Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

Acess List behaviour in Procurve 3500 switch

PRSIVA
Occasional Visitor

Acess List behaviour in Procurve 3500 switch

We use a 3500yl switch as a routing switch with many VLANs. All inter VLAN routing is handled by this switch. I have to restrict the hosts of VLAN 11 to access only a few servers, which are sitting in a different VLAN. So I have created a access list with few PERMIT lines. These PERMIT lines allows access only to a few servers for the hosts of VLAN 11. This ACL is enabled on VLAN 11 and its working fine and allows the hosts of VLAN 11 to access the permitted servers. However I have explicitly allowed the hosts of VLAN 11 to access the 3500yl. But I am not able to ping the hosts of VLAN11 from the 3500yl. Whenever I disable the ACL on VLAN 11 interface the 3500yl is able to ping the hosts of VLAN 11. Why it is happening?
7 REPLIES
Mohammed Faiz
Honored Contributor

Re: Acess List behaviour in Procurve 3500 switch

Hi,

Could you post the ACL up or just the line of the ACL that allows VLAN 11 hosts to reach the 3500?
PRSIVA
Occasional Visitor

Re: Acess List behaviour in Procurve 3500 switch

Thanks for the reply. The ACL is given below.
ip access-list standard "10"
10 permit 10.0.0.1 0.0.0.0
20 permit 10.0.0.11 0.0.0.0
25 permit 10.0.2.61 0.0.0.0
26 permit 10.0.0.100 0.0.0.0
27 permit 10.0.6.201 0.0.0.0
30 permit 10.0.2.11 0.0.0.0
40 permit 10.0.2.12 0.0.0.0
50 permit 10.0.2.51 0.0.0.0
51 permit 10.0.2.54 0.0.0.0
60 deny 0.0.0.0 255.255.255.255
exit
10.0.0.11 is the VLAN1 IP address of the 3500 switch.

Thanks,
Mohammed Faiz
Honored Contributor

Re: Acess List behaviour in Procurve 3500 switch

Hi,

Ok so you're using a standard ACL, what direction have you applied the ACL in? And what subnet do the hosts of VLAN 11 live on?
PRSIVA
Occasional Visitor

Re: Acess List behaviour in Procurve 3500 switch

It applied in OUT direction.
VLAN11 subnet is 10.0.10.0. VLAN11 ip address of 3500 is 10.0.10.1 and we cannot ping the hosts of VLAN11 from 3500 if the ACL is applied.
Mohammed Faiz
Honored Contributor

Re: Acess List behaviour in Procurve 3500 switch

Ok, so there are a couple of issues here.
Applying the ACL in the "OUT" directions does not restrict what VLAN 11 hosts can access, it restricts what can talk inbound to the VLAN 11 hosts.
ACL directions are always with respect to the switch, i.e. "OUT" means packets outbound of the switch (which means inbound to VLAN 11).
The reason you can't ping the hosts with your current setup is that the IP of the switch in VLAN 11 is not in the ACL.
If you add in 10.0.10.1 into the ACL you should be fine.
(ACLs don't normally apply to intra-subnet traffic but the exception to the rule is if the communication is to an IP that's on the switch)
PRSIVA
Occasional Visitor

Re: Acess List behaviour in Procurve 3500 switch

I have modified the ACL like this.

ip access-list standard "10"
10 permit 10.0.0.1 0.0.0.0
16 permit 10.0.10.1 0.0.0.0
20 permit 10.0.0.11 0.0.0.0
25 permit 10.0.2.61 0.0.0.0
26 permit 10.0.0.100 0.0.0.0
27 permit 10.0.6.201 0.0.0.0
30 permit 10.0.2.11 0.0.0.0
40 permit 10.0.2.12 0.0.0.0
50 permit 10.0.2.51 0.0.0.0
51 permit 10.0.2.54 0.0.0.0
60 deny 0.0.0.0 255.255.255.255
exit

The second line permits VLAN11 ip address of the switch. But we are still cannot ping the hosts of VLAN11 from the switch
Mohammed Faiz
Honored Contributor

Re: Acess List behaviour in Procurve 3500 switch

It seems I was slightly wrong in the description of ACL behaviour. The switch should not screen any traffic that has a source address on the switch when you are using an outbound ACL so your ACL should work without lines 16 and 20.
Can you post the full config from that switch?
Also, what firmware revision are you running?