
5406ZL - ACL vlan to one host routing - block the reverse communication

Jean-Philippe-S
New Member

Hi, I'm a newbie with ACLs and switching...

My configuration:

HP5406ZL
VLAN1: 10.0.1.0
VLAN2: 10.0.2.0
VLAN3: 10.0.3.0

What I'm looking for:

VLAN2 has to communicate only with one host (10.0.1.2) on VLAN1
VLAN2 should not communicate with VLAN3
VLAN1 has to communicate with all of VLAN2

What I've done:

VLANs configuration:

vlan 1
   name "VLAN_SERVER"
   no untagged A10-A12,A17,A19
   untagged A2-A9,A13-A16,A18,A20-A24,B1-B23
   tagged A1,B24
   ip address 10.0.1.242 255.255.255.0
   exit
vlan 2
   name "CLINIQUE"
   untagged A11,A17
   tagged A1,A4,A21,B24
   ip access-group "test1" in
   ip address 10.0.2.242 255.255.255.0
   exit

ACLs configuration:

ip access-list extended "test1"
     10 permit ip 10.0.2.0 0.0.0.255 10.0.2.0 0.0.0.255
     20 permit ip 10.0.2.0 0.0.0.255 10.0.1.2 0.0.0.0
     30 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
     40 deny ip 10.0.2.0 0.0.0.255 10.0.0.0 0.0.255.255
     50 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
     50 remark "for internet access"
   exit

Results, with this configuration:

- Vlan2 communicates with vlan2 (ok)
- Vlan2 communicates only with the host 10.0.1.2 (ok)
- Vlan2 can't communicate with vlan3 (ok)
- Vlan2 communicates with the internet (ok)
- Vlan1 can't communicate with vlan2 (ko)

Note: 10.0.1.2 can communicate with vlan2 (ok), but I expect that all of vlan1 can communicate with vlan2 and it doesn't work :-( ...

Where is my mistake for this last point?

Many thanks for your help.

dmesser-hhs
Frequent Advisor

Re: 5406ZL - ACL vlan to one host routing - block the reverse communication

Hello,

You gave the statement 40 deny ip 10.0.2.0 0.0.0.255 10.0.0.0 0.0.255.255. This will block any traffic from Vlan2 to VLAN1 (exception: your previous statement allows traffic to 10.0.1.2).

Also your statement 30 is incorrect:

   30 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255

You have applied this access group to the "in-bound" side of your VLAN2. This inbound traffic will not have a source address of 10.0.1.x; it will always have a source of 10.0.2.x. This statement is not going to have any matches. If you reverse the statement you will be allowing all traffic from 10.0.2.x to 10.0.1.x.

Next: I am confused because in 40 you DENY all traffic from 10.0.2.0 to 10.0.x.x. So you have allowed traffic from 10.0.2.x to 10.0.1.2 in statement 20 but then you deny all other traffic to this VLAN.

This is fine if you only need VLAN2 hosts to pass traffic to that one server. But you state that VLAN1 must communicate to all VLAN2:

   What I'm looking for:
   VLAN2 has to communicate only with one host (10.0.1.2) on VLAN1
   VLAN2 should not communicate with VLAN3
   VLAN1 has to communicate with all of VLAN2

Your first and your third statement are in conflict...

In your 3rd requirement you state that VLAN1 have to communicate with all VLAN2.  If this is the case then all of VLAN2 must be able to communicate with all VLAN1.

Here is what I would do:

ip access-list extended "test1"
     10 permit ip 10.0.2.0 0.0.0.255 10.0.2.0 0.0.0.255    (allows Vlan2 to Vlan2)
     20 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255    (allows Vlan2 to Vlan1)
     30 deny ip 10.0.2.0 0.0.0.255 10.0.3.0 0.0.0.255      (blocks Vlan2 to Vlan3)
     50 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
     50 remark "for internet access"
     <implicit deny any any>    (blocks anything not defined above)
   exit

If you do indeed want to ONLY allow traffic from Vlan2 to that one server 10.0.1.2, then replace my 20 statement with your original 20 permit ip 10.0.2.0 0.0.0.255 10.0.1.2 0.0.0.0...

I hope this helps.
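Added example, not code from this thread or from HP/Aruba: a small first-match ACL evaluator in Python that models the point made in the reply. It parses the three ACL variants discussed above (the original "test1", the replier's proposal, and the proposal with the host-specific entry 20 swapped back in), matches packets with wildcard masks and an implicit deny, and evaluates only the direction the switch actually filters: because the ACL is applied "in" on VLAN2, it only sees packets sent by VLAN2 hosts, which is the reply half of any session a VLAN1 host starts. The host addresses (10.0.2.10, 10.0.1.50, 10.0.3.5) and the 203.0.113.10 "internet" address are constructed test values.

```python
"""Model of first-match, stateless ACL evaluation for the 'test1' ACL above.

Added example, not code from the thread or from HP/Aruba. It parses the ACL
lines posted in the thread, evaluates constructed packets against them with
wildcard-mask matching and an implicit deny, and checks only the direction
the switch filters: the ACL is 'in' on VLAN2, so it sees packets sent by
VLAN2 hosts, i.e. the reply half of any session started from VLAN1.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# ACLs as posted in the thread (remark lines are ignored by the parser).
ORIGINAL_ACL = """
10 permit ip 10.0.2.0 0.0.0.255 10.0.2.0 0.0.0.255
20 permit ip 10.0.2.0 0.0.0.255 10.0.1.2 0.0.0.0
30 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
40 deny ip 10.0.2.0 0.0.0.255 10.0.0.0 0.0.255.255
50 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
50 remark "for internet access"
"""

PROPOSED_ACL = """
10 permit ip 10.0.2.0 0.0.0.255 10.0.2.0 0.0.0.255
20 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
30 deny ip 10.0.2.0 0.0.0.255 10.0.3.0 0.0.0.255
50 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""

# The replier's alternative: the proposal with the original host-specific 20.
HOST_ONLY_ACL = PROPOSED_ACL.replace(
    "20 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255",
    "20 permit ip 10.0.2.0 0.0.0.255 10.0.1.2 0.0.0.0",
)

# Constructed hosts: 10.0.2.10 is a VLAN2 client, 10.0.1.50 an arbitrary VLAN1
# host, 10.0.3.5 a VLAN3 host, 203.0.113.10 stands in for "the internet".
VLAN2_HOST = "10.0.2.10"
REMOTES = ["10.0.2.20", "10.0.1.2", "10.0.1.50", "10.0.3.5", "203.0.113.10"]


def _wild_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)


def parse_acl(text: str) -> List[Dict]:
    """Parse 'SEQ permit|deny ip SRC SRC-WILD DST DST-WILD' lines into ACEs."""
    aces = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[2] != "ip":
            continue  # remarks and anything else this model does not cover
        seq, action, _, src, src_w, dst, dst_w = parts
        aces.append({"seq": int(seq), "action": action,
                     "src": (src, src_w), "dst": (dst, dst_w)})
    return sorted(aces, key=lambda a: a["seq"])


def evaluate(aces: List[Dict], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First matching entry decides; no match is the implicit deny (seq None)."""
    for ace in aces:
        if _wild_match(src, *ace["src"]) and _wild_match(dst, *ace["dst"]):
            return ace["action"], ace["seq"]
    return "deny", None


def reply_allowed(acl_text: str, remote: str) -> Tuple[str, Optional[int]]:
    """Verdict on the VLAN2 -> remote packet, the only half this ACL filters.

    A session opened from VLAN1 towards VLAN2 reaches its target unfiltered
    (that packet never enters the switch from VLAN2) but fails if this reply
    direction is denied, which is why "Vlan1 can't communicate with vlan2".
    """
    return evaluate(parse_acl(acl_text), VLAN2_HOST, remote)


def unused_entries(acl_text: str) -> List[int]:
    """Sequence numbers that no VLAN2-sourced packet in REMOTES ever hits."""
    aces = parse_acl(acl_text)
    hit = {evaluate(aces, VLAN2_HOST, r)[1] for r in REMOTES}
    return [a["seq"] for a in aces if a["seq"] not in hit]


if __name__ == "__main__":
    for name, acl in [("original", ORIGINAL_ACL), ("proposed", PROPOSED_ACL),
                      ("host-only", HOST_ONLY_ACL)]:
        print(f"{name}: entries never matched = {unused_entries(acl)}")
        for remote in REMOTES:
            action, seq = reply_allowed(acl, remote)
            print(f"  {VLAN2_HOST} -> {remote:<14} {action:<6} (seq {seq})")
```

Running it reproduces the thread: with the original ACL, the reply from 10.0.2.10 to 10.0.1.50 hits entry 40 and is denied, so only 10.0.1.2 can talk to VLAN2, and entry 30 is never matched because no packet entering from VLAN2 carries a 10.0.1.x source. With the proposed ACL the reply is permitted by entry 20 and VLAN3 is still denied by entry 30. The evaluator also shows what the host-only variant does: 10.0.2.10 to 10.0.1.50 matches nothing before 50 permit any any and is permitted, so for that variant a deny for 10.0.1.0/24 (or the original entry 40) would need to sit ahead of entry 50 to keep VLAN2 limited to the one server.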