02-12-2009 01:04 PM
Re: VLANs, Routing, Gateways + Rules?
> The ACL documentation for the 3400cl did
> seem pretty concise - 80 pages in all
Yep. 10 pages of them are just there to explain the resource issues and half-baked workarounds for the poor folks running into them (which are all of them - I bet you will hit this...)
> and stated that I could apply many more
> than 8 ACE's to an ACL.
I just had a look into the chapter called "Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches" from the latest Advanced Traffic Management Guide. It states that 3400cl and 6400cl are essentially the same in this matter:
* Only Ingress ACLs
* Only Port ACLs
* Severe Resource Issues when using ACLs.
Have a closer look at the part called "Planning an ACL Application..." and the table below "ACL Resource Usage and Monitoring". The caveat here is the "8 ACL masks" limit, which is really a limit of 7 masks as soon as IGMP snooping is active. You can tune an ACL somewhat by reorganizing it so consecutive ACEs produce the same mask (then this ACE is "free" and only draws from the absolute total of 120 rules), but in practice this is only possible in a small number of cases. You often end up with no more than 7 or 8 ACEs, maybe a lucky 10. Of course you can *define* ACLs with more entries, but you cannot *apply* them anywhere; the switch will greet your enthusiasm with a laconic "Unable to apply access control list" message.
I could also mention that applying an ingress ACL to a port on this platform will cycle this port through Down/Up states, taking the STP topology with it, so you cannot really change ACLs without impact. Given the port-ingress nature of the ACLs, you tend to shoot yourself in the foot even with tedious planning, especially when your switch is more in the center of the network. I can only repeat: while port ingress ACLs might have some use on the edge ports of access layer switches, they are completely insufficient for L3 switches in the distribution or (collapsed) core layers. You might compare the ACL docs of the yl/zl class switches to see what's closer to the state of the art here. I haven't hit a wall yet with ACLs on 6200yl for instance, but in the same network, a distribution unit made of two 6400cl is driving me crazy. We can only change ACLs there in a planned downtime, with somebody at the location standing by with a laptop and serial, and the resource limits already killed a downtime window. As a result, a part of a country-wide VPN has been dysfunctional for months now. 5400zl replacements are in the pipe, blocking on layer 8 (finances)...
HTH,
Andre.
02-12-2009 02:18 PM
Re: VLANs, Routing, Gateways + Rules?
I was planning on creating one ACL with around 30 ACEs and applying it to all relevant ports (probably 20 ports in total).
At least it's half term next week - I can do some proper testing...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-12-2009 03:06 PM
тАО02-12-2009 03:06 PM
Re: VLANs, Routing, Gateways + Rules?
If I'm reading this right, my original plan of giving each workstation VLAN an IP range on 10.*.0.0/255.255.0.0 and having the servers on 10.200.0.0/255.255.0.0 would make me run out of ACL masks rather quickly.
But, as most of my workstation VLANs will have the same rules applied to them, if I change the workstation VLAN IP ranges to 192.*.0.0/255.255.0.0 I could pretty much do everything with one ACL mask...
So for instance:
permit 192.0.0.0 0.255.255.255 10.200.0.0 0.0.255.255
would allow all my workstations to talk to my servers, while still preventing my workstation VLANs from talking to each other... Is that right? If so, my ACL planning got a lot easier, and as I haven't set up the IP ranges yet, it's no extra work there either...
02-16-2009 07:34 AM
Re: VLANs, Routing, Gateways + Rules?
I created an extended ACL:
permit ip 10.15.0.0 0.0.255.255 10.11.0.0 0.0.255.255
permit ip 10.15.0.0 0.0.255.255 10.12.0.0 0.0.255.255
permit ip 10.15.0.0 0.0.255.255 10.217.0.0 0.0.255.255
permit ip 10.16.0.0 0.0.255.255 10.11.0.0 0.0.255.255
permit ip 10.16.0.0 0.0.255.255 10.217.0.0 0.0.255.255
permit ip 10.14.0.0 0.0.255.255 10.11.0.0 0.0.255.255
permit ip 10.14.0.0 0.0.255.255 10.12.0.0 0.0.255.255
permit ip 10.14.0.0 0.0.255.255 10.217.0.0 0.0.255.255
permit ip 10.13.0.0 0.0.255.255 10.11.0.0 0.0.255.255
permit ip 10.13.0.0 0.0.255.255 10.127.0.0 0.0.255.255
permit ip 10.217.0.0 0.0.255.255 10.217.0.0 0.0.255.255
It worked initially - I set a workstation on 10.16.0.10 pinging both 10.14.0.10 and 10.217.28.12 - I applied the ACL to the port, and communication to 10.14.0.10 was blocked, whilst 10.217.28.12 carried on.
But 15-20 seconds later I got a "Limited or no connectivity" notice (WinXP) and everything stopped. Even DHCP has stopped (the DHCP server is 10.217.28.12).
I turned the rule off, applied it again, and got the exact same thing.
I tried again - this time a fresh PC - I applied the rule, plugged in the PC, and don't even get DHCP.
I'm assuming I've blocked DHCP somehow...
02-17-2009 03:57 AM
Re: VLANs, Routing, Gateways + Rules?
permit udp host 0.0.0.0 eq bootpc host 10.217.28.12 eq bootps
permit udp any eq bootpc host 255.255.255.255 eq bootps
That seems to have cured my DHCP issue.
Now I just have to figure out why my workstation imaging is broken - I'm PXE booting to my Novell ZEN imaging server - there's a brief message about not being able to download a file...
These things are never simple...
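The DHCP breakage described two posts up and the fix in this post, as an added example that is not code from the thread or from the switch: a small Python model of wildcard-mask ACE matching (first match wins, implicit deny at the end of the list) run over the poster's own ACEs. The wildcard and port semantics are assumed to follow the ProCurve syntax shown in the posts; the service-name table, the sample DISCOVER packet and the `parse_ace`/`evaluate` helpers are my own.

```python
import ipaddress

# Added example, not the switch's code: a simplified model of ProCurve-style extended
# ACEs (wildcard masks, first match wins, implicit "deny any" at the end of the list).
PORT_NAMES = {"bootpc": 68, "bootps": 67}   # service names used in the thread

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_ace(line):
    """Parse 'permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps'."""
    t, i = line.split(), 2
    ace = {"action": t[0], "proto": t[1]}
    for side in ("src", "dst"):
        if t[i] == "any":
            ace[side], i = (0, 0xFFFFFFFF), i + 1          # every bit is "don't care"
        elif t[i] == "host":
            ace[side], i = (_ip(t[i + 1]), 0), i + 2       # wildcard 0 = exact match
        else:
            ace[side], i = (_ip(t[i]), _ip(t[i + 1])), i + 2
        port = None
        if i < len(t) and t[i] == "eq":                    # optional 'eq <port>'
            port, i = PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
        ace[side + "port"] = port
    return ace

def ace_matches(ace, pkt):
    """Wildcard bits set to 1 are ignored; 'ip' matches any protocol; ports only if given."""
    def addr_ok(side):
        base, wild = ace[side]
        keep = ~wild & 0xFFFFFFFF
        return (_ip(pkt[side]) & keep) == (base & keep)
    return (ace["proto"] in ("ip", pkt["proto"]) and addr_ok("src") and addr_ok("dst")
            and all(ace[p] is None or ace[p] == pkt.get(p) for p in ("srcport", "dstport")))

def evaluate(acl, pkt):
    """First matching ACE decides; traffic that matches nothing hits the implicit deny."""
    for ace in map(parse_ace, acl):
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

# Constructed sample: two of the poster's workstation ACEs, the DHCP fix, and a
# DHCP DISCOVER as a client sends it (0.0.0.0:68 -> 255.255.255.255:67).
WORKSTATION_ACL = ["permit ip 10.16.0.0 0.0.255.255 10.11.0.0 0.0.255.255",
                   "permit ip 10.16.0.0 0.0.255.255 10.217.0.0 0.0.255.255"]
DHCP_ACES = ["permit udp host 0.0.0.0 eq bootpc host 10.217.28.12 eq bootps",
             "permit udp any eq bootpc host 255.255.255.255 eq bootps"]
DISCOVER = {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255",
            "srcport": 68, "dstport": 67}
# evaluate(WORKSTATION_ACL, DISCOVER) -> "deny"; with DHCP_ACES appended -> "permit"
```

The same evaluator shows why the earlier 192.0.0.0 0.255.255.255 to 10.200.0.0 0.0.255.255 idea works: a workstation-to-server packet matches, a workstation-to-workstation packet falls through to the implicit deny.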