ACL is not working in the Aruba 6200F version ML.10.15.1020

  • 1.  ACL is not working in the Aruba 6200F version ML.10.15.1020

    Posted Jul 06, 2025 06:53 AM
    I have an Aruba 6200F switch and want to apply an ACL. I have VLAN 30 with subnet 10.10.31.0/24 and VLAN 32 with subnet 10.10.32.0/24, and I want to block all communication from VLAN 30 to VLAN 32 and allow all communication from VLAN 32 to VLAN 30. For the required configuration,
     
    we wrote this ACL rule:
     
    access-list ip VLAN30Deny
        10 deny icmp 10.10.31.0/255.255.255.0 10.10.32.0/255.255.255.0 count
        20 permit any any any
     
    --------------------------------------------------------------------------------------------------------
     
    interface vlan 30
        ip address 10.10.31.1/24
        apply access-list ip VLAN30Deny routed-out
     
    (When we applied this, it was working as if there was no ACL: communication was happening both ways.)
     
     
    ----------------------------------------------------------------------------------------------------------
     
    And when we applied it as routed-in, communication from VLAN 30 to VLAN 32 is stopped as per the written ACL, but when we check from VLAN 32 to VLAN 30, I am able to ping the gateway IP 10.10.31.1
    but not able to ping the host IP 10.10.31.176, and when we remove the ACL rule it starts communicating, which means there are also no issues on the laptop side.
     
    interface vlan 30
        ip address 10.10.31.1/24
        apply access-list ip VLAN30Deny routed-in
    6200(config)# show running-config
    Current configuration:
    !
    !Version AOS-CX ML.10.15.1020
    !export-password: default
    hostname 6200
    user admin group administrators password ciphertext AQBapfTY4JLY9X+9+BttH3vMsQd/jzAyyavMjhLnqJAntDzhYgAAALFSzTzzJyKtOEBri3x93ckIBAt/TlT7B3wi0JqHUQxiR5PjCYvOdT+y7Bb0B2A0JqMf7Qe5ImHNwKy895bcfxagjemELiEK8somsTKuwN0uoOgKpNbFmnbat/dpC1cgpIjL
    ntp server pool.ntp.org minpoll 4 maxpoll 4 iburst
    ntp enable
    !
    !
    !
    !
    !
    !
    ssh server vrf default
    ssh server vrf mgmt
    vsf member 1
        type jl724a
    access-list ip VLAN30Deny
        10 deny icmp 10.10.31.0/255.255.255.0 10.10.32.0/255.255.255.0 count
        20 permit any any any
    vlan 1,30,32
    spanning-tree
    interface mgmt
        no shutdown
        ip dhcp
    qos dscp-map 0 local-priority 0
    qos dscp-map 1 local-priority 0
    qos dscp-map 2 local-priority 0
    qos dscp-map 3 local-priority 0
    qos dscp-map 4 local-priority 0
    qos dscp-map 5 local-priority 0
    qos dscp-map 6 local-priority 0
    qos dscp-map 7 local-priority 0
    qos dscp-map 8 local-priority 1
    qos dscp-map 9 local-priority 1
    qos dscp-map 10 local-priority 1
    qos dscp-map 11 local-priority 1
    qos dscp-map 12 local-priority 1
    qos dscp-map 13 local-priority 1
    qos dscp-map 14 local-priority 1
    qos dscp-map 15 local-priority 1
    interface 1/1/1
        no shutdown
        no routing
        vlan access 30
    interface 1/1/2
        no shutdown
        no routing
        vlan access 1
    interface 1/1/3
        no shutdown
        no routing
        vlan access 1
    interface 1/1/4
        no shutdown
        no routing
        vlan access 1
    interface 1/1/5
        no shutdown
        no routing
        vlan access 32
    interface 1/1/6
        no shutdown
        no routing
        vlan access 1
    interface 1/1/7
        no shutdown
        no routing
        vlan access 1
    interface 1/1/8
        no shutdown
        no routing
        vlan access 1
    interface 1/1/9
        no shutdown
        no routing
        vlan access 1
    interface 1/1/10
        no shutdown
        no routing
        vlan access 1
    interface 1/1/11
        no shutdown
        no routing
        vlan access 1
    interface 1/1/12
        no shutdown
        no routing
        vlan access 1
    interface 1/1/13
        no shutdown
        no routing
        vlan access 1
    interface 1/1/14
        no shutdown
        no routing
        vlan access 1
    interface 1/1/15
        no shutdown
        no routing
        vlan access 1
    interface 1/1/16
        no shutdown
        no routing
        vlan access 1
    interface 1/1/17
        no shutdown
        no routing
        vlan access 1
    interface 1/1/18
        no shutdown
        no routing
        vlan access 1
    interface 1/1/19
        no shutdown
        no routing
        vlan access 1
    interface 1/1/20
        no shutdown
        no routing
        vlan access 1
    interface 1/1/21
        no shutdown
        no routing
        vlan access 1
    interface 1/1/22
        no shutdown
        no routing
        vlan access 1
    interface 1/1/23
        no shutdown
        no routing
        vlan access 1
    interface 1/1/24
        no shutdown
        no routing
        vlan access 1
    interface 1/1/25
        no shutdown
        no routing
        vlan access 1
    interface 1/1/26
        no shutdown
        no routing
        vlan access 1
    interface 1/1/27
        no shutdown
        no routing
        vlan access 1
    interface 1/1/28
        no shutdown
        no routing
        vlan access 1
    interface vlan 1
        ip dhcp
        no ipv6 dhcp
    interface vlan 30
        ip address 10.10.31.1/24
        apply access-list ip VLAN30Deny routed-out
    interface vlan 32
        ip address 10.10.32.1/24
    !
    !
    !
    !
    !
    https-server vrf default
    https-server vrf mgmt
    dhcp-server vrf default
        pool VLAN30
            range 10.10.31.2 10.10.31.254 prefix-len 24
            default-router 10.10.31.1
            dns-server 8.8.8.8 4.2.2.2
            lease 00:08:00
            exit
        pool VLAN32
            range 10.10.32.2 10.10.32.254 prefix-len 24
            default-router 10.10.32.1
            dns-server 8.8.8.8 4.2.2.2
            lease 00:08:00
            exit
        enable
    6200(config)#


  • 2.  RE: ACL is not working in the Aruba 6200F version ML.10.15.1020

    Posted Jul 06, 2025 08:50 AM

    ACLs are not stateful. That means it will not track a session and automatically permit return flows. This can be achieved with reflexive policies, however that is not supported on the 6200 switches.

    There are some tricks you can do to allow TCP sessions and ICMP echo responses. However, keep in mind that the switches are not stateful devices. This will not help for UDP data flows but allow TCP responses and ICMP replies.

    Apply this ACL on VLAN30 direction inbound. 

    access-list ip VLAN30-in
        10 permit icmp 10.10.31.0/255.255.255.0 10.10.32.0/255.255.255.0 icmp-type echo-reply count
        20 permit tcp 10.10.31.0/255.255.255.0 10.10.32.0/255.255.255.0 established count
        30 deny any 10.10.31.0/255.255.255.0 10.10.32.0/255.255.255.0 count
        40 permit any any any
    


    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------
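An added example, not code from either post: a small Python model of stateless AOS-CX ACL evaluation that replays the poster's ACL (first routed-out, then routed-in on VLAN 30) and the answer's ACL against constructed packets, showing why the VLAN 30 host's echo-reply was dropped while the SVI's own reply got through, and why the `echo-reply` and `established` entries fix it. The packet fields, the `in_vlan=None` convention for switch-originated replies, and treating `established` as a plain ACK/RST flag test are assumptions of this model, not documented switch behaviour.

```python
import ipaddress
def _net(tok):  # '10.10.31.0/255.255.255.0' -> network, 'any' -> None
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def parse_acl(text):
    """Parse the 'access-list ip' entry syntax used in this thread:
    seq action proto src dst [icmp-type NAME] [established] [count]."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        rules.append({"action": tok[1], "proto": tok[2],
                      "src": _net(tok[3]), "dst": _net(tok[4]),
                      "established": "established" in tok,
                      "icmp_type": tok[tok.index("icmp-type") + 1]
                      if "icmp-type" in tok else None})
    return rules
def _matches(rule, pkt):
    if rule["proto"] not in ("any", pkt["proto"]):
        return False
    for key in ("src", "dst"):
        if rule[key] and ipaddress.ip_address(pkt[key]) not in rule[key]:
            return False
    # 'established' modelled as a stateless TCP ACK/RST flag test (assumption)
    if rule["established"] and not (pkt["proto"] == "tcp" and pkt.get("ack")):
        return False
    return not rule["icmp_type"] or pkt.get("icmp_type") == rule["icmp_type"]

def evaluate(rules, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule["action"]
    return "deny"

def forwarded(rules, pkt, vlan=30, direction="routed-in"):
    """'apply access-list ip ... routed-in|routed-out' on interface vlan <vlan>:
    only packets entering (routed-in) or leaving (routed-out) that SVI are checked.
    Replies from the switch's own SVI never enter VLAN 30: in_vlan=None (assumption)."""
    key = "in_vlan" if direction == "routed-in" else "out_vlan"
    return pkt.get(key) != vlan or evaluate(rules, pkt) == "permit"
# The two ACLs from the thread, entries verbatim.
POSTER_ACL = parse_acl("""
10 deny icmp 10.10.31.0/255.255.255.0 10.10.32.0/255.255.255.0 count
20 permit any any any""")
ANSWER_ACL = parse_acl("""
10 permit icmp 10.10.31.0/255.255.255.0 10.10.32.0/255.255.255.0 icmp-type echo-reply count
20 permit tcp 10.10.31.0/255.255.255.0 10.10.32.0/255.255.255.0 established count
30 deny any 10.10.31.0/255.255.255.0 10.10.32.0/255.255.255.0 count
40 permit any any any""")
```

Feed `forwarded()` a packet dict with `in_vlan`, `out_vlan`, `proto`, `src`, `dst` and, where relevant, `icmp_type` or `ack`; a UDP reply from VLAN 30 still hits entry 30 of the answer's ACL, which is the caveat the answer gives.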