Access-List not working layer3

  • 1.  Access-List not working layer3

    Posted 28 days ago

    ver Version ArubaOS-CX TL.10.09.0002

    I have a pair of switches set up as a failover, and both ACLs are identical on the switches, as is the Layer 3 routing.

    I have a simple ACL not working and not stopping traffic. What am I doing wrong?

    From machine A at 192.168.0.150/24 I am trying to block RDP into VLAN 170 for machine 192.168.170.15 in the ACL below.

    So the ACL is:

    access-list ip DEV
        10 permit udp any any
        15 deny tcp 192.168.0.0/255.255.255.0 192.168.70.0/255.255.255.0 eq rdp
        20 deny tcp any any eq rdp
        100 permit any any any

    and the interface VLAN 170 is

    interface vlan170
        vsx-sync active-gateways
        apply access-list ip DEV routed-in
        ip address 192.168.170.2/24
        active-gateway ip mac 02:02:00:00:01:01
        active-gateway ip 192.168.170.1
        exit



  • 2.  RE: Access-List not working layer3

    MVP GURU
    Posted 28 days ago
    Hi, could it be because you set:

        15 deny tcp 192.168.0.0/255.255.255.0 192.168.70.0/255.255.255.0 eq rdp

    instead of:

        15 deny tcp 192.168.0.0/255.255.255.0 192.168.170.0/255.255.255.0 eq rdp

    note 70 versus 170.





  • 3.  RE: Access-List not working layer3

    MVP GURU
    Posted 28 days ago
    But also (and more important)...IIRC...the ACL with the ACE blocking the TCP traffic from the source 192.168.0.0/24 subnet to the destination 192.168.170.0/24 subnet, in my opinion, should be applied to traffic toward the VLAN SVI (router) associated with the SOURCE subnet (192.168.0.0/24), because you want to block the source traffic immediately, before it is able to go out of its source VLAN to another VLAN (host or subnet)...and this could be done against the SOURCE VLAN (block at the beginning) instead of being done at the destination...thus avoiding blocking at the end (which requires an incoming logic to be applied instead of an outgoing logic). Isn't it?
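To check both points raised in this thread offline, here is a small Python model of the posted ACL; it is an added example, not code from the thread or from HPE Aruba. It parses the four ACEs exactly as posted (with the 70/170 typo), evaluates them first-match against a constructed RDP packet from 192.168.0.150 to 192.168.170.15, and then models where the ACL is attached. The model assumes that `routed-in` on an SVI only inspects routed packets that enter the router from that VLAN (the reading the third post relies on); the source subnet living in VLAN 1 is a constructed value, since the post does not say which VLAN 192.168.0.0/24 is in.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of the "DEV" ACL from the original post; ACE 15 still
# carries the 70-versus-170 destination typo that the first reply points out.
ACL_DEV = """
10 permit udp any any
15 deny tcp 192.168.0.0/255.255.255.0 192.168.70.0/255.255.255.0 eq rdp
20 deny tcp any any eq rdp
100 permit any any any
"""

# The same ACL with the destination corrected to the 192.168.170.0/24 subnet.
ACL_DEV_FIXED = ACL_DEV.replace("192.168.70.0/", "192.168.170.0/")

PORT_NAMES = {"rdp": 3389}  # port keyword used in the posted ACEs


@dataclass
class Ace:
    seq: int
    action: str                           # "permit" or "deny"
    proto: str                            # "tcp", "udp" or "any"
    src: Optional[ipaddress.IPv4Network]  # None means "any"
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]                  # destination port from "eq <port>", if given


def _net(token: str) -> Optional[ipaddress.IPv4Network]:
    """'any' -> None; 'A.B.C.D/mask' (dotted netmask or prefix length) -> network."""
    if token == "any":
        return None
    return ipaddress.ip_network(token, strict=False)


def parse_acl(text: str) -> List[Ace]:
    """Parse ACE lines in the 'seq action proto src dst [eq port]' form used in the post."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        dport = None
        if len(tok) > 5 and tok[5] == "eq":
            dport = PORT_NAMES.get(tok[6]) or int(tok[6])
        aces.append(Ace(int(tok[0]), tok[1], tok[2], _net(tok[3]), _net(tok[4]), dport))
    return sorted(aces, key=lambda a: a.seq)  # ACEs are evaluated in sequence order


def ace_matches(ace: Ace, pkt: dict) -> bool:
    """True when every field the ACE specifies agrees with the packet."""
    if ace.proto != "any" and ace.proto != pkt["proto"]:
        return False
    if ace.src is not None and ipaddress.ip_address(pkt["src"]) not in ace.src:
        return False
    if ace.dst is not None and ipaddress.ip_address(pkt["dst"]) not in ace.dst:
        return False
    if ace.dport is not None and pkt.get("dport") != ace.dport:
        return False
    return True


def evaluate(aces: List[Ace], pkt: dict) -> Tuple[str, Optional[int]]:
    """First-match evaluation; a packet matching no ACE hits the implicit deny."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None


def routed_in(aces: List[Ace], acl_vlan: int, pkt: dict) -> Tuple[bool, str, Optional[int]]:
    """Model (assumption, consistent with the third post) of 'apply access-list ip
    <name> routed-in' on an SVI: the ACL is consulted only for routed packets that
    ENTER the router from that VLAN. A packet arriving from another VLAN and merely
    destined for acl_vlan is never checked. Returns (consulted, action, seq)."""
    if pkt["vlan"] != acl_vlan:
        return False, "permit", None
    action, seq = evaluate(aces, pkt)
    return True, action, seq


# Constructed packets. VLAN 1 for the 192.168.0.0/24 side is an assumption.
RDP_IN = {"proto": "tcp", "src": "192.168.0.150", "dst": "192.168.170.15", "dport": 3389, "vlan": 1}
RDP_REPLY = {"proto": "tcp", "src": "192.168.170.15", "dst": "192.168.0.150", "dport": 51000, "vlan": 170}

if __name__ == "__main__":
    aces = parse_acl(ACL_DEV)
    print("ACE 15 matches RDP_IN:", ace_matches(aces[1], RDP_IN))        # False: .170.15 is not in 192.168.70.0/24
    print("ACL verdict on RDP_IN:", evaluate(aces, RDP_IN))              # ('deny', 20): ACE 20 still catches it
    print("routed-in on vlan170:", routed_in(aces, 170, RDP_IN))         # (False, 'permit', None): never consulted
    print("routed-in on source VLAN:", routed_in(aces, 1, RDP_IN))       # (True, 'deny', 20)
    print("reply traffic on vlan170:", routed_in(aces, 170, RDP_REPLY))  # (True, 'permit', 100)
    print("fixed ACL verdict:", evaluate(parse_acl(ACL_DEV_FIXED), RDP_IN))  # ('deny', 15)
```

The model separates the two failure modes: the typo only decides which ACE fires (ACE 20 would still deny RDP even with the wrong destination in ACE 15), whereas the attachment point decides whether the ACL is consulted at all. Under the `routed-in` reading used here, VLAN 170 only sees the return traffic, which is permitted by ACE 100, so the ACL shows no effect on the RDP session; applying it inbound on the SVI of the source subnet, or outbound on VLAN 170, is what puts the initial RDP packet in front of the deny entries. Comparing these expectations against the ACL hit counters on the switch is a quick way to confirm which case applies.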