HPE Community
Comware Based
1752794 Members
6303 Online
108789 Solutions
New Discussion

Re: outbound packet-filter on L3 interface not applied to traffic originated from this interface

 
d8ry1
Visitor

‎05-16-2017 03:32 AM - edited ‎05-16-2017 03:33 AM

‎05-16-2017 03:32 AM - edited ‎05-16-2017 03:33 AM

outbound packet-filter on L3 interface not applied to traffic originated from this interface

Hi,

Switch in question is HP 5500-24G-SFP HI running Comware Software, Version 5.20.99, Release 5501P21

Let's say our setup is as follows:

host1<192.168.1.2> --- <192.168.1.1> router <10.10.10.1> ---  <10.10.10.2>g1/0/1 HP5500hi <192.168.2.1> --- host2<192.168.2.2>

and only one ACL on the HP5500hi on interface g1/0/1:

# disp cur int g1/0/1
port link-mode route
packet-filter 3050 outbound
ip address 10.10.10.2 255.255.255.0

# disp cur conf acl-adv | b 3050
acl number 3050
hardware-count enable
rule 0 permit icmp
rule 999 deny ip
#
return

It seems that the switch completely ignores packet-filter outbound when traffic is originated on the switch itself. For example, I can ssh to both the router and host1 from HP5500hi (refer to the diagram). hardware-conting is enabled on the acl 3050 and these ssh connections are not hitting any of the two rules. Neither any pings (that should fall under rule 0) are hitting the ACL. 

If the connections are originated from host2 towards the router or host1, then the packet-filter is working as expected and I see hits on the acl for both: allowed icmp and denied rest.

I'm not seeing any of this on inbound packet-filters.

I expect that this is a normal behavior, but being not really obvious it makes me wonder if any documentation covers it. Could anybody point me into anything relevant?

note that it is NOT about packet-filter filter [ route | all ], which is available only on Vlan interfaces. 

Thanks,
Anton.

0 Kudos
1 REPLY 1
16again
Respected Contributor

‎06-07-2017 02:12 AM

‎06-07-2017 02:12 AM

Re: outbound packet-filter on L3 interface not applied to traffic originated from this interface

Does this packet filter work when switch port is normal L2 port ?   For this, you need to move L3 address to dummy VLAN and make the port access port in the VLAN

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.