HPE Community
Switches, Hubs, and Modems
1753888 Members
7633 Online
108809 Solutions
New Discussion юеВ

Acess List behaviour in Procurve 3500 switch

 
PRSIVA
New Member

тАО11-27-2009 10:56 PM

тАО11-27-2009 10:56 PM

Acess List behaviour in Procurve 3500 switch

We use a 3500yl switch as a routing switch with many VLANs. All inter VLAN routing is handled by this switch. I have to restrict the hosts of VLAN 11 to access only a few servers, which are sitting in a different VLAN. So I have created a access list with few PERMIT lines. These PERMIT lines allows access only to a few servers for the hosts of VLAN 11. This ACL is enabled on VLAN 11 and its working fine and allows the hosts of VLAN 11 to access the permitted servers. However I have explicitly allowed the hosts of VLAN 11 to access the 3500yl. But I am not able to ping the hosts of VLAN11 from the 3500yl. Whenever I disable the ACL on VLAN 11 interface the 3500yl is able to ping the hosts of VLAN 11. Why it is happening?
0 Kudos
7 REPLIES 7
Mohammed Faiz
Honored Contributor

тАО11-28-2009 04:06 AM

тАО11-28-2009 04:06 AM

Re: Acess List behaviour in Procurve 3500 switch

Hi,

Could you post the ACL up or just the line of the ACL that allows VLAN 11 hosts to reach the 3500?
0 Kudos
PRSIVA
New Member

тАО11-29-2009 07:14 PM

тАО11-29-2009 07:14 PM

Re: Acess List behaviour in Procurve 3500 switch

Thanks for the reply. The ACL is given below.
ip access-list standard "10"
10 permit 10.0.0.1 0.0.0.0
20 permit 10.0.0.11 0.0.0.0
25 permit 10.0.2.61 0.0.0.0
26 permit 10.0.0.100 0.0.0.0
27 permit 10.0.6.201 0.0.0.0
30 permit 10.0.2.11 0.0.0.0
40 permit 10.0.2.12 0.0.0.0
50 permit 10.0.2.51 0.0.0.0
51 permit 10.0.2.54 0.0.0.0
60 deny 0.0.0.0 255.255.255.255
exit
10.0.0.11 is the VLAN1 IP address of the 3500 switch.

Thanks,
0 Kudos
Mohammed Faiz
Honored Contributor

тАО11-30-2009 02:05 AM

тАО11-30-2009 02:05 AM

Re: Acess List behaviour in Procurve 3500 switch

Hi,

Ok so you're using a standard ACL, what direction have you applied the ACL in? And what subnet do the hosts of VLAN 11 live on?
0 Kudos
PRSIVA
New Member

тАО11-30-2009 03:01 AM

тАО11-30-2009 03:01 AM

Re: Acess List behaviour in Procurve 3500 switch

It applied in OUT direction.
VLAN11 subnet is 10.0.10.0. VLAN11 ip address of 3500 is 10.0.10.1 and we cannot ping the hosts of VLAN11 from 3500 if the ACL is applied.
0 Kudos
Mohammed Faiz
Honored Contributor

тАО11-30-2009 04:03 AM

тАО11-30-2009 04:03 AM

Re: Acess List behaviour in Procurve 3500 switch

Ok, so there are a couple of issues here.
Applying the ACL in the "OUT" directions does not restrict what VLAN 11 hosts can access, it restricts what can talk inbound to the VLAN 11 hosts.
ACL directions are always with respect to the switch, i.e. "OUT" means packets outbound of the switch (which means inbound to VLAN 11).
The reason you can't ping the hosts with your current setup is that the IP of the switch in VLAN 11 is not in the ACL.
If you add in 10.0.10.1 into the ACL you should be fine.
(ACLs don't normally apply to intra-subnet traffic but the exception to the rule is if the communication is to an IP that's on the switch)
0 Kudos
PRSIVA
New Member

тАО11-30-2009 09:55 PM

тАО11-30-2009 09:55 PM

Re: Acess List behaviour in Procurve 3500 switch

I have modified the ACL like this.

ip access-list standard "10"
10 permit 10.0.0.1 0.0.0.0
16 permit 10.0.10.1 0.0.0.0
20 permit 10.0.0.11 0.0.0.0
25 permit 10.0.2.61 0.0.0.0
26 permit 10.0.0.100 0.0.0.0
27 permit 10.0.6.201 0.0.0.0
30 permit 10.0.2.11 0.0.0.0
40 permit 10.0.2.12 0.0.0.0
50 permit 10.0.2.51 0.0.0.0
51 permit 10.0.2.54 0.0.0.0
60 deny 0.0.0.0 255.255.255.255
exit

The second line permits VLAN11 ip address of the switch. But we are still cannot ping the hosts of VLAN11 from the switch
0 Kudos
Mohammed Faiz
Honored Contributor

тАО12-01-2009 02:09 AM

тАО12-01-2009 02:09 AM

Re: Acess List behaviour in Procurve 3500 switch

It seems I was slightly wrong in the description of ACL behaviour. The switch should not screen any traffic that has a source address on the switch when you are using an outbound ACL so your ACL should work without lines 16 and 20.
Can you post the full config from that switch?
Also, what firmware revision are you running?
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.