04-03-2006 06:39 AM
04-03-2006 12:22 PM
Re: Issues using access-lists on 5308xl for return traffic
To get around it, I think you need one of two things, which the 5300 does not support:
1. The 'established' command
2. Ability to filter ICMP traffic.
The new 5400/3500 products can do this.
The other way you can attack it is to use the 'permit any any' at the end of your ACL and specifically deny everything else you don't want access allowed to. This isn't as secure but it should let you achieve what you want.
04-04-2006 12:54 AM
Re: Issues using access-lists on 5308xl for return traffic
Is there anyone out there using access-lists on the 5308xl that can shed some light, or tell me how you are using them?
04-04-2006 02:17 AM
Re: Issues using access-lists on 5308xl for return traffic
permit tcp 0.0.0.0 255.255.255.255 10.10.30.0 0.0.0.255 gt 1023
I've always found this document quite useful in trying to understand how ACLs work: http://www.samspublishing.com/articles/article.asp?p=376125&rl=1
I think you'll find Chapter 10 and the section about 'Two-way Traffic and the established Keyword', helpful.
04-04-2006 05:59 AM
Re: Issues using access-lists on 5308xl for return traffic
One last question and I think I can put this to rest. Can you take a look at page 9-24 of the Advanced Traffic Management guide (ftp://ftp.hp.com/pub/networking/software/6400-5300-3400-AdvTrafficMgmt-Oct2005-59906051.pdf) as they are using an example extended ACL to only allow incoming telnet sessions to a host and then suggest an ACL config for me that would effectively allow only incoming telnet sessions to VLAN 30, but allow hosts on VLAN 30 to connect to hosts outside its VLAN unrestricted?
At that point then I think
04-04-2006 12:55 PM
Solution
So for your configuration, if you want other VLANs to only be able to telnet to a single host on VLAN 30, yet have VLAN 30 be able to communicate freely with the other VLANs, you can do it, but once again you have to allow for that return traffic.
If you applied this 'in' for VLAN 1 I think it would achieve the same thing:
ip access-list extended "101"
permit tcp 10.100.11.0 0.0.1.255 10.10.30.4 0.0.0.0 eq 23
permit tcp 10.100.11.0 0.0.1.255 10.10.30.0 0.0.0.255 gt 1023
deny tcp 10.100.11.0 0.0.1.255 10.10.30.0 0.0.0.255
permit ip 10.100.11.0 0.0.1.255 0.0.0.0 255.255.255.255
exit
You would also need a similar ACL for VLAN 20.
With those in place, you may not actually need any ACLs on VLAN 30 then.
I don't profess to be an ACL expert at all, so I may be missing something obvious. If I am hopefully someone else can fill in the blanks or offer another alternative.
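The two ACL posts above (the "permit tcp ... gt 1023" line and the full ACL 101) both rely on the same stateless trick: because the 5308xl has no "established" keyword, replies to connections that VLAN 30 hosts opened are admitted by blanket-permitting TCP to high ports on VLAN 30. The evaluator below is an added example, not code from the thread or from HP; it implements first-match, wildcard-mask ACL semantics in Python and runs ACL 101 against a handful of constructed packets so the trade-off is visible: the one permitted telnet session and the return traffic pass as intended, but so does any new TCP connection to a high port on VLAN 30, and UDP is never restricted at all because the final "permit ip" catches it. All addresses, ports and packets are assumptions that follow the thread's addressing (VLAN 30 is 10.10.30.0/24, the telnet host is 10.10.30.4), and the deny line is taken as targeting 10.10.30.0/24, the network the rest of the thread uses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical addresses and packets, constructed for this example; they follow
# the addressing used in the thread (VLAN 30 = 10.10.30.0/24, telnet host
# 10.10.30.4, VLAN 1 hosts inside the 10.100.11.0 0.0.1.255 wildcard range).


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0  # 0 where the protocol has no ports
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    proto: str  # "tcp", "udp", "icmp", or "ip" for any protocol
    src: str  # "network wildcard", e.g. "10.10.30.0 0.0.0.255"
    dst: str
    dport_op: str = ""  # "", "eq", "gt" or "lt" (destination port only)
    dport: int = 0


def wildcard_match(addr: str, spec: str) -> bool:
    """Router-style wildcard match: a 0 bit in the wildcard must match the
    network, a 1 bit is ignored (the inverse of a subnet mask)."""
    net, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(net)) & care
    )


def port_match(port: int, op: str, value: int) -> bool:
    if op == "":
        return True
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule decides; the index says which one. No match falls
    through to the implicit deny at the end of every ACL."""
    for i, rule in enumerate(acl):
        if rule.proto != "ip" and rule.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, rule.src) and wildcard_match(pkt.dst, rule.dst)):
            continue
        if rule.proto in ("tcp", "udp") and not port_match(pkt.dport, rule.dport_op, rule.dport):
            continue
        return rule.action, i
    return "deny", None


# The solution post's ACL 101, applied inbound on VLAN 1. The deny line is
# taken as 10.10.30.0/24 (VLAN 30), matching the rest of the thread.
ACL_101_IN_VLAN1 = [
    Rule("permit", "tcp", "10.100.11.0 0.0.1.255", "10.10.30.4 0.0.0.0", "eq", 23),
    Rule("permit", "tcp", "10.100.11.0 0.0.1.255", "10.10.30.0 0.0.0.255", "gt", 1023),
    Rule("deny", "tcp", "10.100.11.0 0.0.1.255", "10.10.30.0 0.0.0.255"),
    Rule("permit", "ip", "10.100.11.0 0.0.1.255", "0.0.0.0 255.255.255.255"),
]

# Constructed packets as seen entering the switch from VLAN 1.
EXAMPLE_PACKETS: Dict[str, Packet] = {
    # the one thing the ACL is meant to allow
    "telnet_to_vlan30_host": Packet("tcp", "10.100.11.7", "10.10.30.4", 51000, 23),
    # reply to an HTTP session a VLAN 30 host opened to 10.100.11.20:80
    "reply_to_vlan30_http": Packet("tcp", "10.100.11.20", "10.10.30.9", 80, 40000),
    # blocked by the deny line
    "ssh_to_vlan30_host": Packet("tcp", "10.100.11.7", "10.10.30.4", 51001, 22),
    # the stateless hole: a NEW connection to a high port looks like return traffic
    "new_conn_to_high_port": Packet("tcp", "10.100.11.7", "10.10.30.4", 51002, 8080),
    # the ACL only restricts TCP, so UDP to VLAN 30 reaches the final permit ip
    "snmp_to_vlan30_host": Packet("udp", "10.100.11.7", "10.10.30.4", 51003, 161),
    # traffic to some other VLAN is unrestricted, as the post intends
    "smb_to_other_vlan": Packet("tcp", "10.100.11.7", "10.100.20.5", 51004, 445),
    # a source outside 10.100.10.0/23 matches nothing and hits the implicit deny
    "outside_source_telnet": Packet("tcp", "10.100.12.1", "10.10.30.4", 51005, 23),
}


def classify_examples() -> Dict[str, Tuple[str, Optional[int]]]:
    return {name: evaluate(ACL_101_IN_VLAN1, pkt) for name, pkt in EXAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, (action, idx) in classify_examples().items():
        where = "implicit deny" if idx is None else f"rule {idx + 1}"
        print(f"{name:24s} {action:6s} ({where})")
```

Two checks worth making before copying an ACL like this onto a switch: the source wildcard 0.0.1.255 spans 10.100.10.0 through 10.100.11.255 (a /23), so confirm that is really the VLAN 1 range and not a typo for 0.0.0.255; and decide whether UDP and ICMP to VLAN 30 should be denied explicitly before the final "permit ip", since nothing in the posted list touches them.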
04-04-2006 04:47 PM
Re: Issues using access-lists on 5308xl for return traffic
Unlike router ACLs, a firewall is stateful (i.e., it knows the state or condition, is aware of history and can predict the future). TCP is stateful. For UDP and even ICMP, virtual state info is created.
Stateful ACL supporting devices:
HP 7000 series WAN router, Cisco PIX, Cisco IOS Reflexive ACL (standard feature set), Cisco IOS inspect ACL (security feature set)
04-05-2006 03:22 AM
Re: Issues using access-lists on 5308xl for return traffic
Thanks again.
04-05-2006 03:25 AM