Network Management

  • 1.  3810M standard ACL on static port not working

    Posted Nov 04, 2024 02:40 PM

    Hello all,

    I believe this is a simple question, but I am struggling to make it work on my 3810M Aruba switch, which serves as a Layer 3 core switch on the network.

    I am applying this ACL to a static port on the core switch.

     
    ip access-list standard "TEST"
       10 permit 10.0.0.0 0.0.3.255
       20 permit 10.3.7.0 0.0.0.127
       50 deny 0.0.0.0 255.255.255.255 (I believe it is optional since Aruba uses an implicit deny rule)
    interface 1/35
       ip access-group "TEST" in
       untagged vlan 1

    However, it is not working. I am still able to ping the IP address on 1/35 from a 10.3.1.0/25 network. Strangely, when I ping from the 10.3.7.0 network, it logs the hit counts to the first entry.

    # show statistics aclv4 TEST port 1/35
     
     Hit Counts for ACL TEST
     
      Total
    (      41 )    10 permit 10.0.0.0 0.0.3.255
    (       0 )    20 permit 10.3.7.0 0.0.0.127
    (       0 )    50 deny 0.0.0.0 255.255.255.255

    I am not sure if I am missing any key configuration, but would appreciate any feedback.



  • 2.  RE: 3810M standard ACL on static port not working

    Posted Nov 04, 2024 04:28 PM
    Hi! You wrote that you want to apply the ACL to a switch static port, the interface 1/35 (thus dealing with a Static Port ACL, that is an ACL configured on a port to filter traffic entering the switch on that port, regardless of whether the traffic is routed, switched or addressed to a destination on the switch itself) but then, as far as I understand, you applied the ACL to VLAN 1 in the (in)gress direction... transforming the desired Static Port ACL into a VLAN ACL and this is impacting the way you should design the various ACL's ACEs (in case of a VACL the permit/deny ACEs, if I'm not mistaken, should be defined using source addresses - net or host - belonging to the VLAN's network segment, in your case the VLAN 1 network segment... and destination addresses - net or host - as destinations to which traffic could be routed through the VLAN SVI, traffic seen coming from within your VLAN 1 and destined to any other possible reachable destination).







  • 3.  RE: 3810M standard ACL on static port not working

    Posted Nov 04, 2024 05:48 PM

    Hi Parnassus,

    Thanks for the prompt feedback.

    I followed the Aruba documentation here at Aruba 3810 / 5400R Access Security Guide for ArubaOS-Switch 16.09 - Creating ACLs and used the cmd: "interface 1/35 ip access-group TEST in" in the configuration mode.

    I don't think I applied it to a vlan though. My goal is to only allow traffic from vlan 1 and vlan 3 (10.3.7.0/25) to that port. 




  • 4.  RE: 3810M standard ACL on static port not working

    Posted Nov 05, 2024 07:52 AM

    Hi!

    "I don't think I applied it to a vlan though." you're right, I wrongly read the ACL application to interface believing it was applied to VLAN 1, sorry.

    So you applied the ACL to the (in)coming traffic traversing the physical interface 1/35 to its destination (and so here we are speaking about a RACL, I suppose) but...I ask you...does the "(in)coming" here mean "from the Switch outgoing through that interface" or the contrary?

    "My goal is to only allow traffic from vlan 1 and vlan 3 (10.3.7.0/25) to that port."

    So your goal is to filter (permit/drop) traffic incoming from VLAN 1 and VLAN 3 with destination that physical interface 1/35...what is the IP address of the destination device connected to that physical interface? I feel the DST should be specified in ACE rules as the permitted destination (as a.b.c.d Host with 0.0.0.0 wildcard mask).

    Something like (permit SRC net -> DST host):

    10 permit 10.0.0.0 0.0.3.255 a.b.c.d 0.0.0.0
    20 permit 10.3.7.0 0.0.0.127 a.b.c.d 0.0.0.0

    VLAN 1 = 10.0.0.0/22 0.0.3.255 subnet = 10.0.0.1 - 10.0.3.254 usable IP addresses range

    VLAN 3 = 10.3.7.0/25 0.0.0.127 subnet = 10.3.7.1 - 10.3.7.126 usable IP addresses range

    Supposing the a.b.c.d Host is residing on a different VLAN, maybe you can transform/adapt the ACL by applying it (or, better, by applying them... you'll need more than one of them) on the source VLANs you want to permit to communicate with the a.b.c.d Host residing on the VLAN Id "x", denying all the other VLANs (so, since those ACLs should be applied exactly where the traffic is generated and not far from there, you need an ACL for each VLAN you want to permit/deny communication to that particular a.b.c.d Host, no matter which physical interface the Host is really connected to on the Switch).




  • 5.  RE: 3810M standard ACL on static port not working

    Posted Nov 05, 2024 12:33 PM

    Thanks again.

    Correct - "from the Switch outgoing through that interface".

    "what is the IP address of the destination device connected to that physical interface?" - The IP address is 10.0.3.50 in VLAN 1.

    To add DST, an extended ACL will be used and applied to the interface close to the source. I just don't get why the standard ACL fails here.
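
Added example, not part of the thread: a small Python model of how an inbound static port ACL (described in reply 2 as filtering traffic entering the switch on that port) evaluates the "TEST" ACEs by source address. It assumes the only sender on 1/35 is 10.0.3.50 and uses a hypothetical VLAN 3 host 10.3.7.10; under those assumptions the echo replies match ACE 10, which is consistent with the posted hit counts, while the requests leave through the port and are never evaluated.

```python
import ipaddress

# ACEs copied from the "TEST" ACL in the first post: (seq, action, address, wildcard)
ACL_TEST = [
    (10, "permit", "10.0.0.0", "0.0.3.255"),
    (20, "permit", "10.3.7.0", "0.0.0.127"),
    (50, "deny", "0.0.0.0", "255.255.255.255"),
]


def ace_matches(src, address, wildcard):
    """Wildcard-mask match: bits set in the mask are 'don't care' bits."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src)) & care) == (
        int(ipaddress.IPv4Address(address)) & care
    )


def evaluate(acl, src):
    """Return (seq, action) of the first matching ACE; implicit deny if none."""
    for seq, action, address, wildcard in acl:
        if ace_matches(src, address, wildcard):
            return seq, action
    return None, "deny"


def inbound_port_acl(acl, packets, port_host):
    """Model an 'in' ACL on a port (simplification): only packets sent by the
    host attached to the port enter the switch there and get evaluated."""
    hits = {seq: 0 for seq, *_ in acl}
    for src, _dst in packets:
        if src != port_host:
            continue  # leaves the switch through the port: not seen by the 'in' ACL
        seq, _action = evaluate(acl, src)
        if seq is not None:
            hits[seq] += 1
    return hits


# Constructed ping exchange: 41 echo requests from a VLAN 3 host (hypothetical
# address 10.3.7.10) to 10.0.3.50 on port 1/35, followed by the 41 echo replies.
PORT_HOST = "10.0.3.50"
requests = [("10.3.7.10", PORT_HOST)] * 41
replies = [(PORT_HOST, "10.3.7.10")] * 41

if __name__ == "__main__":
    print(inbound_port_acl(ACL_TEST, requests + replies, PORT_HOST))
    print(evaluate(ACL_TEST, "10.3.1.10"))  # source from the 10.3.1.0/25 network
```

A 10.3.1.0/25 source only reaches the deny ACE if its packets enter the switch on the port where the ACL is applied inbound.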