Comware

Hi!

The first thing you need to keep in mind is that ACLs are not stateful, e.g. you need to explicitly allow traffic in BOTH directions in order to have a two way communication between desired hosts.

The second thing that may surprise you if you don't have any previous experience with Comware 7 - an ACL applied to a Vlan-interface by default affects both switched and routed traffic in the respective VLAN. This can be changed with the command "packet-filter filter route" (under the Vlan-interface context), but the default setting is "packet-filter filter all":

Parameters:
route: Filters packets forwarded at Layer 3 by the VLAN interface.
all: Filters all packets, including packets forwarded at Layer 3 by the VLAN interface and packets forwarded at Layer 2 by the physical ports associated with the VLAN interface.

I use this setup for every VLAN (~ 30, on 5900AF, Comware 7) and have no issues

interface Vlan-interface14
 ip address 10.10.14.254 255.255.255.0
 packet-filter filter route
 packet-filter 3014 inbound
 dhcp select relay
 dhcp relay information enable
 dhcp relay server-address 10.10.9.1
 dhcp relay server-address 10.10.9.25
 
 
 acl number 3014 "Switches VLAN restrictions"
  #rule 0 permit udp source 10.10.14.0 0.0.0.255 destination-port range bootps bootpc
  #rule 0 comment "Allow DHCP requests" # commented out so no requests allowed!
  
  rule 2 permit ip source 10.10.14.0 0.0.0.255 destination 10.10.9.3 0.0.0.0 
  rule 2 comment "Allow SINGLE management workstation 1 access TO ALL devices on VLAN14"

  rule 3 permit ip source 10.10.14.0 0.0.0.255 destination 10.10.9.99 0.0.0.0 
  rule 3 comment "Allow SINGLE management workstation 2 access TO ALL devices on VLAN14"
  
  rule 5 permit udp source 10.10.14.0 0.0.0.255 destination-port eq dns
  rule 5 comment "Allow DNS queries BY ALL devices on VLAN14"
  
  rule 6 permit ip source 10.10.14.0 0.0.0.255 destination 10.10.9.131 0.0.0.0
  rule 6 comment "Allow Radius Server 1 access BY ALL devices on VLAN14"
  rule 7 permit ip source 10.10.14.0 0.0.0.255 destination 10.10.9.128 0.0.0.0
  rule 7 comment "Allow Radius Server 2 access BY ALL devices on VLAN14"

  rule 8 permit ip source 10.10.14.0 0.0.0.255 destination 10.10.9.27 0.0.0.0
  rule 8 comment "Allow Kiwi Server access BY ALL devices on VLAN14"
 
 rule 9 permit ip source 10.10.14.0 0.0.0.255 destination 10.10.9.40 0.0.0.0
 rule 9 comment "Allow HP IMC Server access BY ALL devices on VLAN14"
 
 rule 16 deny ip source 10.10.14.0 0.0.0.255 destination 10.10.0.0 0.0.255.255
 rule 16 comment "Deny VLAN14 to ANY 10.10.x.x VLAN traffic BY ALL devices on VLAN14"
 rule 17 deny ip source 10.10.14.0 0.0.0.255 destination 10.0.0.0 0.0.255.255
 rule 17 comment "Deny VLAN14 to Default 10.0.x.x VLAN traffic BY ALL devices on VLAN14"
 
 rule 20 permit ip

Ofcourse (these are different VLANs), you can restrict to specified ports)

 rule 11 permit tcp source 10.10.120.0 0.0.3.255 destination 10.10.22.1 0 destination-port eq www
 rule 12 permit tcp source 10.10.120.0 0.0.3.255 destination 10.10.22.1 0 destination-port eq 443

With these ACL rules I never needed both ways exceptions because in both above cases only first VLAN from each pair (14 -- 9 or 120 -- 22) is fully isolated
When BOTH VLANs are isolated, then ofcourse one has to have rules in ACLs for inbound in two separate ACLs applied to inbound for each VLAN interface

acl number 3025 "Access Control VLAN restrictions"

 rule 8 permit ip source 10.10.25.0 0.0.0.255 destination 10.10.26.0 0.0.0.255
 rule 8 comment "Allow VLAN25 access to VLAN26"

==================================

acl number 3026 "CCTV VLAN restrictions"

 rule 10 permit ip source 10.10.26.0 0.0.0.255 destination 10.10.25.0 0.0.0.255
 rule 10 comment "Allow VLAN26 access to VLAN25"

------------------------------
spgsitsupport
------------------------------