Wired Intelligent Edge

  • 1.  VLAN ACLs

    Posted Feb 03, 2017 05:48 AM

    Hi,

    I am trying to restrict traffic on a vlan using ACLs on a 5400R zl2 Switch.

    Any host on VLAN 210 should not have access to hosts on VLAN 1, except host 10.3.2.10

    I have the following configuration:

    ; J9850A Configuration Editor; Created on release #KB.16.03.0003
    ; Ver #0f:7f.ff.bb.ff.7c.59.fc.7b.ff.ff.fc.ff.ff.3f.ef:45
    hostname "HP-5406Rzl2"
    module A type j9990a
    module B type j9990a
    ip access-list extended "vlan210-acl"
         10 permit ip 0.0.0.0 255.255.255.255 10.3.2.10 0.0.0.0
         20 permit icmp 0.0.0.0 255.255.255.255 10.3.2.10 0.0.0.0
         30 deny ip 0.0.0.0 255.255.255.255 10.3.2.0 255.255.255.0
         40 deny icmp 0.0.0.0 255.255.255.255 10.3.2.0 255.255.255.0
         50 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
         60 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
       exit
    ip route 0.0.0.0 0.0.0.0 10.3.2.1
    ip routing
    snmp-server community "public" unrestricted
    oobm
       ip address dhcp-bootp
       exit
    vlan 1
       name "Administration (1)"
       no untagged B1-B9
       untagged A1-A24,B10-B24
       ip address 10.3.2.101 255.255.255.0
       exit
    vlan 210
       name "Restricted (210)"
       untagged B1
       tagged B19
       ip access-group "vlan210-acl" in
       ip address 10.200.10.1 255.255.255.0
       dhcp-server
       exit
    device-profile name "default-ap-profile"
       cos 0
       exit
    dhcp-server pool "vlan210-pool"
       authoritative
       default-router "10.200.10.1"
       dns-server "8.8.8.8,8.8.4.4"
       domain-name "vlan210.pool"
       network 10.200.10.0 255.255.255.0
       range 10.200.10.10 10.200.10.250
       exit
    dhcp-server enable
    activate software-update disable
    activate provision disable
    password manager

    But when I plug my laptop into a port on VLAN 210 I am able to access all hosts on VLAN 1 despite the ACL :-(

    What am I missing?


    #ACLs


  • 2.  RE: VLAN ACLs

    Posted Feb 03, 2017 02:43 PM

    Remember that ACLs use inverse subnet masks, you're doing an AND on the host portion of the subnet.  In your example you will not hit rule 30, it will fall through to rule 50 (permit ip any any).  The mask for 10.3.2.0/24 is 0.0.0.255.  The CLI will translate /24 into 0.0.0.255 (deny ip any 10.3.2.0/24) so I always use the CIDR format when configuring ACLs.  

    Try: 

    ip access-list extended "test1"
          10 permit ip 0.0.0.0 255.255.255.255 10.3.2.10 0.0.0.0
          20 deny ip 0.0.0.0 255.255.255.255 10.3.2.0 0.0.0.255
          30 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
       exit

    When in doubt I will add "log" to the end of the ACE to determine which rules are being hit, then display the statistics for them.  

    HP-Switch-5406Rzl2(config-ext-nacl)# show statistics aclv4 test1 vlan 210 in

    Hit Counts for ACL test1

    Total
    ( 39174 ) 10 permit ip 0.0.0.0 255.255.255.255 10.3.2.10 0.0.0.0 log
    ( 19587 ) 20 deny ip 0.0.0.0 255.255.255.255 10.3.2.0 0.0.0.255 log
    ( 0 ) 30 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

    Also note that your rules 20/40/60 are covered by 10/30/50, respectively.  

    Hope that helps.  
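    Added example (not part of either post above): a small first-match ACL evaluator that applies wildcard (inverse) masks the way the switch does, so you can see why the question's ACL falls through to rule 50 for a VLAN 1 host such as 10.3.2.50, and why the corrected mask 0.0.0.255 in the answer catches it at rule 20. The ACE text is copied from the two posts; the packet addresses (10.200.10.50 as a VLAN 210 client, 192.168.7.0 as an unrelated destination) are constructed for illustration, and the protocol names are just labels for the "ip covers icmp" logic.

```python
import ipaddress

# ACE text from the original question (wildcard 255.255.255.0 on the deny rules).
ORIGINAL_ACL = """
10 permit ip 0.0.0.0 255.255.255.255 10.3.2.10 0.0.0.0
20 permit icmp 0.0.0.0 255.255.255.255 10.3.2.10 0.0.0.0
30 deny ip 0.0.0.0 255.255.255.255 10.3.2.0 255.255.255.0
40 deny icmp 0.0.0.0 255.255.255.255 10.3.2.0 255.255.255.0
50 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
60 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""

# ACE text from the answer (wildcard 0.0.0.255 = /24 on the deny rule).
CORRECTED_ACL = """
10 permit ip 0.0.0.0 255.255.255.255 10.3.2.10 0.0.0.0
20 deny ip 0.0.0.0 255.255.255.255 10.3.2.0 0.0.0.255
30 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""


def _ip(text):
    """IPv4 dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def parse_acl(text):
    """Parse 'seq action proto src src-wc dst dst-wc [log]' lines into ACE dicts."""
    acl = []
    for line in text.strip().splitlines():
        seq, action, proto, src, src_wc, dst, dst_wc = line.split()[:7]
        acl.append({
            "seq": int(seq),
            "action": action,
            "proto": proto,
            "src": (_ip(src), _ip(src_wc)),
            "dst": (_ip(dst), _ip(dst_wc)),
        })
    return acl


def wildcard_match(addr, base, wildcard):
    """Wildcard semantics: a 1 bit means 'don't care'; only bits where the
    wildcard is 0 are compared against the base address."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)


def wildcard_prefix_len(wildcard_text):
    """Prefix length if the wildcard is a contiguous block of low-order 1s
    (0.0.0.255 -> 24), else None (255.255.255.0 only compares the last octet)."""
    w = _ip(wildcard_text)
    if w & (w + 1):          # not of the form 2**k - 1
        return None
    return 32 - w.bit_length()


def evaluate(acl, src, dst, proto="tcp"):
    """First-match evaluation; returns (action, seq). No match -> implicit deny."""
    s, d = _ip(src), _ip(dst)
    for ace in acl:
        # An 'ip' ACE covers every protocol, which is why rules 20/40/60
        # in the question never add anything beyond 10/30/50.
        if ace["proto"] not in ("ip", proto):
            continue
        if wildcard_match(s, *ace["src"]) and wildcard_match(d, *ace["dst"]):
            return ace["action"], ace["seq"]
    return "deny", None


if __name__ == "__main__":
    client = "10.200.10.50"          # constructed VLAN 210 host
    for name, text in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        acl = parse_acl(text)
        for dst in ("10.3.2.50", "10.3.2.10", "192.168.7.0"):
            print(name, client, "->", dst, evaluate(acl, client, dst))
    print("0.0.0.255 =", wildcard_prefix_len("0.0.0.255"))
    print("255.255.255.0 =", wildcard_prefix_len("255.255.255.0"))
```

    Running it shows the original ACL permitting 10.200.10.50 -> 10.3.2.50 at rule 50 (rule 30 only compares the last octet, so it matches addresses ending in .0 such as 192.168.7.0 instead), while the corrected ACL denies the same packet at rule 20 and still permits 10.3.2.10 at rule 10. The `wildcard_prefix_len` check is the sanity test to run on any hand-typed wildcard before applying an ACL.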



  • 3.  RE: VLAN ACLs

    Posted Feb 03, 2017 06:30 PM

    And it works!

    Thanks, Michael, for a quick and excellent response!