Switches, Hubs, and Modems
ACL for VLANS on a Procurve 5406zl

James Hatch
Occasional Visitor

ACL for VLANS on a Procurve 5406zl

I am trying to set up some ACLs for the above switch to take over routing duties from an aging Cisco router. We have two VLANs, "Staff" and "Student"; the Staff VLAN should have full access to the Student VLAN. The Student VLAN should be denied access to the Staff VLAN, except for student servers with static IPs, which I presume will need listing in the ACL?
This is our current config:

; J8697A Configuration Editor; Created on release #K.14.41

hostname "ProCurve Switch 5406zl"
module 1 type J8705A
module 2 type J8706A
interface A21
speed-duplex 1000-full
exit
interface A22
flow-control
exit
interface A23
flow-control
exit
interface B2
speed-duplex 1000-full
exit
interface B3
speed-duplex 1000-full
exit
interface B5
flow-control
exit
interface B9
speed-duplex 1000-full
exit
interface B10
flow-control
exit
ip default-gateway 172.30.7.253
ip routing
vlan 1
name "DEFAULT_VLAN"
untagged A12,A21-A24,B5-B24
ip address 192.168.0.1 255.255.255.0
no untagged A1-A11,A13-A20,B1-B4
exit
vlan 2
name "Student"
untagged A1,A3-A4,A6-A9,A16
ip address 172.30.11.252 255.255.252.0
tagged A5,A10-A12,A21-A24,B2-B12
exit
vlan 3
name "Staff"
untagged A2,A13-A15,A17-A20,B1
ip address 172.30.7.252 255.255.252.0
tagged A5,A10-A12,A21-A24,B2-B12
exit
fault-finder bad-driver sensitivity high
fault-finder bad-transceiver sensitivity high
fault-finder bad-cable sensitivity high
fault-finder too-long-cable sensitivity high
fault-finder over-bandwidth sensitivity high
fault-finder broadcast-storm sensitivity high
fault-finder loss-of-link sensitivity high
fault-finder duplex-mismatch-HDx sensitivity high
fault-finder duplex-mismatch-FDx sensitivity high
no ip ssh
snmp-server community "public" unrestricted
snmp-server host 172.30.4.33 "public"
snmp-server host 172.30.4.19 "public"
password manager
password operator


Any help would be greatly appreciated!!
6 REPLIES
Michael_Breuer
Esteemed Contributor

Re: ACL for VLANS on a Procurve 5406zl

Hi James,

your requirements can be accomplished using an extended access-list. Check out the "Advanced Access Security Guide" for your routing switch and create an ACL like this.

For unidirectional connection setup you can use the "established" option in the extended ACL:

ProCurve(config)# ip access-list extended < name-str | 100-199 >
ProCurve(config-ext-nacl)# < deny | permit >
< ip | ip-protocol | ip-protocol-nbr >
< any | host < SA > | SA/< mask-length > | SA < mask > >
< any | host < DA > | DA/< mask-length > | DA < mask > >
[ tcp | udp ]
< any | host < SA > | SA/< mask-length > | SA < mask > >
[comparison-operator < value >]
< any | host < DA > | DA/< mask-length > | DA < mask > >
[comparison-operator < value >]
[established]
< igmp >
< any | host < SA > | SA/< mask-length > | SA < mask > >
< any | host < DA > | DA/< mask-length > | DA < mask > >
[ igmp-packet-type ]
< icmp >
< any | host < SA > | SA/< mask-length > | SA < mask > >
< any | host < DA > | DA/< mask-length > | DA < mask > >
[ [< 0 - 255 > [ 0 - 255 ] ] | icmp-message ]
[precedence < priority >]
[tos < tos-setting >]
[log]

see: http://cdn.procurve.com/training/Manuals/3500-5400-6200-6600-8200-ATG-Mar10-K_14_52.pdf

Cheers,

Michael


Ingentive Networks GmbH
James Hatch
Occasional Visitor

Re: ACL for VLANS on a Procurve 5406zl

Thanks for the response, Michael.
I am able to create an ACL, but am still puzzled how you then apply it to a specific VLAN?

Thanks
Michael_Breuer
Esteemed Contributor

Re: ACL for VLANS on a Procurve 5406zl

Hi James,

each access-list needs to be applied to a VLAN interface to become active:

i.e.

access-list "ACL_10_IN" should be applied in the inbound direction on VLAN 10:

vlan 10
ip access-group "ACL_10_IN" in

Cheers,

Michael

Ingentive Networks GmbH
James Hatch
Occasional Visitor

Re: ACL for VLANS on a Procurve 5406zl

Thanks Michael,
I have created the following config and it uploaded OK; unfortunately I only have the one switch of this kind and it's on a live network, so testing time is limited. Before I book downtime, does it look OK?

; J8697A Configuration Editor; Created on release #K.14.41

hostname "ProCurve Switch 5406zl"
ip access-list extended "ToAdmin"
10 remark "Allow pupilfserv to Admin"
10 permit ip 172.30.11.165 0.0.0.0 172.30.4.0 0.0.3.255
15 remark "Allow activman to Admin"
15 permit ip 172.30.11.139 0.0.0.0 172.30.4.0 0.0.3.255
20 remark "Allow epsonserver to Admin"
20 permit ip 172.30.11.152 0.0.0.0 172.30.4.0 0.0.3.255
25 remark "Allow WEBserver to Admin"
25 permit ip 172.30.11.141 0.0.0.0 172.30.4.0 0.0.3.255
30 remark "Allow DCacademic1 to Admin"
30 permit ip 172.30.11.166 0.0.0.0 172.30.4.0 0.0.3.255
35 remark "Allow DCacademic2 to Admin"
35 permit ip 172.30.11.160 0.0.0.0 172.30.4.0 0.0.3.255
40 remark "Allow vdivcenter to Admin"
40 permit ip 172.30.11.187 0.0.0.0 172.30.4.0 0.0.3.255
45 remark "Allow FSERVER to Admin"
45 permit ip 172.30.11.145 0.0.0.0 172.30.4.0 0.0.3.255
50 remark "Allow PRINTSERVER to Admin"
50 permit ip 172.30.11.146 0.0.0.0 172.30.4.0 0.0.3.255
55 remark "Allow Expresso to Admin"
55 permit ip 172.30.11.147 0.0.0.0 172.30.4.0 0.0.3.255
60 remark "Allow AppServ to Admin"
60 permit ip 172.30.11.149 0.0.0.0 172.30.4.0 0.0.3.255
65 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
ip access-list extended "ToAcademic"
10 remark "Allow to Academic"
10 permit ip 172.30.4.0 0.0.3.255 172.30.8.0 0.0.3.255
20 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
module 1 type J8705A
module 2 type J8706A
interface A7
flow-control
exit
interface A15
flow-control
exit
interface A21
speed-duplex 1000-full
exit
interface A22
flow-control
exit
interface A23
flow-control
exit
interface B2
speed-duplex 1000-full
exit
interface B3
speed-duplex 1000-full
exit
interface B5
flow-control
exit
interface B9
speed-duplex 1000-full
exit
interface B10
flow-control
exit
interface B12
flow-control
exit
ip default-gateway 172.30.7.252
ip routing
no ip source-route
vlan 1
name "DEFAULT_VLAN"
untagged A12,A21-A24,B5-B24
ip address 192.168.0.1 255.255.255.0
no untagged A1-A11,A13-A20,B1-B4
exit
vlan 2
name "Student"
untagged A1-A9
ip address 172.30.11.252 255.255.252.0
tagged A10-A12,A21-A24,B2-B12
ip access-group "ToAdmin" in
exit
vlan 3
name "Staff"
untagged A13-A20,B1
ip address 172.30.7.252 255.255.252.0
tagged A10-A12,A21-A24,B2-B12
ip access-group "ToAcademic" in
exit
fault-finder bad-driver sensitivity high
fault-finder bad-transceiver sensitivity high
fault-finder bad-cable sensitivity high
fault-finder too-long-cable sensitivity high
fault-finder over-bandwidth sensitivity high
fault-finder broadcast-storm sensitivity high
fault-finder loss-of-link sensitivity high
fault-finder duplex-mismatch-HDx sensitivity high
fault-finder duplex-mismatch-FDx sensitivity high
mirror 1 port A1
no ip ssh
interface B12
monitor all both mirror 1
exit
snmp-server community "public" unrestricted
snmp-server host 172.30.4.33 "public"
snmp-server host 172.30.4.19 "public"
snmp-server contact "ICT Services" location "SS Server Room"
primary-vlan 3
management-vlan 1
password manager
password operator
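The block below is an added example, not part of the thread and not HP code. It is a small Python model of how a ProCurve extended ACL is evaluated (stateless, first match wins, implicit `deny ip any any` at the end, `established` matching only TCP segments with the ACK or RST flag set) and it replays constructed flows through the two ACLs posted above, with "ToAdmin" inbound on VLAN 2 (Student, 172.30.8.0/22) and "ToAcademic" inbound on VLAN 3 (Staff, 172.30.4.0/22). Note that an inbound `ip access-group` on a VLAN filters IP traffic that enters the switch on that VLAN and is routed to another VLAN (or addressed to the switch itself); traffic switched between two ports of the same VLAN is not inspected. Two things fall out when the posted ACLs are checked against the stated policy (staff full access to students, students blocked from staff except the listed servers). First, "ToAdmin" drops the reply half of every TCP session a staff machine opens to a student host that is not in the list, because the student-to-staff direction only permits the listed sources; this is exactly what the `established` option from the first reply is for. Second, both ACLs end in an explicit deny-all, so any routed traffic that is not staff-to-student or listed-server-to-staff, including anything heading for the default route, is dropped on both VLANs. The `FIXED_*` ACL text is the editor's proposal, not something posted in the thread; the sample hosts and the 203.0.113.7 "Internet" address are made up inside the thread's subnets.

```python
"""Stateless first-match replay of ProCurve-style extended ACLs. Added example, not code from
the thread or from HP; sample hosts are made up inside the thread's two /22 subnets."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"   # ip | tcp | udp | icmp
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK/RST flag set: the only thing 'established' can test

# src/dst are predicates over an IPv4Address; sport/dport are None when no 'eq' was given
Rule = namedtuple("Rule", "action proto src dst sport dport established")

def _addr(tok):
    """Consume one address spec (any | host A | A/len | A wildcard); return (predicate, rest)."""
    if tok[0] == "any":
        return (lambda ip: True), tok[1:]
    if tok[0] == "host":
        return (lambda ip, h=ipaddress.ip_address(tok[1]): ip == h), tok[2:]
    if "/" in tok[0]:
        return (lambda ip, n=ipaddress.ip_network(tok[0], strict=False): ip in n), tok[1:]
    base = int(ipaddress.ip_address(tok[0]))                # ProCurve ACL mask is a wildcard:
    care = ~int(ipaddress.ip_address(tok[1])) & 0xFFFFFFFF  # 0 bit = must match, 1 = don't care
    return (lambda ip, b=base, c=care: int(ip) & c == b & c), tok[2:]

def _port(tok):
    """Optional 'eq <port>' comparison (the only operator needed here)."""
    return (int(tok[1]), tok[2:]) if tok[:1] == ["eq"] else (None, tok)

def parse_acl(text: str) -> List[Rule]:
    """Parse 'N permit|deny proto src [eq p] dst [eq p] [established]' lines; skip the rest."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        tok = tok[1:] if tok and tok[0].isdigit() else tok      # drop sequence number
        if not tok or tok[0] not in ("permit", "deny"):
            continue                                            # remark / header / exit / blank
        action, proto, rest = tok[0], tok[1], tok[2:]
        src, rest = _addr(rest)
        sport, rest = _port(rest) if proto in ("tcp", "udp") else (None, rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest) if proto in ("tcp", "udp") else (None, rest)
        rules.append(Rule(action, proto, src, dst, sport, dport, "established" in rest))
    return rules

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching entry wins; a ProCurve ACL ends in an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if (r.proto != "ip" and r.proto != pkt.proto) or not (r.src(s) and r.dst(d)):
            continue
        if r.sport not in (None, pkt.sport) or r.dport not in (None, pkt.dport):
            continue
        if r.established and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return r.action
    return "deny"

# Representative lines of the ACLs as posted: ToAdmin is 'in' on VLAN 2 (Student,
# 172.30.8.0/22), ToAcademic is 'in' on VLAN 3 (Staff, 172.30.4.0/22).
POSTED_TO_ADMIN = """
10 permit ip 172.30.11.165 0.0.0.0 172.30.4.0 0.0.3.255
65 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""
POSTED_TO_ACADEMIC = """
10 permit ip 172.30.4.0 0.0.3.255 172.30.8.0 0.0.3.255
20 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""
# Editor's proposed replacement (not from the thread): same policy, but TCP replies from
# any student host to a session staff opened are let through, and routed traffic that is
# not aimed at the staff subnet (e.g. the default route) is no longer dropped.
FIXED_TO_ADMIN = """
10 permit ip host 172.30.11.165 172.30.4.0/22
100 permit tcp 172.30.8.0/22 172.30.4.0/22 established
110 deny ip 172.30.8.0/22 172.30.4.0/22
120 permit ip any any
"""
FIXED_TO_ACADEMIC = "10 permit ip any any"   # staff has full access: no ACL needed on VLAN 3

# Constructed flows: (VLAN the packet enters on, packet). 203.0.113.7 stands in for the Internet.
STAFF_PC, STAFF_SRV, STUDENT_PC, STUDENT_SRV = "172.30.5.10", "172.30.4.50", "172.30.9.20", "172.30.11.165"
FLOWS = {
    "staff_rdp_to_student_pc":   ("staff",   Packet(STAFF_PC, STUDENT_PC, "tcp", 51000, 3389)),
    "student_pc_rdp_reply":      ("student", Packet(STUDENT_PC, STAFF_PC, "tcp", 3389, 51000, ack=True)),
    "student_pc_to_staff_share": ("student", Packet(STUDENT_PC, STAFF_SRV, "tcp", 51001, 445)),
    "student_server_to_staff":   ("student", Packet(STUDENT_SRV, STAFF_SRV, "tcp", 51002, 445)),
    "student_pc_to_internet":    ("student", Packet(STUDENT_PC, "203.0.113.7", "tcp", 51003, 443)),
    "staff_pc_to_internet":      ("staff",   Packet(STAFF_PC, "203.0.113.7", "tcp", 51004, 443)),
}

def check_policy(to_admin: str, to_academic: str) -> Dict[str, str]:
    """Return {flow: 'permit'|'deny'} with to_admin inbound on Student and to_academic on Staff."""
    acl = {"student": parse_acl(to_admin), "staff": parse_acl(to_academic)}
    return {name: evaluate(acl[vlan], pkt) for name, (vlan, pkt) in FLOWS.items()}
```

Calling `check_policy(POSTED_TO_ADMIN, POSTED_TO_ACADEMIC)` returns deny for `student_pc_rdp_reply`, `student_pc_to_internet` and `staff_pc_to_internet`; `check_policy(FIXED_TO_ADMIN, FIXED_TO_ACADEMIC)` permits those three and still denies `student_pc_to_staff_share`. Three caveats for anyone carrying the proposed ACL to the real switch. `established` only covers TCP: UDP and ICMP replies from student hosts to staff (DNS answers, ping replies) are still caught by the deny unless explicit entries such as `permit icmp 172.30.8.0/22 172.30.4.0/22` are placed before it. The trailing `permit ip any any` only helps if the switch actually has a default route: once `ip routing` is enabled the switch does not use `ip default-gateway` (and the posted value 172.30.7.252 is the switch's own VLAN 3 address), so an `ip route 0.0.0.0 0.0.0.0 <upstream router>` entry is needed. Finally, the same config leaves `snmp-server community "public" unrestricted` (a read-write community under the default name) and `no ip ssh`; inter-VLAN ACLs do nothing about the management plane, so those are worth changing in the same maintenance window.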
James Hatch
Occasional Visitor

Re: ACL for VLANS on a Procurve 5406zl

I still have yet to test the config, anyone see any problems with it?
Michael_Breuer
Esteemed Contributor

Re: ACL for VLANS on a Procurve 5406zl

Hello James,

can't see any problems, should be fine.

Cheers,

Michael
Ingentive Networks GmbH