HP ProCurve 5412zl ACL Configuration Guide

hp-procurveswitch

I'm new to HP ProCurve and I am having a problem getting a host in a VLAN connected to the internet. I am not certain if the ACL is blocking internet traffic or if there is some other configuration issue. I would like to temporarily disable the ACL without removing all of the rules. Is there a command in this model to disable the ACL? I tried the "ip dont-use-acl" command and received an "Invalid input: dont-use-acl" error.

Core Switch config:
hostname "Prod-Core"
module 1 type j8702a
module 2 type j8702a
module 3 type j8702a
module 4 type j8702a
module 5 type j9309a
module 6 type j8702a
mirror 1 port A24
fault-finder broadcast-storm sensitivity high
fault-finder bad-driver sensitivity high
fault-finder bad-transceiver sensitivity high
fault-finder bad-cable sensitivity high
fault-finder too-long-cable sensitivity high
fault-finder over-bandwidth sensitivity high
fault-finder loss-of-link sensitivity high
fault-finder duplex-mismatch-hdx sensitivity high
fault-finder duplex-mismatch-fdx sensitivity high
fault-finder link-flap sensitivity high
power-over-ethernet pre-std-detect ports F1-F24
timesync sntp
sntp unicast
sntp 60
sntp server priority 1 10.100.12.33
sntp server priority 2 10.100.12.32
time daylight-time-rule continental-us-and-canada
time timezone -360
web-management idle-timeout 900
ip access-list extended "vlan68-DEVEL_ACL"
     10 remark "ACL Applied to the vlan 68 interface (in)"
     11 remark "-----------------------------------------"
     12 remark "Allow traffic to flow within the DEVEL vlan"
     13 permit ip 10.100.68.0 0.0.3.255 10.100.68.0 0.0.3.255
     22 remark "Allow 80, 443 for Exchange and KBOX"
     23 remark "-----------------------------------------"
     24 permit tcp 10.100.68.0 0.0.3.255 10.100.15.40 0.0.0.0 eq 80
     25 permit tcp 10.100.68.0 0.0.3.255 10.100.15.40 0.0.0.0 eq 443
     26 permit tcp 10.100.68.0 0.0.3.255 10.100.15.91 0.0.0.0 eq 80
     27 permit tcp 10.100.68.0 0.0.3.255 10.100.15.91 0.0.0.0 eq 443
     28 permit tcp 10.100.68.0 0.0.3.255 10.100.15.98 0.0.0.0 eq 80
     29 permit tcp 10.100.68.0 0.0.3.255 10.100.15.98 0.0.0.0 eq 443
     30 remark "Block 80, 443"
     31 remark "-----------------------------------------"
     32 deny tcp 10.100.68.0 0.0.3.255 10.100.12.0 0.0.3.255 eq 80
     33 deny tcp 10.100.68.0 0.0.3.255 10.100.12.0 0.0.3.255 eq 443
     80 remark "Allow Other Dev to Prod traffic"
     81 remark "-------------------------------"
     82 permit ip 10.100.68.0 0.0.3.255 10.100.12.0 0.0.3.255
     90 remark "Allow Everything else (Internet)"
     91 remark "--------------------------------"
     92 permit ip 10.100.68.0 0.0.3.255 0.0.0.0 255.255.255.255
     100 remark "Allow return Internet traffic"
     101 remark "--------------------------------"
     102 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
ip authorized-managers 10.100.12.0 255.255.252.0 access manager
ip default-gateway 10.100.12.1
ip route 0.0.0.0 0.0.0.0 10.100.12.1
ip routing
..........
..........
..........
snmp-server community "public" unrestricted
snmp-server host 10.100.13.130 community "public" trap-level critical
snmp-server contact "Dave Guyton - 2463" location "HQ"
vlan 1
   name "DEFAULT_VLAN"
   no untagged D1-D3,D7,D9,D11,D14,D16,E1-E4,F1-F24
   untagged A1-A24,B1-B24,C1-C24,D4-D6,D8,D10,D12-D13,D15,D17-D24
   ip address 10.100.12.10 255.255.252.0
   ip local-proxy-arp
   forbid D14,D16
   exit
vlan 5
   name "CharterInternetHA"
   untagged D1-D3
   no ip address
   forbid A1-A24,B3-B24,C1-C24,D5-D24
   exit
vlan 6
   name "AT&TInternetHA"
   untagged D7,D9,D11
   no ip address
   forbid A1-A24,B3-B24,C1-C24,D1-D6,D8,D10,D12-D24
   exit
vlan 7
   name "iSCSI VLAN"
   untagged E1-E4,F1-F24
   no ip address
   forbid A1-A24,B1-B24,C1-C24,D1-D24
   exit
vlan 10
   name "DMZ-Guest-WLAN"
   tagged D14,D16,D20
   no ip address
   exit
vlan 68
   name "DEVEL-68"
   tagged A19,D23-D24
   ip access-group "vlan68-DEVEL_ACL" in
   ip address 10.100.68.1 255.255.252.0
   ip local-proxy-arp
   exit
vlan 72
   name "VOICE"
   tagged D23-D24
   ip address 10.100.72.1 255.255.255.0
   ip local-proxy-arp
   dhcp-server
   exit
no spanning-tree bpdu-throttle
no autorun
no dhcp config-file-update
no dhcp image-file-update
dhcp-server pool "vlan72-Voice"
   authoritative
   default-router "10.100.72.1"
   dns-server "10.100.12.33,10.100.12.32"
   domain-name "memco.local"
   lease 08:00:00
   network 10.100.72.0 255.255.255.0
   option 4 ip "10.100.12.33,10.100.12.32"
   option 42 ip "10.100.12.33,10.100.12.32"
   option 156 ascii "ftpservers=10.100.13.16, layer2tagging=1, vlanid=72"
   range 10.100.72.75 10.100.72.253
   exit
dhcp-server enable

 IP Route Entries

  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  0.0.0.0/0          10.100.12.1     1    static               1          1
  10.100.12.0/22     DEFAULT_VLAN    1    connected            1          0
  10.100.68.0/22     DEVEL-68        68   connected            1          0
  10.100.72.0/24     VOICE           72   connected            1          0
  127.0.0.0/8        reject               static               0          0
  127.0.0.1/32       lo0                  connected            1          0

Dev Switch Config:
hostname "DEV-4th floor"
module 1 type j8702a
module 2 type j8702a
module 3 type j8702a
module 4 type j8702a
module 5 type j8702a
module 6 type j8702a
module 7 type j8702a
module 8 type j8702a
mirror 1 port A24
mirror 3 port A8
fault-finder broadcast-storm sensitivity high
fault-finder bad-driver sensitivity high
fault-finder bad-transceiver sensitivity high
fault-finder bad-cable sensitivity high
fault-finder too-long-cable sensitivity high
fault-finder over-bandwidth sensitivity high
fault-finder loss-of-link sensitivity high
fault-finder duplex-mismatch-hdx sensitivity high
fault-finder duplex-mismatch-fdx sensitivity high
power-over-ethernet pre-std-detect ports B13,B23,C19,F20,F22,F24,H1-H24
qos device-priority 10.100.13.116/0 priority 7
timesync sntp
sntp unicast
sntp 60
sntp server priority 1 10.100.12.33
sntp server priority 2 10.100.12.32
time daylight-time-rule continental-us-and-canada
time timezone -360
ip authorized-managers 10.100.12.0 255.255.252.0 access manager
ip default-gateway 10.100.12.1
ip timep manual 10.100.12.32
..........
..........
..........
snmp-server community "public" unrestricted
snmp-server host 10.100.12.45 community "public" trap-level not-info
no snmp-server enable traps link-change A4
snmp-server contact "Dave Guyton - 2463" location "HQ"
vlan 1
   name "DEFAULT_VLAN"
   no untagged G19,G21,G23,H1-H24
   untagged A1-A24,B1-B24,C1-C24,D1-D24,E1-E24,F1-F24,G1-G18,G20,G22,G24
   ip address 10.100.12.9 255.255.252.0
   forbid G19,G21,G23
   exit
vlan 10
   name "GuestVLAN"
   tagged G19,G21,G23
   no ip address
   exit
vlan 68
   name "DEVEL-68"
   untagged H1-H24
   tagged B19
   ip address 10.100.68.9 255.255.252.0
   exit
vlan 72
   name "VOICE"
   tagged A1-A24,B1-B24,C1-C24,D1-D24,E1-E24,F1-F19,F21,F23,G1-G6,G8-G24,H1-H24
   ip address 10.100.72.9 255.255.255.0
   forbid F20,F22,F24,G7
   exit
no spanning-tree bpdu-throttle
no autorun
no dhcp config-file-update
no dhcp image-file-update

 IP Route Entries

  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  0.0.0.0/0          10.100.12.1     1    static               250        1
  10.100.12.0/22     DEFAULT_VLAN    1    connected            1          0
  10.100.68.0/22     DEVEL-68        68   connected            1          0
  10.100.72.0/24     VOICE           72   connected            1          0
  127.0.0.0/8        reject               static               0          0
  127.0.0.1/32       lo0                  connected            1          0
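Before pulling the ACL off the interface, it helps to check what it actually decides for a given flow. The following is an added example, not code from the question or answer: it parses the "vlan68-DEVEL_ACL" permit/deny entries posted above (remarks and the .91/.98 entries omitted) and evaluates flows with first-match, wildcard-mask and implicit-deny semantics. The destination 203.0.113.5 is a constructed stand-in for an internet host.

```python
import ipaddress

# Constructed from the "vlan68-DEVEL_ACL" entries in the question; remarks and
# the duplicate 80/443 entries for 10.100.15.91 and .98 are omitted for brevity.
ACL_TEXT = """
13 permit ip 10.100.68.0 0.0.3.255 10.100.68.0 0.0.3.255
24 permit tcp 10.100.68.0 0.0.3.255 10.100.15.40 0.0.0.0 eq 80
25 permit tcp 10.100.68.0 0.0.3.255 10.100.15.40 0.0.0.0 eq 443
32 deny tcp 10.100.68.0 0.0.3.255 10.100.12.0 0.0.3.255 eq 80
33 deny tcp 10.100.68.0 0.0.3.255 10.100.12.0 0.0.3.255 eq 443
82 permit ip 10.100.68.0 0.0.3.255 10.100.12.0 0.0.3.255
92 permit ip 10.100.68.0 0.0.3.255 0.0.0.0 255.255.255.255
102 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""

def wildcard_match(addr, base, wildcard):
    """Wildcard (inverse) mask: a 1 bit means 'don't care', a 0 bit must match."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)

def parse_acl(text):
    """Parse 'seq action proto src smask dst dmask [eq port]' entries."""
    rules = []
    for line in text.strip().splitlines():
        f = line.split()
        port = int(f[8]) if len(f) > 8 and f[7] == "eq" else None
        rules.append((int(f[0]), f[1], f[2], f[3], f[4], f[5], f[6], port))
    return rules

def evaluate(rules, src, dst, proto="ip", dport=None):
    """First matching entry decides; no match falls through to the implicit deny."""
    for seq, action, rproto, rsrc, smask, rdst, dmask, rport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if not (wildcard_match(src, rsrc, smask) and wildcard_match(dst, rdst, dmask)):
            continue
        if rport is not None and rport != dport:
            continue
        return action, seq
    return "deny", None

RULES = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    # A DEVEL host to an internet web server: permitted by entry 92.
    print(evaluate(RULES, "10.100.68.10", "203.0.113.5", "tcp", 443))
    # The same host to a production web server on VLAN 1: denied by entry 33.
    print(evaluate(RULES, "10.100.68.10", "10.100.12.33", "tcp", 443))
```

Because the list is applied inbound on VLAN 68, only packets entering the switch from that VLAN are checked against it; internet traffic from DEVEL hosts reaches entry 92 and is permitted, so this ACL is not what blocks the outbound half of that connection.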

Best Answer

Thanks, config makes it easier :)

When you look at the config file, each item (excluding "module") is a configuration command you can give on the CLI. And every command is negated with a preceding "no". So if you want to disable the ACL for a duration, just

no ip access-group "vlan68-DEVEL_ACL" in

This will remove it from the interface, but won't touch the rules. When you're done with testing, give command

ip access-group "vlan68-DEVEL_ACL" in

and it's re-applied. Of course, since this is applied to a VLAN, you need to be in the VLAN configuration context, so this is what it looks like in practice (with the prompt):

configure
vlan 68
no ip access-group "vlan68-DEVEL_ACL" in

This will change the running config. If you need the configuration w/o ACL to survive a reboot, you need to give command

write memory

last to save to startup config. Even after this, you re-apply the ACL the same way; just don't forget to "write memory" ;-)