ProCurve / ProVision-Based

ACL issue on Procurve 5406zl

clintonrd30
Occasional Visitor

Hi

I have been attempting to apply the following ACL to a VLAN interface on one of my 5406zls without success. My scenario is:

I am using VLAN 100 for our servers VLAN. I am attempting to limit access to servers based on specific TCP port requirements, and in testing I have a test switch connected to one of the untagged ports in the VLAN with an address of 10.64.44.10. I have been attempting to apply an ACL to deny port 80 traffic from my internal network to this host and only allow port 443.

It appears that when I apply my ACL 100 to the VLAN interface, on the switch that the test switch (10.64.44.10) is connected to, the ACL doesn't work. If I apply it to the physical interface C5 that the network switch is connected to, it works. I need to apply the ACL to the VLAN interface as I have a number of servers with differing TCP port requirements (i.e. SQL, web/SSH etc.) and would like to control access on a VLAN basis, not per port. Am I missing something here in relation to the traffic flow? I have tried both in and out rules on the VLAN interface without success and have also transposed the ACL rule to have source/destination the other way around.

vlan 100
   name "VLAN100"
   untagged C5,C14
   tagged C20-C24
   ip access-group "100" in
   ip address 10.64.44.11 255.255.255.0

ip access-list extended "100"
   10 deny tcp 10.64.44.10 0.0.0.0 10.64.0.0 0.0.255.255 eq 80 log
   20 permit tcp 10.64.44.10 0.0.0.0 10.64.0.0 0.0.255.255 eq 443 log
   exit

2 REPLIES
clintonrd30
Occasional Visitor

Re: ACL issue on Procurve 5406zl

Oh, forgot to mention: our server infrastructure is virtual and we use a number of trunk ports to connect to our ESX servers. The trunks are not applied to the VLAN as yet, as I am only testing to one host.

Vince-Whirlwind
Honored Contributor

Re: ACL issue on Procurve 5406zl

I think you have the ACL the wrong way round.

I think you want:

deny from Subnet to Server port 80
permit from Subnet to Server port 443

Then, best practice is to block it closest to the source, which would involve applying it "IN" on all VLAN interfaces other than the one the server sits in.
For practical reasons, it might be easier to apply it just once on the VLAN interface that the server is in, in which case you apply it as "OUT".
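The orientation point above, as an added example that is not part of the thread and not HPE code: a small Python model of how a ProCurve extended ACL is evaluated (first matching ACE wins, implicit "deny any" at the end, Cisco-style wildcard masks) together with the direction convention a VLAN-applied ACL follows: "in" sees traffic routed out of the VLAN from its hosts, "out" sees traffic routed into the VLAN toward its hosts. Running it shows why the posted ACL (source = the server) applied "in" on VLAN 100 never sees the client's HTTP request at all and instead drops the server's own replies on the implicit deny, while the reoriented ACEs (source = the internal /16, destination = the server) applied "out" on VLAN 100 deny port 80 and permit port 443 as intended. The client address 10.64.10.20 and the ephemeral port 51234 are constructed for the example. One caveat worth checking on the switch, which the code encodes as an assumption from my reading of the ProVision ACL types: an ACL applied to a VLAN with in/out is a routed ACL and only sees traffic routed between VLANs, so a client sitting in VLAN 100 itself is switched straight to the server past it; that case needs a VACL (applied with the vlan keyword instead of in/out, if I recall the ProVision syntax correctly) or the per-port ACL the poster already found working on C5.

```python
# Added example (not from the thread or HPE): a small model of ProCurve extended-ACL
# evaluation, used to check which direction a VLAN ACL actually sees a flow in.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

VLAN100 = ipaddress.ip_network("10.64.44.0/24")  # subnet from the posted 'vlan 100' config

# The ACL exactly as posted in the question: the source is the server itself.
ORIGINAL_ACL = """
10 deny tcp 10.64.44.10 0.0.0.0 10.64.0.0 0.0.255.255 eq 80 log
20 permit tcp 10.64.44.10 0.0.0.0 10.64.0.0 0.0.255.255 eq 443 log
"""
# The orientation the reply describes: from the internal /16 TO the server.
CORRECTED_ACL = """
10 deny tcp 10.64.0.0 0.0.255.255 10.64.44.10 0.0.0.0 eq 80 log
20 permit tcp 10.64.0.0 0.0.255.255 10.64.44.10 0.0.0.0 eq 443 log
"""

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:
    seq: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None = any destination port

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """'address wildcard' as ProCurve writes it: 0 bits must match, 1 bits are don't-care."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not handled here")
    return ipaddress.IPv4Network((int(ipaddress.IPv4Address(addr)) & mask, prefix))

def _parse_addr(t: List[str], i: int):
    """One address spec ('any', 'host A' or 'A WILDCARD') at t[i]; returns (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return wildcard_to_network(t[i], t[i + 1]), i + 2

def parse_acl(text: str) -> List[Rule]:
    """Parse ACE lines '<seq> <permit|deny> <proto> SRC DST [eq PORT] [log]'.
    Only a destination 'eq' is modelled; source-port operators are not."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        src, i = _parse_addr(t, 3)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None  # trailing 'log' is ignored
        rules.append(Rule(int(t[0]), t[1], t[2], src, dst, dport))
    return rules

def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching ACE wins; anything unmatched hits the implicit 'deny any'."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for r in rules:
        if r.proto in ("ip", flow.proto) and src in r.src and dst in r.dst \
                and r.dport in (None, flow.dport):
            return f"{r.action} (seq {r.seq})"
    return "deny (implicit)"

def racl_verdict(rules: List[Rule], vlan: ipaddress.IPv4Network, direction: str, flow: Flow) -> str:
    """Verdict of a VLAN ACL applied 'in' (flows routed from the VLAN) or 'out' (flows
    routed toward it). Assumption, from my reading of ProVision's routed-ACL semantics:
    a flow between two hosts inside the VLAN is switched and never reaches the ACL."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src in vlan and dst in vlan:
        return "not evaluated (switched within VLAN)"
    if (direction == "in" and src not in vlan) or (direction == "out" and dst not in vlan):
        return "not evaluated"
    return evaluate(rules, flow)

if __name__ == "__main__":
    acls = {"original": parse_acl(ORIGINAL_ACL), "corrected": parse_acl(CORRECTED_ACL)}
    # Constructed flows: a client in another VLAN asking for HTTP, and the server's reply
    # to an HTTPS client (destination port is the client's ephemeral port).
    request = Flow("10.64.10.20", "10.64.44.10", "tcp", 80)
    reply = Flow("10.64.44.10", "10.64.10.20", "tcp", 51234)
    for name, rules in acls.items():
        for direction in ("in", "out"):
            print(f"{name:9} {direction:3}  request->80: {racl_verdict(rules, VLAN100, direction, request):28}"
                  f"  server reply: {racl_verdict(rules, VLAN100, direction, reply)}")
```

Running the file prints one verdict row per ACL and direction. To vet the ACL for another server, put its ACEs in the CORRECTED_ACL string (internal subnet as source, the server as destination) and keep the direction "out" on the server's VLAN; any request the model reports as "deny (implicit)" is a port you forgot to permit, which the switch will also drop.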