0
rule 10 permit ip source 172.16.12.66 0
rule 15 permit ip source 172.16.12.0 0.0.0.127 destination 172.16.11.1 0
rule 20 permit ip source 172.16.12.0 0.0.0.127 destination 172.16.11.11 0
rule 25 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.2 0
rule 30 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.3 0
rule 35 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.4 0
rule 40 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.7 0
rule 50 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.10 0
rule 55 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.13.0 0.0.0.15
rule 60 permit ip

 

Manish

Ivan_B
HPE Pro

Re: Want to Remove ACL

Hi @ManishChawda !

How and where is the ACL applied?

 

I am an HPE employee


parnassus
Honored Contributor

Re: Want to Remove ACL

Hi @ManishChawda, as suggested by @Ivan_B, where was ACL number 3012 applied?

Please post the output of these three commands:

display acl all
display acl 3012 
display packet-filter

 


I'm not an HPE Employee
ManishChawda
Frequent Advisor

Re: Want to Remove ACL

Hi,

The ACL is applied on the L3 switch HPE-5510 to all PCs except 2 PCs, so that I can access the HPE-5510 only from those 2 PCs. Kindly advise.

Below is the output. 

[UMHPE5510L3-112]display acl all
Advanced IPv4 ACL 3012, 12 rules,
ACL's step is 5, start ID is 0
 rule 5 permit ip source 172.16.12.31 0
 rule 6 permit ip source 172.16.12.32 0
 rule 10 permit ip source 172.16.12.66 0
 rule 15 permit ip source 172.16.12.0 0.0.0.127 destination 172.16.11.1 0
 rule 20 permit ip source 172.16.12.0 0.0.0.127 destination 172.16.11.11 0
 rule 25 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.2 0
 rule 30 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.3 0
 rule 35 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.4 0
 rule 40 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.7 0
 rule 50 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.10 0
 rule 55 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.13.0 0.0.0.15
 rule 60 permit ip

-----------

[UMHPE5510L3-112]display acl 3012
Advanced IPv4 ACL 3012, 12 rules,
ACL's step is 5, start ID is 0
 rule 5 permit ip source 172.16.12.31 0
 rule 6 permit ip source 172.16.12.32 0
 rule 10 permit ip source 172.16.12.66 0
 rule 15 permit ip source 172.16.12.0 0.0.0.127 destination 172.16.11.1 0
 rule 20 permit ip source 172.16.12.0 0.0.0.127 destination 172.16.11.11 0
 rule 25 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.2 0
 rule 30 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.3 0
 rule 35 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.4 0
 rule 40 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.7 0
 rule 50 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.10 0
 rule 55 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.13.0 0.0.0.15
 rule 60 permit ip

---------

[UMHPE5510L3-112]display packet-filter interface
Interface: Vlan-interface12
Inbound policy:
IPv4 ACL 3012

Ivan_B
HPE Pro

Re: Want to Remove ACL

TBH I don't see how removing the ACL 3012 can block access to anything. Not sure what steps you followed to remove it, but I would try:

system-view
interface Vlan12
undo packet-filter 3012 inbound

and test. At this time do not remove the ACL itself. If everything is fine after running the above-mentioned commands, then remove the ACL itself by:

system-view
undo acl number 3012

 

 

I am an HPE employee
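
Added example, not part of the thread or of HPE's tooling: a first-match evaluator for the ACL 3012 rules from the display output above, useful for checking which source/destination pairs the packet filter on Vlan-interface12 denies before it is removed or re-applied. It assumes rules are matched in ascending rule-ID order and that only the `source` and `destination` keywords appear, as in this ACL; the function names are hypothetical.

```python
import ipaddress

# ACL 3012 copied from the "display acl 3012" output in the thread.
ACL_3012 = """\
rule 5 permit ip source 172.16.12.31 0
rule 6 permit ip source 172.16.12.32 0
rule 10 permit ip source 172.16.12.66 0
rule 15 permit ip source 172.16.12.0 0.0.0.127 destination 172.16.11.1 0
rule 20 permit ip source 172.16.12.0 0.0.0.127 destination 172.16.11.11 0
rule 25 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.2 0
rule 30 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.3 0
rule 35 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.4 0
rule 40 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.7 0
rule 50 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.10 0
rule 55 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.13.0 0.0.0.15
rule 60 permit ip
"""

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_rules(text):
    """Parse 'rule <id> <action> ip [source A W] [destination A W]' lines."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "rule":
            continue
        rule = {"id": int(tok[1]), "action": tok[2], "source": None, "destination": None}
        for i in range(4, len(tok) - 2, 3):
            # A bare "0" wildcard means an exact host match.
            wild = 0 if tok[i + 2] == "0" else _to_int(tok[i + 2])
            rule[tok[i]] = (_to_int(tok[i + 1]), wild)
        rules.append(rule)
    return rules

def _match(field, addr):
    if field is None:          # keyword absent: any address
        return True
    base, wild = field
    care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
    return (addr & care) == (base & care)

def evaluate(rules, src, dst):
    """Return (rule id, action) of the first matching rule, lowest ID first."""
    s, d = _to_int(src), _to_int(dst)
    for r in sorted(rules, key=lambda r: r["id"]):
        if _match(r["source"], s) and _match(r["destination"], d):
            return r["id"], r["action"]
    return None, "no-match"
```

For instance, `evaluate(parse_rules(ACL_3012), "172.16.12.50", "172.16.11.2")` returns `(25, "deny")`, while the same destination from 172.16.12.66 is permitted by rule 10.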


Ihaqueit
Trusted Contributor

Re: Want to Remove ACL

At first you need to remove the qos-profile from the interfaces where the rule is applied; before you need to delete the ACL bound to the qos-profile and then you could delete the ACL, if needed.

I Haq
ManishChawda
Frequent Advisor

Re: Want to Remove ACL

Hi,

Thanks for the reply.

This was configured by one of the partners. I will surely try, but since I am at a remote location, I will try when I physically visit the location. I will update you ASAP.

One more thing: can you give me the commands to configure the same ACL step by step?

Manish

Ivan_B
HPE Pro

Re: Want to Remove ACL

In order to configure the same ACL with the same number, use the following commands:

system-view
acl number 3012
rule 5 permit ip source 172.16.12.31 0
rule 6 permit ip source 172.16.12.32 0
rule 10 permit ip source 172.16.12.66 0
rule 15 permit ip source 172.16.12.0 0.0.0.127 destination 172.16.11.1 0
rule 20 permit ip source 172.16.12.0 0.0.0.127 destination 172.16.11.11 0
rule 25 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.2 0
rule 30 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.3 0
rule 35 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.4 0
rule 40 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.7 0
rule 50 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.10 0
rule 55 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.13.0 0.0.0.15
rule 60 permit ip

I am an HPE employee


parnassus
Honored Contributor
Solution

Re: Want to Remove ACL

...and if you want to (re)apply the (re)configured ACL 3012 to VLAN id 12 then you also have to do:

system-view
interface Vlan12
packet-filter 3012 inbound

 otherwise the ACL 3012 is just configured BUT not applied.


I'm not an HPE Employee
ManishChawda
Frequent Advisor

Re: Want to Remove ACL

Hi,

Thanks to all! I will try once I visit the location and update you; until then, kudos and accepting the solution.

Thanks