Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

ACL problem on 5300xl

SOLVED
Go to solution
Marcus J
Frequent Advisor

ACL problem on 5300xl

Hi i have a ACL problem on a 5300xl.
I only want some hosts to be able to access clients in vlan 21.
See my config, and plz explain why its not working.


Running configuration:

; J4819A Configuration Editor; Created on release #E.10.44

hostname "SE-SW-001"

snmp-server contact " "

snmp-server location "Serverrum"

max-vlans 256

time timezone 60

time daylight-time-rule Middle-Europe-and-Portugal

connection-rate-filter sensitivity low

ip access-list extended "100"
permit ip 10.206.23.42 0.0.0.0 10.206.21.128 0.0.0.127

permit ip 10.206.23.50 0.0.0.0 10.206.21.128 0.0.0.127

permit ip 10.206.25.150 0.0.0.0 10.206.21.128 0.0.0.127

permit ip 10.206.25.151 0.0.0.0 10.206.21.128 0.0.0.127

permit ip 10.206.25.152 0.0.0.0 10.206.21.128 0.0.0.127

permit ip 10.206.25.153 0.0.0.0 10.206.21.128 0.0.0.127

exit

module 1 type J4907A
module 2 type J4907A
module 3 type J4907A

ip default-gateway 10.206.22.1
sntp server 207.46.130.100
ip routing
ip arp-age 30
timesync sntp
sntp unicast



vlan 11
name "VLAN11"
untagged A3-A4
ip address 128.1.50.41 255.255.0.0
tagged A1
ip igmp
exit

vlan 22
name "VLAN22"
untagged A5,A8-A14,B1,B3-B10,B12-B16,C1,C3-C10,C12-C16
ip address 10.206.22.254 255.255.255.0
tagged A1
ip igmp
exit

vlan 23
name "VLAN23"
ip address 10.206.23.254 255.255.255.0
ip helper-address 10.206.22.133
tagged A1
ip igmp
exit

vlan 25
name "VLAN25"
ip address 10.206.25.254 255.255.255.0
ip helper-address 10.206.22.133
tagged A1
ip igmp
exit

vlan 20
name "VLAN20"
no ip address
ip igmp
exit

vlan 24
name "VLAN24"
ip address 10.206.24.254 255.255.255.0
ip helper-address 10.206.22.133
tagged A1
ip igmp
exit

vlan 21
name "VLAN21"
ip address 10.206.21.254 255.255.255.128
tagged A1
ip access-group "100" in
exit


ip route 0.0.0.0 0.0.0.0 10.206.22.1
filter connection-rate A1-A16,B1-B16,C1-C16 notify-only
spanning-tree
spanning-tree priority 0
password manager
password operator



4 REPLIES
Matt Hobbs
Honored Contributor
Solution

Re: ACL problem on 5300xl

Change the ACL applied on VLAN 21 from in to out.

ip access-group "100" out
Marcus J
Frequent Advisor

Re: ACL problem on 5300xl

Hi Matt!

why should it be "out" direction?

I only want those six machines to be able to reach the 10.206.21.128/25 network located behind vlan 21... shouldn't that be direction "in".

plz explain.

Thanks.
Matt Hobbs
Honored Contributor

Re: ACL problem on 5300xl

With your ACL:

ip access-list extended "100"
permit ip 10.206.23.42 0.0.0.0 10.206.21.128 0.0.0.127
permit ip 10.206.23.50 0.0.0.0 10.206.21.128 0.0.0.127
permit ip 10.206.25.150 0.0.0.0 10.206.21.128 0.0.0.127
permit ip 10.206.25.151 0.0.0.0 10.206.21.128 0.0.0.127
permit ip 10.206.25.152 0.0.0.0 10.206.21.128 0.0.0.127
permit ip 10.206.25.153 0.0.0.0 10.206.21.128 0.0.0.127

The fist half is the source which will be coming 'in' via another VLAN. It will be leaving 'out' 10.206.21.218.

That's probably not the best way of explaining it.

What helped me understand this better was the ACL theory section in the IP Routing Foundations course - ftp://ftp.hp.com/pub/networking/training/IRF_SG_061305.zip
Marcus J
Frequent Advisor

Re: ACL problem on 5300xl

I tried "out" instead of "in" and it worked nicely.

Many thanks matt!
I'll give you points...