Can't block access between vlans - HP A5120 L3
04-15-2014 12:53 PM
Hi,
I have one HP A5120 EI as the core of my network and two v1910s.
I trunked port 21 on the 5120 to the first v1910 (TI) and port 22 to the second v1910 (SLA).
On the core 5120 I have these VLANs:
VLAN 1 - ADMINISTRATION - 172.16.100.240/28
VLAN 2 - SERVERS - 172.16.20.128/25
VLAN 3 - TI - 172.16.30.0/28
VLAN 4 - SLA - 172.16.40.0/25
VLAN 5 - DELIVERY - 172.16.50.0/27
VLAN 6 - TR - 172.16.60.0/27
VLAN 7 - OFFICE - 172.16.70.0/26
VLAN 8 - COM - 172.16.80.0/26
VLAN 9 - SALES - 172.16.90.0/26
VLAN 10 - BOSS - 172.16.65.0/28
The core IP is 172.16.100.241.
I have a desktop, HOST A, connected to the first v1910 with IP 172.16.30.2 (VLAN TI), where the gateway is 172.16.30.14 (5120 VLAN interface); this switch has the IP 172.16.100.253.
Another desktop, HOST B, is connected to the second v1910 with IP 172.16.40.120 (VLAN SLA), where the gateway is 172.16.40.126 (5120 VLAN interface); this switch has the IP 172.16.100.254.
My desktop, HOST C, is connected to the core with IP 172.16.100.250.
On the core 5120 I can't stop the ping from HOST B to HOST A. See below:
acl number 3004
rule 5 deny ip source 172.16.40.0 0.0.0.127
or
rule 5 deny ip source 172.16.40.0 0.0.0.127 destination 172.16.30.0 0.0.0.15
quit
int vlan 4
packet-filter 3004 inbound
quit
(or int vlan 3, because it's INBOUND)
The ping continues...
Can someone help me? Thanks
04-16-2014 12:22 PM - edited 04-19-2014 06:56 AM
Re: Can't block access between vlans - HP A5120 L3
Sorry, to be more specific...
What do I need?
HOST A can ping HOST B, but HOST B can't ping HOST A.
VLAN TI pings VLAN SLA
VLAN SLA doesn't ping VLAN TI
Thanks for the advice.
04-22-2014 06:47 AM
Re: Can't block access between vlans - HP A5120 L3
Hi,
In an advanced ACL, ICMP is set as a different protocol from IP, so just include in the rules:
rule 5 deny icmp source 172.16.40.0 0.0.0.127
and it should be OK.
Hope this helps,
Peter
04-22-2014 08:21 AM - edited 04-22-2014 08:21 AM
Re: Can't block access between vlans - HP A5120 L3
Thank you very much for the reply.
It didn't work yet :(
Inside ACL 3004 for VLAN 4 with packet-filter inbound:
rule 10 deny icmp source 172.16.40.0 0.0.0.127
both sides stop pinging.
When inside ACL 3 for the VLAN 3 packet-filter, nothing happens.
This thing is driving me crazy.
04-22-2014 10:56 PM
1/ You want to filter the ICMP echo (request) and ICMP echo-reply from the different subnets.
2/ Try to use the ? in the CLI. This is a sample MSR CLI output:
rule 1 permit ?
<0-255> Protocol number
gre GRE tunneling(47)
icmp Internet Control Message Protocol(1)
igmp Internet Group Management Protocol(2)
ip Any IP protocol
ipinip IP in IP tunneling(4)
ospf OSPF routing protocol(89)
tcp Transmission Control Protocol (6)
udp User Datagram Protocol (17)
rule 1 permit icmp ?
counting Specify Rule Counting
destination Specify destination address
dscp Specify DSCP
fragment Check fragment packet
icmp-type Specify type of icmp
logging Log matched packet
precedence Specify precedence
reflective Set reflective attribute
source Specify source address
time-range Specify a special time
tos Specify tos
vpn-instance Specify a VPN-Instance
<cr>
rule 1 permit icmp icmp-type ?
INTEGER<0-255> ICMP type
echo Type=8, Code=0
echo-reply Type=0, Code=0
fragmentneed-DFset Type=3, Code=4
host-redirect Type=5, Code=1
host-tos-redirect Type=5, Code=3
host-unreachable Type=3, Code=1
information-reply Type=16, Code=0
information-request Type=15, Code=0
net-redirect Type=5, Code=0
net-tos-redirect Type=5, Code=2
net-unreachable Type=3, Code=0
parameter-problem Type=12, Code=0
port-unreachable Type=3, Code=3
protocol-unreachable Type=3, Code=2
reassembly-timeout Type=11, Code=1
source-quench Type=4, Code=0
source-route-failed Type=3, Code=5
timestamp-reply Type=14, Code=0
timestamp-request Type=13, Code=0
ttl-exceeded Type=11, Code=0
So for one side you would configure:
rule 10 permit icmp icmp-type echo
rule 20 deny icmp icmp-type echo-reply
The other side would be the inverse :
rule 10 deny icmp icmp-type echo
rule 20 permit icmp icmp-type echo-reply
You can still include the source/destination keywords if you want.
Hope this helps,
Peter
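To make the two replies concrete, the following is an added example (not configuration or code from the thread, from HP or from the posters): a small model of the Comware advanced-ACL rule syntax used above, applied as inbound packet filters on the 5120's VLAN interfaces, so the surviving ping direction can be worked out for the original 'deny ip' attempt and for the icmp-type rules. Assumptions, beyond the addresses, ACL number and rule text quoted in the thread: 'ip' matches any IP protocol (as the CLI help above lists it), rules are evaluated in rule-number order with a default permit for packets matching no rule, and a packet is checked by the inbound ACL of the VLAN whose subnet contains its source address. The source/destination scoping on the icmp-type rules in the last scenario is this example's own addition.

```python
"""Model of Comware advanced-ACL rules applied with 'packet-filter <acl> inbound'
on the 5120's VLAN interfaces. Added example, not configuration from the thread,
HP or the posters; only the keywords used in the thread are modelled."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ECHO, ECHO_REPLY = 8, 0                      # ICMP types, per the CLI help above
ICMP_TYPES = {"echo": ECHO, "echo-reply": ECHO_REPLY}

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "icmp"
    icmp_type: Optional[int] = None

def addr_matches(addr: str, spec: Optional[str]) -> bool:
    """'A.B.C.D W.X.Y.Z' with an inverse mask: 1 bits in the wildcard are
    'don't care', so '172.16.40.0 0.0.0.127' is 172.16.40.0/25."""
    if spec is None:                         # keyword omitted: any address
        return True
    base, wild = (int(ipaddress.IPv4Address(x)) for x in spec.split())
    keep = 0xFFFFFFFF ^ wild
    return (int(ipaddress.IPv4Address(addr)) & keep) == (base & keep)

@dataclass
class Rule:
    number: int
    action: str                              # "permit" or "deny"
    proto: str                               # "ip" (any IP protocol) or "icmp"
    src: Optional[str] = None
    dst: Optional[str] = None
    icmp_type: Optional[int] = None

    @classmethod
    def parse(cls, text: str) -> "Rule":
        """Parse a rule line exactly as typed in ACL view."""
        t = text.split()
        if t[0] != "rule" or t[2] not in ("permit", "deny") or t[3] not in ("ip", "icmp"):
            raise ValueError(text)
        rule, i = cls(int(t[1]), t[2], t[3]), 4
        while i < len(t):
            if t[i] in ("source", "destination"):
                setattr(rule, {"source": "src", "destination": "dst"}[t[i]], f"{t[i + 1]} {t[i + 2]}")
                i += 3
            elif t[i] == "icmp-type":
                rule.icmp_type = ICMP_TYPES[t[i + 1]]
                i += 2
            else:
                raise ValueError(f"unsupported keyword {t[i]!r}")
        return rule

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:    # 'ip' covers ICMP too
            return False
        if self.icmp_type is not None and self.icmp_type != p.icmp_type:
            return False
        return addr_matches(p.src, self.src) and addr_matches(p.dst, self.dst)

def acl_permits(rules: list, p: Packet) -> bool:
    """First match in rule-number order wins; no match means forwarded (assumed)."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r.action == "permit"
    return True

# Subnets and hosts from the original post; hosts sit directly on these VLANs.
VLANS = {1: "172.16.100.240/28", 3: "172.16.30.0/28", 4: "172.16.40.0/25"}
HOST_A, HOST_B, HOST_C = "172.16.30.2", "172.16.40.120", "172.16.100.250"

def ping_succeeds(filters: dict, src: str, dst: str) -> bool:
    """A ping needs both the echo request and the echo-reply to get through;
    each packet is checked by the inbound ACL of the VLAN it enters the 5120 on."""
    for p in (Packet(src, dst, "icmp", ECHO), Packet(dst, src, "icmp", ECHO_REPLY)):
        vid = next(v for v, net in VLANS.items()
                   if ipaddress.ip_address(p.src) in ipaddress.ip_network(net))
        if not acl_permits(filters.get(vid, []), p):
            return False
    return True

# The first attempt from the thread: ACL 3004 on 'int vlan 4' inbound.
OP_FILTERS = {4: [Rule.parse("rule 5 deny ip source 172.16.40.0 0.0.0.127")]}

# The icmp-type rules from the solution on VLAN 3 only, without source/destination.
UNSCOPED_FILTERS = {3: [Rule.parse("rule 10 permit icmp icmp-type echo"),
                        Rule.parse("rule 20 deny icmp icmp-type echo-reply")]}

# Both sides, scoped to the TI and SLA subnets (the scoping is this example's addition).
SCOPED_FILTERS = {
    3: [Rule.parse("rule 10 permit icmp icmp-type echo source 172.16.30.0 0.0.0.15 destination 172.16.40.0 0.0.0.127"),
        Rule.parse("rule 20 deny icmp icmp-type echo-reply source 172.16.30.0 0.0.0.15 destination 172.16.40.0 0.0.0.127")],
    4: [Rule.parse("rule 10 deny icmp icmp-type echo source 172.16.40.0 0.0.0.127 destination 172.16.30.0 0.0.0.15"),
        Rule.parse("rule 20 permit icmp icmp-type echo-reply source 172.16.40.0 0.0.0.127 destination 172.16.30.0 0.0.0.15")],
}

def summary(filters: dict) -> dict:
    return {"A->B": ping_succeeds(filters, HOST_A, HOST_B),
            "B->A": ping_succeeds(filters, HOST_B, HOST_A),
            "C->A": ping_succeeds(filters, HOST_C, HOST_A)}

if __name__ == "__main__":
    for name, f in (("deny ip on vlan 4", OP_FILTERS), ("unscoped, vlan 3", UNSCOPED_FILTERS),
                    ("scoped, both VLANs", SCOPED_FILTERS)):
        print(f"{name:20} {summary(f)}")
```

Under these assumptions the model reproduces the observation that a plain deny on VLAN 4 inbound stops pings in both directions: HOST A's echo requests get out through VLAN 3, but HOST B's echo-replies enter the 5120 on VLAN 4 and are dropped. The icmp-type rules give the asymmetry that was asked for (A pings B, B cannot ping A). The unscoped variant on VLAN 3 also stops HOST A from answering the admin desktop HOST C, which is why the last scenario carries source/destination on every rule; the model is stateless, like the ACL, so it says nothing about the original 'deny ip' attempt letting the ping through.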
04-23-2014 10:43 AM