ACL Configs

harrisgirls
Level 1

Hello,

I am trying to test and set up some ACLs on a switch. The current setup is:

Core Switch - HP ProCurve 2610-24-PWR

Edge Switch - HP ProCurve 2510-24

VLANS 5, 10, 15, 20, 25, 30

I want to deny access to VLAN 5 from VLAN 20, which is our client VLAN.

Sorry for posting here, but I do find the enterprise forums at HP useless and the Cisco ones a lot better!!!

6 Replies

cadet alain
VIP Alumni

Hi,

access-list 199 deny ip x.x.x.x y.y.y.y, where x.x.x.x is the VLAN 20 subnet and y.y.y.y is the VLAN 5 subnet; don't forget the correct wildcard mask.

Then, under int vlan 20: ip access-group 199 in

Regards.

Alain

Don't forget to rate helpful posts.

Thanks, so would it be like this:

access-list 199 deny ip 10.4.20.0 10.4.5.0

then go into VLAN 20 by doing:

int vlan 20: ip access-group 199 in

And then that should be it on the edge switch?

harrisgirls
Level 1

Hi,

When I input access-list I get this:

XXXX-g21-2510g-24-1(config)# access-list

Invalid input: access-list

This is on the 2510.

Hi,

The config I gave was for a Cisco device; I didn't even read that you had HP devices, but the concepts remain the same.

There should be a configuration guide for your device downloadable from HP.

Regards.

Alain

Don't forget to rate helpful posts.

lol, thanks.

I think I managed to get it working. I configured it on the core and it all works, but when I go to an edge switch and ping an IP address in a VLAN I've set to deny on the core, it can still ping it. I plug back into the core and it works. Do I need to do anything on the edge switch or the trunk on the core?

This could happen if the edge switch also has layer 3 interfaces / SVIs. In that case the traffic from a user A on VLAN 5 hits the edge switch, which routes it to VLAN 20, and out goes the traffic to user B on VLAN 20, completely bypassing the core switch. This could happen even if only one SVI was on the edge, if the ACLs on the core interfaces were not applied in both directions.

To resolve this, if your edge switch has both VLANs as layer 3, apply ACLs there as well; otherwise apply an ACL on the edge switch VLAN and on the core switch VLAN as well.
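Two things in this thread are easy to get wrong and worth seeing in working code: the wildcard mask and the implicit deny in the Cisco-style ACL from the first reply (the poster's follow-up `access-list 199 deny ip 10.4.20.0 10.4.5.0` has no masks, and a one-line deny ACL blocks everything entering the SVI), and the bypass described in the last reply, where an SVI on the edge switch means the core's ACL never sees the packet. The script below is an added example for this page, not configuration from the original posters, HP or Cisco. It builds the ACL from the poster's subnets (10.4.20.0/24 for VLAN 20, 10.4.5.0/24 for VLAN 5), evaluates it with first-match semantics, and models a core and an edge switch as routers; the SVI and host addresses, the switch names and the assumption that the edge routes between VLAN 20 and VLAN 5 itself are constructed for the demo. The generated lines use Cisco IOS syntax; ProCurve ACL syntax differs, so check the HP configuration guide before typing them into a 2610.

```python
"""Toy model of the thread's setup: a Cisco-style numbered ACL built from CIDRs,
first-match evaluation with the implicit deny, and a two-router topology showing
why an SVI on the edge switch can bypass an ACL applied only on the core.
Added example for this page, not the posters' or the vendors' configuration."""
import ipaddress


def wildcard(cidr):
    """Return (network, wildcard mask) for a CIDR, e.g. 10.4.20.0/24 -> 0.0.0.255."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)


def build_acl(number, src_cidr, dst_cidr):
    """Deny src->dst and explicitly permit everything else. Every IOS ACL ends
    with an implicit deny, so a one-line 'deny' ACL blocks all traffic entering
    the SVI it is applied to, not just traffic to the VLAN you meant to block."""
    src, src_w = wildcard(src_cidr)
    dst, dst_w = wildcard(dst_cidr)
    return [
        f"access-list {number} deny ip {src} {src_w} {dst} {dst_w}",
        f"access-list {number} permit ip any any",
    ]


def _matches(ip, net, wild):
    """Wildcard match: bits set in the wildcard mask are 'don't care' bits."""
    care = ~int(ipaddress.ip_address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(ip)) & care) == (int(ipaddress.ip_address(net)) & care)


def _parse_ace(line):
    """'access-list N deny ip A W B W' or '... permit ip any any' -> (action, src, dst)."""
    parts = line.split()
    action, tokens, fields = parts[2], parts[4:], []
    while tokens:
        if tokens[0] == "any":
            fields.append(None)
            tokens = tokens[1:]
        else:
            fields.append((tokens[0], tokens[1]))
            tokens = tokens[2:]
    return action, fields[0], fields[1]


def evaluate(acl, src, dst):
    """First matching entry wins; no match at all is the implicit deny."""
    for line in acl:
        action, s, d = _parse_ace(line)
        if (s is None or _matches(src, *s)) and (d is None or _matches(dst, *d)):
            return action
    return "deny"


class L3Switch:
    """A switch with SVIs ({vlan: svi_ip}) and inbound ACLs per SVI ({vlan: acl})."""
    def __init__(self, name, svis):
        self.name, self.svis, self.acl_in = name, svis, {}


def first_hop_verdict(src_ip, src_vlan, gateway, dst_ip, switches):
    """The router owning the host's default gateway sees the packet first, and only
    the ACL on that device's SVI is consulted. Returns (device name, verdict)."""
    for sw in switches:
        if sw.svis.get(src_vlan) == gateway:
            acl = sw.acl_in.get(src_vlan)
            return sw.name, (evaluate(acl, src_ip, dst_ip) if acl else "permit")
    raise ValueError(f"no switch owns gateway {gateway} on VLAN {src_vlan}")


def bypass_demo():
    """Constructed topology: the subnets are the poster's, the SVI/host IPs and the
    edge switch routing VLAN 20 <-> VLAN 5 itself are assumptions for the demo."""
    acl = build_acl(199, "10.4.20.0/24", "10.4.5.0/24")
    core = L3Switch("core-2610", {5: "10.4.5.1", 20: "10.4.20.1"})
    core.acl_in[20] = acl                                   # ACL only on the core
    edge = L3Switch("edge", {5: "10.4.5.2", 20: "10.4.20.2"})  # edge has both SVIs, no ACL
    net = [core, edge]
    out = {
        "via_core": first_hop_verdict("10.4.20.50", 20, "10.4.20.1", "10.4.5.10", net),
        "via_edge_no_acl": first_hop_verdict("10.4.20.51", 20, "10.4.20.2", "10.4.5.10", net),
    }
    edge.acl_in[20] = acl                                   # the fix from the last reply
    out["via_edge_with_acl"] = first_hop_verdict("10.4.20.51", 20, "10.4.20.2", "10.4.5.10", net)
    return out


if __name__ == "__main__":
    for line in build_acl(199, "10.4.20.0/24", "10.4.5.0/24"):
        print(line)
    print(bypass_demo())
```

Running it prints the two-line ACL and a verdict dict: a VLAN 20 host whose gateway is the core SVI is denied, the same traffic from a host whose gateway is the edge SVI is permitted because the core never routes it, and applying the same ACL on the edge SVI closes the gap. Dropping the `permit ip any any` line and re-running `evaluate` against a destination outside VLAN 5 returns "deny", which is the implicit-deny trap the first reply's one-line ACL would fall into.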