Vlan ACL & HP A5500-24G EI how it work ?
DenisKh
Visitor

Vlan ACL & HP A5500-24G EI how it work ?

Good day everyone!

 

We have 2 VLANs on this switch:
vlan 1 (Default VLAN)
vlan 400 (Management VLAN)

 

interface Vlan-interface1
 ip address 192.168.0.5 255.255.255.0
 undo dhcp select server global-pool

interface Vlan-interface400
 ip address 172.16.2.1 255.255.255.0
 packet-filter 3001 inbound

 

Here is the ACL which we use:

acl number 3001
 hardware-count enable
 rule 0 permit ip source 192.168.0.216 0 destination 172.16.2.2 0 counting
 rule 5 deny ip counting

 

The host from network 192.168.0.216 cannot connect to port 22 on host 172.16.2.2. I really don't understand why.

Please, can anyone show me a working example? Or where is my mistake? I would be very grateful for any help.

Version 5.20.99, Release 2221P01-U

 

4 REPLIES
Apachez-
Trusted Contributor

Re: Vlan ACL & HP A5500-24G EI how it work ?

I haven't been playing with VACLs on the HP A-series, but they can basically function in two ways (at least when comparing with other vendors):

1) The VACL affects only traffic that is directed towards the vlan-interface itself (that is, in your case, traffic directed to 172.16.2.1).

OR

2) The VACL affects all traffic traversing the VLAN, for example traffic between two clients who use the same VLAN.

In your case I think it's a matter of a misspelling.

 

Your ACL should read (since the ip of your vlan interface is 172.16.2.1 and not 172.16.2.2):

 

 rule 0 permit ip source 192.168.0.216 0 destination 172.16.2.1 0 counting

 

OR

 

change the ip of your vlan interface into:

 

 ip address 172.16.2.2 255.255.255.0

 

Regarding protecting management interfaces, you can attach ACLs directly to the services themselves (this way you won't have to do this manually on each and every interface you have), like so (the IP addresses used are just an example):

 

 

acl number 2000 name v4-DENY-ANY
 hardware-count enable
 rule 0 deny
acl number 2001 name v4-MGMT-NTP
 hardware-count enable
 rule 0 permit source 1.1.1.1 0
 rule 5 deny
acl number 2002 name v4-MGMT-SSH
 hardware-count enable
 rule 0 permit source 2.2.2.2 0
 rule 5 deny
acl number 2003 name v4-MGMT-SNMP
 hardware-count enable
 rule 0 permit source 3.3.3.3 0
 rule 5 deny
acl number 2004 name v4-MGMT-TFTP
 hardware-count enable
 rule 0 permit source 4.4.4.4 0
 rule 5 deny
#

Also, don't forget to do something similar for v6.

 

And then just:

 

 ip http acl 2000
 undo ip http enable

 snmp-agent community read READONLY acl ipv6 2003 acl 2003
 snmp-agent community write READWRITE acl ipv6 2003 acl 2003

 tftp-server acl 2004
 tftp-server ipv6 acl 2004

 ip https acl 2000
 undo ip https enable

 ntp-service source-interface Loopback0
 ntp-service access peer 2001
 ntp-service access server 2000
 ntp-service access synchronization 2000
 ntp-service access query 2000
 ntp-service unicast-server 1.1.1.1

user-interface vty 0 15
 acl 2002 inbound
 acl ipv6 2002 inbound
 authentication-mode scheme
 user privilege level 1
 set authentication password cipher <REMOVED>
 protocol inbound ssh
 terminal type vt100
#

DenisKh
Visitor

Re: Vlan ACL & HP A5500-24G EI how it work ?

Thank you for a detailed answer to my question!

Today I'm checking it again.

DenisKh
Visitor

Re: Vlan ACL & HP A5500-24G EI how it work ?

It sounds crazy, but it didn't work for me.

 

acl number 3000
 hardware-count enable
 rule 0 permit tcp source 192.168.0.240 0 destination 172.16.2.2 0 destination-port eq 22 logging
 rule 5 deny ip destination 172.16.2.0 0.0.0.5 logging

or

acl number 3000
 hardware-count enable
 rule 0 permit tcp source 192.168.0.240 0 destination 172.16.2.2 0 destination-port eq 22 logging counting
 rule 5 deny ip destination 172.16.2.2 0 logging

interface Vlan-interface400
 description --MNGM_NETWORK--
 ip address 172.16.2.1 255.255.255.0
 undo dhcp select server global-pool
 packet-filter 3000 inbound

 

And anyone who is in 192.168.0.0 can connect to host 172.16.2.2.

How can it be? I feel terribly stupid..

 

DenisKh
Visitor

Re: Vlan ACL & HP A5500-24G EI how it work ?

I'm really stupid.. I applied this filter on the wrong interface.

Sorry
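The conclusion of the thread (the packet-filter sat on the wrong interface) as an added example, not code from the posts or from HPE: a small Python model of first-match ACL evaluation with Comware wildcard masks, and of which interface filters a routed packet actually meets. The permit-on-no-match default, the inbound/outbound semantics and the second host 192.168.0.100 are assumptions made for the model.

```python
import ipaddress

# Constructed model of ACL 3001 from the thread: (action, protocol, source spec,
# destination spec, destination port); a spec is (base, wildcard) or None for "any".
ACL_3001 = [
    ("permit", "ip", ("192.168.0.216", "0.0.0.0"), ("172.16.2.2", "0.0.0.0"), None),
    ("deny", "ip", None, None, None),
]

def wildcard_match(addr, spec):
    """Comware wildcard: a 1 bit means 'don't care'; wildcard 0 means exact host."""
    if spec is None:
        return True
    base, wildcard = spec
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def acl_action(acl, pkt):
    """First matching rule wins; an unmatched packet is permitted (assumed Comware default)."""
    for action, proto, src, dst, dport in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], src) and wildcard_match(pkt["dst"], dst)):
            continue
        if dport is not None and pkt["dport"] != dport:
            continue
        return action
    return "permit"

def forward(pkt, filters, in_if, out_if):
    """filters maps (VLAN interface, direction) -> ACL. A routed packet only meets the
    inbound filter of the interface it arrives on and the outbound filter of the one it leaves."""
    for key in ((in_if, "inbound"), (out_if, "outbound")):
        if key in filters and acl_action(filters[key], pkt) == "deny":
            return "deny"
    return "permit"

def ssh_syn(src):  # constructed packet: TCP SYN from a VLAN 1 host to port 22 of 172.16.2.2
    return {"proto": "tcp", "src": src, "dst": "172.16.2.2", "dport": 22}

def check_placements():
    """Per placement: (verdict for the allowed host .216, verdict for a constructed other host .100)."""
    placements = {
        "vlan400-inbound": {("Vlan-interface400", "inbound"): ACL_3001},   # the thread's config
        "vlan1-inbound": {("Vlan-interface1", "inbound"): ACL_3001},       # where the traffic enters
        "vlan400-outbound": {("Vlan-interface400", "outbound"): ACL_3001}, # where it leaves
    }
    return {name: tuple(forward(ssh_syn(h), f, "Vlan-interface1", "Vlan-interface400")
                        for h in ("192.168.0.216", "192.168.0.100"))
            for name, f in placements.items()}
```

Applied inbound on Vlan-interface400 the ACL never sees a SYN that enters the switch from VLAN 1, so every host gets through; inbound on Vlan-interface1 or outbound on Vlan-interface400 it behaves as intended. The wildcard helper also shows that `destination 172.16.2.0 0.0.0.5` from the later ACL 3000 matches .0, .1, .4 and .5 but not .2.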