- Re: VLAN ACLs
02-03-2017 02:47 AM - edited 02-03-2017 03:16 AM
Hi,
I am trying to restrict traffic on a VLAN using ACLs on a 5400R zl2 switch.
No host on VLAN 210 should have access to hosts on VLAN 1, except host 10.3.2.10.
I have the following configuration:
; J9850A Configuration Editor; Created on release #KB.16.03.0003
; Ver #0f:7f.ff.bb.ff.7c.59.fc.7b.ff.ff.fc.ff.ff.3f.ef:45
hostname "HP-5406Rzl2"
module A type j9990a
module B type j9990a
ip access-list extended "vlan210-acl"
   10 permit ip 0.0.0.0 255.255.255.255 10.3.2.10 0.0.0.0
   20 permit icmp 0.0.0.0 255.255.255.255 10.3.2.10 0.0.0.0
   30 deny ip 0.0.0.0 255.255.255.255 10.3.2.0 255.255.255.0
   40 deny icmp 0.0.0.0 255.255.255.255 10.3.2.0 255.255.255.0
   50 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   60 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
ip route 0.0.0.0 0.0.0.0 10.3.2.1
ip routing
snmp-server community "public" unrestricted
oobm
   ip address dhcp-bootp
   exit
vlan 1
   name "Administration (1)"
   no untagged B1-B9
   untagged A1-A24,B10-B24
   ip address 10.3.2.101 255.255.255.0
   exit
vlan 210
   name "Restricted (210)"
   untagged B1
   tagged B19
   ip access-group "vlan210-acl" in
   ip address 10.200.10.1 255.255.255.0
   dhcp-server
   exit
device-profile name "default-ap-profile"
   cos 0
   exit
dhcp-server pool "vlan210-pool"
   authoritative
   default-router "10.200.10.1"
   dns-server "8.8.8.8,8.8.4.4"
   domain-name "vlan210.pool"
   network 10.200.10.0 255.255.255.0
   range 10.200.10.10 10.200.10.250
   exit
dhcp-server enable
activate software-update disable
activate provision disable
password manager
But when I plug my laptop into a port on VLAN 210 I am able to access all hosts on VLAN 1 despite the ACL :-(
What am I missing?
Mikael, Denmark
ACMX, ACDX, ACCP, CWAP, CWSP, CWNA, MCSA
02-03-2017 11:43 AM
Remember that ACLs use inverse subnet masks; you're doing an AND on the host portion of the subnet. In your example you will not hit rule 30; it will fall through to rule 50 (permit ip any any). The mask for 10.3.2.0/24 is 0.0.0.255. The CLI will translate /24 into 0.0.0.255 (deny ip any 10.3.2.0/24), so I always use the CIDR format when configuring ACLs.
Try:
ip access-list extended "test1"
10 permit ip 0.0.0.0 255.255.255.255 10.3.2.10 0.0.0.0
20 deny ip 0.0.0.0 255.255.255.255 10.3.2.0 0.0.0.255
30 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
When in doubt I will add "log" to the end of the ACE to determine which rules are being hit, then display the statistics for them.
HP-Switch-5406Rzl2(config-ext-nacl)# show statistics aclv4 test1 vlan 210 in
Hit Counts for ACL test1
Total
( 39174 ) 10 permit ip 0.0.0.0 255.255.255.255 10.3.2.10 0.0.0.0 log
( 19587 ) 20 deny ip 0.0.0.0 255.255.255.255 10.3.2.0 0.0.0.255 log
( 0 ) 30 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Also note that your rules 20/40/60 are covered by 10/30/50, respectively.
Hope that helps.
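As an added illustration (this is not code from either poster or from the switch), the following Python models how the switch evaluates these ACEs: rules are tried in sequence order, the first match decides, a 1-bit in the wildcard mask means "don't care", and a packet that matches nothing hits the implicit deny at the end of the list. It runs both the list as originally posted and the corrected "test1" list against a few constructed flows from a VLAN 210 client, and shows why `10.3.2.0 255.255.255.0` only catches a destination whose last octet is 0 while `10.3.2.0 0.0.0.255` catches the whole /24. The sample addresses and the `tcp`/`icmp` protocol labels are constructed for the demonstration.

```python
import ipaddress

# Added example, not code from the thread. Assumed semantics: ACEs are tried
# in sequence order, the first match decides, and an unmatched packet hits
# the implicit deny at the end of the list. Wildcard ("inverse") masks:
# a 1-bit means "don't care", a 0-bit means "must match".


def cidr_to_wildcard(prefix_len: int) -> str:
    """Wildcard mask the CLI derives from /prefix, e.g. 24 -> 0.0.0.255."""
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit the wildcard marks as significant."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF  # 1 = must match
    return (a & care) == (b & care)


def parse_ace(line: str) -> dict:
    """Parse 'SEQ ACTION PROTO SRC SRC_WC DST DST_WC [log]' into a dict."""
    f = line.split()
    return {"seq": int(f[0]), "action": f[1], "proto": f[2],
            "src": f[3], "src_wc": f[4], "dst": f[5], "dst_wc": f[6]}


def parse_acl(text: str) -> list:
    """Parse one ACE per non-empty line, in the order given."""
    return [parse_ace(l) for l in text.strip().splitlines()]


def first_match(acl: list, proto: str, src: str, dst: str):
    """Return (seq, action) of the first matching ACE, or (None, 'deny')."""
    for ace in acl:
        # "ip" covers every IP protocol; otherwise the protocol must match.
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if (wildcard_match(src, ace["src"], ace["src_wc"])
                and wildcard_match(dst, ace["dst"], ace["dst_wc"])):
            return ace["seq"], ace["action"]
    return None, "deny"  # implicit deny at the end of every ACL


# The list as originally posted: rule 30 uses a subnet mask where a wildcard
# mask was intended, so it only matches destinations whose last octet is 0.
ORIGINAL_ACL = parse_acl("""
10 permit ip 0.0.0.0 255.255.255.255 10.3.2.10 0.0.0.0
20 permit icmp 0.0.0.0 255.255.255.255 10.3.2.10 0.0.0.0
30 deny ip 0.0.0.0 255.255.255.255 10.3.2.0 255.255.255.0
40 deny icmp 0.0.0.0 255.255.255.255 10.3.2.0 255.255.255.0
50 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
60 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
""")

# The corrected list from the reply ("test1"): 0.0.0.255 covers all of 10.3.2.0/24.
CORRECTED_ACL = parse_acl("""
10 permit ip 0.0.0.0 255.255.255.255 10.3.2.10 0.0.0.0
20 deny ip 0.0.0.0 255.255.255.255 10.3.2.0 0.0.0.255
30 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
""")

if __name__ == "__main__":
    # Constructed sample flows from a VLAN 210 client toward VLAN 1.
    src = "10.200.10.50"
    print("wildcard for /24:", cidr_to_wildcard(24))
    for dst in ("10.3.2.10", "10.3.2.101", "10.3.2.0"):
        print(f"{src} -> {dst}: original={first_match(ORIGINAL_ACL, 'tcp', src, dst)}"
              f" corrected={first_match(CORRECTED_ACL, 'tcp', src, dst)}")
```

Running it shows the original list permitting traffic to 10.3.2.101 via rule 50 while still denying 10.3.2.0 via rule 30, which is the symptom the question describes; the corrected list denies everything in the /24 at rule 20 except the 10.3.2.10 exception at rule 10.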
02-03-2017 03:30 PM
Re: VLAN ACLs
and it works!
Thanks, Michael, for a quick and excellent response!
Mikael, Denmark
ACMX, ACDX, ACCP, CWAP, CWSP, CWNA, MCSA