I have a few VLANs across a pair of 8212s and a 5412.

Specifically, I have a LAN VLAN (23) and a server VLAN (45) that I am trying to lock down to a few specific IPs.


So I can add a standard access list:


ip access-list standard "45-out"
   10 permit
   11 permit


and apply this to vlan 45 on the way out

vlan 45 ip access-group 45-out out


However, with this applied, VLAN 45 cannot see anything other than those 2 hosts.


What I would like is for VLAN 45 to be able to route anywhere, but only for some specific hosts to see machines on VLAN 45.


What am I missing?


Thanks for any help



Hi Tom,

Let's see if I'm understanding your explanation right: I read your statement as saying that you want to allow all outbound access from VLAN 45, but only selected inbound access to VLAN 45. What you need to achieve this is a stateful firewall with connection tracking.

I haven't done this on my E5400s, but if my reading of the manual is correct, what you need to do is do filtering on the way in to VLAN 45, and allow those two IP addresses AND any established connections (using an extended ACL with the "established" flag). This means that connections that have already been initiated from VLAN 45 should pass.

I don't know how sophisticated the ProCurve connection tracking is - hopefully it will understand UDP and ICMP exchanges as well as the documented support of TCP connections.


Hope that helps.





established keyword only applies to TCP connections.
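Worked example, added here by the editor and not posted by either of the people above: what the extended ACL the reply describes looks like on a 5400/8200 in ProCurve syntax, with the TCP-only limit of "established" handled by explicit UDP/ICMP entries. All addresses are made up for illustration: 10.23.0.10 and 10.23.0.11 stand in for the two LAN hosts that may reach the servers, and 10.45.0.0/24 is assumed to be VLAN 45. Two things a practitioner should keep in mind. First, on ProCurve routed ACLs the direction is relative to the switch, so traffic headed toward the VLAN 45 hosts is filtered with "out" on VLAN 45 (the direction the original post already uses); traffic from VLAN 45 to anywhere is "in" on VLAN 45 and stays unfiltered simply by applying no inbound ACL. Second, "established" is not connection tracking: it matches any TCP segment with the ACK or RST flag set, so it blocks new SYNs from unlisted hosts but will pass crafted ACK segments (an ACK scan, for instance), and it does nothing at all for UDP or ICMP replies, which need their own entries.

```text
; Example ProCurve config, added by the editor; addresses are assumed.
; 10.23.0.10 / 10.23.0.11 = permitted LAN hosts, 10.45.0.0/24 = VLAN 45.
ip access-list extended "45-out"
   10 remark "two LAN hosts may open anything to the server VLAN"
   20 permit ip host 10.23.0.10 10.45.0.0/24
   30 permit ip host 10.23.0.11 10.45.0.0/24
   40 remark "replies to TCP sessions opened from VLAN 45 (flag check, not state)"
   50 permit tcp any 10.45.0.0/24 established
   60 remark "established never matches UDP/ICMP, so list those replies explicitly"
   70 permit udp any eq 53 10.45.0.0/24
   80 permit udp any eq 123 10.45.0.0/24
   90 permit icmp any 10.45.0.0/24 0
   100 permit icmp any 10.45.0.0/24 3
   110 permit icmp any 10.45.0.0/24 11
   120 remark "everything else hits the implicit deny ip any any"
   exit
vlan 45 ip access-group "45-out" out
```

Entries 70 and 80 permit DNS and NTP answers by source port, which is as close as a stateless ACL gets to "replies only"; widen or narrow them to whatever the servers actually query. The ICMP entries are the numeric types for echo-reply (0), destination unreachable (3) and time exceeded (11), so ping and traceroute from VLAN 45 keep working and path MTU discovery is not broken. Note that a routed ACL only filters traffic the switch routes between VLANs: hosts inside VLAN 45 talking to each other are never touched by it, and IP routing has to be enabled for the ACL to see anything at all.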