kmd
Contributor II

Re: 2 domains on 1 lan

Thank you CClemmer! 

When I input your suggestion:

deny any 10.0.0.0 255.0.0.0 172.60.0.0 255.255.255.0

I get:
Invalid Source IPv4 address/netmask


But, when I input: 

deny any 10.0.0.0 0.0.0.0 172.60.0.0 0.0.0.0

deny any 172.60.0.0 0.0.0.0 10.0.0.0 0.0.0.0

It takes it, but when I run Advanced Port Scanner, it sees the computer 172.60.0.10 from 10.1.10.70.

Aruba Employee

Re: 2 domains on 1 lan

What version of AOS is on your switch? 


Using a netmask of 0.0.0.0 basically invalidates the entry, since it's telling the switch that no bits of the source address are relevant. You could try using:


deny any 10.1.0.0 255.255.0.0 172.60.0.0 255.255.255.0

deny any 172.60.0.0 255.255.255.0 10.1.0.0 255.255.0.0


That may still miss some subnets in the 10 network, but would pick up your test client of 10.1.10.70.


Charlie Clemmer
Aruba Customer Engineering
kmd
Contributor II

Re: 2 domains on 1 lan

I'm running version 7.4.1.7

When I try those entries, it tells me:   Invalid Source IPv4 address/netmask

Plus, when I do a show running-config, it shows multiple access lists. Perhaps this is normal, but I thought I would mention it. The attached file is my running-config.

I really appreciate your time on this!

Thank you


Aruba Employee

Re: 2 domains on 1 lan

Apparently I'm running low on coffee this week...


On ACLs, the netmask/wildcard bits are the inverse of a typical subnet mask, so you would use the following format:


deny any 10.0.0.0 0.255.255.255 172.60.0.0 0.0.0.255


That explains why the error was thrown on the source IP mask.


Charlie Clemmer
Aruba Customer Engineering
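Worked check of the wildcard rule stated in the reply above, as an added example that is not code from the thread or from Aruba. It models how entries of the form `deny any <src> <src-wildcard> <dst> <dst-wildcard>` quoted in this thread are matched, using the hosts named in the posts (10.1.10.70 scanning 172.60.0.10) plus one constructed 10.x host outside 10.1.0.0/16. A 0 bit in a wildcard means that address bit must match, so a wildcard of 0.0.0.0 matches only the single address written in the entry. The example assumes first-match evaluation and takes the action that applies when nothing matches as a caller-supplied default, because the thread does not show what follows the deny lines on the switch.

```python
"""Simulate wildcard-mask ACL matching for the entries discussed in this thread.

Added example, not the switch's own code. Entries use the form quoted above:
    deny any <src> <src-wildcard> <dst> <dst-wildcard>
A 0 bit in a wildcard means "this address bit must match"; a 1 bit means
"don't care". That is the inverse of a subnet mask.
"""
import ipaddress


def subnet_mask_to_wildcard(mask: str) -> str:
    """Invert a dotted-decimal subnet mask into ACL wildcard bits.

    255.0.0.0 -> 0.255.255.255, 255.255.255.0 -> 0.0.0.255.
    """
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under the wildcard (0 bits compared, 1 bits ignored)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF  # bits that must match
    return (a & care) == (b & care)


def parse_entry(line: str) -> dict:
    """Parse 'deny any 10.0.0.0 0.255.255.255 172.60.0.0 0.0.0.255'."""
    action, proto, src, src_wc, dst, dst_wc = line.split()
    return {"action": action, "proto": proto,
            "src": (src, src_wc), "dst": (dst, dst_wc)}


def evaluate(acl: list, src: str, dst: str, default: str = "permit") -> str:
    """First matching entry wins. `default` stands in for whatever follows the
    deny lines on the real switch (assumption: the thread does not show it)."""
    for line in acl:
        entry = parse_entry(line)
        if wildcard_match(src, *entry["src"]) and wildcard_match(dst, *entry["dst"]):
            return entry["action"]
    return default


# The three variants tried in the thread, reconstructed from the posts above.
ACL_ZERO_WILDCARD = [   # first attempt: 0.0.0.0 wildcard = exact-host match only
    "deny any 10.0.0.0 0.0.0.0 172.60.0.0 0.0.0.0",
    "deny any 172.60.0.0 0.0.0.0 10.0.0.0 0.0.0.0",
]
ACL_SLASH16 = [         # the 10.1.0.0/16 suggestion, written as wildcard bits
    "deny any 10.1.0.0 0.0.255.255 172.60.0.0 0.0.0.255",
    "deny any 172.60.0.0 0.0.0.255 10.1.0.0 0.0.255.255",
]
ACL_SLASH8 = [          # the corrected form covering all of 10.0.0.0/8
    "deny any 10.0.0.0 0.255.255.255 172.60.0.0 0.0.0.255",
    "deny any 172.60.0.0 0.0.0.255 10.0.0.0 0.255.255.255",
]

SCANNER, TARGET = "10.1.10.70", "172.60.0.10"  # hosts named in the thread
OTHER_TEN = "10.2.3.4"                          # constructed host outside 10.1.0.0/16


def report(acl: list) -> dict:
    """Decision for the thread's test pair in both directions plus a second 10.x host."""
    return {
        "scanner->target": evaluate(acl, SCANNER, TARGET),
        "target->scanner": evaluate(acl, TARGET, SCANNER),
        "other_10x->target": evaluate(acl, OTHER_TEN, TARGET),
    }


if __name__ == "__main__":
    print("wildcard for 255.0.0.0    :", subnet_mask_to_wildcard("255.0.0.0"))
    print("wildcard for 255.255.255.0:", subnet_mask_to_wildcard("255.255.255.0"))
    for name, acl in [("0.0.0.0 wildcard", ACL_ZERO_WILDCARD),
                      ("10.1.0.0/16", ACL_SLASH16),
                      ("10.0.0.0/8", ACL_SLASH8)]:
        print(f"{name:18}", report(acl))
```

Running it shows the 0.0.0.0-wildcard entries matching nothing for the test pair, the /16 variant blocking 10.1.10.70 but not 10.2.3.4, and the /8 variant blocking all three. The simulation only covers match logic; as the later reply in this thread points out, an ACL that is defined but not applied to an interface filters nothing regardless of its entries.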
kmd
Contributor II

Re: 2 domains on 1 lan

Hi CClemmer.

Sorry. It's been a busy two weeks and I have finally gotten around to testing this.

To refresh: I want to prevent 10.0.0.0 255.0.0.0 from seeing 172.60.0.0 255.255.255.0 and vice versa.


On my S2500 MAS which is my router, I ran the following commands:   

(Aruba-DataCenter-1) (config-ext-admin-ACL)#deny any 172.60.0.0 0.0.0.255 10.0.0.0 0.255.255.255


(Aruba-DataCenter-1) (config-ext-admin-ACL)#deny any 10.0.0.0 0.255.255.255 172.60.0.0 0.0.0.255

But, when I run Advanced Port Scanner from 172.x.x.x, I can see the IPs, MAC addresses and manufacturers of the machines on 10.x.x.x.

I'm not sure what is going on.

Any other advice, I will gladly try.

Thank you.


Aruba Employee

Re: 2 domains on 1 lan

Okay, the ACL was created successfully it sounds. Did you apply it to the VLAN interface?


Charlie Clemmer
Aruba Customer Engineering
kmd
Contributor II

Re: 2 domains on 1 lan

Sorry, no. Could you provide me with direction on that... as well?

I need to buy you a beer.
