Help with ACL on Procurve J8697A Switch 5406zl
02-03-2015 12:15 PM
After converting my network from a layer 2 flat network to layer 3, I noticed my inventory software (Track-IT) and my printer polling via SNMP stopped polling devices on the new VLANs.
I have a general understanding of ACLs: if I add an ACL to a VLAN, it changes from permit all to deny all besides what is defined by a rule. I have an ACL set up now for my public VLAN, albeit I'm sure it's not perfect, but it seems to work "mostly".
However, now I want SNMP to work across all my private VLANs, but I don't want to open up everything else or deny any broadcasts that are denied now by default. Can someone help me along the right path?
Current situation: with my current setup everything works A-OK. Clients can get to all their apps and servers on different VLANs. The only issue is no SNMP.
Here is my ACL for public:
ip access-list extended "109"
10 permit ip 10.99.0.0 0.0.255.255 10.1.1.198 0.0.0.0 log
11 permit ip 10.99.0.0 0.0.255.255 10.1.1.199 0.0.0.0 log
20 deny ip 10.99.0.0 0.0.255.255 10.0.0.0 0.255.255.255 log
30 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 log
exit
Here is a snippet of some of the other configuration:
vlan 11
name "Test"
ip helper-address 10.1.1.101
ip address 10.79.3.1 255.255.0.0
tagged D19,D24
exit
vlan 12
name "Test2"
ip helper-address 10.1.1.101
ip address 10.32.3.1 255.255.0.0
tagged D19,D24
exit
vlan 99
name "Public"
ip helper-address 10.99.0.1
ip address 10.99.3.1 255.255.0.0
tagged A5,A12,B3-B4,D19,D21-D24,Trk1-Trk2
ip access-group "109" in
ip access-group "109" out
exit
- Tags:
- ACLs
02-03-2015 03:30 PM
Re: Help with ACL on Procurve J8697A Switch 5406zl
Could you please spell out the source and destination IP addresses for each of the two polling functions?
Your ACL looks fine, but you should remove it from the VLAN interface in the "out" direction.
This "out" will be doing nothing.
("out" on VLAN99 means from other VLANs to VLAN99)
02-04-2015 05:42 AM
Re: Help with ACL on Procurve J8697A Switch 5406zl
I want to create an ACL that will allow SNMP to traverse across VLANs 1, 11, and 12. So my polling would be coming from 10.1.x.x, polling via SNMP something on 10.79.6.x or 10.32.6.x.
1. I wanted some clarity on how to create the ACL to just allow SNMP.
2. Should I do permit any so that it doesn't break anything that's working today?
3. Since the default rule with no ACL is to permit any, why does SNMP not work by default?
vlan 11
name "Test"
ip helper-address 10.1.1.101
ip address 10.79.3.1 255.255.0.0
tagged D19,D24
exit
vlan 12
name "Test2"
ip helper-address 10.1.1.101
ip address 10.32.3.1 255.255.0.0
tagged D19,D24
exit
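The three questions above come down to how an extended ACL is evaluated: first matching rule wins, the wildcard mask marks "don't care" bits, and an applied ACL ends with an implicit deny, while a VLAN with no ACL forwards everything. The Python below is an added illustration written for this page, not code from the thread or from HPE. It parses ACL "109" exactly as posted and evaluates sample flows against it, including a flow entering VLAN 99 from another VLAN (the "out" case the previous reply mentions) and an SNMP poll into VLAN 11, which has no ACL. The second ACL text, "snmp-only", is a constructed example of an SNMP-only policy for VLAN 11; its syntax mirrors the posted ACL and is an assumption to check against the switch's ACL guide, and because ACLs are stateless it needs a second rule for the replies coming back from UDP port 161. The hosts 10.99.5.20, 10.1.1.50, 10.79.6.10 and 203.0.113.9 are made up for the test flows.

```python
"""Offline model of how the extended ACLs in this thread are evaluated: first
matching rule wins, wildcard bit 1 means 'don't care', and every applied ACL
ends with an implicit 'deny ip any any'. Illustration only, not switch code."""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "seq action proto src sport dst dport log")
ANY = (0, 0xFFFFFFFF)          # 'any' == '0.0.0.0 255.255.255.255'

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _match(spec, addr):
    base, wild = spec          # (address, wildcard mask) as 32-bit ints
    return ((base ^ addr) & ~wild & 0xFFFFFFFF) == 0

def _take_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    if tokens[0] == "any":
        spec, rest = ANY, tokens[1:]
    elif tokens[0] == "host":
        spec, rest = (_ip(tokens[1]), 0), tokens[2:]
    else:
        spec, rest = (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]
    port = None
    if rest and rest[0] == "eq":
        port, rest = int(rest[1]), rest[2:]
    return spec, port, rest

def parse_acl(text):
    """Parse '<seq> permit|deny <proto> <src> [eq P] <dst> [eq P] [log]' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or not t[0].isdigit():      # skip 'ip access-list ...' / 'exit'
            continue
        src, sport, rest = _take_addr(t[3:])
        dst, dport, rest = _take_addr(rest)
        rules.append(Rule(int(t[0]), t[1], t[2], src, sport, dst, dport,
                          bool(rest) and rest[0] == "log"))
    return sorted(rules, key=lambda r: r.seq)

def evaluate(rules, src, dst, proto="ip", sport=None, dport=None):
    """(action, seq) of the first matching rule; ('deny', None) is the implicit
    deny. rules=None models a VLAN with no ACL, where everything is forwarded."""
    if rules is None:
        return "permit", None
    s, d = _ip(src), _ip(dst)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if not (_match(r.src, s) and _match(r.dst, d)):
            continue
        if r.sport is not None and r.sport != sport:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.seq
    return "deny", None

# ACL "109" exactly as posted in the thread.
ACL_109 = """
ip access-list extended "109"
10 permit ip 10.99.0.0 0.0.255.255 10.1.1.198 0.0.0.0 log
11 permit ip 10.99.0.0 0.0.255.255 10.1.1.199 0.0.0.0 log
20 deny ip 10.99.0.0 0.0.255.255 10.0.0.0 0.255.255.255 log
30 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 log
exit
"""

# Constructed example, not from the thread: only SNMP polling from the 10.1.0.0/16
# poller network into VLAN 11 (10.79.0.0/16). ACLs are stateless, so the reply
# (source port 161) needs its own rule. Syntax assumed to follow the posted ACL;
# verify against the switch's ACL guide before use.
ACL_SNMP_ONLY = """
ip access-list extended "snmp-only"
10 permit udp 10.1.0.0 0.0.255.255 10.79.0.0 0.0.255.255 eq 161
20 permit udp 10.79.0.0 0.0.255.255 eq 161 10.1.0.0 0.0.255.255
30 deny ip any any log
exit
"""

def demo():
    acl109, snmp = parse_acl(ACL_109), parse_acl(ACL_SNMP_ONLY)
    return {
        # public client (10.99.x.x) -> permitted server, another 10.x host, outside
        "public_to_198": evaluate(acl109, "10.99.5.20", "10.1.1.198"),
        "public_to_10x": evaluate(acl109, "10.99.5.20", "10.1.1.101"),
        "public_to_outside": evaluate(acl109, "10.99.5.20", "203.0.113.9"),
        # traffic into VLAN 99 from another VLAN has a non-10.99 source, so only
        # rule 30 can match: applying "109" in the 'out' direction changes nothing
        "server_to_public": evaluate(acl109, "10.1.1.198", "10.99.5.20"),
        # VLAN 11 has no ACL: the SNMP poll is forwarded, an ACL is not the blocker
        "poll_no_acl": evaluate(None, "10.1.1.50", "10.79.6.10", "udp", 50123, 161),
        # with the SNMP-only ACL: poll and reply pass, anything else is denied
        "poll_snmp_only": evaluate(snmp, "10.1.1.50", "10.79.6.10", "udp", 50123, 161),
        "reply_snmp_only": evaluate(snmp, "10.79.6.10", "10.1.1.50", "udp", 161, 50123),
        "rdp_snmp_only": evaluate(snmp, "10.1.1.50", "10.79.6.10", "tcp", 50124, 3389),
    }
```

Running `demo()` shows the poll to 10.79.6.10 is permitted with no ACL on VLAN 11, which answers question 3: the ACL is not what stops the poller. It also shows that the "snmp-only" policy denies everything that is not SNMP, so applying something like it to VLAN 11 or 12 would break the apps that work today unless each of them gets its own permit rule; the model only handles wildcard masks, not the `/len` notation.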
02-05-2015 12:33 PM
Re: Help with ACL on Procurve J8697A Switch 5406zl
Please assist me if my understanding is incorrect:
I believe this is what my issue was:
SNMP is a broadcast protocol when configured to discover devices on the "domain". All of the clients in question were part of the domain, just on different VLANs.
So the discovery would find everything on VLAN 1 but nothing on the other VLANs, because broadcast is limited to the local VLAN.
However, when manually entering the host range of the devices I wanted to discover (on another VLAN), it would find them.
So can I assume that SNMP discovery, unless configured to hunt an IP range, is a broadcast protocol, which would be blocked by the nature of VLANs?
02-05-2015 02:35 PM
Re: Help with ACL on Procurve J8697A Switch 5406zl
I don't believe that SNMP is a broadcast protocol. It can only discover devices if you identify them by IP or identify their subnets so it can scan through each IP looking for responses.