Hello,

the current ACL implementation of Comware is really in bad shape. I will revert back to my Cisco core on the weekend. Because of the following:

- Layer 3 ACLs apply on Layer2: Setting an ACL on an vlan interface also affects the Layer 2 traffic going through the switch.

- IPv6 outbound ACLs do not apply to the management processor.

- IPv6 ACLs are completly useless as it turns out.

- There is no logging interface which logs which rule has triggered the ACL. This is a nightmare when debugging

    ACLs rules or in this case implementation.

Cheers,

      Thomas

HP assigned problem security number: SSRT101416

It seems that an updated firmware sent to the above user fixed this issue so the rest of us will hopefully see this update online within 1-3 months (I guess it will go through the normal Early Access -> General Availability process).

The thing to look for in the release notes will be something like:

There is a new command - "ipv6 option drop enable".
This option drops packets, if the packets cannot be proccessed in hw.

Which I guess one would need to enable in order to get the IPv6 ACLs to work as you expect them to.

Well it´s a matter of fact that current switches, i.e. HP A5500-EI and A5800 do not support blocking IPv6 extension headers, Comware 5 has the following rules:

 
·         rule deny icmpv6 fragment *
·         rule deny ipv6 fragment *
·         rule deny icmpv6 routing *
·         rule deny ipv6 routing *

But if you apply them on ports it will tell you:

"FILTER/5/FLT_SET_POLICY_NOTSUPPORT_FAIL: Failed to apply the filter policy to or refresh the filter policy **** on interface ****.Not supported"

I do not know anything about a firmware for A5500-EI or A5800 that will make blocking extension headers possible.

I looks like the ACL engine in comware v5 currently cannot deal with ipv6 fragments.

You can configure it but after reboot the particular line is gone.

I have an ongoing supportcase with HP regarding this matter.