5308xl acls/vlan setup

sutech
Occasional Visitor

5308xl acls/vlan setup

I am trying to get ACLs working on our 5308xl switch to filter traffic to a couple of servers we have located on the switch. The switch is connected by an uplink over a standard Ethernet crossover cable to our core router at the moment.

I have created a couple of ACLs to filter traffic from specific IPs, but this only seems to apply to the management interface IP. I am guessing this is because the box is not performing routing of any kind, so I set up an additional VLAN 2 with an IP/mask of 10.252.252.254 255.255.255.0 and untagged the port I had a laptop on (B24 in this case) for testing. I also set a default gateway of 10.1.1.1 and enabled IP routing. The laptop on VLAN 2 can ping the VLAN 2 gateway but does not route packets past that, and setting a static route for the 10.252.252.0/24 subnet on a machine which is not on the switch and is using 10.1.1.1 does not allow that machine to ping VLAN 2's IP of 10.252.252.254.

I have very little experience with vlans and any help would be much appreciated. Thanks.
Matt Hobbs
Honored Contributor

Re: 5308xl acls/vlan setup

Have you enabled 'ip routing'? It needs to be enabled for ACLs to function on the 5300. ACLs only apply to traffic that is being routed on this switch.

If you can attach your running-config and a quick network map - it would certainly help someone here to give you an answer on this.
sutech
Occasional Visitor

Re: 5308xl acls/vlan setup

; J4819A Configuration Editor; Created on release #E.10.52

hostname "HP ProCurve Switch 5308xl"
module 1 type J4821A
module 4 type J4907A
module 5 type J4907A
module 6 type J4907A
module 3 type J4821A
module 7 type J4878A
module 2 type J4820A

ip default-gateway 10.1.1.1
ip routing
vlan 1
   name "DEFAULT_VLAN"
   untagged A1-A4,B1-B24,C1-C4,D1-D16,E1-E16,F2-F16,G1-G4
   ip address dhcp-bootp
   exit

vlan 2
   name "VLAN 200"
   untagged F1
   ip address 10.252.252.254 255.255.255.0
   exit

------------
The address assigned through DHCP for the switch is 10.3.1.243.
The switch, as stated before, is connected to our core router, where the 10.1.1.1 gateway is also connected.
Thanks again.
Mohieddin Kharnoub
Honored Contributor

Re: 5308xl acls/vlan setup

Hi

When IP routing is enabled on a routing switch, the default gateway is meaningless.

I don't think that with your posted configuration the 5300 can ping your core router 10.1.1.1 unless you add a static route to it, because your VLAN 1 IP is in a different subnet from your core subnet, unless you have a /8 subnet, which also has a problem in this case because it will overlap with your VLAN 2 subnet.

My suggestion is to assign a static IP to your VLAN 1 and be sure it can reach your core, then show us what filters you need by the use of ACLs, where the servers are located (what VLAN), and what exactly you want to filter.

A network map will also help to understand your topology.

Good Luck !!!

Science for Everyone
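The following configuration pulls together the two replies above (ip routing must be on for 5300xl ACLs to apply, and once it is on the default gateway is ignored, so VLAN 1 needs a static address and the switch needs a real route to reach the core). It is an added example written for this page, not a config from the thread or from HP. Everything beyond the thread's own addresses is an assumption: the VLAN 1 mask 255.252.0.0 (10.0.0.0/14) is only a placeholder chosen so that the switch's 10.3.1.243 and the core router's 10.1.1.1 share a connected subnet without overlapping 10.252.252.0/24; the server 10.252.252.10, the permitted client block 10.1.1.0/24 and ACL number 101 are placeholders; the ACL syntax is the 5300xl `ip access-list extended` form and should be checked against the command reference for your release.

```text
; Added example, not from the thread. Placeholders: VLAN 1 mask 255.252.0.0,
; server 10.252.252.10, permitted client block 10.1.1.0/24, ACL number 101.
; Take the real VLAN 1 mask from the DHCP lease or from the core router.

ip routing
no ip default-gateway        ; ignored once ip routing is on; drop it to avoid confusion

vlan 1
   name "DEFAULT_VLAN"
   untagged A1-A4,B1-B24,C1-C4,D1-D16,E1-E16,F2-F16,G1-G4
   ip address 10.3.1.243 255.252.0.0   ; static instead of dhcp-bootp (assumed mask)
   exit

vlan 2
   name "VLAN 200"
   untagged F1
   ip address 10.252.252.254 255.255.255.0
   exit

; With routing on, anything not directly connected needs a route. The next hop
; must lie in a subnet the switch has an address on: 10.1.1.1 is inside VLAN 1's
; assumed 10.0.0.0/14 (10.0.0.0 - 10.3.255.255), which does not overlap VLAN 2.
ip route 0.0.0.0 0.0.0.0 10.1.1.1

; Extended ACL: only 10.1.1.0/24 may reach the server on tcp/443. Every 5300xl
; ACL ends with an implicit "deny ip any any", so nothing else gets through.
ip access-list extended 101
   permit tcp 10.1.1.0 0.0.0.255 host 10.252.252.10 eq 443
   exit

; Apply it to the server VLAN in the outbound direction: this filters packets the
; switch routes INTO VLAN 2, i.e. traffic heading to the servers. ACLs only see
; routed traffic; two hosts inside VLAN 2 talking to each other are not filtered.
vlan 2
   ip access-group 101 out
   exit
```

Two things to check before trusting a ping test. First, the core router must have a route back to 10.252.252.0/24 via the switch's VLAN 1 address (10.3.1.243 here); without it the machine behind 10.1.1.1 can send to 10.252.252.254 but the replies have no path, which matches the failure described in the first post. Second, turning on ip routing makes VLAN 1 and VLAN 2 reachable from each other with no filtering at all until the ACL is applied, and because of the implicit deny the ACL then blocks everything to VLAN 2 that is not explicitly permitted, including the management access you may still need to the servers, so add those permit lines before applying the group.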