HPE Community
Switches, Hubs, and Modems
1753521 Members
4764 Online
108795 Solutions
New Discussion

Re: Maybe RACL, maybe not. Need to restrict some traffic for training room.

 
bigmaneric97
Occasional Advisor

‎11-16-2020 11:13 AM

‎11-16-2020 11:13 AM

Maybe RACL, maybe not. Need to restrict some traffic for training room.

We have a training vlan of 10.3.4.0/24. I need it to have access to our DNS server and some other server and Internet access. Here is a "snippit" of what I have.

 

ip access-list extended "Training Lab"
10 permit tcp 10.3.4.0 255.255.255.0 192.168.xxx.77 255.255.255.255 eq 53
20 permit tcp 10.3.4.0 255.255.255.0 192.168.xxx.97 255.255.255.255 eq 53
30 permit udp 10.3.4.0 255.255.255.0 192.168.xxx.77 255.255.255.255 eq 68

...

200 deny ip 10.3.4.0 255.255.255.0 192.168.xxx.0 255.255.0.0 
210 deny ip 10.3.4.0 255.255.255.0 10.0.xxx.0 255.0.0.0

220 permit ip 10.3.4.0 255.255.255.0 0.0.0.0 0.0.0.0 

 

I then apply this to the vlan with address 10.3.4.0/24 and it shows as

 

ip access-list extended "Training Lab" vlan-in

 

The issue is when I apply this RACL I cannot access anything. The training network is coming through one switch where the vlan does not have an ip and the trunk to the next switch is tagged. The next switch is the core switch where the gateway IP of the vlan is assigned to the vlan. I have been applying the RACL to the vlan on the secondary and not the main switch? DO I need it on the main switch, the secondary switch, or both?

 

Thank you,

Eric

 

0 Kudos
1 REPLY 1
parnassus
Honored Contributor

‎11-16-2020 11:07 PM

‎11-16-2020 11:07 PM

Re: Maybe RACL, maybe not. Need to restrict some traffic for training room.

ACL applies where the routing happens.

If your "Core" switch is the switch performing IP Routing (VLANs have SVIs on this switch and IP Routing feature is enabled...and if clients use those SVIs...then your Core is the right switch where to apply your ACL).


I'm not an HPE Employee
Kudos and Accepted Solution banner
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.