06-01-2020 10:14 PM
Aruba 2920 ACL Question
Just recently switched out our core to a 2920 and I wanted to take the opportunity to set up an ACL for a VLAN that is basically for a sub-lease of the business that just needs to see devices on their own VLAN and be able to route to the firewall. Firewall is 192.168.200.1. Networks are 192.168.0.0, 150.0, 200.0, etc. ... about 7 VLANs in all w/ the sub-lease VLAN (192.168.150.0). My ACL looks something like this:
10 Permit IP 192.168.150.0/24 192.168.200.1/24
20 Deny IP 192.168.150.0/24 Any
30 Permit Any Any
This setup seems to work except for the fact I can still seem to ping the layer 3 devices from the switch when pinging from the sub-lease VLAN. For example, "ping 192.168.200.254 (vlan 1 layer 3 gateway) source 60 (the sub-lease VLAN)" results in a successful ping. Wondering if I am leaving something out of the ACEs.
06-01-2020 11:45 PM
Re: Aruba 2920 ACL Question
Hello!
In the "ping the layer 3 devices from the switch when pinging from the sub-lease VLAN" scenario the L3 devices respond to ping, but what about if you ping your L3 devices not from the switch directly, but from any device in the sub-lease VLAN? The main reason behind this question is to verify the ACL's operation for pass-through traffic, not the traffic initiated from the switch itself, because self-initiated traffic is normally treated differently in switches due to specifics of the way ASICs operate.
06-02-2020 09:38 AM
Re: Aruba 2920 ACL Question
So I'm just totally lost now.....
Did as you said and untagged a port on VLAN 60 to test this from a computer and not from a switch.
Tracing route to 192.168.0.50 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.150.254
2 <1 ms <1 ms <1 ms 192.168.0.50
Not only can I ping and comm with the SVI which is the management IP as well, but somehow I can still ping servers on the ACL'd VLANs.......
Seems it is hitting the SVI and then doing w/e it wants to.....
06-03-2020 04:08 AM
Re: Aruba 2920 ACL Question
Hi! To ease the troubleshooting efforts can you post the sanitized running configuration?
I'm not an HPE Employee
06-03-2020 12:25 PM
Re: Aruba 2920 ACL Question
I don't think there is anything in here that can identify our network for bad actors. Please advise if I posted something identifiable.
hostname "HP-2920-48G"
module 1 type j9728a
timesync ntp
ntp unicast
ntp server-name "0.us.pool.ntp.org"
ntp server-name "1.us.pool.ntp.org"
ntp server-name "2.us.pool.ntp.org"
ntp server-name "3.us.pool.ntp.org"
ntp enable
time daylight-time-rule continental-us-and-canada
time timezone -360
ip access-list extended "VLAN60"
10 permit ip 192.168.150.0 0.0.0.255 192.168.200.1 0.0.0.255
20 deny ip 192.168.150.0 0.0.0.255 192.168.0.0 0.0.0.255
30 deny ip 192.168.150.0 0.0.0.255 192.168.50.0 0.0.0.255
40 deny ip 192.168.150.0 0.0.0.255 192.168.100.0 0.0.0.255
50 deny ip 192.168.150.0 0.0.0.255 192.168.200.0 0.0.0.255
60 deny ip 192.168.150.0 0.0.0.255 192.168.201.0 0.0.0.255
70 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
ip dns server-address priority 1 1.1.1.1
ip dns server-address priority 2 8.8.8.8
ip route 0.0.0.0 0.0.0.0 192.168.200.1
ip routing
snmp-server community "public" unrestricted
oobm
ip address dhcp-bootp
exit
vlan 1
name "DATA"
no untagged 12,23,32,37-38,40-42
untagged 1-11,13-22,24-31,33-36,39,45,48,A1-A2
tagged 43-44,46-47
ip address 192.168.200.254 255.255.255.0
dhcp-server
exit
vlan 10
name "PHONE"
untagged 40-42
tagged 2,43-44,46-47
ip address 192.168.0.254 255.255.255.0
qos priority 7
voice
dhcp-server
exit
vlan 20
name "CAMERA"
untagged 12
tagged 43-44,46-47
ip address 192.168.201.254 255.255.255.0
dhcp-server
exit
vlan 30
name "SECURITY"
untagged 37-38
tagged 43-44,46-47
ip address 192.168.100.254 255.255.255.0
dhcp-server
exit
vlan 40
name "WIFI"
tagged 43-44,46-47
ip address 192.168.50.254 255.255.255.0
qos priority 6
dhcp-server
exit
vlan 50
name "VIDEO"
untagged 23
tagged 43-44,46-47
no ip address
exit
vlan 60
name "INTERNET-FRONT"
tagged 43,47
ip address 192.168.150.254 255.255.255.0
dhcp-server
exit
vlan 70
name "VIDEO-SHOP"
untagged 32
tagged 46
no ip address
exit
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
dhcp-server pool "DATA-VLAN"
default-router "192.168.200.254"
dns-server "1.1.1.1,8.8.8.8,8.8.4.4"
network 192.168.200.0 255.255.255.0
option 42 ip "184.105.182.16,74.6.168.73,108.61.73.244"
range 192.168.200.101 192.168.200.150
exit
dhcp-server pool "WIFI-VLAN"
default-router "192.168.50.254"
dns-server "1.1.1.1,8.8.8.8,8.8.4.4"
network 192.168.50.0 255.255.255.0
option 42 ip "184.105.182.16,74.6.168.73,108.61.73.244"
range 192.168.50.101 192.168.50.150
exit
dhcp-server pool "PHONE-VLAN"
default-router "192.168.0.254"
dns-server "1.1.1.1,8.8.8.8,8.8.4.4"
network 192.168.0.0 255.255.255.0
option 42 ip "184.105.182.16,74.6.168.73,108.61.73.244"
range 192.168.0.101 192.168.0.150
exit
dhcp-server pool "CAMERA-VLAN"
default-router "192.168.201.254"
dns-server "1.1.1.1,8.8.8.8,8.8.4.4"
network 192.168.201.0 255.255.255.0
option 42 ip "184.105.182.16,74.6.168.73,108.61.73.244"
range 192.168.201.101 192.168.201.150
exit
dhcp-server pool "SECURITY-VLAN"
default-router "192.168.100.254"
dns-server "1.1.1.1,8.8.8.8,8.8.4.4"
network 192.168.100.0 255.255.255.0
option 42 ip "184.105.182.16,74.6.168.73,108.61.73.244"
range 192.168.100.101 192.168.100.150
exit
dhcp-server pool "INTERNET-FRONT-VLAN"
default-router "192.168.150.254"
dns-server "1.1.1.1,8.8.8.8,8.8.4.4"
network 192.168.150.0 255.255.255.0
option 42 ip "184.105.182.16,74.6.168.73,108.61.73.244"
range 192.168.150.101 192.168.150.150
exit
dhcp-server conflict-logging
dhcp-server enable
password manager
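One detail worth checking in the posted list is rule 10's destination wildcard: on ProVision/ArubaOS-Switch extended ACLs the mask is an ACL wildcard (0 bits must match, 1 bits are ignored), so `192.168.200.1 0.0.0.255` matches every address in 192.168.200.0/24, including the VLAN 1 gateway 192.168.200.254, and the later rule 50 deny is never reached for that traffic. The following first-match evaluator is an added example, not code from the thread; `HOST_MASK_ACL` is a constructed variant of the posted ACL with a host wildcard (0.0.0.0) on the firewall address, and the sample source/destination addresses are constructed from the VLANs in the posted configuration.

```python
import ipaddress

# The ACL exactly as posted in the thread (copied here as constructed input).
POSTED_ACL = """
10 permit ip 192.168.150.0 0.0.0.255 192.168.200.1 0.0.0.255
20 deny ip 192.168.150.0 0.0.0.255 192.168.0.0 0.0.0.255
30 deny ip 192.168.150.0 0.0.0.255 192.168.50.0 0.0.0.255
40 deny ip 192.168.150.0 0.0.0.255 192.168.100.0 0.0.0.255
50 deny ip 192.168.150.0 0.0.0.255 192.168.200.0 0.0.0.255
60 deny ip 192.168.150.0 0.0.0.255 192.168.201.0 0.0.0.255
70 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""

# Constructed variant: rule 10 permits only the firewall host, not its whole /24.
HOST_MASK_ACL = POSTED_ACL.replace("192.168.200.1 0.0.0.255", "192.168.200.1 0.0.0.0")


def parse_acl(text):
    """Parse 'seq action ip SA SA-wildcard DA DA-wildcard' lines into ACE tuples."""
    aces = []
    for line in text.strip().splitlines():
        seq, action, _proto, sa, sw, da, dw = line.split()
        aces.append((int(seq), action, (sa, sw), (da, dw)))
    return aces


def wildcard_match(addr, base, wildcard):
    """ACL wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(aces, src, dst):
    """First-match evaluation of an IP flow; returns (seq, action) of the winning ACE."""
    for seq, action, (sa, sw), (da, dw) in aces:
        if wildcard_match(src, sa, sw) and wildcard_match(dst, da, dw):
            return seq, action
    return None, "deny"  # implicit deny at the end of every ACL


if __name__ == "__main__":
    for name, text in (("posted", POSTED_ACL), ("host-mask", HOST_MASK_ACL)):
        acl = parse_acl(text)
        for dst in ("192.168.200.1", "192.168.200.254", "192.168.0.50"):
            print(f"{name:9} 192.168.150.10 -> {dst}: {evaluate(acl, '192.168.150.10', dst)}")
```

With the posted list a VLAN 60 host reaching 192.168.200.254 matches (10, permit); with the host wildcard the same flow falls through to (50, deny) while the firewall at 192.168.200.1 is still permitted.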
06-03-2020 12:28 PM
Re: Aruba 2920 ACL Question
I think the ACL listed here was a new config I was trying. I do not even have this ACL applied to any VLANs yet. Just was testing things that didn't seem to work.
06-04-2020 05:29 PM
Re: Aruba 2920 ACL Question
I don't understand: did you test by applying the ACL or not? Because any test made without applying the ACL is simply not a test, since the ACL doesn't rule traffic when it is not applied (even if it is defined).
I'm not an HPE Employee
06-05-2020 08:06 AM
Re: Aruba 2920 ACL Question
I tried several different ways to apply the VACL. Applying it as "vlan-in" on the VLAN I wanted to restrict (never worked), applying it to all VLANs I wanted the restricted VLAN not to be able to access as "vlan-in" (worked, but could still ping all VLAN gateways). I ended up just routing the VLAN out to the firewall directly through a layer 1 link and leaving the VLAN without a VLAN gateway so it is isolated.