06-15-2016 12:17 PM
Issues with ACLs on HP Procurve 5400zl
A series of different requirements has ended with me having to apply some restrictive ACLs on my HP switch. Generally I leave all the security to my firewalls, but in this scenario I need to restrict access on the switch.
The switch has a bunch of VLANs that can talk to each other, with a firewall passing the traffic down the line.
To give some basic background, the VLAN I want to restrict is 57 (192.168.57.0/24).
The primary VLAN is 4 (192.168.4.0/24).
The default gateway for VLAN57 is 192.168.57.254, which is on the HP switch, with route 0.0.0.0/0 bound for the firewall's IP of 192.168.4.204.
I want VLAN57 to be able to get out to the internet without being able to talk to any other VLANs.
When I apply the below ACLs I cannot communicate with anything:
ip access-list extended "101"
10 permit ip 192.168.57.0 0.0.0.255 192.168.57.254 0.0.0.0
20 permit ip 192.168.57.0 0.0.0.255 192.168.4.254 0.0.0.0
30 permit ip 192.168.57.0 0.0.0.255 192.168.4.204 0.0.0.0
40 permit ip 192.168.57.0 0.0.0.255 10.1.0.1 0.0.0.0
50 deny ip 192.168.57.0 0.0.0.255 192.168.0.0 0.0.255.255
60 deny ip 192.168.57.0 0.0.0.255 10.1.0.0 0.0.255.255
70 permit ip 192.168.57.0 0.0.0.255 0.0.0.0 255.255.255.255
exit
If I put a "permit ip any any" at the end, it allows all traffic regardless of the two deny entries....
The above ACL is bound to VLAN57 out. I created an ACL with permit ip any any and bound it to VLAN57 in, just in case there was an explicit deny once I applied the outbound rules.
I'm a little out of my depth here as I have never really played with ACLs like this. I'm more of a firewall guy, and the last time I did this kind of ACL work was when I got my CCNA (12 years ago).
Somehow I feel like I'm doing this completely wrong, any help would be appreciated.
Tags: ACLs
06-15-2016 05:47 PM
Re: Issues with ACLs on HP Procurve 5400zl
You need to apply it "in".
It's VLAN57 that is enforcing it; it is looking at traffic coming "in" from ports that are in VLAN57.
06-16-2016 09:04 AM
Re: Issues with ACLs on HP Procurve 5400zl
When you say apply it "in", do you mean I should apply it "in" for the primary VLAN on the switch (in this case VLAN4)?
Everything I am trying doesn't seem to work at all. I'm getting pretty frustrated. Even a simple test to block traffic doesn't work.
Instead of applying the rule to VLAN57 I tried a test on VLAN53:
"deny ip 192.168.57.0/24 192.168.53.0/24
permit ip any any"
I applied this rule to VLAN53, but all traffic still passed from 57. I thought that if one rule is satisfied it skips the rest of the ACL?
06-16-2016 02:01 PM
Re: Issues with ACLs on HP Procurve 5400zl
Apply the ACL in the IN direction of VLAN57.
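To see why the binding direction decides the outcome, here is an added first-match evaluator for the ACL "101" posted in the question; it is example code written for this thread, not anything from HPE or the switch. It assumes a simple model, labelled in the comments, in which an ACL bound "in" on a VLAN sees packets sourced from that VLAN's hosts and an ACL bound "out" sees packets the switch forwards onto that VLAN; entries end with the implicit deny.

```python
import ipaddress

# Assumed model of how a VLAN-bound ACL sees packets (an assumption, not
# switch documentation):
#   "in"  = packets entering the switch from hosts on that VLAN (source in subnet)
#   "out" = packets the switch forwards onto that VLAN (destination in subnet)
VLAN_SUBNETS = {57: ipaddress.ip_network("192.168.57.0/24")}

def wildcard_match(addr, base, wildcard):
    """Wildcard-mask match as used in the post: a 1 bit means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_acl(text):
    """Parse '<seq> permit|deny ip <src> <wc> <dst> <wc>' lines into tuples."""
    acl = []
    for line in text.strip().splitlines():
        seq, action, proto, src, src_wc, dst, dst_wc = line.split()
        acl.append((action, src, src_wc, dst, dst_wc))
    return acl

def evaluate(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, s, s_wc, d, d_wc in acl:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"

def passes(acl, vlan, direction, src, dst):
    """Only packets the binding sees are evaluated; all others are untouched."""
    net = VLAN_SUBNETS[vlan]
    seen = ipaddress.ip_address(src if direction == "in" else dst) in net
    return (not seen) or evaluate(acl, src, dst) == "permit"

def round_trip(acl, vlan, direction, host, peer):
    """A conversation works only if the request and the reply both get through."""
    return passes(acl, vlan, direction, host, peer) and \
           passes(acl, vlan, direction, peer, host)

# ACL "101" exactly as posted in the question.
ACL_101 = parse_acl("""
10 permit ip 192.168.57.0 0.0.0.255 192.168.57.254 0.0.0.0
20 permit ip 192.168.57.0 0.0.0.255 192.168.4.254 0.0.0.0
30 permit ip 192.168.57.0 0.0.0.255 192.168.4.204 0.0.0.0
40 permit ip 192.168.57.0 0.0.0.255 10.1.0.1 0.0.0.0
50 deny ip 192.168.57.0 0.0.0.255 192.168.0.0 0.0.255.255
60 deny ip 192.168.57.0 0.0.0.255 10.1.0.0 0.0.255.255
70 permit ip 192.168.57.0 0.0.0.255 0.0.0.0 255.255.255.255
""")
```

Under this model, `round_trip(ACL_101, 57, "out", "192.168.57.10", "8.8.8.8")` is False because every entry names a 192.168.57.x source and the reply onto VLAN57 has none, so it hits the implicit deny, while the same call with `"in"` is True and `"192.168.53.5"` as the peer is False, which is the intended policy.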