LAN Routing

ip routing and acl default behavior

 
Jorch67
Occasional Advisor


Hello,

I'm a bit new to HP switching, and because I have an acute problem I have to ask a quick and somewhat easy question:

I have two 5406s stacked together, also acting as DHCP server, default gateway and IGMP querier for 9 VLANs.

"ip routing" is enabled in the stack, with the command "ip route 0.0.0.0 0.0.0.0 10.170.92.1", which seems to define the gateway to the WAN...

There are also extended ACLs for every VLAN (assigned in the "int vlan xx" configuration with the command "ip access-group ACLxx in"), with which I try to isolate a couple of VLANs totally from the network so that they cannot be seen outside their own VLAN. The stack should only act as an IGMP querier and DHCP server for those "isolated VLANs".

Although I have denied ICMP (e.g. ping) between the 10.10.10.0/24 network (which lives in VLAN 10, with the stack's configured IP 10.10.10.1) and 10.10.20.0/20 (which lives in VLAN 20, with the stack's configured IP 10.10.20.1),

and there is a proper ICMP deny ACL rule in both VLANs (1 deny icmp 10.10.x.0 0.0.255.255 0.0.0.0 255.255.255.255), I can still ping client 10.10.10.130 from client 10.10.20.250 (?!?!?!?)

My questions are:

By default, does the "ip routing" feature create routes between all networks connected to the stack, or do I have some kind of misconfiguration? (Where do I find documentation about this? Is there a command reference for the CLI of this switch OS?)

What is the default behavior of an extended ACL? If no line in the ACL matches, does the ACL drop the packet or pass it on by default?

I would really appreciate it if somebody could answer these questions!

 

Jorch67
Occasional Advisor

Re: ip routing and acl default behavior

I have to answer myself...

Yes, by default the ip routing feature creates routes between every connected IP network and floods traffic between VLANs.

An ACL, when applied to a port/VLAN/etc., will drop a packet if no matching permit ACE is found.
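To make the two answers in this reply concrete, the following Python simulation is an added example (not ProCurve code and not from the original post). It builds the routing table a layer-3 switch derives from its VLAN interfaces plus the static default route, and evaluates an inbound ACL the way the reply describes: first matching ACE wins, and a packet that matches no ACE hits the implicit deny. Addresses mirror the thread, with two assumptions: VLAN 20 is taken as 10.10.20.0/24 (the post writes /20), and an uplink VLAN 92 with the address 10.170.92.2/24 is invented so the default route has a connected next hop. The `Ace` class, the ACL contents and the test packets are all constructed for the example.

```python
"""Simulation of connected routes created by 'ip routing' and first-match ACL
evaluation with an implicit deny. Added illustration; the VLAN table, ACLs and
packets below are constructed, not taken from a real switch."""
import ipaddress
from dataclasses import dataclass

# Constructed interface table: VLAN id -> switch address with prefix length.
VLAN_INTERFACES = {
    10: "10.10.10.1/24",
    20: "10.10.20.1/24",   # assumption: the post's /20 is treated as /24
    92: "10.170.92.2/24",  # assumed uplink VLAN toward the default gateway
}
DEFAULT_GATEWAY = "10.170.92.1"


def build_routing_table(interfaces, default_gw):
    """With routing enabled, every VLAN interface contributes a connected route;
    the static default route is appended. Returns a list of (network, next_hop)."""
    table = []
    for vlan, cidr in interfaces.items():
        net = ipaddress.ip_interface(cidr).network
        table.append((net, f"connected vlan {vlan}"))
    table.append((ipaddress.ip_network("0.0.0.0/0"), f"via {default_gw}"))
    return table


def lookup(table, dst):
    """Longest-prefix match: the most specific route wins over the default."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, next_hop in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


@dataclass
class Ace:
    """One access control entry in Cisco/ProCurve wildcard-mask style."""
    action: str   # "permit" or "deny"
    proto: str    # "icmp", "tcp", "udp" or "ip" (matches any protocol)
    src: str      # source address
    src_wc: str   # source wildcard mask: 1 bits are "don't care"
    dst: str      # destination address
    dst_wc: str   # destination wildcard mask


def wildcard_match(addr, base, wildcard):
    """Compare only the bits whose wildcard bit is 0."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate_acl(acl, proto, src, dst):
    """First-match evaluation. Returns (action, ace_number); ace_number is None
    when no ACE matched and the implicit deny at the end of the list applied."""
    for number, ace in enumerate(acl, start=1):
        if ace.proto not in (proto, "ip"):
            continue
        if wildcard_match(src, ace.src, ace.src_wc) and \
           wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action, number
    return "deny", None


# Constructed ACL modelled on the post's single rule, applied inbound on VLAN 20.
ACL20 = [Ace("deny", "icmp", "10.10.0.0", "0.0.255.255", "0.0.0.0", "255.255.255.255")]

# Constructed variant with a broad permit placed before the deny, to show that
# ACE order decides the outcome under first-match evaluation.
ACL20_PERMIT_FIRST = [
    Ace("permit", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
    Ace("deny", "icmp", "10.10.0.0", "0.0.255.255", "0.0.0.0", "255.255.255.255"),
]


if __name__ == "__main__":
    table = build_routing_table(VLAN_INTERFACES, DEFAULT_GATEWAY)
    print("10.10.10.130 ->", lookup(table, "10.10.10.130"))        # connected vlan 10
    print("8.8.8.8      ->", lookup(table, "8.8.8.8"))             # via 10.170.92.1
    print("ping 20->10  :", evaluate_acl(ACL20, "icmp", "10.10.20.250", "10.10.10.130"))
    print("dhcp to gw   :", evaluate_acl(ACL20, "udp", "10.10.20.250", "10.10.20.1"))
    print("permit first :", evaluate_acl(ACL20_PERMIT_FIRST, "icmp", "10.10.20.250", "10.10.10.130"))
```

Two things the run shows that the reply only states: the ICMP echo from 10.10.20.250 to 10.10.10.130 has a connected route and is denied by ACE 1 as expected, while a UDP packet to the VLAN 20 gateway address matches nothing and is also dropped by the implicit deny, so an ACL containing only deny ACEs drops every other inbound packet too. Moving a `permit ip any any` ahead of the deny lets the ping through, which is why ACE order has to be checked when an ACL does not behave as intended.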