01-16-2018 04:26 PM - edited 01-17-2018 10:21 AM
ACL for internet only access
Hi all,
I'm creating an advanced ACL on a Comware 5930 switch to limit clients' access in the 192.168.20.0/24 subnet.
I have a vlan that consists of 192.168.20.0/24, default gateway for the vlan is 192.168.20.1 and the ACL is applied as outbound to VLAN20 interface on my Core switch.
Here is what I'm trying to accomplish using the ACL,
- Be able to do dns, dhcp
- Not be able to access production subnets 10.0.0.0/24, 206.189.204.0/24
- Lastly, access the internet over ports 80,443
Is this ACL correct?
rule 0 remark "Allow dhcp requests"
rule 0 permit udp source 192.168.20.0 0.0.0.255 destination any destination-port range bootps bootpc counting
rule 5 remark "Allow DNS queries"
rule 5 permit udp source 192.168.20.0 0.0.0.255 destination any destination-port eq dns counting
rule 10 remark "Allow access to firewall's inside interface"
rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 10.10.110.254 0 counting
rule 15 remark "Allow access to the internet"
rule 15 permit ip source 192.168.20.0 0.0.0.255 destination any destination-port range www 443 counting
rule 15 remark "Deny access to 10.0.0.0/24 subnet(prod)"
rule 15 deny ip source 192.168.20.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
rule 20 remark "Deny access to 206.189.204.0/24 subnet(prod)"
rule 20 deny ip source 192.168.20.0 0.0.0.255 destination 206.189.204.0 0.0.0.255
rule 30 remark "Deny everything else"
rule 30 deny ip counting
Thank you
01-25-2018 12:48 AM
Re: ACL for internet only access
Hi,
Syntax:
The "remark" keyword is not used in Comware; "comment" is used, and you can only add the comment once the rule is made.
So you need
rule 5 permit blabla
rule 5 comment "blabla reason"
in that order.
You apply rule 15 twice; that will delete your first rule 15.
Your first rule 15 says "permit ip .... destination-port eq www 443".
Keyword "ip" indicates the full range of ports on both tcp and udp. So either you want "tcp" or "udp" (probably tcp) instead of "ip", or else you need to lose the "destination-port range" part.
The default deny (rule 30 in your list) is implicit and can be left out.
Semantics:
If the order of your two rule 15's and rule 20 is as written, then you allow access on ports 80 and 443 to 10.0.0.0/24 and 206.189.204.0/24.
I would reverse the order of your rule 15's (and 20) - unless of course that is intentional.
Again, your rule 15 (second one) and rule 20 are not used, since you have a default deny. If you supply rule 15 (second one) and rule 20 with the "counting" keyword, you could have a use for them (you could see how many tried).
Regards
Region Midtjylland
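To make the ordering point in the reply concrete, here is an added first-match simulator (example code, not from either post or from HPE). It models the posted rules with the reply's syntax fix applied (tcp instead of ip on the web rule), assumes rules are matched in configured order as the reply does, uses numeric ports for bootps/bootpc/dns/www, and leaves out the source subnet since every rule uses the same one; it then evaluates the same packets against the posted order and the reply's reordered ACL.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    dst: ipaddress.IPv4Network   # destination network (wildcard mask in Comware)
    dports: tuple = ()           # empty tuple = any destination port


def match(rule, proto, dst_ip, dport):
    """Comware-style match: 'ip' matches any protocol; no port list matches any port."""
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if dst_ip not in rule.dst:
        return False
    return not rule.dports or dport in rule.dports


def evaluate(acl, proto, dst_ip, dport):
    """First matching rule wins; a packet matching no rule hits the implicit deny."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in acl:
        if match(rule, proto, ip, dport):
            return rule.action
    return "deny"


ANY = ipaddress.ip_network("0.0.0.0/0")
PROD = [ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("206.189.204.0/24")]

# Rules from the question (source 192.168.20.0/24 implied), web rule as tcp per the reply.
BASE = [
    Rule("permit", "udp", ANY, (67, 68)),                            # rule 0: dhcp (bootps, bootpc)
    Rule("permit", "udp", ANY, (53,)),                               # rule 5: dns
    Rule("permit", "ip", ipaddress.ip_network("10.10.110.254/32")),  # rule 10: firewall inside
]
WEB = Rule("permit", "tcp", ANY, (80, 443))                          # "allow access to the internet"
PROD_DENY = [Rule("deny", "ip", net) for net in PROD]                # deny production subnets

ACL_AS_POSTED = BASE + [WEB] + PROD_DENY   # permit web first: prod is reachable on 80/443
ACL_REORDERED = BASE + PROD_DENY + [WEB]   # reply's suggestion: prod denies before the web permit

if __name__ == "__main__":
    for name, acl in (("as posted", ACL_AS_POSTED), ("reordered", ACL_REORDERED)):
        print(name, "tcp/443 to 10.0.0.5 ->", evaluate(acl, "tcp", "10.0.0.5", 443))
```

The constructed destination 10.0.0.5 is permitted under the posted order and denied once the two deny rules precede the web permit, while DNS to any resolver and web traffic to non-production addresses are unaffected by the swap.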