03-20-2012 05:48 AM
HP5830 - Interface VLAN ACLs
Hi all,
Recently I've been attempting to control traffic between certain VLANs by using advanced ACLs.
However, I have noticed that when applying the ACLs to the VLAN interface, they only seem to work when I apply them in the opposite direction to that which I am used to.
Example:
system-view
acl number 3000 name BLOCK_INTO_VLAN
rule deny ip source 10.201.64.0 0.0.0.255 destination any
rule permit ip source any destination any
interface vlan-interface 104
packet-filter name BLOCK_INTO_VLAN inbound
quit
The above command does not block traffic from source addresses in the 10.201.64.0/24 range trying to get into that VLAN.
However, when I apply the packet-filter in the outbound direction it does block the traffic!
Am I just misunderstanding the syntax of HP switch ACLs?
Cheers,
Graham
03-20-2012 10:02 AM
Re: HP5830 - Interface VLAN ACLs
I understand that the HP5830 supports QoS, and that by using QoS you can get the same functionality. Are you saying that the only way to apply ACLs is by creating a QoS policy and applying that, rather than simply applying the ACL using packet filter? From the documentation I have read I should be able to apply ACLs the way I have in my first post....
Has anyone else seen any similar issues with ACLs on VLAN interfaces?
03-27-2012 08:33 AM - edited 03-27-2012 09:10 AM
Re: HP5830 - Interface VLAN ACLs
03-27-2012 09:09 AM
Re: HP5830 - Interface VLAN ACLs
acl number 3000 name BLOCK_INTO_VLAN
rule 1 deny ip source 10.201.64.0 0.0.0.255 destination any
rule 2 permit ip source any destination any
Don't you need to put the rule_id in to have separate rules?
03-27-2012 11:35 AM
Re: HP5830 - Interface VLAN ACLs
Hello Michael,
What is the IP on your VLAN 104 interface? Because it sounds like you have the right idea and it should be working.
Regarding the Rule_ID, it doesn't matter, the system will just put one in if you don't. You can manually use rule_ids in case you want to put in more rules in the middle later. Example: start out with Rule 1 and your permit all as rule 10. That way you can put in an extra 8 rules before having to redo rule 10.
-RK
03-31-2012 06:38 AM
Re: HP5830 - Interface VLAN ACLs
The VLAN interface is 10.201.32.1 255.255.255.0
Have you tested application of ACLs to VLAN interfaces?
Cheers, Graham
03-31-2012 06:01 PM
Re: HP5830 - Interface VLAN ACLs
Check your application direction. Packet filter on a VLAN interface filters only Layer 3 traffic. If the incoming traffic on the VLAN interface is sourced from A, it is impossible for the same VLAN interface to send traffic sourced from A in the outbound direction.
To filter traffic sourced from 1.1.1.0, you have two ways: 1. apply the ACL to the inbound direction of VLAN-interface 10, or 2. apply the ACL to the outbound direction of VLAN 20.
01-10-2013 11:59 AM
Re: HP5830 - Interface VLAN ACLs
Hello!
The direction of the traffic to which the ACL filtering is applied is relative to the VLAN interface on the device, not the VLAN (outside of the device):
inbound: Filters packets received by the interface (sent from the VLAN)
outbound: Filters packets forwarded from the interface (sent to VLAN)
Hope this helps!
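Added example, not part of the thread and not HP code: a small Python lint that applies the direction rule from the last two replies to the configuration in the first post and flags ACL rules whose source network can never match in the direction the packet-filter is applied. It assumes the VLAN holds only directly attached hosts (no routed networks behind it) and parses only the command forms shown in the thread plus `ip address`; the function name and the sample text are constructed for illustration.

```python
import ipaddress

# Constructed sample: the ACL from the first post plus the interface address
# given later in the thread (10.201.32.1 255.255.255.0).
SAMPLE = """\
acl number 3000 name BLOCK_INTO_VLAN
 rule deny ip source 10.201.64.0 0.0.0.255 destination any
 rule permit ip source any destination any
interface vlan-interface 104
 ip address 10.201.32.1 255.255.255.0
 packet-filter name BLOCK_INTO_VLAN inbound
"""

def lint_packet_filters(config):
    """Return (interface, acl, direction, source) for rules that cannot match."""
    acls, findings = {}, []
    acl = iface = subnet = None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "acl" and "name" in tok:
            acl = tok[tok.index("name") + 1]
            acls[acl] = []
        elif tok[0] == "rule" and "source" in tok and acl is not None:
            i = tok.index("source")
            if tok[i + 1] != "any":
                # Wildcard-mask form (10.201.64.0 0.0.0.255) -> network object
                acls[acl].append(ipaddress.ip_network(f"{tok[i + 1]}/{tok[i + 2]}"))
        elif tok[0] == "interface":
            iface, subnet = " ".join(tok[1:]), None
        elif tok[:2] == ["ip", "address"] and iface is not None:
            subnet = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
        elif tok[0] == "packet-filter" and subnet is not None:
            name, direction = tok[2], tok[3]
            for src in acls.get(name, []):
                on_vlan = src.overlaps(subnet)
                # inbound  = received from the VLAN -> sources are on its subnet
                # outbound = sent to the VLAN       -> sources are off its subnet
                if (direction == "inbound") != on_vlan:
                    findings.append((iface, name, direction, str(src)))
    return findings

if __name__ == "__main__":
    for finding in lint_packet_filters(SAMPLE):
        print("rule cannot match in this direction:", finding)
```
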