Switches, Hubs, and Modems

Access list on a VLAN interface won't work!

dmsman
Visitor


I have a core switch (HP 8206) connected through VLAN 2 to an ISP router, which in turn connects me to my branch on subnet 192.168.2.1/24 through another ISP router. I'm trying to control my VLAN 1 traffic (192.168.1.1/24) going to VLAN 2 through an access list on the VLAN 1 interface, but it simply isn't working, even after trying ip access-group acl in, out, and vlan. Please help.

ip access-list extended test
deny ip 192.168.1.25 255.255.255.255 192.168.2.7 255.255.255.255
permit ip any any

vlan 1
name "Server-VLAN"
untagged Trk45
ip address 192.168.1.1 255.255.255.0

ip access-group test in


vrrp vrid 1
virtual-ip-address 192.168.1.1
priority 255
enable
exit


Ivan_B
HPE Pro

Re: Access list on a VLAN interface won't work!

Hi @dmsman !

This ACL should deny traffic sourced from the single IP 192.168.1.25 to the single IP 192.168.2.7; the rest is allowed. Is that really what you need to achieve, just blocking IP traffic between those two single IP addresses?


I am an HPE employee


dmsman
Visitor

Re: Access list on a VLAN interface won't work!

No, this isn't the full ACL, this is just an example. The thing is, the traffic is still going as if the ACL isn't there.

Ivan_B
HPE Pro

Re: Access list on a VLAN interface won't work!

You need to be sure your hosts in VLAN 1 are using 192.168.1.1 as their default gateway.

Another issue, sorry, I overlooked it: you are using subnet masks in the ACL, while you must use wildcard masks instead:


ip access-list extended test
deny ip 192.168.1.25 0.0.0.0 192.168.2.7 0.0.0.0
permit ip any any


Thus, if you want to block the whole subnet and the subnet has a /24 mask (255.255.255.0), then the correct wildcard mask will be 0.0.0.255.


I am an HPE employee

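The subnet-mask versus wildcard-mask point in the reply above, worked through as an added example. This is editor-written Python, not code from the thread or from HPE: it simulates how an extended ACL entry matches IPv4 flows under wildcard semantics (a 0 bit in the mask must match, a 1 bit is ignored), parses the thread's original entry and the corrected one, and runs a few constructed sample flows through both. The parser, the matcher and the sample flows are assumptions for illustration; the simulation models matching only, not where on the switch the ACL is applied.

```python
"""Simulate wildcard-mask matching for an extended IPv4 ACL.

Added example, not from the original thread or from HPE. The two ACL
texts are the thread's own entries; the flow list is constructed.
"""
import ipaddress


def _int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def subnet_to_wildcard(mask: str) -> str:
    """Convert a dotted subnet mask into the wildcard mask an ACL entry expects.

    255.255.255.0 -> 0.0.0.255 (whole /24); 255.255.255.255 -> 0.0.0.0 (one host).
    """
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ _int(mask)))


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'.

    Returns ((address, wildcard), remaining tokens), both as 32-bit ints.
    """
    word = tokens[0].lower()
    if word == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if word == "host":
        return (_int(tokens[1]), 0), tokens[2:]
    return (_int(tokens[0]), _int(tokens[1])), tokens[2:]


def parse_acl(text: str):
    """Parse permit/deny lines; the 'ip access-list' header and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].lower() not in ("permit", "deny"):
            continue
        action, proto, rest = tokens[0].lower(), tokens[1].lower(), tokens[2:]
        src, rest = _take_addr(rest)
        dst, _ = _take_addr(rest)
        entries.append((action, proto, src, dst))
    return entries


def _wild_match(value: int, spec) -> bool:
    """Wildcard semantics: compare only the bits where the wildcard is 0."""
    address, wildcard = spec
    care = 0xFFFFFFFF ^ wildcard
    return (value & care) == (address & care)


def lookup(entries, src: str, dst: str, proto: str = "ip"):
    """Return (action, index) of the first matching entry, or ('deny', None).

    An ACL with no matching entry denies: the implicit deny at the end.
    """
    s, d = _int(src), _int(dst)
    for index, (action, entry_proto, src_spec, dst_spec) in enumerate(entries):
        if entry_proto not in ("ip", proto):
            continue
        if _wild_match(s, src_spec) and _wild_match(d, dst_spec):
            return action, index
    return "deny", None


# The thread's original entry (subnet masks) and the corrected one (wildcards).
ORIGINAL_ACL = """
ip access-list extended test
deny ip 192.168.1.25 255.255.255.255 192.168.2.7 255.255.255.255
permit ip any any
"""
CORRECTED_ACL = """
ip access-list extended test
deny ip 192.168.1.25 0.0.0.0 192.168.2.7 0.0.0.0
permit ip any any
"""

# Constructed sample flows from VLAN 1 towards the branch subnet.
FLOWS = [
    ("192.168.1.25", "192.168.2.7"),   # the pair the author wants blocked
    ("192.168.1.30", "192.168.2.7"),   # another server, should pass
    ("192.168.1.25", "192.168.2.50"),  # same server, another branch host
]


def compare(flows=FLOWS):
    """Map each flow to (verdict under the original ACL, verdict under the corrected ACL)."""
    original, corrected = parse_acl(ORIGINAL_ACL), parse_acl(CORRECTED_ACL)
    return {f: (lookup(original, *f)[0], lookup(corrected, *f)[0]) for f in flows}


if __name__ == "__main__":
    for (src, dst), (before, after) in compare().items():
        print(f"{src} -> {dst}: original={before} corrected={after}")
    print("wildcard for /24:", subnet_to_wildcard("255.255.255.0"))
```

Under wildcard semantics a mask of 255.255.255.255 makes every bit a don't-care, so the original entry matches every source and every destination and the simulation reports deny for all three flows, the same as deny ip any any; the corrected entry with 0.0.0.0 masks denies only the 192.168.1.25 to 192.168.2.7 pair and lets the other two flows reach the permit. Whether the switch actually consults the ACL for a given packet still depends on the hosts using the VLAN 1 address as their gateway, as the reply notes, and on the direction the ACL is applied in.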

dmsman
Visitor

Re: Access list on a VLAN interface won't work!

- Please, is there a way to find hits on the access list on the VLAN when I use access-group in or out? I could only find hits using show statistics aclv4 vlan x vlan.

- What is the difference between access-group in/out/vlan?