Re: Block Traffic Between VLANs in one direction with ACL in HP 5900AF

Post the config you came up with.

I think the first thing everybody gest wrong the first time is the *direction*.
And also the wrong interface.

If you want to filter access from VLAN10 to VLAN20, you apply the filter on VLAN10 interface, with the direction "in".

It's not intuitive, but it is logical.

Hello,

interface Vlan-interface10
 ip address 10.10.10.1 255.255.255.0

interface Vlan-interface20
 ip address 10.10.20.1 255.255.255.0
 packet-filter 3000 inbound

acl number 3000 name
 rule 5 permit ip source 10.10.20.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
 rule 50 deny ip

Lets start with the topic title.....what do you mean by "in one direction?"
Should VLAN10 be able to access VLAN20 resources , but VLAN20 be blocked to access VLAN10 resources?
If so, earlier suggestions will not work, but it requires
-stateful firewall (which a switch isn't)
-reflexive ACL ( old cisco router thingy)
-filtering on TCP connection established flag
-filtering on tcp/udp ports.  (>1024 are "client ports and <1023 are services)
I'm afraid L3 switch will have to use ugly combination of option 3 and 4....

Hello,

The answer to your question is, YES.

Unfortunately the HP 5900AF is our gatway and I have to manage ACL between VLANs from there.

Although, your answer is very clear, that 5900 cannot be able to do this.

Thanks!