Comware Based
cancel
Showing results for 
Search instead for 
Did you mean: 

Acl not working correctly on hp 5820 switch

sandore
Occasional Advisor

Acl not working correctly on hp 5820 switch

Hello,

 

I am trying to configure acl between two vlans, so I want to allow a specific ip address which is 192.168.20.28 255.255.254.0 on interface vlan 20 to be able to reach any ip on the interface vlan 7 subnet 192.168.2.0 255.255.255.0.

So I configured basic acl 2001:

 

rule 0 permit source 192.168.20.28 0

rule 100 deny source any

 

now on the interface vlan 7 or on the port which connects vlan 7, I used:

packet filter 2001 inbound

but its blocking everything even ip 192.168.20.28

 

What is wrong with the acl?

2 REPLIES
sandore
Occasional Advisor

Re: Acl not working correctly on hp 5820 switch

I managed to solve the problem by creating advanced acl and applying it to the outbound interface not inbound, and its working successfully

Apachez-
Trusted Contributor

Re: Acl not working correctly on hp 5820 switch

This might be valid for your case where you attempt to apply an ACL on a VLAN rather than a physical interface:

 

"

A5800_5820X-CMW520-R1809P02

 

New feature: Applicable scope of packet filtering on a VLAN interface

 

Configuring the applicable scope of packet filtering on a VLAN interface


You can configure the packet filtering on a VLAN interface to filter the following packets:
• Packets forwarded at Layer 3 by the VLAN interface.
• All packets, including packets forwarded at Layer 3 by the VLAN interface and packets forwarded at Layer 2 by the physical ports associated with the VLAN interface.


To configure the applicable scope of packet filtering on a VLAN interface:

 

Step

Command

Remarks

  

1. Enter system view.

# system-view

N/A

 

2. Create a VLAN interface and enter its view.

# interface vlan-interface vlan-interface-id

If the VLAN interface already exists, you directly enter its view.

By default, no VLAN interface exists.

  

3. Specify the applicable scope of packet filtering on the VLAN interface.

# packet-filter filter [ route | all ]

By default, the packet filtering filters all packets.

 

Command reference

# packet-filter filter

Use packet-filter filter to specify the applicable scope of packet filtering on a VLAN interface.

Use undo packet-filter filter to restore the default.

 

Syntax

# packet-filter filter [ route | all ]

# undo packet-filter filter

 

Default

The packet filtering filters all packets.

 

Views

VLAN interface view

 

Default command level

2: System level

 

Parameters

route: Filters packets forwarded at Layer 3 by the VLAN interface.

all: Filters all packets, including packets forwarded at Layer 3 by the VLAN interface and packets forwarded at Layer 2 by the physical ports associated with the VLAN interface.

 

Examples

# Configure the packet filtering on VLAN-interface 2 to filter packets forwarded at Layer 3.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] packet-filter filter route

"

 

The above simply means if you just want to protect the VLAN-interface itself you should use the "route" option, while if you want to filter whatever flows within your VLAN (like traffic between clients who doesnt pass the VLAN-interface) then you should use the "all" option.

 

Another option is also to simply filter on the physical interfaces themselfs.

 

Basically (unless I forgot some) you have 4 options if you want to apply a filter:

 

1) In the physical interface.

2) In the VLAN.

3) In the VLAN-interface.

4) In the routingtable (usually in combination with uRPF, null routed hosts/ranges will then get dropped in both directions).