Re: 8212zl ACL Problem (392 Views)
Occasional Contributor
Posts: 11
Registered: ‎06-27-2013
Message 1 of 6 (419 Views)

8212zl ACL Problem


We have an 8212zl connected to multiple 2910zl network switches.  We use the 8212zl as our core switch to perform all routing.  When I try to apply an ACL (access control list) on the 8212zl VLAN 226 to block all traffic except from itself and VLAN 213, none of the traffic will block.  Here is an example of the ACL:


ip access-list standard "VLAN226IN"
5 permit 172.20.213.0 0.0.0.255
10 permit 172.20.226.0 0.0.0.255
15 deny 0.0.0.0 255.255.255.255
exit


The VLAN has the following configuration:

vlan 226
name "VLAN226"
tagged A5,Trk1
ip access-group "VLAN226IN" in
ip access-group "VLAN226IN" out
ip access-group "VLAN226IN" vlan
ip address 172.20.226.1 255.255.255.0
ip igmp
ip rip 172.20.226.1
exit


Does anyone have any ideas on what is happening?

P.S. This thread has been moved from Switches, Hubs, Modems (Legacy ITRC forum) to ProCurve / ProVision-Based. - Hp Forum Moderator

Trusted Contributor
Posts: 401
Registered: ‎02-25-2013
Message 2 of 6 (412 Views)

Re: 8212zl ACL Problem

I think you should have:


ip access-list standard "VLAN226IN"
5 permit 172.20.213.0 0.0.0.255 172.20.226.0 0.0.0.255
15 deny 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

ip access-list standard "VLAN226OUT"
10 permit 172.20.226.0 0.0.0.255 0.0.0.0 255.255.255.255
15 deny 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255


name "VLAN226"
ip access-group "VLAN226IN" out
ip access-group "VLAN226OUT" in

Occasional Contributor
Posts: 11
Registered: ‎06-27-2013
Message 3 of 6 (392 Views)

Re: 8212zl ACL Problem

Here is what I currently have.  All my other VLANs can still talk to this VLAN for some reason.  I also tried applying VLAN226IN to in and VLAN226OUT to out and that did nothing as well.

ip access-list extended "VLAN226IN"
5 permit ip 172.20.20.13 0.0.0.255 172.20.226.0 0.0.0.255
15 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
ip access-list extended "VLAN226OUT"
10 permit ip 172.20.226.0 0.0.0.255 0.0.0.0 255.255.255.255
15 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit


vlan 226
name "VLAN226"
tagged A5,Trk1
ip access-group "VLAN226OUT" in
ip access-group "VLAN226IN" out
ip address 172.20.226.1 255.255.255.0
ip igmp
ip rip 172.20.226.1


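To see what each of the posted entries actually matches, here is a small ACL evaluator. It is an added example, not code from this thread or from HP's ProCurve software; it models only the wildcard-mask rule (address bits where the wildcard has a 1 are ignored), first-match-wins ordering, and the implicit deny at the end of a list. The entries in VLAN226IN_STANDARD and VLAN226IN_EXTENDED_AS_POSTED are copied from messages 1 and 3 above; VLAN226IN_EXTENDED_FIXED, which uses 172.20.213.0 in place of the posted 172.20.20.13, and the sample flows are assumptions constructed for the example. Running the wildcard arithmetic on the posted entry `5 permit ip 172.20.20.13 0.0.0.255 ...` shows it covers 172.20.20.0 through 172.20.20.255, so a source in 172.20.213.0/24 falls through to the deny entry.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """ProCurve/Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def covered_range(base: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address an 'address wildcard' pair can match."""
    w = _ip(wildcard)
    lo = _ip(base) & ~w & 0xFFFFFFFF
    hi = lo | w
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi))


@dataclass
class Ace:
    seq: int
    action: str                 # "permit" or "deny"
    src: str
    src_wc: str
    dst: Optional[str] = None   # None for a standard (source-only) entry
    dst_wc: Optional[str] = None


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, sequence number) of the first matching entry.
    A packet that matches nothing hits the implicit deny, reported as seq None."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if not wildcard_match(src, ace.src, ace.src_wc):
            continue
        if ace.dst is not None and not wildcard_match(dst, ace.dst, ace.dst_wc):
            continue
        return ace.action, ace.seq
    return "deny", None


# Entries copied from the thread. Message 1 used a standard ACL, which tests only the source.
VLAN226IN_STANDARD = [
    Ace(5, "permit", "172.20.213.0", "0.0.0.255"),
    Ace(10, "permit", "172.20.226.0", "0.0.0.255"),
    Ace(15, "deny", "0.0.0.0", "255.255.255.255"),
]

# Message 3, extended ACL exactly as posted (base address 172.20.20.13).
VLAN226IN_EXTENDED_AS_POSTED = [
    Ace(5, "permit", "172.20.20.13", "0.0.0.255", "172.20.226.0", "0.0.0.255"),
    Ace(15, "deny", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

# Assumption: the same list with 172.20.213.0 as the base, the subnet named in message 1.
VLAN226IN_EXTENDED_FIXED = [
    Ace(5, "permit", "172.20.213.0", "0.0.0.255", "172.20.226.0", "0.0.0.255"),
    Ace(15, "deny", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

# Constructed sample flows: a host in VLAN 213, the poster's PC in VLAN 100, a host in VLAN 226.
SAMPLE_FLOWS = [
    ("172.20.213.7", "172.20.226.10"),
    ("172.20.100.5", "172.20.226.10"),
    ("172.20.226.20", "172.20.226.10"),
]


def report(acl: List[Ace], name: str) -> dict:
    """Evaluate every sample flow against one ACL; returns {src: (action, seq)} and prints it."""
    results = {}
    print(f"== {name}")
    for ace in sorted(acl, key=lambda a: a.seq):
        lo, hi = covered_range(ace.src, ace.src_wc)
        print(f"  seq {ace.seq:>3} {ace.action:<6} source covers {lo} to {hi}")
    for src, dst in SAMPLE_FLOWS:
        results[src] = evaluate(acl, src, dst)
        print(f"  {src} -> {dst}: {results[src]}")
    return results


if __name__ == "__main__":
    report(VLAN226IN_STANDARD, "VLAN226IN (standard, message 1)")
    report(VLAN226IN_EXTENDED_AS_POSTED, "VLAN226IN (extended, as posted in message 3)")
    report(VLAN226IN_EXTENDED_FIXED, "VLAN226IN (extended, assumed intent)")
```

The evaluator answers only "which entry would this source/destination pair hit"; which packets an ACL bound with `in`, `out` or `vlan` on the 8212zl is actually offered is a separate question that the switch's ACL documentation answers, and a trace that stops at the switch's own VLAN address (172.20.226.1) exercises the switch itself rather than a host behind it, which is why the last reply asks for a traceroute further into the .226 network.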
Trusted Contributor
Posts: 401
Registered: ‎02-25-2013
Message 4 of 6 (388 Views)

Re: 8212zl ACL Problem

Do a traceroute. I wonder if your inter-VLAN routing has happened somewhere else?

Occasional Contributor
Posts: 11
Registered: ‎06-27-2013
Message 5 of 6 (386 Views)

Re: 8212zl ACL Problem

This is my output:


C:\Users\Administrator>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 172.20.100.5
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.20.100.1

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

C:\Users\Administrator>tracert 172.20.226.1

Tracing route to 172.20.226.1 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  172.20.226.1

Trace complete.

C:\Users\Administrator>

Trusted Contributor
Posts: 401
Registered: ‎02-25-2013
Message 6 of 6 (383 Views)

Re: 8212zl ACL Problem

.1 is presumably the address on the core switch. How about tracerouting to something further in the .226 network?
