Re: Configuring Routing & ACL in 5308XL switch

Ashok K Gurung
Frequent Advisor

Re: Configuring Routing & ACL in 5308XL switch

- Yes, both PCs from the same VLAN can do so (connect to shared resources)
- Yes, they can even if they are not a domain member
- Yes, we did try some ACLs, but we thought we had deleted/disabled all of them
- C:>nslookup www.google.com
Server: pokhara.internal.mitacademy
Address: 172.16.32.2

Non-authoritative answer:
Name: www.l.google.com
Addresses: 72.14.253.104, 72.14.253.99, 72.14.253.147, 72.14.253.103
Aliases: www.google.com

Just a thought: how do we delete ACLs that were not supposed to be there permanently?

Thank you
Ashok K Gurung
Frequent Advisor

Re: Configuring Routing & ACL in 5308XL switch

Hi

Looks like it's an ACL which is supposed to be off but somehow is on. I tried with another VLAN and that works without any problem.

Now is there any way of cleaning out all those hidden ACLs?

Will really appreciate it if there is any suggestion.


thank you
Mohieddin Kharnoub
Honored Contributor

Re: Configuring Routing & ACL in 5308XL switch

Hi

If you can post the configuration it will be helpful for us to give you the correct suggestion to remove the ACLs.

Anyway, assuming you have an extended ACL applied to one VLAN, then:

- remove the ACL from the VLAN:
Switch(config)#no vlan ip access-group

- remove the ACL:
if it's a named one:
Switch(config)#no ip access-list extended NAME

If it's a standard or extended one, then you have to remove it line by line; that will be easy if you run the show run command, then stop at the ACL entries, copy them one by one and put "no" before each one.

Good Luck !!!
Science for Everyone
Ashok K Gurung
Frequent Advisor

Re: Configuring Routing & ACL in 5308XL switch

Thanks for the reply again

The config file we posted earlier is what we have. That is the reason I was saying in our previous post that it could be the old ACL we had created.

We had deleted that ACL using the command "no ip access-list extended NAME"; the VLAN that it was assigned to has now been deleted.

We used the following command to see if we have any ACLs, but the answer is always no:

HP ProCurve Switch 5308xl(config)# show access-list

Access Control Lists

Type Appl Name
---- ---- ----------------------------------------------------------------

HP ProCurve Switch 5308xl(config)# show access-list config
No access control lists are actively configured.

Other commands like "show access-list vlan all" show no ACL configured.

I just don't understand what is blocking traffic like share/browse going to a certain VLAN (VLAN 3). We can ping, we can traceroute, etc., but not share, cannot join a computer to the domain, etc.

Thank you again



Ashok K Gurung
Frequent Advisor

Re: Configuring Routing & ACL in 5308XL switch

Hi, it's me again

Yes, we finally know what our problem was and it's working (it was the default gateway setup). Now we are working on the ACL part, and as you know we have an admin and a student network; we do not want any IP traffic from the student network to the admin network apart from some TCP traffic, e.g. SMTP, FTP.

We were wondering if there is another way of writing ACLs apart from going line by line. E.g. we have 4 subnets in admin and 6 subnets in student; now if we create an ACL that blocks all traffic from the student subnets to the admin subnets and allows selected traffic across, then we are looking at a long list in the ACL. An example ACL is attached.

We were wondering if there is a better way of writing these ACLs.

We will appreciate it if you have any ideas.

Thank you
Mohieddin Kharnoub
Honored Contributor

Re: Configuring Routing & ACL in 5308XL switch

Hi

Good that your problem is over; the gateway is the first thing to think of and ping :)

Anyway, named ACLs are better because of ease of use and of editing or updating.

SW(config)#ip access-list extended NAME
SW(config-ext-nacl)# ----- here you start creating your ACL, and add a sequence number for each entry (better to increase by 10 so you can insert in between later).

Check this for more info and examples:
ftp://ftp.hp.com/pub/networking/software/6400-5300-4200-3400-AdvTrafficMgmt-Oct2006-59906051-Chap09.pdf

Good Luck !!!
Science for Everyone
Ashok K Gurung
Frequent Advisor

Re: Configuring Routing & ACL in 5308XL switch

Hi

We have compiled an ACL and we are not quite sure if it will do what we would like it to do. What we want to achieve here is:
1) Traffic from all student workstations to the admin network to be blocked (172.16.36.0/24 ++)
2) Traffic from the student servers (172.16.32.0/24) and the admin network (10 network) is allowed to anywhere.

We were wondering if you could comment on the attached ACL before we go and apply it to our switch.

Thank you
Ashok K Gurung
Frequent Advisor

Re: Configuring Routing & ACL in 5308XL switch

Sorry, attached ACL here; the first time it didn't work.
Mohieddin Kharnoub
Honored Contributor

Re: Configuring Routing & ACL in 5308XL switch

Hi

My comment is: why do you create one ACL that includes all the VLAN IP addresses 101, 102, 103, 104?

If you need to block one VLAN from going somewhere, you create an extended ACL and apply it on the source, which is the VLAN, to deny/permit it from going to wherever you want.

Check the following ACLs; I played with the wildcards to minimize the ACL entries:

---------------------------------------------
;Extended named ACL for Vlan 101
;------------------------------
ip access-list extended "101"
; blocking Vlan 101 going to admin vlan
deny ip 172.16.36.0 0.0.0.255 10.0.0.0 0.0.3.255
deny ip 172.16.36.0 0.0.0.255 10.0.10.0 0.0.1.255
deny ip 172.16.36.0 0.0.0.255 10.0.12.0 0.0.1.255
deny ip 172.16.36.0 0.0.0.255 10.0.14.0 0.0.0.255

; Permitting all other traffic
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

exit

; Applying to VLAN 101
vlan 101 ip access-group "101" out

;Extended named ACL for Vlan 102
;------------------------------
ip access-list extended "102"
; blocking Vlan 102 going to admin vlan
deny ip 172.16.37.0 0.0.0.255 10.0.0.0 0.0.3.255
deny ip 172.16.37.0 0.0.0.255 10.0.10.0 0.0.1.255
deny ip 172.16.37.0 0.0.0.255 10.0.12.0 0.0.1.255
deny ip 172.16.37.0 0.0.0.255 10.0.14.0 0.0.0.255

; Permitting all other traffic
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

exit

; Applying to VLAN 102
vlan 102 ip access-group "102" out

;Extended named ACL for Vlan 103
;------------------------------
ip access-list extended "103"
; blocking Vlan 103 going to admin vlan
deny ip 172.16.38.0 0.0.0.255 10.0.0.0 0.0.3.255
deny ip 172.16.38.0 0.0.0.255 10.0.10.0 0.0.1.255
deny ip 172.16.38.0 0.0.0.255 10.0.12.0 0.0.1.255
deny ip 172.16.38.0 0.0.0.255 10.0.14.0 0.0.0.255

; Permitting all other traffic
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

exit

; Applying to VLAN 103
vlan 103 ip access-group "103" out

;Extended named ACL for Vlan 104
;------------------------------
ip access-list extended "104"
; blocking Vlan 104 going to admin vlan
deny ip 172.16.39.0 0.0.0.255 10.0.0.0 0.0.3.255
deny ip 172.16.39.0 0.0.0.255 10.0.10.0 0.0.1.255
deny ip 172.16.39.0 0.0.0.255 10.0.12.0 0.0.1.255
deny ip 172.16.39.0 0.0.0.255 10.0.14.0 0.0.0.255

; Permitting all other traffic
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

exit

; Applying to VLAN 104
vlan 104 ip access-group "104" out

;Extended named ACL for Vlan 105 - Wireless
;------------------------------
ip access-list extended "105"
; blocking Vlan 105 going to admin vlan
deny ip 172.16.51.0 0.0.0.255 10.0.0.0 0.0.3.255
deny ip 172.16.51.0 0.0.0.255 10.0.10.0 0.0.1.255
deny ip 172.16.51.0 0.0.0.255 10.0.12.0 0.0.1.255
deny ip 172.16.51.0 0.0.0.255 10.0.14.0 0.0.0.255

; Permitting all other traffic
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

exit

; Applying to VLAN 105
vlan 105 ip access-group "105" out
---------------------------------------------

Hope that helps you.

Thanks in this forum means assigning points to all the posts that helped (or even did not help, because the guys still tried to help)
:)

Good Luck !!!
Science for Everyone
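Before pushing an ACL like the one above to a production switch, it helps to check offline what the wildcard masks actually match. The following Python script is an added example written for this thread; it is not code from the posters or from HP. It parses ACEs in the "deny/permit ip <src> <src-wildcard> <dst> <dst-wildcard>" form used in the post (first match wins, implicit deny at the end, which is how ProCurve evaluates them), converts contiguous wildcards to CIDR, evaluates sample packets, and lists which destinations inside a chosen scope a given source can still reach. The sample ACL and the 10.0.0.0/20 scope are constructed for the demonstration; the real admin subnets are not stated in the thread, so substitute your own.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample: the VLAN 101 ACL from the post, comments stripped.
SAMPLE_ACL = """
deny ip 172.16.36.0 0.0.0.255 10.0.0.0 0.0.3.255
deny ip 172.16.36.0 0.0.0.255 10.0.10.0 0.0.1.255
deny ip 172.16.36.0 0.0.0.255 10.0.12.0 0.0.1.255
deny ip 172.16.36.0 0.0.0.255 10.0.14.0 0.0.0.255
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""

ACE = Tuple[str, str, str, str, str, str]  # action, proto, src, src-wc, dst, dst-wc


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


def wildcard_to_cidr(base: str, wildcard: str) -> str:
    """Convert a contiguous wildcard (2^k - 1) to CIDR; reject non-contiguous ones."""
    w = ip_to_int(wildcard)
    if (w + 1) & w:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefix = 32 - w.bit_length()
    return str(ipaddress.ip_network(f"{base}/{prefix}", strict=False))


def parse_acl(text: str) -> List[ACE]:
    entries: List[ACE] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or ProCurve-style comment
        parts = line.split()
        if len(parts) != 6 or parts[0] not in ("deny", "permit"):
            raise ValueError(f"unsupported ACE: {line}")
        entries.append((parts[0], parts[1], parts[2], parts[3], parts[4], parts[5]))
    return entries


def evaluate(entries: List[ACE], src: str, dst: str) -> str:
    """First matching ACE decides; no match means the implicit deny."""
    for action, _proto, sb, sw, db, dw in entries:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def reachable_from(entries: List[ACE], src: str, scope: str) -> List[str]:
    """Destinations inside `scope` that `src` is still permitted to reach.

    Models the deny-then-permit-any layout used in the post: denies matching
    `src` are subtracted from the scope until a permit-any for `src` is hit.
    """
    remaining = [ipaddress.ip_network(scope)]
    for action, _proto, sb, sw, db, dw in entries:
        if not wildcard_match(src, sb, sw):
            continue
        if action == "permit":
            if dw != "255.255.255.255":
                raise NotImplementedError("only permit-any is modelled here")
            break
        denied = ipaddress.ip_network(wildcard_to_cidr(db, dw))
        kept = []
        for net in remaining:
            if denied.subnet_of(net):
                kept.extend(net.address_exclude(denied))
            elif net.subnet_of(denied):
                pass  # whole block is denied
            else:
                kept.append(net)
        remaining = kept
    return [str(n) for n in sorted(ipaddress.collapse_addresses(remaining))]


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for _, _, sb, sw, db, dw in acl:
        print(f"{wildcard_to_cidr(sb, sw):>18} -> {wildcard_to_cidr(db, dw)}")
    print("student -> admin:", evaluate(acl, "172.16.36.10", "10.0.2.5"))
    print("student -> server:", evaluate(acl, "172.16.36.10", "172.16.32.2"))
    print("still reachable in 10.0.0.0/20:", reachable_from(acl, "172.16.36.10", "10.0.0.0/20"))
```

The last call is the useful one: it prints the parts of the assumed 10.0.0.0/20 scope that the deny lines do not cover, so you can compare that list against your actual admin subnets before applying the ACL. Note that the deny entries name the VLAN's own subnet as the source, so the ACL only has an effect in the direction where that subnet is the source; confirm with "show access-list vlan all" after applying.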
Ashok K Gurung
Frequent Advisor

Re: Configuring Routing & ACL in 5308XL switch

Hi Guys

Thanks for introducing us to wildcards; we have to start learning them, and that is what my previous post was regarding, as if we do not use some sort of wildcard or reference the ACL will be a long, long list.

After a couple of modifications your ACL works for us, and thank you again.