Used VLANs in existence:
10.10.x.x various subnet masks
Default VLAN 1 (still some hosts in it)
10.0.x.x 255.255.0.0
I use this setup for every VLAN (~ 30, on 5900AF, Comware 7) and have no issues
interface Vlan-interface14
ip address 10.10.14.254 255.255.255.0
packet-filter filter route
packet-filter 3014 inbound
dhcp select relay
dhcp relay information enable
dhcp relay server-address 10.10.9.1
dhcp relay server-address 10.10.9.25
acl number 3014 "Switches VLAN restrictions"
#rule 0 permit udp source 10.10.14.0 0.0.0.255 destination-port range bootps bootpc
#rule 0 comment "Allow DHCP requests" # commented out so no requests allowed!
rule 2 permit ip source 10.10.14.0 0.0.0.255 destination 10.10.9.3 0.0.0.0
rule 2 comment "Allow SINGLE management workstation 1 access TO ALL devices on VLAN14"
rule 3 permit ip source 10.10.14.0 0.0.0.255 destination 10.10.9.99 0.0.0.0
rule 3 comment "Allow SINGLE management workstation 2 access TO ALL devices on VLAN14"
rule 5 permit udp source 10.10.14.0 0.0.0.255 destination-port eq dns
rule 5 comment "Allow DNS queries BY ALL devices on VLAN14"
rule 6 permit ip source 10.10.14.0 0.0.0.255 destination 10.10.9.131 0.0.0.0
rule 6 comment "Allow Radius Server 1 access BY ALL devices on VLAN14"
rule 7 permit ip source 10.10.14.0 0.0.0.255 destination 10.10.9.128 0.0.0.0
rule 7 comment "Allow Radius Server 2 access BY ALL devices on VLAN14"
rule 8 permit ip source 10.10.14.0 0.0.0.255 destination 10.10.9.27 0.0.0.0
rule 8 comment "Allow Kiwi Server access BY ALL devices on VLAN14"
rule 9 permit ip source 10.10.14.0 0.0.0.255 destination 10.10.9.40 0.0.0.0
rule 9 comment "Allow HP IMC Server access BY ALL devices on VLAN14"
rule 16 deny ip source 10.10.14.0 0.0.0.255 destination 10.10.0.0 0.0.255.255
rule 16 comment "Deny VLAN14 to ANY 10.10.x.x VLAN traffic BY ALL devices on VLAN14"
rule 17 deny ip source 10.10.14.0 0.0.0.255 destination 10.0.0.0 0.0.255.255
rule 17 comment "Deny VLAN14 to Default 10.0.x.x VLAN traffic BY ALL devices on VLAN14"
rule 20 permit ip
Of course (these are different VLANs), you can restrict to specified ports:
rule 11 permit tcp source 10.10.120.0 0.0.3.255 destination 10.10.22.1 0 destination-port eq www
rule 12 permit tcp source 10.10.120.0 0.0.3.255 destination 10.10.22.1 0 destination-port eq 443
With these ACL rules I never needed both-way exceptions, because in both cases above only the first VLAN of each pair (14 -- 9 or 120 -- 22) is fully isolated.
When BOTH VLANs are isolated, then of course one has to have rules in two separate ACLs, each applied inbound on its own VLAN interface:
acl number 3025 "Access Control VLAN restrictions"
rule 8 permit ip source 10.10.25.0 0.0.0.255 destination 10.10.26.0 0.0.0.255
rule 8 comment "Allow VLAN25 access to VLAN26"
==================================
acl number 3026 "CCTV VLAN restrictions"
rule 10 permit ip source 10.10.26.0 0.0.0.255 destination 10.10.25.0 0.0.0.255
rule 10 comment "Allow VLAN26 access to VLAN25"
------------------------------
spgsitsupport
------------------------------
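The first-match logic behind ACL 3014 above, as an added Python illustration that is not part of the post: it parses rule lines in the Comware syntax shown (comment and "#" lines are skipped) and evaluates sample packets, so the effect of rule order on a VLAN14 host can be checked before the ACL is applied. Assumptions: ascending rule-ID (config) match order and the packet-filter's default permit for packets matching no rule; the sample packets are constructed.

```python
import ipaddress

# Service names appearing in the post's rules, mapped to port numbers.
PORTS = {"bootps": 67, "bootpc": 68, "dns": 53, "www": 80}

# Rules copied from ACL 3014 in the post; the DHCP rule stays commented out as posted.
ACL_3014 = """
#rule 0 permit udp source 10.10.14.0 0.0.0.255 destination-port range bootps bootpc
rule 2 permit ip source 10.10.14.0 0.0.0.255 destination 10.10.9.3 0.0.0.0
rule 2 comment "Allow SINGLE management workstation 1 access TO ALL devices on VLAN14"
rule 5 permit udp source 10.10.14.0 0.0.0.255 destination-port eq dns
rule 16 deny ip source 10.10.14.0 0.0.0.255 destination 10.10.0.0 0.0.255.255
rule 17 deny ip source 10.10.14.0 0.0.0.255 destination 10.0.0.0 0.0.255.255
rule 20 permit ip
"""

def _matches(addr, base, wild):
    # Comware wildcards are inverse masks: a set bit means "don't care"; "0" is shorthand for 0.0.0.0.
    w = int(ipaddress.IPv4Address("0.0.0.0" if wild == "0" else wild))
    return (int(ipaddress.IPv4Address(addr)) & ~w) == (int(ipaddress.IPv4Address(base)) & ~w)

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "rule" or t[2] not in ("permit", "deny"):
            continue  # blank, "#"-commented and "rule N comment ..." lines carry no match logic
        r = {"id": int(t[1]), "action": t[2], "proto": t[3], "src": None, "dst": None, "dport": None}
        i = 4
        while i < len(t):
            if t[i] in ("source", "destination"):
                r["src" if t[i] == "source" else "dst"] = (t[i + 1], t[i + 2]); i += 3
            elif t[i] == "destination-port" and t[i + 1] == "eq":
                p = PORTS.get(t[i + 2]) or int(t[i + 2]); r["dport"] = (p, p); i += 3
            elif t[i] == "destination-port" and t[i + 1] == "range":
                r["dport"] = tuple(PORTS.get(x) or int(x) for x in t[i + 2:i + 4]); i += 4
            else:
                raise ValueError(f"unsupported keyword {t[i]!r} in: {line}")
        rules.append(r)
    return sorted(rules, key=lambda r: r["id"])  # match-order config: ascending rule ID

def evaluate(rules, src, dst, proto="ip", dport=None):
    """Return (action, rule id) of the first rule matching an inbound packet from src to dst."""
    for r in rules:
        if (r["proto"] in ("ip", proto)
                and (not r["src"] or _matches(src, *r["src"]))
                and (not r["dst"] or _matches(dst, *r["dst"]))
                and (not r["dport"] or (dport is not None and r["dport"][0] <= dport <= r["dport"][1]))):
            return r["action"], r["id"]
    return "permit", None  # Comware packet-filter default: unmatched packets are permitted

RULES = parse_acl(ACL_3014)
```

Running `evaluate(RULES, "10.10.14.10", "10.10.9.50", "udp", 53)` returns `("permit", 5)` while the same destination over TCP falls through to rule 16, which is exactly why the DNS permit must sit before the broad deny.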