07-10-2014 03:27 PM
Vlan ACL & HP A5500-24G EI: how does it work?
Good day everyone!
We have 2 VLANs on this switch:
vlan 1 (default VLAN)
vlan 400 (management VLAN)
interface Vlan-interface1
ip address 192.168.0.5 255.255.255.0
undo dhcp select server global-pool
interface Vlan-interface400
ip address 172.16.2.1 255.255.255.0
packet-filter 3001 inbound
Here is the ACL which we use:
acl number 3001
hardware-count enable
rule 0 permit ip source 192.168.0.216 0 destination 172.16.2.2 0 counting
rule 5 deny ip counting
The host 192.168.0.216 cannot connect to port 22 on host 172.16.2.2. I really don't understand why.
Please, can anyone show me a working example? Or where is my mistake? I would be very grateful for any help.
Version 5.20.99, Release 2221P01-U
07-10-2014 05:10 PM
Re: Vlan ACL & HP A5500-24G EI: how does it work?
I haven't been playing with VACLs on HP A-series, but they can basically function in two ways (at least when comparing with other vendors):
1) The VACL affects only traffic that is directed towards the vlan-interface itself (that is, in your case, traffic directed to 172.16.2.1).
OR
2) The VACL affects all traffic traversing the VLAN, for example traffic between two clients who use the same VLAN.
In your case I think it's a matter of misspelling.
Your ACL should read (since the IP of your VLAN interface is 172.16.2.1 and not 172.16.2.2):
rule 0 permit ip source 192.168.0.216 0 destination 172.16.2.1 0 counting
OR
change the IP of your VLAN interface to:
ip address 172.16.2.2 255.255.255.0
Regarding protecting management interfaces, you can attach ACLs directly to the services themselves (this way you won't have to do this manually on each and every interface you have), like so (IP addresses used are just an example):
acl number 2000 name v4-DENY-ANY
hardware-count enable
rule 0 deny
acl number 2001 name v4-MGMT-NTP
hardware-count enable
rule 0 permit source 1.1.1.1 0
rule 5 deny
acl number 2002 name v4-MGMT-SSH
hardware-count enable
rule 0 permit source 2.2.2.2 0
rule 5 deny
acl number 2003 name v4-MGMT-SNMP
hardware-count enable
rule 0 permit source 3.3.3.3 0
rule 5 deny
acl number 2004 name v4-MGMT-TFTP
hardware-count enable
rule 0 permit source 4.4.4.4 0
rule 5 deny
#
Also don't forget to do something similar for v6.
And then just:
ip http acl 2000
undo ip http enable
snmp-agent community read READONLY acl ipv6 2003 acl 2003
snmp-agent community write READWRITE acl ipv6 2003 acl 2003
tftp-server acl 2004
tftp-server ipv6 acl 2004
ip https acl 2000
undo ip https enable
ntp-service source-interface Loopback0
ntp-service access peer 2001
ntp-service access server 2000
ntp-service access synchronization 2000
ntp-service access query 2000
ntp-service unicast-server 1.1.1.1
user-interface vty 0 15
acl 2002 inbound
acl ipv6 2002 inbound
authentication-mode scheme
user privilege level 1
set authentication password cipher <REMOVED>
protocol inbound ssh
terminal type vt100
#
07-10-2014 08:43 PM
Re: Vlan ACL & HP A5500-24G EI: how does it work?
Thank you for a detailed answer to my question!
Today I'm going to check it again.
07-11-2014 03:33 AM - edited 07-11-2014 03:45 AM
Re: Vlan ACL & HP A5500-24G EI: how does it work?
It sounds crazy, but it didn't work for me:
acl number 3000
hardware-count enable
rule 0 permit tcp source 192.168.0.240 0 destination 172.16.2.2 0 destination-port eq 22 logging
rule 5 deny ip destination 172.16.2.0 0.0.0.5 logging
or
acl number 3000
hardware-count enable
rule 0 permit tcp source 192.168.0.240 0 destination 172.16.2.2 0 destination-port eq 22 logging counting
rule 5 deny ip destination 172.16.2.2 0 logging
interface Vlan-interface400
description --MNGM_NETWORK--
ip address 172.16.2.1 255.255.255.0
undo dhcp select server global-pool
packet-filter 3000 inbound
And anyone who is in 192.168.0.0 can connect to host 172.16.2.2.
How can it be? I feel terribly stupid..
07-11-2014 04:05 AM
Re: Vlan ACL & HP A5500-24G EI: how does it work?
I'm really stupid.. I applied this filter on the wrong interface.
Sorry
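The thread closes with the filter having been applied on the wrong interface, without spelling out what that means for the two ACLs posted above. The following is an added example, not code from the thread or from HPE: a small Python model of ordered, first-match ACL evaluation with Comware-style wildcard masks (a 0 bit must match, so a wildcard of 0, written 0.0.0.0 here, means an exact host). It also models the one property the thread turns on: a packet-filter applied inbound on a Vlan-interface only sees packets that enter the switch from that VLAN. The VLAN layout (VLAN 1 = 192.168.0.0/24, VLAN 400 = 172.16.2.0/24), the "anyone" client 192.168.0.50, and the default permit for packets matching no rule are constructed assumptions for the model; placing the filter inbound on Vlan-interface1 is shown as one placement consistent with the closing remark, not as the poster's actual fix.

```python
"""Added example (not from the thread): model of Comware-style inbound
packet-filter evaluation on a VLAN interface.

Simplifications, all assumptions of this model:
  * rules are tried in order, first match wins
  * a packet matching no rule is permitted
  * an inbound packet-filter on Vlan-interface N sees only packets whose
    ingress VLAN is N (a packet from VLAN 1 toward VLAN 400 is *outbound*
    on Vlan-interface400, so an inbound filter there only sees the replies)
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip", "tcp" or "udp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "ip"            # "ip" matches any protocol
    src: Optional[Tuple[str, str]] = None   # (address, wildcard); None = any
    dst: Optional[Tuple[str, str]] = None
    dport: Optional[int] = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: bits set to 0 in the wildcard must match exactly."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF & ~w
    return (a & care) == (b & care)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src and not wildcard_match(pkt.src, *rule.src):
        return False
    if rule.dst and not wildcard_match(pkt.dst, *rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the first matching rule); no match -> permit."""
    for i, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, i
    return "permit", None


# Constructed VLAN layout taken from the thread's interface addresses.
VLANS = {1: IPv4Network("192.168.0.0/24"), 400: IPv4Network("172.16.2.0/24")}


def ingress_vlan(pkt: Packet) -> int:
    for vid, net in VLANS.items():
        if IPv4Address(pkt.src) in net:
            return vid
    raise ValueError(f"no VLAN for source {pkt.src}")


def inbound_filter(acl: List[Rule], filter_vlan: int, pkt: Packet) -> Tuple[str, Optional[int]]:
    """Model 'packet-filter <acl> inbound' on Vlan-interface<filter_vlan>."""
    if ingress_vlan(pkt) != filter_vlan:
        return "not seen", None       # the filter never evaluates this packet
    return evaluate(acl, pkt)


def ssh_session_allowed(acl: List[Rule], filter_vlan: int, client: str, server: str) -> bool:
    """A TCP session works only if neither direction is denied."""
    fwd = Packet(client, server, "tcp", 22)
    rev = Packet(server, client, "tcp")   # replies: source port 22, no dport match
    return all(inbound_filter(acl, filter_vlan, p)[0] != "deny" for p in (fwd, rev))


# The two ACLs posted in the thread ("0" in the config is the 0.0.0.0 wildcard).
ACL_3001 = [
    Rule("permit", "ip", ("192.168.0.216", "0.0.0.0"), ("172.16.2.2", "0.0.0.0")),
    Rule("deny", "ip"),
]
ACL_3000 = [
    Rule("permit", "tcp", ("192.168.0.240", "0.0.0.0"), ("172.16.2.2", "0.0.0.0"), 22),
    Rule("deny", "ip", None, ("172.16.2.2", "0.0.0.0")),
]

if __name__ == "__main__":
    # First post: filter inbound on Vlan-interface400 only sees the reply, which rule 5 denies.
    print("3001 on vlan400, .216 -> .2:", ssh_session_allowed(ACL_3001, 400, "192.168.0.216", "172.16.2.2"))
    # Follow-up: same placement; replies match no rule, so every client gets through.
    print("3000 on vlan400, .50  -> .2:", ssh_session_allowed(ACL_3000, 400, "192.168.0.50", "172.16.2.2"))
    # Filtering where the client traffic enters (VLAN 1) gives the intended result.
    print("3000 on vlan1,   .240 -> .2:", ssh_session_allowed(ACL_3000, 1, "192.168.0.240", "172.16.2.2"))
    print("3000 on vlan1,   .50  -> .2:", ssh_session_allowed(ACL_3000, 1, "192.168.0.50", "172.16.2.2"))
```

Run stand-alone, the script reproduces both symptoms from the thread (the 192.168.0.216 host blocked by ACL 3001, then every host admitted by ACL 3000) and shows that the same ACL 3000 behaves as intended once it is evaluated on the VLAN the client traffic actually enters from.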