ProCurve ACL to prevent a subnet from leaving the switch

Tags: access-control-list, filtering, hp-procurve, networking

I have a single HP ProCurve 2610 in a remote location that is connected in with the rest of the network via SHDSL. There are two Layer-3 networks on this segment. ACLs are set up to deny one subnet (192.0.2.0/24) from ever being able to leave the switch by virtue of being applied to the port attached to the upstream connection. The other subnet should be permitted to freely leave the switch. Both subnets are on the same VLAN.

Unfortunately, sFlow very clearly shows broadcast traffic from 192.0.2.0/24 on the upstream connection. ProCurve ACLs are not my strong suit, but I feel like I'm missing something very simple here.

ip access-list extended "Filter for Camera Network"
   deny ip 192.0.2.0 0.0.0.255 0.0.0.0 255.255.255.255 log
   permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit

interface 24
   name "DSL - UPLINK"
   access-group "Filter for Camera Network" in
   exit

Unless I am mistaken, traffic from 192.0.2.0/24 should be dropped as it crosses the uplink port (int 24), whereas all other traffic will be permitted by the following default-allow rule.

What exactly am I missing here?

EDIT:

Firstly, why do you have two subnets contained in the same VLAN?

Because that's how it was configured by a previous administrator and while it makes conceptual sense that a single subnet is "mapped" to a single VLAN there's no technical constraint that I am aware of that makes this have to be the case.

Instead of filtering inbound traffic on your uplink, you should be filtering outbound traffic.

The HP2600 series can only filter inbound traffic on interfaces. Should I change my filter to deny any to 192.0.2.0/24?

Best Answer

Firstly, why do you have two subnets contained in the same VLAN? Although, that's not your problem here. I can't speak to the syntax of the commands as I haven't configured HP ProCurves, but it seems your logic is off. Instead of filtering inbound traffic on your uplink, you should be filtering outbound traffic. The uplink interface wouldn't receive traffic from that subnet; it would pass traffic through.
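The direction problem the answer describes, and the asker's follow-up question about switching the filter to "deny any to 192.0.2.0/24", can be checked with a small model of how a port ACL is evaluated. The following is an added illustration, not code from the question, the answer, or HP; it models ProCurve-style wildcard (inverse) masks and the rule that an ACL bound "in" on a port is consulted only for packets entering the switch on that port, while an "out" binding is consulted only for packets leaving on it. Port numbers other than 24, the host addresses, and the sample packets are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str     # "permit" or "deny"
    src: str        # source address
    src_wild: str   # source wildcard (inverse) mask: set bits are "don't care"
    dst: str        # destination address
    dst_wild: str   # destination wildcard mask


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under a wildcard mask (0.0.0.255 = any host in a /24)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate_acl(acl: list, src: str, dst: str) -> str:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for entry in acl:
        if wildcard_match(src, entry.src, entry.src_wild) and \
           wildcard_match(dst, entry.dst, entry.dst_wild):
            return entry.action
    return "deny"


# The ACL from the question: deny anything sourced from 192.0.2.0/24, permit the rest.
CAMERA_FILTER = [
    AclEntry("deny", "192.0.2.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
    AclEntry("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

# The asker's proposed alternative: deny anything destined to 192.0.2.0/24.
REVERSE_FILTER = [
    AclEntry("deny", "0.0.0.0", "255.255.255.255", "192.0.2.0", "0.0.0.255"),
    AclEntry("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

UPLINK = 24                 # "DSL - UPLINK" in the question
CAMERA_PORT = 5             # constructed: an access port where a camera is attached

# Bindings map (port, direction) -> ACL, mirroring "access-group ... in|out".
QUESTION_BINDINGS = {(UPLINK, "in"): CAMERA_FILTER}    # what the question configures
REVERSE_BINDINGS = {(UPLINK, "in"): REVERSE_FILTER}    # the asker's follow-up idea
OUTBOUND_BINDINGS = {(UPLINK, "out"): CAMERA_FILTER}   # what the answer recommends


def switch_forward(bindings: dict, ingress_port: int, egress_port: int,
                   src: str, dst: str) -> str:
    """Return "forwarded" or "dropped" for one packet crossing the switch.

    An "in" ACL is checked only against the port the packet arrives on; an "out"
    ACL only against the port it leaves on.  A packet arriving on an access port
    and leaving via the uplink never touches an ACL bound "in" on the uplink.
    """
    for port, direction in ((ingress_port, "in"), (egress_port, "out")):
        acl = bindings.get((port, direction))
        if acl is not None and evaluate_acl(acl, src, dst) == "deny":
            return "dropped"
    return "forwarded"


if __name__ == "__main__":
    # Constructed sample: a camera's broadcast heading out the uplink.
    cam_bcast = (CAMERA_PORT, UPLINK, "192.0.2.10", "255.255.255.255")
    print("inbound ACL on uplink:", switch_forward(QUESTION_BINDINGS, *cam_bcast))
    print("reversed inbound ACL: ", switch_forward(REVERSE_BINDINGS, *cam_bcast))
    print("outbound ACL on uplink:", switch_forward(OUTBOUND_BINDINGS, *cam_bcast))
```

The model reproduces what the sFlow data showed: with the ACL bound "in" on port 24, the camera broadcast enters on the access port, is never compared against the uplink's inbound ACL, and leaves the switch. Reversing the match to "deny any to 192.0.2.0/24" on the same inbound binding only stops replies arriving from upstream, so the broadcast still egresses. The same ACL bound "out" on the uplink is what stops it, which is the answer's point.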