"The resource assets in this website may include abbreviated and/or legacy terminology for HPE Aruba Networking products. See www.hpe.com for current and complete HPE Aruba Networking product lines and names."

Beginning Nov 15, 2021, the Networking Forums moved to the Airheads community

Want to Remove ACL

SOLVED

Hi,

I have HPE-5510 switch configured with ACL. Since in ACL I have configured that the switch should be accessible only from the mentioned IPs. But now since I have to migrate switch to other location, I need to remove ACL, I tried it but then switch becomes inaccessible.

Kindly advise as to how to remove ACL and its rules so that I can access Switch from any PC ?

Here is the configuration of ACL

acl number 3012
rule 5 permit ip source 172.16.12.62 0
rule 10 permit ip source 172.16.12.66 0
rule 15 permit ip source 172.16.12.0 0.0.0.127 destination 172.16.11.1 0
rule 20 permit ip source 172.16.12.0 0.0.0.127 destination 172.16.11.11 0
rule 25 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.2 0
rule 30 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.3 0
rule 35 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.4 0
rule 40 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.7 0
rule 50 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.10 0
rule 55 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.13.0 0.0.0.15
rule 60 permit ip

Manish

9 REPLIES 9

Hi @ManishChawda !

How and where the ACL is applied?

I am an HPE employee

Hi @ManishChawda, as suggested by @Ivan_B where the ACL number 3012 was applied?

Please post the output of these three commands:

display acl all
display acl 3012 
display packet-filter

I'm not an HPE Employee

Kudos and Accepted Solution banner

Hi,

ACL is applied in L3 Switch HPE-5510 to all PC's except 2 PC's so that only from that 2 PC's I can access HPE-5510. Kindly advise.

Below is the output.

[UMHPE5510L3-112]display acl all

Advanced IPv4 ACL 3012, 12 rules,

ACL's step is 5, start ID is 0

rule 5 permit ip source 172.16.12.31 0

rule 6 permit ip source 172.16.12.32 0

rule 10 permit ip source 172.16.12.66 0

rule 15 permit ip source 172.16.12.0 0.0.0.127 destination 172.16.11.1 0

rule 20 permit ip source 172.16.12.0 0.0.0.127 destination 172.16.11.11 0

rule 25 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.2 0

rule 30 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.3 0

rule 35 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.4 0

rule 40 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.7 0

rule 50 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.10 0

rule 55 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.13.0 0.0.0.15

rule 60 permit ip

-----------

[UMHPE5510L3-112]display acl 3012

Advanced IPv4 ACL 3012, 12 rules,

ACL's step is 5, start ID is 0

rule 5 permit ip source 172.16.12.31 0

rule 6 permit ip source 172.16.12.32 0

rule 10 permit ip source 172.16.12.66 0

rule 15 permit ip source 172.16.12.0 0.0.0.127 destination 172.16.11.1 0

rule 20 permit ip source 172.16.12.0 0.0.0.127 destination 172.16.11.11 0

rule 25 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.2 0

rule 30 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.3 0

rule 35 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.4 0

rule 40 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.7 0

rule 50 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.10 0

rule 55 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.13.0 0.0.0.15

rule 60 permit ip

---------

[UMHPE5510L3-112]display packet-filter interface

Interface: Vlan-interface12

Inbound policy:

IPv4 ACL 3012

TBH I don't see how removing the ACL 3012 can block access to anything. Not sure what steps did you follow to remove it, but I would try:

system-view
interface Vlan12
undo packet-filter 3012 inbound

and test. At this time do not remove the ACL itself. If everything is fine after running abovementioned commands, then remove the ACL itself by:

system-view
undo acl number 3012

I am an HPE employee

At first you need to remove the qos-profile from the interfaces where the rule is applied; before you need to delete the ACL binded to the qos-profile and then you could delete the ACL, if needed.

I Haq

Hi,

Thanks for the reply.

This was configured by one of the partner. I will surely try but since I am at remote location so when I will physically visit the location I will try. I will update you ASAP.

One more thing, can you give me commands to configure the same ACL step-by-step.

Manish

In order to configure same ACL with same number use following commands:

system-view
acl number 3012
rule 5 permit ip source 172.16.12.31 0
rule 6 permit ip source 172.16.12.32 0
rule 10 permit ip source 172.16.12.66 0
rule 15 permit ip source 172.16.12.0 0.0.0.127 destination 172.16.11.1 0
rule 20 permit ip source 172.16.12.0 0.0.0.127 destination 172.16.11.11 0
rule 25 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.2 0
rule 30 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.3 0
rule 35 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.4 0
rule 40 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.7 0
rule 50 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.11.10 0
rule 55 deny ip source 172.16.12.0 0.0.0.127 destination 172.16.13.0 0.0.0.15
rule 60 permit ip

I am an HPE employee

...and if you want to (re)apply the (re)configured ACL 3012 to VLAN id 12 then you have also to do:

system-view
interface Vlan12
packet-filter 3012 inbound

otherwise the ACL 3012 is just configured BUT not applied.

I'm not an HPE Employee

Kudos and Accepted Solution banner

Hi,

Thanks for all!. I will try once visiting the location and update you till then kudos and accepting solution.

Thanks