Switches, Hubs, and Modems

Need help wih ACL and VLAN

Alen Ahja
Frequent Advisor

Hi @ all,

We have at one site a 5300xl switch with 5 VLANs.
One of them is the R&D VLAN (VLAN ID=1303).
We now want only one host of this VLAN to be able to send e-mail to one other host.
But all other VLANs must have access to this VLAN.

We have the following ACL:

ip access-list extended "100"
permit tcp 192.168.116.182 0.0.0.0 192.170.171.12 0.0.0.0 eq 25
deny ip 192.168.116.0 0.0.0.255 0.0.0.0 255.255.255.255 log
exit

ip access-list extended "101"
permit ip 0.0.0.0 255.255.255.255 192.168.116.0 0.0.0.255
exit

In the specific VLAN (R&D) we entered:

ip access-group "100" in
ip access-group "101" out

The effect is that only the one host can send e-mail, but all the others have no contact with this VLAN.

How can we resolve it?

Thanks for the help.

Kind Regards

Alen

Matt Hobbs
Honored Contributor

Re: Need help wih ACL and VLAN

What I believe you need is the 'established' keyword on your 101 ACL. Unfortunately the 5300 does not support this command. The newer products like the 5400/3500 do however.

At the moment a packet comes in from another VLAN and passes the 101 ACL, it is the return traffic that has to pass ACL 100 that gets denied.

Mohieddin Kharnoub
Honored Contributor

Re: Need help wih ACL and VLAN

Hi

I believe what you did in ACL 100 is permit host-to-host e-mail, then deny this VLAN's other traffic, and I think that's enough for this VLAN, so why don't you allow other traffic by adding "permit ip any any" to the end of ACL 100?
Otherwise, there is no need for the last line, deny ip 192.168.116.0 0.0.0.255 any, because ACLs end with an explicit deny, so even if your ACL 100 looks like this:

ip access-list extended "100"
permit tcp 192.168.116.182 0.0.0.0 192.170.171.12 0.0.0.0 eq 25
exit

it will work for you the way it is working now.

Good Luck !!!
Science for Everyone
Alen Ahja
Frequent Advisor

Re: Need help wih ACL and VLAN

Hi Mohieddin,

did you mean this config?:

ip access-list extended "100"
permit tcp 192.168.116.182 0.0.0.0 192.170.171.12 0.0.0.0 eq 25
permit ip any any
exit

We don't want the hosts in VLAN 1303 to have access to the other VLANs. Only this one host must have it.

But all the other VLANs must have access to this VLAN (1303).

Alen
Alen Ahja
Frequent Advisor

Re: Need help wih ACL and VLAN

Hi Matt,

so you think there won't be a solution for our scenario?

Kind Regards

Alen
Mohieddin Kharnoub
Honored Contributor

Re: Need help wih ACL and VLAN

Hi

Not at all, I didn't say that, man :)
What I said is: I believe you just need to add permit ip any any.
OR
if you want to keep your configuration, then delete the deny, because it is followed by deny ip any any anyway.

Good Luck !!!
Science for Everyone
Mohieddin Kharnoub
Honored Contributor

Re: Need help wih ACL and VLAN

Hi

Can you try this:

ip access-list extended "100"
permit tcp 192.168.116.182 0.0.0.0 192.170.171.12 0.0.0.0 eq 25
deny ip 192.168.116.0 0.0.0.255 0.0.0.0 255.255.255.255 log
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit

Good Luck !!!
Science for Everyone
Matt Hobbs
Honored Contributor

Re: Need help wih ACL and VLAN

I believe that what I said is accurate, as you have stated:

"We don't want that the hosts in the VLAN 1303 will have access to other VLAN. Only this one host must have it.

But all the other VLANS must have access to this VLAN (1303)."

For this type of scenario you need the 'established' option.

'reflexive' ACLs are even more powerful.

This article below has helped me understand ACL's a little better, I think it's worthwhile reading:

http://www.informit.com/articles/article.asp?p=376258&seqNum=1&rl=1
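To make Matt's point about return traffic concrete (both his first reply and the 'established' suggestion above), here is an added example that is not part of the thread: a small stateless ACL evaluator in Python that replays a TCP handshake across the VLAN 1303 boundary against the original ACL 100, against the variant with "permit ip any any" appended, and against a variant with an 'established'-style rule (permit only when the TCP ACK or RST bit is set, which is how Cisco/ProCurve 'established' matches). The ACL entries and the 192.168.116.x / 192.170.171.12 addresses come from the thread; the outside host 192.170.5.20, the R&D host 192.168.116.50, and the ephemeral port 54321 are assumptions made up for the replay. As Matt notes, the 5300xl itself does not offer 'established'; the evaluator only models what it would do.

```python
# Added example: stateless ACL replay for the VLAN 1303 scenario in this thread.
# Not ProCurve code; addresses 192.170.5.20, 192.168.116.50 and port 54321 are
# assumptions for the replay.
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # "any" in wildcard notation


def matches(addr, base, wildcard):
    """Wildcard-mask match: bits set in the wildcard are don't-care bits."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & (~w & 0xFFFFFFFF) == 0


def evaluate(acl, pkt):
    """First matching entry wins; an ACL with no match ends in an implicit deny."""
    for action, proto, src, swc, dst, dwc, opts in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (matches(pkt["src"], src, swc) and matches(pkt["dst"], dst, dwc)):
            continue
        if opts.get("dport") is not None and opts["dport"] != pkt["dport"]:
            continue
        # 'established' matches only packets with ACK or RST set, i.e. replies.
        if opts.get("established") and not (pkt["ack"] or pkt.get("rst")):
            continue
        return action
    return "deny"


# ACL 100 as posted, applied "in" on VLAN 1303 (from R&D hosts into the switch).
ACL_100_ORIGINAL = [
    ("permit", "tcp", "192.168.116.182", "0.0.0.0", "192.170.171.12", "0.0.0.0", {"dport": 25}),
    ("deny", "ip", "192.168.116.0", "0.0.0.255", *ANY, {}),
]
# Mohieddin's variant: permit any any after the deny (the deny still wins).
ACL_100_PERMIT_ANY_LAST = ACL_100_ORIGINAL + [("permit", "ip", *ANY, *ANY, {})]
# Hypothetical variant with an established-style reply rule before the deny.
ACL_100_ESTABLISHED = [
    ACL_100_ORIGINAL[0],
    ("permit", "tcp", "192.168.116.0", "0.0.0.255", *ANY, {"established": True}),
    ACL_100_ORIGINAL[1],
]
# ACL 101 as posted, applied "out" on VLAN 1303 (from the switch to R&D hosts).
ACL_101 = [("permit", "ip", *ANY, "192.168.116.0", "0.0.0.255", {})]


def forward(acl_in, acl_out, pkt):
    """Packets sourced in 192.168.116.0/24 hit the inbound ACL; packets going into the VLAN hit the outbound one."""
    acl = acl_in if matches(pkt["src"], "192.168.116.0", "0.0.0.255") else acl_out
    return evaluate(acl, pkt)


def tcp_session(acl_in, acl_out, client, server, dport):
    """Replay SYN, SYN-ACK, ACK and collect verdicts, stopping at the first drop."""
    handshake = [
        {"proto": "tcp", "src": client, "dst": server, "dport": dport, "ack": False},  # SYN
        {"proto": "tcp", "src": server, "dst": client, "dport": 54321, "ack": True},  # SYN-ACK (assumed ephemeral port)
        {"proto": "tcp", "src": client, "dst": server, "dport": dport, "ack": True},  # ACK
    ]
    verdicts = []
    for pkt in handshake:
        verdicts.append(forward(acl_in, acl_out, pkt))
        if verdicts[-1] == "deny":
            break
    return verdicts


def scenario(acl_in):
    """The three flows the thread cares about, against a given inbound ACL 100."""
    outsider, insider, smtp = "192.170.5.20", "192.168.116.50", "192.170.171.12"
    return {
        "rnd_host_to_smtp": tcp_session(acl_in, ACL_101, "192.168.116.182", smtp, 25),
        "other_vlan_to_rnd": tcp_session(acl_in, ACL_101, outsider, insider, 80),
        "rnd_to_other_vlan": tcp_session(acl_in, ACL_101, insider, outsider, 80),
    }


def spoofed_ack_from_rnd(acl_in):
    """Caveat: 'established' is stateless, so an R&D host setting ACK on its own first packet slips through."""
    pkt = {"proto": "tcp", "src": "192.168.116.50", "dst": "192.170.5.20", "dport": 80, "ack": True}
    return forward(acl_in, ACL_101, pkt)


if __name__ == "__main__":
    for name, acl in [("original", ACL_100_ORIGINAL), ("permit-any-last", ACL_100_PERMIT_ANY_LAST),
                      ("established", ACL_100_ESTABLISHED)]:
        print(name, scenario(acl), "spoofed ACK:", spoofed_ack_from_rnd(acl))
```

With the original ACL 100 (and equally with "permit ip any any" appended after the deny) the SYN from another VLAN is permitted outbound but the SYN-ACK coming back from the R&D host is denied inbound, which is exactly the symptom reported in the thread. The established-style rule lets that reply through while still dropping a SYN that originates inside VLAN 1303. The last function shows the price of a stateless match: a host inside the VLAN can set the ACK bit itself and pass the rule, which is why a reflexive or stateful filter is the stronger answer where the platform supports it.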
Alen Ahja
Frequent Advisor

Re: Need help wih ACL and VLAN

Hi Mohieddin,

I will try this tomorrow, when I am back in the office.
I will report the result here.

Thanks for the help.

Regards

Alen
Alen Ahja
Frequent Advisor

Re: Need help wih ACL and VLAN

Hi!

I tested it with the config you sent me:

ip access-list extended "100"
permit tcp 192.168.116.182 0.0.0.0 192.170.171.12 0.0.0.0 eq 25
deny ip 192.168.116.0 0.0.0.255 0.0.0.0 255.255.255.255 log
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit

The result is that I can send e-mail from the host, but I don't have any access from the other VLANs into this one.

Alen