03-25-2016 12:59 AM - edited 04-05-2016 01:58 AM
detailed Comware ACL packetfilter logging?
Hello,
I have a packet-filter (on cmw710-system-r2307) that allows some traffic and ends with a "deny ip logging". It is meant for a VLAN that contains printers which connect only to the print server or to the mail server and not to any other devices in my internal network.
disp acl 3000
Advanced ACL 3000, named -none-, 3 rules,
ACL's step is 5
rule 0 permit tcp destination 10.10.10.1 0 destination-port eq 9100
rule 5 permit tcp destination 10.10.9.1 0 destination-port eq smtp
rule 10 deny ip logging
I have bound this ACL to the interface as an inbound filter:
interface Vlan-interface11
ip address 172.22.11.26 255.255.255.0
packet-filter 3000 inbound
Now I see that rule 10 is being hit. This means some printers are configured wrong, or I have forgotten some hosts/ports that should be allowed. I can wait until somebody comes complaining, but I'd rather have a look at what traffic I'm dropping (it turned out some printers use special scanning modules that communicate over different ports).
There doesn't seem to be any detailed logging to tell what is being blocked by rule 10.
What would be the right way to learn what is being blocked? Or should I use some other feature to block this traffic?
Regards,
Luukman
- Tags:
- ACLs
04-05-2016 04:10 PM
Re: detailed Comware ACL packetfilter logging?
Hi Luukman,
If you deploy a packet-filter on a VLAN interface, not only routed traffic is filtered, but also inter-VLAN traffic. Maybe some other communication is going on in VLAN11 which will be blocked by the ACL. If you don't want to block inter-VLAN traffic you need to configure:
interface Vlan-interface11
packet-filter filter route
To see which IP packets hit the deny rule you can make a packet trace. The latest code allows you to create a packet capture on the switch. Debugging IP packets with an ACL can also help. Create a specific ACL for debugging with your source printer IP addresses to see which IP packets pass.
Hopefully it helps.
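Both the question ("which flows are hitting rule 10?") and the reply (take a packet capture and debug against an ACL) come down to the same analysis: run the flows you captured from the printer VLAN through the ACL as the switch evaluates it, and tally the ones that fall through to the "deny ip logging" rule. The script below is an added example written for this thread, not code from the original post, from HPE, or from Comware. It parses the ACL exactly as "display acl 3000" prints it above, applies first-match semantics with Comware's wildcard masks, and summarises the denied flows by destination and port so that missing permit rules (such as the scanning modules mentioned in the question) stand out. The flow records are constructed sample data standing in for what you would extract from a packet capture; the service-name table, the assumption that an unmatched packet is permitted (Comware's packet-filter default unless "packet-filter default deny" is configured), and all function names are this example's own.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Counter as CounterT, List, Optional, Tuple

# Constructed input: the ACL as 'display acl 3000' printed it in the question.
ACL_TEXT = """\
Advanced ACL 3000, named -none-, 3 rules,
ACL's step is 5
rule 0 permit tcp destination 10.10.10.1 0 destination-port eq 9100
rule 5 permit tcp destination 10.10.9.1 0 destination-port eq smtp
rule 10 deny ip logging
"""

# Service names the CLI prints instead of numbers (small subset; assumption).
PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53, "snmp": 161, "ftp": 21}


@dataclass
class Rule:
    number: int
    action: str                                  # 'permit' or 'deny'
    proto: str                                   # 'ip' means any protocol
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dst_port: Optional[int] = None
    logging: bool = False


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None                  # None for ICMP and friends


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Comware wildcard mask: a 0 bit must match. '0' is shorthand for 0.0.0.0.
    Computed by hand because ipaddress reads '0.0.0.0' as netmask /0, not host /32."""
    w = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:                              # 1-bits must be a trailing run
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefix = 32 - w.bit_length()
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def parse_acl(text: str) -> List[Rule]:
    """Parse 'rule ...' lines of an advanced ACL; header lines are skipped."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "rule":
            continue
        rule = Rule(number=int(tok[1]), action=tok[2], proto=tok[3])
        i = 4
        while i < len(tok):
            if tok[i] in ("source", "destination"):
                net = wildcard_to_network(tok[i + 1], tok[i + 2])
                setattr(rule, "src" if tok[i] == "source" else "dst", net)
                i += 3
            elif tok[i] == "destination-port" and tok[i + 1] == "eq":
                rule.dst_port = PORT_NAMES.get(tok[i + 2]) or int(tok[i + 2])
                i += 3
            elif tok[i] == "logging":
                rule.logging = True
                i += 1
            else:
                raise ValueError(f"unsupported keyword {tok[i]!r} in: {line}")
        rules.append(rule)
    return sorted(rules, key=lambda r: r.number)   # rule numbers give match order


def matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    if rule.src and ipaddress.IPv4Address(flow.src) not in rule.src:
        return False
    if rule.dst and ipaddress.IPv4Address(flow.dst) not in rule.dst:
        return False
    return rule.dst_port is None or flow.dport == rule.dst_port


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[Optional[int], str]:
    """First matching rule wins. No match -> permit (packet-filter default; assumption)."""
    for rule in rules:
        if matches(rule, flow):
            return rule.number, rule.action
    return None, "permit"


def denied_summary(rules: List[Rule], flows: List[Flow]) -> CounterT:
    """Count denied flows per (proto, destination, port): what the hit counter hides."""
    return Counter((f.proto, f.dst, f.dport) for f in flows
                   if evaluate(rules, f)[1] == "deny")


# Constructed sample flows, as you might extract them from a capture on VLAN 11.
SAMPLE_FLOWS = [
    Flow("tcp", "172.22.11.50", "10.10.10.1", 9100),   # raw printing -> rule 0
    Flow("tcp", "172.22.11.50", "10.10.9.1", 25),      # scan-to-mail -> rule 5
    Flow("tcp", "172.22.11.51", "10.10.10.1", 445),    # scan-to-folder -> rule 10
    Flow("udp", "172.22.11.51", "10.10.9.1", 53),      # DNS lookup -> rule 10
    Flow("icmp", "172.22.11.52", "172.22.11.26"),      # ping to gateway -> rule 10
]

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for flow in SAMPLE_FLOWS:
        num, action = evaluate(acl, flow)
        print(f"{flow.proto:5} {flow.src} -> {flow.dst}:{flow.dport}  rule {num} {action}")
    print("denied by destination:", dict(denied_summary(acl, SAMPLE_FLOWS)))
```

Replace SAMPLE_FLOWS with 5-tuples pulled from the switch capture; every entry in the denied summary is either a misconfigured printer or a service that still needs a permit rule ahead of rule 10.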