HPE Community
Aruba & ProVision-based
1753859 Members
7659 Online
108809 Solutions
New Discussion

RACL VLAN ACL Question (traffic within VLAN getting hit counts on RACL?)

 
Christopher_F
Occasional Visitor

‎04-09-2020 09:05 AM

‎04-09-2020 09:05 AM

RACL VLAN ACL Question (traffic within VLAN getting hit counts on RACL?)

Device: Aruba 3810m
I have the following configuration:

ip access-list extended "ACL_for_Rand"
(a good few permit and deny statements) 
100 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
110 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 log

vlan 3
name "Random_VLAN"
tagged 1-8
ip access-group "ACL_for_Rand" in
ip address 192.168.0.1 255.255.255.0


The part I don't really understand, and could use some clarificaiton on, is the fact that the ACL is applied as a routed ACL (RACL), right? Otherwise the vlan 3 statement would look like this: ip access-group "ACL_for_Rand" vlan-in
When I issue the command to see the hit counts in the ACL I see hit counts for ACE 100...
Which confuses me because if this is truely a RACL, that traffic should never hit the ACE because it never leaves the VLAN (thus no routing, thus no using the ACL)?

Could someone help me understand why I'm seeing hit counts on this ACE for this ACL?

0 Kudos
3 REPLIES 3
Emil_G
HPE Pro

‎04-09-2020 11:31 PM

‎04-09-2020 11:31 PM

Re: RACL VLAN ACL Question (traffic within VLAN getting hit counts on RACL?)

Hello, 

Please have a look at page 209

https://support.hpe.com/hpesc/public/docDisplay?docId=a00091309en_us

Here is a table showing the filtering action of inbound RACL. It says: 

routed IPv4 traffic entering the switch and any IPv4 traffic with a destination on the switch itself.

The switch itself has an IP 192.168.0.1 which is a match for ACE 100. Any IPv4 traffic means routed or switched. If a management PC in subnet 192.168.0.0/24 had an SSH session with the switch IP IP 192.168.0.1 the SSH packets are matching ACE 100.

This is the only explenation I can think of at the moment. Maybe you can try to confirm it. For example you can check the number of hits, then send a certain number of ping packets from a host in VLAN 3 to the switch IP 192.168.01 and after that check the number of hits again. The difference should be equal or (more likely) higher than the number of pings.

I am an HPE employee

Accept or Kudo


0 Kudos
Christopher_F
Occasional Visitor

‎04-10-2020 07:53 AM

‎04-10-2020 07:53 AM

Re: RACL VLAN ACL Question (traffic within VLAN getting hit counts on RACL?)

Thanks Emil, 

I see more evidence in the documentation for this too.

Page 214 RACLs do not filter IPv4 traffic that remains in the same subnet from source to destination(switched traffic) unless the destination address (DA) or source address (SA) is on the switchitself.

So my next question... If I removed ACE 100, would devices in the same network and vlan as the switch still be able to communicate? I understand why I get hit counts, but it seems like a weird sort of inbetween thing to me at this point. 

0 Kudos
Emil_G
HPE Pro

‎04-10-2020 08:22 AM

‎04-10-2020 08:22 AM

Re: RACL VLAN ACL Question (traffic within VLAN getting hit counts on RACL?)

Hello Christopher, 

Yes, for my understanding if you remove ACE 100, end nodes in VLAN 3 should be able to communicate with each other. This would be switched traffic and shouldnt be controlled by the RACL. That means in particular this traffic will not match ACE either.

If you need to reach the IP 192.168.0.1 of the switch via SSH, HTTPS, SNMP etc from a host in VLAN 3, this will be blocked after removing ACE 100 because this traffic will match ACE 110. 

I am an HPE employee

Accept or Kudo


0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.