Management and Configuration Guide K/KA/KB.15.15

Examples
Remote gateway case
Configuring ACL "101" (Example 112 (page 373)) and applying it outbound on VLAN 1, as in
Figure 196 (page 373), denies traffic to a destination range that includes the router gateway (10.0.8.1)
needed by devices on other networks. This can prevent the switch from sending ARP and other routing
messages to the gateway router, and so from supporting traffic from authorized remote networks.
Example 112 ACE blocking an entire subnet
In Figure 196 (page 373), this ACE (the deny statement in the listing below) denies access to the 10 Net's
10.0.8.1 router gateway needed by the 20 Net. (The subnet mask is 255.255.255.0, so the ACL wildcard
mask 0.0.0.255 on 10.0.8.30 matches every address in 10.0.8.0/24, including the gateway, not just the
single host 10.0.8.30.)
HP Switch(config)# show access-list config
ip access-list extended "101"
     deny ip 0.0.0.0 255.255.255.255 10.0.8.30 0.0.0.255
     permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
     exit
Figure 196 Inadvertently blocking a gateway
To avoid inadvertently blocking the remote gateway for authorized traffic from another network
(such as the 20 Net in this example), order the ACEs as follows (ACEs are evaluated top down and the
first match is applied, so the permit in step 1 must precede the deny in step 2):
1. Configure an ACE that specifically permits the authorized traffic from the remote network.
2. Configure narrowly defined ACEs to block the unwanted IP traffic that would otherwise use the
gateway; such ACEs might deny traffic for a particular application, for particular hosts, or for an
entire subnet.
3. Configure a "permit any" ACE to allow all remaining IP traffic to move through the gateway.
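The following Python script is an added example, not part of the original guide, that models how a switch
evaluates HP-style extended ACEs (first match wins, implicit "deny any" at the end, wildcard masks where a
0 bit must match and a 1 bit is ignored). It parses the two ACEs of ACL "101" from Example 112 and a corrected
version of the list built with the three steps above, then runs both against sample source/destination pairs.
The 20 Net is assumed to be 10.0.20.0/24 and the intended deny target to be the single host 10.0.8.30;
both are assumptions, since Figure 196 is not reproduced here.

```python
import ipaddress
from dataclasses import dataclass

# HP extended ACE syntax handled here (IP protocol only):
#   <permit|deny> ip <src> <src-wildcard> <dst> <dst-wildcard>
# In the wildcard (ACL mask) a 0 bit means "must match" and a 1 bit
# means "don't care", so "10.0.8.30 0.0.0.255" covers all of 10.0.8.0/24.


@dataclass(frozen=True)
class Ace:
    action: str
    src: int
    src_wild: int
    dst: int
    dst_wild: int


def _ip(text):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def parse_ace(line):
    parts = line.split()
    if len(parts) != 6 or parts[0] not in ("permit", "deny") or parts[1] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    return Ace(parts[0], _ip(parts[2]), _ip(parts[3]), _ip(parts[4]), _ip(parts[5]))


def ace_matches(ace, src, dst):
    # Only the bits where the wildcard is 0 have to agree with the ACE address.
    src_ok = ((src ^ ace.src) & ~ace.src_wild & 0xFFFFFFFF) == 0
    dst_ok = ((dst ^ ace.dst) & ~ace.dst_wild & 0xFFFFFFFF) == 0
    return src_ok and dst_ok


def evaluate(acl_lines, src, dst):
    """First-match evaluation; every HP ACL ends with an implicit 'deny any'."""
    s, d = _ip(src), _ip(dst)
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, s, d):
            return ace.action
    return "deny"


# ACL "101" exactly as shown in Example 112.
ORIGINAL_101 = [
    "deny ip 0.0.0.0 255.255.255.255 10.0.8.30 0.0.0.255",
    "permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
]

# Corrected list built with steps 1-3. Assumed (hypothetical) topology:
# the 20 Net is 10.0.20.0/24 and the host to block is only 10.0.8.30.
CORRECTED_101 = [
    "permit ip 10.0.20.0 0.0.0.255 10.0.8.1 0.0.0.0",              # step 1: 20 Net to the gateway
    "deny ip 0.0.0.0 255.255.255.255 10.0.8.30 0.0.0.0",           # step 2: one host, not the /24
    "permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",   # step 3: permit any
]


def compare(src, dst):
    """Return (original decision, corrected decision) for one flow."""
    return evaluate(ORIGINAL_101, src, dst), evaluate(CORRECTED_101, src, dst)


if __name__ == "__main__":
    # Constructed sample flows: 20 Net host to the gateway, 20 Net host to the
    # blocked host, and an unrelated host to another address in 10.0.8.0/24.
    for src, dst in [("10.0.20.15", "10.0.8.1"),
                     ("10.0.20.15", "10.0.8.30"),
                     ("192.168.1.9", "10.0.8.100")]:
        orig, fixed = compare(src, dst)
        print(f"{src} -> {dst}: original={orig} corrected={fixed}")
```

Running the script shows the failure mode the text describes: under the original ACL "101" a 20 Net host is denied
when it sends to 10.0.8.1, because the wildcard 0.0.0.255 turns a host deny into a subnet deny, while the corrected
list permits that flow, still denies the intended host 10.0.8.30, and no longer blocks the rest of 10.0.8.0/24.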
Local gateway case
If you use the switch itself as the gateway for traffic that you want routed between subnets, use these general
steps to avoid blocking the gateway for authorized applications:
1. Configure gateway security first, for routing, with specific permit and deny statements.
2. Permit the authorized traffic.
3. Deny any unauthorized traffic that you have not already denied in step 1 (page 373).
Unusual network activity 373