VLAN ACL Filter doesn't work

aali
Frequent Advisor

VLAN ACL Filter doesn't work

Can't get ACL to work. I have a simple setup with VLANs 60-63, and each VLAN corresponds to a VLAN interface below:

interface vlan 60
 ip address 10.1.60.1 24
interface vlan 61
 ip address 10.1.61.1 24
interface vlan 62
 ip address 10.1.62.1 24
interface vlan 63
 ip address 10.1.63.1 24

All I want to do is block traffic from VLANs 61-63 from reaching VLAN 60. See the config below:

acl number 3000
 rule deny ip source 10.1.61.0 0.0.0.255 destination 10.1.60.0 0.0.0.255
 rule deny ip source 10.1.62.0 0.0.0.255 destination 10.1.60.0 0.0.0.255
 rule deny ip source 10.1.63.0 0.0.0.255 destination 10.1.60.0 0.0.0.255
 rule deny ip source 10.1.64.0 0.0.0.255 destination 10.1.60.0 0.0.0.255

interface vlan 60
 ip address 10.1.60.1 24
 packet-filter 3000 outbound

I put a workstation on VLAN 63 and am able to ping VLAN interface 60's IP address 10.1.60.1.

Please advise!

Thanks,

4 REPLIES
Vince_Whirlwind
Trusted Contributor

Re: VLAN ACL Filter doesn't work

What if you put the rule "inbound" on the VLAN 63 interface instead?

What about other IP addresses on VLAN 60, aside from the router address?

Peter_Debruyne
Honored Contributor

Re: VLAN ACL Filter doesn't work

Hi,

Agree with Vince, the test address is not valid, since it belongs to the switch itself (this traffic is not going 'out' on the VLAN interface, but is handled by the software of the switch).

So I would suggest trying to reach a real host on the remote VLANs.

Best regards, Peter.
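A small Python model, added here as an example (not from the thread, the poster, or HPE), of why the post's outbound packet-filter never sees the ping to 10.1.60.1: it parses the ACL rules exactly as written in the post, applies Comware wildcard-mask matching, and treats traffic addressed to one of the switch's own VLAN-interface addresses as locally terminated, so only an inbound filter on the source VLAN (Vince's suggestion) catches it. The forwarding model, the permit-by-default fallthrough for unmatched packets and the host address 10.1.63.10 are assumptions of the example.

```python
import ipaddress
from collections import namedtuple

# Constructed model of the thread's setup: the switch owns the VLAN-interface addresses.
SWITCH_OWN_ADDRESSES = {"10.1.60.1", "10.1.61.1", "10.1.62.1", "10.1.63.1"}

# Comware wildcard mask semantics: a 0 bit in the mask means that bit must match.
Rule = namedtuple("Rule", "action src src_wc dst dst_wc")

def parse_rule(line):
    """Parse 'rule deny ip source A WC destination B WC' (the syntax used in the post)."""
    t = line.split()
    return Rule(t[1], t[4], t[5], t[7], t[8])

def wildcard_match(addr, base, wildcard):
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits the rule cares about
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)

def evaluate(rules, src, dst):
    """First matching rule wins; no match falls through to permit (assumed default action)."""
    for r in rules:
        if wildcard_match(src, r.src, r.src_wc) and wildcard_match(dst, r.dst, r.dst_wc):
            return r.action
    return "permit"

def forward(src, dst, src_vlan, dst_vlan, filters):
    """filters maps (vlan, 'inbound'|'outbound') to a rule list; returns (verdict, trace)."""
    trace = []
    verdict = evaluate(filters.get((src_vlan, "inbound"), []), src, dst)
    trace.append((src_vlan, "inbound", verdict))  # the ingress filter sees every packet
    if verdict == "deny":
        return "deny", trace
    if dst in SWITCH_OWN_ADDRESSES:
        # Locally terminated: handled by the switch itself and never sent out a VLAN
        # interface, so the outbound packet-filter on vlan 60 is never consulted.
        trace.append(("switch", "local", "permit"))
        return "permit", trace
    verdict = evaluate(filters.get((dst_vlan, "outbound"), []), src, dst)
    trace.append((dst_vlan, "outbound", verdict))
    return verdict, trace

# The post's acl number 3000, and the two placements discussed in the thread.
ACL_3000 = [parse_rule(f"rule deny ip source 10.1.{v}.0 0.0.0.255 destination 10.1.60.0 0.0.0.255")
            for v in (61, 62, 63, 64)]
ORIGINAL = {(60, "outbound"): ACL_3000}                     # packet-filter 3000 outbound on vlan 60
INBOUND = {(v, "inbound"): ACL_3000 for v in (61, 62, 63)}  # Vince: inbound on the source VLANs
```

With ORIGINAL, a ping from 10.1.63.10 to 10.1.60.1 is permitted (the poster's observation) while the same host reaching 10.1.60.20 is denied; with INBOUND both are denied at the vlan 63 ingress.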

aali
Frequent Advisor

Re: VLAN ACL Filter doesn't work

Thanks Vince and Peter,

I will put a host and test instead of pinging the interface itself.

BTW, is it possible to block the interface as well from pinging?

Thanks,

Vince_Whirlwind
Trusted Contributor

Re: VLAN ACL Filter doesn't work

For your BTW, an outbound ACL looking for the opposite traffic on VLAN 60 should block it, I guess.