5406zl ACLs HELP!!!

 
AAPP Toledo
Frequent Advisor

5406zl ACLs HELP!!!

Hi to All,

I'm working with an HP ProCurve 5406zl and I need to add an access list for some IPs, but it's impossible, 'cause whenever I apply the ACL to the VLAN the network falls :(.

The LAN's mask is a /22 (255.255.252.0).

Ok... ONLY the following IPs "10.128.180.19, 10.128.180.105 and 10.128.180.41" will have access to 10.128.183.226.

And... ONLY the following IPs "10.128.180.14 and 10.128.180.12" will have access to 10.128.183.227.

How should the ACL be created?

Many thanks in advance and greetings from Spain.
Massimo Poletti_1
Frequent Advisor

Re: 5406zl ACLs HELP!!!

Hi

In my opinion the ACLs work only on inter-VLAN traffic.

In other words, the ACLs filter the traffic that flows from one VLAN to another VLAN (routing must be active on the switch).

The rule you want is more a firewall rule than an ACL.

Does someone else agree with me?

Regards
Massimo
AAPP Toledo
Frequent Advisor

Re: 5406zl ACLs HELP!!!

Hi Massimo...

Yeah... I know... it's a firewall rule... but at my work we don't use a firewall... ALL the traffic passes through a single VLAN (180).

So... this was my 'extended access list':

6 deny ip 0.0.0.0 255.255.255.255 10.128.183.227 0.0.0.0
7 deny ip 0.0.0.0 255.255.255.255 10.128.183.226 0.0.0.0
10 permit ip 10.128.180.41 0.0.0.0 10.128.183.226 0.0.0.0
11 permit ip 10.128.180.105 0.0.0.0 10.128.183.226 0.0.0.0
20 permit ip 10.128.180.14 0.0.0.0 10.128.183.227 0.0.0.0
21 permit ip 10.128.180.12 0.0.0.0 10.128.183.227 0.0.0.0
40 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

And it was applied to the VLAN:

vlan 180
name "PCs Impresoras"
untagged B1-B17,B19-B24,C1-C12,D1,D3,D5,D7,D12-D13,D17
ip address 10.128.180.8 255.255.252.0
tagged Trk1-Trk5,Trk10
ip access-group "Firewall Impresoras" in
ip access-group "Firewall Impresoras" out
ip access-group "Firewall Impresoras" connection-rate-filter
exit


Is this OK? What's wrong?

Thanks a lot in advance....
Massimo Poletti_1
Frequent Advisor

Re: 5406zl ACLs HELP!!!

My experience with ACLs is on the 5300 and I'm not so skilled. The 5400 seems to be a little different.

Anyway, I had a look at the Access Security Guide (K.14.52), page 10-11 (terminology):
the filtered traffic is always inbound on something.

Your traffic is in the same VLAN, so it is not suitable for a RACL or VACL.
In my opinion you should do the task with a static port ACL (page 10-87).

Ciao
Massimo


Pamela Deline
New Member

Re: 5406zl ACLs HELP!!!

The first two lines of your ACL block all traffic. The ACL has hit a match and will not go any further down the ACL. Remove THE FIRST TWO LINES.
AAPP Toledo
Frequent Advisor

Re: 5406zl ACLs HELP!!!

Hi to All,

Thanks for your reply Pamela, but your solution doesn't work :(. I've deleted the first two lines, but all the IPs can reach/ping the 'supposedly restricted IPs' :(.

Thanks a million, Massimo... with your comment I've discovered the 'port-security' command and it sounds really cool... 'cause I can authorize MACs by port and I guess it might be a good solution for what I want.

I'll tell you if it works ;)

Really... many thanks for your collaboration.


Cheers from Madrid.


Mariano.
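The two results reported in this thread (everything blocked with the ACL as posted, everything permitted once lines 6 and 7 are removed) both follow from first-match evaluation of a wildcard-mask ACL. The following Python simulator is an added illustration, not ProCurve code and not something any poster wrote: it replays the ACL exactly as posted above, the version with the first two lines removed, and a reordered version (my suggestion, not from the thread) in which the host-specific permits come first, the "deny any to the protected host" entries come after them, and the catch-all permit stays last. It also adds a permit for 10.128.180.19, which the first post lists but the posted ACL omits. The flow 10.128.180.50 -> 10.128.183.226 is a constructed example of a host that should be blocked. One caveat the simulator cannot show: as Massimo points out, 10.128.180.0/22 covers 10.128.180.0 to 10.128.183.255, so sources and destinations here are all in VLAN 180, and a VACL only sees traffic routed into or out of the VLAN; the ordering fix matters only where the ACL is applied to a point the traffic actually crosses, such as a static port ACL on the source ports.

```python
"""First-match simulator for wildcard-mask ACLs (added example, not from the thread).

Models only the ACE matching order; it does not model where on the switch
(VACL, RACL, static port ACL) the list is applied.
"""
import ipaddress

# ProCurve/Cisco-style wildcard: a 0 bit means "must match", a 1 bit "don't care".
# So "10.128.180.41 0.0.0.0" is one host and "0.0.0.0 255.255.255.255" is any.
def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)

ANY = ("0.0.0.0", "255.255.255.255")

def host(ip: str):
    return (ip, "0.0.0.0")

# Each ACE: (sequence number, action, (src, src_wildcard), (dst, dst_wildcard)).
# Transcribed from the "extended access list" posted in this thread.
ACL_AS_POSTED = [
    (6,  "deny",   ANY,                   host("10.128.183.227")),
    (7,  "deny",   ANY,                   host("10.128.183.226")),
    (10, "permit", host("10.128.180.41"),  host("10.128.183.226")),
    (11, "permit", host("10.128.180.105"), host("10.128.183.226")),
    (20, "permit", host("10.128.180.14"),  host("10.128.183.227")),
    (21, "permit", host("10.128.180.12"),  host("10.128.183.227")),
    (40, "permit", ANY,                   ANY),
]

# Pamela's suggestion: the same list without lines 6 and 7.
ACL_WITHOUT_DENIES = [ace for ace in ACL_AS_POSTED if ace[0] not in (6, 7)]

# Suggested ordering (assumption, not from the thread): specific permits first,
# then deny everyone else to the two protected hosts, then the catch-all permit.
# Line 12 covers 10.128.180.19, which the first post requires but the posted ACL lacks.
ACL_REORDERED = [
    (10, "permit", host("10.128.180.41"),  host("10.128.183.226")),
    (11, "permit", host("10.128.180.105"), host("10.128.183.226")),
    (12, "permit", host("10.128.180.19"),  host("10.128.183.226")),
    (20, "permit", host("10.128.180.14"),  host("10.128.183.227")),
    (21, "permit", host("10.128.180.12"),  host("10.128.183.227")),
    (30, "deny",   ANY,                   host("10.128.183.226")),
    (31, "deny",   ANY,                   host("10.128.183.227")),
    (40, "permit", ANY,                   ANY),
]

def first_match(acl, src: str, dst: str):
    """Return (sequence, action) of the first ACE matching the flow.

    Falls through to (None, "deny"): an ACL ends with an implicit deny."""
    for seq, action, (s_base, s_wc), (d_base, d_wc) in sorted(acl, key=lambda a: a[0]):
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return seq, action
    return None, "deny"

def evaluate(acl, src: str, dst: str) -> str:
    return first_match(acl, src, dst)[1]

def same_vlan(src: str, dst: str, vlan_if: str = "10.128.180.8/22") -> bool:
    """True when both hosts sit in the VLAN interface's subnet (the VACL caveat)."""
    net = ipaddress.ip_interface(vlan_if).network
    return ipaddress.ip_address(src) in net and ipaddress.ip_address(dst) in net

if __name__ == "__main__":
    flows = [("10.128.180.41", "10.128.183.226"),   # allowed by the requirement
             ("10.128.180.50", "10.128.183.226"),   # constructed: should be blocked
             ("10.128.180.41", "10.128.183.227"),   # allowed to .226 only
             ("10.128.180.41", "10.128.181.5")]     # unrelated host: should pass
    for name, acl in [("as posted", ACL_AS_POSTED),
                      ("without 6/7", ACL_WITHOUT_DENIES),
                      ("reordered", ACL_REORDERED)]:
        for src, dst in flows:
            seq, action = first_match(acl, src, dst)
            print(f"{name:12} {src:>15} -> {dst:<15} line {seq}: {action}")
    print("all hosts in VLAN 180 subnet:", same_vlan("10.128.180.41", "10.128.183.226"))
```

Running it shows line 7 catching every flow to 10.128.183.226 in the list as posted, line 40 permitting the constructed 10.128.180.50 flow once lines 6 and 7 are gone, and the reordered list producing the intended per-host result; `same_vlan` confirms why, on a VACL, none of these lists would be consulted for this traffic at all.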