HPE Community
Comware Based
1753830 Members
9632 Online
108806 Solutions
New Discussion

Re: Block Traffic Between VLANs in one direction with ACL in HP 5900AF

 
dgeronik
Occasional Contributor

‎04-28-2016 02:06 AM - edited ‎04-28-2016 02:08 AM

‎04-28-2016 02:06 AM - edited ‎04-28-2016 02:08 AM

Block Traffic Between VLANs in one direction with ACL in HP 5900AF

Hello,

i have an HP 5900AF acting as router to my network.

I have 2 VLANS for instance VLAN10(10.10.10.0) and VLAN20(10.10.20.0).

I need to block traffic from VLAN20 to everywhere but I need to have access to VLAN20 only from VLAN10.

I applied some access lists to interface VLAN20 in order to gaive access from VLAN10 to VLAN20 but it gave access bidirectional to both VLANs

 

0 Kudos
4 REPLIES 4
Vince-Whirlwind
Honored Contributor

‎05-01-2016 05:25 PM

‎05-01-2016 05:25 PM

Re: Block Traffic Between VLANs in one direction with ACL in HP 5900AF

Post the config you came up with.

I think the first thing everybody gest wrong the first time is the *direction*.
And also the wrong interface.

If you want to filter access from VLAN10 to VLAN20, you apply the filter on VLAN10 interface, with the direction "in".

It's not intuitive, but it is logical.

0 Kudos
dgeronik
Occasional Contributor

‎05-01-2016 10:12 PM - edited ‎05-01-2016 10:12 PM

‎05-01-2016 10:12 PM - edited ‎05-01-2016 10:12 PM

Re: Block Traffic Between VLANs in one direction with ACL in HP 5900AF

Hello,

interface Vlan-interface10
 ip address 10.10.10.1 255.255.255.0


interface Vlan-interface20
 ip address 10.10.20.1 255.255.255.0
 packet-filter 3000 inbound


acl number 3000 name
 rule 5 permit ip source 10.10.20.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
 rule 50 deny ip

0 Kudos
16again
Respected Contributor

‎05-02-2016 10:08 AM

‎05-02-2016 10:08 AM

Re: Block Traffic Between VLANs in one direction with ACL in HP 5900AF

Lets start with the topic title.....what do you mean by "in one direction?"
Should VLAN10 be able to access VLAN20 resources , but VLAN20 be blocked to access VLAN10 resources?
If so, earlier suggestions will not work, but it requires
-stateful firewall (which a switch isn't)
-reflexive ACL ( old cisco router thingy)
-filtering on TCP connection established flag
-filtering on tcp/udp ports.  (>1024 are "client ports and <1023 are services)
I'm afraid L3 switch will have to use ugly combination of option 3 and 4....

0 Kudos
dgeronik
Occasional Contributor

‎05-04-2016 12:55 AM

‎05-04-2016 12:55 AM

Re: Block Traffic Between VLANs in one direction with ACL in HP 5900AF

Hello,

The answer to your question is, YES.

Unfortunately the HP 5900AF is our gatway and I have to manage ACL between VLANs from there.

Although, your answer is very clear, that 5900 cannot be able to do this.

Thanks!

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.