HPE Aruba Networking & ProVision-based

Applying VLAN ACL blocked access to permitted IP addresses

SHtan
Advisor


Hello all, first timer with Aruba 2930Fs. I have 14 IP addresses in a VLAN which are permitted to communicate with any other IP addresses. Now I need to block two of the IP addresses from receiving any incoming SSH connections.

I intentionally set explicit VACLs to permit access to these five IP addresses and deny any other connections.

These are the 14 IP addresses:

VLAN 10: 192.168.1.2/28, 192.168.1.3/28, 192.168.1.4/28, 192.168.1.5/28, 192.168.1.6/28 .... 192.168.1.15/28

This is where I am sitting:

VLAN 20: 192.168.1.66/29

I am using the Fortinet FW for InterVLAN routing. From my IP address on VLAN 200, I am able to ping/ssh to any of the fourteen IP addresses on VLAN 10.


I want to

1. allow my machine 192.168.1.66 to talk to 192.168.1.3, 192.168.1.4 and 192.168.1.5.

2. stop 192.168.1.2/28 and 192.168.1.6/28 (the rest of the IP addresses are currently unused) from talking to any of the IP addresses in VLAN 10 via SSH. So I've created the following VACL.

ip access-list extended "TEST VACL-001 Permit SSH 192.168.1.3 and 1.4 and 1.5"
  10 permit 192.168.1.66 0.0.0.0 192.168.1.3 0.0.0.0 eq 22 log
  20 permit 192.168.1.66 0.0.0.0 192.168.1.4 0.0.0.0 eq 22 log
  30 permit 192.168.1.66 0.0.0.0 192.168.1.5 0.0.0.0 eq 22 log
  40 deny 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 22 log


I noticed that after applying the VACL, I could not SSH into 192.168.1.4.

Any ideas/clues that I can use?

parnassus
Honored Contributor

Re: Applying VLAN ACL blocked access to permitted IP addresses

Hello @SHtan, is the Aruba 2930F switch acting as the IP router for the VLAN segments you want to segregate with ACLs? If not (and the IP router is your FortiGate firewall, while the Aruba 2930F switch acts as a Layer 2 extension of the FortiGate firewall), then you need to apply the ACLs on the current router, which is not the Aruba 2930F.

If the scenario is not as it can be understood from what you wrote, please do detail it so we can understand who is who and where the ACLs can be applied according to the IP routing.


I'm not an HPE Employee
SHtan
Advisor

Re: Applying VLAN ACL blocked access to permitted IP addresses

Hello there, @parnassus ! Thanks for getting back!

The Aruba 2930F is running purely as a L2 switch with routing performed by the Fortinet. The issue here is that the permitted IP addresses are Linux hosts with ordinary users logging in. I do not want them to ssh into the unpermitted hosts residing on the same VLAN.

The following IP address can SSH to any IP address in 192.168.1.0/28:

192.168.1.3

I want to block SSH from entering these IP addresses:

192.168.1.2, 192.168.1.6

I had initially placed the access-list into a VACL, which I found to be incorrect. The reason being, the VACL is applied to traffic entering the switch on the VLAN, whereas my issue here is about SSH traversing within the VLAN.

Thus I applied the following ACL on the IN interface (physical port) using "interface <port-list> ip access-group <identifier> in"

with

ip access-list extended "Deny SSH"
  10 deny tcp 192.168.1.3 0.0.0.0 192.168.1.2 0.0.0.0 eq 22 log
  20 deny tcp 192.168.1.3 0.0.0.0 192.168.1.6 0.0.0.0 eq 22 log
exit


I found that access from 192.168.1.3 to 192.168.1.2 and 192.168.1.6 was blocked totally, and not just limited to SSH.

How can I just block SSH?


Emil_G
HPE Pro
Solution

Re: Applying VLAN ACL blocked access to permitted IP addresses

Hello

Every ACL has an implicit deny rule at the end which denies all the traffic not matched by the explicit rules. So you have in essence 3 deny rules in "Deny SSH" and nothing is permitted.

In order to override this you have to add a new rule at the end permitting all the IP traffic. Set it with a high sequence number so that you can enter more rules in between if necessary.

70 permit ip any any

I am an HPE employee

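One way to check what an ACL like this will actually do before it is applied to a port, as an added example that is not from this thread or from HPE: a small first-match evaluator in Python for the ACE syntax quoted above, ending in the same implicit deny. The parser and the helper names are assumptions made for this illustration; it models only the protocol, wildcard-masked source/destination addresses and a destination "eq" port, which is all the "Deny SSH" list uses.

```python
import ipaddress
from collections import namedtuple

# seq, permit/deny, protocol ("ip" matches everything), (addr, wildcard) pairs, "eq" port or None
Ace = namedtuple("Ace", "seq action proto src dst dport")

def _addr(tok, i):
    """Read a source/destination spec: 'any', 'host A', or 'A WILDCARD'."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def parse_ace(line):
    """Parse one ACE as written on the page, e.g.
    '10 deny tcp 192.168.1.3 0.0.0.0 192.168.1.2 0.0.0.0 eq 22 log'."""
    tok = line.split()
    src, i = _addr(tok, 3)
    dst, i = _addr(tok, i)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Ace(int(tok[0]), tok[1], tok[2], src, dst, dport)

def _match(spec, ip):
    """Wildcard-mask compare: 1-bits in the mask are don't-care bits."""
    a, w, x = (int(ipaddress.IPv4Address(v)) for v in (spec[0], spec[1], ip))
    return (a & ~w) == (x & ~w)

def evaluate(acl, src, dst, proto, dport=None):
    """First matching ACE wins. Returns (action, seq); seq is None when no
    ACE matched and the implicit deny at the end of the ACL applied."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.proto not in ("ip", proto):
            continue
        if not (_match(ace.src, src) and _match(ace.dst, dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.seq
    return "deny", None

# The "Deny SSH" list from the thread, and the same list with the fix appended.
DENY_SSH = [parse_ace(l) for l in (
    "10 deny tcp 192.168.1.3 0.0.0.0 192.168.1.2 0.0.0.0 eq 22 log",
    "20 deny tcp 192.168.1.3 0.0.0.0 192.168.1.6 0.0.0.0 eq 22 log")]
FIXED = DENY_SSH + [parse_ace("70 permit ip any any")]
```

Evaluating an ICMP echo from 192.168.1.3 to 192.168.1.2 against DENY_SSH returns ("deny", None), i.e. the implicit deny, while against FIXED it returns ("permit", 70) and SSH to the same host still hits rule 10.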


SHtan
Advisor

Re: Applying VLAN ACL blocked access to permitted IP addresses

This worked - Thanks!