ProCurve ACL

Posted on 2016-09-12
Last Modified: 2016-09-19

I need to create an ACL and apply this to a VLAN.

I want this VLAN (102) to only be able to access the internet, with all other traffic blocked - so it will need to talk to a DNS server and a DHCP server.

Has anyone got an example of this?
Question by:Ian Taylor

Expert Comment

ID: 41795358
If you want traffic on the VLAN to only have access to the Internet, don't use ACLs and an internal DNS server; use a VLAN without any L3 interfaces in combination with DHCP on the firewall utilising external DNS servers.

Expert Comment

by:Predrag Jovic
ID: 41795385
You have an excellent and very granular example here. Maybe some new popular services are missing, since it is very granular, and they should be added. :)
ip access-list extended GUEST_access_in
 remark ACL for VLAN GUEST
remark Block traffic to private networks
 deny   ip
 deny   ip
 deny   ip
 deny   ip
 deny   ip
 deny   ip
 deny   ip
 deny   ip
 deny   ip
 remark Allowed DHCP
 permit udp any any eq bootps
 remark Allowed traffic
 permit tcp any eq www
 permit tcp any eq 443
 permit tcp any eq ftp-data
 permit tcp any eq ftp
 permit tcp any eq 22
 permit tcp any eq 465
 permit tcp any eq 587
 permit tcp any eq 993
 permit tcp any eq 995
 permit udp any eq domain
 permit udp any eq ntp
 remark Allowed outside VPN
 remark VPN-> PPTP
 permit tcp any eq 1723
 permit gre any
 remark VPN-> L2TP - IPSec
 permit udp any eq isakmp
 permit udp any eq non500-isakmp
 remark VNC
 permit tcp any eq 5900
 remark Apple
 permit tcp eq 5223
 permit udp range 16384 16403
 remark Amazon
 permit tcp eq 5223
 permit tcp eq 5223
 permit tcp eq 5223
 permit tcp eq 4244
 permit tcp eq 5242
 permit tcp eq 5242
 permit tcp eq 5242
 permit tcp eq 5242
 permit tcp eq 5242
 permit tcp eq 5223
 permit tcp eq 4244
 remark Facebook
 permit tcp object-group FACEBOOK gt 1024 log
 remark Android Market
 permit tcp any eq 5228
 permit udp any eq 5228
 remark XMPP
 permit tcp any eq 5222
 remark Allowed traffic for Web Services Dynamic Discovery
 permit udp host eq 3702
 remark UPnP
 permit udp host eq 1900
 remark Viber
 permit tcp any eq 4244
 permit tcp any eq 5242
 permit udp any eq 5243
 permit udp any eq 7985
 remark ICMP traffic
 permit icmp any echo
 permit icmp any echo-reply
 remark Blocked traffic
 deny   ip any any log
It's Cisco, but it is very similar (if not the same) for HP. This is an example for a VLAN with IP address range

But I guess for most environments
remark Block traffic to private networks
 deny   ip
 deny   ip
 deny   ip
 deny   ip
 deny   ip
 deny   ip
 deny   ip
 deny   ip
 deny   ip
 permit ip any any

would be enough.

Author Comment

by:Ian Taylor
ID: 41796936
Thanks, does this look right:

The subnet is

ip access-list extended "music dept in"
     10 deny ip
     20 permit udp eq 53
     30 permit udp eq 53
     40 permit tcp eq 80
     50 permit tcp eq 443
     60 deny ip

Accepted Solution

Predrag Jovic earned 500 total points
ID: 41797275
To me it looks too restrictive. The first thing that pops to my mind, for example, is that DHCP traffic will be dropped and clients will not be able to get an IP address dynamically, and as a result the DNS servers that you configured in the ACL will not be known (so you need to manually configure IP addresses in that VLAN). There could be a need for FTP or something else, but I don't know what the requirements are for that specific VLAN.

You have bad wildcard mask for is is not

10 deny ip
This will deny traffic from any IP address only to the network
But the way you wrote the rest of the ACL, you can even remove statement 10 and the result will still be the same. :)

And typically can be replaced with the keyword any (not sure for all models)
40 permit tcp any eq 80
60 deny ip any any

And you need to apply it to the interface in the right direction. :)
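A small evaluator of the ACL shapes discussed in this thread, added here as an example; it is not code from the thread or from any switch vendor. The VLAN subnet 10.1.102.0/24, the DNS server 10.1.1.10 and the target of the asker's first deny are placeholder assumptions, since the thread's own addresses are not shown. It applies first-match and implicit-deny semantics to show that the posted ACL drops a DHCP DISCOVER while a version with a bootps entry permits it, and how a wildcard mask of 0.0.0.0 versus 0.0.0.255 (or CIDR /24) changes what an entry matches.

```python
import ipaddress
# Constructed placeholder addresses for this example (not the thread's elided values):
# VLAN 102 is 10.1.102.0/24 and the internal DNS server is 10.1.1.10.
PRIVATE = ["10.0.0.0 0.255.255.255", "172.16.0.0 0.15.255.255", "192.168.0.0 0.0.255.255"]

def parse_spec(spec):
    """Accept 'any', 'net wildcard' (ACL syntax) or CIDR 'net/len'; return (net, wildcard)."""
    if spec == "any":
        return 0, 0xFFFFFFFF
    if "/" in spec:
        n = ipaddress.ip_network(spec, strict=False)
        return int(n.network_address), int(n.hostmask)  # hostmask == wildcard mask
    net, wc = spec.split()
    return int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wc))

def matches(addr, spec):
    """Bits set to 1 in the wildcard are ignored; the remaining bits must equal the network."""
    net, wc = parse_spec(spec)
    keep = ~wc & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & keep) == (net & keep)

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; an extended ACL ends with an implicit 'deny ip any any'."""
    for action, p, s, d, port in acl:
        if p != "ip" and p != proto:
            continue
        if not matches(src, s) or not matches(dst, d):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

# Shape of the ACL posted in the question: DNS and web only, no DHCP entry.
ASKER_ACL = [
    ("deny",   "ip",  "any", "10.1.102.0 0.0.0.255", None),
    ("permit", "udp", "any", "10.1.1.10 0.0.0.0", 53),
    ("permit", "tcp", "any", "any", 80),
    ("permit", "tcp", "any", "any", 443),
    ("deny",   "ip",  "any", "any", None),
]
# Corrected shape: DHCP (bootps, UDP 67) and DNS first, then every private range denied.
FIXED_ACL = [("permit", "udp", "any", "any", 67), ASKER_ACL[1]] + \
    [("deny", "ip", "any", net, None) for net in PRIVATE] + ASKER_ACL[2:]
def dhcp_discover(acl):  # DHCP DISCOVER: from 0.0.0.0 to 255.255.255.255, UDP port 67
    return evaluate(acl, "udp", "0.0.0.0", "255.255.255.255", 67)
def wrong_mask_example():  # wildcard 0.0.0.0 hits one host; 0.0.0.255 (or /24) the subnet
    return [matches("10.1.102.77", s) for s in
            ("10.1.102.0 0.0.0.0", "10.1.102.0 0.0.0.255", "10.1.102.0/24")]
```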

Expert Comment

by:Predrag Jovic
ID: 41805022
Also, maybe you could use CIDR notation /24 instead of a wildcard mask in the ACL, according to the manual, page 10-74.
