11-23-2010 09:09 AM
ACL for VLANS on a Procurve 5406zl
This is our current config:
; J8697A Configuration Editor; Created on release #K.14.41
hostname "ProCurve Switch 5406zl"
module 1 type J8705A
module 2 type J8706A
interface A21
speed-duplex 1000-full
exit
interface A22
flow-control
exit
interface A23
flow-control
exit
interface B2
speed-duplex 1000-full
exit
interface B3
speed-duplex 1000-full
exit
interface B5
flow-control
exit
interface B9
speed-duplex 1000-full
exit
interface B10
flow-control
exit
ip default-gateway 172.30.7.253
ip routing
vlan 1
name "DEFAULT_VLAN"
untagged A12,A21-A24,B5-B24
ip address 192.168.0.1 255.255.255.0
no untagged A1-A11,A13-A20,B1-B4
exit
vlan 2
name "Student"
untagged A1,A3-A4,A6-A9,A16
ip address 172.30.11.252 255.255.252.0
tagged A5,A10-A12,A21-A24,B2-B12
exit
vlan 3
name "Staff"
untagged A2,A13-A15,A17-A20,B1
ip address 172.30.7.252 255.255.252.0
tagged A5,A10-A12,A21-A24,B2-B12
exit
fault-finder bad-driver sensitivity high
fault-finder bad-transceiver sensitivity high
fault-finder bad-cable sensitivity high
fault-finder too-long-cable sensitivity high
fault-finder over-bandwidth sensitivity high
fault-finder broadcast-storm sensitivity high
fault-finder loss-of-link sensitivity high
fault-finder duplex-mismatch-HDx sensitivity high
fault-finder duplex-mismatch-FDx sensitivity high
no ip ssh
snmp-server community "public" unrestricted
snmp-server host 172.30.4.33 "public"
snmp-server host 172.30.4.19 "public"
password manager
password operator
Any help would be greatly appreciated!!
11-23-2010 11:27 AM
Re: ACL for VLANS on a Procurve 5406zl
Your requirements can be accomplished using an extended access-list. Check out the "Advanced Access Security Guide" for your routing switch and create an ACL like this.
For a unidirectional connection setup you can use the "established" option in the extended ACL:
ProCurve(config)# ip access-list extended < name-str | 100-199 >
ProCurve(config-ext-nacl)# < deny | permit >
   < ip | ip-protocol | ip-protocol-nbr >
      < any | host < SA > | SA/< mask-length > | SA < mask >>
      < any | host < DA > | DA/< mask-length > | DA < mask >>
   < tcp | udp >
      < any | host < SA > | SA/< mask-length > | SA < mask >> [comparison-operator < value >]
      < any | host < DA > | DA/< mask-length > | DA < mask >> [comparison-operator < value >]
      [established]
   < igmp >
      < any | host < SA > | SA/< mask-length > | SA < mask >>
      < any | host < DA > | DA/< mask-length > | DA < mask >>
      [ igmp-packet-type ]
   < icmp >
      < any | host < SA > | SA/< mask-length > | SA < mask >>
      < any | host < DA > | DA/< mask-length > | DA < mask >>
      [ [< 0 - 255 > [ 0 - 255 ] ] | icmp-message ]
   [precedence < priority >]
   [tos < tos-setting >]
   [log]
see: http://cdn.procurve.com/training/Manuals/3500-5400-6200-6600-8200-ATG-Mar10-K_14_52.pdf
Cheers,
Michael
11-24-2010 04:46 AM
Re: ACL for VLANS on a Procurve 5406zl
I am able to create an ACL, but am still puzzled how you then apply it to a specific VLAN?
Thanks
11-24-2010 05:20 AM
Re: ACL for VLANS on a Procurve 5406zl
Each access-list needs to be applied to a VLAN interface to become active:
i.e.
access-list "ACL_10_in" should be applied in the inbound direction on VLAN 10:
vlan 10
   ip access-group "ACL_10_in" in
   exit
Cheers,
Michael
11-29-2010 02:22 AM
Re: ACL for VLANS on a Procurve 5406zl
I have created the following config and it uploaded OK. Unfortunately I only have the one switch of this kind and it's on a live network, so testing time is limited. Before I book downtime, does it look OK?
; J8697A Configuration Editor; Created on release #K.14.41
hostname "ProCurve Switch 5406zl"
ip access-list extended "ToAdmin"
10 remark "Allow pupilfserv to Admin"
10 permit ip 172.30.11.165 0.0.0.0 172.30.4.0 0.0.3.255
15 remark "Allow activman to Admin"
15 permit ip 172.30.11.139 0.0.0.0 172.30.4.0 0.0.3.255
20 remark "Allow epsonserver to Admin"
20 permit ip 172.30.11.152 0.0.0.0 172.30.4.0 0.0.3.255
25 remark "Allow WEBserver to Admin"
25 permit ip 172.30.11.141 0.0.0.0 172.30.4.0 0.0.3.255
30 remark "Allow DCacademic1 to Admin"
30 permit ip 172.30.11.166 0.0.0.0 172.30.4.0 0.0.3.255
35 remark "Allow DCacademic2 to Admin"
35 permit ip 172.30.11.160 0.0.0.0 172.30.4.0 0.0.3.255
40 remark "Allow vdivcenter to Admin"
40 permit ip 172.30.11.187 0.0.0.0 172.30.4.0 0.0.3.255
45 remark "Allow FSERVER to Admin"
45 permit ip 172.30.11.145 0.0.0.0 172.30.4.0 0.0.3.255
50 remark "Allow PRINTSERVER to Admin"
50 permit ip 172.30.11.146 0.0.0.0 172.30.4.0 0.0.3.255
55 remark "Allow Expresso to Admin"
55 permit ip 172.30.11.147 0.0.0.0 172.30.4.0 0.0.3.255
60 remark "Allow AppServ to Admin"
60 permit ip 172.30.11.149 0.0.0.0 172.30.4.0 0.0.3.255
65 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
ip access-list extended "ToAcademic"
10 remark "Allow to Academic"
10 permit ip 172.30.4.0 0.0.3.255 172.30.8.0 0.0.3.255
20 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
module 1 type J8705A
module 2 type J8706A
interface A7
flow-control
exit
interface A15
flow-control
exit
interface A21
speed-duplex 1000-full
exit
interface A22
flow-control
exit
interface A23
flow-control
exit
interface B2
speed-duplex 1000-full
exit
interface B3
speed-duplex 1000-full
exit
interface B5
flow-control
exit
interface B9
speed-duplex 1000-full
exit
interface B10
flow-control
exit
interface B12
flow-control
exit
ip default-gateway 172.30.7.252
ip routing
no ip source-route
vlan 1
name "DEFAULT_VLAN"
untagged A12,A21-A24,B5-B24
ip address 192.168.0.1 255.255.255.0
no untagged A1-A11,A13-A20,B1-B4
exit
vlan 2
name "Student"
untagged A1-A9
ip address 172.30.11.252 255.255.252.0
tagged A10-A12,A21-A24,B2-B12
ip access-group "ToAdmin" in
exit
vlan 3
name "Staff"
untagged A13-A20,B1
ip address 172.30.7.252 255.255.252.0
tagged A10-A12,A21-A24,B2-B12
ip access-group "ToAcademic" in
exit
fault-finder bad-driver sensitivity high
fault-finder bad-transceiver sensitivity high
fault-finder bad-cable sensitivity high
fault-finder too-long-cable sensitivity high
fault-finder over-bandwidth sensitivity high
fault-finder broadcast-storm sensitivity high
fault-finder loss-of-link sensitivity high
fault-finder duplex-mismatch-HDx sensitivity high
fault-finder duplex-mismatch-FDx sensitivity high
mirror 1 port A1
no ip ssh
interface B12
monitor all both mirror 1
exit
snmp-server community "public" unrestricted
snmp-server host 172.30.4.33 "public"
snmp-server host 172.30.4.19 "public"
snmp-server contact "ICT Services" location "SS Server Room"
primary-vlan 3
management-vlan 1
password manager
password operator
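Before booking downtime, the two lists in the config above can be checked offline. The script below is an added example for this thread, not code from any of the posters or from HP: it parses extended ACL entries in the form the 5406zl prints them in running-config (`any`, `host A.B.C.D`, `A.B.C.D/len`, `A.B.C.D wildcard`, the `eq`/`neq`/`lt`/`gt`/`range` port tests and `established`), applies the switch's first-match rule with the implicit deny at the end, and reports which entry a given flow hits. It serves both Michael's syntax summary and the applied config: the embedded ACL text is taken from the posted "ToAdmin" (entries 10, 15 and 65) and "ToAcademic" lists, while the "Student-replies-only" list, the port numbers and the hosts outside the posted lists (172.30.11.100, 172.30.11.166, 192.168.0.50) are constructed for the example. `established` is TCP-only and matches segments with ACK or RST set, which is what gives the one-way setup Michael mentions. One point the evaluator makes visible: a list applied `in` on VLAN 2 is matched against packets arriving from hosts on the Student VLAN that the switch routes onward, so "ToAdmin" governs what those hosts may open, and its closing `deny` drops every other routed flow from that VLAN, not only flows towards 172.30.4.0/22.

```python
"""Offline evaluator for ProCurve-style extended IP ACLs (added example, not switch code)."""
import ipaddress
from collections import namedtuple
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF
# Port tests the ACL syntax allows; the value tuple has two entries only for "range".
PORT_OPS = {"eq": lambda p, v: p == v[0], "neq": lambda p, v: p != v[0],
            "lt": lambda p, v: p < v[0], "gt": lambda p, v: p > v[0],
            "range": lambda p, v: v[0] <= p <= v[1]}
# One ACL entry; src/dst are (base, wildcard) pairs where a wildcard bit of 1 means don't care.
Rule = namedtuple("Rule", "seq action proto src dst sport dport established")
# A packet to test; ack is True when a TCP segment carries ACK or RST.
Flow = namedtuple("Flow", "src dst proto sport dport ack", defaults=("ip", 0, 0, False))


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tok: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Address term at tok[i]: any | host A.B.C.D | A.B.C.D/len | A.B.C.D W.W.W.W (wildcard)."""
    if tok[i] == "any":
        return (0, MASK32), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    if "/" in tok[i]:
        net = ipaddress.IPv4Network(tok[i], strict=False)
        return (int(net.network_address), int(net.hostmask)), i + 1
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def _parse_port(tok: List[str], i: int) -> Tuple[Optional[tuple], int]:
    """Optional port test after an address term, e.g. 'eq 53' or 'range 1024 65535'."""
    if i < len(tok) and tok[i] in PORT_OPS:
        n = 2 if tok[i] == "range" else 1
        return (tok[i], tuple(int(v) for v in tok[i + 1:i + 1 + n])), i + 1 + n
    return None, i


def _addr_match(term: Tuple[int, int], addr: int) -> bool:
    base, wild = term
    return (addr & ~wild & MASK32) == (base & ~wild & MASK32)


def parse_acl(text: str) -> List[Rule]:
    """Keep permit/deny entries; skip the 'ip access-list' header, remarks and exit."""
    rules: List[Rule] = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        seq = int(tok.pop(0)) if tok[0].isdigit() else (rules[-1].seq + 10 if rules else 10)
        if tok[0] not in ("permit", "deny"):
            continue
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        rules.append(Rule(seq, tok[0], tok[1], src, dst, sport, dport, "established" in tok[i:]))
    return rules


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[int]]:
    """First match wins; returns (action, seq), seq None for the implicit deny at the end."""
    s, d = _ip(flow.src), _ip(flow.dst)
    for r in rules:
        proto_ok = r.proto in ("ip", flow.proto)
        addr_ok = _addr_match(r.src, s) and _addr_match(r.dst, d)
        ports_ok = all(t is None or PORT_OPS[t[0]](v, t[1])
                       for t, v in ((r.sport, flow.sport), (r.dport, flow.dport)))
        if proto_ok and addr_ok and ports_ok and (flow.ack or not r.established):
            return r.action, r.seq
    return "deny", None


# Entries 10, 15 and 65 of the posted "ToAdmin" list and the whole "ToAcademic" list.
TO_ADMIN = """ip access-list extended "ToAdmin"
   10 remark "Allow pupilfserv to Admin"
   10 permit ip 172.30.11.165 0.0.0.0 172.30.4.0 0.0.3.255
   15 permit ip 172.30.11.139 0.0.0.0 172.30.4.0 0.0.3.255
   65 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit"""
TO_ACADEMIC = """ip access-list extended "ToAcademic"
   10 permit ip 172.30.4.0 0.0.3.255 172.30.8.0 0.0.3.255
   20 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255"""
# Constructed for this example: applied "in" on the Student VLAN it lets student hosts
# answer DNS queries and TCP sessions that staff opened, but not open sessions of their own.
REPLIES_ONLY = """ip access-list extended "Student-replies-only"
   10 permit udp 172.30.8.0 0.0.3.255 eq 53 172.30.4.0 0.0.3.255
   20 permit tcp 172.30.8.0 0.0.3.255 172.30.4.0 0.0.3.255 established
   30 deny ip any any"""

if __name__ == "__main__":
    for acl, flow in [(TO_ADMIN, Flow("172.30.11.100", "172.30.4.10")),
                      (TO_ADMIN, Flow("172.30.11.165", "192.168.0.50")),
                      (REPLIES_ONLY, Flow("172.30.11.165", "172.30.4.10", "tcp", 49152, 445))]:
        print(flow.src, "->", flow.dst, flow.proto, evaluate(parse_acl(acl), flow))
```

Run it directly to print the sample flows, or import `parse_acl` and `evaluate` and paste a complete list from `show running-config` into the string. It reasons about ACL entries only; the management settings in the same config, `snmp-server community "public" unrestricted` (read-write access under a well-known community name) and `no ip ssh`, are outside its scope and worth revisiting in the same maintenance window.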
12-06-2010 01:20 AM
Re: ACL for VLANS on a Procurve 5406zl
12-06-2010 07:01 AM
Re: ACL for VLANS on a Procurve 5406zl
Can't see any problems, should be fine.
Cheers,
Michael