08-23-2011 03:44 AM
RACL difficulties
I have a few VLANs across a pair of 8212s and a 5412.
Specifically, I have a LAN VLAN, 23, and a server VLAN, 45, that I am trying to lock down to a few specific IPs.
So I can add a standard access list:
ip access-list standard "45-out"
10 permit 172.23.11.61 0.0.0.0
11 permit 172.23.11.82 0.0.0.0
and apply this to VLAN 45 on the way out:
vlan 45 ip access-group 45-out out
However, with this applied, VLAN 45 cannot see anything other than those 2 hosts.
What I would like is for VLAN 45 to be able to route anywhere, but only for some specific hosts to see machines on VLAN 45.
What am I missing?
Thanks for any help
Tom
09-04-2011 05:33 AM
Re: RACL difficulties
Hi Tom,
Let's see if I'm understanding your explanation right: I read your statement as saying that you want to allow all outbound access from VLAN 45, but only selected inbound access to VLAN 45. What you need to achieve this is a stateful firewall with connection tracking.
I haven't done this on my E5400s, but if my reading of the manual is correct, what you need to do is do filtering on the way in to VLAN 45, and allow those two IP addresses AND any established connections (using an extended ACL with the "established" flag). This means that connections that have already been initiated from VLAN 45 should pass.
I don't know how sophisticated the ProCurve connection tracking is - hopefully it will understand UDP and ICMP exchanges as well as the documented support of TCP connections.
Hope that helps.
Regards,
Paul
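To make the difference between the two approaches concrete, here is an added example (my own code, not from the thread or from HPE) that models how a stateless RACL evaluates the sample traffic. It assumes VLAN 45 lives on 172.23.45.0/24 (the thread does not say), uses a packet/entry format of my own rather than switch syntax, and gives "established" its usual meaning of "TCP segment with ACK or RST set".

```python
from ipaddress import ip_address, ip_network

VLAN45 = "172.23.45.0/24"  # assumed subnet for VLAN 45 (not given in the thread)

def matches(entry, p):
    """ACL entry = (proto, src_net, dst_net, established); p = packet dict."""
    proto, src, dst, established = entry
    if proto != "any" and proto != p["proto"]:
        return False
    if ip_address(p["src"]) not in ip_network(src) or ip_address(p["dst"]) not in ip_network(dst):
        return False
    if established:
        # "established" only means something for TCP: ACK or RST must be set,
        # which a bare SYN (a new connection attempt) never has.
        return p["proto"] == "tcp" and bool(p["flags"] & {"ACK", "RST"})
    return True

def evaluate(acl, p):
    """First matching entry wins; the implicit deny at the end catches the rest."""
    for action, entry in acl:
        if matches(entry, p):
            return action
    return "deny"

# The poster's standard ACL "45-out": source-address filtering only.
STANDARD_45_OUT = [
    ("permit", ("any", "172.23.11.61/32", "0.0.0.0/0", False)),
    ("permit", ("any", "172.23.11.82/32", "0.0.0.0/0", False)),
]
# Extended ACL along the lines of the reply: the two hosts, plus TCP replies
# to sessions that hosts on VLAN 45 opened themselves.
EXTENDED_45_OUT = [
    ("permit", ("any", "172.23.11.61/32", VLAN45, False)),
    ("permit", ("any", "172.23.11.82/32", VLAN45, False)),
    ("permit", ("tcp", "0.0.0.0/0", VLAN45, True)),
]
def pkt(proto, src, dst, *flags):
    return {"proto": proto, "src": src, "dst": dst, "flags": set(flags)}
# Constructed traffic, all heading toward hosts in VLAN 45.
TRAFFIC = {
    "allowed_host": pkt("tcp", "172.23.11.61", "172.23.45.10", "SYN"),
    "new_from_lan": pkt("tcp", "172.23.23.50", "172.23.45.10", "SYN"),
    "tcp_reply":    pkt("tcp", "172.23.23.50", "172.23.45.10", "ACK"),  # answer to a session VLAN 45 opened
    "udp_reply":    pkt("udp", "172.23.23.53", "172.23.45.10"),         # e.g. a DNS answer
}

def compare():
    """Verdict of (standard ACL, extended ACL) for each sample packet."""
    return {k: (evaluate(STANDARD_45_OUT, v), evaluate(EXTENDED_45_OUT, v)) for k, v in TRAFFIC.items()}
```

The "udp_reply" case stays denied under both ACLs, which is exactly the caveat above: "established" is a TCP flag check, so UDP and ICMP replies need their own explicit entries (or a real stateful firewall).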