ACL for internet only access

 
737Captain
Occasional Contributor


Hi all,

I'm creating an advanced ACL on a Comware 5930 switch to limit clients' access in the 192.168.20.0/24 subnet.

I have a VLAN that consists of 192.168.20.0/24; the default gateway for the VLAN is 192.168.20.1, and the ACL is applied outbound on the VLAN 20 interface of my core switch.

 

Here is what I'm trying to accomplish using the ACL:

- Be able to do DNS and DHCP

- Not be able to access the production subnets 10.0.0.0/24 and 206.189.204.0/24

- Lastly, access the internet over ports 80 and 443

 

Is this ACL correct?

rule 0 remark "Allow dhcp requests"
rule 0 permit udp source 192.168.20.0 0.0.0.255 destination any destination-port range bootps bootpc counting

rule 5 remark "Allow DNS queries"
rule 5 permit udp source 192.168.20.0 0.0.0.255 destination any destination-port eq dns counting

rule 10 remark "Allow access to firewall's inside interface"
rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 10.10.110.254 0 counting

rule 15 remark "Allow access to the internet"
rule 15 permit ip source 192.168.20.0 0.0.0.255 destination any destination-port range www 443 counting

rule 15 remark "Deny access to 10.0.0.0/24 subnet(prod)"
rule 15 deny ip source 192.168.20.0 0.0.0.255 destination 10.0.0.0 0.0.0.255

rule 20 remark "Deny access to 206.189.204.0/24 subnet(prod)"
rule 20 deny ip source 192.168.20.0 0.0.0.255 destination 206.189.204.0 0.0.0.255

rule 30 remark "Deny everything else"
rule 30 deny ip counting

Thank you

sdide
Respected Contributor

Re: ACL for internet only access

Hi,

Syntax:

The "remark" keyword is not used in Comware; "comment" is used, and you can only add the comment once the rule has been made.

So you need

rule 5 permit blabla rule
rule 5 comment "blabla reason"

in that order

You apply rule 15 twice; that will delete your first rule 15.

Your first rule 15 says "permit ip .... destination-port eq www 443".

The keyword "ip" indicates the full range of ports on both TCP and UDP. So either you want "tcp" or "udp" (probably tcp) instead of "ip", or else you need to lose the "destination-port range" part.

The default deny (rule 30 in your list) is implicit and can be left out.

Semantics:

If the order of your two rule 15s and rule 20 is as written, then you allow access on ports 80 and 443 to 10.0.0.0/24 and 206.189.204.0/24.

I would reverse the order of your rule 15s (and 20), unless of course that is intentional.

Again, your rule 15 (the second one) and rule 20 are not used, since you have a default deny. If you supply rule 15 (the second one) and 20 with the "counting" keyword, you could make use of them (you could see how many tried).

Regards

Søren Dideriksen, Network Administrator
Region Midtjylland
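Added example, not part of the thread and not the poster's configuration or HPE code: the ACL rewritten the way the reply describes (comment after each rule, tcp instead of ip where a destination-port is given, the two prod denies numbered below the internet permit and given counting, no explicit final deny), plus a small evaluator that applies the rules the way Comware does with its default match-order config (ascending rule ID, first match wins, a reused rule ID replaces the earlier rule, unmatched packets denied). Assumptions, also marked in the code: the ACL number 3020 and name VLAN20-INTERNET-ONLY are placeholders; the sample packets are constructed and are evaluated as the clients send them (source 192.168.20.0/24), which is the direction in which a rule with that source can match; the parser covers only the keywords used in this thread, and rejects ip together with destination-port as the switch does.

```python
"""Evaluate a Comware-style advanced ACL the way the switch does.

Added example for this thread, not code from the post or from HPE. ACL
number/name and sample packets are constructed. Rules are matched in
ascending rule-ID order (match-order config), first match wins.
"""
import ipaddress
import re

PORT_NAMES = {"bootps": 67, "bootpc": 68, "dns": 53, "www": 80}

RULE_RE = re.compile(
    r"rule (?P<id>\d+) (?P<action>permit|deny) (?P<proto>ip|tcp|udp)"
    r"(?: source (?:any|(?P<src>\S+) (?P<swild>\S+)))?"
    r"(?: destination (?:any|(?P<dst>\S+) (?P<dwild>\S+)))?"
    r"(?: destination-port (?:eq (?P<peq>\S+)|range (?P<plo>\S+) (?P<phi>\S+)))?"
    r"(?: counting)?"
)

# Corrected ACL as the reply describes it (ACL number and name are placeholders).
CORRECTED_ACL = """\
acl number 3020 name VLAN20-INTERNET-ONLY
 rule 0 permit udp source 192.168.20.0 0.0.0.255 destination any destination-port range bootps bootpc counting
 rule 0 comment Allow DHCP requests
 rule 5 permit udp source 192.168.20.0 0.0.0.255 destination any destination-port eq dns counting
 rule 5 comment Allow DNS queries
 rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 10.10.110.254 0 counting
 rule 10 comment Allow access to the firewall's inside interface
 rule 15 deny ip source 192.168.20.0 0.0.0.255 destination 10.0.0.0 0.0.0.255 counting
 rule 15 comment Deny access to 10.0.0.0/24 (prod)
 rule 20 deny ip source 192.168.20.0 0.0.0.255 destination 206.189.204.0 0.0.0.255 counting
 rule 20 comment Deny access to 206.189.204.0/24 (prod)
 rule 25 permit tcp source 192.168.20.0 0.0.0.255 destination any destination-port range www 443 counting
 rule 25 comment Allow access to the internet on 80/443
"""
# The internet permit exactly as the question wrote it ('ip' plus a port).
AS_POSTED_RULE_15 = ("rule 15 permit ip source 192.168.20.0 0.0.0.255 "
                     "destination any destination-port range www 443 counting")
# Permit numbered below the denies: the ordering the reply warns about.
PERMIT_BEFORE_DENY = CORRECTED_ACL.replace("rule 25 ", "rule 12 ")
# Rule ID 15 used twice, as in the question; the later definition wins.
DUPLICATE_15 = CORRECTED_ACL.replace("rule 25 ", "rule 15 ")


def _ip(s):
    return 0 if s == "0" else int(ipaddress.ip_address(s))


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _in(addr, net, wild):
    """Comware wildcard mask: a 1 bit means 'don't care'."""
    return (_ip(addr) ^ _ip(net)) & (0xFFFFFFFF ^ _ip(wild)) == 0


def parse_acl(text):
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("acl ") or " comment " in line:
            continue
        m = RULE_RE.fullmatch(line)
        if not m:
            raise ValueError(f"cannot parse: {line}")
        g = m.groupdict()
        if g["proto"] == "ip" and (g["peq"] or g["plo"]):
            # The switch accepts destination-port only with tcp or udp.
            raise ValueError(f"destination-port needs tcp or udp: {line}")
        ports = None
        if g["peq"]:
            ports = (_port(g["peq"]),) * 2
        elif g["plo"]:
            ports = (_port(g["plo"]), _port(g["phi"]))
        rules[int(g["id"])] = {  # a reused ID overwrites the earlier rule
            "id": int(g["id"]), "action": g["action"], "proto": g["proto"],
            "src": (g["src"], g["swild"]) if g["src"] else None,
            "dst": (g["dst"], g["dwild"]) if g["dst"] else None, "ports": ports}
    return [rules[k] for k in sorted(rules)]


def evaluate(rules, proto, src, dst, dport=None):
    """First match in rule-ID order; rule_id None means the implicit deny."""
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != proto:
            continue
        if r["src"] and not _in(src, *r["src"]):
            continue
        if r["dst"] and not _in(dst, *r["dst"]):
            continue
        if r["ports"] and (dport is None or not r["ports"][0] <= dport <= r["ports"][1]):
            continue
        return r["action"], r["id"]
    return "deny", None


def rule_15_as_posted_parses():
    try:
        parse_acl(AS_POSTED_RULE_15)
        return True
    except ValueError:
        return False


SAMPLE_PACKETS = {  # (proto, src, dst, dport) as sent by the clients; constructed
    "dns": ("udp", "192.168.20.50", "9.9.9.9", 53),
    "https_internet": ("tcp", "192.168.20.50", "93.184.216.34", 443),
    "https_prod": ("tcp", "192.168.20.50", "10.0.0.10", 443),
    "ssh_prod": ("tcp", "192.168.20.50", "206.189.204.7", 22),
    "dhcp_discover": ("udp", "0.0.0.0", "255.255.255.255", 67),  # RFC 2131 DISCOVER
}


def decide(acl_text, name):
    return evaluate(parse_acl(acl_text), *SAMPLE_PACKETS[name])


if __name__ == "__main__":
    for label, text in (("corrected", CORRECTED_ACL), ("permit-first", PERMIT_BEFORE_DENY),
                        ("duplicate-15", DUPLICATE_15)):
        for name in SAMPLE_PACKETS:
            print(f"{label:12} {name:15} -> {decide(text, name)}")
```

Running the block prints the decision for each sample packet under the three variants: with the corrected ACL, HTTPS to 10.0.0.10 hits the deny at rule 15 while HTTPS to the internet is permitted by rule 25; with the permit numbered 12 the same packet to prod is permitted, which is the ordering problem the reply describes; and with the ID 15 reused the earlier rule 15 disappears entirely. One caveat the thread does not cover: a DHCP DISCOVER from a client that has no address yet is sent from 0.0.0.0, so a DHCP rule scoped to source 192.168.20.0/24 does not match it and it falls through to the implicit deny (the last sample packet).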