Wired Intelligent Edge

  • 1.  Problem with Extended ACL

    Posted Nov 14, 2017 08:53 AM

    Hi,

    I have a problem with an extended ACL. I have 3 external locations that are accessible via a 4th location. Each of the 3 locations is connected to location 4 via OSPF. At all 3 locations there is VLAN 1000. For testing, there is also location 4. The 3 or 4 locations can go nowhere except to the other sites in VLAN 1000.
    The locations have the following IP settings for VLAN 1000:

    Location 1:
    IP: 10.60.210.254/24
    Comware Switch HPE 5800-24G-SFP

    Location 2:
    IP: 10.60.211.254/24
    5406Rzl2

    Location 3:
    IP: 10.60.213.254/24
    5406Rzl2

    Location 4:
    IP: 10.60.212.254/24
    5406zl

    Today I tried to connect site 3 to 4. Unfortunately, the ACL rules do not work.

    Config Location 3:

    ip access-list extended "KW-in"
         10 permit ip 10.60.210.0 0.0.0.255 10.60.213.0 0.0.0.255 log
         20 permit ip 10.60.211.0 0.0.0.255 10.60.213.0 0.0.0.255 log
         30 permit ip 10.60.212.0 0.0.0.255 10.60.213.0 0.0.0.255 log
         40 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
       exit
    ip access-list extended "KW-out"
         10 permit ip 10.60.213.0 0.0.0.255 10.60.210.0 0.0.0.255 log
         20 permit ip 10.60.213.0 0.0.0.255 10.60.211.0 0.0.0.255 log
         30 permit ip 10.60.213.0 0.0.0.255 10.60.212.0 0.0.0.255 log
         40 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
       exit

    vlan 1000
       name "KW-Transfer"
       tagged B15-B16
       ip access-group "KW-in" in
       ip access-group "KW-out" out
       ip address 10.60.213.254 255.255.255.0
       exit

    Config Location 4

    ip access-list extended "KW-in"
         10 permit ip 10.60.210.0 0.0.0.255 10.60.212.0 0.0.0.255 log
         20 permit ip 10.60.211.0 0.0.0.255 10.60.212.0 0.0.0.255 log
         30 permit ip 10.60.213.0 0.0.0.255 10.60.212.0 0.0.0.255 log
         40 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
       exit
    ip access-list extended "KW-out"
         10 permit ip 10.60.212.0 0.0.0.255 10.60.210.0 0.0.0.255 log
         20 permit ip 10.60.212.0 0.0.0.255 10.60.211.0 0.0.0.255 log
         30 permit ip 10.60.212.0 0.0.0.255 10.60.213.0 0.0.0.255 log
         40 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
       exit

    vlan 1000
       name "KWTransfer-Test"
       tagged A5,A11-A12,Trk1
       ip access-group "KW-in" in
       ip access-group "KW-out" out
       ip address 10.60.212.254 255.255.255.0
       exit

    Where is my mistake? For information, the devices do not sit directly on the switch but are distributed further to other switches.


    #ACLs

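The two ACL pairs above, replayed against a site 3 to site 4 flow as an added example (this code is not from the original post or from HPE). It assumes the routed-ACL semantics of ArubaOS-Switch, where a list applied with `in` on a VLAN filters packets entering the switch from that VLAN (so their source is the VLAN's own subnet, here 10.60.213.0/24) and a list applied with `out` filters packets routed toward that VLAN. The host addresses 10.60.213.10 and 10.60.212.10 are constructed sample values, and the wildcard matcher is a small stand-in for the switch's own lookup; traffic to or from the switch itself (OSPF, management) is not modelled.

```python
import ipaddress

# Wildcard masks follow the Cisco/ArubaOS-Switch convention: a 1 bit means
# "don't care", so 0.0.0.255 matches a /24 and 255.255.255.255 matches any.


def _i(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """True when addr matches base under wildcard (1 bits are ignored)."""
    return (_i(addr) | _i(wildcard)) == (_i(base) | _i(wildcard))


def evaluate(acl, src, dst):
    """Return (seq, action) of the first rule matching a src->dst packet.

    ArubaOS-Switch ACLs end in an implicit deny; the poster made it explicit
    as rule 40, so (None, 'deny') is only reached for lists without it.
    """
    for seq, action, s_base, s_wild, d_base, d_wild in acl:
        if wildcard_match(src, s_base, s_wild) and wildcard_match(dst, d_base, d_wild):
            return seq, action
    return None, "deny"


# Location 3 lists, transcribed from the post ("KW-in" and "KW-out").
ANY = ("0.0.0.0", "255.255.255.255")
KW_IN_LOC3 = [
    (10, "permit", "10.60.210.0", "0.0.0.255", "10.60.213.0", "0.0.0.255"),
    (20, "permit", "10.60.211.0", "0.0.0.255", "10.60.213.0", "0.0.0.255"),
    (30, "permit", "10.60.212.0", "0.0.0.255", "10.60.213.0", "0.0.0.255"),
    (40, "deny", *ANY, *ANY),
]
KW_OUT_LOC3 = [
    (10, "permit", "10.60.213.0", "0.0.0.255", "10.60.210.0", "0.0.0.255"),
    (20, "permit", "10.60.213.0", "0.0.0.255", "10.60.211.0", "0.0.0.255"),
    (30, "permit", "10.60.213.0", "0.0.0.255", "10.60.212.0", "0.0.0.255"),
    (40, "deny", *ANY, *ANY),
]

# Constructed sample hosts: one in VLAN 1000 at site 3, one at site 4.
SITE3_HOST = "10.60.213.10"
SITE4_HOST = "10.60.212.10"


def vlan1000_site3_verdicts(inbound_acl=KW_IN_LOC3, outbound_acl=KW_OUT_LOC3):
    """Verdicts for both directions of a site3<->site4 flow as the switch at
    location 3 sees them on VLAN 1000 (10.60.213.0/24):
      - 'in'  sees packets entering from VLAN 1000, i.e. sourced from 10.60.213.x
      - 'out' sees packets routed out to VLAN 1000, i.e. destined to 10.60.213.x
    """
    return {
        "in": evaluate(inbound_acl, SITE3_HOST, SITE4_HOST),
        "out": evaluate(outbound_acl, SITE4_HOST, SITE3_HOST),
    }


def swapped_verdicts():
    """Same flow with the two lists applied in the opposite directions."""
    return vlan1000_site3_verdicts(inbound_acl=KW_OUT_LOC3, outbound_acl=KW_IN_LOC3)


if __name__ == "__main__":
    print("as posted:", vlan1000_site3_verdicts())  # {'in': (40, 'deny'), 'out': (40, 'deny')}
    print("swapped:  ", swapped_verdicts())         # {'in': (30, 'permit'), 'out': (30, 'permit')}
```

With the lists applied as posted, a packet from a VLAN 1000 host at site 3 enters the switch with source 10.60.213.x, but "KW-in" only permits sources in the other three subnets, so it falls through to the explicit deny at rule 40; the reply from site 4 is routed out toward VLAN 1000 with source 10.60.212.x, and "KW-out" only permits sources in 10.60.213.0/24, so it is denied as well. The `log` keyword on the permit rules never fires because nothing reaches them. Exchanging the two `ip access-group` statements on the VLAN (or the contents of the two lists) makes rule 30 match in both directions; the same pattern applies to the location 4 configuration with 10.60.212.0/24 as the local subnet.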

  • 2.  RE: Problem with Extended ACL

    Posted Feb 28, 2018 03:36 AM

    Basically, ACLs work at Layer 3. Have you applied these ACLs on Layer 3 interfaces? If yes, are those ports serving the purpose of blocking/allowing traffic to the respective sources and destinations?


    As your query seems to be about configuration assistance, you may either contact our pre-sales team or open a support case if you believe the configuration does not behave as expected per the documentation.


    Please refer documents below for respective switches.

    5800 series : https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c02647469

    5400 series : https://support.hpe.com/hpsc/doc/public/display?docId=c04943057