
ACL's on procurve 3500 & 5412 switches

 
SOLVED
Jazon
Advisor

ACL's on procurve 3500 & 5412 switches

Can you please indicate how I would isolate a vlan using ACL's that contains development servers from all hosts and vlans on the network except from a small number of development engineers?

P.S. This thread has been moved from Switches, Hubs, Modems (Legacy ITRC forum) to ProCurve / ProVision-Based. - HP Forum moderator

Mohammed Faiz
Honored Contributor
Solution

Re: ACL's on procurve 3500 & 5412 switches

That's fairly straight forward, you'd create an ACL on the router that holds the gateway address for the development vlan.

# ip access-list extended "DevNet"

Then create a rule to allow access for the development engineers.

# permit ip ENG_SUBNET/MASK any

You can either allow a subnet as in the example above or a list of individual addresses like this:

# permit ip host IP_1 any
# permit ip host IP_2 any

There is an implicit deny at the end of your ACL so that's all you need to do there.

Then apply the ACL to the vlan :

# vlan DEV_VLAN ip access-group DevNet out

The direction is applied with respect to the router so applying in "out" on the DEV_VLAN restricts packets inbound to that VLAN.

Check your ACL with the command:

# sh access-list DevNet
Jazon
Advisor

Re: ACL's on procurve 3500 & 5412 switches

Thanks for the advice, I'll give that a try. I couldn't get it working before as I think I was applying 'in' on the dev_vlan. Cheers
Mohammed Faiz
Honored Contributor

Re: ACL's on procurve 3500 & 5412 switches

In that case just post your current config and we can play spot the mistake :) (also save me typing which is always nice ;) )
Jazon
Advisor

Re: ACL's on procurve 3500 & 5412 switches

Hi,

I have a test host in the admin vlan (172.18.1.249) that is still able to ping the Dev_Test vlan, even with the ACL in place as below.

I have a host in the Dev_Test vlan (172.21.1.1), which I've allowed access in the ACL as a test.
__________________________

J8692A Configuration Editor; Created on release #K.13.63

hostname "Test"
snmp-server contact
snmp-server location
ip access-list extended "100"
10 remark "Dev_Test"
10 permit ip 172.21.1.1 0.0.0.0 0.0.0.0 255.255.255.255
exit
ip access-list connection-rate-filter "Dev_Test"
exit
module 1 type J86xxA
ip default-gateway 172.16.0.1
snmp-server community "R4nD0m" Unrestricted
snmp-server host 172.19.1.16 "R4nD0m" All
snmp-server host 172.19.1.16 "public"
vlan 1
name "management"
untagged 2-22,24
ip address 172.16.6.249 255.255.0.0
no untagged 1,23
exit
vlan 3
name "admin_net"
untagged 1
ip address 172.18.0.1 255.255.0.0
exit
vlan 4
name "academic_net"
no ip address
exit
vlan 5
name "services_net"
no ip address
exit
vlan 21
name "Dev_Test"
untagged 23
ip address 172.21.0.1 255.255.0.0
ip access-group "Dev_Test" out
exit
no ip ssh
__________________________

Gateway Config:

Vlan

admin_net - 172.18.0.1 255.255.0.0
academic_net - Disabled
services_net - Disabled
Dev_Test - 172.21.0.1 255.255.0.0
Jazon
Advisor

Re: ACL's on procurve 3500 & 5412 switches

I've just amended the ACL again, to allow two hosts, 172.18.1.249 & 172.21.1.1. These can both ping each other, but even when I change the laptop to 172.18.1.250, it can still ping the 172.21.1.1 address even though it should be caught in the deny all in the ACL?
Mohammed Faiz
Honored Contributor

Re: ACL's on procurve 3500 & 5412 switches

Ok, so the issue there is that your directions are slightly confused.
If you want to restrict what IPs can talk _in_ to that VLAN then you apply the ACL "out", as you have done.
However your ACL now isn't correct as you're saying :

permit ip 172.21.1.1 0.0.0.0 0.0.0.0 255.255.255.255

which is, allow a source IP of 172.21.1.1 to talk to a destination host of any IP address.

Change the ACL to :

permit ip 172.18.1.249 0.0.0.0 0.0.0.0 255.255.255.255

and 172.18.1.249 should be able to ping 172.21.1.1 but 172.18.1.250 should not.
Jazon
Advisor

Re: ACL's on procurve 3500 & 5412 switches

That's odd. I've made the change as suggested, but my admin host can still talk to 172.21.1.1 even when I change the IP to 172.18.1.250? Config :

hostname "Test"
snmp-server contact
snmp-server location
ip access-list extended "100"
10 remark "dev_test"
10 permit ip 172.18.1.249 0.0.0.0 0.0.0.0 255.255.255.255
exit
ip access-list connection-rate-filter "dev_test"
exit
module 1 type J86xxA
ip default-gateway 172.16.0.1
ip routing
snmp-server community "R4nD0m" Unrestricted
snmp-server host 172.19.1.16 "R4nD0m" All
snmp-server host 172.19.1.16 "public"
vlan 1
name "management"
untagged 2-22,24
ip address 172.16.6.249 255.255.0.0
no untagged 1,23
exit
vlan 3
name "admin_net"
untagged 1
ip address 172.18.0.1 255.255.0.0
exit
vlan 4
name "academic_net"
no ip address
exit
vlan 5
name "services_net"
no ip address
exit
vlan 21
name "Dev_Test"
untagged 23
ip address 172.21.0.1 255.255.0.0
ip access-group "dev_test" out
exit
no ip ssh
management-vlan 1
Mohammed Faiz
Honored Contributor

Re: ACL's on procurve 3500 & 5412 switches

Ah, should have spotted that, you've called your ACL "100" but applied an acl to the vlan called "dev_test" :)
Jazon
Advisor

Re: ACL's on procurve 3500 & 5412 switches

Thanks for your help on this. Well spotted, it was what you suspected in your last reply :-) Works fine now, Cheers
Jazon
Advisor

Re: ACL's on procurve 3500 & 5412 switches

Hi.

I am having issues with a client within the development vlan trying to access the web.

I have tried adding the 'eq 80' on the access list, but still no access.

Will I need to use the 'In' instead of 'Out' at the end of the statement?

Thanks
Mohammed Faiz
Honored Contributor

Re: ACL's on procurve 3500 & 5412 switches

Could you post up your ACL as it stands at the moment?
If you want your development network machines to be able to access the internet then yes, it will be easier if you reverse the direction of your ACL.
In that case your ACL would read like this:

- deny access to unwanted subnets on your network
- allow access to anything else
- (implicit deny all)

You'd then apply this in the "inbound" direction on your vlan.
Jazon
Advisor

Re: ACL's on procurve 3500 & 5412 switches

Hi there.

Below is the config. Basically, I need one client within the Dev_Vlan to be able to get out onto the web (172.21.1.1)
------------
Running configuration:

; J8698A Configuration Editor; Created on release #K.13.63

hostname "Core Switch"
snmp-server contact "ITSS"
snmp-server location "A Block"
exit
ip access-list extended "Dev_Vlan"
10 permit ip 172.21.1.0 0.0.0.255 0.0.0.0 255.255.255.255
30 permit ip 172.18.1.176 (client) 0.0.0.0 0.0.0.0 255.255.255.255
40 permit ip 172.18.1.249 (client) 0.0.0.0 0.0.0.0 255.255.255.255
50 permit ip 172.18.1.63 (client) 0.0.0.0 0.0.0.0 255.255.255.255
60 permit ip 172.17.0.5 (firewall) 0.0.0.0 0.0.0.0 255.255.255.255
exit
vlan 21
name "Dev_Vlan"
ip address 172.21.0.1 255.255.255.240
ip access-group "Dev_Vlan" out
exit
Core Switch(config)#
---------------------------
Mohammed Faiz
Honored Contributor

Re: ACL's on procurve 3500 & 5412 switches

Allowing access to the internet for certain hosts is tricky with ACLs and it's usually best to use an inbound control instead (i.e. restrict what the dev subnet hosts can talk out to).

So you can either have an 'inbound' ACL like I mentioned above:

- deny access from any host to unwanted subnets on your network
- allow access from any host to anything else
- (implicit deny all)

or you could have

- allow access from any host to 172.18.1.176
- allow access from any host to 172.18.1.249
- allow access from any host to 172.18.1.63
- allow access from 172.21.1.1 to any host on port 80
- (implicit deny all)

Either of those ACLs would then be applied in the "inbound" direction.
Jazon
Advisor

Re: ACL's on procurve 3500 & 5412 switches

Hi. Thanks for the response.

Here is what I have configured:

Does this look correct?

ip access-list extended "Dev_Vlan"
10 permit ip 0.0.0.0 255.255.255.255 172.18.1.176 0.0.0.0
20 permit ip 0.0.0.0 255.255.255.255 172.18.1.249 0.0.0.0
30 permit ip 0.0.0.0 255.255.255.255 172.18.1.63 0.0.0.0
40 permit ip 0.0.0.0 255.255.255.255 172.21.1.0 0.0.0.255
50 permit tcp 172.21.1.1 0.0.0.0 0.0.0.0 255.255.255.255 eq 80
exit

vlan 21
name "Dev_Vlan"
ip address 172.21.0.1 255.255.255.240
tagged F10
ip access-group "Dev_Vlan" in
exit
Mohammed Faiz
Honored Contributor

Re: ACL's on procurve 3500 & 5412 switches

All looks ok, just remember that port 80 only gives the host basic web access so HTTPS etc will not work.
Jazon
Advisor

Re: ACL's on procurve 3500 & 5412 switches

Hi. Thanks for that.

I've added an additional line in for 443.

Regards

Jason
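The points worked through above (wildcard masks and which column is source versus destination, "in" versus "out" being relative to the router, the implicit deny, an access-group that names an ACL which was never defined, and HTTP-only web access until a 443 line is added) as an added example; this is not code from the thread or from HPE, but a small Python simulator of a ProCurve-style extended ACL on routed VLAN interfaces. Assumptions: the rule syntax is the one posted in this thread plus the `host`, `any` and `A/prefix` forms; the Dev VLAN subnet is taken as 172.21.0.0/16 from the earlier posted config, because the 255.255.255.240 mask in the later config does not contain the client 172.21.1.1; and an access-group that names an undefined ACL filters nothing, which is consistent with what Jazon observed. The 203.0.113.10 "internet" address is a constructed sample.

```python
"""Constructed simulator of ProCurve-style extended ACLs on routed VLANs (not HPE code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; otherwise tcp/udp/icmp
    src: str
    src_wc: str                  # wildcard mask: 0 bits must match, 1 bits are ignored
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # destination port from a trailing "eq N"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None


def _take_addr(tokens: List[str]) -> Tuple[str, str, List[str]]:
    """Consume one address spec: 'any', 'host A', 'A/prefix' or 'A WILDCARD'."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if "/" in tokens[0]:
        net = ipaddress.ip_network(tokens[0], strict=False)
        return str(net.network_address), str(net.hostmask), tokens[1:]
    return tokens[0], tokens[1], tokens[2:]


def parse_entry(line: str) -> Entry:
    """Parse one line such as '50 permit tcp 172.21.1.1 0.0.0.0 0.0.0.0 255.255.255.255 eq 80'."""
    tokens = line.split()
    if tokens[0].isdigit():          # optional sequence number
        tokens = tokens[1:]
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, src_wc, rest = _take_addr(rest)
    dst, dst_wc, rest = _take_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return Entry(action, proto, src, src_wc, dst, dst_wc, dport)


def _wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def evaluate_acl(entries: List[Entry], pkt: Packet) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_wildcard_match(pkt.src, e.src, e.src_wc)
                and _wildcard_match(pkt.dst, e.dst, e.dst_wc)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


Vlans = Dict[int, Tuple[str, Dict[str, str]]]   # vlan id -> (subnet, {"in"/"out": acl name})


def route(pkt: Packet, vlans: Vlans, acls: Dict[str, List[Entry]]) -> str:
    """A routed packet meets the 'in' ACL of its source VLAN, then the 'out' ACL of its
    destination VLAN (directions relative to the router, as explained in the thread).
    Assumption: an access-group naming an ACL that was never defined filters nothing."""
    def vlan_for(ip: str) -> Optional[int]:
        for vid, (cidr, _) in vlans.items():
            if ipaddress.ip_address(ip) in ipaddress.ip_network(cidr):
                return vid
        return None                   # off-net, e.g. the internet via the default route

    for vid, direction in ((vlan_for(pkt.src), "in"), (vlan_for(pkt.dst), "out")):
        if vid is None:
            continue
        name = vlans[vid][1].get(direction)
        if name is None or name not in acls:
            continue
        if evaluate_acl(acls[name], pkt) == "deny":
            return "deny"
    return "permit"


# --- Scenarios constructed from the configs posted in this thread --------------------
ADMIN, DEV = "172.18.0.0/16", "172.21.0.0/16"   # /16 so that 172.21.1.1 is inside the Dev VLAN
ACL_SRC_DEV = [parse_entry("10 permit ip 172.21.1.1 0.0.0.0 0.0.0.0 255.255.255.255")]
ACL_100 = [parse_entry("10 permit ip 172.18.1.249 0.0.0.0 0.0.0.0 255.255.255.255")]
ACL_DEV_IN = [parse_entry(l) for l in (
    "10 permit ip 0.0.0.0 255.255.255.255 172.18.1.176 0.0.0.0",
    "20 permit ip 0.0.0.0 255.255.255.255 172.18.1.249 0.0.0.0",
    "30 permit ip 0.0.0.0 255.255.255.255 172.18.1.63 0.0.0.0",
    "40 permit ip 0.0.0.0 255.255.255.255 172.21.1.0 0.0.0.255",
    "50 permit tcp 172.21.1.1 0.0.0.0 0.0.0.0 255.255.255.255 eq 80",
)]
ACL_DEV_IN_443 = ACL_DEV_IN + [parse_entry("60 permit tcp host 172.21.1.1 any eq 443")]


def outbound_acl(name_applied: str, acls: Dict[str, List[Entry]], src: str) -> str:
    """Ping from an admin-vlan host to 172.21.1.1 through an 'out' ACL on the Dev VLAN."""
    vlans = {3: (ADMIN, {}), 21: (DEV, {"out": name_applied})}
    return route(Packet(src, "172.21.1.1", "icmp"), vlans, acls)


def inbound_acl(acl: List[Entry], src: str, dst: str, proto: str = "ip", dport=None) -> str:
    """Traffic leaving the Dev VLAN through the later 'in' ACL."""
    vlans = {3: (ADMIN, {}), 21: (DEV, {"in": "Dev_Vlan"})}
    return route(Packet(src, dst, proto, dport), vlans, {"Dev_Vlan": acl})


if __name__ == "__main__":
    print("ACL named 100 but 'dev_test' applied, .250 pings dev:",
          outbound_acl("dev_test", {"100": ACL_100}, "172.18.1.250"))
    print("dev client HTTPS before the 443 line:",
          inbound_acl(ACL_DEV_IN, "172.21.1.1", "203.0.113.10", "tcp", 443))
```

Running it reproduces the thread: with the access-group pointing at the undefined name "dev_test" the simulator permits the ping from 172.18.1.250, once "100" is applied only 172.18.1.249 gets through, the first ACL with 172.21.1.1 in the source column blocks even the allowed engineer, and the inbound ACL permits TCP 80 from 172.21.1.1 but denies 443 until line 60 is present.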
klysiak
New Member

Re: ACL's on procurve 3500 & 5412 switches

I have the following issue:

The configuration is as follows:

ip access-list standard v1_in
permit 10.10.2.1/24
exit
vlan 1
ip address 10.10.254.1
untagged A24
ip access-group v1_in out
exit
vlan 2
ip address 10.10.2.1
untagged a23
exit
vlan 3
ip address 10.10.3.1
untagged a22
exit

In this configuration only vlan 2 clients can communicate with vlan 1. But there is one exception. All vlans can communicate with 10.10.254.1.

Is it ok?