Aruba 2920 ACL Question

VEC-Solutions
Advisor

Just recently switched out our core to a 2920 and I wanted to take the opportunity to set up an ACL for a VLAN that is basically for a sub-lease of the business that just needs to see devices on their own VLAN and be able to route to the firewall. The firewall is 192.168.200.1. Networks are 192.168.0.0, 150.0, 200.0, etc.; about 7 VLANs in all, with the sub-lease VLAN being 192.168.150.0. My ACL looks something like this:

10 Permit IP 192.168.150.0/24 192.168.200.1/24

20 Deny IP 192.168.150.0/24 Any

30 Permit Any Any

This setup seems to work except for the fact that I can still ping the layer 3 devices from the switch when pinging from the sub-lease VLAN. For example, "ping 192.168.200.254 (vlan 1 layer 3 gateway) source 60 (the sub-lease VLAN)" results in a successful ping. Wondering if I am leaving something out of the ACEs.

Ivan_B
HPE Pro

Re: Aruba 2920 ACL Question

Hello!

In "ping the layer 3 devices from the switch when pinging from the sub-lease VLAN" scenario L3 devices respond to ping, but what about if you ping your L3 devices not from the switch directly, but from any device in the sub-lease VLAN? The main reason behind this question is to verify ACL's operation for pass-through traffic, not the one initiated from the switch itself, because self-initiated traffic normally is treated differently in switches due to specifics of the way ASICs operate.

I am an HPE employee

VEC-Solutions
Advisor

Re: Aruba 2920 ACL Question

So I'm just totally lost now.....

Did as you said and untagged a port on VLAN 60 to test this from a computer and not from a switch. 

Tracing route to 192.168.0.50 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 192.168.150.254
2 <1 ms <1 ms <1 ms 192.168.0.50

Not only can I ping and comm with the SVI which is the management IP as well, but somehow I can still ping servers on the ACL'd VLANs.......

Seems it is hitting the SVI and then doing w/e it wants to.....

parnassus
Honored Contributor

Re: Aruba 2920 ACL Question

Hi! To ease the troubleshooting efforts, can you post the sanitized running configuration?


I'm not an HPE Employee
VEC-Solutions
Advisor

Re: Aruba 2920 ACL Question

I don't think there is anything in here that can identify our network for bad actors. Please advise if I posted something identifiable.

hostname "HP-2920-48G"
module 1 type j9728a
timesync ntp
ntp unicast
ntp server-name "0.us.pool.ntp.org"
ntp server-name "1.us.pool.ntp.org"
ntp server-name "2.us.pool.ntp.org"
ntp server-name "3.us.pool.ntp.org"
ntp enable
time daylight-time-rule continental-us-and-canada
time timezone -360
ip access-list extended "VLAN60"
10 permit ip 192.168.150.0 0.0.0.255 192.168.200.1 0.0.0.255
20 deny ip 192.168.150.0 0.0.0.255 192.168.0.0 0.0.0.255
30 deny ip 192.168.150.0 0.0.0.255 192.168.50.0 0.0.0.255
40 deny ip 192.168.150.0 0.0.0.255 192.168.100.0 0.0.0.255
50 deny ip 192.168.150.0 0.0.0.255 192.168.200.0 0.0.0.255
60 deny ip 192.168.150.0 0.0.0.255 192.168.201.0 0.0.0.255
70 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
ip dns server-address priority 1 1.1.1.1
ip dns server-address priority 2 8.8.8.8
ip route 0.0.0.0 0.0.0.0 192.168.200.1
ip routing
snmp-server community "public" unrestricted
oobm
ip address dhcp-bootp
exit
vlan 1
name "DATA"
no untagged 12,23,32,37-38,40-42
untagged 1-11,13-22,24-31,33-36,39,45,48,A1-A2
tagged 43-44,46-47
ip address 192.168.200.254 255.255.255.0
dhcp-server
exit
vlan 10
name "PHONE"
untagged 40-42
tagged 2,43-44,46-47
ip address 192.168.0.254 255.255.255.0
qos priority 7
voice
dhcp-server
exit
vlan 20
name "CAMERA"
untagged 12
tagged 43-44,46-47
ip address 192.168.201.254 255.255.255.0
dhcp-server
exit
vlan 30
name "SECURITY"
untagged 37-38
tagged 43-44,46-47
ip address 192.168.100.254 255.255.255.0
dhcp-server
exit
vlan 40
name "WIFI"
tagged 43-44,46-47
ip address 192.168.50.254 255.255.255.0
qos priority 6
dhcp-server
exit
vlan 50
name "VIDEO"
untagged 23
tagged 43-44,46-47
no ip address
exit
vlan 60
name "INTERNET-FRONT"
tagged 43,47
ip address 192.168.150.254 255.255.255.0
dhcp-server
exit
vlan 70
name "VIDEO-SHOP"
untagged 32
tagged 46
no ip address
exit
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
dhcp-server pool "DATA-VLAN"
default-router "192.168.200.254"
dns-server "1.1.1.1,8.8.8.8,8.8.4.4"
network 192.168.200.0 255.255.255.0
option 42 ip "184.105.182.16,74.6.168.73,108.61.73.244"
range 192.168.200.101 192.168.200.150
exit
dhcp-server pool "WIFI-VLAN"
default-router "192.168.50.254"
dns-server "1.1.1.1,8.8.8.8,8.8.4.4"
network 192.168.50.0 255.255.255.0
option 42 ip "184.105.182.16,74.6.168.73,108.61.73.244"
range 192.168.50.101 192.168.50.150
exit
dhcp-server pool "PHONE-VLAN"
default-router "192.168.0.254"
dns-server "1.1.1.1,8.8.8.8,8.8.4.4"
network 192.168.0.0 255.255.255.0
option 42 ip "184.105.182.16,74.6.168.73,108.61.73.244"
range 192.168.0.101 192.168.0.150
exit
dhcp-server pool "CAMERA-VLAN"
default-router "192.168.201.254"
dns-server "1.1.1.1,8.8.8.8,8.8.4.4"
network 192.168.201.0 255.255.255.0
option 42 ip "184.105.182.16,74.6.168.73,108.61.73.244"
range 192.168.201.101 192.168.201.150
exit
dhcp-server pool "SECURITY-VLAN"
default-router "192.168.100.254"
dns-server "1.1.1.1,8.8.8.8,8.8.4.4"
network 192.168.100.0 255.255.255.0
option 42 ip "184.105.182.16,74.6.168.73,108.61.73.244"
range 192.168.100.101 192.168.100.150
exit
dhcp-server pool "INTERNET-FRONT-VLAN"
default-router "192.168.150.254"
dns-server "1.1.1.1,8.8.8.8,8.8.4.4"
network 192.168.150.0 255.255.255.0
option 42 ip "184.105.182.16,74.6.168.73,108.61.73.244"
range 192.168.150.101 192.168.150.150
exit
dhcp-server conflict-logging
dhcp-server enable
password manager
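An added example, not part of the thread and not a ProVision feature: a small Python first-match evaluator for the posted ACL "VLAN60", using the same wildcard-mask semantics the switch applies. It shows that entry 10's destination 192.168.200.1 with wildcard 0.0.0.255 matches every host in 192.168.200.0/24, including the VLAN 1 SVI 192.168.200.254, so that ping is permitted by the ACL itself once applied, whereas narrowing entry 10 to a host wildcard (0.0.0.0) lets entry 50 deny it. The sample source address 192.168.150.101 is an assumption (it falls inside the posted DHCP range for VLAN 60).

```python
import ipaddress

# Constructed input, not taken from the switch: the extended ACL "VLAN60" as it
# appears in the posted running config, in "seq action proto src src-wc dst dst-wc" form.
ACL_VLAN60 = """
10 permit ip 192.168.150.0 0.0.0.255 192.168.200.1 0.0.0.255
20 deny ip 192.168.150.0 0.0.0.255 192.168.0.0 0.0.0.255
30 deny ip 192.168.150.0 0.0.0.255 192.168.50.0 0.0.0.255
40 deny ip 192.168.150.0 0.0.0.255 192.168.100.0 0.0.0.255
50 deny ip 192.168.150.0 0.0.0.255 192.168.200.0 0.0.0.255
60 deny ip 192.168.150.0 0.0.0.255 192.168.201.0 0.0.0.255
70 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""

# Same ACL with entry 10 narrowed to the firewall host (wildcard 0.0.0.0 = exact match).
ACL_VLAN60_HOST = ACL_VLAN60.replace("192.168.200.1 0.0.0.255", "192.168.200.1 0.0.0.0")


def wildcard_match(addr, base, wildcard):
    """Wildcard-mask semantics: a set bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)


def parse_acl(text):
    """Parse 'seq action ip src src-wc dst dst-wc' lines into tuples sorted by sequence."""
    entries = []
    for line in text.strip().splitlines():
        seq, action, proto, src, src_wc, dst, dst_wc = line.split()
        entries.append((int(seq), action, proto, src, src_wc, dst, dst_wc))
    return sorted(entries)


def evaluate(entries, src, dst):
    """First-match evaluation; returns (seq, action). ProVision ACLs end with an implicit deny."""
    for seq, action, _proto, s, s_wc, d, d_wc in entries:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return seq, action
    return None, "deny"


if __name__ == "__main__":
    host = "192.168.150.101"  # assumed client on the sub-lease VLAN (inside the posted DHCP range)
    for name, text in (("as posted", ACL_VLAN60), ("host wildcard", ACL_VLAN60_HOST)):
        acl = parse_acl(text)
        for dst in ("192.168.200.1", "192.168.200.254", "192.168.0.50", "8.8.8.8"):
            print(f"{name:14} {host} -> {dst:16} {evaluate(acl, host, dst)}")
```

This only models the ACL's own logic; as Ivan_B notes above, traffic the switch originates itself (a `ping ... source 60` from the CLI) is handled separately from transit traffic and is not covered by this check.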

VEC-Solutions
Advisor

Re: Aruba 2920 ACL Question

I think the ACL listed here was a new config I was trying. I do not even have this ACL applied to any VLANs yet. Just was testing things that didn't seem to work.

parnassus
Honored Contributor

Re: Aruba 2920 ACL Question

I don't understand: did you test by applying the ACL or not? Because any test made without applying the ACL is simply not a test, since the ACL doesn't rule traffic when it is not applied (even if it is defined).


I'm not an HPE Employee
VEC-Solutions
Advisor

Re: Aruba 2920 ACL Question

I tried several different ways to apply the VACL. Applying it as "vlan-in" on the VLAN I wanted to restrict (never worked), applying it to all VLANs I wanted the restricted VLAN not to be able to access as "vlan-in" (worked, but could still ping all VLAN gateways). I ended up just routing the VLAN out to the firewall directly through a layer 1 link and leaving the VLAN without a VLAN gateway so it is isolated.