
ACL on ProCurve 5400 serie

Hi All,


I'm trying to implement an extended ACL, but the behaviour is not what I expected.
I want to control the traffic from subnet 10.22.30./24 to network
When I activate the config below.

I block all the traffic from to
Even if I make an ACE permit ip

The traffic from to is blocked.
The traffic from to is filtered as expected.

I do not want to filter the traffic from to

Please check the config:


ip access-list extended "X-name"
   10 remark "Allow RDP"
   10 permit tcp eq 3389
   20 remark "Allow to serverX"
   20 permit tcp eq 2356
   30 permit tcp eq 1433
   40 remark "Allow serverX to serverX"
   40 permit tcp eq 80
   50 permit tcp eq 80
   100 deny ip log
interface B10
ip access-group X-name in

vlan 1
   name "DEFAULT_VLAN"
   untagged A1,B1,B5,B11-B23,F1
   ip address
   tagged A2,F2
   no untagged B2-B4,B6-B10,B24

vlan 10
   name "Name"
   untagged B10
   ip address


What am I missing? Please help....


Re: ACL on ProCurve 5400 serie

Hi, do you know where your source interfaces and destination interfaces or VLAN are?

I think B10 is the interface of your servers, however, you also need to permit your source to use these ports.

I think you also need to configure it out as well, as below.


interface B10
ip access-group X-name in

ip access-group X-name out



Re: ACL on ProCurve 5400 serie

Instead of applying the access group on the interface, apply it to the VLAN (in):


Vlan 10 ip access-group "x-name" in


With regards to why this did not work:

permit ip

This line is not applied to the "inbound" side of the interface because B10 is a member of VLAN 10.  There are no packets with a source of coming into the interface.


It seems backwards until you understand that the in/out direction is in reference to the interface, not the switch itself.  So inbound traffic on interface 10 will be from (source) your  and not source  This may work if you apply that statement to your out... but if I remember correctly you should try to avoid applying ACLs to outbound traffic.


You can also try a test without specifying the port numbers, just to see if it is working correctly to the server on all ports. Then, once you verify your statement is working correctly, move on to the specific ports.

   20 permit tcp
   30 permit tcp


Good Luck


Re: ACL on ProCurve 5400 serie

Thanks for the replies.
I try to avoid applying ACLs to the interfaces that belong to VLAN 1. That means that I have to create multiple ACLs, and I only want to filter traffic from network . I cannot imagine that I have to create all kinds of ACLs to achieve that.
There is no option to apply an ACL on an interface in the outbound direction.
As I understood, if you apply an ACL on the VLAN, that port functionality doesn't work.

Is it an option to add an additional ACL on the VLAN 10, like this:

permit ip


And place this ACL in the outbound direction:

int vlan 10 ip access-group 'add-ACL' out



Please advise...


Re: ACL on ProCurve 5400 serie

When I said "all ports" I didn't mean all interfaces; I was referring to all TCP/UDP ports.


I use an ACL to restrict access from a "guest" network to just a few resources and the internet.  I created the ACL and applied it to the "in" side of my VLAN and it works great.


Your example shows you have the ACL applied to the interface itself, and I was just saying try removing it from the interface and applying it to your VLAN 10.


Yes, your proposed ACL applied to the "out" of the VLAN 10 interface should work.


So, to test, apply your ip access-list extended X-name to the "in" side of VLAN 10 and then apply int vlan 10 ip access-group 'add-ACL' out.
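Added example, not from any post in this thread: a small Python model of the direction rule the replies describe (an ACL bound "in" on a VLAN or port only sees packets entering the switch there, so an ACL on VLAN 10 "in" never sees client-to-server packets and instead drops the server's replies), and of the alternative bindings suggested at the end (source VLAN "in", or VLAN 10 "out"). All addresses, the client and server placement on VLANs 1 and 10, and the ACL contents are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses (RFC 5737 documentation ranges), not the poster's real ones.
CLIENTS = "192.0.2.0/24"        # workstation subnet, assumed to live on VLAN 1
SERVER = "198.51.100.10/32"     # server behind port B10, assumed to live on VLAN 10

@dataclass
class Packet:
    src: str; dst: str; proto: str; dport: int
    ingress_vlan: int   # VLAN the packet arrives on (the "in" side)
    egress_vlan: int    # VLAN the switch forwards it out of (the "out" side)

@dataclass
class Ace:
    seq: int; action: str; proto: str; src: str; dst: str
    dport: Optional[int] = None   # None = any destination port (no "eq")

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.dport in (None, p.dport))

def evaluate(acl, p: Packet) -> str:
    """Lowest sequence number first, first match wins, implicit deny at the end."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.matches(p):
            return ace.action
    return "deny"

def forward(bindings: dict, p: Packet) -> str:
    """bindings maps (vlan, 'in'|'out') -> ACL.  An 'in' ACL only sees packets
    entering the switch on that VLAN; an 'out' ACL only sees packets leaving on it."""
    for vlan, direction in ((p.ingress_vlan, "in"), (p.egress_vlan, "out")):
        acl = bindings.get((vlan, direction))
        if acl is not None and evaluate(acl, p) == "deny":
            return "dropped"
    return "forwarded"

# Same shape as the thread's ACL: allow RDP to the server, deny everything else.
ACL = [Ace(10, "permit", "tcp", CLIENTS, SERVER, 3389),
       Ace(100, "deny", "ip", "0.0.0.0/0", "0.0.0.0/0")]
RDP_REQUEST = Packet("192.0.2.5", "198.51.100.10", "tcp", 3389, ingress_vlan=1, egress_vlan=10)
RDP_REPLY = Packet("198.51.100.10", "192.0.2.5", "tcp", 52000, ingress_vlan=10, egress_vlan=1)
SMB_REQUEST = Packet("192.0.2.5", "198.51.100.10", "tcp", 445, ingress_vlan=1, egress_vlan=10)

def outcomes(bindings: dict):
    """Fate of (RDP request, RDP reply, SMB request) under a given ACL binding."""
    return tuple(forward(bindings, p) for p in (RDP_REQUEST, RDP_REPLY, SMB_REQUEST))
```

With the ACL on VLAN 10 "in" (the original setup) the RDP request is never checked, the reply is dropped and SMB passes, which is the "everything is blocked" symptom; moving the same ACL to the clients' VLAN "in" or to VLAN 10 "out" filters the requests and leaves the replies alone.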