HPE Community
HPE Aruba Networking & ProVision-based
1820636 Members
1911 Online
109626 Solutions
New Discussion

Extended ACL's on Procurve 5400 series

 
jdixon
Frequent Advisor

‎06-02-2017 11:14 AM - edited ‎06-02-2017 11:18 AM

‎06-02-2017 11:14 AM - edited ‎06-02-2017 11:18 AM

Extended ACL's on Procurve 5400 series

I'm having a hard time understanding something with procurve and applying extended ACL's to VLANS. I'm applying them with the direction IN which I thought meant the ACL is applied to all packets coming IN to the VLAN. What I'm noticing though is I have to reverse the Source/Destination on the ACL.

Example:

ip access-list extended "CUST-Access-IN"
     502 deny ip 10.1.0.0 0.0.255.255 172.17.0.0 0.0.255.255 log
     503 deny ip 172.17.0.0 0.0.255.255 172.17.0.0 0.0.255.255 log
     600 remark "==== Allow All ==="
     601 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 log
   exit
vlan 2010
   name "VLAN2010"
   tagged F1-F2,F4,K1-K4,L1-L4,Trk50
   ip address 172.17.12.254 255.255.255.0
   ip access-group "CUST-Access-IN" in
   exit

Now VLAN 10 doesn't have any ACL. So when I try to communicate from VLAN 2010 (172.17.12.4) to VLAN 10 (10.1.0.2) it works just fine. Even though you can see the deny from SOURCE 10.1.0.0/16 to 172.17.0.0/16.

So if I change it around:

ip access-list extended "CUST-Access-IN"
     502 deny ip 172.17.0.0 0.0.255.255 10.1.0.0 0.0.255.255 log
     503 deny ip 172.17.0.0 0.0.255.255 172.17.0.0 0.0.255.255 log
     600 remark "==== Allow All ==="
     601 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 log
   exit

Then it finally blocked it when I telnet from 172.17.12.4 to 10.1.0.2 on port 88.

How come the source/destination is REVERSED in my mind?? If you look at wireshark you can see the Source/Destination and the ports. Yes, 172.17.0.0 should be able to hit 10.1.0.2 on port 88 but the traffic coming back shouldn't be allow in this example. It goes From 60214(random) -> 88 and then comes back 88 -> 60214 which should be blocked

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.