HPE Aruba Networking & ProVision-based
ACL to deny IP access from Vlan to dest. Host

aaronjau
Visitor

ACL to deny IP access from Vlan to dest. Host

Dear all,

I have a question about setting up an ACL on 5412zl VRRP core switches.

Requirement:

Block all Windows clients from Vlan60 from accessing host 192.168.50.126 (which is connected to Core1 port C19).

 

Configuration:

Core1 (default gateway 10.20.0.1 255.255.255.255)
Default Vlan 1 - 10.0.0.254
Vlan 50 - IP address 192.168.50.254
Vlan 60 - IP address 192.168.60.254
Vlan 70 - IP address 192.168.70.254

Core2 (default gateway 10.20.0.1 255.255.255.255)
Default Vlan 1 - 10.0.0.253
Vlan 50 - IP address 192.168.50.253
Vlan 60 - IP address 192.168.60.253
Vlan 70 - IP address 192.168.70.253

Test / Result:

1.) Create a standard ACL "Deny-60"
ip access-list standard "Deny-60"
10    deny 192.168.60.0 0.0.0.255
20    permit any
exit

Assigned to interface C19
Result: denies all incoming packets (all VLANs) to the destination port.
Result: after adding line 20, traffic returns to normal and all incoming packets (all VLANs) to the destination port are allowed.

2.) Create an extended ACL "Deny-V60"
ip access-list extended "Deny-V60"
10    deny ip 192.168.60.0 0.0.0.255 192.168.50.126 0.0.0.0
20    permit ip any any
exit

Assigned to Vlan 50 (Vlan 50 ip access-group Deny-V60 in)
Result: denies all incoming packets (all VLANs) to all hosts under Vlan 50.
Result: after adding line 20, traffic returns to normal and all incoming packets (all VLANs) to all hosts under Vlan 50 are allowed.

Assigned to Vlan 60 (Vlan 60 ip access-group Deny-V60 out)
Result: denies all in/out packets from the Vlan 60 segment to any host.
Result: after adding line 20, traffic returns to normal and all in/out packets from Vlan 60 are allowed.

We have no idea how to set up the ACL any more!!!
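The following is an added illustration, not part of the original post: a small first-match ACL evaluator that models the implicit "deny any" at the end of a ProVision-style ACL, using the Deny-V60 entries from the post and constructed sample packets. It assumes the usual wildcard-mask semantics (a 0 bit in the mask must match, a 1 bit is ignored) and a hypothetical helper name `check_flows`.

```python
# Added example: simulate first-match evaluation of the "Deny-V60" ACL
# from the post, with and without line 20 "permit ip any any".
# The sample packet flows below are constructed for illustration.
import ipaddress
from typing import Dict, List, Tuple

# An ACE is (action, src_addr, src_wildcard, dst_addr, dst_wildcard).
# Wildcard bit 0 = "must match", wildcard bit 1 = "don't care" (assumed).
ACE = Tuple[str, str, str, str, str]

ANY = ("0.0.0.0", "255.255.255.255")


def _wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under the given wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)


def evaluate(acl: List[ACE], src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for a src->dst packet.

    First matching ACE wins; a packet matching no ACE hits the implicit
    'deny any' at the end of the list, which is why an ACL consisting of
    only a deny line blocks everything.
    """
    for action, s_base, s_wc, d_base, d_wc in acl:
        if _wildcard_match(src, s_base, s_wc) and _wildcard_match(dst, d_base, d_wc):
            return action
    return "deny"  # implicit deny any any


# Line 10 only, as in the first attempt described in the post.
DENY_V60_LINE10_ONLY: List[ACE] = [
    ("deny", "192.168.60.0", "0.0.0.255", "192.168.50.126", "0.0.0.0"),
]
# Line 10 followed by line 20 "permit ip any any".
DENY_V60: List[ACE] = DENY_V60_LINE10_ONLY + [("permit", *ANY, *ANY)]


def check_flows(acl: List[ACE]) -> Dict[str, str]:
    """Evaluate a few constructed flows against an ACL (hypothetical helper)."""
    flows = {
        "vlan60 -> blocked host": ("192.168.60.10", "192.168.50.126"),
        "vlan60 -> other vlan50 host": ("192.168.60.10", "192.168.50.10"),
        "vlan70 -> blocked host": ("192.168.70.5", "192.168.50.126"),
    }
    return {name: evaluate(acl, s, d) for name, (s, d) in flows.items()}
```

Without line 20 every flow returns "deny", matching the "deny all" result reported above; with line 20 only the Vlan60-to-192.168.50.126 flow is denied.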
Gerhard Roets
Esteemed Contributor

Re: ACL to deny IP access from Vlan to dest. Host

Hi Aaron

1). In which direction did you apply the ACL? In or out?

2). For this one:

Assigned to Vlan 50 (Vlan 50 ip access-group Deny-V60 in)
Result: denies all incoming packets (all VLANs) to all hosts under Vlan 50. Result: after adding line 20, traffic returns to normal and all incoming packets (all VLANs) to all hosts under Vlan 50 are allowed.

-- Try the outbound direction, since your ACL reads "deny 60 to 50, permit".

Assigned to Vlan 60 (Vlan 60 ip access-group Deny-V60 out)
Result: denies all in/out packets from the Vlan 60 segment to any host.
Result: after adding line 20, traffic returns to normal and all in/out packets from Vlan 60 are allowed.

-- Try the inbound direction, since your ACL reads "deny 60 to 50, permit".

HTH

Gerhard

aaronjau
Visitor

Re: ACL to deny IP access from Vlan to dest. Host

Hi Gerhard,

Thanks for your reply!

Did you mean I need to apply it in both the in and out directions on Vlan 50 & Vlan 60?

Like this?

vlan 50
   name "VLAN50"
   untagged A2-A13,A17-A19,A21-A24,B2-B13,B17-B19,B22-B23,C1-C4,C7-C13,C17-C19,C21,C23,K3-K4,Trk21
   ip address 192.168.50.254 255.255.255.0
   tagged C20,Trk1-Trk5,Trk8,Trk10,Trk13-Trk14
   jumbo
   ip access-group Deny-V60 in
   ip access-group Deny-V60 out
   exit
vlan 60
   name "VLAN60"
   untagged A20
   ip helper-address 192.168.50.200
   ip helper-address 192.168.50.201
   ip address 192.168.60.254 255.255.255.0
   tagged C20,Trk1-Trk2,Trk5,Trk8,Trk10
   jumbo
   ip access-group Deny-V60 in
   ip access-group Deny-V60 out
   exit

Thanks

Aaron

Gerhard Roets
Esteemed Contributor

Re: ACL to deny IP access from Vlan to dest. Host

Hi Aaron

You can either

1). Apply it on vlan 50 in the outbound direction

2). Apply it on vlan 60 in the inbound direction

Or you can do both 1 and 2.

HTH

Gerhard

aaronjau
Visitor

Re: ACL to deny IP access from Vlan to dest. Host

Hi Gerhard,

I tried both ways, either on Vlan50 or on Vlan60.

1). Apply it on vlan 50 in the outbound direction

Result: any host can access any VLAN; there seems to be no filter!

2). Apply it on vlan 60 in the inbound direction

Result: no host can access Vlan60, and no host under Vlan60 can access any VLAN, but they can ping the gateway (192.168.60.254).

Actually, I just want to filter those Windows clients from Vlan60 from accessing some hosts in Vlan 50, but the setting causes either permit all or deny all.

Could someone help!!

Gerhard Roets
Esteemed Contributor

Re: ACL to deny IP access from Vlan to dest. Host

Hi Aaron

You have to do it on both switches. I assume the switches are running VRRP. Your clients are pointing at the virtual IP address.

HTH

Gerhard


aaronjau
Visitor

Re: ACL to deny IP access from Vlan to dest. Host

Yes, we have two 5412zl as core switches running VRRP, and those clients point at the virtual IP (192.168.xx.254).

But I tried to run the same ACL on a standalone 3500yl-48G switch with IP routing to simulate the 5412zl core configuration for testing, and the result is the same.

Thanks!

Aaron Jau