- Community Home
- >
- Networking
- >
- Legacy
- >
- Switches, Hubs, Modems
- >
- ACL with 2610 switch
Switches, Hubs, and Modems
1824169
Members
3398
Online
109669
Solutions
Forums
Categories
Company
Local Language
юдл
back
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Forums
Discussions
Discussions
Discussions
Forums
Forums
Discussions
юдл
back
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Blogs
Information
Community
Resources
Community Language
Language
Forums
Blogs
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО10-29-2008 12:20 PM
тАО10-29-2008 12:20 PM
ACL with 2610 switch
Hello,
This is my first ACL work and i'm a little confuse ....
Routing is active on my Procurve 2610.
I've got 4 VLAN :
Default_vlan : 192.168.1.0 (router adress : 192.168.1.253)
VLAN1 : 192.168.2.0 (192.168.2.253)
VLAN3 : 192.168.3.0 (192.168.3.253)
VLAN4 : 192.168.4.0 (192.168.4.253)
I wrote those lines :
no ip access-list extended 102
no ip access-list extended 103
no ip access-list extended 104
;---------------------------------------------
;Extended named ACL for Vlan 2
;------------------------------
ip access-list extended "102"
; blocking VLAN 3 and 4 going to Vlan 2
deny ip 192.168.3.0 0.255.255.255 192.168.2.0 0.255.255.255
deny ip 192.168.4.0 0.255.255.255 192.168.2.0 0.255.255.255
; Permiting all other traffic
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
;Extended named ACL for Vlan 3
;------------------------------
ip access-list extended "103"
; blocking VLAN 2 and 4 going to Vlan 3
deny ip 192.168.2.0 0.255.255.255 192.168.3.0 0.255.255.255
deny ip 192.168.4.0 0.255.255.255 192.168.3.0 0.255.255.255
; Permiting all other traffic
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
;Extended named ACL for Vlan 4
;------------------------------
ip access-list extended "104"
; blocking VLAN 2 and 3 going to Vlan 4
deny ip 192.168.2.0 0.255.255.255 192.168.4.0 0.255.255.255
deny ip 192.168.3.0 0.255.255.255 192.168.4.0 0.255.255.255
; Permiting all other traffic
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
Applied ACL to ports corresponding to VLANs.
I want VLAN2 - 3 - 4 can see VLAN1
But VLAN 2 3 and 4 not see each other
Can someone help me writing those ACL ? I read again and again the Access Security Guide and try lots of thing without a good result.
When I apply ACLs every VLAN can't see anyone.
But DHCP work (adress-helper -> 192.168.1.10)
Sorry for my english : i'm french.
Regards,
Cyril
This is my first ACL work and i'm a little confuse ....
Routing is active on my Procurve 2610.
I've got 4 VLAN :
Default_vlan : 192.168.1.0 (router adress : 192.168.1.253)
VLAN1 : 192.168.2.0 (192.168.2.253)
VLAN3 : 192.168.3.0 (192.168.3.253)
VLAN4 : 192.168.4.0 (192.168.4.253)
I wrote those lines :
no ip access-list extended 102
no ip access-list extended 103
no ip access-list extended 104
;---------------------------------------------
;Extended named ACL for Vlan 2
;------------------------------
ip access-list extended "102"
; blocking VLAN 3 and 4 going to Vlan 2
deny ip 192.168.3.0 0.255.255.255 192.168.2.0 0.255.255.255
deny ip 192.168.4.0 0.255.255.255 192.168.2.0 0.255.255.255
; Permiting all other traffic
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
;Extended named ACL for Vlan 3
;------------------------------
ip access-list extended "103"
; blocking VLAN 2 and 4 going to Vlan 3
deny ip 192.168.2.0 0.255.255.255 192.168.3.0 0.255.255.255
deny ip 192.168.4.0 0.255.255.255 192.168.3.0 0.255.255.255
; Permiting all other traffic
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
;Extended named ACL for Vlan 4
;------------------------------
ip access-list extended "104"
; blocking VLAN 2 and 3 going to Vlan 4
deny ip 192.168.2.0 0.255.255.255 192.168.4.0 0.255.255.255
deny ip 192.168.3.0 0.255.255.255 192.168.4.0 0.255.255.255
; Permiting all other traffic
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
Applied ACL to ports corresponding to VLANs.
I want VLAN2 - 3 - 4 can see VLAN1
But VLAN 2 3 and 4 not see each other
Can someone help me writing those ACL ? I read again and again the Access Security Guide and try lots of thing without a good result.
When I apply ACLs every VLAN can't see anyone.
But DHCP work (adress-helper -> 192.168.1.10)
Sorry for my english : i'm french.
Regards,
Cyril
7 REPLIES 7
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО10-30-2008 12:17 AM
тАО10-30-2008 12:17 AM
Re: ACL with 2610 switch
are you sure procurve uses "reverse" subnetmasks 0.255.255.255 ?
i'd expect normal masks of 255.0.0.0.
(in the whole config)
Pieter
i'd expect normal masks of 255.0.0.0.
(in the whole config)
Pieter
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО10-30-2008 12:45 AM
тАО10-30-2008 12:45 AM
Re: ACL with 2610 switch
I looked up the guide, yes in the acl revers-mask is used.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО10-30-2008 12:58 AM
тАО10-30-2008 12:58 AM
Re: ACL with 2610 switch
hi
please send me sh run print
please send me sh run print
cenk
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО10-30-2008 01:15 AM
тАО10-30-2008 01:15 AM
Re: ACL with 2610 switch
first : your masks 0.255.255.255 must be changed in 0.0.0.255
second
instead of explicit deny followed by permit any.
I would chose to use rules to permit the trafic you need.
when using acls, an implicit "deny any" is always included at the end of the acl even if not registered as a line in the acl.
with explicyt deny, when a vlan is added, you need to modify all acl's
with explit permit you only add a new acl for the new vlan, existing acl's stay untouched
second
instead of explicit deny followed by permit any.
I would chose to use rules to permit the trafic you need.
when using acls, an implicit "deny any" is always included at the end of the acl even if not registered as a line in the acl.
with explicyt deny, when a vlan is added, you need to modify all acl's
with explit permit you only add a new acl for the new vlan, existing acl's stay untouched
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО10-30-2008 06:06 AM
тАО10-30-2008 06:06 AM
Re: ACL with 2610 switch
Hi,
Tanks for your reply : here it is my swich running configuration.
; J9088A Configuration Editor; Created on release #R.11.07
hostname "ProCurve Switch 2610-48"
snmp-server contact "CYRIL"
ip routing
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged 1-4,49-52
ip address 192.168.100.253 255.255.255.0
no untagged 5-48
exit
vlan 2
name "VLAN_2"
untagged 5-12
ip address 192.168.2.253 255.255.255.0
ip helper-address 192.168.100.10
exit
vlan 3
name "VLAN_3"
untagged 13-14
ip address 192.168.3.253 255.255.255.0
ip helper-address 192.168.100.10
exit
vlan 4
name "VLAN_4"
untagged 15-22
ip address 192.168.4.253 255.255.255.0
ip helper-address 192.168.100.10
exit
vlan 5
name "VLAN_5"
untagged 23-48
ip address 192.168.5.253 255.255.255.0
ip helper-address 192.168.100.10
exit
I'll try with a simple acl : only on VLAN 5 for this test.
Tanks for your reply : here it is my swich running configuration.
; J9088A Configuration Editor; Created on release #R.11.07
hostname "ProCurve Switch 2610-48"
snmp-server contact "CYRIL"
ip routing
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged 1-4,49-52
ip address 192.168.100.253 255.255.255.0
no untagged 5-48
exit
vlan 2
name "VLAN_2"
untagged 5-12
ip address 192.168.2.253 255.255.255.0
ip helper-address 192.168.100.10
exit
vlan 3
name "VLAN_3"
untagged 13-14
ip address 192.168.3.253 255.255.255.0
ip helper-address 192.168.100.10
exit
vlan 4
name "VLAN_4"
untagged 15-22
ip address 192.168.4.253 255.255.255.0
ip helper-address 192.168.100.10
exit
vlan 5
name "VLAN_5"
untagged 23-48
ip address 192.168.5.253 255.255.255.0
ip helper-address 192.168.100.10
exit
I'll try with a simple acl : only on VLAN 5 for this test.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО10-30-2008 07:57 AM
тАО10-30-2008 07:57 AM
Re: ACL with 2610 switch
Ok ! I found my problem !!
The switch only apply changes when I unplug him !
After tests and documention read everything is ok.
I'll post my definitive result if it can help someone.
Tanks for your help.
The switch only apply changes when I unplug him !
After tests and documention read everything is ok.
I'll post my definitive result if it can help someone.
Tanks for your help.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО10-30-2008 08:42 AM
тАО10-30-2008 08:42 AM
Re: ACL with 2610 switch
I want VLAN2 - 3 - 4 can see VLAN1
But VLAN 2 3 and 4 not see each other
please copy my config to your switch and make test
hostname "ProCurve Switch 2610-48"
snmp-server contact "CYRIL"
ip access-list standard "1"
deny 192.168.3.0 0.0.0.255
deny 192.168.4.0 0.0.0.255
permit 0.0.0.0 255.255.255.255
exit
ip access-list standard "2"
deny 192.168.2.0 0.0.0.255
deny 192.168.4.0 0.0.0.255
permit 0.0.0.0 255.255.255.255
exit
ip access-list standard "3"
deny 192.168.2.0 0.0.0.255
deny 192.168.3.0 0.0.0.255
permit 0.0.0.0 255.255.255.255
exit
interface 5
-- MORE --, next page: Space, next line: Enter, quit: Control-C access-group "1" in
exit
interface 6
access-group "1" in
exit
interface 7
access-group "1" in
exit
interface 8
access-group "1" in
exit
interface 9
access-group "1" in
exit
interface 10
access-group "1" in
exit
interface 11
access-group "2" in
exit
interface 12
access-group "2" in
exit
-- MORE --, next page: Space, next line: Enter, quit: Control-Cinterface 13
access-group "2" in
exit
interface 14
access-group "2" in
exit
interface 15
access-group "3" in
exit
interface 16
access-group "3" in
exit
interface 17
access-group "3" in
exit
interface 18
access-group "3" in
exit
interface 19
access-group "3" in
exit
interface 20
access-group "3" in
-- MORE --, next page: Space, next line: Enter, quit: Control-Cexit
interface 21
access-group "3" in
exit
interface 22
access-group "3" in
exit
ip routing
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged 1-4,24-28
ip address 192.168.100.253 255.255.255.0
no untagged 5-23
exit
vlan 2
name "VLAN_2"
untagged 5-10
ip address 192.168.2.253 255.255.255.0
ip helper-address 192.168.100.10
exit
vlan 3
name "VLAN_3"
-- MORE --, next page: Space, next line: Enter, quit: Control-C untagged 11-14
ip address 192.168.3.253 255.255.255.0
ip helper-address 192.168.100.10
exit
vlan 4
name "VLAN_4"
untagged 15-22
ip address 192.168.4.253 255.255.255.0
ip helper-address 192.168.100.10
exit
vlan 5
name "VLAN_5"
untagged 23
ip address 192.168.5.253 255.255.255.0
ip helper-address 192.168.100.10
exit
ProCurve Switch 2610-48(config)#
But VLAN 2 3 and 4 not see each other
please copy my config to your switch and make test
hostname "ProCurve Switch 2610-48"
snmp-server contact "CYRIL"
ip access-list standard "1"
deny 192.168.3.0 0.0.0.255
deny 192.168.4.0 0.0.0.255
permit 0.0.0.0 255.255.255.255
exit
ip access-list standard "2"
deny 192.168.2.0 0.0.0.255
deny 192.168.4.0 0.0.0.255
permit 0.0.0.0 255.255.255.255
exit
ip access-list standard "3"
deny 192.168.2.0 0.0.0.255
deny 192.168.3.0 0.0.0.255
permit 0.0.0.0 255.255.255.255
exit
interface 5
-- MORE --, next page: Space, next line: Enter, quit: Control-C access-group "1" in
exit
interface 6
access-group "1" in
exit
interface 7
access-group "1" in
exit
interface 8
access-group "1" in
exit
interface 9
access-group "1" in
exit
interface 10
access-group "1" in
exit
interface 11
access-group "2" in
exit
interface 12
access-group "2" in
exit
-- MORE --, next page: Space, next line: Enter, quit: Control-Cinterface 13
access-group "2" in
exit
interface 14
access-group "2" in
exit
interface 15
access-group "3" in
exit
interface 16
access-group "3" in
exit
interface 17
access-group "3" in
exit
interface 18
access-group "3" in
exit
interface 19
access-group "3" in
exit
interface 20
access-group "3" in
-- MORE --, next page: Space, next line: Enter, quit: Control-Cexit
interface 21
access-group "3" in
exit
interface 22
access-group "3" in
exit
ip routing
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged 1-4,24-28
ip address 192.168.100.253 255.255.255.0
no untagged 5-23
exit
vlan 2
name "VLAN_2"
untagged 5-10
ip address 192.168.2.253 255.255.255.0
ip helper-address 192.168.100.10
exit
vlan 3
name "VLAN_3"
-- MORE --, next page: Space, next line: Enter, quit: Control-C untagged 11-14
ip address 192.168.3.253 255.255.255.0
ip helper-address 192.168.100.10
exit
vlan 4
name "VLAN_4"
untagged 15-22
ip address 192.168.4.253 255.255.255.0
ip helper-address 192.168.100.10
exit
vlan 5
name "VLAN_5"
untagged 23
ip address 192.168.5.253 255.255.255.0
ip helper-address 192.168.100.10
exit
ProCurve Switch 2610-48(config)#
cenk
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.
Company
Learn About
News and Events
Support
© Copyright 2025 Hewlett Packard Enterprise Development LP