03-19-2012 07:20 AM
A5800 and ACLs
I am relatively new to ACLs on this switch module and I was hoping someone could help me understand what I have to do to apply an ACL to a pair of VLANs.
Currently I have an internally designated VLAN and a DMZ designated VLAN, and traffic is permitted to pass between them. I would like to stop this behavior with the exception of a few ports/protocols, but for now a simple block all will be sufficient.
My internally designated VLAN is 192.168.1.0 and my DMZ designated VLAN is 192.168.2.0. Both are 24 bit subnets.
I've created the following acl:
acl number 3000
 rule 0 deny ip source 192.168.1.0 0 destination 192.168.2.0 0
Now, according to some of the documentation I've read I have to do something with traffic classifier? Is this correct? Any info on what my next step should be would be awesome. Thanks in advance.
03-19-2012 09:03 AM
Re: A5800 and ACLs
OK, so I set up some tests and I got working what I need to work. This was accomplished by the following procedure:
acl number 3000
 rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
interface GigabitEthernet1/0/1
 packet-filter 3000 inbound
 packet-filter 3000 outbound
Now I want to make some rules for specific hosts with specific tcp ports. Is there a way to combine tcp ports into one? For example if I want to allow 80 and 443 to host 192.168.2.5, what would the rule look like?
acl number 3000
 rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 1 permit tcp source 192.168.2.4 0.0.0.0 destination 192.168.2.5 0.0.0.0 destination-port eq 80,443
03-23-2012 05:25 AM
Re: A5800 and ACLs
I'm not sure about combining multiple ports into one statement, but remember you can simply add a separate rule with the new destination port below the first.
In your example, however, I believe this won't work because the ACL is applied based on rule number. So it will apply rule 0 first, denying everything and dropping the traffic. You need the most specific statements at the top of the ACL and the 'catch all' ones at the bottom. The explicit deny should usually be at the bottom of the ACL rule set.
Make rule 0 equal to rule 20, and specify the others to start with rule 5, 10, etc. If you leave spaces then it makes it easier to modify the ACL later on.
Cheers,
Graham
03-27-2012 07:43 AM
Re: A5800 and ACLs
ACLs are usually one to one. Usually you do your deny rules first and then the last rule is an implicit permit to allow any traffic not covered under deny rules. I would not try to combine port rules together in one rule. I would have separate rules for each so you can analyze traffic problems more easily.
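The three points raised in this thread (the bare "0" wildcard in the first post versus 0.0.0.255, Graham's warning that a deny at rule 0 shadows every later permit, and the last reply's note that unmatched traffic falls through to a default permit) can be checked offline with a small first-match evaluator. The block below is an added example written for this page, not Comware code and not posted by anyone in the thread. It assumes what Graham describes: rules are evaluated in ascending rule-number order and the first match wins, with unmatched packets taking a configurable default action. The rule sets are constructed from the posted configuration; the combined "eq 80,443" is split into one rule per port, and the permit's source is assumed to be an internal client 192.168.1.4 (the posted rule names 192.168.2.4, which lies outside the deny rule's source range and so would never be shadowed by it).

```python
"""Toy first-match evaluator for IPv4 ACL rules of the kind discussed in the thread.

Added example, not Comware code: it models only what the posts rely on, namely
wildcard-mask matching, evaluation in ascending rule-number order, and a default
action for packets that match no rule.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                  # "permit" or "deny"
    protocol: str                # "ip" (any protocol) or "tcp"
    src: str                     # source network/host address
    src_wild: str                # wildcard mask; a bare "0" is read as 0.0.0.0 (single host)
    dst: str
    dst_wild: str
    dport: Optional[int] = None  # destination TCP port, None means any


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dport: Optional[int] = None


def _wild_to_int(wild: str) -> int:
    # Treat the shorthand "0" from the first post as the all-zero mask.
    if wild == "0":
        wild = "0.0.0.0"
    return int(ipaddress.IPv4Address(wild))


def addr_matches(addr: str, base: str, wild: str) -> bool:
    """Wildcard semantics: a 0 bit in the mask must match exactly, a 1 bit is ignored."""
    w = _wild_to_int(wild)
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return ((a ^ b) & ~w) == 0


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    if not addr_matches(pkt.src, rule.src, rule.src_wild):
        return False
    if not addr_matches(pkt.dst, rule.dst, rule.dst_wild):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules, pkt: Packet, default: str = "permit"):
    """Return (action, matching rule number or None); first match in ascending rule order wins."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.action, rule.number
    return default, None


# Constructed rule sets mirroring the thread.
# The first post: a bare "0" wildcard matches only the single host 192.168.1.0.
FIRST_ATTEMPT = [Rule(0, "deny", "ip", "192.168.1.0", "0", "192.168.2.0", "0")]

# Second post: /24 wildcards, with the proposed permits numbered after the deny.
DENY_FIRST = [
    Rule(0, "deny", "ip", "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    Rule(1, "permit", "tcp", "192.168.1.4", "0.0.0.0", "192.168.2.5", "0.0.0.0", 80),
    Rule(2, "permit", "tcp", "192.168.1.4", "0.0.0.0", "192.168.2.5", "0.0.0.0", 443),
]

# Graham's ordering: specific permits at 5 and 10, catch-all deny moved to 20.
REORDERED = [
    Rule(5, "permit", "tcp", "192.168.1.4", "0.0.0.0", "192.168.2.5", "0.0.0.0", 80),
    Rule(10, "permit", "tcp", "192.168.1.4", "0.0.0.0", "192.168.2.5", "0.0.0.0", 443),
    Rule(20, "deny", "ip", "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
]


if __name__ == "__main__":
    https = Packet("192.168.1.4", "192.168.2.5", "tcp", 443)
    print("first attempt, 192.168.1.10 -> 192.168.2.10:",
          evaluate(FIRST_ATTEMPT, Packet("192.168.1.10", "192.168.2.10", "ip")))
    print("deny first, HTTPS to 192.168.2.5:", evaluate(DENY_FIRST, https))
    print("reordered, HTTPS to 192.168.2.5:", evaluate(REORDERED, https))
    print("reordered, SSH to 192.168.2.5:",
          evaluate(REORDERED, Packet("192.168.1.4", "192.168.2.5", "tcp", 22)))
```

Running it shows the first-post ACL letting ordinary internal-to-DMZ traffic through (only the host 192.168.1.0 is matched), the deny-first set dropping the HTTPS packet at rule 0 before the permit is ever reached, and the reordered set permitting HTTPS at rule 10 while unrelated ports fall to the deny at rule 20. Traffic that matches no rule, such as a DMZ-to-internal packet, takes the default action, which is the fall-through behaviour the last reply describes.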