VRRP and ACLs

 
Kenneth Østrup
Occasional Advisor

Hi,

I've got a setup of two HP 5400s set up using routing (VRRP) to connect different VLANs to a VLAN containing a set of servers.

I want to use ACLs to ensure that the switch will only route packets to the server VLAN, and not between the other VLANs.

I've been trying a lot of different sets of configuration, but none of them seem to work. Probably because I'm not doing it right.


Let's say I've got VLAN 20 and VLAN 30, and these VLANs need to talk to servers on VLAN 10, but not to each other.

On VLAN 10, I've got the following subnet: 10.4.10.0/24.

I've tried setting up the following ACL:

ip access-list extended "test"
10 permit ip 0.0.0.0 255.255.255.255 10.4.10.0 255.255.255.0
exit

And on VLAN 20 and 30 I've assigned the ACL by:

vlan 20
ip access-group "test" out
exit

I've tried setting the rules as "in", "out" and "vlan", but nothing seems to affect it. Either anything gets through, or nothing gets through.

Anyone have an idea to what I might be doing wrong?

The above config is set on both switches, the primary and backup VRRP.
Michael_Breuer
Esteemed Contributor

Re: VRRP and ACLs

Hello,

in the ACL statement you have to specify a wildcard mask, not a subnet mask.

i.e.

ip access-list extended "test"
10 permit ip any 10.4.10.0 0.0.0.255
exit

see: http://cdn.procurve.com/training/Manuals/3500-5400-6200-6600-8200-ASG-Mar10-10-ACLs.pdf
page 10-38

Cheers,

Michael
Ingentive Networks GmbH
Pieter 't Hart
Honored Contributor
Solution

Re: VRRP and ACLs

Hi Kenneth,
In addition to the other post
The criterion is "entering or leaving the switch"!

So,
- if you've got a single switch with two VLANs,
- you've set up routing between those VLANs,
- when the data is transferred between the VLANs it does NOT leave the switch!
=> that's why you need to apply the filter IN on the first or OUT on the second VLAN

if you don't want VLAN 20 and VLAN 30 to talk to each other, you will need two ACLs "in".

another thing is the behaviour of RACLs and VACLs.
for a VACL you also need to add a second permit for the local VLAN to allow hosts within the VLAN to talk to each other.
Kenneth Østrup
Occasional Advisor

Re: VRRP and ACLs

Thanks Pieter, that cleared things up a bit for me.

The thing is, I can't know for certain if the VLAN will leave the switch or not.

I've got two 5400s acting as core switches, with a large number of 2800 series switches, all connected in spanning tree.


   (server1)                    (server2)
       |                            |
(hp5400 coresw1)-----------(hp5400 coresw2)
       /                            \
  (edge sw1)-------------------(edge sw2)


Both servers have a failover link to the other core switch. The servers are provisioned to the users "randomly", meaning one server is not necessarily the failover until the other crashes, but they will both take normal load.

Meaning that users from "edge sw2" may connect to both server1 and server2, depending on their assignment. However, they will each have their own VLAN.

Do you have any ideas on how access lists may be implemented in this setup?
Pieter 't Hart
Honored Contributor

Re: VRRP and ACLs

hi Kenneth,

>>> The thing is, I can't know for certain if the VLAN will leave the switch or not.
<<<

but you do know where traffic enters the VLAN.
When traffic enters the VLAN, it will be at the access ports of VLAN 20.
That's why at this point you are better off filtering with an ACL "in".
You know what ports are in VLAN 20, so you apply an ACL "in" that allows
VLAN 20 to VLAN 20 and VLAN 20 to VLAN 10.

Likewise for ports in VLAN 30:
you allow VLAN 30 to VLAN 30 and VLAN 30 to VLAN 10.

Hence you disallow VLAN 20 to VLAN 30 and vice versa.
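The two points made in the replies above (Michael's: the second field of each address in a ProCurve ACE is a wildcard mask, not a subnet mask; Pieter's: filter "in" at the VLAN where the traffic enters, permitting only the local VLAN and the server VLAN) can be checked against a small model of how such an extended ACL is evaluated. The following is an added example, not code from the thread or from HP: it parses entries in the "<seq> permit|deny ip <src> <dst>" form used here and applies first-match-wins with the implicit deny at the end. VLAN 10 = 10.4.10.0/24 comes from the question; VLAN 20 = 10.4.20.0/24, VLAN 30 = 10.4.30.0/24 and the ACL names "vlan20-in"/"vlan30-in" are assumptions made for the example.

```python
from ipaddress import IPv4Address

# ACL text exactly as posted in the question. With wildcard semantics,
# "255.255.255.255" after 0.0.0.0 means "any", but "255.255.255.0" after
# 10.4.10.0 means "ignore the first three octets, the last octet must be 0".
OP_ACL = """
ip access-list extended "test"
10 permit ip 0.0.0.0 255.255.255.255 10.4.10.0 255.255.255.0
exit
"""

# Per-VLAN inbound ACLs following the accepted answer. VLAN 20 = 10.4.20.0/24
# and VLAN 30 = 10.4.30.0/24 are ASSUMED here; only VLAN 10 = 10.4.10.0/24 is
# stated in the thread. On the switch each would be applied with
#   vlan 20
#      ip access-group "vlan20-in" in
# (and likewise for VLAN 30). The trailing "deny ip any any" only makes the
# implicit deny that ends every ACL explicit.
VLAN20_IN = """
ip access-list extended "vlan20-in"
10 permit ip 10.4.20.0 0.0.0.255 10.4.20.0 0.0.0.255
20 permit ip 10.4.20.0 0.0.0.255 10.4.10.0 0.0.0.255
30 deny ip any any
exit
"""

VLAN30_IN = """
ip access-list extended "vlan30-in"
10 permit ip 10.4.30.0 0.0.0.255 10.4.30.0 0.0.0.255
20 permit ip 10.4.30.0 0.0.0.255 10.4.10.0 0.0.0.255
30 deny ip any any
exit
"""

ALL_ONES = 0xFFFFFFFF


def wildcard_from_netmask(netmask: str) -> str:
    """Convert a subnet mask to the wildcard mask an ACE expects (bitwise inverse)."""
    return str(IPv4Address(int(IPv4Address(netmask)) ^ ALL_ONES))


def _parse_addr(tokens):
    """Consume one address spec ("any", "host A", or "A W") from tokens.

    Returns (base, wildcard, remaining_tokens) with base/wildcard as ints.
    """
    if tokens[0] == "any":
        return 0, ALL_ONES, tokens[1:]
    if tokens[0] == "host":
        return int(IPv4Address(tokens[1])), 0, tokens[2:]
    return int(IPv4Address(tokens[0])), int(IPv4Address(tokens[1])), tokens[2:]


def parse_acl(text: str):
    """Parse "<seq> permit|deny ip <src> <dst>" entries; other lines are ignored."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[1] not in ("permit", "deny") or tok[2] != "ip":
            continue  # 'ip access-list ...' header, 'exit', blank lines
        src, src_wc, rest = _parse_addr(tok[3:])
        dst, dst_wc, _ = _parse_addr(rest)
        entries.append((int(tok[0]), tok[1], src, src_wc, dst, dst_wc))
    return sorted(entries)


def _matches(addr: int, base: int, wildcard: int) -> bool:
    """Wildcard semantics: only bits that are 0 in the wildcard have to match."""
    care = ~wildcard & ALL_ONES
    return (addr & care) == (base & care)


def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; an ACL with no match denies (implicit deny)."""
    s, d = int(IPv4Address(src)), int(IPv4Address(dst))
    for _seq, action, base_s, wc_s, base_d, wc_d in acl:
        if _matches(s, base_s, wc_s) and _matches(d, base_d, wc_d):
            return action
    return "deny"


if __name__ == "__main__":
    op = parse_acl(OP_ACL)
    # Almost every packet misses the only permit, so the implicit deny wins...
    print("OP ACL, 10.4.20.5 -> 10.4.10.7:", evaluate(op, "10.4.20.5", "10.4.10.7"))
    # ...while a destination ending in .0 in ANY subnet is permitted.
    print("OP ACL, 10.4.20.5 -> 10.4.30.0:", evaluate(op, "10.4.20.5", "10.4.30.0"))

    v20 = parse_acl(VLAN20_IN)
    for dst in ("10.4.10.7", "10.4.20.9", "10.4.30.7"):
        print("vlan20-in, 10.4.20.5 ->", dst, ":", evaluate(v20, "10.4.20.5", dst))
```

Running it shows why the original ACL behaved as "nothing gets through": with 255.255.255.0 read as a wildcard, a host at 10.4.10.7 never matches the single permit, while an address such as 10.4.30.0 in a completely different subnet does. The per-VLAN "in" lists permit 10.4.20.5 to 10.4.10.7 and to 10.4.20.9 but deny it to 10.4.30.7, which is the VLAN 20 / VLAN 30 separation asked for. The model covers only the match logic, not the in/out/vlan application point discussed in the replies.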