Wired Intelligent Edge


IP Access-List question (Core Layer 3 to Edge Switch)

  • 1.  IP Access-List question (Core Layer 3 to Edge Switch)

    Posted May 15, 2020 05:38 AM

    Hi Everyone,

    We have a Core Layer 3 'hub' switch (to 'spoke' Edge switches) with several /24 VLANs and an ADDC / DHCP server at 10.17.8.3.

    We have recently increased the subnet range:

    From: 10.17.8.0 - 10.17.16.0

    To: 10.17.8.0 - 10.17.18.0

    We have the following ACL:

    ip access-list extended "Deny Crosstalk"
    permit ip 0.0.0.0 255.255.255.255 10.17.8.0 0.0.0.255
    deny ip 0.0.0.0 255.255.255.255 10.17.0.0 0.0.255.255 log
    permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    exit

    The VLAN below:

    vlan 60
    name "Floor 2"
    untagged B4
    ip address 10.17.18.1 255.255.255.0
    ip helper-address 10.17.8.3
    ip access-group "Deny Crosstalk" in
    exit

    On the Edge switch we can ping 'downlinked' Edge switches but not the Core switch 10.17.18.1 interface.

    However, if we remove ip access-group "Deny Crosstalk" in from VLAN 60, we can ping the Core switch 10.17.18.1 interface.

    If we then connect a laptop to the Edge switch, it obtains an IP address and we can ping remote resources, but after 3-5 seconds we get:

    General Failure.

    PING transmit failed. General Failure.

    It may have something to do with the subnet mask 0.0.0.255 below.

    permit ip 0.0.0.0 255.255.255.255 10.17.8.0 0.0.0.255

    If anyone could shed some light on the above, that would be greatly appreciated.

    Thanks.



  • 2.  RE: IP Access-List question (Core Layer 3 to Edge Switch)

    MVP GURU
    Posted May 15, 2020 10:48 AM

    Hi! For the sake of simplicity...could you post between </> (thus using the Insert/Edit code sample button above)...the outputs of the two commands below:

    show access-list "Deny Crosstalk"
    show access-list "Deny Crosstalk" config

    You have to consider that an ACL assumes a particular meaning according to where it is applied (I mean: from the point of view of the VLAN interface to which it is applied, for the incoming traffic seen precisely from that interface)...so, as an example, the first ACE (permit) rule:

    permit ip 0.0.0.0 255.255.255.255 10.17.8.0 0.0.0.255

    means that ANY source is permitted to connect to 10.17.8.0/24 using the IP protocol.

    The next ACE (deny) rule:

    deny ip 0.0.0.0 255.255.255.255 10.17.0.0 0.0.255.255 log

    means that ANY source is denied from connecting to 10.17.0.0/16 (so any host addressed within the range 10.17.0.1 - 10.17.255.254).

    The final ACE (permit), before the hidden implicit final ANY/ANY deny:

    permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

    means that ANY source is permitted to connect to ANY destination (if not previously denied) using the IP protocol.

    Given the above...if you apply this ACE to VLAN 60, what does it do to connections incoming FROM VLAN 60 hosts, hitting the VLAN 60 interface, with destinations in other VLANs?
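
    The following is an added worked example, not code from either poster or from HPE Aruba. It parses the three ACEs of "Deny Crosstalk" exactly as quoted in the first post, evaluates them in order with wildcard-mask semantics (a set bit in the mask means "don't care") and the implicit final deny, and reports which ACE a given source/destination pair hits. The VLAN 60 host address 10.17.18.50 and the destinations other than the DHCP server and the VLAN 60 gateway are constructed sample values. It models only the ACE matching, not the platform's handling of traffic addressed to the switch's own interface, so it is a check of the ACL's logic rather than a substitute for testing on the switch.

```python
# Added example (not from the thread or from HPE Aruba): an evaluator for the
# ArubaOS-Switch style extended ACL quoted in the thread. It parses ACEs of the
# form "permit|deny ip <src> <src-wildcard> <dst> <dst-wildcard> [log]",
# applies them in order, and falls through to the implicit final deny.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    seq: int
    action: str      # "permit" or "deny"
    src: int         # source base address as a 32-bit integer
    src_wild: int    # source wildcard mask: bits set to 1 are "don't care"
    dst: int
    dst_wild: int
    log: bool


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_acl(text: str) -> List[Ace]:
    """Parse an 'ip access-list extended' block into an ordered ACE list."""
    aces: List[Ace] = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # skip the list header, 'exit', blanks
        if tok[1] != "ip" or len(tok) < 6:
            raise ValueError(f"unsupported ACE: {line!r}")
        aces.append(Ace(len(aces) + 1, tok[0], _ip(tok[2]), _ip(tok[3]),
                        _ip(tok[4]), _ip(tok[5]), "log" in tok[6:]))
    return aces


def wildcard_match(addr: int, base: int, wild: int) -> bool:
    """Compare only the bits the wildcard mask marks as significant (0 bits)."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)


def evaluate(aces: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, ace_seq); a seq of None means the implicit final deny hit."""
    s, d = _ip(src), _ip(dst)
    for ace in aces:
        if wildcard_match(s, ace.src, ace.src_wild) and \
           wildcard_match(d, ace.dst, ace.dst_wild):
            return ace.action, ace.seq
    return "deny", None


# The ACL exactly as quoted in the first post.
DENY_CROSSTALK = """
ip access-list extended "Deny Crosstalk"
permit ip 0.0.0.0 255.255.255.255 10.17.8.0 0.0.0.255
deny ip 0.0.0.0 255.255.255.255 10.17.0.0 0.0.255.255 log
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
"""


def vlan60_checks() -> dict:
    """Constructed sample flows from a VLAN 60 host (10.17.18.50 is an assumed address)."""
    acl = parse_acl(DENY_CROSSTALK)
    host = "10.17.18.50"
    return {
        # ACE 1 permits anything to the server VLAN, including the DHCP server.
        "dhcp_server": evaluate(acl, host, "10.17.8.3"),
        # ACE 2 denies anything to 10.17.0.0/16, which also covers 10.17.18.0/24
        # and therefore the VLAN 60 gateway address itself.
        "own_gateway": evaluate(acl, host, "10.17.18.1"),
        # Another floor's /24 (constructed) is inside 10.17.0.0/16 as well.
        "other_floor": evaluate(acl, host, "10.17.16.20"),
        # Anything outside 10.17.0.0/16 reaches the final any/any permit.
        "internet": evaluate(acl, host, "203.0.113.9"),
        # Without the final permit, the hidden implicit deny is what matches.
        "no_final_permit": evaluate(acl[:2], host, "203.0.113.9"),
    }


if __name__ == "__main__":
    for name, (action, seq) in vlan60_checks().items():
        print(f"{name:16s} -> {action} (ACE {seq if seq else 'implicit deny'})")
```

    Running it shows that, read from the VLAN 60 interface, the deny ACE 2 covers the new 10.17.18.0/24 subnet just as it covers every other /24 under 10.17.0.0/16, which is the question the reply above is steering towards.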



  • 3.  RE: IP Access-List question (Core Layer 3 to Edge Switch)

    Posted May 15, 2020 07:22 PM

     

     

    show access-list "Deny Crosstalk"

    Access Control Lists

    Name: Deny Crosstalk
    Type: Extended
    Applied: Yes

    ID   action  IP               Mask             proto  oper  port(s)  Log
    ---  ------  ---------------  ---------------  -----  ----  -------  ---
    1    permit  src: 0.0.0.0     255.255.255.255  IP
                 dst: 10.17.8.0   0.0.0.255        IP
    2    deny    src: 0.0.0.0     255.255.255.255  IP                    log
                 dst: 10.17.0.0   0.0.255.255      IP
    3    permit  src: 0.0.0.0     255.255.255.255  IP
                 dst: 0.0.0.0     255.255.255.255  IP

    show access-list "Deny Crosstalk" config

    Access Control Lists

    Name: Deny Crosstalk
    Type: Extended
    Applied: Yes

    ID   action  IP               Mask             proto  oper  port(s)  Log
    ---  ------  ---------------  ---------------  -----  ----  -------  ---
    1    permit  src: 0.0.0.0     255.255.255.255  IP
                 dst: 10.17.8.0   0.0.0.255        IP
    2    deny    src: 0.0.0.0     255.255.255.255  IP                    log
                 dst: 10.17.0.0   0.0.255.255      IP
    3    permit  src: 0.0.0.0     255.255.255.255  IP
                 dst: 0.0.0.0     255.255.255.255  IP

  • 4.  RE: IP Access-List question (Core Layer 3 to Edge Switch)

    Posted May 16, 2020 07:24 PM

    Hi Parnassus,

     

    Show ACLs below (without HTML, as it gets quarantined for 'moderation'):

    show access-list "Deny Crosstalk"

    Access Control Lists

    Name: Deny Crosstalk
    Type: Extended
    Applied: Yes

    ID   action  IP               Mask             proto  oper  port(s)  Log
    ---  ------  ---------------  ---------------  -----  ----  -------  ---
    1    permit  src: 0.0.0.0     255.255.255.255  IP
                 dst: 10.17.8.0   0.0.0.255        IP
    2    deny    src: 0.0.0.0     255.255.255.255  IP                    log
                 dst: 10.17.0.0   0.0.255.255      IP
    3    permit  src: 0.0.0.0     255.255.255.255  IP
                 dst: 0.0.0.0     255.255.255.255  IP

    show access-list "Deny Crosstalk" config

    Access Control Lists

    Name: Deny Crosstalk
    Type: Extended
    Applied: Yes

    ID   action  IP               Mask             proto  oper  port(s)  Log
    ---  ------  ---------------  ---------------  -----  ----  -------  ---
    1    permit  src: 0.0.0.0     255.255.255.255  IP
                 dst: 10.17.8.0   0.0.0.255        IP
    2    deny    src: 0.0.0.0     255.255.255.255  IP                    log
                 dst: 10.17.0.0   0.0.255.255      IP
    3    permit  src: 0.0.0.0     255.255.255.255  IP
                 dst: 0.0.0.0     255.255.255.255  IP