Advanced ACL syntax for HPE 5700

  • 1.  Advanced ACL syntax for HPE 5700

    Posted Oct 03, 2022 04:18 PM
    Good Day,

    We are building a dev environment on a unique VLAN (in vSphere).  What we need to do now is make sure that machines in that VLAN can only get out to the web (for 3rd party devs to access things), but prevent the VLAN from having any insight into the rest of our network.  The Comware switch that the VM environment is tied to is configured as the gateway for the VLAN.  I've looked at the syntax examples in the HPE documents, and all they really do is confuse things.

    (IPs are examples only) What we want is to prevent anything with an address of 10.10.10.x (VMs for devs) from being able to reach 10.20.20.x (our primary gateway).

    I've tried this: rule 1 deny tcp 10.10.10.0 0 destination tcp 10.20.20.0 0

    A machine in the 10.10.10.0 range is still able to ping 10.20.20.0

    What syntax do I need to use to lock down the dev environment?  The HPE example of using an ACL to limit access for time of day is nice but entirely useless to me.


  • 2.  RE: Advanced ACL syntax for HPE 5700

    Posted Oct 04, 2022 02:13 AM
    You could do something like this:

    acl number 3111 name VM-devs
      rule 0 deny ip source 10.10.10.0 0.0.0.255 destination 10.20.20.0 0.0.0.255

    Hope this helps, Gorazd

    ------------------------------
    Gorazd Kikelj
    ------------------------------



  • 3.  RE: Advanced ACL syntax for HPE 5700

    Posted Oct 04, 2022 02:39 AM
    The key point here is the wildcard mask.

    This great web tool makes it easy to work out wildcard masks for any given subnet: https://www.subnet-calculator.com/cidr.php

    A wildcard mask of 0 (your example) means a single host.

    Ian.


  • 4.  RE: Advanced ACL syntax for HPE 5700

    Posted Oct 04, 2022 07:03 AM
    The ACL looks like this:

    acl number 3029 "Radios VLAN restrictions"
     rule 0 permit udp source 10.10.29.0 0.0.0.15 destination-port range bootps bootpc
     rule 0 comment "Allow DHCP requests"
     
     rule 2 permit ip source 10.10.29.0 0.0.0.15 destination 10.10.9.99 0.0.0.0 
     rule 2 comment "Allow management workstation"
     
     rule 5 permit udp source 10.10.29.0 0.0.0.15 destination-port eq dns
     rule 5 comment "Allow DNS queries"
     
     rule 16 deny ip source 10.10.29.0 0.0.0.15 destination 10.10.0.0 0.0.255.255
     rule 16 comment "Deny VLAN29 to ANY 10.10.x.x VLAN traffic"
     
     rule 17 deny ip source 10.10.29.0 0.0.0.15 destination 10.0.0.0 0.0.255.255
     rule 17 comment "Deny VLAN29 to Default 10.0.x.x VLAN traffic"
     
     rule 20 permit ip

    And it is applied inbound on VLAN 29:

    [HPE5900-SR1-Vlan-interface29]dis thi
    #
    interface Vlan-interface29
     ip address 10.10.29.14 255.255.255.240
     packet-filter filter route
     packet-filter 3029 inbound


    ------------------------------
    spgsitsupport
    ------------------------------
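Added example (not from any poster in this thread): a small Python model of how a Comware advanced ACL evaluates a packet, covering the two points the replies make. First, the wildcard mask is the inverse of the subnet mask, so a mask of 0 (the OP's rule) is a single host and 0.0.0.255 is a /24; because the OP's rule also only names tcp, an ICMP ping from any host but 10.10.10.0 never matches it. Second, rules are checked in rule-number order and the first match wins, which is why reply 4 puts the DHCP, management and DNS permits before the deny rules and ends with a catch-all permit. The port numbers for bootps, bootpc and dns are the well-known values; the "unmatched traffic is permitted by default" behaviour is assumed from Comware 7 and is parameterised so it can be changed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known port values for the names used in reply 4's ACL
PORT_NAMES = {"bootps": 67, "bootpc": 68, "dns": 53}


def wildcard_for_prefix(prefix: str) -> str:
    """Comware wildcard mask for a CIDR prefix: the inverse of the subnet mask.
    10.10.10.0/24 -> 0.0.0.255, 10.10.29.0/28 -> 0.0.0.15, a /32 host -> 0.0.0.0."""
    net = ipaddress.ip_network(prefix, strict=False)
    return str(net.hostmask)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'don't care'; 0 means 'must equal the base'.
    Comware accepts the shorthand '0' for 0.0.0.0 (one host), as in the OP's rule."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Rule:
    number: int
    action: str                              # "permit" or "deny"
    proto: str                               # "ip" matches any protocol
    src: Optional[Tuple[str, str]] = None    # (base, wildcard); None = any source
    dst: Optional[Tuple[str, str]] = None    # (base, wildcard); None = any destination
    dport: Optional[Tuple[int, int]] = None  # inclusive destination-port range


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src and not wildcard_match(pkt.src, *rule.src):
        return False
    if rule.dst and not wildcard_match(pkt.dst, *rule.dst):
        return False
    if rule.dport:
        lo, hi = rule.dport
        if pkt.dport is None or not lo <= pkt.dport <= hi:
            return False
    return True


def evaluate(acl: List[Rule], pkt: Packet, default: str = "permit") -> str:
    """First match in rule-number order wins (Comware's default 'config' match order).
    Assumed: a packet-filter permits traffic that matches no rule unless told otherwise."""
    for rule in sorted(acl, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return f"{rule.action} (rule {rule.number})"
    return f"{default} (no match)"


# The OP's rule as posted: tcp only, wildcard 0 = a single host on each side
OP_RULE = [Rule(1, "deny", "tcp", ("10.10.10.0", "0"), ("10.20.20.0", "0"))]
# Reply 2's intent with /24 wildcards, all IP protocols
FIXED_RULE = [Rule(0, "deny", "ip", ("10.10.10.0", "0.0.0.255"), ("10.20.20.0", "0.0.0.255"))]
# Reply 4's ACL 3029, rule by rule
ACL_3029 = [
    Rule(0, "permit", "udp", ("10.10.29.0", "0.0.0.15"), None, (PORT_NAMES["bootps"], PORT_NAMES["bootpc"])),
    Rule(2, "permit", "ip", ("10.10.29.0", "0.0.0.15"), ("10.10.9.99", "0.0.0.0")),
    Rule(5, "permit", "udp", ("10.10.29.0", "0.0.0.15"), None, (PORT_NAMES["dns"], PORT_NAMES["dns"])),
    Rule(16, "deny", "ip", ("10.10.29.0", "0.0.0.15"), ("10.10.0.0", "0.0.255.255")),
    Rule(17, "deny", "ip", ("10.10.29.0", "0.0.0.15"), ("10.0.0.0", "0.0.255.255")),
    Rule(20, "permit", "ip"),
]

# Constructed sample traffic: the OP's ping, and a few flows from a VLAN 29 host
PING = Packet("icmp", "10.10.10.5", "10.20.20.1")
VLAN29_SAMPLES = [
    Packet("udp", "10.10.29.5", "255.255.255.255", 67),   # DHCP discover
    Packet("tcp", "10.10.29.5", "10.10.9.99", 22),        # management workstation
    Packet("tcp", "10.10.29.5", "10.10.50.1", 443),       # another 10.10.x.x VLAN
    Packet("tcp", "10.10.29.5", "10.0.1.1", 443),         # default 10.0.x.x VLAN
    Packet("tcp", "10.10.29.5", "93.184.216.34", 443),    # the Internet
]

if __name__ == "__main__":
    print("wildcard for 10.10.10.0/24:", wildcard_for_prefix("10.10.10.0/24"))
    print("OP rule, ping   :", evaluate(OP_RULE, PING))
    print("fixed rule, ping:", evaluate(FIXED_RULE, PING))
    for p in VLAN29_SAMPLES:
        print(f"ACL 3029 {p.proto} {p.src} -> {p.dst}:{p.dport}: {evaluate(ACL_3029, p)}")
```

Running it shows the OP's rule letting the ping through ("permit (no match)") while the /24 version denies it, and walks each VLAN 29 sample to the rule that decides it.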