6 Replies Latest reply on Jul 10, 2013 10:55 AM by jtphoneman

    Question on Hardware ACL

    jtphoneman New Member


      Hello, I have a 1544 in production with 7 Vlans built, vlans 9,26,100,105,204,165 and 166. I need to make sure vlan 9 denies all traffic that originates from vlan 26,165 and 204. I need to make sure vlan 26 denies all requests originating from vlan 9, 166 and 204. Basically, I do not want any machines in vlan 26, 165 or 204 to be able to ping vlan 9, or any machines in vlan 9, 166 or 204 to be able to ping vlan 26. I am trying to do this with Hardware ACLs. Below are the Vlans and ACLs. I am just trying to get this config verified before I add these ACLs to the working 1544. Thanks

      !
      !
      interface vlan 9
        description Probate
        ip address  192.168.9.254  255.255.255.0
        ip route-cache express
        no shutdown
      !
      interface vlan 26
        description Revenue_Commission
        ip address  192.168.26.253  255.255.255.0
        ip route-cache express
        no shutdown
      !
      interface vlan 100
        description Courthouse_Voice
        ip address  192.168.100.254  255.255.255.0
        ip route-cache express
        no shutdown
      !
      interface vlan 105
        description Goverment_BLDG_P2P
        ip address  10.10.10.2  255.255.255.0
        ip route-cache express
        no shutdown
      !
      interface vlan 165
        description Rev_Public_Lan
        ip address  192.168.165.1  255.255.255.252
        ip route-cache express
        no shutdown
      !
      interface vlan 166
        description Rev_Public_Lan
        ip address  192.168.166.1  255.255.255.252
        ip route-cache express
        no shutdown
      !
      interface vlan 204
        description Courthouse_Wlan
        ip address  192.168.204.254  255.255.255.0
        ip route-cache express
        no shutdown
      !
      !
      ip hw-access-list extended HW-BLOCK-VLANS_9
        deny ip 192.168.204.0 0.0.0.255 192.168.9.0 0.0.0.255
        deny ip 192.168.26.0 0.0.0.255 192.168.9.0 0.0.0.255
        deny ip 192.168.165.0 0.0.0.255 192.168.9.0 0.0.0.7
        permit ip any any
      !
      ip hw-access-list extended HW-BLOCK-VLANS_26
        deny ip 192.168.204.0 0.0.0.255 192.168.26.0 0.0.0.255
        deny ip 192.168.9.0 0.0.0.255 192.168.26.0 0.0.0.255
        deny ip 192.168.166.0 0.0.0.255 192.168.9.0 0.0.0.7
        permit ip any any
      !
      !
      hw-access-map MY-HW-MAP-9
        forward ip HW-BLOCK-VLANS_9
        vlans 26,165,204
      !
      hw-access-map MY-HW-MAP-26
        forward ip HW-BLOCK-VLANS_26
        vlans 9,166,204

        • Re: Question on Hardware ACL
          levi Employee

          jtphoneman:

          Thank you for asking this question in the support community.  The configuration appears to be correct for what you are attempting to accomplish.  Here is the Configuring Hardware ACLs in AOS guide for reference.  Please do not hesitate to reply to this post with any additional questions or information.  I will be happy to help in any way I can.

          Levi

            • Re: Question on Hardware ACL
              jtphoneman New Member

              Levi, I must have missed something. Even with the ACLs applied I can still ping interface vlan 9 from the source of interface vlan 26, which I am trying to deny. See below running config:


              interface vlan 1
                no ip address
                ip route-cache express
                no shutdown
              !
              interface vlan 9
                description Probate
                ip address  192.168.9.254  255.255.255.0
                ip route-cache express
                no shutdown
              !
              interface vlan 26
                description Revenue_Commission
                ip address  192.168.26.253  255.255.255.0
                ip route-cache express
                no shutdown
              !
              interface vlan 100
                description Courthouse_Voice
                ip address  192.168.100.254  255.255.255.0
                ip route-cache express
                no shutdown
              !
              interface vlan 105
                description Goverment_BLDG_P2P
                ip address  10.10.10.2  255.255.255.0
                ip route-cache express
                no shutdown
              !
              interface vlan 165
                description Rev_Public_Lan
                ip address  192.168.165.1  255.255.255.252
                ip route-cache express
                no shutdown
              !
              interface vlan 166
                description Probate_Public_Lan
                ip address  192.168.166.1  255.255.255.252
                ip route-cache express
                no shutdown
              !
              interface vlan 204
                description Courthouse_Wlan
                ip address  192.168.204.254  255.255.255.0
                ip route-cache express
                no shutdown
              !
              !
              !
              ip hw-access-list extended HW-BLOCK-VLANS_26
                deny   ip 192.168.204.0 0.0.0.255  192.168.26.0 0.0.0.255
                deny   ip 192.168.9.0 0.0.0.255  192.168.26.0 0.0.0.255
                deny   ip 192.168.166.0 0.0.0.7  192.168.9.0 0.0.0.255
                permit ip any  any
              !
              ip hw-access-list extended HW-BLOCK-VLANS_9
                deny   ip 192.168.204.0 0.0.0.255  192.168.9.0 0.0.0.255
                deny   ip 192.168.26.0 0.0.0.255  192.168.9.0 0.0.0.255
                deny   ip 192.168.165.0 0.0.0.7  192.168.26.0 0.0.0.255
                permit ip any  any
              !
              hw-access-map MY-HW-MAP-26
                forward ip HW-BLOCK-VLANS_26
              !
              hw-access-map MY-HW-MAP-9
                vlans 26,165,204
                forward ip HW-BLOCK-VLANS_9
              !
              !
              !
              !
              !
              end
              Courthouse_1544_SW1#ping 192.168.26.253 source 192.168.9.254
              Type CTRL+C to abort.
              Legend: '!' = Success, '?' = Unknown host, '$' = Invalid host address
                      '*' = Request timed out, '-' = Destination host unreachable
                      'x' = TTL expired in transit, 'e' = Unknown error

              Sending 5, 100-byte ICMP Echos to 192.168.26.253, timeout is 2 seconds:
              !!!!!
              Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
              Courthouse_1544_SW1#ping 192.168.9.254 source 192.168.26.253
              Type CTRL+C to abort.
              Legend: '!' = Success, '?' = Unknown host, '$' = Invalid host address
                      '*' = Request timed out, '-' = Destination host unreachable
                      'x' = TTL expired in transit, 'e' = Unknown error

              Sending 5, 100-byte ICMP Echos to 192.168.9.254, timeout is 2 seconds:
              !!!!!
              Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
              Courthouse_1544_SW1#

                • Re: Question on Hardware ACL
                  levi Employee

                  jtphoneman:

                  The configuration you pasted above is different from the one you sent originally.

                  hw-access-map MY-HW-MAP-26
                    forward ip HW-BLOCK-VLANS_26
                    vlans 9,166,204

                  Levi

                    • Re: Question on Hardware ACL
                      jtphoneman New Member

                      Thanks Levi, I have corrected the config and applied it to the 1544. Not sure what I am missing, but I can still ping vlan 26 from 9 and 9 from 26. The only difference in the below config is that I do not have the ACLs applied to vlan 204 yet, so I would not think that would affect the outcome of the ping test. Do you see what I have wrong in the configuration? Below is output from the running config:

                      !
                      interface vlan 1
                        no ip address
                        ip route-cache express
                        no shutdown
                      !
                      interface vlan 9
                        description Probate
                        ip address  192.168.9.254  255.255.255.0
                        ip route-cache express
                        no shutdown
                      !
                      interface vlan 26
                        description Revenue_Commission
                        ip address  192.168.26.253  255.255.255.0
                        ip route-cache express
                        no shutdown
                      !
                      interface vlan 100
                        description Courthouse_Voice
                        ip address  192.168.100.254  255.255.255.0
                        ip route-cache express
                        no shutdown
                      !
                      interface vlan 105
                        description Goverment_BLDG_P2P
                        ip address  10.10.10.2  255.255.255.0
                        ip route-cache express
                        no shutdown
                      !
                      interface vlan 165
                        description Rev_Public_Lan
                        ip address  192.168.165.1  255.255.255.252
                        ip route-cache express
                        no shutdown
                      !
                      interface vlan 166
                        description Probate_Public_Lan
                        ip address  192.168.166.1  255.255.255.252
                        ip route-cache express
                        no shutdown
                      !
                      interface vlan 204
                        description Courthouse_Wlan
                        ip address  192.168.204.254  255.255.255.0
                        ip route-cache express
                        no shutdown
                      !

                      !
                      ip hw-access-list extended HW-BLOCK-VLANS_26
                        deny   ip 192.168.204.0 0.0.0.255  192.168.26.0 0.0.0.255
                        deny   ip 192.168.9.0 0.0.0.255  192.168.26.0 0.0.0.255
                        deny   ip 192.168.166.0 0.0.0.7  192.168.26.0 0.0.0.255
                        permit ip any  any
                      !
                      ip hw-access-list extended HW-BLOCK-VLANS_9
                        deny   ip 192.168.204.0 0.0.0.255  192.168.9.0 0.0.0.255
                        deny   ip 192.168.26.0 0.0.0.255  192.168.9.0 0.0.0.255
                        deny   ip 192.168.165.0 0.0.0.7  192.168.9.0 0.0.0.255
                        permit ip any  any
                      !
                      hw-access-map MY-HW-MAP-26
                        vlans 9,166
                        forward ip HW-BLOCK-VLANS_26
                      !
                      hw-access-map MY-HW-MAP-9
                        vlans 26,165
                        forward ip HW-BLOCK-VLANS_9
                      !
                      !
                      !
                      ip route 0.0.0.0 0.0.0.0 10.10.10.1
                      ip route 192.168.200.0 255.255.255.0 10.10.10.1

                      !
                      !
                      !
                      !
                      end
                      Courthouse_1544_SW1#ping 192.168.9.254 source 192.168.26.253
                      Type CTRL+C to abort.
                      Legend: '!' = Success, '?' = Unknown host, '$' = Invalid host address
                              '*' = Request timed out, '-' = Destination host unreachable
                              'x' = TTL expired in transit, 'e' = Unknown error

                      Sending 5, 100-byte ICMP Echos to 192.168.9.254, timeout is 2 seconds:
                      !!!!!
                      Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
                      Courthouse_1544_SW1#ping 192.168.26.253 source 192.168.9.254
                      Type CTRL+C to abort.
                      Legend: '!' = Success, '?' = Unknown host, '$' = Invalid host address
                              '*' = Request timed out, '-' = Destination host unreachable
                              'x' = TTL expired in transit, 'e' = Unknown error

                      Sending 5, 100-byte ICMP Echos to 192.168.26.253, timeout is 2 seconds:
                      !!!!!
                      Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
                      Courthouse_1544_SW1#
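An added example, not from the thread or from ADTRAN: a small Python evaluator for IOS-style wildcard-mask ACEs (assumed here to match how AOS hw-access-lists are evaluated: first matching entry wins, implicit deny after the last one), run over the HW-BLOCK-VLANS_9 entries posted above. It shows that the swapped wildcards on the first post's third ACE let VLAN 165 traffic reach VLAN 9 while the corrected ACE denies it, and that both versions deny the 26-to-9 pair pinged in the thread, so the ACE text alone does not explain the last successful ping; the model covers addresses only, not whether the hardware applies the map to traffic the switch itself sources.

```python
import ipaddress

# Added example (not from the thread or from ADTRAN). Assumes IOS-style wildcard
# semantics, 'any' = 0.0.0.0 255.255.255.255, and an implicit deny after the last ACE.

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_ace(line):
    """'deny ip 192.168.9.0 0.0.0.255 192.168.26.0 0.0.0.255' -> (action, (net, wc), (net, wc))."""
    tok = line.split()
    action, rest = tok[0], tok[2:]      # tok[1] is the protocol; only 'ip' ACEs are handled here
    fields = []
    for _ in range(2):                  # source, then destination
        if rest[0] == "any":
            fields.append((0, 0xFFFFFFFF)); rest = rest[1:]
        else:
            fields.append((_ip(rest[0]), _ip(rest[1]))); rest = rest[2:]
    return action, fields[0], fields[1]

def wc_match(addr, net, wc):
    """Wildcard match: bits set in wc are 'don't care'; every other bit must equal the network."""
    return ((_ip(addr) ^ net) & ~wc & 0xFFFFFFFF) == 0

def evaluate(acl_lines, src, dst):
    """First matching ACE decides; traffic matching no ACE is implicitly denied."""
    for action, (sn, sw), (dn, dw) in map(parse_ace, acl_lines):
        if wc_match(src, sn, sw) and wc_match(dst, dn, dw):
            return action
    return "deny"

# ACEs copied from the thread: HW-BLOCK-VLANS_9 as first posted (third ACE has the
# wildcards swapped) and as it appears in the final post.
ORIG_9 = ["deny ip 192.168.204.0 0.0.0.255 192.168.9.0 0.0.0.255",
          "deny ip 192.168.26.0 0.0.0.255 192.168.9.0 0.0.0.255",
          "deny ip 192.168.165.0 0.0.0.255 192.168.9.0 0.0.0.7",
          "permit ip any any"]
FIXED_9 = ["deny ip 192.168.204.0 0.0.0.255 192.168.9.0 0.0.0.255",
           "deny ip 192.168.26.0 0.0.0.255 192.168.9.0 0.0.0.255",
           "deny ip 192.168.165.0 0.0.0.7 192.168.9.0 0.0.0.255",
           "permit ip any any"]

def compare(src, dst):
    """Verdict of the original and corrected list for one source/destination pair."""
    return evaluate(ORIG_9, src, dst), evaluate(FIXED_9, src, dst)

if __name__ == "__main__":
    # VLAN 165 gateway to VLAN 9 gateway: 0.0.0.7 on the destination only covers
    # 192.168.9.0-7, so the original list permits it; the corrected list denies it.
    print(compare("192.168.165.1", "192.168.9.254"))    # ('permit', 'deny')
    # The 26-to-9 pair pinged in the thread is denied by both versions.
    print(compare("192.168.26.253", "192.168.9.254"))   # ('deny', 'deny')
```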