Comware


ACL requirement or maybe another solution

  • 1.  ACL requirement or maybe another solution

    Posted Nov 15, 2023 09:50 AM

    Hi folks,

    I have a host (10.0.1.13) with a very old OS that can't be upgraded due to being reliant on the software to run an old printing solution.

    I need to make configuration changes that will allow other hosts on the same VLAN to be able to communicate with it but no communication allowed from any other VLANs to that host.

    I tried the following:

    acl advanced 3010
     rule 5 permit ip source 10.0.1.0 0.0.0.255 destination 10.0.1.13 0
     rule 10 deny ip destination 10.0.1.13 0

    int vlan 501
     packet-filter 3010 outbound

    The above caused network disruption, no one was able to access anything until I reverted the last command.

    Please can someone tell me where I'm going wrong? I'd really appreciate it.



    ------------------------------
    Regards,
    Jay
    ------------------------------


  • 2.  RE: ACL requirement or maybe another solution

    Posted Nov 16, 2023 06:12 AM

    Hi Jay, I think there are two things to focus on:

    1) The direction of the packet-filter

    2) The implicit deny rule

    A filter applied to the inbound direction is applicable to packets going into the interface (e.g. devices on the subnet going to the internet). Your filter permits only one thing which is packets from the subnet to the same subnet. It denies 100% of everything else in that direction since there is an implicit deny at the end of the ACL. Since this rule can't match outbound traffic you are in effect blocking everything from outside the subnet getting to the devices on the subnet.

    This might explain it better than I can: https://community.hpe.com/t5/comware-based/acl-to-block-inter-vlan-traffic/td-p/7098842

    This describes the route keyword:

    https://abouthpnetworking.com/2015/02/09/comware7-routed-port-acl-packet-filter-applies-to-switched-traffic/

    So getting the ACL correct and associating it with the right interface are the key first steps. Starting with an ACL that denies ping and permits everything else would help with testing.
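To make the two points above concrete, here is an added example (my own Python, not code from the thread or from Comware) that evaluates the posted ACL 3010 against a few constructed flows. It models three things the reply describes: first-match rule evaluation with wildcard masks, an implicit deny for packets that match no rule (the `default` parameter), and the direction of a packet-filter on a VLAN interface. The direction model is an assumption that the filter sees only routed traffic: "inbound" is packets from VLAN 501 hosts leaving the subnet, "outbound" is packets from other VLANs routed into it. The addresses 10.0.1.20 and 10.0.2.50 are made up for the example; 10.0.1.13 is the host from the thread.

```python
"""Evaluate a Comware-style advanced ACL and show what a packet-filter on a
VLAN interface does to routed flows in each direction (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

VLAN_501 = ipaddress.ip_network("10.0.1.0/24")   # subnet behind int vlan 501


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                 # "permit" or "deny"
    src: Optional[str] = None   # "address wildcard"; None means any source
    dst: Optional[str] = None   # "address wildcard"; None means any destination


def _wildcard_int(w: str) -> int:
    # Comware accepts a bare "0" as shorthand for 0.0.0.0 (exact host match)
    return int(w) if w.isdigit() else int(ipaddress.ip_address(w))


def wildcard_match(spec: Optional[str], addr: str) -> bool:
    """Wildcard semantics: a 1 bit in the mask means 'don't care'."""
    if spec is None:
        return True
    base, wildcard = spec.split()
    care = ~_wildcard_int(wildcard) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(base)) & care)


def evaluate(rules, src: str, dst: str, default: str = "deny"):
    """First matching rule (by rule number) wins; unmatched packets get `default`,
    i.e. the implicit deny the reply refers to."""
    for rule in sorted(rules, key=lambda r: r.number):
        if wildcard_match(rule.src, src) and wildcard_match(rule.dst, dst):
            return rule.action, rule.number
    return default, None


# ACL 3010 exactly as posted in the thread
ACL_3010 = [
    Rule(5, "permit", src="10.0.1.0 0.0.0.255", dst="10.0.1.13 0"),
    Rule(10, "deny", dst="10.0.1.13 0"),
]

# The same ACL with an explicit catch-all so no flow depends on the default action
ACL_3010_FIXED = ACL_3010 + [Rule(15, "permit")]

# Constructed sample flows (not from the thread): name -> (source, destination)
FLOWS = {
    "pc-same-vlan-to-printer": ("10.0.1.20", "10.0.1.13"),
    "other-vlan-to-printer":   ("10.0.2.50", "10.0.1.13"),
    "other-vlan-to-pc":        ("10.0.2.50", "10.0.1.20"),
    "pc-to-other-vlan":        ("10.0.1.20", "10.0.2.50"),
}


def seen_by_filter(direction: str, src: str, dst: str) -> bool:
    """Assumption: the VLAN-interface filter only sees routed traffic.
    inbound  = packets entering the interface from VLAN 501 hosts, bound elsewhere
    outbound = packets leaving the interface toward VLAN 501 hosts, from elsewhere"""
    s_in = ipaddress.ip_address(src) in VLAN_501
    d_in = ipaddress.ip_address(dst) in VLAN_501
    if direction == "inbound":
        return s_in and not d_in
    if direction == "outbound":
        return d_in and not s_in
    raise ValueError(f"unknown direction {direction!r}")


def apply_policy(rules, direction: str, default: str = "deny") -> dict:
    """Verdict per sample flow for `packet-filter <acl> <direction>` on int vlan 501."""
    results = {}
    for name, (src, dst) in FLOWS.items():
        if not seen_by_filter(direction, src, dst):
            results[name] = "not filtered (switched or wrong direction)"
            continue
        action, number = evaluate(rules, src, dst, default)
        results[name] = f"{action} by rule {number}" if number is not None else f"{action} (default)"
    return results


if __name__ == "__main__":
    for label, rules in (("as posted", ACL_3010), ("with 'rule 15 permit ip'", ACL_3010_FIXED)):
        print(f"packet-filter 3010 outbound, {label}:")
        for name, verdict in apply_policy(rules, "outbound").items():
            print(f"  {name:26} {verdict}")
```

Run as posted, the outbound filter drops the "other-vlan-to-pc" flow by the default action, which is the return traffic every host in VLAN 501 needs and matches the outage Jay saw; adding `rule 15 permit ip` keeps the deny for 10.0.1.13 while permitting everything else explicitly. Whether a real Comware switch applies a deny or a permit to unmatched packets, and whether the VLAN-interface filter also sees switched traffic (the second link above discusses this), is platform and version dependent, so confirm both against the device's documentation before relying on this model.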