09-17-2013 10:45 AM - edited 09-29-2013 02:03 AM
Access list on 5460zl blocks nothing - solved
We have a 5406zl switch with software version K.15.09.0012. We want to block vlans with client devices that are not managed by the school. We have made the following access list for employees:
ip access-list extended "ACL-mdw_in"
20 permit tcp 0.0.0.0 255.255.255.255 10.2.0.0 0.0.0.3 eq 53
21 permit udp 0.0.0.0 255.255.255.255 10.2.0.0 0.0.0.3 eq 53
30 permit tcp 0.0.0.0 255.255.255.255 192.168.1.235 0.0.0.0 eq 80
40 permit tcp 0.0.0.0 255.255.255.255 192.168.1.233 0.0.0.0 eq 3389
100 deny ip 0.0.0.0 255.255.255.255 192.168.0.0 0.0.255.255
110 deny ip 0.0.0.0 255.255.255.255 172.16.0.0 0.15.255.255
120 deny ip 0.0.0.0 255.255.255.255 10.0.0.0 0.255.255.255
200 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
They have access to dns, webmail, a terminal server and the internet and no access to internal subnets.
We have a vlan for guests with the following access list:
ip access-list extended "Expeditie"
10 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
They have access to an Internet gateway only, which is located in the subnet itself. No access to the internal network. They use external DNS.
The vlan configuration looks like this:
vlan 748
name "Bedr-Gast"
tagged A2,A15,A21-A24,B20-B23,Trk1-Trk2
ip access-group "Expeditie" in
ip address 10.36.255.254 255.255.0.0
ip helper-address 10.2.0.2
exit
With a similar configuration for the employee vlan.
The access lists block nothing. We can ping internal systems such as domain controllers and make an RDP connection to them. We tried using the specific subnet of the vlan as source address instead of "any", but that made no difference. The access lists don't seem to work at all.
Is it a software bug or did we make a configuration mistake? We use this software version after trying several others, because we had (severe) throughput problems when routing across 2 hops. It did work when we implemented it.
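Before suspecting the switch, it helps to confirm what the posted ACL should do to a given flow. The following is an added example (not from the post and not HPE code) that applies ProVision extended-ACL semantics, first match in sequence order with wildcard masks (0 bit = must match, 1 bit = don't care) and an implicit deny when nothing matches, to the "ACL-mdw_in" and "Expeditie" entries above with constructed sample flows.

```python
import ipaddress

# The entries from the post, transcribed as
# (seq, action, proto, src, src_wildcard, dst, dst_wildcard, dst_port).
ACL_MDW_IN = [
    (20,  "permit", "tcp", "0.0.0.0", "255.255.255.255", "10.2.0.0",      "0.0.0.3",         53),
    (21,  "permit", "udp", "0.0.0.0", "255.255.255.255", "10.2.0.0",      "0.0.0.3",         53),
    (30,  "permit", "tcp", "0.0.0.0", "255.255.255.255", "192.168.1.235", "0.0.0.0",         80),
    (40,  "permit", "tcp", "0.0.0.0", "255.255.255.255", "192.168.1.233", "0.0.0.0",         3389),
    (100, "deny",   "ip",  "0.0.0.0", "255.255.255.255", "192.168.0.0",   "0.0.255.255",     None),
    (110, "deny",   "ip",  "0.0.0.0", "255.255.255.255", "172.16.0.0",    "0.15.255.255",    None),
    (120, "deny",   "ip",  "0.0.0.0", "255.255.255.255", "10.0.0.0",      "0.255.255.255",   None),
    (200, "permit", "ip",  "0.0.0.0", "255.255.255.255", "0.0.0.0",       "255.255.255.255", None),
]

# The guest ACL: a single deny-any entry.
ACL_EXPEDITIE = [
    (10, "deny", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", None),
]

def wildcard_match(addr, base, wildcard):
    """Wildcard-mask compare: only bits that are 0 in the wildcard must be equal."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, proto, src, dst, dst_port=None):
    """First-match evaluation in sequence order; returns (action, matching seq).
    'ip' entries match every protocol; no match means the implicit deny."""
    for seq, action, p, s, sw, d, dw, port in sorted(acl, key=lambda e: e[0]):
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)):
            continue
        if port is not None and port != dst_port:
            continue
        return action, seq
    return "deny", None

if __name__ == "__main__":
    # Constructed flows from an employee client at 10.20.0.15.
    print(evaluate(ACL_MDW_IN, "tcp", "10.20.0.15", "10.2.0.2", 53))         # permit, 20
    print(evaluate(ACL_MDW_IN, "tcp", "10.20.0.15", "192.168.1.233", 3389))  # permit, 40
    print(evaluate(ACL_MDW_IN, "icmp", "10.20.0.15", "192.168.1.10"))        # deny, 100
    print(evaluate(ACL_MDW_IN, "tcp", "10.20.0.15", "10.2.0.9", 3389))       # deny, 120
    print(evaluate(ACL_MDW_IN, "tcp", "10.20.0.15", "203.0.113.7", 443))     # permit, 200
    print(evaluate(ACL_EXPEDITIE, "tcp", "10.36.1.20", "203.0.113.7", 443))  # deny, 10
```

If the simulated verdict is "deny" but the real traffic gets through, the packets are not hitting the VLAN the ACL is applied to, which is exactly what the follow-up reply below found.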
09-19-2013 12:03 AM
Re: Access list on 5460zl blocks nothing
Change it to "out".
I've forgotten the logic, but the direction is the opposite of whatever seems logical.
09-29-2013 02:01 AM
Re: Access list on 5460zl blocks nothing
We found the cause of the problem.
We were connecting through a wireless network via an msm765 controller. It appeared that there was a single AP that was in a separate group. It had incorrect settings for the particular SSID/VSC. Although the egress vlan was correctly set, it was not enabled, so we ended up in the wrong vlan.