04-09-2020 09:05 AM
RACL VLAN ACL Question (traffic within VLAN getting hit counts on RACL?)
Device: Aruba 3810m
I have the following configuration:
ip access-list extended "ACL_for_Rand"
(a good few permit and deny statements)
100 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
110 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 log
vlan 3
name "Random_VLAN"
tagged 1-8
ip access-group "ACL_for_Rand" in
ip address 192.168.0.1 255.255.255.0
The part I don't really understand, and could use some clarification on, is the fact that the ACL is applied as a routed ACL (RACL), right? Otherwise the vlan 3 statement would look like this: ip access-group "ACL_for_Rand" vlan-in
When I issue the command to see the hit counts in the ACL I see hit counts for ACE 100...
Which confuses me because if this is truly a RACL, that traffic should never hit the ACE because it never leaves the VLAN (thus no routing, thus no using the ACL)?
Could someone help me understand why I'm seeing hit counts on this ACE for this ACL?
04-09-2020 11:31 PM
Re: RACL VLAN ACL Question (traffic within VLAN getting hit counts on RACL?)
Hello,
Please have a look at page 209
https://support.hpe.com/hpesc/public/docDisplay?docId=a00091309en_us
Here is a table showing the filtering action of inbound RACL. It says:
routed IPv4 traffic entering the switch and any IPv4 traffic with a destination on the switch itself.
The switch itself has an IP 192.168.0.1 which is a match for ACE 100. Any IPv4 traffic means routed or switched. If a management PC in subnet 192.168.0.0/24 had an SSH session with the switch IP 192.168.0.1, the SSH packets are matching ACE 100.
This is the only explanation I can think of at the moment. Maybe you can try to confirm it. For example you can check the number of hits, then send a certain number of ping packets from a host in VLAN 3 to the switch IP 192.168.0.1 and after that check the number of hits again. The difference should be equal or (more likely) higher than the number of pings.
04-10-2020 07:53 AM
Re: RACL VLAN ACL Question (traffic within VLAN getting hit counts on RACL?)
Thanks Emil,
I see more evidence in the documentation for this too.
Page 214: RACLs do not filter IPv4 traffic that remains in the same subnet from source to destination (switched traffic) unless the destination address (DA) or source address (SA) is on the switch itself.
So my next question... If I removed ACE 100, would devices in the same network and VLAN as the switch still be able to communicate? I understand why I get hit counts, but it seems like a weird sort of in-between thing to me at this point.
04-10-2020 08:22 AM
Re: RACL VLAN ACL Question (traffic within VLAN getting hit counts on RACL?)
Hello Christopher,
Yes, to my understanding, if you remove ACE 100, end nodes in VLAN 3 should be able to communicate with each other. This would be switched traffic and shouldn't be controlled by the RACL. That means in particular this traffic will not match ACE either.
If you need to reach the IP 192.168.0.1 of the switch via SSH, HTTPS, SNMP etc from a host in VLAN 3, this will be blocked after removing ACE 100 because this traffic will match ACE 110.
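As an added illustration (not code from the thread or from HPE), here is a small Python model of the filtering rule quoted from the guide in Emil's first reply, applied to the two ACEs from the question. It reproduces the hit counts the suggested ping test predicts and the effect of removing ACE 100 discussed in the last two posts; the host addresses 192.168.0.10, 192.168.0.20 and 10.0.0.5 are constructed, and the subnet-membership test is an assumption standing in for the switch's routed-vs-switched decision.

```python
import ipaddress

# Values from the post: the VLAN 3 interface address and subnet on the 3810M.
SWITCH_IP = ipaddress.ip_address("192.168.0.1")
VLAN3_NET = ipaddress.ip_network("192.168.0.0/24")

# The two ACEs quoted in the question: (seq, action, src, src_wildcard, dst, dst_wildcard).
ACL_FOR_RAND = [
    (100, "permit", "192.168.0.0", "0.0.0.255", "192.168.0.0", "0.0.0.255"),
    (110, "deny", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

def wildcard_match(addr, base, wildcard):
    """ACL wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(base)) & care)

def racl_evaluates(src, dst):
    """Rule quoted from the HPE guide: an inbound RACL sees routed IPv4 traffic entering
    the switch and any IPv4 traffic destined to the switch itself; traffic that stays
    inside the VLAN subnet is switched and bypasses the RACL (assumed subnet test)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return d == SWITCH_IP or not (s in VLAN3_NET and d in VLAN3_NET)

def evaluate(acl, src, dst):
    """('switched', None) when the RACL is bypassed, else (action, seq) of the first
    matching ACE; no match falls through to the implicit deny as ('deny', None)."""
    if not racl_evaluates(src, dst):
        return ("switched", None)
    for seq, action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return (action, seq)
    return ("deny", None)

def hit_counts(acl, packets):
    """Replay constructed (src, dst) packets and tally per-ACE hits, i.e. the counters
    the question is asking about."""
    counts = {entry[0]: 0 for entry in acl}
    for src, dst in packets:
        _, seq = evaluate(acl, src, dst)
        if seq is not None:
            counts[seq] += 1
    return counts

def without_ace(acl, seq):
    """The same ACL with one ACE removed, for the follow-up question about dropping ACE 100."""
    return [entry for entry in acl if entry[0] != seq]
```

Five pings from a VLAN 3 host to 192.168.0.1 add exactly five hits to ACE 100 while host-to-host packets in the same subnet add none; with ACE 100 removed the same pings fall to the logging deny in ACE 110.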