01-05-2014 01:51 PM
HP 5800-24G Switch (JC100A) outbound IPv6 ACL does not apply to management processor
Hello,
When I set an outbound ACL for an interface, all traffic is blocked correctly; however, the traffic for the management
processor is not. Is this documented somewhere, or is it a bug?
Cheers,
Thomas
Tags: ACLs
01-05-2014 03:47 PM
Re: HP 5800-24G Switch (JC100A) outbound IPv6 ACL does not apply to management processor
Could you post a snippet of the config in question (and obfuscate whatever is necessary)?
01-05-2014 10:23 PM
Re: HP 5800-24G Switch (JC100A) outbound IPv6 ACL does not apply to management processor
Hello,
interface GigabitEthernet1/0/24
 port link-mode route
 packet-filter ipv6 3001 outbound
 ipv6 address 2A01:x:y:z::2/64
acl ipv6 number 3001
 rule 0 permit ipv6 source 2A01:a:b:c::/56
 rule 10 deny ipv6 logging
From my provider I have a /64 transfer network and a /56 routed network. My switch has an IP address inside the /64
network. With the above configuration I can SSH into my switch using an IPv6 address on the public Internet. This should
not be possible, since the packets travelling back from my switch to a system on the Internet should be blocked by the outbound ACL. However, if I remove rule 0 from the above ACL, systems which are routed over the switch can no longer
contact the Internet, as they should. Inbound ACLs work as they should.
I noticed this problem while debugging Policy Based Routing, since I have two uplinks with two different IPv6 address spaces. Both have a /64 transfer and a /56 network routed, and I wanted to make sure that I don't get asymmetric routing, e.g. packets coming in through one uplink and getting answered on another uplink. This worked quite well for everything but the service processor, e.g. SSHing in to the switch from the Internet. Inbound ACLs apply as they should.
This is with the latest firmware available.
Cheers,
Thomas
01-06-2014 05:01 AM
Re: HP 5800-24G Switch (JC100A) outbound IPv6 ACL does not apply to management processor
Unless it's some bug, the only thing I can currently think of is that the /64 is part of your /56 and because of that is being allowed.
For example:
linknet: 2A01:a:b:c::1/64
routed (with 2A01:a:b:c::1 as nexthop): 2A01:a:b::/56
What if you try something like:
acl ipv6 number 3001
 rule 0 deny ipv6 source 2A01:a:b:c::/56
 rule 10 deny ipv6 logging
That is flipping rule 0 so it becomes a deny instead of an allow. If the traffic gets blocked now, you can go further and experiment with the prefix size to determine why that rule thinks your /64 is part of that larger /56.
By the way, in order to protect the mgmt interface(s) I would go for an inbound ACL instead of outbound (or both, if you want to avoid leaking of, for example, logging information).
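To check the theory above (the link-net /64 lying inside the /56 matched by rule 0), here is an added example, not code from the thread or from HP, that simulates first-match evaluation of the ACL as posted. The switch address 2a01:a:b:c::2 is a constructed stand-in for the obfuscated 2A01:x:y:z::2 and assumes the link net sits inside the /56, as the reply hypothesises.

```python
# Added example (not the switch's own code): a minimal simulation of Comware-style
# first-match IPv6 ACL evaluation, used to check the "/64 inside the /56" theory.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    number: int
    action: str                                   # "permit" or "deny"
    source: Optional[ipaddress.IPv6Network]       # None matches any source


def parse_acl(text: str) -> list:
    """Parse 'rule N permit|deny ipv6 [source PREFIX] [logging]' lines, ordered by number."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "rule":
            continue                              # skip the 'acl ipv6 number ...' header
        src = None
        if "source" in tok:
            src = ipaddress.IPv6Network(tok[tok.index("source") + 1], strict=False)
        rules.append(Rule(int(tok[1]), tok[2], src))
    return sorted(rules, key=lambda r: r.number)


def evaluate(rules, src_addr: str, default: str = "permit"):
    """Return (action, rule_number) of the first matching rule, or (default, None)."""
    addr = ipaddress.IPv6Address(src_addr)
    for r in rules:
        if r.source is None or addr in r.source:
            return r.action, r.number
    return default, None


# The ACL from the thread. 'a', 'b' and 'c' happen to be valid hex groups, so it parses as-is.
ACL_3001 = """
acl ipv6 number 3001
 rule 0 permit ipv6 source 2A01:a:b:c::/56
 rule 10 deny ipv6 logging
"""

if __name__ == "__main__":
    rules = parse_acl(ACL_3001)
    # Constructed switch address on the link net, which lies inside the /56 of rule 0.
    print(evaluate(rules, "2a01:a:b:c::2"))       # ('permit', 0)
    # A source outside the /56 falls through to the deny rule.
    print(evaluate(rules, "2a01:a:b:100::2"))     # ('deny', 10)
```

Passing `default="deny"` shows what an empty or non-matching ACL does under a deny default action.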
01-06-2014 09:58 PM
Re: HP 5800-24G Switch (JC100A) outbound IPv6 ACL does not apply to management processor
Hello,
I already experimented and my conclusion is that it does not work. The question is why: is it a bug or is it documented somewhere? And obviously I'm using inbound ACLs to protect my management processor. However, outbound ACLs should apply to all traffic, or this should be documented. Also, one thing that makes me think about switching back to Cisco is the ACL logging. It is useless because you can't find out which source IP/destination IP, source port or destination port is triggering the ACL. So currently I can see this:
Jan 7 00:01:05 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 215 packet(s)
Jan 7 00:06:05 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 764 packet(s)
Jan 7 00:11:05 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 171 packet(s)
Jan 7 00:46:05 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 65 packet(s)
Jan 7 01:01:05 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 213 packet(s)
Jan 7 01:06:05 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 789 packet(s)
Jan 7 01:11:05 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 146 packet(s)
Jan 7 01:46:05 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 63 packet(s)
Jan 7 01:51:05 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 2 packet(s)
Jan 7 02:01:05 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 202 packet(s)
Jan 7 02:06:05 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 795 packet(s)
Jan 7 02:11:05 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 148 packet(s)
Jan 7 02:46:05 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 65 packet(s)
Jan 7 03:01:05 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 167 packet(s)
Jan 7 03:06:05 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 822 packet(s)
Jan 7 03:11:05 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 156 packet(s)
Jan 7 03:46:05 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 62 packet(s)
Jan 7 03:51:05 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 3 packet(s)
Jan 7 04:01:05 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 195 packet(s)
Jan 7 04:06:06 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 806 packet(s)
Jan 7 04:11:06 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 143 packet(s)
Jan 7 04:46:06 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 63 packet(s)
Jan 7 04:51:06 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 2 packet(s)
Jan 7 05:01:06 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 194 packet(s)
Jan 7 05:06:06 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 780 packet(s)
Jan 7 05:11:06 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 169 packet(s)
Jan 7 05:46:06 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 65 packet(s)
Which is honestly totally useless. I hope that I'll find a command that enables me to see the individual packets' properties.
Cheers,
Thomas
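The ACL_STATIS_INFO lines above carry only a per-rule hit count per interval, no addresses or ports. As an added example (not from the post or from HP), here is a small parser that turns those counter lines into records, sums them per rule, and flags intervals where the deny count jumps, which is about all a defender can extract from this log format. The year is not in the syslog timestamp, so 2014 is assumed.

```python
# Added example (not from the post or HP): parse periodic ACL_STATIS_INFO counter
# lines and flag intervals where a rule's hit count jumps. No 5-tuple exists to recover.
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%%10ACL/6/ACL_STATIS_INFO\(l\): Number (?P<acl>\d+) rule (?P<rule>\d+) "
    r"(?P<action>permit|deny) (?P<proto>\S+) logging (?P<pkts>\d+) packet\(s\)$"
)

# Lines copied from the post above; the year is assumed because syslog omits it.
SAMPLE_LOG = """\
Jan 7 00:01:05 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 215 packet(s)
Jan 7 00:06:05 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 764 packet(s)
Jan 7 00:11:05 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 171 packet(s)
Jan 7 00:46:05 merlin %%10ACL/6/ACL_STATIS_INFO(l): Number 3101 rule 175 deny ip logging 65 packet(s)
"""

def parse_stats(log: str, year: int = 2014) -> list:
    """Return one dict per matching line; lines in any other format are ignored."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        records.append({"ts": ts, "host": m["host"], "acl": int(m["acl"]),
                        "rule": int(m["rule"]), "action": m["action"],
                        "pkts": int(m["pkts"])})
    return records

def totals_per_rule(records) -> dict:
    """Sum the interval counters per (acl, rule) to get at least a volume trend."""
    out = {}
    for r in records:
        key = (r["acl"], r["rule"])
        out[key] = out.get(key, 0) + r["pkts"]
    return out

def spikes(records, factor: float = 3.0) -> list:
    """Timestamps where a rule's count is at least `factor` times the previous interval's."""
    flagged, prev = [], {}
    for r in sorted(records, key=lambda x: x["ts"]):
        key = (r["acl"], r["rule"])
        if key in prev and prev[key] > 0 and r["pkts"] >= factor * prev[key]:
            flagged.append(r["ts"])
        prev[key] = r["pkts"]
    return flagged
```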
01-07-2014 06:28 AM
Re: HP 5800-24G Switch (JC100A) outbound IPv6 ACL does not apply to management processor
My interpretation of your config:
interface GigabitEthernet1/0/24
 port link-mode route
 packet-filter ipv6 3001 outbound
 ipv6 address 2A01:x:y:z::2/64
is that anything that is being sent out on gi 1/0/24 (that is, traffic towards whatever is connected to gi 1/0/24) will first pass ACL 3001, which defines what is allowed or not (that is, if it's IPv6 traffic).
Regarding your log question, that looks more like a stat dump every 5 min than the actual traffic log.
I guess this is what we see in your log output:
"
Set the interval for generating and outputting IPv4 packet filtering logs.
acl logging frequence <frequence>
Required. By default, the interval is 0. No IPv4 packet filtering logs are generated.
"
I think this is what you want:
"
Use an ACL to filter incoming or outgoing IPv4 or IPv6 packets. With a basic or advanced ACL, you can
log filtering events by specifying the logging keyword in the ACL rules and enabling the counting function.
"
However, you have already set up logging for rule 10, so I dunno...
acl ipv6 number 3001
 rule 0 permit ipv6 source 2A01:a:b:c::/56
 rule 10 deny ipv6 logging
Perhaps you need to tweak your info-center configuration regarding logbuffer so it will accept all log levels (and not just informational and upwards)?
In a hardening guide for Comware it was written that logbuffer and loghost should be configured to only accept "informational" level and upwards (to protect the CPU from unnecessary work). I'm thinking the "logging" keyword perhaps sits in a different log level currently not covered by your info-center configuration?
08-29-2014 07:37 AM
Re: HP 5800-24G Switch (JC100A) outbound IPv6 ACL does not apply to management processor
It may be caused by the packet-filter default action in place.
It should be "packet-filter default deny" to deny everything that is not specified in the ACLs.
** Be careful before changing this. You may lose connectivity if there are no ACLs permitting the access.
Something like that after applying:
[HP5900IRF]display packet-filter statistics interface Vlan-interface 30 outbound
 Interface: Vlan-interface30
 Out-bound policy:
  ACL 3030
   rule 5 permit tcp destination 172.25.30.10 0 destination-port eq 3389 logging counting (624 packets)
   rule 10 deny icmp destination 172.25.30.12 0 logging counting
  Default action: Deny
It may help
Thanks,
Joel