VRRP and ACLs
06-25-2010 02:24 AM
I've got a setup of two HP 5400s set up using routing (VRRP) to connect different VLANs to a VLAN containing a set of servers.
I want to use ACLs to ensure that the switch will only route packets to the server VLAN, and not between the other VLANs.
I've been trying a lot of different sets of configuration, but none of them seem to work. Probably because I'm not doing it right.
Let's say I've got VLAN 20 and VLAN 30, and these VLANs need to talk to servers on VLAN 10, but not to each other.
On VLAN 10, I've got the following subnet: 10.4.10.0/24.
I've tried setting up the following ACL:
ip access-list extended "test"
10 permit ip 0.0.0.0 255.255.255.255 10.4.10.0 255.255.255.0
exit
And on VLAN 20 and 30 I've assigned the ACL by:
vlan 20
ip access group "test" out
exit
I've tried setting the rules as "in", "out" and "vlan", but nothing seems to affect it. Either everything gets through, or nothing gets through.
Anyone have an idea what I might be doing wrong?
The above config is set on both switches, the primary and backup VRRP.
06-25-2010 07:24 AM
Re: VRRP and ACLs
In the ACL statement you have to specify a wildcard mask, not a subnet mask.
I.e.:
ip access-list extended "test"
10 permit ip any 10.4.10.0 0.0.0.255
exit
See http://cdn.procurve.com/training/Manuals/3500-5400-6200-6600-8200-ASG-Mar10-10-ACLs.pdf, page 10-38.
Cheers,
Michael
06-27-2010 11:06 PM
In addition to the other post:
The criterion is "entering or leaving the switch"!
So,
- if you've got a single switch with two VLANs,
- you've set up routing between those VLANs,
- when the data is transferred between the VLANs it does NOT leave the switch!
=> that's why you need to apply the filter IN on the first or OUT on the second VLAN.
If you don't want VLAN 20 and 30 to talk to each other, you will need two ACLs "in".
Another thing is the behaviour of RACLs and VACLs.
For a VACL you also need to add a second permit for the local VLAN to allow hosts within the VLAN to talk to each other.
06-28-2010 12:21 AM
Re: VRRP and ACLs
The thing is, I can't know for certain if the VLAN will leave the switch or not.
I've got two 5400s acting as core switches, with a large number of 2800 series switches, all connected in spanning tree.

(server1)                    (server2)
    |                            |
(hp5400 coresw1)------(hp5400 coresw2)
        /                        \
(edge sw1)------------------(edge sw2)

Both servers have a failover link to the other core switch. The servers are provisioned to the users "randomly", meaning one server is not necessarily failover until the other crashes, but they will both take normal load.
Meaning that users from "edge sw2" may connect to both server1 and server2, depending on their assignment. However, they will each have their own VLAN.
Do you have any ideas on how access lists may be implemented in this setup?
06-28-2010 03:06 AM
Re: VRRP and ACLs
>>> The thing is, I can't know for certain if the VLAN will leave the switch or not. <<<
But you do know where traffic enters the VLAN.
When traffic enters the VLAN, it will be at the access ports of VLAN 20.
That's why at this point you'd better filter with an ACL "in".
You know what ports are in VLAN 20, so you apply an ACL "in" that allows
VLAN 20 to VLAN 20 and VLAN 20 to VLAN 10.
Likewise for ports in VLAN 30:
you allow VLAN 30 to VLAN 30 and VLAN 30 to VLAN 10,
hence you disallow VLAN 20 to VLAN 30 and vice versa.
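To make the two points of this thread concrete (a wildcard mask is not a subnet mask, and an inbound ACL per user VLAN isolates VLAN 20 from VLAN 30), here is an added Python model of ProCurve-style ACL matching with first-match-wins and an implicit deny. It is not code from the thread or from HP; the VLAN 20 and VLAN 30 subnets 10.4.20.0/24 and 10.4.30.0/24 are assumed, since the thread only gives VLAN 10's.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """ACL semantics: bits set in the wildcard are ignored, all other bits must equal base."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match exactly
    return a & care == b & care


@dataclass
class Entry:
    action: str     # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def evaluate(acl: list, src: str, dst: str) -> str:
    """First matching entry wins; the list ends with an implicit deny, as on ProCurve."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")      # "any": every bit ignored

# The original poster's entry: a subnet mask (255.255.255.0) written where a wildcard belongs.
# Only destinations whose last octet is exactly 0 match, so real hosts fall through to the deny.
ORIGINAL = [Entry("permit", *ANY, "10.4.10.0", "255.255.255.0")]

# Michael's correction: wildcard 0.0.0.255 ignores the host octet and matches all of 10.4.10.0/24.
CORRECTED = [Entry("permit", *ANY, "10.4.10.0", "0.0.0.255")]

# Inbound ACL for VLAN 20 as described in the last reply. The subnets 10.4.20.0/24 (VLAN 20)
# and 10.4.30.0/24 (VLAN 30) are assumed here; the thread only gives VLAN 10's.
VLAN20_IN = [
    Entry("permit", "10.4.20.0", "0.0.0.255", "10.4.20.0", "0.0.0.255"),   # local hosts
    Entry("permit", "10.4.20.0", "0.0.0.255", "10.4.10.0", "0.0.0.255"),   # to the servers
    # anything else, including 10.4.30.0/24, hits the implicit deny
]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("corrected", CORRECTED), ("vlan20-in", VLAN20_IN)):
        for dst in ("10.4.10.7", "10.4.20.9", "10.4.30.7"):
            print(f"{name:10} 10.4.20.5 -> {dst}: {evaluate(acl, '10.4.20.5', dst)}")
```

Running it shows why the original ACL blocked everything: a packet to 10.4.10.7 does not match a "wildcard" of 255.255.255.0, while the network address 10.4.10.0 does.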