ACLs on super-vlan/sub-vlans seem not to work

catbeard
Occasional Visitor

ACLs on super-vlan/sub-vlans seem not to work

I have some FF 5945s and 5940s; an ACL applied to a super-vlan does not seem to match/block any packets in its sub-vlan(s).

Does packet-filtering work on routed super-vlan/sub-vlan interfaces the same way it does on regular routed vlan-interfaces?


display packet-filter statistics interface Vlan-interface 999 in
Interface: Vlan-interface999
Inbound policy:
IPv4 ACL test, Hardware-count
From 2021-01-18 22:05:41 to 2021-01-18 22:06:50
rule 1 deny ip
Totally 0 packets permitted, 0 packets denied
Totally 0% permitted, 0% denied

IPv4 default action: Deny

drk787
HPE Pro

Re: ACLs on super-vlan/sub-vlans seem not to work

@catbeard Hi, I did not see any restriction on applying the packet-filter on a super VLAN in the configuration guide.

Below are the restrictions, from "Restrictions and guidelines for super VLAN configuration":

The VLAN of a MAC address-to-VLAN entry cannot be configured as a super VLAN.

A VLAN cannot be configured as both a super VLAN and a guest VLAN, Auth-Fail VLAN, or critical VLAN. For more information about guest VLANs, Auth-Fail VLANs, and critical VLANs, see Security Configuration Guide.

A VLAN cannot be configured as both a super VLAN and a sub-VLAN.

Layer 2 multicast configuration for super VLANs does not take effect because they do not have physical ports.


What exactly is the requirement, and how did you configure it?

Thank You!
I am an HPE Employee


catbeard
Occasional Visitor

Re: ACLs on super-vlan/sub-vlans seem not to work

Thanks for the reply.

I need to share subnets of IPs between different VLANs while filtering traffic from/between them. Supervlan seems perfect for this. Very simple test config for this problem:

vlan 100

vlan 999
supervlan
subvlan 100

interface Vlan-interface999
description v999 supervlan test
ip address 192.0.2.0 255.255.255.0
local-proxy-arp enable
packet-filter name test inbound hardware-count

acl advanced name test
rule 5 deny ip


I also have a basic DHCP pool set up. Everything works as it should except the packet filter. Nothing ever matches or is blocked, no matter what the ACL contains.

After my initial post (and after reading a lot of other posts here!) I found that I can filter traffic successfully by reversing the ACL logic (permit instead of deny) and using a drop policy for the matched traffic.
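The reversed-logic workaround described in the last post, written out as an added Comware 7 configuration example rather than catbeard's own config: the ACL now permits (matches) the traffic, and a QoS policy applied to the super VLAN interface drops what the classifier matches. The classifier, behavior and policy names are assumed, and the command syntax should be checked against the QoS configuration guide for your release.

```text
acl advanced name test
 rule 5 permit ip
#
traffic classifier c-test operator and
 if-match acl name test
#
traffic behavior b-drop
 filter deny
#
qos policy p-drop
 classifier c-test behavior b-drop
#
interface Vlan-interface999
 description v999 supervlan test
 ip address 192.0.2.0 255.255.255.0
 local-proxy-arp enable
 undo packet-filter name test inbound
 qos apply policy p-drop inbound
```

Because the packet-filter in the original post reported 0 packets denied even with a default action of Deny, confirm the replacement is actually in effect with `display qos policy interface Vlan-interface 999 inbound` and a test from a sub-VLAN host before relying on it as a boundary between the sub-VLANs.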