v1910 ACL's Not Working
02-21-2013 11:02 AM - last edited on 07-21-2013 10:24 PM by Maiko-I
The ACL procedure on these switches is a pain in the ass. I followed the instructions exactly and still it doesn't work as expected. No matter what rules I put in the ACL, if the "Behavior" is set to Permit, all traffic is permitted. If the "Behavior" is set to Deny, all traffic is denied. If I set the "Behavior" to Not Set, it errors and won't apply the policy. Why can't I just apply an ACL to an interface without all this QoS business?
Please tell me what I'm doing wrong.
 version 5.20 Release 1111P02
 sysname ADMIN Switch
 clock timezone #Web#-5#02 minus 05:00:00
 domain default enable system
 telnet server enable
 ip ttl-expires enable
 cluster enable
 stack stack-port 1 port GigabitEthernet1/0/2
 mirroring-group 1 local
 time-range ALLTIME from 00:00 1/1/1970 to 24:00 12/31/2100
acl number 3001
 rule 0 permit ip destination 172.16.0.0 0.0.0.255
 rule 5 permit ip destination 172.16.50.1 0
 rule 10 permit ip destination 172.16.50.2 0
 rule 15 permit ip destination 172.16.50.4 0
 rule 20 permit ip destination 172.16.50.5 0
 rule 25 deny ip destination 172.16.50.3 0
 rule 30 deny ip destination 172.16.60.0 0.0.0.255
 rule 35 permit ip
vlan 1
 description Internal
vlan 50
 description Servers
vlan 60
 description Finance
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
traffic classifier Class1 operator and
 if-match acl 3001
traffic behavior Behavior1
 filter deny
qos policy Policy1
 classifier Class1 behavior Behavior1
user-group system
local-user admin
 password simple
 authorization-attribute level 3
 service-type ssh telnet terminal
stp mode rstp
stp enable
interface NULL0
interface Vlan-interface1
 ip address 172.16.0.4 255.255.255.0
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 1
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
 mirroring-group 1 monitor-port
interface GigabitEthernet1/0/2
 stp edged-port enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk permit vlan 1 50
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/4
 port link-type hybrid
 port hybrid vlan 1 tagged
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/5
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 60
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/6
 port link-type trunk
 port trunk permit vlan 1
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/7
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/8
 port link-type trunk
 port trunk permit vlan 1 50 60
 stp edged-port enable
 undo ntdp enable
interface GigabitEthernet1/0/9
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/10
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/11
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/12
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/13
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/14
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/15
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/16
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/17
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
 mirroring-group 1 mirroring-port both
interface GigabitEthernet1/0/18
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/19
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/20
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/21
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/22
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/23
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/24
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/25
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/26
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/27
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
interface GigabitEthernet1/0/28
 stp edged-port enable
 undo ntdp enable
 qos apply policy Policy1 inbound
snmp-agent
snmp-agent local-engineid 800063A203D07E28259F03
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version all
undo snmp-agent trap enable standard
ntp-service unicast-server 172.16.0.127
ssh server enable
user-interface aux 0
 authentication-mode scheme
user-interface vty 0 15
 authentication-mode scheme
return
P.S. This thread has been moved from Switches, Hubs, Modems (Legacy ITRC forum) to Web and Unmanaged. - HP Forum Moderator
Tags: ACLs
02-21-2013 05:22 PM - edited 02-21-2013 06:15 PM
Hello, I edited my original reply as it's obviously not the same and uses traffic classification and behaviors! So... it sounds like, since it's based off of QoS policies, you'd want multiple ACLs, classifications and behaviors. This would be for your permits and for your denies, which map to multiple behaviors for your permits and your denies. So I would assume it would look something like this when it's done:
acl number 3001
 rule 0 permit ip destination 172.16.0.0 0.0.0.255
 rule 5 permit ip destination 172.16.50.1 0
 rule 10 permit ip destination 172.16.50.2 0
 rule 15 permit ip destination 172.16.50.4 0
 rule 20 permit ip destination 172.16.50.5 0
traffic classifier PermitTraffic operator or
 if-match acl 3001
traffic behavior PermitBehavior
 filter permit
qos policy Policy1
 classifier PermitTraffic behavior PermitBehavior
And then repeat with your deny ACL, classifier, and behaviors, and finally add them to your QoS policy. One more thing, your deny ACL will actually have to have permit statements as the ACL itself is not actually denying traffic, it's the behavior that's applying the deny filter. The ACL is just used for classifying the traffic with the similar behavior.
02-22-2013 05:16 AM
Re: v1910 ACL's Not Working
This is it!
What a backwards way to apply an ACL. So much more convoluted than I learned on Cisco gear.
Thank you!
02-22-2013 07:05 AM
Re: v1910 ACL's Not Working
Great, glad I could help! Ya, it seems doing it that way makes it a bit difficult, but I guess this gives you a good bit of flexibility. With that said, that's only one of the ways of implementing it on the higher end A series switches. The other ways of accomplishing it are much more like the traditional packet filtering ACLs.
01-22-2016 02:53 AM
Re: v1910 ACL's Not Working
Any chance you can share the full configuration?
02-22-2016 09:01 AM
Re: v1910 ACL's Not Working
ACL on this switch is actually very complicated. I have 4 VLANs, 1, 2, 3, 4. I would like to give access to VLAN 4 only to VLAN 2. What should I do?
Should I set a QoS rule to any port in the case vlan interface?