HPE Community
Aruba & ProVision-based
1753611 Members
6076 Online
108797 Solutions
New Discussion

Re: 8212zl ACL Problem

 
airport_guy
Occasional Advisor

‎06-27-2013 10:45 PM - last edited on ‎04-14-2015 06:31 PM by

‎06-27-2013 10:45 PM - last edited on ‎04-14-2015 06:31 PM by

8212zl ACL Problem

We have a 8212zl connected to multiple 2910zl network switches.  We use the 8212zl as our core switch to perform all routing.  When I try to apply a ACL (access control list) on the 8212zl VLAN 226 to block all traffic except from iteself and VLAN 213, none of the traffic will block.  Here is an example of the ACL:

 

ip access-list standard "VLAN226IN"
5 permit 172.20.213.0 0.0.0.255
10 permit 172.20.226.0 0.0.0.255
15 deny 0.0.0.0 255.255.255.255
exit

 

The VLAN has the following configuration:

vlan 226
name "VLAN226"
tagged A5,Trk1
ip access-group "VLAN226IN" in
ip access-group "VLAN226IN" out
ip access-group "VLAN226IN" vlan
ip address 172.20.226.1 255.255.255.0
ip igmp
ip rip 172.20.226.1
exit

 

Does anyone have any ideas on what is happening?

 

 

P.S. This thread has been moved from Switches, Hubs, Modems (Legacy ITRC forum) to ProCurve / ProVision-Based. - Hp Forum Moderator

0 Kudos
5 REPLIES 5
Vince_Whirlwind
Trusted Contributor

‎06-27-2013 10:59 PM

‎06-27-2013 10:59 PM

Re: 8212zl ACL Problem

I htink you should have:

 

ip access-list standard "VLAN226IN"
5 permit 172.20.213.0 0.0.0.255 172.20.226.0 0.0.0.255
15 deny 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

 ip access-list standard "VLAN226OUT"
10 permit 172.20.226.0 0.0.0.255 0.0.0.0 255.255.255.255
15 deny 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

 

name "VLAN226"
ip access-group "VLAN226IN" out
ip access-group "VLAN226OUT" in

0 Kudos
airport_guy
Occasional Advisor

‎06-30-2013 03:57 PM

‎06-30-2013 03:57 PM

Re: 8212zl ACL Problem

Here is what I currently have.  All my other VLAN's can still talk to this VLAN for some reason.  I also tried applying VLAN226IN to in and VLAN226OUT to out and that did nothing as well.

 

p access-list extended "VLAN226IN"
5 permit ip 172.20.20.13 0.0.0.255 172.20.226.0 0.0.0.255
15 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
ip access-list extended "VLAN226OUT"
10 permit ip 172.20.226.0 0.0.0.255 0.0.0.0 255.255.255.255
15 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit

 

vlan 226
name "VLAN226"
tagged A5,Trk1
ip access-group "VLAN226OUT" in
ip access-group "VLAN226IN" out
ip address 172.20.226.1 255.255.255.0
ip igmp
ip rip 172.20.226.1

 

0 Kudos
Vince_Whirlwind
Trusted Contributor

‎06-30-2013 08:50 PM

‎06-30-2013 08:50 PM

Re: 8212zl ACL Problem

Do a traceroute. I wonder if your inter-VLAN routing has happened somewhere else?

0 Kudos
airport_guy
Occasional Advisor

‎06-30-2013 09:03 PM

‎06-30-2013 09:03 PM

Re: 8212zl ACL Problem

This is my output:

 

C:\Users\Administrator>ipconfig

 

Windows IP Configuration

 

Ethernet adapter Local Area Connection:

 

   Connection-specific DNS Suffix  . :   

   IPv4 Address. . . . . . . . . . . : 172.20.100.5   

   Subnet Mask . . . . . . . . . . . : 255.255.255.0   

   Default Gateway . . . . . . . . . : 172.20.100.1

 

Tunnel adapter Local Area Connection* 9:

 

   Media State . . . . . . . . . . . : Media disconnected   

   Connection-specific DNS Suffix  . :

 

C:\Users\Administrator>tracert 172.20.226.1

 

Tracing route to 172.20.226.1 over a maximum of 30 hops

 

  1     1 ms     1 ms     1 ms  172.20.226.1

 

Trace complete.

 

C:\Users\Administrator>

0 Kudos
Vince_Whirlwind
Trusted Contributor

‎06-30-2013 09:42 PM

‎06-30-2013 09:42 PM

Re: 8212zl ACL Problem

.1 is presumably the address on the core switch. How about tracerouting to something further in the .226 network?

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.