HPE Community
Comware Based
1753886 Members
7163 Online
108809 Solutions
New Discussion юеВ

Re: ACLs on super-vlan/sub-vlans seem not to work

 
catbeard
Visitor

тАО01-18-2021 02:12 PM

тАО01-18-2021 02:12 PM

ACLs on super-vlan/sub-vlans seem not to work

I have some FF 5945s and 5940s; an ACL applied to a super-vlan does not seem to match/block any packets in its sub-vlan(s).

Does packet-filtering work on routed super-vlan/sub-vlan interfaces the same way it does on regular routed vlan-interfaces?

 

display packet-filter statistics interface Vlan-interface 999 in
Interface: Vlan-interface999
Inbound policy:
IPv4 ACL test, Hardware-count
From 2021-01-18 22:05:41 to 2021-01-18 22:06:50
rule 1 deny ip
Totally 0 packets permitted, 0 packets denied
Totally 0% permitted, 0% denied

IPv4 default action: Deny

0 Kudos
2 REPLIES 2
drk787
HPE Pro

тАО01-20-2021 07:16 PM

тАО01-20-2021 07:16 PM

Re: ACLs on super-vlan/sub-vlans seem not to work

@catbeard  Hi, I did not see any restriction on applying the packet-filter on supervlan in the configuration guide 

Below are the restriction Restrictions and guidelines for Super VLAN configuration

тАвThe VLAN of a MAC address-to-VLAN entry cannot be configured as a super VLAN.

тАвA VLAN cannot be configured as both a super VLAN and a guest VLAN, Auth-Fail VLAN, or critical VLAN. For more information about guest VLANs, Auth-Fail VLANs, and critical VLANs, see Security Configuration Guide.

тАвA VLAN cannot be configured as both a super VLAN and a sub-VLAN.

тАвLayer 2 multicast configuration for super VLANs does not take effect because they do not have physical ports

 

What exactly is the requirement and how did you configure

Thank You!
I am an HPE Employee

Accept or Kudo

0 Kudos
catbeard
Visitor

тАО01-21-2021 08:16 AM

тАО01-21-2021 08:16 AM

Re: ACLs on super-vlan/sub-vlans seem not to work

Thanks for the reply.

I need to share subnets of IPs between diffrerent VLANs while filtering traffic from/between them. Supervlan seems perfect for this. Very simple test config for this problem:

vlan 100

vlan 999
supervlan
subvlan 100

interface Vlan-interface999
description v999 supervlan test
ip address 192.0.2.0 255.255.255.0
local-proxy-arp enable
packet-filter name test inbound hardware-count

acl advanced name test
rule 5 deny ip

 

I also have a basic DHCP pool set up. Everthing works as it should except the packet filter. Nothing ever matches or is blocked, no matter what the ACL contains.

After my initial post (and after reading a lot of other posts here!) I found that I can filter traffic sucessfully by reversing the ACL logic (permit instead of deny) and using a drop policy for the matched traffic.

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.