ACL Configs

Hello,

I am trying to test and set up some ACLs on a switch. The current setup is:

Core Switch - HP ProCurve 2610-24-PWR

Edge Switch - HP ProCurve 2510-24

VLANS 5, 10, 15, 20, 25, 30

I want to deny access to VLAN 5 from VLAN 20, which is our client VLAN.

Sorry for posting here, but I do find the enterprise forums at HP useless and the Cisco ones a lot better!!!

6 REPLIES
Purple

ACL Configs

Hi,

access-list 199 deny ip x.x.x.x y.y.y.y  where x.x.x.x is vlan 20 subnet and y.y.y.y is vlan 5 subnet, don't forget the correct wildcard mask.

then under int vlan 20: ip access-group 199 in

Regards.

Alain

Don't forget to rate helpful posts.
New Member

ACL Configs

Thanks, so would it be like this:

access-list 199 deny ip 10.4.20.0 10.4.5.0

then go into vlan 20 by doing:

int vlan 20: ip access-group 199 in

and then that should be it on the edge switch?

New Member

ACL Configs

Hi,

When I input access-list I get this:

XXXX-g21-2510g-24-1(config)# access-list

Invalid input: access-list

this is on the 2510

Purple

ACL Configs

Hi,

The config I gave was for a Cisco device; I didn't even read that you had HP devices, but the concepts remain the same.

There should be a configuration guide for your device downloadable from HP.

Regards.

Alain

Don't forget to rate helpful posts.
New Member

ACL Configs

lol thanks.

I think I managed to get it working. I configured it on the core and it all works, but when I go to an edge switch and ping an IP address in a VLAN I've set to deny on the core, it can still ping it. I plug back into the core and it works... Do I need to do anything on the edge switch or the trunk on the core?

Cisco Employee

ACL Configs

This could happen if the edge switch also has layer 3 interfaces / SVIs. In that case the traffic from a user A on VLAN 5 hits the edge switch, which routes it to VLAN 20, and out goes the traffic to user B on VLAN 20, completely bypassing the core switch. This could happen even if only one SVI was in the edge, and the ACLs on the core interfaces were not applied in both directions.

To resolve this, if your edge switch has both vlans as layer 3, apply acls there as well, else apply an acl on edge switch vlan and core switch vlan as well.
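The following Python model, added here as an illustration and not code from anyone in this thread, pulls together Alain's ACL advice (wildcard masks, inbound on the VLAN 20 SVI) and the explanation above of why an ACL on the core is never consulted when the edge switch routes between the VLANs itself. It renders IOS-style numbered ACL lines from CIDR prefixes, evaluates them top-down with the implicit deny at the end, and then models which switch on a host's path actually routes the packet: the first one with an SVI in the source VLAN. The subnets 10.4.20.0/24 and 10.4.5.0/24, the switch names and the "first switch with an SVI is the gateway" rule are all constructed assumptions for the example.

```python
"""Where an inbound SVI ACL is evaluated: a small model (added example, not from the thread).

Constructed assumptions: VLAN 20 is 10.4.20.0/24, VLAN 5 is 10.4.5.0/24, and a host's
traffic is routed by the first switch on its path that owns an SVI in the host's VLAN.
"""
import ipaddress
from dataclasses import dataclass, field

ANY = ipaddress.ip_network("0.0.0.0/0")


def ios_addr(net: ipaddress.IPv4Network) -> str:
    """Render a prefix the way an IOS numbered ACL expects it (address + wildcard mask)."""
    if net == ANY:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    # The wildcard mask is the inverse of the subnet mask, which ipaddress calls hostmask.
    return f"{net.network_address} {net.hostmask}"


@dataclass
class Acl:
    number: int
    entries: list  # (action, src_cidr, dst_cidr) tuples, evaluated top-down, first match wins

    def render(self) -> list:
        """Produce the 'access-list N ...' lines for the switch configuration."""
        return [
            f"access-list {self.number} {action} ip "
            f"{ios_addr(ipaddress.ip_network(src))} {ios_addr(ipaddress.ip_network(dst))}"
            for action, src, dst in self.entries
        ]

    def evaluate(self, src_ip: str, dst_ip: str) -> str:
        """First matching entry decides; a packet matching nothing hits the implicit deny."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for action, s, d in self.entries:
            if src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d):
                return action
        return "deny"


@dataclass
class Switch:
    name: str
    svis: dict = field(default_factory=dict)  # vlan id -> inbound Acl on that SVI, or None


def routing_switch(path, src_vlan):
    """The first switch along the host's path that has an SVI in the source VLAN routes."""
    for sw in path:
        if src_vlan in sw.svis:
            return sw
    return None


def forward(path, src_vlan, src_ip, dst_ip):
    """Return (switch that routed the packet, ACL verdict) for one inter-VLAN packet."""
    sw = routing_switch(path, src_vlan)
    if sw is None:
        return ("none", "deny")  # nobody routes the VLAN, so nothing leaves it
    acl = sw.svis[src_vlan]
    return (sw.name, "permit" if acl is None else acl.evaluate(src_ip, dst_ip))


# Deny VLAN 20 -> VLAN 5, then explicitly permit everything else (otherwise the implicit
# deny would cut VLAN 20 off from every other VLAN as well).
BLOCK_V5 = Acl(199, [("deny", "10.4.20.0/24", "10.4.5.0/24"),
                     ("permit", "0.0.0.0/0", "0.0.0.0/0")])
# The same deny line on its own, to show the implicit-deny pitfall.
DENY_ONLY = Acl(199, [("deny", "10.4.20.0/24", "10.4.5.0/24")])


def scenarios():
    """Replay the thread's situations: layer-2 edge, layer-3 edge without and with the ACL."""
    core = Switch("core", {5: None, 20: BLOCK_V5})        # ACL applied 'in' on int vlan 20
    edge_l2 = Switch("edge", {})                           # plain layer-2 edge, no SVIs
    edge_l3 = Switch("edge", {5: None, 20: None})          # edge routes, no ACL: bypasses core
    edge_l3_acl = Switch("edge", {5: None, 20: BLOCK_V5})  # edge routes and filters too
    return {
        "layer2_edge": forward([edge_l2, core], 20, "10.4.20.10", "10.4.5.10"),
        "l3_edge_no_acl": forward([edge_l3, core], 20, "10.4.20.10", "10.4.5.10"),
        "l3_edge_with_acl": forward([edge_l3_acl, core], 20, "10.4.20.10", "10.4.5.10"),
        "other_vlan_still_ok": forward([edge_l2, core], 20, "10.4.20.10", "10.4.10.10"),
        "deny_only_blocks_all": DENY_ONLY.evaluate("10.4.20.10", "10.4.10.10"),
    }


if __name__ == "__main__":
    print("\n".join(BLOCK_V5.render()))
    for name, result in scenarios().items():
        print(f"{name:22s} -> {result}")
```

Running it prints the two rendered lines (`access-list 199 deny ip 10.4.20.0 0.0.0.255 10.4.5.0 0.0.0.255` followed by `permit ip any any`) and shows the verdict moving with the routing switch: with a layer-2 edge the core's ACL denies the ping, with a layer-3 edge and no ACL the edge permits it and the core never sees it, and only an ACL on the edge's own SVI restores the deny. The `deny_only_blocks_all` case is the check worth remembering when a single deny line is applied: the implicit deny drops VLAN 20's traffic to every other VLAN, not just VLAN 5.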
