Comware Based
Showing results for 
Search instead for 
Did you mean: 

Configuring ACL on 5900 Switches

Frequent Advisor

Configuring ACL on 5900 Switches

I have a two 5900 switches in an IRF and need help configuring ACL and VRRP.


First of all, do I need VRRP with switches are configured in an IRF.  Both switches are connected to two physical Firewalls, but how do I configure Primary or Secondary Gateway IP addresses without VRRP.


5900s have multiple VLANs for Inter vlan traffic and I want to prevent those VLANs reaching VLAN 100 and VLAN 101.  Can some one share the ACL script showing how to prevent VLANs 10,20,30 and so on reaching to VLANs 100  and 101.





Frequent Advisor

Re: Configuring ACL on 5900 Switches

Hello, you would not need VRRP in an IRF stack to accomplish the multiple default gateways.  I've not had the chance to implement something like this, but from what I understand you could configure a PBR using traffic classifiers in a QoS policy with "if match" statements that match source traffic and "redirect" options to point to the correct default gateway based off source address and or various other options.  These policies can be applied globally on the switch or directly to the VLAN you are redirecting.  Check out the routing configuration guide for details.  In regards to your VLAN filtering, there may be an easier way to accomplish that I am not aware of, but using ACLs you can do something like this


acl number 3000 name blockvlan

 description block vlan 100 and 101 access

 rule 0 deny ip destination

 rule 1 deny ip destination


interface vlan-interface 10

packet-filter name blockvlan inbound

interface vlan-interface 20

packet-filter name blockvlan inbound

interface vlan-interface 30

packet-filter name blockvlan inbound


I believe there is an implicit allow at the end of the ACL in A series switches unless you change that default behavior, so there would be no need to accept traffic.   Hopefully this helps. 


Occasional Advisor

Re: Configuring ACL on 5900 Switches



No, you don't need VRRP in IRF. IRF creates a virtual switching system using the 2 physical switches. You will have only one IP address for the 2 switches. It's important, though, that you configure MAD to avoid problems with duplicate IP adresses in case of IRF split. 


About ACLs i'm not sure but think that you could use VACLs (Vlan ACLs). You can find the configuration guides for IRF and ACLs on HPs support site.