Switching and Routing

Re: ACL across VLANS

bigmaneric97
Occasional Advisor

ACL across VLANS

I am trying to apply an ACL to a VLAN that lives in our training room. I want to limit them to DHCP, DNS and a couple of other things, and give them access to the internet. Mainly I want to keep them off most of our network. Here is an example from the ACL:

ip access-list extended "Training Lab"
5 permit icmp 10.3.4.0 255.255.255.0 10.3.4.1 255.255.255.255
10 permit tcp 10.3.4.0 255.255.255.0 xxx.xxx.xxx.xxx 255.255.255.255 eq 53
20 permit tcp 10.3.4.0 255.255.255.0 xxx.xxx.xxx.xxx 255.255.255.255 eq 53
30 permit udp 10.3.4.0 255.255.255.0 xxx.xxx.xxx.xxx 255.255.255.255 eq 68
40 permit udp 10.3.4.0 255.255.255.0 xxx.xxx.xxx.xxx 255.255.255.255 eq 68

200 deny ip 10.3.4.0 255.255.255.0 xxx.xxx.0.0 255.255.0.0
210 deny ip 10.3.4.0 255.255.255.0 xxx.xxx.0.0 255.0.0.0
220 permit ip 10.3.4.0 255.255.255.0 0.0.0.0 0.0.0.0

I have tried the following to apply to the vlan:

vlan 773
name "Training"

ip access-group "Training Lab" out (current)

I have also tried vlan and in. With the current iteration, I can get an IP address and configuration through DHCP and I can ping the VLAN gateway. Using both VLAN and in I can still get a DHCP address, but I can't ping the gateway.


None of these allow me access to other parts of the network or the internet. I'm very confused as to why this isn't working. Everything I find for configuring seems to be right.


Thank you,

Eric

parnassus
Honored Contributor

Re: ACL across VLANS

Hi! I'm quite sure you should apply this ACL in the "in" direction (seen from the Core Switch where the routing happens and where the SVI 10.3.4.1 - is it right? - is addressed).

So within the VLAN id 773 context: ip access-group "Training Lab" in

Try to change the ACE id 5 from:

5 permit icmp 10.3.4.0 255.255.255.0 10.3.4.1 255.255.255.255

to:

5 permit ip 10.3.4.0 255.255.255.0 10.3.4.1 255.255.255.255


I'm not an HPE Employee
bigmaneric97
Occasional Advisor

Re: ACL across VLANS

I changed the line in the ACL and changed back to ip access-group "Training Lab" in. No change from before. I can't ping the IP address. To give some context on infrastructure: my lab is in an HP switch that matches my core switch and is connected via a trunk. Each switch has the same VLANs; the VLAN GW (10.3.4.1) exists on the core switch.


What is strange is that with the ACL being a RACL with in and a VACL with vlan, I can't ping the GW. I would think that I should at least be able to ping the GW since the workstation and GW are in the same VLAN. Doing a stats on the ACL in all 3 states shows 0's in the counters.


Thank you for your help.

Eric

parnassus
Honored Contributor

Re: ACL across VLANS

I was in a hurry... shouldn't it be instead:

5 permit icmp 10.3.4.0 0.0.0.255 10.3.4.1 0.0.0.0
10 permit tcp 10.3.4.0 0.0.0.255 <ip-of-a-host> 0.0.0.0 eq 53
20 permit tcp 10.3.4.0 0.0.0.255 <ip-of-a-host> 0.0.0.0 eq 53
30 permit udp 10.3.4.0 0.0.0.255 <ip-of-a-host> 0.0.0.0 eq 68
40 permit udp 10.3.4.0 0.0.0.255 <ip-of-a-host> 0.0.0.0 eq 68
200 deny ip 10.3.4.0 0.0.0.255 <ip-of-a-/16-subnet> 0.0.255.255
210 deny ip 10.3.4.0 0.0.0.255 <ip-of-a-/8-subnet> 0.255.255.255
220 permit ip 10.3.4.0 0.0.0.255 0.0.0.0 255.255.255.255

I'm not an HPE Employee
bigmaneric97
Occasional Advisor

Re: ACL across VLANS

So this seemed interesting. This line was accepted:

5 permit ip 10.3.4.0 0.0.0.255 10.3.4.1 0.0.0.0

every other line, i.e.

10 permit tcp 10.3.4.0 0.0.0.255 <ip-of-a-host> 0.0.0.0 eq 53

gives this error: Invalid input: 0

If the reverse netmask was the issue I would expect that error on every line.


Thanks,

Eric

bigmaneric97
Occasional Advisor

Re: ACL across VLANS

Parnassus,

Here is the current Access list:


ip access-list extended "Training Lab"
10 permit tcp 10.3.4.0 0.0.0.255 192.168.0.77 0.0.0.0 eq 53
20 permit tcp 10.3.4.0 0.0.0.255 192.168.0.97 0.0.0.0 eq 53
30 permit udp 10.3.4.0 0.0.0.255 192.168.0.77 0.0.0.0 eq 68
40 permit udp 10.3.4.0 0.0.0.255 192.168.0.97 0.0.0.0 eq 68
50 permit tcp 10.3.4.0 0.0.0.255 192.168.0.29 0.0.0.0 eq 80
60 permit tcp 10.3.4.0 0.0.0.255 192.168.0.29 0.0.0.0 eq 443
70 permit tcp 10.3.4.0 0.0.0.255 192.168.0.20 0.0.0.0 eq 80
80 permit tcp 10.3.4.0 0.0.0.255 192.168.0.20 0.0.0.0 eq 443
90 permit tcp 10.3.4.0 0.0.0.255 192.168.0.125 0.0.0.0 eq 80
100 permit tcp 10.3.4.0 0.0.0.255 192.168.0.125 0.0.0.0 eq 443
110 permit tcp 10.3.4.0 0.0.0.255 192.168.0.51 0.0.0.0 eq 80
120 permit tcp 10.3.4.0 0.0.0.255 192.168.0.51 0.0.0.0 eq 553
130 permit tcp 10.3.4.0 0.0.0.255 192.168.0.51 0.0.0.0 eq 443
140 permit tcp 10.3.4.0 0.0.0.255 192.168.0.145 0.0.0.0 eq 80
150 permit tcp 10.3.4.0 0.0.0.255 192.168.0.145 0.0.0.0 eq 443
160 permit tcp 10.3.4.0 0.0.0.255 192.168.200.31 0.0.0.0 eq 80
170 permit tcp 10.3.4.0 0.0.0.255 192.168.200.31 0.0.0.0 eq 443
180 permit tcp 10.3.4.0 0.0.0.255 192.168.200.145 0.0.0.0 eq 80
190 permit tcp 10.3.4.0 0.0.0.255 192.168.200.145 0.0.0.0 eq 443
195 permit ip 10.3.4.0 0.0.0.255 0.0.0.0 0.0.0.0
200 deny ip 10.3.4.0 0.0.0.255 192.168.0.0 255.255.0.0
210 deny ip 10.3.4.0 0.0.0.255 10.0.0.0 255.0.0.0
220 permit ip 10.3.4.0 0.0.0.255 10.3.4.1 0.0.0.0

When I apply it as ip access-group "Training Lab" in, I can see hits registering in the sh statistics aclv4 "Training Lab" vlan 773 in command. Using Wireshark I see no response returning on many, but I ping the workstation I'm using for testing. I used 192.168.0.77 for the ping test. This ACL should just restrict the traffic leaving the VLAN, correct?


Thank you again for your help @parnassus 

Eric
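Added example, not from the thread or from HPE: a small Python evaluator that applies HP ProCurve ACL-mask semantics (a 0 bit in the mask must match, a 1 bit is ignored) and the implicit deny that ends every ProCurve ACL to the ACEs quoted above, so you can see which of a lab host's packets each version of the list permits. The lab host address 10.3.4.50 and the sample packets are constructed for the example.

```python
import ipaddress

def ip_matches(addr, base, mask):
    """True if addr matches base under an ACL (wildcard) mask: 0 = must match, 1 = ignore."""
    a, b, m = (int(ipaddress.IPv4Address(x)) for x in (addr, base, mask))
    return ((a ^ b) & (~m & 0xFFFFFFFF)) == 0

def parse_ace(line):
    """Parse 'SEQ permit|deny PROTO SRC SMASK DST DMASK [eq PORT]' (the syntax used in the thread)."""
    t = line.split()
    return {"seq": int(t[0]), "action": t[1], "proto": t[2],
            "src": t[3], "smask": t[4], "dst": t[5], "dmask": t[6],
            "port": int(t[8]) if len(t) > 8 and t[7] == "eq" else None}

def evaluate(acl, pkt):
    """First-match evaluation in sequence order; ('deny', None) is the implicit deny."""
    for ace in sorted(acl, key=lambda a: a["seq"]):
        if ace["proto"] not in ("ip", pkt["proto"]):          # 'ip' covers every protocol
            continue
        if not ip_matches(pkt["src"], ace["src"], ace["smask"]):
            continue
        if not ip_matches(pkt["dst"], ace["dst"], ace["dmask"]):
            continue
        if ace["port"] is not None and pkt.get("dport") != ace["port"]:
            continue
        return ace["action"], ace["seq"]
    return "deny", None

# ACE 5 as written in the first post (subnet-mask form) and a subset of the final list.
ORIGINAL_ACE_5 = [parse_ace("5 permit icmp 10.3.4.0 255.255.255.0 10.3.4.1 255.255.255.255")]
FINAL_ACL = [parse_ace(l) for l in (
    "10 permit tcp 10.3.4.0 0.0.0.255 192.168.0.77 0.0.0.0 eq 53",
    "195 permit ip 10.3.4.0 0.0.0.255 0.0.0.0 0.0.0.0",
    "200 deny ip 10.3.4.0 0.0.0.255 192.168.0.0 255.255.0.0",
    "220 permit ip 10.3.4.0 0.0.0.255 10.3.4.1 0.0.0.0",
)]

# Constructed packets from a hypothetical lab host 10.3.4.50 entering the switch on VLAN 773.
PING_GW   = {"proto": "icmp", "src": "10.3.4.50", "dst": "10.3.4.1"}
DNS_TCP   = {"proto": "tcp",  "src": "10.3.4.50", "dst": "192.168.0.77", "dport": 53}
PING_HOST = {"proto": "icmp", "src": "10.3.4.50", "dst": "192.168.0.77"}
WEB_OUT   = {"proto": "tcp",  "src": "10.3.4.50", "dst": "93.184.216.34", "dport": 443}

if __name__ == "__main__":
    for name, pkt in [("ping gw", PING_GW), ("dns", DNS_TCP), ("ping host", PING_HOST), ("web", WEB_OUT)]:
        print(name, evaluate(FINAL_ACL, pkt))
```

With the original subnet-mask form, source mask 255.255.255.0 ignores the first three octets and requires the last octet to be 0, so only 10.3.4.0 itself matches ACE 5; in the final list, ACE 195's destination wildcard 0.0.0.0 matches only the address 0.0.0.0 (not "any", which needs 255.255.255.255) and ACE 200's wildcard 255.255.0.0 only matches destinations ending in .0.0, so the lab host reaches the listed hosts and the gateway and everything else falls to the implicit deny.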