dgeronik
Occasional Contributor

Block Traffic Between VLANs in one direction with ACL in HP 5900AF

Hello,

I have an HP 5900AF acting as the router for my network.

I have two VLANs, for instance VLAN10 (10.10.10.0) and VLAN20 (10.10.20.0).

I need to block traffic from VLAN20 to everywhere, but I need to have access to VLAN20 only from VLAN10.

I applied some access lists to interface VLAN20 in order to give access from VLAN10 to VLAN20, but it gave bidirectional access to both VLANs.

4 REPLIES
Vince-Whirlwind
Honored Contributor

Re: Block Traffic Between VLANs in one direction with ACL in HP 5900AF

Post the config you came up with.

I think the first thing everybody gets wrong the first time is the *direction*.
And also the wrong interface.

If you want to filter access from VLAN10 to VLAN20, you apply the filter on VLAN10 interface, with the direction "in".

It's not intuitive, but it is logical.

dgeronik
Occasional Contributor

Re: Block Traffic Between VLANs in one direction with ACL in HP 5900AF

Hello,

interface Vlan-interface10
 ip address 10.10.10.1 255.255.255.0

interface Vlan-interface20
 ip address 10.10.20.1 255.255.255.0
 packet-filter 3000 inbound

acl number 3000
 rule 5 permit ip source 10.10.20.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
 rule 50 deny ip

16again
Respected Contributor

Re: Block Traffic Between VLANs in one direction with ACL in HP 5900AF

Let's start with the topic title... what do you mean by "in one direction"?
Should VLAN10 be able to access VLAN20 resources, but VLAN20 be blocked from accessing VLAN10 resources?
If so, the earlier suggestions will not work; it requires one of:
- a stateful firewall (which a switch isn't)
- a reflexive ACL (an old Cisco router thingy)
- filtering on the TCP connection established flag
- filtering on TCP/UDP ports (>1024 are client ports and <1023 are services)
I'm afraid the L3 switch will have to use an ugly combination of options 3 and 4...

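The two points made in the replies above, where the packet filter actually sees the traffic (interface and direction, from Vince-Whirlwind's reply) and the stateless "established"/port workaround (16again's options 3 and 4), as an added Python model that is not part of the original thread or any HPE code. It replays the poster's ACL 3000 and a one-way variant against constructed packets. The subnets are the poster's; the host addresses, packets, the Comware rule lines quoted in the comments and the packet-filter default-permit behaviour are assumptions stated in the code.

```python
"""Stateless ACL model of the one-way inter-VLAN filter discussed in this thread.

Added example (not from the original post or HPE documentation). It replays the
poster's ACL and a TCP-established/port-based ACL against constructed packets to
show why the first is bidirectional and what the second does and does not block.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

VLAN10 = ip_network("10.10.10.0/24")  # addressing from the thread
VLAN20 = ip_network("10.10.20.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK flag
    rst: bool = False   # TCP RST flag


@dataclass(frozen=True)
class Rule:
    """One Comware-style ACL rule; None means 'any' for that field."""
    action: str                        # "permit" or "deny"
    proto: str = "ip"                  # "ip" matches every protocol
    src: Optional[IPv4Network] = None
    dst: Optional[IPv4Network] = None
    sport_eq: Optional[int] = None
    dport_gt: Optional[int] = None
    established: bool = False          # Comware 'established': ACK or RST bit set (assumed)

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src is not None and ip_address(p.src) not in self.src:
            return False
        if self.dst is not None and ip_address(p.dst) not in self.dst:
            return False
        if self.sport_eq is not None and p.sport != self.sport_eq:
            return False
        if self.dport_gt is not None and not p.dport > self.dport_gt:
            return False
        if self.established and not (p.proto == "tcp" and (p.ack or p.rst)):
            return False
        return True


def evaluate(acl: list, p: Packet) -> str:
    """First matching rule wins. Assumption: the packet filter permits packets
    that match no rule (Comware default unless 'packet-filter default deny')."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "permit"


def forward(p: Packet, inbound_filters: dict) -> str:
    """'packet-filter <acl> inbound' on a VLAN interface only sees packets that
    enter the switch from that VLAN, i.e. whose source lies in its subnet."""
    for vlan, acl in inbound_filters.items():
        if ip_address(p.src) in vlan:
            return evaluate(acl, p)
    return "permit"   # no filter on the ingress interface


# The poster's ACL 3000 applied 'packet-filter 3000 inbound' on Vlan-interface20:
#   rule 5 permit ip source 10.10.20.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
#   rule 50 deny ip
POSTED_ACL = [
    Rule("permit", "ip", VLAN20, VLAN10),
    Rule("deny"),
]

# Stateless one-way variant (16again's options 3 and 4), same interface and
# direction. Assumed Comware equivalent:
#   rule 5  permit tcp established source 10.10.20.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
#   rule 10 permit udp source 10.10.20.0 0.0.0.255 source-port eq 53
#                     destination 10.10.10.0 0.0.0.255 destination-port gt 1023
#   rule 50 deny ip
ONE_WAY_ACL = [
    Rule("permit", "tcp", VLAN20, VLAN10, established=True),              # TCP replies only
    Rule("permit", "udp", VLAN20, VLAN10, sport_eq=53, dport_gt=1023),    # DNS replies only
    Rule("deny"),
]

# Constructed packets (hosts are hypothetical).
CLIENT_SYN     = Packet("10.10.10.5", "10.10.20.8", "tcp", 51000, 443)            # VLAN10 -> VLAN20
SERVER_SYNACK  = Packet("10.10.20.8", "10.10.10.5", "tcp", 443, 51000, ack=True)  # reply to it
VLAN20_SYN     = Packet("10.10.20.8", "10.10.10.5", "tcp", 40000, 22)             # VLAN20 initiates
VLAN20_TO_INET = Packet("10.10.20.8", "192.0.2.1", "tcp", 40000, 443)             # VLAN20 -> elsewhere
ACK_SCAN       = Packet("10.10.20.8", "10.10.10.5", "tcp", 40000, 22, ack=True)   # crafted, no handshake


def run(acl: list) -> dict:
    """Verdict per packet when acl is applied inbound on Vlan-interface20."""
    filters = {VLAN20: acl}
    return {
        "vlan10_initiates": forward(CLIENT_SYN, filters),
        "vlan20_replies": forward(SERVER_SYNACK, filters),
        "vlan20_initiates": forward(VLAN20_SYN, filters),
        "vlan20_to_internet": forward(VLAN20_TO_INET, filters),
        "vlan20_ack_scan": forward(ACK_SCAN, filters),
    }


if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("one-way", ONE_WAY_ACL)):
        print(name, run(acl))
```

With the posted ACL, rule 5 matches any VLAN20 packet bound for VLAN10, so a connection opened from VLAN20 passes just as well as a reply; that is the bidirectional result the poster saw. The one-way ACL denies the VLAN20-initiated SYN and still lets the SYN/ACK reply through. The last case is the caveat a switch ACL cannot close: a crafted VLAN20 packet with ACK set and no prior connection also matches the established rule, so this stops connection setup from VLAN20 but not ACK-scan or forged traffic, which is what the stateful firewall 16again mentions is for.
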
dgeronik
Occasional Contributor

Re: Block Traffic Between VLANs in one direction with ACL in HP 5900AF

Hello,

The answer to your question is YES.

Unfortunately the HP 5900AF is our gateway and I have to manage ACLs between VLANs from there.

Your answer is very clear, though: the 5900 is not able to do this.

Thanks!