Comware


Creating ACL on HPE Switch 5130 but blocking in two ways

  • 1.  Creating ACL on HPE Switch 5130 but blocking in two ways

    Posted Jul 27, 2018 02:25 PM

    Good afternoon, I would like support for some questions about ACL on HPE 5130 Switch.
     
    In my environment, the switch 5130 is the company's core switch, I've created two VLANs, one for the internal network and the other as a sort of DMZ. At the moment, I am trying to create the ACLs so the DMZ does not access the internal network, but the internal network can access the DMZ.
     
    Doubts:
     
    1) When I create an ACL to block, for example, the ICMP protocol from the DMZ to the internal network, it blocks both ways; however, I want to block only one way. Is there any way to do this with these protocols and others like RDP and SMB?
     
    2) In my research, I found that there is an implicit deny that is not visible, but I had to create an explicit rule to get the total block at the end. Does this implicit deny really exist?
     
    3) Finally, is there any document that outlines best practices for creating ACLs?
     
    Thank you.


    #ACLs


  • 2.  RE: Creating ACL on HPE Switch 5130 but blocking in two ways

    Posted Jul 29, 2018 10:22 PM

    For 1) you would want to explicitly permit "icmp-type 0" from the DMZ. Maybe some others, like type 3 as well, but definitely not type 8.
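    The idea in this reply, written out as an added Comware 7 configuration example (not posted by the author above): a stateless packet filter cannot track sessions, so the DMZ-facing filter permits only the return half of the conversation (echo reply for ping, plus TCP segments with ACK/RST set for RDP, SMB and other TCP services) and then denies everything else from the DMZ. The VLAN numbers, subnets and ACL number are constructed for illustration; older releases spell the first line `acl number 3000`.

    ```text
    acl advanced 3000
     description Return traffic only from DMZ (VLAN 20) into internal LAN (VLAN 10)
     rule 5 permit icmp source 10.0.20.0 0.0.0.255 destination 10.0.10.0 0.0.0.255 icmp-type 0 0
     rule 10 permit icmp source 10.0.20.0 0.0.0.255 destination 10.0.10.0 0.0.0.255 icmp-type 11 0
     rule 15 permit tcp source 10.0.20.0 0.0.0.255 destination 10.0.10.0 0.0.0.255 established
     rule 20 deny ip source 10.0.20.0 0.0.0.255 destination 10.0.10.0 0.0.0.255
     rule 25 permit ip
    #
    interface Vlan-interface 20
     packet-filter 3000 inbound
    ```

    Rule 5 is echo reply (type 0, code 0) and rule 10 is TTL exceeded (type 11, code 0) so ping and traceroute from the LAN still get their answers, while echo requests (type 8) from the DMZ hit rule 20; rule 25 keeps DMZ hosts free to reach anything that is not the internal subnet. The explicit deny in rule 20 is needed because a Comware packet filter permits unmatched packets by default unless `packet-filter default deny` is configured in system view, which is consistent with what the poster observed in question 2.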