  • 1.  ACL on ProCurve 5400 series

    Posted Apr 03, 2013 11:22 AM

    Hi All,


    I'm trying to implement an extended ACL, but the behaviour is not what I expected.
    I want to control the traffic from subnet 10.22.30.0/24 to network 10.10.0.0/16.
    When I activate the config below, I block all the traffic from 10.10.0.0/16 to 10.22.30.0/24,
    even if I make an ACE permit ip 10.10.0.0 0.0.255.255 0.0.0.0 255.255.255.255.

    The traffic from 10.10.0.0/16 to 10.22.30.0/24 is blocked.
    The traffic from 10.22.30.0/24 to 10.10.0.0/16 is filtered as expected.

    I do not want to filter the traffic from 10.10.0.0/16 to 10.22.30.0/24.

    Please check the config:


    ip access-list extended "X-name"
       10 remark "Allow RDP"
       10 permit tcp 10.22.30.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 3389
       20 remark "Allow to serverX"
       20 permit tcp 10.22.30.0 0.0.0.255 10.10.11.214 0.0.0.0 eq 2356
       30 permit tcp 10.22.30.0 0.0.0.255 10.10.11.214 0.0.0.0 eq 1433
       40 remark "Allow serverX to serverX"
       40 permit tcp 10.22.30.14 0.0.0.0 10.10.10.95 0.0.0.0 eq 80
       50 permit tcp 10.22.30.15 0.0.0.0 10.10.10.95 0.0.0.0 eq 80
       100 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 log
       exit
    interface B10
    ip access-group X-name in
    exit

    vlan 1
       name "DEFAULT_VLAN"
       untagged A1,B1,B5,B11-B23,F1
       ip address 10.10.0.1 255.255.0.0
       tagged A2,F2
       no untagged B2-B4,B6-B10,B24
       exit

    vlan 10
       name "Name"
       untagged B10
       ip address 10.22.30.1 255.255.255.0
       exit


    What am I missing? Please help....




  • 2.  RE: ACL on ProCurve 5400 series

    Posted Apr 03, 2013 06:10 PM

    Hi, do you know where your source interfaces and destination interfaces or VLANs are?

    I think B10 is the interface of your servers; however, you also need to permit your source to use these ports.

    I think you also need to configure it out as well, as below.

    ========================

    interface B10
    ip access-group X-name in

    ip access-group X-name out

    ========================



  • 3.  RE: ACL on ProCurve 5400 series

    Posted Apr 05, 2013 11:12 AM

    Thanks for the replies.
    I try to avoid applying ACLs to the interfaces that belong to VLAN 1. That means that I have to create multiple ACLs, and I only want to filter traffic from network 10.22.30.0/24. I cannot imagine that I have to create all kinds of ACLs to achieve that.
    There is no option to apply an ACL on an interface in the outbound direction.
    As I understood, if you apply an ACL on the VLAN, that port functionality doesn't work.

    Is it an option to add an additional ACL on the VLAN 10, like this:

    permit ip 10.10.0.0/24 10.22.30.0/24


    And place this ACL in the outbound direction:

    int vlan 10 ip access-group 'add-ACL' out


    Please advise...



  • 4.  RE: ACL on ProCurve 5400 series

    Posted Apr 10, 2013 11:54 AM

    When I said "all ports" I didn't mean all interfaces; I was referring to all TCP/UDP ports.


    I use an ACL to restrict access from a "guest" network to just a few resources and the internet.  I created the ACL and applied it to the "in" side of my VLAN and it works great.


    Your example shows you have the ACL applied to the interface itself, and I was just saying try removing it from the interface and applying it to your VLAN 10.


    Yes, your proposed ACL applied to the "out" of the VLAN 10 interface should work.


    So to test, apply your ip access-list extended X-name to the "in" side of VLAN 10 and then apply int vlan 10 ip access-group 'add-ACL' out.




  • 5.  RE: ACL on ProCurve 5400 series

    Posted Apr 04, 2013 02:48 PM

    Instead of applying the access group on the interface, apply it to the VLAN, in:


    Vlan 10 ip access-group "x-name" in


    With regards to why this did not work:

    permit ip 10.10.0.0 0.0.255.255 0.0.0.0 255.255.255.255

    This line is not applied to the "inbound" side of the interface because B10 is a member of VLAN 10. There are no packets with a source of 10.10.0.0/16 coming into the interface.


    It seems backwards until you understand the in/out direction is in reference to the interface, not the switch itself. So inbound traffic on interface 10 will be from (source) your 10.22.30.0/24 and not source 10.10.0.0/16. This may work if you apply that statement to your out... but if I remember correctly you should try to avoid applying ACLs to outbound traffic.


    You can also try a test without specifying the port numbers, just to see if it is working correctly to the server on all ports. Then once you verify your statement is working correctly, move on to the specific ports.

       20 permit tcp 10.22.30.0 0.0.0.255 10.10.11.214 0.0.0.0
       30 permit tcp 10.22.30.0 0.0.0.255 10.10.11.214 0.0.0.0


    Good Luck

    Dominic
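The stateless, first-match evaluation Dominic describes, as an added example that is not from the thread or from HP: a small Python model of the X-name ACL applied inbound on B10. The packets are constructed; the placement of the poster's extra "permit ip 10.10.0.0 0.0.255.255 any" ACE at sequence 60 is an assumption, since the post does not say where it sat.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Ace:
    seq: int
    action: str      # "permit" or "deny"
    proto: str       # "ip" matches any protocol, "tcp" only TCP
    src: str
    src_wc: str      # wildcard mask: a set bit means "don't care"
    dst: str
    dst_wc: str
    dport: int = 0   # "eq <port>" on the destination; 0 = no port check

def _wc_match(addr: str, base: str, wildcard: str) -> bool:
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def evaluate(acl: list, pkt: dict) -> tuple:
    """Stateless first-match lookup; no match falls through to the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if not _wc_match(pkt["src"], ace.src, ace.src_wc):
            continue
        if not _wc_match(pkt["dst"], ace.dst, ace.dst_wc):
            continue
        if ace.dport and pkt.get("dport") != ace.dport:
            continue
        return ace.action, ace.seq
    return "deny", None

ANY = ("0.0.0.0", "255.255.255.255")
# "X-name" from the original post; seq 60 is the extra ACE the poster tried
# (where it sat in the list is not stated, so its position here is assumed).
X_NAME = [
    Ace(10, "permit", "tcp", "10.22.30.0", "0.0.0.255", *ANY, dport=3389),
    Ace(20, "permit", "tcp", "10.22.30.0", "0.0.0.255", "10.10.11.214", "0.0.0.0", dport=2356),
    Ace(30, "permit", "tcp", "10.22.30.0", "0.0.0.255", "10.10.11.214", "0.0.0.0", dport=1433),
    Ace(40, "permit", "tcp", "10.22.30.14", "0.0.0.0", "10.10.10.95", "0.0.0.0", dport=80),
    Ace(50, "permit", "tcp", "10.22.30.15", "0.0.0.0", "10.10.10.95", "0.0.0.0", dport=80),
    Ace(60, "permit", "ip", "10.10.0.0", "0.0.255.255", *ANY),
    Ace(100, "deny", "ip", *ANY, *ANY),
]
# Constructed packets as seen INBOUND on B10 (i.e. sent by a VLAN 10 host):
# 1) VLAN 10 client opens RDP to a VLAN 1 host: matches seq 10.
CLIENT_SYN = {"proto": "tcp", "src": "10.22.30.20", "dst": "10.10.11.5", "dport": 3389}
# 2) A VLAN 1 host opened RDP to a VLAN 10 host; the SYN-ACK coming back has
#    source port 3389 and an ephemeral destination port, so only seq 100 matches.
REPLY_FROM_VLAN10 = {"proto": "tcp", "src": "10.22.30.20", "dst": "10.10.5.5", "dport": 55123}
```

Running `evaluate(X_NAME, REPLY_FROM_VLAN10)` lands on the deny at 100, which is why sessions started from 10.10.0.0/16 look "blocked": the ACL never sees a 10.10.0.0/16 source inbound on B10, so seq 60 cannot help there.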