Re: Can't block access between vlans - HP A5120 L3

SOLVED
Dieg0
Advisor

Can't block access between vlans - HP A5120 L3

Hi,

I have one HP A5120 EI as the core of my network and two V1910s.
I trunked port 21 on the 5120 to the first V1910 switch (TI), and did the same on port 22 to the second V1910 (SLA).

On the core 5120 I have these VLANs:

VLAN 1 - ADMINISTRATION - 172.16.100.240/28
VLAN 2 - SERVERS - 172.16.20.128/25
VLAN 3 - TI - 172.16.30.0/28
VLAN 4 - SLA - 172.16.40.0/25
VLAN 5 - DELIVERY - 172.16.50.0/27
VLAN 6 - TR - 172.16.60.0/27
VLAN 7 - OFFICE - 172.16.70.0/26
VLAN 8 - COM - 172.16.80.0/26
VLAN 9 - SALES - 172.16.90.0/26
VLAN 10 - BOSS - 172.16.65.0/28

The core IP is 172.16.100.241

I have a desktop, HOST A, linked to the first V1910 with IP 172.16.30.2 (VLAN TI), where the gateway is 172.16.30.14 (5120 VLAN interface); this switch has the IP 172.16.100.253.

Another desktop, HOST B, is linked to the second V1910 with IP 172.16.40.120 (VLAN SLA), where the gateway is 172.16.40.126 (5120 VLAN interface); this switch has the IP 172.16.100.254.

My desktop, HOST C, is linked to the core with IP 172.16.100.250

On the core 5120 I can't stop the ping from HOST B to HOST A. See below:


acl number 3004
rule 5 deny ip source 172.16.40.0 0.0.0.127

or

rule 5 deny ip source 172.16.40.0 0.0.0.127 destination 172.16.30.0 0.0.0.15

quit
int vlan 4
packet-filter 3004 inbound
quit
(or int vlan 3, because it's INBOUND)

the ping continues...

Can someone help me? Thanks

5 REPLIES
Dieg0
Advisor

Re: Can't block access between vlans - HP A5120 L3

Sorry, to be more specific...

What do I need?

HOST A can ping HOST B, but HOST B can't ping HOST A.

 

VLAN TI pings VLAN SLA

VLAN SLA doesn't ping VLAN TI

Thanks for the advice.

Peter_Debruyne
Honored Contributor

Re: Can't block access between vlans - HP A5120 L3

Hi,

In an advanced ACL, ICMP is set as a different protocol from IP, so just include in the rules:


rule 5 deny icmp source 172.16.40.0 0.0.0.127

and it should be ok.

Hope this helps, Peter
Dieg0
Advisor

Re: Can't block access between vlans - HP A5120 L3

Thank you very much for the reply.

Didn't work yet :(

Inside ACL 3004 for VLAN 4 with packet-filter inbound:

rule 10 deny icmp source 172.16.40.0 0.0.0.127

both sides stop pinging.

When inside ACL 3 for the VLAN 3 packet filter, nothing happens.
This thing is driving me crazy.

Peter_Debruyne
Honored Contributor
Solution

Re: Can't block access between vlans - HP A5120 L3

1/ You want to filter the ICMP echo (request) and ICMP echo-reply from the different subnets.

2/ Try to use the ? in the CLI. This is a sample MSR CLI output:

rule 1 permit ?
  <0-255>  Protocol number
  gre      GRE tunneling(47)
  icmp     Internet Control Message Protocol(1)
  igmp     Internet Group Management Protocol(2)
  ip       Any IP protocol
  ipinip   IP in IP tunneling(4)
  ospf     OSPF routing protocol(89)
  tcp      Transmission Control Protocol (6)
  udp      User Datagram Protocol (17)

rule 1 permit icmp ?
  counting      Specify Rule Counting
  destination   Specify destination address
  dscp          Specify DSCP
  fragment      Check fragment packet
  icmp-type     Specify type of icmp
  logging       Log matched packet
  precedence    Specify precedence
  reflective    Set reflective attribute
  source        Specify source address
  time-range    Specify a special time
  tos           Specify tos
  vpn-instance  Specify a VPN-Instance
  <cr>

rule 1 permit icmp icmp-type ?
  INTEGER<0-255>        ICMP type
  echo                  Type=8, Code=0
  echo-reply            Type=0, Code=0
  fragmentneed-DFset    Type=3, Code=4
  host-redirect         Type=5, Code=1
  host-tos-redirect     Type=5, Code=3
  host-unreachable      Type=3, Code=1
  information-reply     Type=16, Code=0
  information-request   Type=15, Code=0
  net-redirect          Type=5, Code=0
  net-tos-redirect      Type=5, Code=2
  net-unreachable       Type=3, Code=0
  parameter-problem     Type=12, Code=0
  port-unreachable      Type=3, Code=3
  protocol-unreachable  Type=3, Code=2
  reassembly-timeout    Type=11, Code=1
  source-quench         Type=4, Code=0
  source-route-failed   Type=3, Code=5
  timestamp-reply       Type=14, Code=0
  timestamp-request     Type=13, Code=0
  ttl-exceeded          Type=11, Code=0

So for 1 side you would configure:

 rule 10 permit icmp icmp-type echo
 rule 20 deny icmp icmp-type echo-reply

The other side would be the inverse:

 rule 10 deny icmp icmp-type echo
 rule 20 permit icmp icmp-type echo-reply

You can still include the source/destination keywords if you want.

Hope this helps, Peter
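As an added example (not Peter's or HP's own configuration), here is the accepted solution applied to both VLAN interfaces of the 5120 with the subnets from the first post, so that VLAN TI (VLAN 3) can ping VLAN SLA (VLAN 4) but not the reverse. The ACL number 3003 and the `#` annotation lines are my choices; the rule keyword order follows the Comware 5 advanced-ACL syntax shown in the `?` output above, and the wildcards are the inverse masks of the /28 and /25 prefixes.

```comware
# Comware 5 (HP A5120 EI): directional ICMP filter between VLAN TI and VLAN SLA
# Added example; ACL 3003 and these annotation lines are assumptions, not from the thread.
#
# Traffic entering the core from VLAN TI (172.16.30.0/28):
#   let its echo requests toward SLA through, drop any echo-replies it would send to SLA
acl number 3003
 rule 10 permit icmp source 172.16.30.0 0.0.0.15 destination 172.16.40.0 0.0.0.127 icmp-type echo
 rule 20 deny icmp source 172.16.30.0 0.0.0.15 destination 172.16.40.0 0.0.0.127 icmp-type echo-reply
#
# Traffic entering the core from VLAN SLA (172.16.40.0/25):
#   drop its echo requests toward TI, let its echo-replies back to TI through
acl number 3004
 rule 10 deny icmp source 172.16.40.0 0.0.0.127 destination 172.16.30.0 0.0.0.15 icmp-type echo
 rule 20 permit icmp source 172.16.40.0 0.0.0.127 destination 172.16.30.0 0.0.0.15 icmp-type echo-reply
#
interface Vlan-interface3
 packet-filter 3003 inbound
#
interface Vlan-interface4
 packet-filter 3004 inbound
#
```

Rule 10 of ACL 3004 is the line that actually stops HOST B's pings; rule 20 is what the earlier `rule 10 deny icmp source 172.16.40.0 0.0.0.127` attempt was missing, because that rule also dropped the echo-replies HOST A was waiting for, which is why "both sides stop ping". The echo-reply deny in ACL 3003 is belt-and-braces: SLA's echo requests never reach TI, so TI has nothing to reply to. Note that a Comware packet-filter permits packets that match no rule, so this only affects ICMP echo/echo-reply between the two subnets; any other traffic between TI and SLA is still forwarded. After applying it, `display acl 3004` and `display packet-filter` on the 5120 confirm the rules and where they are bound.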

Dieg0
Advisor

Re: Can't block access between vlans - HP A5120 L3

tyvm