Comware Based

ACL to block inter-vlan traffic

 
spgsitsupport
Regular Advisor

ACLs on Comware do my head in (I just can't get the logic)

Vlan 110 - main LAN 10.10.110.0/23

Vlan 120 - BYOD 10.10.120.0/22

Vlan 5 - firewall routed link 10.10.5.0/28

I need to block any communication (apart from DHCP) between V110 & V120, but allow machines on V120 to access Internet

DNS on V120 machines points to an external source

Tried Acl 3120

 

 rule 0 permit udp source 10.10.120.0 0.0.3.255 destination-port range bootps bootpc
 rule 0 comment "Allow DHCP requests"
 rule 5 permit udp source 10.10.120.0 0.0.3.255 destination-port eq dns
 rule 5 comment "Allow DNS queries"
 rule 10 permit ip source 10.10.120.0 0.0.3.255 destination 10.10.5.0 0.0.0.15 counting
 rule 10 comment "Allow access to firewall routed link VLAN"
 rule 20 deny ip counting
interface Vlan-interface120
 packet-filter filter route
 packet-filter 3120 inbound

 

 

While DHCP works, I get NO internet access from machines on V120

As soon as the ACL is undone, Internet access works (but so does all the other access)

I do not want to explicitly block Vlan 110 by IP range, because in fact I want to block it from any other Vlans (existing & future)

Does anybody have any idea?

 

Thanks

 

Seb

Ivan_B
HPE Pro
Solution

Re: ACL to block inter-vlan traffic

Hi @spgsitsupport !

The logic of ACLs in Comware is pretty straightforward and does not differ from other vendors. This ACL has zero chance of working on any vendor's router/L3 switch, because you have one major flaw:

rule 0 permit udp source 10.10.120.0 0.0.3.255 destination-port range bootps bootpc
rule 0 comment "Allow DHCP requests"
rule 5 permit udp source 10.10.120.0 0.0.3.255 destination-port eq dns
rule 5 comment "Allow DNS queries"
rule 10 permit ip source 10.10.120.0 0.0.3.255 destination 10.10.5.0 0.0.0.15 counting
rule 10 comment "Allow access to firewall routed link VLAN"
rule 20 deny ip counting
#
interface Vlan-interface120
packet-filter filter route
packet-filter 3120 inbound

What this ACL does:
rule 0 - if a packet that COMES on the SVI VLAN120 (from the host in this VLAN) has IP Source from 10.10.120.0/22 range, ANY destination IP, and destination UDP port in bootps bootpc, it is ALLOWED
rule 5 - if a packet that COMES on the SVI VLAN120 (from the host in this VLAN) has IP Source from 10.10.120.0/22 range, ANY destination IP and destination UDP port dns, it is ALLOWED
rule 10 - if a packet that COMES on the SVI VLAN120 (from the host in this VLAN) has IP Source from 10.10.120.0/22 range and destination IP from 10.10.5.0/28 range, it is ALLOWED
rule 20 - drop the rest

Now just think what destination IP will have your Internet traffic. For example, if you ping a well-known Google's DNS from a host in Vlan120, how the IP header will look like? I bet it will be like this one:

IP.src=10.10.120.10 (for example)
IP.dst = 8.8.8.8

Do you see the problem now? Routers do not change IP source and destination on routing. Unless there is NAT, of course. So how do you imagine the rule 10 can match this type of traffic when it will be looking for Vlan5's range in the IP destination field? What you really allow with this rule is the traffic from Vlan120 to Vlan5, nothing else.

Here is how the ACL should look if you need to deny Vlan120 -> 110 access and allow Internet connection for the hosts in Vlan120:

rule 0 permit udp source 10.10.120.0 0.0.3.255 destination-port range bootps bootpc
rule 0 comment "Allow DHCP requests"
rule 5 permit udp source 10.10.120.0 0.0.3.255 destination-port eq dns
rule 5 comment "Allow DNS queries"
rule 7 deny ip source 10.10.120.0 0.0.3.255 destination 10.10.110.0 0.0.1.255
rule 7 comment "Deny Vlan120-Vlan110 traffic"
rule 20 permit ip

The difference is in rule 7 and in rule 20. Rule 10 is redundant, you do not need it unless you want BYOD devices to manage the firewall, which I highly doubt.

And don't forget to set the default route through the Firewall's IP address in Vlan5.

Now about "I do not want to explicitely block Vlan 110 by IP range, because in fact I want to block it from any other Vlans (existing & future)". If you already know what IP range your future VLANs will use, for example if they all will utilize 10.0.0.0/8 range, then you can modify the rule 7 in a way it will drop ALL traffic from Vlan120 to the 10.0.0.0/8 range (except the traffic allowed in rules before this one) :

rule 7 deny ip source 10.10.120.0 0.0.3.255 destination 10.0.0.0 0.255.255.255

Try this ACL and let me know if it works.

 

 

I am an HPE employee

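To make the first-match reasoning in the reply above concrete, here is an added example (my own code, not from the thread or from HPE) that replays the two versions of ACL 3120 against a few constructed packets. It assumes the usual wildcard semantics (a 0 bit in the wildcard must match, a 1 bit is "don't care") and evaluation in ascending rule-id order; it does not model `packet-filter filter route` (bridged vs routed traffic) or the packet filter's default action, so a packet that matches no rule is reported as "default" rather than guessed. The helper names, the `Packet`/`Rule` classes and the test addresses are mine; the rule contents are the ones posted in the thread.

```python
"""Toy first-match simulator for Comware-style advanced IPv4 ACLs.

Added example, not code from the thread. Models wildcard-mask matching,
protocol and destination-port checks, and first-match evaluation by rule id.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Wild = Tuple[str, str]  # (network, wildcard) exactly as written in a rule
ANY: Wild = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard semantics: 0 bits must match, 1 bits are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def wildcard_prefix_len(wildcard: str) -> int:
    """Prefix length a contiguous wildcard stands for, e.g. 0.0.3.255 -> 22."""
    w = int(ipaddress.IPv4Address(wildcard))
    ones = bin(w).count("1")
    if w != (1 << ones) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return 32 - ones


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"            # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    rule_id: int
    action: str                   # "permit" or "deny"
    proto: str = "ip"             # "ip" matches any protocol
    src: Wild = ANY
    dst: Wild = ANY
    dport: Optional[Tuple[int, int]] = None   # inclusive range; None = any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not wildcard_match(pkt.src, *self.src):
            return False
        if not wildcard_match(pkt.dst, *self.dst):
            return False
        if self.dport is not None:
            lo, hi = self.dport
            if pkt.dport is None or not lo <= pkt.dport <= hi:
                return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule (lowest rule id) wins; returns (action, rule_id).
    No match -> ("default", None): the filter's default action is not modelled."""
    for rule in sorted(acl, key=lambda r: r.rule_id):
        if rule.matches(pkt):
            return rule.action, rule.rule_id
    return "default", None


BYOD: Wild = ("10.10.120.0", "0.0.3.255")      # VLAN 120
MAIN_LAN: Wild = ("10.10.110.0", "0.0.1.255")  # VLAN 110
FW_LINK: Wild = ("10.10.5.0", "0.0.0.15")      # VLAN 5

# ACL 3120 as first posted (permit to VLAN 5 only, then deny everything).
ACL_3120_ORIGINAL = [
    Rule(0, "permit", "udp", src=BYOD, dport=(67, 68)),   # bootps/bootpc
    Rule(5, "permit", "udp", src=BYOD, dport=(53, 53)),   # dns
    Rule(10, "permit", "ip", src=BYOD, dst=FW_LINK),
    Rule(20, "deny"),
]
# ACL 3120 as corrected in the accepted answer (deny VLAN 110, then permit).
ACL_3120_FIXED = [
    Rule(0, "permit", "udp", src=BYOD, dport=(67, 68)),
    Rule(5, "permit", "udp", src=BYOD, dport=(53, 53)),
    Rule(7, "deny", "ip", src=BYOD, dst=MAIN_LAN),
    Rule(20, "permit"),
]
# The "block every 10.x VLAN" variant: the wildcard decides how much is blocked.
RULE7_SLASH24 = Rule(7, "deny", "ip", src=BYOD, dst=("10.0.0.0", "0.0.0.255"))
RULE7_SLASH8 = Rule(7, "deny", "ip", src=BYOD, dst=("10.0.0.0", "0.255.255.255"))

# Constructed test packets; addresses chosen to sit inside the thread's ranges.
TO_INTERNET = Packet("10.10.120.10", "8.8.8.8", "tcp", 443)
TO_MAIN_LAN = Packet("10.10.120.10", "10.10.110.5", "tcp", 445)
TO_FIREWALL = Packet("10.10.120.10", "10.10.5.1", "tcp", 443)
DHCP_RENEW = Packet("10.10.120.10", "10.10.110.2", "udp", 67)  # unicast renew to a VLAN 110 server

if __name__ == "__main__":
    for name, acl in (("original", ACL_3120_ORIGINAL), ("fixed", ACL_3120_FIXED)):
        for pkt in (TO_INTERNET, TO_MAIN_LAN, TO_FIREWALL, DHCP_RENEW):
            print(f"{name:8} {pkt.src} -> {pkt.dst}:{pkt.dport} {evaluate(acl, pkt)}")
    for rule in (RULE7_SLASH24, RULE7_SLASH8):
        print(rule.dst, f"/{wildcard_prefix_len(rule.dst[1])}",
              "blocks VLAN110:", rule.matches(TO_MAIN_LAN))
```

Running it shows the original ACL dropping the 8.8.8.8 packet at rule 20 and the corrected one permitting it, and it makes two points a practitioner would want checked before deploying: `0.0.0.255` after `10.0.0.0` is a /24 and would not block VLAN 110 at all (only `0.255.255.255` is /8), and permits placed before rule 7 (DHCP and DNS to any destination) still reach VLAN 110 hosts on those ports, so if DNS is meant to go only to the external resolver, the destination in rule 5 should be narrowed as well.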

spgsitsupport
Regular Advisor

Re: ACL to block inter-vlan traffic

Nice one, clear & precise explanation, best I ever found!

But with the below, I cannot get connectivity to NPS server authentication (which makes no sense to me)

acl number 3051 "Aerohive51 VLAN restrictions"
 rule 0 permit udp source 10.10.51.0 0.0.0.255 destination-port range bootps bootpc
 rule 0 comment "Allow DHCP requests"
 rule 3 permit udp source 10.10.51.0 0.0.0.255 destination-port range 1812 1813
 rule 3 comment "Allow Radius access"
 rule 4 permit udp source 10.10.51.0 0.0.0.255 destination-port eq ntp
 rule 5 permit udp source 10.10.51.0 0.0.0.255 destination-port eq dns
 rule 5 comment "Allow DNS queries"
 rule 10 deny ip source 10.10.51.0 0.0.0.255 destination 10.10.0.0 0.0.255.255
 rule 10 comment "Deny VLAN51 to ANY 10.10.x.x VLAN traffic"
 rule 20 permit ip