Comware
  • 1.  ACL problem on 5300xl

    Posted Mar 13, 2007 09:32 AM
    Hi, I have an ACL problem on a 5300xl.
    I only want some hosts to be able to access clients in VLAN 21.
    See my config, and please explain why it's not working.


    Running configuration:

    ; J4819A Configuration Editor; Created on release #E.10.44

    hostname "SE-SW-001"
    snmp-server contact " "
    snmp-server location "Serverrum"
    max-vlans 256
    time timezone 60
    time daylight-time-rule Middle-Europe-and-Portugal
    connection-rate-filter sensitivity low

    ip access-list extended "100"
    permit ip 10.206.23.42 0.0.0.0 10.206.21.128 0.0.0.127
    permit ip 10.206.23.50 0.0.0.0 10.206.21.128 0.0.0.127
    permit ip 10.206.25.150 0.0.0.0 10.206.21.128 0.0.0.127
    permit ip 10.206.25.151 0.0.0.0 10.206.21.128 0.0.0.127
    permit ip 10.206.25.152 0.0.0.0 10.206.21.128 0.0.0.127
    permit ip 10.206.25.153 0.0.0.0 10.206.21.128 0.0.0.127
    exit

    module 1 type J4907A
    module 2 type J4907A
    module 3 type J4907A

    ip default-gateway 10.206.22.1
    sntp server 207.46.130.100
    ip routing
    ip arp-age 30
    timesync sntp
    sntp unicast

    vlan 11
    name "VLAN11"
    untagged A3-A4
    ip address 128.1.50.41 255.255.0.0
    tagged A1
    ip igmp
    exit

    vlan 22
    name "VLAN22"
    untagged A5,A8-A14,B1,B3-B10,B12-B16,C1,C3-C10,C12-C16
    ip address 10.206.22.254 255.255.255.0
    tagged A1
    ip igmp
    exit

    vlan 23
    name "VLAN23"
    ip address 10.206.23.254 255.255.255.0
    ip helper-address 10.206.22.133
    tagged A1
    ip igmp
    exit

    vlan 25
    name "VLAN25"
    ip address 10.206.25.254 255.255.255.0
    ip helper-address 10.206.22.133
    tagged A1
    ip igmp
    exit

    vlan 20
    name "VLAN20"
    no ip address
    ip igmp
    exit

    vlan 24
    name "VLAN24"
    ip address 10.206.24.254 255.255.255.0
    ip helper-address 10.206.22.133
    tagged A1
    ip igmp
    exit

    vlan 21
    name "VLAN21"
    ip address 10.206.21.254 255.255.255.128
    tagged A1
    ip access-group "100" in
    exit


    ip route 0.0.0.0 0.0.0.0 10.206.22.1
    filter connection-rate A1-A16,B1-B16,C1-C16 notify-only
    spanning-tree
    spanning-tree priority 0
    password manager
    password operator

  • 2.  RE: ACL problem on 5300xl

    Posted Mar 13, 2007 01:00 PM
    Change the ACL applied on VLAN 21 from in to out.

    ip access-group "100" out


  • 3.  RE: ACL problem on 5300xl

    Posted Mar 13, 2007 11:04 PM
    Hi Matt!

    Why should it be the "out" direction?

    I only want those six machines to be able to reach the 10.206.21.128/25 network located behind VLAN 21... shouldn't that be direction "in"?

    Please explain.

    Thanks.


  • 4.  RE: ACL problem on 5300xl

    Posted Mar 14, 2007 12:09 AM
    With your ACL:

    ip access-list extended "100"
    permit ip 10.206.23.42 0.0.0.0 10.206.21.128 0.0.0.127
    permit ip 10.206.23.50 0.0.0.0 10.206.21.128 0.0.0.127
    permit ip 10.206.25.150 0.0.0.0 10.206.21.128 0.0.0.127
    permit ip 10.206.25.151 0.0.0.0 10.206.21.128 0.0.0.127
    permit ip 10.206.25.152 0.0.0.0 10.206.21.128 0.0.0.127
    permit ip 10.206.25.153 0.0.0.0 10.206.21.128 0.0.0.127

    The first half is the source, which will be coming 'in' via another VLAN. It will be leaving 'out' 10.206.21.218.

    That's probably not the best way of explaining it.

    What helped me understand this better was the ACL theory section in the IP Routing Foundations course - ftp://ftp.hp.com/pub/networking/training/IRF_SG_061305.zip

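    Matt's in/out explanation, worked through as a small Python ACL evaluator (an added example, not code from the thread or from HP): the entries are ACL "100" exactly as posted and the VLAN 21 subnet comes from the config; the direction semantics are a simplified assumption that models routed traffic only, and the implicit deny at the end of the list is assumed.

```python
import ipaddress

# ACL "100" as posted in the thread: (source, src wildcard, destination, dst wildcard).
ACL_100 = [
    ("10.206.23.42",  "0.0.0.0", "10.206.21.128", "0.0.0.127"),
    ("10.206.23.50",  "0.0.0.0", "10.206.21.128", "0.0.0.127"),
    ("10.206.25.150", "0.0.0.0", "10.206.21.128", "0.0.0.127"),
    ("10.206.25.151", "0.0.0.0", "10.206.21.128", "0.0.0.127"),
    ("10.206.25.152", "0.0.0.0", "10.206.21.128", "0.0.0.127"),
    ("10.206.25.153", "0.0.0.0", "10.206.21.128", "0.0.0.127"),
]

VLAN21 = ipaddress.ip_network("10.206.21.128/25")  # vlan 21 subnet from the posted config

def wildcard_match(addr, base, wildcard):
    """Wildcard-mask compare: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)

def acl_permits(acl, src, dst):
    """First matching entry wins; the list ends with an implicit deny (assumption)."""
    for s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return True
    return False

def acl_consulted(direction, src, dst):
    """Simplified model (assumption, routed traffic only): 'in' filters packets that
    enter the switch from VLAN 21 (source on VLAN 21); 'out' filters packets routed
    out onto VLAN 21 (destination on VLAN 21). Other packets never touch this ACL."""
    if direction == "in":
        return ipaddress.ip_address(src) in VLAN21
    if direction == "out":
        return ipaddress.ip_address(dst) in VLAN21
    raise ValueError(f"unknown direction {direction!r}")

def forwarded(direction, src, dst):
    """Does a routed packet src->dst get through with ACL 100 bound to VLAN 21 in `direction`?"""
    if not acl_consulted(direction, src, dst):
        return True  # ACL is not in this packet's path, so nothing is restricted
    return acl_permits(ACL_100, src, dst)

if __name__ == "__main__":
    # Constructed sample flows: a listed host, an unlisted host, and a reply from VLAN 21.
    for direction in ("in", "out"):
        for src, dst in [("10.206.23.42", "10.206.21.130"), ("10.206.23.99", "10.206.21.130"),
                         ("10.206.21.130", "10.206.23.42")]:
            print(direction, src, "->", dst, "permit" if forwarded(direction, src, dst) else "deny")
```

    Bound "in", the six hosts are never restricted (the ACL is not in their path) while every packet sourced on VLAN 21, replies included, hits the implicit deny; bound "out", only the six listed sources reach VLAN 21, and return traffic leaves unfiltered because the ACL is stateless.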

  • 5.  RE: ACL problem on 5300xl

    Posted Mar 15, 2007 02:42 AM
    I tried "out" instead of "in" and it worked nicely.

    Many thanks, Matt!
    I'll give you points...