Wired Intelligent Edge (Campus Switching and Routing)

ArubaOS-Switch – How to Configure an IPv4 Access Control List (ACL) to Deny Incoming IP Packets

Requirement:

ArubaOS Switches



Solution:

In the following example, switches Rack2sw1 and Rack2sw2 are configured for IPv4 routing. Static routes are configured to enable IP connectivity between the loopback interfaces.

The access-list Deny_1_1_1_1 is applied inbound (vlan-in) on switch Rack2sw2 VLAN 12, as shown in the configuration below. IP packets received on that VLAN with the source address 1.1.1.1 are denied; all other IP packets are permitted.

Configuration:


---------- Switch Configuration ----------


Rack2sw1# show running-config interface loopback 0

Running configuration:

interface loopback 0
   ip address 1.1.1.1


Rack2sw1# show running-config vlan 12

Running configuration:

vlan 12
   name "VLAN12"
   tagged Trk12
   ip address 192.168.12.1 255.255.255.0


Rack2sw1(config)# ip route 2.2.2.2 255.255.255.255 192.168.12.2


Rack2sw2# show running-config interface loopback 0

Running configuration:

interface loopback 0
   ip address 2.2.2.2


Rack2sw2# show running-config vlan 12

Running configuration:

vlan 12
   name "VLAN12"
   tagged Trk21
   ip address 192.168.12.2 255.255.255.0
   ip access-group "Deny_1_1_1_1" vlan-in


Rack2sw2(config)# ip route 1.1.1.1 255.255.255.255 192.168.12.1

Rack2sw2(config)# ip access-list extended Deny_1_1_1_1
Rack2sw2(config-ext-nacl)# deny ip host 1.1.1.1 any
Rack2sw2(config-ext-nacl)# permit ip any any

Rack2sw2(config)# vlan 12 ip access-group Deny_1_1_1_1 vlan-in



Verification


---------- Switch Verification ----------


Rack2sw1# show ip route

                                IP Route Entries

  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  1.1.1.1/32         lo0                  connected            1          0
  2.2.2.2/32         192.168.12.2    12   static               1          1
  127.0.0.0/8        reject               static               0          0
  127.0.0.1/32       lo0                  connected            1          0
  192.168.12.0/24    VLAN12          12   connected            1          0


Rack2sw2# show ip route

                                IP Route Entries

  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  1.1.1.1/32         192.168.12.1    12   static               1          1
  2.2.2.2/32         lo0                  connected            1          0
  127.0.0.0/8        reject               static               0          0
  127.0.0.1/32       lo0                  connected            1          0
  192.168.12.0/24    VLAN12          12   connected            1          0


---------- Access List Verification ----------


Rack2sw2# show access-list Deny_1_1_1_1

Access Control Lists

  Name: Deny_1_1_1_1
  Type: Extended
  Applied: Yes

 SEQ  Entry
-----------------------------------------------------------------------------
 10   Action: deny
      Src IP: 1.1.1.1           Mask: 0.0.0.0           Port(s):
      Dst IP: 0.0.0.0           Mask: 255.255.255.255   Port(s):
      Proto : IP
      TOS   : -                 Precedence: -

 20   Action: permit
      Src IP: 0.0.0.0           Mask: 255.255.255.255   Port(s):
      Dst IP: 0.0.0.0           Mask: 255.255.255.255   Port(s):
      Proto : IP
      TOS   : -                 Precedence: -


---------- Testing ----------


Rack2sw1# ping 2.2.2.2 repetitions 5
2.2.2.2 is alive, iteration 1, time = 1 ms
2.2.2.2 is alive, iteration 2, time = 1 ms
2.2.2.2 is alive, iteration 3, time = 1 ms
2.2.2.2 is alive, iteration 4, time = 2 ms
2.2.2.2 is alive, iteration 5, time = 1 ms

Rack2sw1# ping 2.2.2.2 source loopback 0 repetitions 5
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Rack2sw2# show statistics aclv4 Deny_1_1_1_1 vlan 12 vlan-in

 Hit Counts for ACL Deny_1_1_1_1

  Total
(       5 )    10 deny ip 1.1.1.1 0.0.0.0 0.0.0.0 255.255.255.255
(       5 )    20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
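The hit counts above follow from first-match evaluation: the five pings sourced from the VLAN interface (192.168.12.1) fall through to entry 20, while the five sourced from loopback 0 (1.1.1.1) stop at entry 10. The following Python snippet is an added example (not part of the original article) that evaluates packets against the entries in the wildcard form the switch prints in "show statistics aclv4", reproduces the 5/5 counters, and shows that without the explicit "permit ip any any" the VLAN-sourced pings would be dropped by the implicit deny at the end of every ArubaOS-Switch ACL. The traffic list is constructed to mirror the page's test.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# ACL entries as printed by "show statistics aclv4" (constructed from the page's
# Deny_1_1_1_1 list). Wildcard semantics: 0.0.0.0 = every bit must match,
# 255.255.255.255 = any address.
DENY_1_1_1_1 = [
    "10 deny ip 1.1.1.1 0.0.0.0 0.0.0.0 255.255.255.255",
    "20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
]


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def parse_entry(line: str) -> Tuple[int, str, int, int, int, int]:
    """Split '<seq> <action> ip <src> <src-wc> <dst> <dst-wc>' into integers."""
    seq, action, proto, src, src_wc, dst, dst_wc = line.split()
    if proto != "ip":
        raise ValueError("this example only handles plain 'ip' entries")
    return int(seq), action, _to_int(src), _to_int(src_wc), _to_int(dst), _to_int(dst_wc)


def wildcard_match(addr: int, base: int, wildcard: int) -> bool:
    # Bits set in the wildcard are ignored; every other bit must equal the base.
    keep = ~wildcard & 0xFFFFFFFF
    return (addr & keep) == (base & keep)


def evaluate(acl: List[str], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First matching entry wins; no match means the implicit deny (seq None)."""
    s, d = _to_int(src), _to_int(dst)
    for line in acl:
        seq, action, base_s, wc_s, base_d, wc_d = parse_entry(line)
        if wildcard_match(s, base_s, wc_s) and wildcard_match(d, base_d, wc_d):
            return action, seq
    return "deny", None


def hit_counts(acl: List[str], packets: List[Tuple[str, str]]) -> Dict[object, int]:
    """Per-entry counters in the spirit of 'show statistics aclv4'."""
    counts: Dict[object, int] = {parse_entry(l)[0]: 0 for l in acl}
    counts["implicit-deny"] = 0
    for src, dst in packets:
        _, seq = evaluate(acl, src, dst)
        counts[seq if seq is not None else "implicit-deny"] += 1
    return counts


if __name__ == "__main__":
    # Constructed traffic: 5 pings from the VLAN address, then 5 from loopback 0.
    traffic = [("192.168.12.1", "2.2.2.2")] * 5 + [("1.1.1.1", "2.2.2.2")] * 5
    print(hit_counts(DENY_1_1_1_1, traffic))      # {10: 5, 20: 5, 'implicit-deny': 0}
    print(hit_counts(DENY_1_1_1_1[:1], traffic))  # {10: 5, 'implicit-deny': 5}
```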

Version history
Revision #:
1 of 1
Last update:
04-27-2020 07:42 AM