I have a host (10.0.1.13) with a very old OS that can't be upgraded due to being reliant on the software to run an old printing solution.
I need to make configuration changes that will allow other hosts on the same VLAN to be able to communicate with it but no communication allowed from any other VLANs to that host.
I tried the following:
acl advanced 3010
rule 5 permit ip source 10.0.1.0 0.0.0.255 destination 10.0.1.13 0
rule 10 deny ip destination 10.0.1.13 0
int vlan 501
packet-filter 3010 outbound
The above caused network disruption; no one was able to access anything until I reverted the last command.
Please can someone tell me where I'm going wrong? I'd really appreciate it.
Hi Jay, I think there are two things to focus on:
1) The direction of the packet-filter
2) The implicit deny rule
A filter applied to the inbound direction is applicable to packets going into the interface (e.g. devices on the subnet going to the internet). Your filter permits only one thing which is packets from the subnet to the same subnet. It denies 100% of everything else in that direction since there is an implicit deny at the end of the ACL. Since this rule can't match outbound traffic you are in effect blocking everything from outside the subnet getting to the devices on the subnet.
This might explain it better than I can: https://community.hpe.com/t5/comware-based/acl-to-block-inter-vlan-traffic/td-p/7098842
This describes the route keyword:
So getting the ACL correct and associating it with the right interface are key first steps. Starting with an ACL that denies ping and allows everything else would help testing.
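Added example, not part of the thread or of HPE documentation: a small Python model that evaluates the ACL 3010 rules from the question in rule-ID order with wildcard-mask matching, showing which flows hit rule 5, rule 10, or no rule at all. The fall-through action defaults to deny as the reply above describes (an assumption taken from the reply, exposed as a parameter); sample addresses other than 10.0.1.13 are constructed, and interface direction is not modelled.

```python
import ipaddress

# The poster's ACL 3010, copied from the question.
ACL_3010 = """\
rule 5 permit ip source 10.0.1.0 0.0.0.255 destination 10.0.1.13 0
rule 10 deny ip destination 10.0.1.13 0
"""

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_rule(line):
    """Parse 'rule N permit|deny ip [source A W] [destination A W]'."""
    tok = line.split()
    rule = {"id": int(tok[1]), "action": tok[2], "source": None, "destination": None}
    i = 4  # skip 'rule', id, action, 'ip'
    while i < len(tok):
        # wildcard "0" is shorthand for 0.0.0.0 (exact host match)
        wild = "0.0.0.0" if tok[i + 2] == "0" else tok[i + 2]
        rule[tok[i]] = (_to_int(tok[i + 1]), _to_int(wild))
        i += 3
    return rule

def field_matches(spec, addr):
    if spec is None:           # field absent from the rule: matches any address
        return True
    base, wild = spec
    care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (_to_int(addr) & care) == (base & care)

def evaluate(rules, src, dst, default_action="deny"):
    """Return (rule id or None, action) for the first matching rule."""
    for r in sorted(rules, key=lambda r: r["id"]):
        if field_matches(r["source"], src) and field_matches(r["destination"], dst):
            return r["id"], r["action"]
    # No rule matched: the fall-through action (assumed deny, per the reply).
    return None, default_action

RULES = [parse_rule(l) for l in ACL_3010.splitlines() if l.strip()]

if __name__ == "__main__":
    # Constructed sample flows; only 10.0.1.13 and 10.0.1.0/24 come from the post.
    for src, dst in [("10.0.1.20", "10.0.1.13"), ("10.0.2.7", "10.0.1.13"),
                     ("10.0.2.7", "10.0.1.20"), ("10.0.1.20", "192.0.2.10")]:
        print(src, "->", dst, evaluate(RULES, src, dst))
```

Flows that return a rule id of `None` are the ones decided by the fall-through action rather than by either configured rule.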