03-22-2013 07:22 AM
ACL not working on 5406zl fw K.15.07.0008
Hi all,
I have test clients on VLAN 22, 10.10.16.0/24.
I have a test server environment on VLAN 33, 10.10.17.0/24.
I want to restrict the clients to:
1. Get an IP address from the DHCP server on VLAN 44, 10.10.18.0/24
2. Get DNS from the DNS server on VLAN 44, 10.10.18.0/24
3. Restrict the clients on VLAN 22 to access only the test servers on VLAN 33
ip access-list extended "Access-to-Testservers"
10 permit udp 10.10.16.0 255.255.255.0 eq 68 10.10.18.1 0.0.0.0 eq 67
20 permit udp 10.10.16.0 255.255.255.0 eq 53 10.10.18.1 0.0.0.0 eq 53
30 permit ip 10.10.16.0 255.255.255.0 10.10.17.0 255.255.255.0
exit
vlan 22
name "TEST-CLIENTS"
tagged B2,C17-C20,C22-C24,D3,L1,Trk1
ip helper-address 10.10.18.1
ip address 10.10.16.254 255.255.255.0
ip access-group "Access-to-Testservers" in
As soon as I apply the access-group:
1. I can still get an IP address for the test clients
2. I can NOT reach the servers in 10.10.17.0/24
3. I can't even ping the default gateway of the client subnet!?
Without the access-group everything works.
There must be an obvious mistake I'm making?
Thanks, Jaap
03-26-2013 07:38 AM
Re: ACL not working on 5406zl fw K.15.07.0008
Hello,
the solution in reverse order:
Problem 3) A ping is an ICMP message encapsulated in IP. Your last rule only allows IP packets with destination 10.10.17.0/24. If you want to ping the default gateway the destination is 10.10.16.254 which is not allowed.
Anyway I believe you want all stations in VLAN 22, 10.10.16.0/24, to communicate with each other. Hence, there should also be a rule like
40 permit ip 10.10.16.0 255.255.255.0 10.10.16.0 255.255.255.0
Then you can ping the default router, too. Anyway, it is always a bad idea to forbid ICMP messages, because they are a fundamental basis of the Internet Protocol and much more than only a "ping" (for example ICMP type 3, "Destination unreachable"). So you should also allow ICMP messages from and to everywhere:
50 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Or at least restricted to all of your own network.
Problem 2) That is a consequence of problem 1). If you want to reach servers in 10.10.17.0/24, the stations in 10.10.16.0/24 can only do so via their default router. If they cannot reach their default router due to problem 1), they cannot reach the servers. Hence, if you solve 1), problem 2) should be solved, too.
Problem 1) I do not see the problem. You wanted DHCP to work, you say it works. Where is the problem?
Additional remark: ACL rule 20 doesn't make very much sense to me. I assume you want the stations from VLAN 22, 10.10.16.0/24, to be able to query the DNS server. But the outgoing port on the client is normally not 53 but some arbitrary port chosen > 1024. Hence the rule should read
20 permit udp 10.10.16.0 255.255.255.0 10.10.18.1 0.0.0.0 eq 53
(No "eq 53" in the first place.)
Matthias
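Added example, not part of the thread and not HP/ProVision code: a small first-match ACL evaluator that runs Jaap's original list and Matthias's amended list (rule 20 without the client-side "eq 53", plus rules 40 and 50) against three constructed flows from a client at 10.10.16.10: a ping to the gateway, a DNS query from an ephemeral source port, and a TCP connection to a test server at 10.10.17.20. The client addresses and ports are made up for the illustration. One thing the thread leaves implicit is how the switch reads the mask field. To my knowledge ProVision ACL masks are wildcard-style (a 1 bit means "don't care"), which is also the only reading under which the thread's own `10.10.18.1 0.0.0.0` means "that exact host" and Matthias's `0.0.0.0 255.255.255.255` means "everywhere"; treat that as an assumption and confirm it in the ACL chapter of your switch's management guide. The evaluator therefore takes the mask convention as a parameter so you can see what each reading does to the same rules.

```python
"""First-match ACL evaluator for ProVision-style extended ACL lines.

Added illustration for the thread above; not HP/ProVision code. Models the
implicit deny at the end of every ACL. The mask convention is an assumption
exposed as a parameter:
  "subnet"   - 255.255.255.0 is read as a /24 netmask (what the posted
               10.10.16.0 255.255.255.0 lines look like they intend)
  "wildcard" - a 1 bit means "don't care" (my understanding of the ProVision
               convention; the only reading under which 0.0.0.0 means
               "exact host" and 255.255.255.255 means "any")
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str                  # "ip", "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Rule:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str
    src: str
    smask: str
    sport: Optional[int]
    dst: str
    dmask: str
    dport: Optional[int]


def parse_rule(line: str) -> Rule:
    """Parse '<seq> permit|deny <proto> <src> <mask> [eq <port>] <dst> <mask> [eq <port>]'."""
    tok = line.split()
    seq, action, proto = int(tok[0]), tok[1], tok[2]
    i = 3
    src, smask, i = tok[i], tok[i + 1], i + 2
    sport = None
    if i < len(tok) and tok[i] == "eq":
        sport, i = int(tok[i + 1]), i + 2
    dst, dmask, i = tok[i], tok[i + 1], i + 2
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport, i = int(tok[i + 1]), i + 2
    return Rule(seq, action, proto, src, smask, sport, dst, dmask, dport)


def _addr_match(addr: str, base: str, mask: str, mask_style: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    m = int(ipaddress.IPv4Address(mask))
    if mask_style == "wildcard":
        m = (~m) & 0xFFFFFFFF      # 1 = don't care, so invert to get a netmask
    elif mask_style != "subnet":
        raise ValueError(f"unknown mask style {mask_style!r}")
    return (a & m) == (b & m)


def evaluate(rules, pkt: Packet, mask_style: str = "subnet"):
    """Return (action, seq) of the first matching rule, or ("deny", None) for the implicit deny."""
    for r in rules:
        if ((r.proto == "ip" or r.proto == pkt.proto)
                and _addr_match(pkt.src, r.src, r.smask, mask_style)
                and _addr_match(pkt.dst, r.dst, r.dmask, mask_style)
                and (r.sport is None or r.sport == pkt.sport)
                and (r.dport is None or r.dport == pkt.dport)):
            return r.action, r.seq
    return "deny", None


# Jaap's list as posted.
ORIGINAL_ACL = [parse_rule(l) for l in [
    "10 permit udp 10.10.16.0 255.255.255.0 eq 68 10.10.18.1 0.0.0.0 eq 67",
    "20 permit udp 10.10.16.0 255.255.255.0 eq 53 10.10.18.1 0.0.0.0 eq 53",
    "30 permit ip 10.10.16.0 255.255.255.0 10.10.17.0 255.255.255.0",
]]

# Matthias's amendments: rule 20 without the client-side "eq 53", plus 40 and 50.
AMENDED_ACL = [parse_rule(l) for l in [
    "10 permit udp 10.10.16.0 255.255.255.0 eq 68 10.10.18.1 0.0.0.0 eq 67",
    "20 permit udp 10.10.16.0 255.255.255.0 10.10.18.1 0.0.0.0 eq 53",
    "30 permit ip 10.10.16.0 255.255.255.0 10.10.17.0 255.255.255.0",
    "40 permit ip 10.10.16.0 255.255.255.0 10.10.16.0 255.255.255.0",
    "50 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
]]

# Constructed sample flows (client 10.10.16.10 and server 10.10.17.20 are made up).
PING_GATEWAY = Packet("icmp", "10.10.16.10", "10.10.16.254")
DNS_QUERY = Packet("udp", "10.10.16.10", "10.10.18.1", sport=49152, dport=53)
WEB_TO_SERVER = Packet("tcp", "10.10.16.10", "10.10.17.20", sport=49153, dport=443)

FLOWS = [("ping gateway", PING_GATEWAY), ("dns query", DNS_QUERY), ("to server", WEB_TO_SERVER)]


def report(acl, mask_style: str = "subnet") -> dict:
    """Map each sample flow name to the (action, seq) the ACL yields for it."""
    return {name: evaluate(acl, pkt, mask_style) for name, pkt in FLOWS}


if __name__ == "__main__":
    for style in ("subnet", "wildcard"):
        print(f"{style:8s} original: {report(ORIGINAL_ACL, style)}")
        print(f"{style:8s} amended:  {report(AMENDED_ACL, style)}")
```

Read subnet-style, the output reproduces the reply: the ping to 10.10.16.254 falls through to the implicit deny on the original list and is permitted by rule 40 on the amended one, the DNS query from port 49152 is denied by the original rule 20 and permitted once the client-side "eq 53" is dropped, and the connection to 10.10.17.20 is permitted by rule 30 either way. Read wildcard-style, every `255.255.255.0` line matches only addresses whose last octet is 0, so the same client traffic is denied on both lists and only the ICMP rule 50 lets the ping through; under that convention the /24 entries would have to be written `0.0.0.255` to match real hosts. Running both readings against a candidate ACL before applying it to a VLAN is a cheap way to catch this class of mistake.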