v1910 ACL's Not Working

SOLVED
unwiley
Occasional Contributor

The ACL procedure on these switches is a pain in the ass. I followed the instructions exactly and still it doesn't work as expected. No matter what rules I put in the ACL, if the "Behavior" is set to Permit, all traffic is permitted. If the "Behavior" is set to Deny, all traffic is denied. If I set the "Behavior" to Not Set, it errors and won't apply the policy. Why can't I just apply an ACL to an interface without all this QoS business?

Please tell me what I'm doing wrong.

version 5.20 Release 1111P02
sysname ADMIN Switch
clock timezone #Web#-5#02 minus 05:00:00
domain default enable system
telnet server enable
ip ttl-expires enable
cluster enable
stack stack-port 1 port GigabitEthernet1/0/2
mirroring-group 1 local
time-range ALLTIME from 00:00 1/1/1970 to 24:00 12/31/2100
acl number 3001
 rule 0 permit ip destination 172.16.0.0 0.0.0.255
 rule 5 permit ip destination 172.16.50.1 0
 rule 10 permit ip destination 172.16.50.2 0
 rule 15 permit ip destination 172.16.50.4 0
 rule 20 permit ip destination 172.16.50.5 0
 rule 25 deny ip destination 172.16.50.3 0
 rule 30 deny ip destination 172.16.60.0 0.0.0.255
 rule 35 permit ip
vlan 1
 description Internal
vlan 50
 description Servers
vlan 60
 description Finance
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
traffic classifier Class1 operator and
 if-match acl 3001
traffic behavior Behavior1
 filter deny
qos policy Policy1
 classifier Class1 behavior Behavior1
user-group system
local-user admin
 password simple
 authorization-attribute level 3
 service-type ssh telnet terminal
stp mode rstp
stp enable
interface NULL0
interface Vlan-interface1
 ip address 172.16.0.4 255.255.255.0
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 1
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
 mirroring-group 1 monitor-port
interface GigabitEthernet1/0/2
 stp edged-port enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk permit vlan 1 50
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/4
 port link-type hybrid
 port hybrid vlan 1 tagged
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/5
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 60
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/6
 port link-type trunk
 port trunk permit vlan 1
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/7
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/8
 port link-type trunk
 port trunk permit vlan 1 50 60
 stp edged-port enable
 undo ntdp enable
interface GigabitEthernet1/0/9
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/10
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/11
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/12
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/13
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/14
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/15
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/16
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/17
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
 mirroring-group 1 mirroring-port both
interface GigabitEthernet1/0/18
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/19
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/20
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/21
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/22
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/23
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/24
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/25
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/26
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/27
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/28
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
snmp-agent
snmp-agent local-engineid 800063A203D07E28259F03
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version all
undo snmp-agent trap enable standard
ntp-service unicast-server 172.16.0.127
ssh server enable
user-interface aux 0
 authentication-mode scheme
user-interface vty 0 15
 authentication-mode scheme
return

P.S. This thread has been moved from Switches, Hubs, Modems (Legacy ITRC forum) to Web and Unmanaged. - Hp Forum Moderator

5 REPLIES
LorenzoCastro
Frequent Advisor
Solution

Re: v1910 ACL's Not Working

Hello, edited my original reply as it's obviously not the same and uses traffic classification and behaviors!  So...it sounds like since it's based off of QoS policies you'd want multiple ACLs, Classifications and Behaviors.  This would be for your permits and for your denies which map to multiple behaviors for your permits and your denies.  So I would assume it would look something like this when it's done:

acl number 3001
 rule 0 permit ip destination 172.16.0.0 0.0.0.255
 rule 5 permit ip destination 172.16.50.1 0
 rule 10 permit ip destination 172.16.50.2 0
 rule 15 permit ip destination 172.16.50.4 0
 rule 20 permit ip destination 172.16.50.5 0
traffic classifier PermitTraffic operator or
 if-match acl 3001
traffic behavior PermitBehavior
 filter permit
qos policy Policy1
 classifier PermitTraffic behavior PermitBehavior

And then repeat with your deny ACL, Classifier, and behaviors, and finally adding them to your QoS policy.  One more thing, your deny ACL will actually have to have permit statements as the ACL itself is not actually denying traffic, it's the behavior that's applying the deny filter.  The ACL is just used for classifying the traffic with the similar behavior.

unwiley
Occasional Contributor

Re: v1910 ACL's Not Working

This is it! 


What a backwards way to apply an ACL.  So much more convoluted than I learned on Cisco gear.


Thank you!

LorenzoCastro
Frequent Advisor

Re: v1910 ACL's Not Working

Great, glad I could help!   Ya, it seems doing it that way makes it a bit difficult, but I guess this gives you a good bit of flexibility.  With that said, that's only one of the ways of implementing it on the higher end A series switches.  The other ways of accomplishing it are much more like the traditional packet filtering ACLs.

q-w-e-r-t-y
Occasional Contributor

Re: v1910 ACL's Not Working

Any chance you can share the full configuration?

rfnogueira82
Occasional Visitor

Re: v1910 ACL's Not Working

ACLs on this switch are actually very complicated. I have 4 VLANs, 1, 2, 3, 4. I would like to give access to VLAN 4 only to VLAN 2. What should I do?
Should I set a QoS rule to any port in the case vlan interface?