Comware

Hello,

This is my first ACL work and i'm a little confuse ....

Routing is active on my Procurve 2610.

I've got 4 VLAN :

Default_vlan : 192.168.1.0 (router adress : 192.168.1.253)

VLAN1 : 192.168.2.0 (192.168.2.253)
VLAN3 : 192.168.3.0 (192.168.3.253)
VLAN4 : 192.168.4.0 (192.168.4.253)


I wrote those lines :

no ip access-list extended 102
no ip access-list extended 103
no ip access-list extended 104

;---------------------------------------------
;Extended named ACL for Vlan 2
;------------------------------
ip access-list extended "102"
; blocking VLAN 3 and 4 going to Vlan 2
deny ip 192.168.3.0 0.255.255.255 192.168.2.0 0.255.255.255
deny ip 192.168.4.0 0.255.255.255 192.168.2.0 0.255.255.255

; Permiting all other traffic
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

exit


;Extended named ACL for Vlan 3
;------------------------------
ip access-list extended "103"
; blocking VLAN 2 and 4 going to Vlan 3
deny ip 192.168.2.0 0.255.255.255 192.168.3.0 0.255.255.255
deny ip 192.168.4.0 0.255.255.255 192.168.3.0 0.255.255.255

; Permiting all other traffic
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

exit


;Extended named ACL for Vlan 4
;------------------------------
ip access-list extended "104"
; blocking VLAN 2 and 3 going to Vlan 4
deny ip 192.168.2.0 0.255.255.255 192.168.4.0 0.255.255.255
deny ip 192.168.3.0 0.255.255.255 192.168.4.0 0.255.255.255

; Permiting all other traffic
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

exit

Applied ACL to ports corresponding to VLANs.

I want VLAN2 - 3 - 4 can see VLAN1
But VLAN 2 3 and 4 not see each other


Can someone help me writing those ACL ? I read again and again the Access Security Guide and try lots of thing without a good result.
When I apply ACLs every VLAN can't see anyone.
But DHCP work (adress-helper -> 192.168.1.10)

Sorry for my english : i'm french.


Regards,

Cyril

are you sure procurve uses "reverse" subnetmasks 0.255.255.255 ?
i'd expect normal masks of 255.0.0.0.
(in the whole config)

Pieter

I looked up the guide, yes in the acl revers-mask is used.

hi
please send me sh run print

first : your masks 0.255.255.255 must be changed in 0.0.0.255

second
instead of explicit deny followed by permit any.
I would chose to use rules to permit the trafic you need.

when using acls, an implicit "deny any" is always included at the end of the acl even if not registered as a line in the acl.

with explicyt deny, when a vlan is added, you need to modify all acl's
with explit permit you only add a new acl for the new vlan, existing acl's stay untouched

Hi,

Tanks for your reply : here it is my swich running configuration.


; J9088A Configuration Editor; Created on release #R.11.07

hostname "ProCurve Switch 2610-48"

snmp-server contact "CYRIL"

ip routing

snmp-server community "public" Unrestricted

vlan 1

name "DEFAULT_VLAN"

untagged 1-4,49-52

ip address 192.168.100.253 255.255.255.0

no untagged 5-48

exit

vlan 2

name "VLAN_2"

untagged 5-12

ip address 192.168.2.253 255.255.255.0

ip helper-address 192.168.100.10

exit

vlan 3

name "VLAN_3"

untagged 13-14

ip address 192.168.3.253 255.255.255.0

ip helper-address 192.168.100.10

exit

vlan 4

name "VLAN_4"

untagged 15-22

ip address 192.168.4.253 255.255.255.0

ip helper-address 192.168.100.10

exit

vlan 5

name "VLAN_5"

untagged 23-48

ip address 192.168.5.253 255.255.255.0

ip helper-address 192.168.100.10

exit



I'll try with a simple acl : only on VLAN 5 for this test.

Ok ! I found my problem !!
The switch only apply changes when I unplug him !
After tests and documention read everything is ok.

I'll post my definitive result if it can help someone.

Tanks for your help.

I want VLAN2 - 3 - 4 can see VLAN1
But VLAN 2 3 and 4 not see each other

please copy my config to your switch and make test

hostname "ProCurve Switch 2610-48"
snmp-server contact "CYRIL"
ip access-list standard "1"
deny 192.168.3.0 0.0.0.255
deny 192.168.4.0 0.0.0.255
permit 0.0.0.0 255.255.255.255
exit
ip access-list standard "2"
deny 192.168.2.0 0.0.0.255
deny 192.168.4.0 0.0.0.255
permit 0.0.0.0 255.255.255.255
exit
ip access-list standard "3"
deny 192.168.2.0 0.0.0.255
deny 192.168.3.0 0.0.0.255
permit 0.0.0.0 255.255.255.255
exit
interface 5
-- MORE --, next page: Space, next line: Enter, quit: Control-C access-group "1" in
exit
interface 6
access-group "1" in
exit
interface 7
access-group "1" in
exit
interface 8
access-group "1" in
exit
interface 9
access-group "1" in
exit
interface 10
access-group "1" in
exit
interface 11
access-group "2" in
exit
interface 12
access-group "2" in
exit
-- MORE --, next page: Space, next line: Enter, quit: Control-Cinterface 13
access-group "2" in
exit
interface 14
access-group "2" in
exit
interface 15
access-group "3" in
exit
interface 16
access-group "3" in
exit
interface 17
access-group "3" in
exit
interface 18
access-group "3" in
exit
interface 19
access-group "3" in
exit
interface 20
access-group "3" in
-- MORE --, next page: Space, next line: Enter, quit: Control-Cexit
interface 21
access-group "3" in
exit
interface 22
access-group "3" in
exit
ip routing
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged 1-4,24-28
ip address 192.168.100.253 255.255.255.0
no untagged 5-23
exit
vlan 2
name "VLAN_2"
untagged 5-10
ip address 192.168.2.253 255.255.255.0
ip helper-address 192.168.100.10
exit
vlan 3
name "VLAN_3"
-- MORE --, next page: Space, next line: Enter, quit: Control-C untagged 11-14
ip address 192.168.3.253 255.255.255.0
ip helper-address 192.168.100.10
exit
vlan 4
name "VLAN_4"
untagged 15-22
ip address 192.168.4.253 255.255.255.0
ip helper-address 192.168.100.10
exit
vlan 5
name "VLAN_5"
untagged 23
ip address 192.168.5.253 255.255.255.0
ip helper-address 192.168.100.10
exit

ProCurve Switch 2610-48(config)#