
ACL for internet only access


Hi all,

I'm creating an advanced ACL on a Comware 5930 switch to limit clients' access in the subnet.

I have a VLAN that consists of , the default gateway for the VLAN is , and the ACL is applied outbound to the VLAN20 interface on my core switch.


Here is what I'm trying to accomplish using the ACL:

- Be able to do DNS and DHCP

- Not be able to access production subnets

- Lastly, access the internet over ports 80 and 443


Is this ACL correct?

rule 0 remark "Allow dhcp requests"
rule 0 permit udp source destination any destination-port range bootps bootpc counting

rule 5 remark "Allow DNS queries"
rule 5 permit udp source destination any destination-port eq dns counting

rule 10 remark "Allow access to firewall's inside interface"
rule 10 permit ip source destination 0 counting

rule 15 remark "Allow access to the internet"
rule 15 permit ip source destination any destination-port range www 443 counting

rule 15 remark "Deny access to subnet(prod)"
rule 15 deny ip source destination

rule 20 remark "Deny access to subnet(prod)"
rule 20 deny ip source destination

rule 30 remark "Deny everything else"
rule 30 deny ip counting

Thank you


Re: ACL for internet only access



The "remark" keyword is not used in Comware; "comment" is used, and you can only add the comment once the rule is made.

So you need

rule 5 permit blabla rule
rule 5 comment "blabla reason"

in that order

You apply rule 15 twice; that will delete your first rule 15.

Your first rule 15 says "permit ip .... destination-port eq www 443".

The keyword "ip" indicates the full range of ports on both TCP and UDP. So either you want "tcp" or "udp" (probably tcp) instead of "ip", or else you need to lose the "destination-port range" part.

The default deny (rule 30 in your list) is implicit and can be left out.


If the order of your two rule 15's and rule 20 is as written, then you allow access on ports 80 and 443 to and

I would reverse the order of your rule 15's (and 20), unless of course that is intentional.

Again, your rule 15 (second one) and rule 20 are not used, since you have a default deny. If you supply rule 15 (second one) and rule 20 with the "counting" keyword, you could have use of them (you could see how many tried).


Søren Dideriksen, Network Administrator
Region Midtjylland
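As an added example (not code from either poster), the first-match evaluation below shows why the order the reply objects to matters: with the broad web permit ahead of the production denies, HTTPS to a production host is permitted, and moving the denies first closes it. The subnets, the renumbering of the duplicate rule 15 to 16, and the evaluator itself are constructed assumptions, not the switch's actual configuration.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed placeholder subnets; the thread's real addresses are not on the page.
PROD_A = ipaddress.ip_network("10.50.0.0/24")   # stands in for the first prod subnet
PROD_B = ipaddress.ip_network("10.51.0.0/24")   # stands in for the second prod subnet
ANY = ipaddress.ip_network("0.0.0.0/0")
WEB, DNS, DHCP = frozenset({80, 443}), frozenset({53}), frozenset({67, 68})

class Rule(NamedTuple):
    num: int
    action: str                         # "permit" or "deny"
    proto: str                          # "ip" matches any protocol, like the Comware keyword
    dst: ipaddress.IPv4Network
    dports: Optional[frozenset] = None  # None: any destination port

def evaluate(rules, proto, dst, dport):
    """First match wins, in rule-number order; unmatched traffic hits the implicit deny."""
    addr = ipaddress.ip_address(dst)
    for r in sorted(rules, key=lambda r: r.num):
        if r.proto in ("ip", proto) and addr in r.dst and (r.dports is None or dport in r.dports):
            return r.action
    return "deny"

# Order as posted (second "rule 15" renumbered to 16 so it is not overwritten):
# the broad web permit is evaluated before the prod denies.
AS_POSTED = [
    Rule(0, "permit", "udp", ANY, DHCP),
    Rule(5, "permit", "udp", ANY, DNS),
    Rule(15, "permit", "tcp", ANY, WEB),   # the post's intent: 80 and 443 ("range www 443" would be 80..443)
    Rule(16, "deny", "ip", PROD_A),
    Rule(20, "deny", "ip", PROD_B),
]

# Reordered as the reply suggests: prod denies first, then the web permit.
REORDERED = [
    Rule(0, "permit", "udp", ANY, DHCP),
    Rule(5, "permit", "udp", ANY, DNS),
    Rule(15, "deny", "ip", PROD_A),
    Rule(20, "deny", "ip", PROD_B),
    Rule(25, "permit", "tcp", ANY, WEB),
]

def web_to_prod(rules, port=443):
    """Verdict for an HTTP(S) connection from a VLAN20 client to a prod host."""
    return evaluate(rules, "tcp", "10.50.0.10", port)

if __name__ == "__main__":
    print("as posted :", web_to_prod(AS_POSTED))   # permit (the leak the reply points out)
    print("reordered :", web_to_prod(REORDERED))   # deny
```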