cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Anonymous
Not applicable

Question on Hardware ACL

Jump to solution


Hello, I have a 1544 in production with 7 Vlans built, vlans 9,26,100,105,204,165 and 166. I need to make sure vlan 9 denies all traffic that originates from vlan 26,165 and 204. I need to make sure vlan 26 denies all request orginating from vlan 9, 166 and 204.   Basically, I do not want any machines in vlan 26, 165 or 204 be able to ping vlan 9 or any machines in vlan 9, 166 or 204 to be able to ping vlan 26.  I am trying to do this with Hardware ACL's.Below are the Vlans and ACL's. I am just trying to get this config verified before I add these ACL's to the working 1544..Thanks

!

!

interface vlan 9

  description Probate

  ip address  192.168.9.254  255.255.255.0

  ip route-cache express

  no shutdown

!

interface vlan 26

  description Revenue_Commission

  ip address  192.168.26.253  255.255.255.0

  ip route-cache express

  no shutdown

!

interface vlan 100

  description Courthouse_Voice

  ip address  192.168.100.254  255.255.255.0

  ip route-cache express

  no shutdown

!

interface vlan 105

  description Goverment_BLDG_P2P

  ip address  10.10.10.2  255.255.255.0

  ip route-cache express

  no shutdown

!

interface vlan 165

  description Rev_Public_Lan

  ip address  192.168.165.1  255.255.255.252

  ip route-cache express

  no shutdown

!

interface vlan 166

  description Rev_Public_Lan

  ip address  192.168.166.1  255.255.255.252

  ip route-cache express

  no shutdown

!

interface vlan 204

  description Courthouse_Wlan

  ip address  192.168.204.254  255.255.255.0

  ip route-cache express

  no shutdown

!

!

ip hw-access-list extended HW-BLOCK-VLANS_9

  deny ip 192.168.204.0 0.0.0.255 192.168.9.0 0.0.0.255

  deny ip 192.168.26.0 0.0.0.255 192.168.9.0 0.0.0.255

  deny ip 192.168.165.0 0.0.0.255 192.168.9.0 0.0.0.7

  permit ip any any

!

ip hw-access-list extended HW-BLOCK-VLANS_26

  deny ip 192.168.204.0 0.0.0.255 192.168.26.0 0.0.0.255

  deny ip 192.168.9.0 0.0.0.255 192.168.26.0 0.0.0.255

  deny ip 192.168.166.0 0.0.0.255 192.168.9.0 0.0.0.7

  permit ip any any

!

!

hw-access-map MY-HW-MAP-9

  forward ip HW-BLOCK-VLANS_9

  vlans 26,165,204

!

hw-access-map MY-HW-MAP-26

  forward ip HW-BLOCK-VLANS_26

  vlans 9,166,204

0 Kudos
1 Solution

Accepted Solutions
Anonymous
Not applicable

Re: Question on Hardware ACL

Jump to solution

:

The configuration you pasted above is different from the one you sent originally.

hw-access-map MY-HW-MAP-26

  forward ip HW-BLOCK-VLANS_26

  vlans 9,166,204

Levi

View solution in original post

0 Kudos
6 Replies
Anonymous
Not applicable

Re: Question on Hardware ACL

Jump to solution

:

Thank you for asking this question in the support community.  The configuration appears to be correct for what you are attempting to accomplish.  Here is the Configuring Hardware ACLs in AOS guide for reference.  Please do not hesitate to reply to this post with any additional questions or information.  I will be happy to help in any way I can.

Levi

Anonymous
Not applicable

Re: Question on Hardware ACL

Jump to solution

Levi, I must have missed somthing even with the ACL's applied I can still ping interface vlan 9 from source of interface vlan 26 which am trying to deny.. See below running config:

interface vlan 1
  no ip address
  ip route-cache express
  no shutdown
!
interface vlan 9
  description Probate
  ip address  192.168.9.254  255.255.255.0
  ip route-cache express
  no shutdown
!
interface vlan 26
  description Revenue_Commission
  ip address  192.168.26.253  255.255.255.0
  ip route-cache express
  no shutdown
!
interface vlan 100
  description Courthouse_Voice
  ip address  192.168.100.254  255.255.255.0
  ip route-cache express
  no shutdown
!
interface vlan 105
  description Goverment_BLDG_P2P
  ip address  10.10.10.2  255.255.255.0
  ip route-cache express
  no shutdown
!
interface vlan 165
  description Rev_Public_Lan
  ip address  192.168.165.1  255.255.255.252
  ip route-cache express
  no shutdown
!
interface vlan 166
  description Probate_Public_Lan
  ip address  192.168.166.1  255.255.255.252
  ip route-cache express
  no shutdown
!
interface vlan 204
  description Courthouse_Wlan
  ip address  192.168.204.254  255.255.255.0
  ip route-cache express
  no shutdown
!
!
!
ip hw-access-list extended HW-BLOCK-VLANS_26
  deny   ip 192.168.204.0 0.0.0.255  192.168.26.0 0.0.0.255
  deny   ip 192.168.9.0 0.0.0.255  192.168.26.0 0.0.0.255
  deny   ip 192.168.166.0 0.0.0.7  192.168.9.0 0.0.0.255
  permit ip any  any
!
ip hw-access-list extended HW-BLOCK-VLANS_9
  deny   ip 192.168.204.0 0.0.0.255  192.168.9.0 0.0.0.255
  deny   ip 192.168.26.0 0.0.0.255  192.168.9.0 0.0.0.255
  deny   ip 192.168.165.0 0.0.0.7  192.168.26.0 0.0.0.255
  permit ip any  any
!
hw-access-map MY-HW-MAP-26
  forward ip HW-BLOCK-VLANS_26
!
hw-access-map MY-HW-MAP-9
  vlans 26,165,204
  forward ip HW-BLOCK-VLANS_9
!
!
!
!
!
end
Courthouse_1544_SW1#ping 192.168.26.253 source 192.168.9.254
Type CTRL+C to abort.
Legend: '!' = Success, '?' = Unknown host, '$' = Invalid host address
        '*' = Request timed out, '-' = Destination host unreachable
        'x' = TTL expired in transit, 'e' = Unknown error

Sending 5, 100-byte ICMP Echos to 192.168.26.253, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
Courthouse_1544_SW1#ping 192.168.9.254 source 192.168.26.253
Type CTRL+C to abort.
Legend: '!' = Success, '?' = Unknown host, '$' = Invalid host address
        '*' = Request timed out, '-' = Destination host unreachable
        'x' = TTL expired in transit, 'e' = Unknown error

Sending 5, 100-byte ICMP Echos to 192.168.9.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
Courthouse_1544_SW1#

Anonymous
Not applicable

Re: Question on Hardware ACL

Jump to solution

:

The configuration you pasted above is different from the one you sent originally.

hw-access-map MY-HW-MAP-26

  forward ip HW-BLOCK-VLANS_26

  vlans 9,166,204

Levi

0 Kudos
Anonymous
Not applicable

Re: Question on Hardware ACL

Jump to solution

Thanks Levi, I have corrected the config and applied it to the 1544. Not sure what I am missing but I can still ping vlan 26 from 9 and 9 from 26. The only difference in the below config is that I do not have the ACL's applied to vlan 204 yet so I would not think that would affect the outcome of the ping test.  Do you see what I have wrong in the configuration? Below is a output from the running config:

!

interface vlan 1
  no ip address
  ip route-cache express
  no shutdown
!
interface vlan 9
  description Probate
  ip address  192.168.9.254  255.255.255.0
  ip route-cache express
  no shutdown
!
interface vlan 26
  description Revenue_Commission
  ip address  192.168.26.253  255.255.255.0
  ip route-cache express
  no shutdown
!
interface vlan 100
  description Courthouse_Voice
  ip address  192.168.100.254  255.255.255.0
  ip route-cache express
  no shutdown
!
interface vlan 105
  description Goverment_BLDG_P2P
  ip address  10.10.10.2  255.255.255.0
  ip route-cache express
  no shutdown
!
interface vlan 165
  description Rev_Public_Lan
  ip address  192.168.165.1  255.255.255.252
  ip route-cache express
  no shutdown
!
interface vlan 166
  description Probate_Public_Lan
  ip address  192.168.166.1  255.255.255.252
  ip route-cache express
  no shutdown
!
interface vlan 204
  description Courthouse_Wlan
  ip address  192.168.204.254  255.255.255.0
  ip route-cache express
  no shutdown
!

!
ip hw-access-list extended HW-BLOCK-VLANS_26
  deny   ip 192.168.204.0 0.0.0.255  192.168.26.0 0.0.0.255
  deny   ip 192.168.9.0 0.0.0.255  192.168.26.0 0.0.0.255
  deny   ip 192.168.166.0 0.0.0.7  192.168.26.0 0.0.0.255
  permit ip any  any
!
ip hw-access-list extended HW-BLOCK-VLANS_9
  deny   ip 192.168.204.0 0.0.0.255  192.168.9.0 0.0.0.255
  deny   ip 192.168.26.0 0.0.0.255  192.168.9.0 0.0.0.255
  deny   ip 192.168.165.0 0.0.0.7  192.168.9.0 0.0.0.255
  permit ip any  any
!
hw-access-map MY-HW-MAP-26
  vlans 9,166
  forward ip HW-BLOCK-VLANS_26
!
hw-access-map MY-HW-MAP-9
  vlans 26,165
  forward ip HW-BLOCK-VLANS_9
!
!
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 192.168.200.0 255.255.255.0 10.10.10.1

!
!
!
!
end
Courthouse_1544_SW1#ping 192.168.9.254 source 192.168.26.253
Type CTRL+C to abort.
Legend: '!' = Success, '?' = Unknown host, '$' = Invalid host address
        '*' = Request timed out, '-' = Destination host unreachable
        'x' = TTL expired in transit, 'e' = Unknown error

Sending 5, 100-byte ICMP Echos to 192.168.9.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
Courthouse_1544_SW1#ping 192.168.26.253 source 192.168.9.254
Type CTRL+C to abort.
Legend: '!' = Success, '?' = Unknown host, '$' = Invalid host address
        '*' = Request timed out, '-' = Destination host unreachable
        'x' = TTL expired in transit, 'e' = Unknown error

Sending 5, 100-byte ICMP Echos to 192.168.26.253, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
Courthouse_1544_SW1#

Anonymous
Not applicable

Re: Question on Hardware ACL

Jump to solution

:

Traffic between VLAN interfaces on the unit should not be affected by the HACL, it would all be handled internally via the CPU (which is what you are doing when you use source pings from the CLI).  When you get a chance, can you test this by pinging from/to devices on the LAN?

Levi

Anonymous
Not applicable

Re: Question on Hardware ACL

Jump to solution

Thanks, that is correct.  Pings from Lan do not work.

Thx for your help