HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Hours:
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
Comware Based
cancel
Showing results for 
Search instead for 
Did you mean: 

ACL for internet only access

 
737Captain
Occasional Contributor

ACL for internet only access

Hi all,

I'm creating an advanced ACL on a  Comware 5930 switch to limit client's access in the 192.168.20.0/24 subnet. 

I have a vlan that consists of 192.168.20.0/24, default gateway for the vlan is 192.168.20.1 and the ACL is applied as outbound to VLAN20 interface on my Core switch. 

 

Here is what I'm trying to accomplish using the ACL, 

- Be able to do dns, dhcp

- Not be able to access production subnets 10.0.0.0/24, 206.189.204.0/24 

- Lastly, access the internet over ports 80,443

 

is this ACL correct?

rule 0 remark "Allow dhcp requests"
rule 0 permit udp source 192.168.20.0 0.0.0.255 destination any destination-port range bootps bootpc counting

rule 5 remark "Allow DNS queries"
rule 5 permit udp source 192.168.20.0 0.0.0.255 destination any destination-port eq dns counting

rule 10 remark "Allow access to firewall's inside interface"
rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 10.10.110.254 0 counting

rule 15 remark "Allow access to the internet"
rule 15 permit ip source 192.168.20.0 0.0.0.255 destination any destination-port range www 443 counting

rule 15 remark "Deny access to 10.0.0.0/24 subnet(prod)"
rule 15 deny ip source 192.168.20.0 0.0.0.255 destination 10.0.0.0 0.0.0.255

rule 20 remark "Deny access to 206.189.204.0/24 subnet(prod)"
rule 20 deny ip source 192.168.20.0 0.0.0.255 destination 206.189.204.0 0.0.0.255

rule 30 remark "Deny everything else"
rule 30 deny ip counting

Thank you

1 REPLY
sdide
Respected Contributor

Re: ACL for internet only access

Hi,

Syntax:

The "remark" keyword is not used in comware, "comment" is used, and - you can only make the comment, once the rule is made

So you need

rule 5 permit  blabla rule
rule 5 comment "blabla reason"

in that order

you apply rule 15 twice, that will delete your first rule 15.

Your first rule 15, says "permit ip  .... destination-port eq www 443"

Keyword "ip" indicates full range of ports on both tcp and udp. So either you want "tcp" or "udp" (probably tcp) instead of "ip", or else you need to loose the "destination-port range"-part.

The default deny (rule 30 in your list) is implicit and can be left out.

Semantics:

If the order of your two rule 15' s and rule 20 is as written, then you allow access on port 80 and 443 to 10.0.0.0/24 and 206.189.204.0/24.

I would reverse the order of your rule 15's (and 20) - unless of course that is intentional.

Again your rule 15(second one) and rule 20 is not used, since you have a default deny. If you supply rule 15 (second one) and 20 with the "counting" keyword, you could have use of them (you could see how many tried).

Regards

Søren Dideriksen, Network Administrator
Region Midtjylland