06-10-2014 11:29 AM - last edited on 06-16-2014 01:44 AM by Lisa198503
V1910 vlan routing ACL's
Hi, has anybody successfully configured ACLs on a V1910 family switch? From what I understand, to make ACLs work on these switches you need to configure:
- ACL rules
- QoS Classifier
- QoS Behavior
- QoS Policy using both Classifier and Behavior
- Apply QoS Policy to a Port?
What I have is:
- Vlan 1: switches management vlan (All Trunk Ports, Gateway=192.168.2.250), Switch ports: 13 to 28
- Vlan 101: Servers Vlan (Gateway 192.168.0.210), Switch ports: 1 to 12
- Vlan 102: staff vlan (Gateway 172.16.200.1), No ports on this switch because the ports for this vlan will be configured on access switches connected to this switch via trunk ports
- Vlan 103: students vlan (Gateway 172.16.0.1), No ports on this switch because the ports for this vlan will be configured on access switches connected to this switch via trunk ports
What I need is:
- Prevent access from staff (102) to students (103) vlans and vice versa.
- Give access from staff (102) and students (103) to servers vlan (101)
- Prevent access from staff (102) and students (103) vlans to switches management vlan (1)
- Prevent access from students (103) to some specific servers (192.168.0.2, 192.168.0.12, 192.168.0.16)
- DHCP helper or something like that, because IPs from Vlans 102 and 103 are assigned via DHCP Server (192.168.0.1)
What I have configured so far:
- All Vlans are already created, each vlan with an IP so I can route between each other (192.168.2.250, 192.168.0.210, 172.16.200.1, 192.168.2.1)
- Switch gateway 0.0.0.0 to 192.168.0.6, so all traffic next hop is the firewall
- ACLs:
  - ACL Number: 3001, Type: Advanced, Number of Rules: 3
    Rule ID  Operation  Description
    10       deny       ip source 172.16.200.0 0.0.7.255 destination 172.16.0.0 0.0.15.255
    20       deny       ip source 172.16.200.0 0.0.7.255 destination 192.168.2.0 0.0.0.255
    30       permit     ip source 172.16.200.0 0.0.7.255 destination 192.168.0.0 0.0.1.255
  - ACL Number: 3002, Type: Advanced, Number of Rules: 6
    Rule ID  Operation  Description
    10       deny       ip source 172.16.0.0 0.0.15.255 destination 172.16.200.0 0.0.7.255
    20       deny       ip source 172.16.0.0 0.0.15.255 destination 192.168.2.0 0.0.0.255
    30       deny       ip source 172.16.0.0 0.0.15.255 destination 192.168.0.2 0
    40       deny       ip source 172.16.0.0 0.0.15.255 destination 192.168.0.12 0
    50       deny       ip source 172.16.0.0 0.0.15.255 destination 192.168.0.16 0
    60       permit     ip source 172.16.0.0 0.0.15.255 destination 192.168.0.0 0.0.1.255 fragment
What is working with the current configuration:
- Routing between vlans is working by default with the configuration of every vlan IP address and the default gateway of the switch, so I don't really know why I have to configure the permit rules. So right now I have complete access from any vlan to any vlan; that's why I created the ACLs.
What is not working:
- ACLs are not working because apparently they do not work if I don't create what I mentioned above: Classifiers, Behaviors, Policies
Can anybody help me with a straightforward step by step on how to achieve this? I am not an expert on these topics, but I do understand that on most layer 3 switches the ACLs work directly without any further configuration, but on this specific model you have to take these extra steps.
P.S. This thread has been moved from LAN Routing to Web and Unmanaged. -HP Forum Moderator
Tags: ACLs
06-10-2014 04:16 PM
Re: V1910 vlan routing ACL's
Howdy,
Can you not just use the
# int gig 1/0
# packet-filter 3003 inbound
type syntax on these relatively simple ones?
I thought that using the QoS config method was for VACLs?
Loads of ACL examples in the comware v5 examples Guide for 10500 (Comware Cookbook)
http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c03911087-1.pdf
HTH
Ian
## ---------------------------------------------------------------------------##
Which is the only cheese that is made backwards?
Edam!
Tweets: @2techie4me
06-11-2014 06:38 AM
Re: V1910 vlan routing ACL's
# int gig 1/0
# packet-filter 3003 inbound
What are these commands for?
I also found on the documentation you suggested and there is something like:
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] packet-filter 3000 inbound
Is this the same you are suggesting?
What are VACLs?
06-12-2014 02:56 PM
Re: V1910 vlan routing ACL's
Howdy,
re: VACL have a look at the link below
VACL - filters traffic within the VLAN rather than traffic passing through the L3 interface
The packet filter is a simple (ish) mechanism for applying access control lists to vlan / l3 interfaces
1) Create your acl
2) add some rules to it
3) check the permit / deny logic
4) apply to the appropriate interface - closest to the source usually best - inbound or outbound
Yes, those examples in the Comware doc should translate to what you're trying to achieve
HTH
Ian
## ---------------------------------------------------------------------------##
Which is the only cheese that is made backwards?
Edam!
Tweets: @2techie4me
06-13-2014 06:33 AM
Re: V1910 vlan routing ACL's
interface GigabitEthernet1/0/1
packet-filter 3000 inbound
interface GigabitEthernet1/0/2
packet-filter 3000 inbound
interface GigabitEthernet1/0/3
packet-filter 3000 inbound
And so on for all my switch ports?
Also, if the above should work, would something like this work? Instead of applying to every single port, apply to the complete Vlan:
interface Vlan-interface1
packet-filter 3000 inbound
interface Vlan-interface101
packet-filter 3000 inbound
interface Vlan-interface102
packet-filter 3000 inbound
And so on..
Thank you again for your time!! :)
06-13-2014 09:50 AM - edited 06-13-2014 10:45 AM
Re: V1910 vlan routing ACL's
Ian, well I tried this solution and it partially worked, you are a genius!! I am copying here my configuration file:
#
version 5.20, Release 1513P85
#
sysname Core
#
super password level 3 cipher $c$3$f9AQHbywXlr5KliCcLUWZ1V33ReEJc7Myfb/SQ==
#
domain default enable system
#
ip ttl-expires enable
#
password-recovery enable
#
acl number 3001
rule 10 deny ip source 172.16.200.0 0.0.7.255 destination 172.16.0.0 0.0.15.255
rule 20 deny ip source 172.16.200.0 0.0.7.255 destination 192.168.2.0 0.0.0.255
rule 30 permit ip source 172.16.200.0 0.0.7.255 destination 192.168.0.0 0.0.1.255
acl number 3002
rule 10 deny ip source 172.16.0.0 0.0.15.255 destination 172.16.200.0 0.0.7.255
rule 20 deny ip source 172.16.0.0 0.0.15.255 destination 192.168.2.0 0.0.0.255
rule 30 deny ip source 172.16.0.0 0.0.15.255 destination 192.168.0.2 0
rule 40 deny ip source 172.16.0.0 0.0.15.255 destination 192.168.0.12 0
rule 50 deny ip source 172.16.0.0 0.0.15.255 destination 192.168.0.16 0
rule 60 permit ip source 172.16.0.0 0.0.15.255 destination 192.168.0.0 0.0.1.255 fragment
#
vlan 1
#
vlan 101
description Servidores
#
vlan 102
description Administrativos
#
vlan 103
description Estudiantes
#
radius scheme system
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
#
local-user admin
password cipher $c$3$d2uEAn/pkEAkdG+Pk/GvBbhkxr5VV4qcbElbfg==
authorization-attribute level 3
service-type ssh telnet terminal
service-type web
#
stp mode rstp
stp enable
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.2.250 255.255.255.0
#
interface Vlan-interface101
ip address 192.168.0.210 255.255.255.0
#
interface Vlan-interface102
ip address 172.16.200.1 255.255.248.0
#
interface Vlan-interface103
ip address 172.16.0.1 255.255.240.0
#
interface GigabitEthernet1/0/1
port access vlan 101
stp edged-port enable
packet-filter 3001 inbound
packet-filter 3002 inbound
#
interface GigabitEthernet1/0/2
port access vlan 101
stp edged-port enable
packet-filter 3001 inbound
packet-filter 3002 inbound
#
interface GigabitEthernet1/0/3
port access vlan 101
stp edged-port enable
packet-filter 3001 inbound
packet-filter 3002 inbound
#
interface GigabitEthernet1/0/4
port access vlan 101
stp edged-port enable
packet-filter 3001 inbound
packet-filter 3002 inbound
#
interface GigabitEthernet1/0/5
port access vlan 101
stp edged-port enable
packet-filter 3001 inbound
packet-filter 3002 inbound
#
interface GigabitEthernet1/0/6
port access vlan 101
stp edged-port enable
packet-filter 3001 inbound
packet-filter 3002 inbound
#
interface GigabitEthernet1/0/7
port access vlan 101
stp edged-port enable
packet-filter 3001 inbound
packet-filter 3002 inbound
#
interface GigabitEthernet1/0/8
port access vlan 101
stp edged-port enable
packet-filter 3001 inbound
packet-filter 3002 inbound
#
interface GigabitEthernet1/0/9
port access vlan 101
stp edged-port enable
packet-filter 3001 inbound
packet-filter 3002 inbound
#
interface GigabitEthernet1/0/10
port access vlan 101
stp edged-port enable
packet-filter 3001 inbound
packet-filter 3002 inbound
#
interface GigabitEthernet1/0/11
port access vlan 101
stp edged-port enable
packet-filter 3001 inbound
packet-filter 3002 inbound
#
interface GigabitEthernet1/0/12
port access vlan 102
stp edged-port enable
packet-filter 3001 inbound
packet-filter 3002 inbound
#
interface GigabitEthernet1/0/13
port link-type hybrid
port hybrid vlan 101 to 103 tagged
port hybrid vlan 1 untagged
stp edged-port enable
packet-filter 3001 inbound
packet-filter 3002 inbound
#
interface GigabitEthernet1/0/14
port link-type hybrid
port hybrid vlan 101 to 103 tagged
port hybrid vlan 1 untagged
stp edged-port enable
packet-filter 3001 inbound
packet-filter 3002 inbound
#
interface GigabitEthernet1/0/15
port link-type hybrid
port hybrid vlan 101 to 103 tagged
port hybrid vlan 1 untagged
stp edged-port enable
packet-filter 3001 inbound
packet-filter 3002 inbound
#
interface GigabitEthernet1/0/16
port link-type hybrid
port hybrid vlan 101 to 103 tagged
port hybrid vlan 1 untagged
stp edged-port enable
packet-filter 3001 inbound
packet-filter 3002 inbound
#
interface GigabitEthernet1/0/17
port link-type hybrid
port hybrid vlan 101 to 103 tagged
port hybrid vlan 1 untagged
stp edged-port enable
packet-filter 3001 inbound
packet-filter 3002 inbound
#
interface GigabitEthernet1/0/18
port link-type hybrid
port hybrid vlan 101 to 103 tagged
port hybrid vlan 1 untagged
stp edged-port enable
packet-filter 3001 inbound
packet-filter 3002 inbound
#
interface GigabitEthernet1/0/19
port link-type hybrid
port hybrid vlan 101 to 103 tagged
port hybrid vlan 1 untagged
stp edged-port enable
packet-filter 3001 inbound
packet-filter 3002 inbound
#
interface GigabitEthernet1/0/20
port link-type hybrid
port hybrid vlan 101 to 103 tagged
port hybrid vlan 1 untagged
stp edged-port enable
packet-filter 3001 inbound
packet-filter 3002 inbound
#
interface GigabitEthernet1/0/21
port link-type hybrid
port hybrid vlan 101 to 103 tagged
port hybrid vlan 1 untagged
stp edged-port enable
packet-filter 3001 inbound
packet-filter 3002 inbound
#
interface GigabitEthernet1/0/22
port link-type hybrid
port hybrid vlan 101 to 103 tagged
port hybrid vlan 1 untagged
stp edged-port enable
packet-filter 3001 inbound
packet-filter 3002 inbound
#
interface GigabitEthernet1/0/23
port access vlan 103
stp edged-port enable
packet-filter 3001 inbound
packet-filter 3002 inbound
#
interface GigabitEthernet1/0/24
port link-type trunk
port trunk permit vlan 1 101 to 103
stp edged-port enable
packet-filter 3001 inbound
packet-filter 3002 inbound
#
interface GigabitEthernet1/0/25
port link-type hybrid
port hybrid vlan 101 to 103 tagged
port hybrid vlan 1 untagged
stp edged-port enable
packet-filter 3001 inbound
packet-filter 3002 inbound
#
interface GigabitEthernet1/0/26
port link-type hybrid
port hybrid vlan 101 to 103 tagged
port hybrid vlan 1 untagged
stp edged-port enable
packet-filter 3001 inbound
packet-filter 3002 inbound
#
interface GigabitEthernet1/0/27
port link-type hybrid
port hybrid vlan 101 to 103 tagged
port hybrid vlan 1 untagged
stp edged-port enable
packet-filter 3001 inbound
packet-filter 3002 inbound
#
interface GigabitEthernet1/0/28
port link-type hybrid
port hybrid vlan 101 to 103 tagged
port hybrid vlan 1 untagged
stp edged-port enable
packet-filter 3001 inbound
packet-filter 3002 inbound
#
ip route-static 0.0.0.0 0.0.0.0 192.168.0.6 preference 10
#
snmp-agent
snmp-agent local-engineid 8000000B0344319203C7EA
snmp-agent sys-info contact Gustavo Puente
snmp-agent sys-info location Data Center
snmp-agent sys-info version v3
#
user-interface aux 0
authentication-mode scheme
user-interface vty 0 15
authentication-mode scheme
#
return
I added "filter 3001 inbound" and "filter 3002 inbound" lines to every port on the switch and apparently it is working :) meaning that:
From vlan1 you can ping vlans 101, 102, 103
Vlan102 can't ping vlan1 nor vlan103
Vlan103 can't ping vlan1 nor vlan102
Vlan102 and 103 can ping vlan101
What I am not achieving is that from vlan 103 I shouldn't be able to ping specific ip addresses on vlan 101 (192.168.0.2, 192.168.0.16, 192.168.0.12) that are also defined on my ACL's
Could you please take a look at it and tell me if I am missing something?
Does the order of the Permits and Denys in the ACL's matter, or I am not defining it correctly?
Thanks a lot and sorry for the trouble