- ACL's on ProCurve5304 Switch
Switches, Hubs, and Modems
05-11-2007 12:12 AM
I am just starting to apply VLANS to our network. At present, I have the default VLAN 1
and have added a guest VLAN 116.
I want guests to be able to access internet services (which may involve more than just port 80) but I don't want the guests to access anything else on my networks.
I have tried the following:
The following works but is limited to port 80 only, and we want guests to be able to use any ports we allow through our firewall, for example 23, 510, 1352, and let the firewall block any disallowed ports.
ip access-list extended "100"
permit ip 10.1.116.0 0.0.0.255 10.101.1.134 0.0.0.0 (this allows 10.1.116.0 network pc to get ip address from dhcp server)
permit ip 10.1.116.0 0.0.0.255 10.101.1.116 0.0.0.0 (this allows 10.1.116.0 network pc to get to dns server)
permit ip 10.1.116.0 0.0.0.255 10.101.1.114 0.0.0.0 (this allows 10.1.116.0 network pc to get to dns server)
permit tcp 0.0.0.0 255.255.255.255 10.1.116.0 0.0.0.255 eq http (this permits any into 10.1.116.0 network)
permit tcp 10.1.116.0 0.0.0.255 10.101.2.107 255.255.255.255 eq http (this allows 10.1.116.0 network pc to get to cache)
permit tcp 10.1.116.0 0.0.0.255 10.101.2.103 255.255.255.255 eq http (this allows 10.1.116.0 network pc to get to firewall)
deny ip 10.1.116.0 0.0.0.255 0.0.0.0 255.255.255.255 (this denies 10.1.116.0 network to all other devices)
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
VLAN 116 ip access-group 100 in
So I changed tcp to ip, but now I can connect to any device and network that I did not permit for the 10.1.116.0 network.
ip access-list extended "100"
permit ip 10.1.116.0 0.0.0.255 10.101.1.134 0.0.0.0 (this allows 10.1.116.0 network pc to get ip address from dhcp server)
permit ip 10.1.116.0 0.0.0.255 10.101.1.116 0.0.0.0 (this allows 10.1.116.0 network pc to get to dns server)
permit ip 10.1.116.0 0.0.0.255 10.101.1.114 0.0.0.0 (this allows 10.1.116.0 network pc to get to dns server)
permit ip 0.0.0.0 255.255.255.255 10.1.116.0 0.0.0.255 (this allows any source address to vlan 116's 10.1.116.0 network)***
permit ip 10.1.116.0 0.0.0.255 10.101.2.107 255.255.255.255 (this allows 10.1.116.0 network access to cache)
permit ip 10.1.116.0 0.0.0.255 10.101.2.103 255.255.255.255 (this allows 10.1.116.0 network access to firewall)
deny ip 10.1.116.0 0.0.0.255 0.0.0.0 255.255.255.255 (this denies 10.1.116.0 to everything else)
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
VLAN 116 ip access-group 100 in
***permit ip 0.0.0.0 255.255.255.255 10.1.116.0 0.0.0.255 (this allows any source address IN to vlan 116's 10.1.116.0 network) I THINK THIS LINE IS ALLOWING ACCESS TO ALL OTHER DEVICES BUT I DO NOT UNDERSTAND WHY
IF I TELNET TO 10.102.2.100 FROM THE 10.1.116.0 NETWORK IT IS SUCCESSFUL EVEN THOUGH I DON'T HAVE:
PERMIT IP 10.1.116.0 0.0.0.255 10.102.2.100 0.0.0.0 IN MY ACL. Why can I telnet to this device?
05-11-2007 04:57 AM
Solution
Hi
If you want to allow internet traffic from one Vlan, then you have to look for your Default Route.
I assume you have a default route to the firewall, 10.101.2.103, and I assume you are using a proxy to redirect all internet traffic through a cache box, 10.101.2.107.
In this case, your 2 entries for firewall and cache are incorrect:
-------------------------------------------
permit ip 10.1.116.0 0.0.0.255 10.101.2.107 0.0.0.0 (this allows 10.1.116.0 network access to cache - change 255.255.255.255)
permit ip 10.1.116.0 0.0.0.255 10.101.2.103 0.0.0.0 (this allows 10.1.116.0 network access to firewall - change 255.255.255.255)
-------------------------------------------
So, after also rearranging some entries, your ACL should look like this:
ip access-list extended "100"
permit ip 10.1.116.0 0.0.0.255 10.101.1.134 0.0.0.0
permit ip 10.1.116.0 0.0.0.255 10.101.1.116 0.0.0.0
permit ip 10.1.116.0 0.0.0.255 10.101.1.114 0.0.0.0
permit ip 10.1.116.0 0.0.0.255 10.101.2.107 0.0.0.0
permit ip 10.1.116.0 0.0.0.255 10.101.2.103 0.0.0.0
permit ip 0.0.0.0 255.255.255.255 10.1.116.0 0.0.0.255
deny ip 10.1.116.0 0.0.0.255 0.0.0.0 255.255.255.255
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
----------------------------------------
Also you should be sure to have a route back from the firewall network 10.101.1.0/24 to Vlan116 network 10.1.116.0/24.
Good Luck !!!
Science for Everyone
05-14-2007 03:04 AM
Re: ACL's on ProCurve5304 Switch
I tried the following and still could not access the internet; the reason is listed below.
ip access-list extended 105
permit ip 10.1.116.0 0.0.0.255 10.101.1.134 0.0.0.0
permit ip 10.1.116.0 0.0.0.255 10.101.1.116 0.0.0.0
permit ip 10.1.116.0 0.0.0.255 10.101.1.114 0.0.0.0
permit ip 10.1.116.0 0.0.0.255 10.101.2.103 0.0.0.0
permit ip 10.1.116.0 0.0.0.255 10.101.2.107 0.0.0.0
deny ip 10.1.116.0 0.0.0.255 0.0.0.0 255.255.255.255
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
We set each PC's default gateway to be the router, and Internet Explorer uses this to get to the firewall. However, if I change the Internet Explorer Internet Options to use a proxy server (10.101.2.107), then the above works.
Thanks again.
05-14-2007 05:33 AM
Re: ACL's on ProCurve5304 Switch
Since all our computers do not have a proxy server set up in their Internet Explorer and we don't want to change that, I have rewritten the ACL to deny the 10.1.116.0 network to all other 10.0.0.0 networks and permit all other networks. This is exactly what I wanted, and it works.
ip access-list extended 106
permit ip 10.1.116.0 0.0.0.255 10.101.1.134 0.0.0.0
permit ip 10.1.116.0 0.0.0.255 10.101.1.116 0.0.0.0
permit ip 10.1.116.0 0.0.0.255 10.101.1.114 0.0.0.0
permit ip 10.1.116.0 0.0.0.255 10.101.2.103 0.0.0.0
permit ip 10.1.116.0 0.0.0.255 10.101.2.107 0.0.0.0
deny ip 10.1.116.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
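The behaviour the original question could not explain, and the difference between the accepted answer's ACL and the final ACL 106, both come down to how the mask field is read. In this ACL syntax the mask is a wildcard: a 0 bit must match exactly, a 1 bit is "don't care", so `10.101.2.107 255.255.255.255` means "any destination", not "exactly this host", and a guest-to-anywhere packet is permitted by that entry before the `deny` is ever reached. The script below is an added example written for this page (not code from the thread or from HPE): a small first-match evaluator that runs the three ACLs posted in this thread against a few constructed packets. It assumes entries of the form `permit|deny <proto> <src> <src-wildcard> <dst> <dst-wildcard> [eq <port>]`, first-match-wins evaluation with an implicit deny at the end, and it does not model where the ACL is applied (VLAN or direction); the guest host 10.1.116.50 and the documentation address 198.51.100.10 are made up for the test.

```python
# Added example (not from the thread or from HPE): first-match evaluator for
# ProCurve-style extended ACL entries. Assumptions: wildcard masks (0 bit =
# must match, 1 bit = don't care), first matching entry decides, implicit
# deny when nothing matches; where the ACL is applied is not modelled.
import ipaddress

PORT_NAMES = {"http": 80, "telnet": 23, "domain": 53}  # names accepted after "eq"


def wildcard_match(addr, base, wildcard):
    """True when addr agrees with base on every bit the wildcard leaves as 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def parse_ace(line):
    """Split one access-control entry into its fields."""
    t = line.split()
    port = None
    if len(t) >= 8 and t[6] == "eq":
        port = PORT_NAMES.get(t[7]) or int(t[7])
    return {"action": t[0], "proto": t[1], "src": t[2], "src_wc": t[3],
            "dst": t[4], "dst_wc": t[5], "port": port}


def ace_matches(ace, pkt):
    """Check protocol, optional destination port, then both address masks."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if ace["port"] is not None and pkt.get("dport") != ace["port"]:
        return False
    return (wildcard_match(pkt["src"], ace["src"], ace["src_wc"])
            and wildcard_match(pkt["dst"], ace["dst"], ace["dst_wc"]))


def evaluate(acl, pkt):
    """Return (action, entry text) of the first matching entry, else implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", "implicit deny"


# ACL 100 as posted in the question ("ip" version). The two entries with a
# destination wildcard of 255.255.255.255 match any destination at all.
ACL_100_AS_POSTED = [
    "permit ip 10.1.116.0 0.0.0.255 10.101.1.134 0.0.0.0",
    "permit ip 10.1.116.0 0.0.0.255 10.101.1.116 0.0.0.0",
    "permit ip 10.1.116.0 0.0.0.255 10.101.1.114 0.0.0.0",
    "permit ip 0.0.0.0 255.255.255.255 10.1.116.0 0.0.0.255",
    "permit ip 10.1.116.0 0.0.0.255 10.101.2.107 255.255.255.255",
    "permit ip 10.1.116.0 0.0.0.255 10.101.2.103 255.255.255.255",
    "deny ip 10.1.116.0 0.0.0.255 0.0.0.0 255.255.255.255",
    "permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
]
# The accepted answer's ACL: host entries use a 0.0.0.0 wildcard.
ACL_SOLUTION = [
    "permit ip 10.1.116.0 0.0.0.255 10.101.1.134 0.0.0.0",
    "permit ip 10.1.116.0 0.0.0.255 10.101.1.116 0.0.0.0",
    "permit ip 10.1.116.0 0.0.0.255 10.101.1.114 0.0.0.0",
    "permit ip 10.1.116.0 0.0.0.255 10.101.2.107 0.0.0.0",
    "permit ip 10.1.116.0 0.0.0.255 10.101.2.103 0.0.0.0",
    "permit ip 0.0.0.0 255.255.255.255 10.1.116.0 0.0.0.255",
    "deny ip 10.1.116.0 0.0.0.255 0.0.0.0 255.255.255.255",
    "permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
]
# ACL 106 from the final reply: block the rest of 10.0.0.0/8, allow all else.
ACL_106 = [
    "permit ip 10.1.116.0 0.0.0.255 10.101.1.134 0.0.0.0",
    "permit ip 10.1.116.0 0.0.0.255 10.101.1.116 0.0.0.0",
    "permit ip 10.1.116.0 0.0.0.255 10.101.1.114 0.0.0.0",
    "permit ip 10.1.116.0 0.0.0.255 10.101.2.103 0.0.0.0",
    "permit ip 10.1.116.0 0.0.0.255 10.101.2.107 0.0.0.0",
    "deny ip 10.1.116.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
]

# Constructed sample traffic: 10.1.116.50 is a made-up guest host and
# 198.51.100.10 (a documentation prefix) stands in for an internet web server.
TELNET_TO_INTERNAL = {"proto": "tcp", "src": "10.1.116.50", "dst": "10.102.2.100", "dport": 23}
WEB_TO_INTERNET = {"proto": "tcp", "src": "10.1.116.50", "dst": "198.51.100.10", "dport": 80}
DNS_TO_SERVER = {"proto": "udp", "src": "10.1.116.50", "dst": "10.101.1.116", "dport": 53}
SAMPLES = [("telnet 10.102.2.100", TELNET_TO_INTERNAL),
           ("http to internet", WEB_TO_INTERNET),
           ("dns 10.101.1.116", DNS_TO_SERVER)]


def trace(name, acl):
    """Evaluate every sample packet against one ACL; returns {label: action}."""
    results = {}
    for label, pkt in SAMPLES:
        action, entry = evaluate(acl, pkt)
        results[label] = action
        print(f"{name:<14} {label:<20} -> {action:<6} via: {entry}")
    return results


if __name__ == "__main__":
    for name, acl in (("acl100-posted", ACL_100_AS_POSTED),
                      ("acl-solution", ACL_SOLUTION),
                      ("acl106-final", ACL_106)):
        trace(name, acl)
```

Running it shows the three outcomes the thread reports: under ACL 100 as posted, the telnet to 10.102.2.100 is permitted by the `10.101.2.107 255.255.255.255` entry; under the accepted answer's ACL the same telnet is denied, but so is direct HTTP to the internet (which is why it only worked once Internet Explorer was pointed at the proxy); under ACL 106 internal 10.0.0.0/8 destinations are denied and the internet is permitted. The design trade-off of ACL 106 is visible in the deny line itself: it only protects destinations inside 10.0.0.0/8, so any internal resource addressed outside that range would be reachable from the guest VLAN and needs its own deny entry.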