Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

ACL on ProCurve 5400 serie

ACL on ProCurve 5400 serie

Hi All,

 

I'm trying to implement an extended ACL, but the behaviour is not what I expected.
I want to control the traffic from subnet 10.22.30./24 to network 10.10.0.0/16
When I activate the config below.

I block all the traffic from 10.10.0.0/16 to 10.22.30.0/24
Even if i make a ACE permit ip 10.10.0.0 0.0.255.255 0.0.0.0 255.255.255.255.

The traffic from 10.10.0.0/16 to 10.22.30.0/24 is blocked.
The traffic from 10.22.30.0/24 to 10.10.0.0/16 is filtered as expected.

I do not want to filter the traffic from 10.10.0.0/16 to 10.22.30.0/24

Please check the config:

 

ip access-list extended "X-name"
   10 remark "Allow RDP"
   10 permit tcp 10.22.30.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 3389
   20 remark "Allow to serverX"
   20 permit tcp 10.22.30.0 0.0.0.255 10.10.11.214 0.0.0.0 eq 2356
   30 permit tcp 10.22.30.0 0.0.0.255 10.10.11.214 0.0.0.0 eq 1433
   40 remark "Allow serverX to serverX"
   40 permit tcp 10.22.30.14 0.0.0.0 10.10.10.95 0.0.0.0 eq 80
   50 permit tcp 10.22.30.15 0.0.0.0 10.10.10.95 0.0.0.0 eq 80
   100 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 log
   exit
interface B10
ip access-group X-name in
exit

vlan 1
   name "DEFAULT_VLAN"
   untagged A1,B1,B5,B11-B23,F1
   ip address 10.10.0.1 255.255.0.0
   tagged A2,F2
   no untagged B2-B4,B6-B10,B24
   exit

vlan 10
   name "Name"
   untagged B10
   ip address 10.22.30.1 255.255.255.0
   exit

 

What do I miss? Please help....?

4 REPLIES
YenLin
Frequent Advisor

Re: ACL on ProCurve 5400 serie

hi, do you know where is your source interfaces and destination interfaces or vlan?

I think B10 is the interface of your servers, however, you also need to permit your source to use these ports.

I think you also need to config out as well as below.

========================

interface B10
ip access-group X-name in

ip access-group X-name out

========================

dmesser-hhs
Frequent Advisor

Re: ACL on ProCurve 5400 serie

Instead of applying the access group on the interface apply it to the vlan -in

 

Vlan 10 ip access-group "x-name" in

 

With regards to why this did not work:

permit ip 10.10.0.0 0.0.255.255 0.0.0.0 255.255.255.255

"This line is not applied to the "in bound" side of the interface because B10 is a member of VLAN 10.  There are no packets with a source of 10.10.0.0/16 coming into the interface.

 

It seems backwards until you understand the in/out direction is in reference to the interface not the switch itself.  So inbound traffic on interface 10 will be from (source) your 10.22.30.0/24  and not source 10.10.0.0/16.  This may work if you apply that statment to your out... but if I remember correctly you should try to avoid applying ACL to out bound traffic.

 

You can also try a test without specifying the port numbers.  Just to see if it is working correctly to the server on all ports.. then once you verify your statment is working correctly move on to the specific ports.

   20 permit tcp 10.22.30.0 0.0.0.255 10.10.11.214 0.0.0.0
   30 permit tcp 10.22.30.0 0.0.0.255 10.10.11.214 0.0.0.0

 

Good Luck

Dominic

Re: ACL on ProCurve 5400 serie

Thanks for the replies.
I try to avoid applying ACL's to the interfaces that belong to VLAN 1. That means that I have to create multiple ACL's and I only want to to filter traffic from network 10.22.30.0/24 . I cannot imagine that I have to create all kind of ACL's to achieve that.
There is no option to apply an ACL on an interface in the outbound direction.
As i understood, if you apply an ACL on the VLAN, that port functionality doesn't work.

Is it an option to add an additional ACL on the VLAN 10, like this:

permit ip 10.10.0.0/24 10.22.30.0/24

 

And place this ACL in the outbound direction:

int vlan 10 ip access-group 'add-ACL' out

 

 

Please advise...

dmesser-hhs
Frequent Advisor

Re: ACL on ProCurve 5400 serie

When I said "all ports" I didn't mean all interfaces I was refering to all TCP/UDP ports.  

 

I use an ACL to restrict access from a "guest" network to just a few resources and the internet.  I created the ACL and applied it to the "in" side of my VLAN and it works great.

 

Your examples shows you have the ACL applied to the interface itself and I was just saying try remove it from the interface and apply it to your VLAN 10.

 

Yes your proposed ACL applied to the "out" of the VLAN 10 interface should work 

 

So to test apply your ip access-list extended X-name to the "in" side of VLAN 10 and then apply int vlan 10 ip access-group 'add-ACL' out