VLAN and ACL connectivity problem
09-02-2008 12:28 AM
I have been wrestling for a while with an issue regarding routing, VLANs and ACLs.
I'm currently using a 5300-series switch for testing, but the real switch is a 5400-series switch (in case they behave differently).
My problem:
I'm setting up several user, server and administration VLANs, but I can simplify the question in the following way:
One user VLAN and one administration VLAN. I would like to set up the traffic so that the user VLAN doesn't get any kind of connection to the administration VLAN (a ping would result in "Request timed out"), but the administration VLAN should get full access to the user VLAN (ping, rcp etc.).
I have been using the following ACL (see below) and I'm not quite happy with the result I get. My user VLAN can't access the administration VLAN (as it should be). But the problem is that the administration VLAN can reach the user VLAN, but the response to the ping isn't satisfying: I get a "Destination net unreachable" reply (see below for the exact output).
So the question is, am I doing something wrong, or is this kind of behaviour not possible with the use of ACLs?
----------------------------------------------
Ping reply - Administration host to User host
----------------------------------------------
C:\>ping 172.18.24.5
Pinging 172.18.24.5 with 32 bytes of data:
Reply from 172.18.32.1: Destination net unreachable.
Reply from 172.18.32.1: Destination net unreachable.
Reply from 172.18.32.1: Destination net unreachable.
Reply from 172.18.32.1: Destination net unreachable.
Ping statistics for 172.18.24.5:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
----------------------------------------------
5300 - Current configuration
----------------------------------------------
; J4850A Configuration Editor; Created on release #E.11.03
hostname "Routing 5300"
max-vlans 64
time timezone 60
time daylight-time-rule Western-Europe
no telnet-server
; ACL "100" as posted. The wildcard 0.0.0.252 matches only hosts in 172.18.24.x
; whose last octet is a multiple of 4 (the /22 would be 0.0.3.255), and 0.0.0.254
; only even last octets in 172.18.32.x (the /23 would be 0.0.1.255). Only UDP is
; permitted; every other protocol falls through to the implicit deny at the end.
ip access-list extended "100"
   deny udp 172.18.24.0 0.0.0.252 172.18.32.0 0.0.0.254
   permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
module 1 type J4907A
module 2 type J4907A
ip default-gateway 172.18.2.1
sntp server 172.18.1.230
ip routing
no ip source-route
ip udp-bcast-forward
timesync sntp
sntp unicast
snmp-server host 172.18.2.24 "public"
vlan 1
   name "DEFAULT_VLAN"
   untagged A2-A7,A9-A16,B1-B16
   ip address 172.18.2.2 255.255.248.0
   no untagged A1,A8
   exit
; ACL "100" is applied "out": it filters routed packets the switch forwards
; onto this VLAN, i.e. traffic heading from the administration VLAN to user hosts.
vlan 117
   name "User_vlan"
   untagged A8
   ip address 172.18.24.1 255.255.252.0
   ip helper-address 172.18.2.55
   ip helper-address 172.18.2.56
   ip helper-address 172.18.2.73
   ip access-group "100" out
   exit
vlan 11
   name "Administration_vlan"
   untagged A1
   ip address 172.18.32.1 255.255.254.0
   exit
ip route 0.0.0.0 0.0.0.0 172.18.2.1
router rip
   exit
vlan 1
   ip rip
   exit
09-02-2008 09:04 AM
Re: VLAN and ACL connectivity problem
Impossible to ping successfully, because
you can write the
(deny udp 172.18.24.0 0.0.0.252 172.18.32.0 0.0.0.254
permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255) ACL commands on the switch and assign VLAN 117 to the rule.
The ping command sends a ping packet to the destination device, and the sender waits for a ping echo response packet from the destination device.
172.18.24.5 sends a ping packet to 172.18.32.1
OK... but
172.18.32.1 sends a response ping packet to 172.18.24.5
Impossible, because the ACL knocks out this response packet.
cenk
09-02-2008 09:59 PM
Re: VLAN and ACL connectivity problem
I was wondering about what you describe, since I'm aware that the packet should be stopped (no traffic allowed into the administration VLAN). But I thought that perhaps, since the connection was initiated from the administration VLAN, the switch would let the connection flow between the hosts. I am aware that firewalls make those kinds of connections possible.
Have I come to a dead end, or is it possible to configure the ACL in some other way?
09-02-2008 11:44 PM
09-03-2008 12:08 AM
Re: VLAN and ACL connectivity problem
I will continue to test this feature, and hopefully established TCP traffic will be enough, but to be honest I'm not quite sure.
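The two points raised in this thread, that a switch ACL is stateless and so cannot let "the reply through because the request was allowed", and that the `established` keyword is the only stateless approximation (and only for TCP), are easier to see by replaying the packets through a model of the ACL. The block below is an added example written for this thread, not code from the original poster or from HP. It mimics ProCurve/Cisco-style extended ACEs with first-match semantics and an implicit deny, wildcard masks evaluated the way the switch evaluates them, and an `established` flag that matches only TCP segments carrying ACK. The admin host 172.18.32.10 and the rewritten inbound ACL are constructed for the example; the exact `established` syntax must be confirmed against the switch's own ACL reference before being typed into a 5300 or 5400.

```python
"""Stateless ACL replay for the VLAN 117 / VLAN 11 question in this thread.

Added example (not from the thread or from HP). It parses ACE lines of the
shape "permit|deny <proto> <src> <wildcard> <dst> <wildcard> [established]",
applies them first-match with an implicit deny, and replays the thread's
packets to show what a stateless ACL can and cannot express.
"""
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0 255.255.255.255"


@dataclass(frozen=True)
class Packet:
    proto: str          # "icmp", "udp" or "tcp"
    src: str
    dst: str
    ack: bool = False   # TCP ACK bit; True for segments of an already open session


def wild_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask compare: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def parse_acl(text: str):
    """Parse ACE lines; 'any' expands to 0.0.0.0 255.255.255.255, other lines are ignored."""
    aces = []
    for raw in text.splitlines():
        parts = raw.split(";")[0].replace("any", ANY).split()
        if len(parts) < 6 or parts[0] not in ("permit", "deny"):
            continue
        action, proto, src, swc, dst, dwc = parts[:6]
        aces.append((action, proto, src, swc, dst, dwc, "established" in parts[6:]))
    return aces


def evaluate(aces, pkt: Packet) -> str:
    """First matching ACE decides; a packet that matches nothing is denied."""
    for action, proto, src, swc, dst, dwc, established in aces:
        if proto not in ("ip", pkt.proto):
            continue
        if not (wild_match(pkt.src, src, swc) and wild_match(pkt.dst, dst, dwc)):
            continue
        if established and not (pkt.proto == "tcp" and pkt.ack):
            continue   # 'established' matches only TCP with ACK set (RST left out of the model)
        return action
    return "deny"      # implicit deny at the end of every ACL


# The ACL from the thread, applied "out" on VLAN 117: it sees packets the switch
# is about to route onto the user VLAN, i.e. the admin -> user direction.
THREAD_ACL_OUT_117 = """
deny udp 172.18.24.0 0.0.0.252 172.18.32.0 0.0.0.254
permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""

# Assumed rewrite for the "in" direction on VLAN 117 (packets arriving from user
# hosts). Constructed for this example; verify 'established' against the switch's
# ACL reference. Only TCP return traffic can be distinguished statelessly.
PROPOSED_ACL_IN_117 = """
permit tcp 172.18.24.0 0.0.3.255 172.18.32.0 0.0.1.255 established
deny   ip  172.18.24.0 0.0.3.255 172.18.32.0 0.0.1.255
permit ip  any any
"""

ADMIN_HOST, USER_HOST = "172.18.32.10", "172.18.24.5"   # constructed sample hosts


def thread_acl_verdicts() -> dict:
    """What the thread's outbound ACL does to admin-initiated traffic."""
    aces = parse_acl(THREAD_ACL_OUT_117)
    return {
        "admin_ping_request": evaluate(aces, Packet("icmp", ADMIN_HOST, USER_HOST)),
        "admin_udp":          evaluate(aces, Packet("udp", ADMIN_HOST, USER_HOST)),
        "admin_tcp_syn":      evaluate(aces, Packet("tcp", ADMIN_HOST, USER_HOST)),
        # the posted 0.0.0.252 wildcard does not even cover the host 172.18.24.5
        "deny_covers_user_host": wild_match(USER_HOST, "172.18.24.0", "0.0.0.252"),
        "deny_covers_user_vlan": wild_match("172.18.27.200", "172.18.24.0", "0.0.3.255"),
    }


def proposed_acl_verdicts() -> dict:
    """What a stateless inbound ACL with 'established' can and cannot do."""
    aces = parse_acl(PROPOSED_ACL_IN_117)
    return {
        "user_tcp_syn_to_admin":    evaluate(aces, Packet("tcp", USER_HOST, ADMIN_HOST)),
        "user_tcp_reply_to_admin":  evaluate(aces, Packet("tcp", USER_HOST, ADMIN_HOST, ack=True)),
        "user_ping_reply_to_admin": evaluate(aces, Packet("icmp", USER_HOST, ADMIN_HOST)),
        "user_to_default_vlan":     evaluate(aces, Packet("tcp", USER_HOST, "172.18.2.55")),
    }


if __name__ == "__main__":
    for name, verdicts in (("thread ACL (out, VLAN 117)", thread_acl_verdicts()),
                           ("proposed ACL (in, VLAN 117)", proposed_acl_verdicts())):
        print(name)
        for key, verdict in verdicts.items():
            print(f"  {key:26} {verdict}")
```

Two things fall out of the replay. First, with the posted ACL the admin host's echo request is dropped on its way onto VLAN 117 because only UDP is permitted, which is why the "Destination net unreachable" replies in the ping output come from 172.18.32.1, the switch's own Administration_vlan address, rather than from the user host; the deny line itself never fires in that direction, and its 0.0.0.252 wildcard would not even cover 172.18.24.5 if it did. Second, moving the filter to the inbound side of VLAN 117 with `established` lets TCP sessions opened from the administration VLAN complete while refusing user-initiated SYNs, but ICMP and UDP have no equivalent flag, so an admin-to-user ping still fails and a stateful firewall, not an ACL, is needed for that.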