HPE Community
Switches, Hubs, and Modems
1753792 Members
7043 Online
108799 Solutions
New Discussion юеВ

Re: ACL problem on 5300xl

 
SOLVED
Go to solution
Marcus J
Frequent Advisor

тАО03-13-2007 06:31 AM

тАО03-13-2007 06:31 AM

ACL problem on 5300xl

Hi i have a ACL problem on a 5300xl.
I only want some hosts to be able to access clients in vlan 21.
See my config, and plz explain why its not working.


Running configuration:

; J4819A Configuration Editor; Created on release #E.10.44

hostname "SE-SW-001"

snmp-server contact " "

snmp-server location "Serverrum"

max-vlans 256

time timezone 60

time daylight-time-rule Middle-Europe-and-Portugal

connection-rate-filter sensitivity low

ip access-list extended "100"
permit ip 10.206.23.42 0.0.0.0 10.206.21.128 0.0.0.127

permit ip 10.206.23.50 0.0.0.0 10.206.21.128 0.0.0.127

permit ip 10.206.25.150 0.0.0.0 10.206.21.128 0.0.0.127

permit ip 10.206.25.151 0.0.0.0 10.206.21.128 0.0.0.127

permit ip 10.206.25.152 0.0.0.0 10.206.21.128 0.0.0.127

permit ip 10.206.25.153 0.0.0.0 10.206.21.128 0.0.0.127

exit

module 1 type J4907A
module 2 type J4907A
module 3 type J4907A

ip default-gateway 10.206.22.1
sntp server 207.46.130.100
ip routing
ip arp-age 30
timesync sntp
sntp unicast



vlan 11
name "VLAN11"
untagged A3-A4
ip address 128.1.50.41 255.255.0.0
tagged A1
ip igmp
exit

vlan 22
name "VLAN22"
untagged A5,A8-A14,B1,B3-B10,B12-B16,C1,C3-C10,C12-C16
ip address 10.206.22.254 255.255.255.0
tagged A1
ip igmp
exit

vlan 23
name "VLAN23"
ip address 10.206.23.254 255.255.255.0
ip helper-address 10.206.22.133
tagged A1
ip igmp
exit

vlan 25
name "VLAN25"
ip address 10.206.25.254 255.255.255.0
ip helper-address 10.206.22.133
tagged A1
ip igmp
exit

vlan 20
name "VLAN20"
no ip address
ip igmp
exit

vlan 24
name "VLAN24"
ip address 10.206.24.254 255.255.255.0
ip helper-address 10.206.22.133
tagged A1
ip igmp
exit

vlan 21
name "VLAN21"
ip address 10.206.21.254 255.255.255.128
tagged A1
ip access-group "100" in
exit


ip route 0.0.0.0 0.0.0.0 10.206.22.1
filter connection-rate A1-A16,B1-B16,C1-C16 notify-only
spanning-tree
spanning-tree priority 0
password manager
password operator



0 Kudos
4 REPLIES 4
Matt Hobbs
Honored Contributor

тАО03-13-2007 10:00 AM

тАО03-13-2007 10:00 AM

Solution

Re: ACL problem on 5300xl

Change the ACL applied on VLAN 21 from in to out.

ip access-group "100" out
Marcus J
Frequent Advisor

тАО03-13-2007 08:03 PM

тАО03-13-2007 08:03 PM

Re: ACL problem on 5300xl

Hi Matt!

why should it be "out" direction?

I only want those six machines to be able to reach the 10.206.21.128/25 network located behind vlan 21... shouldn't that be direction "in".

plz explain.

Thanks.
0 Kudos
Matt Hobbs
Honored Contributor

тАО03-13-2007 09:09 PM

тАО03-13-2007 09:09 PM

Re: ACL problem on 5300xl

With your ACL:

ip access-list extended "100"
permit ip 10.206.23.42 0.0.0.0 10.206.21.128 0.0.0.127
permit ip 10.206.23.50 0.0.0.0 10.206.21.128 0.0.0.127
permit ip 10.206.25.150 0.0.0.0 10.206.21.128 0.0.0.127
permit ip 10.206.25.151 0.0.0.0 10.206.21.128 0.0.0.127
permit ip 10.206.25.152 0.0.0.0 10.206.21.128 0.0.0.127
permit ip 10.206.25.153 0.0.0.0 10.206.21.128 0.0.0.127

The fist half is the source which will be coming 'in' via another VLAN. It will be leaving 'out' 10.206.21.218.

That's probably not the best way of explaining it.

What helped me understand this better was the ACL theory section in the IP Routing Foundations course - ftp://ftp.hp.com/pub/networking/training/IRF_SG_061305.zip
Marcus J
Frequent Advisor

тАО03-14-2007 11:41 PM

тАО03-14-2007 11:41 PM

Re: ACL problem on 5300xl

I tried "out" instead of "in" and it worked nicely.

Many thanks matt!
I'll give you points...
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.