05-03-2007 05:31 PM
Re: Configuring Routing & ACL in 5308XL switch
- Yes, they can, even if they are not a domain member.
- Yes, we did try some ACLs, but we thought we had deleted/disabled all of them.
-C:>nslookup www.google.com
Server: pokhara.internal.mitacademy
Address: 172.16.32.2
Non-authoritative answer:
Name: www.l.google.com
Addresses: 72.14.253.104, 72.14.253.99, 72.14.253.147, 72.14.253.103
Aliases: www.google.com
Just a thought: how do we delete ACLs that were not supposed to be there permanently?
Thank you
05-03-2007 07:25 PM
Re: Configuring Routing & ACL in 5308XL switch
Looks like it's an ACL which is supposed to be off but somehow it's on. I tried with another VLAN and that works without any problem.
Now, is there any way of cleaning out all those hidden ACLs?
Will really appreciate it if there is any suggestion.
Thank you
05-04-2007 03:32 AM
Re: Configuring Routing & ACL in 5308XL switch
If you can post the configuration it will be helpful for us to give you the correct suggestion to remove the ACLs.
Anyway, assume you have an extended ACL applied to one VLAN, then
- Remove the ACL from the VLAN:
Switch(config)#no vlan
- Remove the ACL:
If it's a named one:
Switch(config)#no ip access-list extended NAME
If it's a standard or extended one, then you have to remove it line by line, and that will be easy if you run the show run command, then stop on the ACL entries, copy them one by one and run no before each one.
Good Luck !!!
05-04-2007 11:26 PM
Re: Configuring Routing & ACL in 5308XL switch
The config file we posted earlier is what we have. That is the reason I was saying in our previous post that it could be the old ACL we had created.
We had deleted that ACL using the command "no ip access-list extended NAME"; the VLAN that was assigned has now been deleted.
We used the following commands to see if we have any ACLs, but every answer is no:
HP ProCurve Switch 5308xl(config)# show access-list
Access Control Lists
Type Appl Name
---- ---- ----------------------------------------------------------------
HP ProCurve Switch 5308xl(config)# show access-list config
No access control lists are actively configured.
Other command like show access-list vlan
We just didn't understand what is blocking traffic like share/browse going to a certain VLAN (vlan3). We can ping, we can traceroute, etc., but not share, cannot join a computer to the domain, etc.
Thank you again
05-06-2007 03:16 PM
Re: Configuring Routing & ACL in 5308XL switch
Yes, we finally know what our problem was and it's working (it was the default gateway setup). Now we are working on the ACL part. As you know, we have an admin and a student network; we do not want any IP traffic from the student network to the admin network apart from some TCP traffic, e.g. SMTP, FTP.
We were wondering if there is another way of writing ACLs apart from going line by line. E.g. we have 4 subnets in admin and 6 subnets in student; if we were to create an ACL that blocks all traffic from the student subnets to the admin subnets and allows selected traffic across, then we are looking at a long list in the ACL. An example ACL is attached.
We were wondering if there is a better way of writing these ACLs.
We will appreciate it if you have any ideas.
Thank you
05-06-2007 10:10 PM
Re: Configuring Routing & ACL in 5308XL switch
Good that your problem is over; the gateway is the first thing to think of and ping :)
Anyway, named ACLs are better because of ease of use and editing or updating.
SW(config)#ip access-list
SW(config-ext-nacl)# ----- here you start creating your ACL, and add a string number for each entry (better to use increase by 10 so you can insert in between later).
Check this for more info and examples:
ftp://ftp.hp.com/pub/networking/software/6400-5300-4200-3400-AdvTrafficMgmt-Oct2006-59906051-Chap09.pdf
Good Luck !!!
05-06-2007 11:17 PM
Re: Configuring Routing & ACL in 5308XL switch
We have compiled an ACL and we are not quite sure if it will do what we would like it to do. What we want to achieve here is:
1) Traffic from all student workstations to the admin network to be blocked (172.16.36.0/24 ++)
2) Traffic from student servers (172.16.32.0/24) and the admin network (10 network) is allowed to anywhere.
We were wondering if you could comment on the attached ACL before we go and apply it to our switch.
Thank you
05-06-2007 11:19 PM
Re: Configuring Routing & ACL in 5308XL switch
05-07-2007 02:45 AM
Re: Configuring Routing & ACL in 5308XL switch
My comment is: why do you create one ACL that includes the IP addresses of all the VLANs 101, 102, 103, 104?
If you need to block one VLAN from going somewhere, you create an extended ACL and apply it on the source, which is the VLAN, to deny/permit it from going to wherever you want.
Check the following ACLs; I played with the wildcards to minimize the ACL entries:
---------------------------------------------
;Extended named ACL for Vlan 101
;------------------------------
ip access-list extended "101"
; blocking Vlan 101 going to admin vlan
deny ip 172.16.36.0 0.0.0.255 10.0.0.0 0.0.3.255
deny ip 172.16.36.0 0.0.0.255 10.0.10.0 0.0.1.255
deny ip 172.16.36.0 0.0.0.255 10.0.12.0 0.0.1.255
deny ip 172.16.36.0 0.0.0.255 10.0.14.0 0.0.0.255
; Permitting all other traffic
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
; Applying to VLAN 101, inbound: the deny entries match traffic sourced from this VLAN
vlan 101 ip access-group "101" in
;Extended named ACL for Vlan 102
;------------------------------
ip access-list extended "102"
; blocking Vlan 102 going to admin vlan
deny ip 172.16.37.0 0.0.0.255 10.0.0.0 0.0.3.255
deny ip 172.16.37.0 0.0.0.255 10.0.10.0 0.0.1.255
deny ip 172.16.37.0 0.0.0.255 10.0.12.0 0.0.1.255
deny ip 172.16.37.0 0.0.0.255 10.0.14.0 0.0.0.255
; Permitting all other traffic
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
; Applying to VLAN 102, inbound: the deny entries match traffic sourced from this VLAN
vlan 102 ip access-group "102" in
;Extended named ACL for Vlan 103
;------------------------------
ip access-list extended "103"
; blocking Vlan 103 going to admin vlan
deny ip 172.16.38.0 0.0.0.255 10.0.0.0 0.0.3.255
deny ip 172.16.38.0 0.0.0.255 10.0.10.0 0.0.1.255
deny ip 172.16.38.0 0.0.0.255 10.0.12.0 0.0.1.255
deny ip 172.16.38.0 0.0.0.255 10.0.14.0 0.0.0.255
; Permitting all other traffic
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
; Applying to VLAN 103, inbound: the deny entries match traffic sourced from this VLAN
vlan 103 ip access-group "103" in
;Extended named ACL for Vlan 104
;------------------------------
ip access-list extended "104"
; blocking Vlan 104 going to admin vlan
deny ip 172.16.39.0 0.0.0.255 10.0.0.0 0.0.3.255
deny ip 172.16.39.0 0.0.0.255 10.0.10.0 0.0.1.255
deny ip 172.16.39.0 0.0.0.255 10.0.12.0 0.0.1.255
deny ip 172.16.39.0 0.0.0.255 10.0.14.0 0.0.0.255
; Permitting all other traffic
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
; Applying to VLAN 104, inbound: the deny entries match traffic sourced from this VLAN
vlan 104 ip access-group "104" in
;Extended named ACL for Vlan 105 - Wireless
;------------------------------
ip access-list extended "105"
; blocking Vlan 105 going to admin vlan
deny ip 172.16.51.0 0.0.0.255 10.0.0.0 0.0.3.255
deny ip 172.16.51.0 0.0.0.255 10.0.10.0 0.0.1.255
deny ip 172.16.51.0 0.0.0.255 10.0.12.0 0.0.1.255
deny ip 172.16.51.0 0.0.0.255 10.0.14.0 0.0.0.255
; Permitting all other traffic
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
; Applying to VLAN 105, inbound: the deny entries match traffic sourced from this VLAN
vlan 105 ip access-group "105" in
---------------------------------------------
Hope that helps you.
Thanks in this Forum means assign points to all the posts that helped (or even not helped because still the guys tried to help)
:)
Good Luck !!!
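An added example, not part of the original post or of HP's documentation: a small Python evaluator for the wildcard entries of ACL "101" from the post above, showing which address range each wildcard covers and how first-match evaluation with the implicit deny treats a packet. The function names and the test addresses are constructed for illustration.

```python
import ipaddress

# Entries of ACL "101" as posted in the answer above.
ACL_101 = """
deny ip 172.16.36.0 0.0.0.255 10.0.0.0 0.0.3.255
deny ip 172.16.36.0 0.0.0.255 10.0.10.0 0.0.1.255
deny ip 172.16.36.0 0.0.0.255 10.0.12.0 0.0.1.255
deny ip 172.16.36.0 0.0.0.255 10.0.14.0 0.0.0.255
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """Wildcard bits set to 1 are ignored; every other bit must equal base."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def wildcard_range(base, wildcard):
    """First and last address covered; only defined for contiguous wildcards."""
    wc = to_int(wildcard)
    if wc & (wc + 1):
        raise ValueError("non-contiguous wildcard: " + wildcard)
    first = to_int(base) & ~wc & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(first | wc))

def parse_acl(text):
    """Parse 'deny|permit ip SRC SRC_WC DST DST_WC' lines; skip anything else."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 6 and fields[0] in ("deny", "permit") and fields[1] == "ip":
            entries.append((fields[0], *fields[2:]))
    return entries

def evaluate(entries, src, dst):
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for action, s, s_wc, d, d_wc in entries:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"

if __name__ == "__main__":
    acl = parse_acl(ACL_101)
    for _, _, _, d, d_wc in acl[:4]:
        print(d, d_wc, "covers", wildcard_range(d, d_wc))
    # Constructed test packets: (source, destination)
    for src, dst in [("172.16.36.5", "10.0.11.20"), ("172.16.36.5", "10.0.15.1"),
                     ("172.16.32.10", "10.0.0.1")]:
        print(src, "->", dst, evaluate(acl, src, dst))
```

Running a planned ACL through a check like this before applying it shows any destination range the deny entries miss, since the final permit entry lets everything else through.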
05-07-2007 12:52 PM
Re: Configuring Routing & ACL in 5308XL switch
Thanks for introducing us to wildcards. We have to start learning them, and that is what my previous post was regarding, as if we do not use some sort of wildcard or references the ACL will have a long, long list.
After a couple of modifications your ACL works for us, and thank you again.