08-28-2006 01:04 AM
Need help with ACL and VLAN
We have at a site a 5300xl switch with 5 VLANs.
One of them is the R&D VLAN (VLAN ID=1303).
We want now that only one host of this VLAN can send emails to one other host.
Then all other VLANs must have access to this VLAN.
We get the following ACL:
ip access-list extended "100"
permit tcp 192.168.116.182 0.0.0.0 192.170.171.12 0.0.0.0 eq 25
deny ip 192.168.116.0 0.0.0.255 0.0.0.0 255.255.255.255 log
exit
ip access-list extended "101"
permit ip 0.0.0.0 255.255.255.255 192.168.116.0 0.0.0.255
exit
In the specific VLAN (R&D) we entered:
ip access-group "100" in
ip access-group "101" out
The effect is that only the one host can send emails, but all others have no contact to this VLAN.
How can we resolve it?
Thanks for the help.
Kind Regards
Alen
08-28-2006 04:00 AM
Re: Need help with ACL and VLAN
At the moment a packet comes in from another VLAN and passes the 101 ACL, it is the return traffic that has to pass ACL 100 that gets denied.
08-28-2006 05:00 AM
Re: Need help with ACL and VLAN
I believe what you did in ACL 100 is permit host-to-host emails, then deny this VLAN's other traffic, and I think that's enough for this VLAN, so why don't you allow other traffic by adding "permit ip any any" to the end of ACL 100?
Otherwise, there is no need for the last line, deny ip 192.168.116.0 0.0.0.255 any, because ACLs end with explicit deny, so even if your ACL 100 is like this:
Hi @ all,
We have at a site a 5300xl switch with 5 VLANs.
One of them is the R&D VLAN (VLAN ID=1303).
We want now that only one host of this VLAN can send emails to one other host.
Then all other VLANs must have access to this VLAN.
We get the following ACL:
ip access-list extended "100"
permit tcp 192.168.116.182 0.0.0.0 192.170.171.12 0.0.0.0 eq 25
exit
It will work for you like it's working now.
Good Luck !!!
08-28-2006 05:07 AM
Re: Need help with ACL and VLAN
did you mean this config?:
ip access-list extended "100"
permit tcp 192.168.116.182 0.0.0.0 192.170.171.12 0.0.0.0 eq 25
permit ip any any
exit
We don't want the hosts in VLAN 1303 to have access to other VLANs. Only this one host must have it.
But all the other VLANs must have access to this VLAN (1303).
Alen
08-28-2006 05:09 AM
Re: Need help with ACL and VLAN
so you think there won't be a solution for our scenario?
Kind Regards
Alen
08-28-2006 05:12 AM
Re: Need help with ACL and VLAN
Not at all, I didn't say that, man :)
What I said is: I believe you just need to add permit ip any any.
OR
if you want to keep your configuration, then delete the deny, because it is followed by deny ip any any anyway.
Good Luck !!!
08-28-2006 05:20 AM
Re: Need help with ACL and VLAN
Can you try this:
ip access-list extended "100"
permit tcp 192.168.116.182 0.0.0.0 192.170.171.12 0.0.0.0 eq 25
deny ip 192.168.116.0 0.0.0.255 0.0.0.0 255.255.255.255 log
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
Good Luck !!!
08-28-2006 05:33 AM
Re: Need help with ACL and VLAN
"We don't want that the hosts in the VLAN 1303 will have access to other VLAN. Only this one host must have it.
But all the other VLANS must have access to this VLAN (1303)."
For this type of scenario you need the 'established' option.
'reflexive' ACLs are even more powerful.
The article below has helped me understand ACLs a little better; I think it's worth reading:
http://www.informit.com/articles/article.asp?p=376258&seqNum=1&rl=1
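The first reply in this thread (return traffic from VLAN 1303 has to pass ACL 100) and this one (the 'established' option) together explain why a stateless ACL breaks the scenario. The Python simulation below is an added example, not code from this thread or from the switch vendor. It models generic first-match ACL evaluation with an implicit deny at the end, assumes that 'established' matches only TCP segments with ACK or RST set, and uses 192.168.10.5 and 192.168.116.50 as constructed hosts. It runs the thread's ACL 100 in its original form, with the trailing permit ip any any that was also tried in this thread, and with an established rule, against the permitted mail flow, a connection from another VLAN into VLAN 1303, a new connection out of VLAN 1303, and a ping.

```python
"""First-match ACL simulation for the VLAN 1303 scenario in this thread.
Added example, not code from the thread or the switch vendor. Assumed
semantics: rules are tried top to bottom, first match wins, unmatched packets
hit the implicit deny, 'established' matches only TCP segments with ACK/RST."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


def from_wildcard(addr: str, wildcard: str) -> IPv4Network:
    """Convert the 'address wildcard' notation of the thread's ACL lines:
    wildcard 0.0.0.0 means exactly this host, 255.255.255.255 means any."""
    w = int(IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return IPv4Network((addr, 32 - w.bit_length()), strict=False)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0
    ack: bool = False   # TCP ACK/RST set: reply inside an existing session


@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if IPv4Address(p.src) not in self.src or IPv4Address(p.dst) not in self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return p.ack or not self.established


def rule(action, proto, src, swc, dst, dwc, dport=None, established=False):
    """Build a Rule from the same tokens as the switch CLI lines in the thread."""
    return Rule(action, proto, from_wildcard(src, swc), from_wildcard(dst, dwc),
                dport, established)


def evaluate(acl, p: Packet) -> str:
    for r in acl:
        if r.matches(p):
            return r.action
    return "deny"       # implicit deny at the end of every ACL


RD_VLAN = from_wildcard("192.168.116.0", "0.0.0.255")   # VLAN 1303


def verdict(acl_in, acl_out, p: Packet) -> str:
    """Packets leaving VLAN 1303 meet its 'in' ACL, packets entering it meet
    its 'out' ACL (the access-group directions from the first post)."""
    return evaluate(acl_in if IPv4Address(p.src) in RD_VLAN else acl_out, p)


def exchange(acl_in, acl_out, request: Packet, reply: Packet):
    """Verdicts for a request and its reply; a dropped request has no reply."""
    req = verdict(acl_in, acl_out, request)
    return (req, "no-reply") if req != "permit" else (req, verdict(acl_in, acl_out, reply))


def tcp_session(acl_in, acl_out, client, server, dport, sport=40000):
    return exchange(acl_in, acl_out,
                    Packet(client, server, "tcp", dport),            # SYN
                    Packet(server, client, "tcp", sport, ack=True))  # SYN/ACK


def icmp_ping(acl_in, acl_out, client, server):
    return exchange(acl_in, acl_out, Packet(client, server, "icmp"),
                    Packet(server, client, "icmp"))


ANY = ("0.0.0.0", "255.255.255.255")
# The ACLs discussed in the thread, written with its own tokens.
ACL_100_ORIGINAL = [
    rule("permit", "tcp", "192.168.116.182", "0.0.0.0", "192.170.171.12", "0.0.0.0", dport=25),
    rule("deny", "ip", "192.168.116.0", "0.0.0.255", *ANY),
]
# A trailing 'permit ip any any' never fires for VLAN 1303 sources: the deny
# above it matches first.
ACL_100_TRAILING_PERMIT = ACL_100_ORIGINAL + [rule("permit", "ip", *ANY, *ANY)]
# 'established' lets replies from VLAN 1303 out while new connections from
# VLAN 1303 still fall through to the deny.
ACL_100_ESTABLISHED = [
    ACL_100_ORIGINAL[0],
    rule("permit", "tcp", "192.168.116.0", "0.0.0.255", *ANY, established=True),
    ACL_100_ORIGINAL[1],
]
ACL_101_OUT = [rule("permit", "ip", *ANY, "192.168.116.0", "0.0.0.255")]

if __name__ == "__main__":
    # 192.168.10.5 and 192.168.116.50 are constructed hosts for the example.
    for name, acl in [("original", ACL_100_ORIGINAL), ("trailing permit", ACL_100_TRAILING_PERMIT),
                      ("established", ACL_100_ESTABLISHED)]:
        print(name, "mail:", tcp_session(acl, ACL_101_OUT, "192.168.116.182", "192.170.171.12", 25),
              "other->R&D:", tcp_session(acl, ACL_101_OUT, "192.168.10.5", "192.168.116.50", 80),
              "R&D->other:", tcp_session(acl, ACL_101_OUT, "192.168.116.50", "192.168.10.5", 80),
              "ping:", icmp_ping(acl, ACL_101_OUT, "192.168.10.5", "192.168.116.50"))
```

With the original and the trailing-permit ACLs, the SYN from another VLAN is permitted by ACL 101 but the SYN/ACK coming back out of VLAN 1303 hits the deny in ACL 100, which is exactly the symptom reported in this thread. The established rule lets that reply through while a fresh SYN from a VLAN 1303 host is still dropped. The ping case shows the caveat: 'established' only covers TCP, so ICMP and UDP replies from VLAN 1303 are still denied, which is the gap reflexive ACLs are meant to close. Note also that an established rule trusts the flags carried in the packet rather than tracking real sessions, so it is a weaker control than a stateful filter.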
08-28-2006 08:20 AM
Re: Need help with ACL and VLAN
I will try this tomorrow, when I am back in the office.
I will report the result here.
Thanks for the help.
Regards
Alen
08-28-2006 07:47 PM
Re: Need help with ACL and VLAN
I tested it with the config which you sent me:
ip access-list extended "100"
permit tcp 192.168.116.182 0.0.0.0 192.170.171.12 0.0.0.0 eq 25
deny ip 192.168.116.0 0.0.0.255 0.0.0.0 255.255.255.255 log
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
The result is that I can send emails from the host, but I don't have any access from the other VLANs into this one.
Alen