Access Lists and Vlans with 5300xl

Martijn Mol
Occasional Visitor

Access Lists and Vlans with 5300xl

Hello,

Hopefully someone can help me with the following problem.

We've got 2 vlans on a switch:
Vlan 1: 192.168.78.0
Vlan 2: 192.168.77.0

Right now I can do anything from vlan 1 to vlan 2 and vice versa.

I want to deny all traffic except telnet from vlan 1 to vlan 2 (port 23). To realise this I've made an extended acl '100' with the following rule:
permit tcp 192.168.77.0 0.0.0.255 192.168.78.0 0.0.0.255 eq 23

and I've bound the access list to outbound traffic of vlan 1.

But telnet doesn't work.
Did I forget something?

Does anyone have experience with acl on hp switches?
Or have some examples for me?

I've already studied the manual.

Martijn Mol
9 REPLIES
Martijn Mol
Occasional Visitor

Re: Access Lists and Vlans with 5300xl

I've made a mistake in the post:
permit tcp 192.168.77.0 0.0.0.255 192.168.78.0 0.0.0.255 eq 23
has to be permit tcp 192.168.78.0 0.0.0.255 192.168.77.0 0.0.0.255 eq 23
Markku Leinio
Valued Contributor

Re: Access Lists and Vlans with 5300xl

You should bind it to VLAN 1 inbound:

vlan 1
ip access-group 100 in

This means: "When traffic comes to this switch in VLAN 1, check the list." Your setting only checks traffic that leaves the switch from VLAN 1.

Those "in" and "out" specifications are not checked when the traffic flows (from one VLAN to another) inside the switch. They are checked only when the traffic enters or leaves the switch.

Other choice would be

vlan 2
ip access-group 100 out

but this would not be as efficient (why route some traffic if it will eventually be dropped).
Martijn Mol
Occasional Visitor

Re: Access Lists and Vlans with 5300xl

Thanks a lot for your response. It works but I still don't understand how it works.

If I want to telnet from vlan 1 to vlan 2 then that's data that leaves vlan 1, so I thought that was outbound traffic for vlan 1.

Could you please try to explain it to me?

Kind regards,

Martijn Mol
Jerome Henry
Honored Contributor

Re: Access Lists and Vlans with 5300xl

In fact, you have to remember that switches work on level 2 (MAC address). Implementing ACL means layer 3.
So the point to think about is: who'll decide?
VLAN 1's job is not to decide who's after (VLAN 2 or another), but to transmit packets.
As Markku explained, the tool that is the most concerned by this access list is the VLAN that is receiving data and has to decide if it can get in or not.
HP has configurations examples that may be helpful for your understanding :
http://www.hp.com/rnd/support/config_examples/93xx_6308.htm
It's quite well explained.
hth
J
You can lean only on what resists you...
Markku Leinio
Valued Contributor

Re: Access Lists and Vlans with 5300xl

Martijn,

how to put it, access-lists are not kind of used when a packet is routed inside the 5300XL switch. The access-lists are only applied when the data enters ("ip access-group xxx in") or leaves ("ip access-group xxx out") the switch.

Example:

Ports A1-A6 are in VLAN 1 (network A), ports A13-A18 are in VLAN 2 (network B).

We have:

vlan 1
ip access-group 100 in
ip access-group 101 out
vlan 2
ip access-group 102 out

Meaning:

List 100 is checked on packets that enter the switch from ports A1-A6.

List 101 is checked on packets that leave the switch from ports A1-A6.

List 102 is checked on packets that leave the switch from ports A13-A18.
Now, if a packet from network A is routed to network B, two lists are applied: list 100 and list 102.

When a host in network B (VLAN 2) replies to a host in network A (VLAN 1), only list 101 is used.

If a packet is coming from some other VLAN, like VLAN 3 and going to network B (VLAN 2), only list 102 is used.

Access-lists are only consulted for routed traffic (IP routing must be enabled) or traffic destined to the switch itself.

Hope this helps some more. Check also the examples, if there are some for access-lists.
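A small model of the rule Markku describes in his two replies (the list bound "in" on a VLAN is checked when a packet enters the switch on that VLAN, the list bound "out" when it leaves on that VLAN, and routed traffic therefore passes at most two lists). This is an added example, not code from the thread or from HP; the host addresses, the ephemeral port and the `ORIGINAL`/`CORRECTED` binding names are assumptions made for the illustration. It also assumes, as on ProCurve and Cisco ACLs, an implicit "deny any" at the end of a list and no check at all where no list is bound in that direction. Running it shows why the original binding ("out" on VLAN 1) broke telnet: the client's SYN towards VLAN 2 is never checked by list 100, but the server's reply, which leaves the switch on VLAN 1 with source 192.168.77.x and source port 23, does not match the single permit entry and hits the implicit deny.

```python
"""Where the 5300xl applies 'ip access-group N in|out' lists to routed traffic.

Added example (not from the thread). Assumptions: a routed packet is checked
against the 'in' list of the VLAN it enters on and the 'out' list of the VLAN it
leaves on; an unmatched packet hits the implicit 'deny any'; a VLAN with no list
bound in that direction passes the packet unchecked.
"""
import ipaddress


def _match_wildcard(addr, network, wildcard):
    """Cisco/ProCurve style wildcard: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0


def parse_ace(line):
    """Parse 'permit|deny PROTO SRC SRCWC DST DSTWC [eq PORT]' (the subset used in the thread)."""
    t = line.split()
    ace = {"action": t[0], "proto": t[1], "src": (t[2], t[3]), "dst": (t[4], t[5]), "dport": None}
    if len(t) > 6 and t[6] == "eq":
        ace["dport"] = int(t[7])
    return ace


def acl_verdict(acl, pkt):
    """First matching entry wins; falling off the end is the implicit 'deny any'."""
    for ace in acl:
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not _match_wildcard(pkt["src"], *ace["src"]):
            continue
        if not _match_wildcard(pkt["dst"], *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt["dport"]:
            continue
        return ace["action"]
    return "deny"


def route(bindings, acls, pkt):
    """bindings maps (vlan, 'in'|'out') -> list number.

    Returns (allowed, checks) where checks lists every (list, direction, verdict)
    consulted: the ingress VLAN's 'in' list, then the egress VLAN's 'out' list.
    """
    checks = []
    for vlan, direction in ((pkt["in_vlan"], "in"), (pkt["out_vlan"], "out")):
        num = bindings.get((vlan, direction))
        if num is None:
            continue  # nothing bound in this direction: not checked at all
        verdict = acl_verdict(acls[num], pkt)
        checks.append((num, direction, verdict))
        if verdict == "deny":
            return False, checks
    return True, checks


# The one-line list 100 from the thread (corrected version: source is VLAN 1's net).
ACLS = {100: [parse_ace("permit tcp 192.168.78.0 0.0.0.255 192.168.77.0 0.0.0.255 eq 23")]}

# Constructed sample flows: a telnet SYN from a VLAN 1 host to a VLAN 2 host,
# and the server's SYN/ACK back (assumed ephemeral client port 40000).
SYN = dict(in_vlan=1, out_vlan=2, proto="tcp",
           src="192.168.78.10", dst="192.168.77.20", dport=23)
SYNACK = dict(in_vlan=2, out_vlan=1, proto="tcp",
              src="192.168.77.20", dst="192.168.78.10", dport=40000)
PING = dict(in_vlan=1, out_vlan=2, proto="icmp",
            src="192.168.78.10", dst="192.168.77.20", dport=None)

# The binding from the first post versus the one Markku recommended (assumed names).
ORIGINAL = {(1, "out"): 100}   # vlan 1 / ip access-group 100 out
CORRECTED = {(1, "in"): 100}   # vlan 1 / ip access-group 100 in


def telnet_session(bindings):
    """A telnet session works only if the SYN and the reply both get through."""
    ok_fwd, c_fwd = route(bindings, ACLS, SYN)
    ok_rev, c_rev = route(bindings, ACLS, SYNACK)
    return ok_fwd and ok_rev, c_fwd + c_rev


if __name__ == "__main__":
    print("original binding:", telnet_session(ORIGINAL))
    print("corrected binding:", telnet_session(CORRECTED))
    print("ping with corrected binding:", route(CORRECTED, ACLS, PING))
```

With `ORIGINAL` the SYN passes unchecked and only the reply is examined (`[(100, 'out', 'deny')]`), so the session never completes; with `CORRECTED` only the SYN is examined (`[(100, 'in', 'permit')]`) and the reply is not checked at all, so telnet works while a ping from VLAN 1 is dropped on the implicit deny. Note the asymmetry this leaves: nothing here restricts traffic started from VLAN 2 towards VLAN 1, so a second list would be needed if that direction should be filtered too.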
Markku Leinio
Valued Contributor

Re: Access Lists and Vlans with 5300xl

In the first sentences (in the previous reply) I meant to say that the boundary in which the access-lists are checked or used is the switch ports (interfaces).

When saying (in ip access-group command) "in" that really means packet coming into the switch, and out is meaning packets going out of the switch.
Martijn Mol
Occasional Visitor

Re: Access Lists and Vlans with 5300xl

Thanks for all the good help.
I have it working now!

Jerome Henry
Honored Contributor

Re: Access Lists and Vlans with 5300xl

Great Martijn,
glad it works ! :]]
Why not assign points to Markku, who did most of the job?
J
You can lean only on what resists you...