CX6000 Access-List source and destination ip subnet mask length

  • 1.  CX6000 Access-List source and destination ip subnet mask length

    Posted Jan 06, 2023 06:32 AM
    I connected two PCs to a CX6000 within the same VLAN. The access-list only has one ACE. If the length of the source or destination IP address subnet mask is 24, source PC1 can ping destination PC2. If I change the length of the source or destination IP address subnet mask to 32, source PC1 cannot ping destination PC2. Please kindly advise, thanks.

    #CX6000
    #ACL
    #Access-List


  • 2.  RE: CX6000 Access-List source and destination ip subnet mask length

    EMPLOYEE
    Posted Jan 06, 2023 07:08 AM
    Can you please share the two access-lists? And what are the source and destination IP that you use to test?

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: CX6000 Access-List source and destination ip subnet mask length

    Posted Jan 06, 2023 07:29 AM
    hi Herman,

    The IP address of PC1 is 192.168.10.10 and the IP address of PC2 is 192.168.10.20. I tested three scenarios.

    The first ACL only has one ACE, as in the following command:
    10 permit any 192.168.10.0/24 192.168.10.0/24
    After applying the ACL to the VLAN associated with the interfaces PC1 and PC2 are connected to, PC1 can ping PC2.

    The second ACL also only has one ACE, as in the following command:
    10 permit any 192.168.10.10/32 192.168.10.0/24
    After applying the ACL to the VLAN associated with the interfaces PC1 and PC2 are connected to, PC1 cannot ping PC2.

    The third ACL also only has one ACE, as in the following command:
    10 permit any 192.168.10.10/32 192.168.10.20/32
    After applying the ACL to the VLAN associated with the interfaces PC1 and PC2 are connected to, PC1 cannot ping PC2.

    Winston


  • 4.  RE: CX6000 Access-List source and destination ip subnet mask length

    EMPLOYEE
    Posted Jan 06, 2023 10:23 AM
    Could it be that you applied the ACL to both ports? I would expect that if you apply it only to the port for PC1, all 3 would work.
    If you apply it to the port for PC2, it would only work with the first, as the ping return packet will have 192.168.10.20->192.168.10.10, and that only matches on the first ACL.

    Note that switch ACLs are stateless, which means that if there is an ACL on the return traffic port, it must be allowed there.

    ------------------------------
    Herman Robers
    ------------------------------
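The stateless matching Herman describes can be checked offline. The following Python model is an added example written for this thread, not code from the original posts or from Aruba; it parses the three single-ACE access-lists quoted above in the same `seq action proto src dst` form, applies first-match semantics with the implicit deny at the end, and evaluates the ICMP request and the reply as two independent packets, which is what a stateless switch ACL does when it filters traffic in both directions (the assumption made here about the VLAN-applied ACL in the thread).

```python
"""Stateless ACL model for the CX6000 thread: why /32 breaks the ping.

Added example, not from the original thread. It assumes the ACE syntax
"<seq> <action> <proto> <src-prefix> <dst-prefix>" used in the posts and
that an ACL applied to the VLAN sees both directions of the ping.
"""
import ipaddress
from dataclasses import dataclass

# The three ACLs and host addresses quoted in the thread.
PC1 = "192.168.10.10"
PC2 = "192.168.10.20"
ACL1 = ["10 permit any 192.168.10.0/24 192.168.10.0/24"]
ACL2 = ["10 permit any 192.168.10.10/32 192.168.10.0/24"]
ACL3 = ["10 permit any 192.168.10.10/32 192.168.10.20/32"]


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str          # "permit" or "deny"
    proto: str           # "any", "icmp", ... (not used for matching here)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_ace(line: str) -> Ace:
    """Parse one ACE in the form used by the posts, e.g.
    '10 permit any 192.168.10.10/32 192.168.10.0/24'."""
    seq, action, proto, src, dst = line.split()
    return Ace(int(seq), action, proto,
               ipaddress.ip_network(src, strict=False),
               ipaddress.ip_network(dst, strict=False))


def evaluate(acl_lines, src_ip: str, dst_ip: str) -> str:
    """First-match evaluation of a single packet. Falls through to the
    implicit deny that ends every ACL (the 'default action is deny'
    point from the last post)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in sorted((parse_ace(l) for l in acl_lines), key=lambda a: a.seq):
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def ping_result(acl_lines, pc1: str, pc2: str, reply_filtered: bool = True) -> dict:
    """Evaluate an echo request pc1->pc2 and, when the ACL also sits on the
    return path (reply_filtered=True), the echo reply pc2->pc1. A switch
    ACL keeps no connection state, so the reply must match an ACE on its
    own; the ping only works if both directions are permitted."""
    request = evaluate(acl_lines, pc1, pc2)
    reply = evaluate(acl_lines, pc2, pc1) if reply_filtered else "not filtered"
    ok = request == "permit" and reply in ("permit", "not filtered")
    return {"request": request, "reply": reply, "ping": ok}


if __name__ == "__main__":
    for name, acl in (("ACL1", ACL1), ("ACL2", ACL2), ("ACL3", ACL3)):
        both = ping_result(acl, PC1, PC2)
        pc1_only = ping_result(acl, PC1, PC2, reply_filtered=False)
        print(f"{name}: applied both ports -> {both}")
        print(f"{name}: applied PC1 port only -> {pc1_only}")
```

Running it reproduces the three observations: ACL1 permits both directions, while ACL2 and ACL3 permit the request but hit the implicit deny on the reply, because 192.168.10.20 is not inside 192.168.10.10/32. With `reply_filtered=False` (ACL only on PC1's port) all three pass, matching Herman's expectation.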



  • 5.  RE: CX6000 Access-List source and destination ip subnet mask length

    Posted Jan 06, 2023 10:44 PM
    hi Herman,

    I read the ACL manual from Aruba once again. Thank you for your advice and reminder. There are two key points. First, the default action is deny. Second, the ping has return traffic. It's different from a firewall.

    Winston