Re: How to create Access list HP procurve 8212ZL switch

Asha D · ‎06-15-2011

Hi,

We have 4 vlans configured in it.
vlan1:15.15.15.0/24
vlan2:20.20.20.0/24
vlan3:25.25.25.0/24

ip routing is enabled, now all the vlans can communicate with each other.i want to create access list so that it should allow all traffic form other vlans to vlan 3 and it should block vlan 3 traffic to other vlans mainly one way communication.

Please any provide commands to do the same?

Regards
Asha

showneek · ‎06-16-2011

Hi, you have to create ACL and apply it as routed ACL.

You can find complete explanation and configuration in Access Security Guide manual:

http://bizsupport2.austin.hp.com/bc/docs/support/SupportManual/c02814696/c02814696.pdf

Asha D · ‎06-16-2011

Hi,

According my requirement i need to configure Routed ACL (RACL).. can you provide me the commands to do that with an example.

Regards
Asha

cenk sasmaztin · ‎06-16-2011

hi Asha example ACL config for you
vlan 4 reachable to vlan 3
but unreachable all other vlan

hostname "ProCurve Switch 3500-24"
ip access-list standard "10"
10 deny 10.0.12.0 0.0.0.255
20 permit 0.0.0.0 255.255.255.255
exit
ip access-list extended "100"
10 deny ip 10.0.11.0 0.0.0.255 10.0.12.0 0.0.0.255
20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
ip access-list standard "11"
10 deny 10.0.11.0 0.0.0.255
20 permit 0.0.0.0 255.255.255.255
exit
ip access-list standard "12"
10 deny 10.0.10.0 0.0.0.255
20 deny 10.0.11.0 0.0.0.255
30 permit 0.0.0.0 255.255.255.255
exit
ip access-list standard "20"
10 permit 10.0.11.100 0.0.0.255
20 deny 0.0.0.0 255.255.255.255
exit
module 1 type J94ddA
ip routing
vlan 1
name "DEFAULT_VLAN"
untagged 1,6-24
ip address dhcp-bootp
no untagged 2-5
exit
vlan 2
name "VLAN2"
untagged 2
ip address 10.0.10.200 255.255.255.0
exit
vlan 3
name "VLAN3"
untagged 3
ip address 10.0.11.200 255.255.255.0
exit
vlan 4
name "VLAN4"
untagged 4
ip address 10.0.12.200 255.255.255.0
ip access-group "20" out
exit
vlan 5
name "VLAN5"
untagged 5
ip address 10.0.13.200 255.255.255.0
exit

cenk

ishutterbug · ‎08-18-2011

Asha - I'd add to cenk's reply only a tip that I've found works well for me. That is, to maintain my ACL's in text files. Each time I need to modify the ACL, I do so in the text file, then copy/paste that into the CLI of the 8212zl we have at our institution. Here's an example ...

=========================================================

conf t
int vlan 91
no ip access-group "109" in
exit

no ip access-list extended "109"

ip access-list extended "109"
   10 permit ip 172.16.10.162 0.0.0.0 172.16.0.32 0.0.0.0
   20 permit ip 172.16.10.162 0.0.0.0 172.16.40.105 0.0.0.0
   30 permit ip 172.16.10.162 0.0.0.0 172.16.40.106 0.0.0.0
   40 permit ip 172.16.10.162 0.0.0.0 209.39.25.61 0.0.0.0
   ...
   240 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit

int vlan 91
ip access-group "109" in
exit
exit
wr mem

YenLin · ‎04-14-2013

hi I would like to create a vlan for guests, so what is the best way to create the acl for this kind of vlan?

Below is the configuration that I reckon.

ip access-list extend 101

10 deny 10.1.1.0 0.0.0.255

20 deny 10.1.2.0 0.0.0.255

30 deny 10.1.3.0 0.0.0.255

40 deny 10.1.4.0 0.0.0.255

50 deny 10.1.5.0 0.0.0.255

.

100 permit 0.0.0.0 255.255.255.255

Vlan 15

access-group 101 in

wr m

logo

From 10-90 are our private VLANs, and 100 is to permit this vlan to go to internet.

Re: How to create Access list HP procurve 8212ZL switch

How to create Access list HP procurve 8212ZL switch