
Issues with ACL's on HP Procurve 5400zl

CWard1983
Occasional Visitor

A series of different requirements has ended with me having to apply some restrictive ACLs on my HP switch. Generally I leave all the security to my firewalls, but in this scenario I need to restrict access on the switch.

The switch has a bunch of VLANs that can talk to each other, with a firewall passing the traffic down the line.

To give some basic background, the VLAN I want to restrict is 57 (192.168.57.0/24)

Primary VLAN is 4 (192.168.4.0/24)

The default gateway for VLAN57 is 192.168.57.254, which is on the HP switch, with a route 0.0.0.0/0 pointing at the firewall's IP of 192.168.4.204.

I want VLAN57 to be able to get out to the internet without being able to talk to any other VLANs.

When I apply the below ACLs I cannot communicate with anything.

ip access-list extended "101"
10 permit ip 192.168.57.0 0.0.0.255 192.168.57.254 0.0.0.0
20 permit ip 192.168.57.0 0.0.0.255 192.168.4.254 0.0.0.0
30 permit ip 192.168.57.0 0.0.0.255 192.168.4.204 0.0.0.0
40 permit ip 192.168.57.0 0.0.0.255 10.1.0.1 0.0.0.0
50 deny ip 192.168.57.0 0.0.0.255 192.168.0.0 0.0.255.255
60 deny ip 192.168.57.0 0.0.0.255 10.1.0.0 0.0.255.255
70 permit ip 192.168.57.0 0.0.0.255 0.0.0.0 255.255.255.255
exit

If I put a "permit ip any any" at the end, it allows all traffic regardless of the two deny entries.

The above ACL is bound to VLAN57 out. I created an ACL with "permit ip any any" and bound it to VLAN57 in, just in case there was an explicit deny once I applied the outbound rules.

I'm a little out of my depth here, as I have never really played with ACLs like this. I'm more of a firewall guy, and the last time I did this kind of ACL work was when I got my CCNA (12 years ago).

Somehow I feel like I'm doing this completely wrong, any help would be appreciated.

3 REPLIES
Vince-Whirlwind
Honored Contributor

Re: Issues with ACL's on HP Procurve 5400zl

You need to apply it "in".

It's VLAN57 that is enforcing it; it is looking at traffic coming "in" from ports that are in VLAN57.

CWard1983
Occasional Visitor

Re: Issues with ACL's on HP Procurve 5400zl

When you say apply it "in", do you mean I should apply it "in" on the primary VLAN on the switch (in this case VLAN4)?

Everything I am trying doesn't seem to work at all. I'm getting pretty frustrated. Even a simple test to block traffic doesn't work.

Instead of applying the rule to VLAN57, I tried a test on VLAN53:

deny ip 192.168.57.0/24 192.168.53.0/24
permit ip any any

I applied this rule to VLAN53, but all traffic still passed from 57. I thought that if one rule is satisfied it skips the rest of the ACL?

16again
Respected Contributor

Re: Issues with ACL's on HP Procurve 5400zl

Apply the ACL in the "in" direction on VLAN57.
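As an added example (editor's note, not posted by anyone in this thread), this is what the two replies amount to in ProVision CLI terms, using the VLAN IDs and addresses from the original post. The point to understand is direction: a routed ACL bound to VLAN 57 "out" only inspects traffic being routed into VLAN 57 (destination 192.168.57.x), so no entry with source 192.168.57.0/24 can ever match and the implicit deny at the end of the list drops everything, which is exactly the symptom described. Bound "in", the list sees traffic from 192.168.57.0/24 as it enters the routing engine, which is where the source-based entries apply. The `show` commands are ProVision commands for checking the binding and the per-entry hit counters; verify them against the software release on the switch.

```text
; Added example, not the poster's own configuration.
; 1. Remove the outbound binding on VLAN 57. Outbound on this VLAN only
;    sees routed traffic *destined* for 192.168.57.x, so the source-based
;    entries in ACL 101 never match and the implicit "deny any" wins.
vlan 57
   no ip access-group "101" out
   exit

; 2. The ACL itself is unchanged from the post. Entries are evaluated in
;    order and processing stops at the first match; 10-40 are the host
;    exceptions (gateway, VLAN 4 gateway, firewall, 10.1.0.1), 50-60 block
;    the rest of the internal ranges, 70 lets everything else (internet) out.
ip access-list extended "101"
   10 permit ip 192.168.57.0 0.0.0.255 192.168.57.254 0.0.0.0
   20 permit ip 192.168.57.0 0.0.0.255 192.168.4.254 0.0.0.0
   30 permit ip 192.168.57.0 0.0.0.255 192.168.4.204 0.0.0.0
   40 permit ip 192.168.57.0 0.0.0.255 10.1.0.1 0.0.0.0
   50 deny ip 192.168.57.0 0.0.0.255 192.168.0.0 0.0.255.255
   60 deny ip 192.168.57.0 0.0.0.255 10.1.0.0 0.0.255.255
   70 permit ip 192.168.57.0 0.0.0.255 0.0.0.0 255.255.255.255
   exit

; 3. Bind it inbound on VLAN 57, where traffic sourced from
;    192.168.57.0/24 enters the switch's routing engine.
vlan 57
   ip access-group "101" in
   exit

; 4. Confirm the binding, then generate test traffic from a host in
;    192.168.57.0/24 and watch which entry the counters increment on.
show access-list vlan 57
show statistics aclv4 101 vlan 57 in
```

Two caveats a practitioner would want before relying on this. First, these ACLs are stateless: the inbound list on VLAN 57 stops hosts in 192.168.57.0/24 from initiating to 192.168.0.0/16 and 10.1.0.0/16, but it does nothing to stop a host in another VLAN from initiating a connection into VLAN 57, since that traffic never enters the switch on VLAN 57; if that also has to be blocked, it needs a rule on those VLANs or on the firewall. Second, a routed ACL only filters traffic that is routed; hosts inside VLAN 57 can still talk to each other at layer 2 regardless of what the list says.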