Comware

 View Only
last person joined: an hour ago 

Expand all | Collapse all

ACL requirement or maybe another solution

This thread has been viewed 8 times
  • 1.  ACL requirement or maybe another solution

    Posted Nov 15, 2023 09:50 AM

    Hi folks,

    I have a host (10.0.1.13) with a very old OS that can't be upgraded due to being reliant on the software to run an old printing solution.

    I need to make configuration changes that will allow other hosts on the same VLAN to be able to communicate with it but no communication allowed from any other VLANs to that host.

    I tried the following:

    acl advanced 3010
     rule 5 permit ip source 10.0.1.0 0.0.0.255 destination 10.0.1.13 0
     rule 10 deny ip destination 10.0.1.13 0

    int vlan 501
    packet-filter 3010 outbound

    The above caused network disruption, no one was able to access anything until I reverted the last command.

    Please can someone tell me where I'm going wrong? I'd really appreciate it.



    ------------------------------
    Regards,
    Jay
    ------------------------------


  • 2.  RE: ACL requirement or maybe another solution

    Posted Nov 16, 2023 06:12 AM

    Hi Jay, I think there are two things to focus on:

    1) The direction of the packet-filter

    2) The implicit deny rule

    A filter applied to the inbound direction is applicable to packets going into the interface (e.g. devices on the subnet going to the internet). Your filter permits only one thing which is packets from the subnet to the same subnet. It denies 100% of everything else in that direction since there is an implicit deny at the end of the ACL. Since this rule can't match outbound traffic you are in effect blocking everything from outside the subnet getting to the devices on the subnet.

    This might explain it better than I can: https://community.hpe.com/t5/comware-based/acl-to-block-inter-vlan-traffic/td-p/7098842

    This describes the route keyword:

    https://abouthpnetworking.com/2015/02/09/comware7-routed-port-acl-packet-filter-applies-to-switched-traffic/

    So getting the ACL correct and associating with the right interface are key first steps. Start with an ACL with a deny of ping and allow everything else would help testing.




  • 3.  RE: ACL requirement or maybe another solution

    Posted Mar 01, 2024 10:33 AM

    Forgive me for dragging this back up from November last year. I know it's been some time but we're a very small team at the local authority I'm working for and there's lots to do on all aspects of IT infrastructure. I did manage to solve this with your input and the links you shared. 

    My config is now like this:

    acl advanced 3010
     rule 10 permit icmp source 10.0.3.0 0.0.0.255 destination 10.0.1.13 0
     rule 10 comment To allow ping from monitoring subnet
     rule 20 deny ip destination 10.0.1.13 0 logging
     rule 50 permit ip

    interface Vlan-interface501
     description Printing
     ip address 10.0.1.1 255.255.255.0
     packet-filter filter route
     packet-filter 3010 outbound

    and thankfully it works.



    ------------------------------
    Regards,
    Jay
    ------------------------------