
Filu
New Member

Need to setup specific ACL on an HP switch 5412zl series

Hi, I need to create an ACL that restricts access from VLAN 222 to everything else (except SMTP), while the rest of the VLANs (5, 10, 20, 100) can access VLAN 222.

So the goal is
1, 5, 20, 100 to 222 permit #file shares, snmp, pretty much everything

222 to 1, 5, 20, 100 deny except SMTP

I did the following

ip access-list extended "sd_smtp"
10 permit tcp 192.168.0.0 0.0.15.255 192.168.0.0 0.0.15.255 gt 0
20 permit icmp any any # for ping
30 permit tcp 10.222.2.10 0.0.0.0 192.168.1.30 0.0.0.0 eq 25
exit

In the end I ran this

vlan 222 ip access-group "sd_smtp" in

but it didn't work. I played with the ACLs for a bit to no avail; what is above is just one sample of the many variants I tried.

Can someone write a proper access-list that will work with the configuration attached?

Thanks,
Filu
cenk sasmaztin
Honored Contributor

Re: Need to setup specific ACL on an HP switch 5412zl series

ip access-list extended "101"
deny tcp 10.222.2.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 25
deny tcp 10.222.2.0 0.0.0.255 10.0.0.0 0.255.255.255 eq 25
permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit

and attach these rules to interface vlan 222 outbound.
cenk

Filu
New Member

Re: Need to setup specific ACL on an HP switch 5412zl series

Interesting, your ACL is exactly the opposite of what I was thinking it should be. Eh, well, I'll test it soon and let you know. Also, can you explain, pretty please, why you used "deny TCP vlan222 to vlan1" on port 25? I thought I needed to allow from 222 to everything on port 25. I'm a newbie and some things are still unclear to me :)

See the first line in ACL: deny tcp 10.222.2.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 25. Kinda confusing to me, as I thought I want to allow it.

Now, the reason to attach the ACL to 222 OUT is to filter the traffic from vlan 222 to the router, correct? So any traffic coming in (from the router to vlan 222?) is fine and unrestricted, but traffic coming out from vlan 222 to the router is filtered. But this is what puzzles me: why is the traffic from vlan 222 out to the router restricted on port 25? I need vlan 222 to be able to send alert emails to vlan 1, 5, etc.

Please explain, and hopefully I'll be smarter soon :)

Thanks!
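The reply's ACL and the original goal can be checked against each other before anything is applied to the switch. The following is an added example, not code from the thread or from HPE: a small Python model of first-match ACL evaluation with wildcard masks, the reply's rules transcribed field by field, an assumed rule set for the stated goal, and constructed test traffic using the hosts from Filu's ACL.

```python
import ipaddress
# Model of a ProVision-style extended ACL: top-down, first match wins, implicit deny.
# Entry: (action, proto, src, src_wildcard, dst, dst_wildcard, dst_port or None)
ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, base, wildcard):
    # Wildcard-mask semantics: a 1 bit in the mask means "don't care".
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, proto, src, dst, dport):
    for action, p, s, sw, d, dw, port in acl:
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every ACL

# The ACL posted in the first reply, transcribed field by field.
REPLY_ACL = [
    ("deny", "tcp", "10.222.2.0", "0.0.0.255", "192.168.0.0", "0.0.255.255", 25),
    ("deny", "tcp", "10.222.2.0", "0.0.0.255", "10.0.0.0", "0.255.255.255", 25),
    ("permit", "tcp", *ANY, *ANY, None),
]

# A rule set for the stated goal (assumption, not from the thread): SMTP out of
# 10.222.2.0/24 allowed, everything else from it blocked, other traffic untouched.
GOAL_ACL = [
    ("permit", "tcp", "10.222.2.0", "0.0.0.255", "192.168.0.0", "0.0.255.255", 25),
    ("permit", "tcp", "10.222.2.0", "0.0.0.255", "10.0.0.0", "0.255.255.255", 25),
    ("deny", "ip", "10.222.2.0", "0.0.0.255", *ANY, None),
    ("permit", "ip", *ANY, *ANY, None),
]

# Constructed test traffic for the goal in the original post (hosts from Filu's ACL).
CASES = [
    ("tcp", "10.222.2.10", "192.168.1.30", 25, "permit"),   # alert mail from VLAN 222
    ("tcp", "10.222.2.10", "192.168.1.30", 445, "deny"),    # file share from VLAN 222
    ("tcp", "10.222.2.10", "192.168.1.30", 22, "deny"),     # anything else from VLAN 222
    ("tcp", "192.168.1.30", "10.222.2.10", 445, "permit"),  # other VLANs into 222
]
def mismatches(acl):
    """Cases where the ACL's verdict differs from the intended one."""
    return [c for c in CASES if evaluate(acl, *c[:4]) != c[4]]
```

Switch ACLs are stateless, so a rule set like GOAL_ACL applied inbound on VLAN 222 also drops the return half of file-share sessions that the other VLANs open towards 222; those replies need their own permit entries (ProVision extended ACLs accept an established option for TCP).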
cenk sasmaztin
Honored Contributor

Re: Need to setup specific ACL on an HP switch 5412zl series

So the goal is
1, 5, 20, 100 to 222 permit #file shares, snmp, pretty much everything

222 to 1, 5, 20, 100 deny except SMTP

Is this true?

cenk

cenk sasmaztin
Honored Contributor

Re: Need to setup specific ACL on an HP switch 5412zl series

Sorry, I can't understand.

"Except" means excluding.

I suppose antipodal.
New rule for you, please test and tell me the result:

permit tcp 192.168.0.0 0.0.255.255 10.222.2.0 0.0.0.255 eq 25
permit tcp 10.0.0.0 0.255.255.255 10.222.2.0 0.0.0.255 eq 25
remark for dns
permit tcp 10.0.0.0 0.255.255.255 10.222.2.0 0.0.0.255 eq 53
permit udp 10.0.0.0 0.255.255.255 10.222.2.0 0.0.0.255 eq 53
remark for dhcp
permit udp 10.0.0.0 0.0.255.255 10.222.2.0 0.0.0.255 eq 67
permit udp 10.0.0.0 0.0.255.255 10.222.2.0 0.0.0.255 eq 68
cenk