04-24-2013 01:49 PM
ACL/QoS A5500 EI
Hello All,
I have configured two ACLs on an H3C 5500 EI switch with QoS enabled. My filters and QoS seem to be working up to our firewall, but I still cannot get out to the internet. This is the configuration on the switch. We have permitted the traffic through the firewall, so I'm not too sure where else the issue could be.
Thanks.
Advanced ACL 3000, named -none-, 6 rules,
ACL's step is 5
rule 0 permit ip source 10.X.X.X 0 destination 10.X.X.X 0
rule 5 permit ip source 10.X.X.X 0 destination 130.X.X.X 0
rule 10 permit ip source 10.X.X.X 0 destination 130.XX.X 0
rule 15 permit ip source 10.X.X.X 0 destination 130.X.X.X 0
rule 20 permit ip source 10.X.X.X 0 destination 130.X.X.X 0
rule 25 permit ip source 10.X.X.X 0 destination 130.X.X.X 0
Advanced ACL 3001, named -none-, 2 rules,
ACL's step is 5
rule 0 deny ip source 10.X.X.X 0
rule 5 deny ip source 10.X.X.X 0 destination 130.X.X.X 0
Interface: GigabitEthernet1/0/32
Direction: Inbound
Policy: test5
Classifier: test1
Operator: AND
Rule(s) : If-match acl 3000
Behavior: test3
Filter Enable: permit
Classifier: test2
Operator: AND
Rule(s) : If-match acl 3001
Behavior: test4
Filter Enable: deny
Interface: GigabitEthernet1/0/32
Direction: Outbound
Policy: test5
Classifier: test1
Operator: AND
Rule(s) : If-match acl 3000
Behavior: test3
Filter Enable: permit
Classifier: test2
Operator: AND
Rule(s) : If-match acl 3001
Behavior: test4
Filter Enable: deny
User Defined QoS Policy Information:
Policy: test5
Classifier: test1
Behavior: test3
Filter enable: permit
Classifier: test2
Behavior: test4
Filter enable: deny
04-24-2013 02:59 PM
Re: ACL/QoS A5500 EI
I am not sure I understand what you are trying to do here. Could you include a small diagram or text with which subnet should be allowed to which subnets and which should be blocked?
Since you are not using any QOS specific features, but only the filter commands, I would not use the QOS policy for the packet filtering, but simply define 1 ACL with permit/deny rules, and use the "packet-filter" command on the interfaces.
Also note that in your example, you seem to be using acl 3001 to filter traffic. Now since this uses the qos classifier, you have to make sure the traffic is "selected" for the classifier, so in the ACL you must PERMIT the traffic (so it is matching the classifier), next the QOS policy will apply the FILTER DENY on the selected (permitted by the ACL) traffic.
In the current example, no traffic would "match" the acl 3001, so it would not get filtered ...
(I know this is confusing, this is why the packet-filter command is preferred, when available)
Hope this helps,
Peter
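The classifier behaviour described in the reply above, as an added example that is not part of the original thread and is not vendor code: a small Python model showing why deny rules in ACL 3001 never trigger the "filter deny" behavior. The addresses are constructed (the thread masks the real ones), the function names are hypothetical, and the handling of unmatched traffic is an assumption.

```python
from ipaddress import ip_address, ip_network

def acl_selects(rules, src, dst):
    """Return True only when the first rule matching the packet is a permit."""
    for action, src_net, dst_net in rules:
        if ip_address(src) in ip_network(src_net) and ip_address(dst) in ip_network(dst_net):
            return action == "permit"
    return False  # no rule matched, so the classifier does not select the packet

def policy_verdict(policy, src, dst):
    """Walk classifier/behavior pairs in order; the first selecting class wins."""
    for acl_rules, behavior in policy:
        if acl_selects(acl_rules, src, dst):
            return behavior
    return "no class matched"  # assumption: such traffic is forwarded unfiltered

# Constructed addresses standing in for the masked 10.X.X.X / 130.X.X.X hosts.
ALLOWED, BLOCKED, SERVER = "10.1.1.10", "10.1.1.99", "130.1.1.20"
ANY = "0.0.0.0/0"

ACL_3000 = [("permit", ALLOWED + "/32", SERVER + "/32")]
# ACL 3001 in the shape posted: deny rules, so nothing is selected for test2.
ACL_3001_POSTED = [("deny", BLOCKED + "/32", ANY),
                   ("deny", BLOCKED + "/32", SERVER + "/32")]
# Same matches rewritten as permit, so the classifier selects the traffic.
ACL_3001_PERMIT = [("permit", s, d) for _, s, d in ACL_3001_POSTED]

# Policy test5: classifier test1 -> behavior test3, classifier test2 -> behavior test4.
POSTED = [(ACL_3000, "filter permit"), (ACL_3001_POSTED, "filter deny")]
REWRITTEN = [(ACL_3000, "filter permit"), (ACL_3001_PERMIT, "filter deny")]

if __name__ == "__main__":
    for name, policy in (("posted", POSTED), ("rewritten", REWRITTEN)):
        for src in (ALLOWED, BLOCKED):
            print(f"{name:9} {src} -> {SERVER}: {policy_verdict(policy, src, SERVER)}")
```

In the posted shape the host meant to be blocked falls through every class, which is the silent failure the reply warns about.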