10-26-2010 12:22 PM
ACL setup on Procurve 8212
I'm pretty good with the ProCurves, but have never done ACLs...
I'm googling, but figured I'd start a thread anyway.
So -
VLAN 80 needs to get to the internet (all ports are fine, the FW will determine ports).
VLAN 80 needs to get to -
firewall - 10.10.10.1
DNS - 10.10.10.76
DNS - 10.10.10.70
I don't want them getting to any of our other networks or sister companies on the MPLS.
This includes all 10.11.0.0/16 or 10.12.0.0/16 networks, or any of the other 10.10.1-9.0/24 networks that are local.
Thanks!
10-27-2010 01:29 AM
Re: ACL setup on Procurve 8212
A couple of things there.
Your VLAN 80 clients won't need to reach the firewall (their traffic is routed to the firewall, but the _destination address_ is somewhere on the internet).
The easiest thing to do would be this (assuming the 8212 is the gateway for the VLAN 80 clients):
- Permit access to the DNS servers
- Deny access to all other 10.* networks
- Permit access to anything else
You would apply this as an inbound ACL on the switch (the direction of the ACL is with respect to the switch, i.e. an inbound ACL on VLAN 80 is filtering traffic inbound to the switch from clients on VLAN 80).
HTH
10-27-2010 02:08 AM
Re: ACL setup on Procurve 8212
If your IP network in VLAN 80 is, say, 1.1.1.0/24, then the ACL could look like this:
ip access-list extended ACL_80_IN
deny ip 1.1.1.0 0.0.0.255 10.11.0.0 0.0.255.255
deny ip 1.1.1.0 0.0.0.255 10.12.0.0 0.0.255.255
permit ip any any
vlan 80
ip access-group ACL_80_IN in
In this case the clients can't access the MPLS networks, but can reach everywhere else. You have to include the permit any any, otherwise access to the internet won't work.
Cheers,
Michael
10-27-2010 08:47 AM
Re: ACL setup on Procurve 8212
deny ip 10.10.80.0 0.0.0.255 10.0.0.0 0.0.255.255
I have about 40 networks I would need to add to the deny, some 10.x, some 192.x and some 172.x...
10-27-2010 01:13 PM
Re: ACL setup on Procurve 8212
ip access-list extended "ACL_VLAN80_IN"
10 permit ip 10.3.80.0 0.0.0.255 10.3.0.76 0.0.0.0
20 permit ip 10.3.80.0 0.0.0.255 10.3.0.70 0.0.0.0
30 deny ip 10.3.80.0 0.0.0.255 10.3.0.0 0.0.255.255
40 deny ip 10.3.80.0 0.0.0.255 10.4.0.0 0.0.255.255
50 deny ip 10.3.80.0 0.0.0.255 10.0.0.0 0.0.255.255
60 deny ip 10.3.80.0 0.0.0.255 10.1.0.0 0.0.255.255
70 deny ip 10.3.80.0 0.0.0.255 10.2.0.0 0.0.255.255
80 deny ip 10.3.80.0 0.0.0.255 10.15.0.0 0.0.255.255
90 deny ip 10.3.80.0 0.0.0.255 10.16.0.0 0.0.255.255
100 deny ip 10.3.80.0 0.0.0.255 172.16.0.0 0.0.255.255
110 deny ip 10.3.80.0 0.0.0.255 172.17.0.0 0.0.255.255
120 deny ip 10.3.80.0 0.0.0.255 172.18.0.0 0.0.255.255
130 deny ip 10.3.80.0 0.0.0.255 172.19.0.0 0.0.255.255
140 deny ip 10.3.80.0 0.0.0.255 172.20.0.0 0.0.255.255
150 deny ip 10.3.80.0 0.0.0.255 192.168.100.0 0.0.254.255
160 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
vlan 80
ip access-group ACL_VLAN80_IN in
wri mem
And I can still get everywhere on VLAN 80...
10-27-2010 02:26 PM
Re: ACL setup on Procurve 8212
10-27-2010 02:29 PM
Re: ACL setup on Procurve 8212
10-27-2010 02:30 PM
Re: ACL setup on Procurve 8212
Clients on VLAN 80 use 10.3.80.0/24.
The VLAN 80 DGW is 10.3.80.100 (one of many VLANs on the 8212).
10-28-2010 01:24 AM
Re: ACL setup on Procurve 8212
One thing to remember with routed ACLs is that they do not filter any traffic with a destination address that lives on the switch itself, i.e. if you ping other gateways on your 8200 that will still work.
10-28-2010 02:19 PM
Re: ACL setup on Procurve 8212
I can ping 10.3.0.93 and 10.4.0.12; both should not be reachable if the rules are correct.
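As an added example (not code from the thread or from HP), a small Python model of how the switch walks the ACL posted in the 01:13 PM reply: first match wins, an implicit deny sits at the end, and, as the 01:24 AM reply points out, traffic addressed to one of the switch's own interfaces (10.3.80.100, the VLAN 80 gateway named above) is not filtered at all. Running the two test destinations from the last post through it shows which entries they should hit, which helps separate a rule-logic problem from a where-is-it-applied problem; the client address 10.3.80.5 and the external address 8.8.8.8 used in the checks are constructed.

```python
import ipaddress

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    # Wildcard bits set to 1 are "don't care"; only the zero bits must match.
    return ((ip_int(addr) ^ ip_int(base)) & ~ip_int(wildcard) & 0xFFFFFFFF) == 0

def _addr_pair(tok):
    # "any" is shorthand for 0.0.0.0 255.255.255.255 and consumes one token.
    if tok[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tok[1:]
    return (tok[0], tok[1]), tok[2:]

def parse_acl(text):
    """Keep only permit/deny entries; header, 'exit', 'vlan' and 'wri mem' lines are ignored."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        seq = None
        if tok and tok[0].isdigit():          # optional sequence number
            seq, tok = int(tok[0]), tok[1:]
        if len(tok) < 4 or tok[0] not in ("permit", "deny"):
            continue
        src, rest = _addr_pair(tok[2:])
        dst, _ = _addr_pair(rest)
        rules.append((seq or len(rules) + 1, tok[0], tok[1], src, dst))
    return rules

def evaluate(rules, src, dst, switch_addrs=frozenset()):
    """First-match lookup with the implicit deny at the end of every ProCurve ACL."""
    if dst in switch_addrs:   # routed ACLs do not filter traffic addressed to the switch itself
        return "not-filtered (switch-local destination)"
    for seq, action, _proto, (sb, sw), (db, dw) in rules:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return f"{action} (seq {seq})"
    return "deny (implicit)"

# Excerpt of the ACL posted in the 01:13 PM reply (entries 50-140 omitted for brevity).
ACL_TEXT = """
ip access-list extended "ACL_VLAN80_IN"
10 permit ip 10.3.80.0 0.0.0.255 10.3.0.76 0.0.0.0
20 permit ip 10.3.80.0 0.0.0.255 10.3.0.70 0.0.0.0
30 deny ip 10.3.80.0 0.0.0.255 10.3.0.0 0.0.255.255
40 deny ip 10.3.80.0 0.0.0.255 10.4.0.0 0.0.255.255
150 deny ip 10.3.80.0 0.0.0.255 192.168.100.0 0.0.254.255
160 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""
RULES = parse_acl(ACL_TEXT)
GATEWAYS = frozenset({"10.3.80.100"})   # VLAN 80 default gateway named in the thread
```

Entry 150's wildcard 0.0.254.255 leaves bit 0 of the third octet fixed, so it matches 192.168.100.x, 192.168.102.x and every other even third octet, but not 192.168.101.x; the evaluator makes that kind of mask mistake visible before the ACL goes on the switch.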