Wired Intelligent Edge

  • 1.  Access Control Lists

    Posted Feb 08, 2021 05:54 AM

    Morning, I'm in the process of locking down inter-VLAN traffic. I'm normally used to Cisco ACLs and for the most part these are working as expected, but when I apply an ACL to the student VLAN (55) I lose ping access to the VLAN gateway.

    Without the ACL applied all is good, but as soon as I enable it I lose the ping from the gateway. What is odd (from my perspective) is that the hit count is still going up if I look at the stats: sh statistics aclv4 Student_Test vlan 55 in

    Hit Counts for ACL WBTC_Student_Test

    Total
    ( 0 ) 10 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
    ( 0 ) 20 permit ip 0.0.0.0 255.255.255.255 224.0.0.0 15.255.255.255
    ( 2734 ) 30 permit ip 0.0.0.0 255.255.255.255 10.81.16.10 0.0.0.0
    ( 1306 ) 40 permit ip 0.0.0.0 255.255.255.255 10.81.16.5 0.0.0.0

    Client IP: 10.81.55.26/24
    VLAN Gateway IP: 10.81.55.1
    DC IP: 10.81.16.10
    Web filter IP: 10.81.16.5

    Switch is a 2930M
    Already configured on the switch:

    ip routing
    ip route 0.0.0.0 0.0.0.0 10.81.16.5

    ACL:
    ip access-list extended "Student_Test"
    10 permit udp any any eq bootps
    20 permit ip any 224.0.0.0 15.255.255.255
    30 permit ip any host 10.81.16.10
    40 permit ip any host 10.81.16.5

    VLAN config
    vlan 55
    name "Wired_Student_VLAN"
    tagged Trk1-Trk4
    untagged 33-40
    ip helper-address 10.81.16.10
    ip address 10.81.55.1 255.255.255.0
    ip access-group "Student_Test" in
    exit

    ------------------------------
    Simon Harbinson
    ------------------------------


  • 2.  RE: Access Control Lists

    Posted Feb 08, 2021 07:53 AM
    It looks like your ACL does not allow communication from the client to the default gateway 10.81.55.1, nor does it allow the ICMP echo-reply packets. So the return ICMP packet is blocked, resulting in what you see. These ACLs are stateless, so return traffic needs to be permitted.

    If you want to allow ping, you will need to permit it in your ACLs.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: Access Control Lists

    Posted Feb 08, 2021 08:59 AM
    Edited by Nomis8849 Feb 08, 2021 10:08 AM
    Hi Herman,

    I'm a little confused (more than likely because I'm used to Cisco ACLs). The client is in the same subnet as the gateway, so in that case why is it attempting to apply the ACL, or is my understanding wrong? I thought that anything in the same VLAN can talk to each other and that it's only traffic incoming to the VLAN that the ACL is applied to, due to this command (ip access-group "Student_Test" in).

    However, I think my assumption about the issue is wrong. The issue is that as soon as I add an ACL I lose internet access; if I tracert google.co.uk I get a response from the gateway that the destination net is unreachable.

    But if I add "50 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255" then the trace works, but the browser is still unable to access the internet.

    This is clearly me not understanding something.

    Thanks, Simon

    ------------------------------
    Simon Harbinson
    ------------------------------



  • 4.  RE: Access Control Lists

    Posted Feb 08, 2021 11:23 AM
    Edited by Nomis8849 Feb 08, 2021 11:23 AM
    So after doing some digging around I have come up with this, and it works, but I'm unsure whether I'm being productive (is it written right?)

    ip access-list extended "Student_Test"
    10 permit ip 10.81.55.0 0.0.0.255 10.81.55.0 0.0.0.255
    20 permit udp any any eq bootps
    30 permit ip any host 10.81.16.10
    40 permit ip any host 10.81.16.5
    50 deny ip 10.81.55.0 0.0.0.255 10.81.16.0 0.0.0.255 log
    60 deny ip 10.81.55.0 0.0.0.255 10.81.19.0 0.0.0.255 log
    70 deny ip 10.81.55.0 0.0.0.255 10.81.52.0 0.0.0.255 log
    80 permit ip 10.81.55.0 0.0.0.255 0.0.0.0 255.255.255.255 log

    As I understand it now:
    10 - Allows the devices on the subnet to speak with each other
    20 - Allows DHCP. I guess that if I want to target the DC it would be: permit udp any 10.81.16.10 0.0.0.0 eq bootps
    30 - Allows other DC-related traffic
    40 - Allows communication to the web filter
    50, 60 & 70 - Deny access to internal VLANs
    80 - Allows internet traffic to talk to the client in this VLAN

    I also read that there is an implicit deny, but would rule 80 make that deny pointless?


    ------------------------------
    Simon Harbinson
    ------------------------------
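The first-match, implicit-deny semantics that posts 2 and 4 turn on can be checked offline before the ACL ever touches a switch. The script below is an added example, not code from the thread or from Aruba. It parses the two ACL versions exactly as posted (wildcard-mask syntax, `any`, `host`, `eq bootps`, a trailing `log`), evaluates constructed sample packets against each, and reports which rule matched or that the implicit deny fired. The client, gateway, DC and web-filter addresses are the ones from post 1; the Internet host 203.0.113.10 and the spoofed source 192.168.1.1 are invented for the example. It models only ordered, stateless first-match evaluation of the rule list and nothing else about how a 2930M applies a VLAN ACL.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"bootps": 67, "bootpc": 68}

@dataclass
class Rule:
    seq: int
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: tuple            # (address, wildcard) as 32-bit ints; 1 bits are "don't care"
    dst: tuple
    dport: Optional[int]  # set only when the rule carries "eq <port>"

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def _addr_spec(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2

def parse_acl(text):
    """Turn the ACL body as posted into Rule objects; non-rule lines are skipped."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue  # e.g. the 'ip access-list extended ...' header
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        src, i = _addr_spec(tokens, 3)
        dst, i = _addr_spec(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            port = tokens[i + 1]
            dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)
        rules.append(Rule(seq, action, proto, src, dst, dport))  # trailing "log" is ignored
    return rules

def _addr_match(spec, address):
    addr, wild = spec
    return (int(ipaddress.IPv4Address(address)) | wild) == (addr | wild)

def evaluate(rules, pkt):
    """First matching rule wins; no match is the implicit deny, reported as seq None."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not (_addr_match(r.src, pkt.src) and _addr_match(r.dst, pkt.dst)):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action, r.seq
    return "deny", None

# The two ACL versions exactly as posted in the thread.
ORIGINAL_ACL = """
ip access-list extended "Student_Test"
10 permit udp any any eq bootps
20 permit ip any 224.0.0.0 15.255.255.255
30 permit ip any host 10.81.16.10
40 permit ip any host 10.81.16.5
"""
REVISED_ACL = """
ip access-list extended "Student_Test"
10 permit ip 10.81.55.0 0.0.0.255 10.81.55.0 0.0.0.255
20 permit udp any any eq bootps
30 permit ip any host 10.81.16.10
40 permit ip any host 10.81.16.5
50 deny ip 10.81.55.0 0.0.0.255 10.81.16.0 0.0.0.255 log
60 deny ip 10.81.55.0 0.0.0.255 10.81.19.0 0.0.0.255 log
70 deny ip 10.81.55.0 0.0.0.255 10.81.52.0 0.0.0.255 log
80 permit ip 10.81.55.0 0.0.0.255 0.0.0.0 255.255.255.255 log
"""

# Constructed sample packets entering the switch from VLAN 55. Addresses from post 1,
# except 203.0.113.10 (Internet host) and 192.168.1.1 (spoofed source), which are invented.
TRAFFIC = {
    "ping gateway": Packet("icmp", "10.81.55.26", "10.81.55.1"),
    "dhcp discover": Packet("udp", "0.0.0.0", "255.255.255.255", 67),
    "dns to DC": Packet("udp", "10.81.55.26", "10.81.16.10", 53),
    "internet https": Packet("tcp", "10.81.55.26", "203.0.113.10", 443),
    "other internal vlan": Packet("tcp", "10.81.55.26", "10.81.19.10", 445),
    "spoofed source": Packet("tcp", "192.168.1.1", "203.0.113.10", 443),
}

def run(acl_text):
    """Map each sample packet to (action, matching seq) under the given ACL."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt) for name, pkt in TRAFFIC.items()}
```

Calling `run(ORIGINAL_ACL)` reproduces the symptom from post 1: the echo request from 10.81.55.26 to 10.81.55.1 matches no permit and falls to the implicit deny, and so does the HTTPS packet to the Internet. `run(REVISED_ACL)` permits the ping at rule 10, denies the packet to 10.81.19.0/24 at rule 60, and permits the Internet packet at rule 80. The spoofed-source packet answers the question at the end of post 4: rule 80 only permits sources inside 10.81.55.0/24, so a frame entering VLAN 55 with any other source address still falls through to the implicit deny.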