[A5500] Configure ACL
03-22-2016 04:20 PM
Hi All,
I have an IRF stack with 2 x A5500-24G-4SFP HI.
Version is Comware Software, Version 5.20.99, Release 5501P19.
There are 2 VLAN and 2 VPN-Instance.
VLAN 100 (10.0.0.252) is binding vpn-instance vpn_main.
VLAN 1002 (10.0.5.9) is binding vpn-instance vpn_CustomerA.
I configure vpn-target between the vpn-instance and I can ping interface Vlan 100 from interface Vlan 1002 and vice-versa.
There is an UTM in VLAN1002 and its IP address is 10.0.5.11.
There is a CPE in VLAN100 and its IP address is 10.0.0.203.
And there is a device behind the CPE, and its IP address is 10.3.239.254.
So, the routing is :
UTM (VLAN1002 : 10.0.5.11) <> H3C (VPN-INSTANCE vpn_CustomerA VLAN1002 : 10.0.5.9) <> H3C (VPN-INSTANCE vpn_main VLAN 100 : 10.0.0.252) <> CPE (VLAN100 : 10.0.0.203) <> DEVICE (10.3.239.254)
I created an ACL just to block ICMP for a test:
acl number 3002
rule 0 deny icmp destination 10.3.239.254 0
Then I put this ACL on interface Vlan 100 (to test in both directions):
interface Vlan-interface100
ip binding vpn-instance vpn_main
ip address 10.0.0.252 255.255.255.0
ospf dr-priority 255
vrrp vrid 100 virtual-ip 10.0.0.252
vrrp vrid 100 priority 254
packet-filter 3002 outbound
packet-filter 3002 inbound
I test the ping; unfortunately, it is successful:
ping -vpn-instance vpn_main 10.3.239.254
PING 10.3.239.254: 56 data bytes, press CTRL_C to break
Reply from 10.3.239.254: bytes=56 Sequence=1 ttl=121 time=373 ms
Reply from 10.3.239.254: bytes=56 Sequence=2 ttl=121 time=373 ms
Reply from 10.3.239.254: bytes=56 Sequence=3 ttl=121 time=404 ms
Reply from 10.3.239.254: bytes=56 Sequence=4 ttl=121 time=379 ms
Reply from 10.3.239.254: bytes=56 Sequence=5 ttl=121 time=391 ms
--- 10.3.239.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 373/384/404 ms
I modify the rule in the ACL like this:
rule 0 deny icmp vpn-instance vpn_main destination 10.3.239.254 0
But I get this error :
%Mar 23 00:16:20:078 2016 sw-mop-irf ACL/4/ACL_OTHER_ERROR: Error occurred in ACL 3002.
%Mar 23 00:16:20:086 2016 sw-mop-irf ACL/4/ACL_OTHER_ERROR: -Slot=2; Error occurred in ACL 3002.
I think the vpn-instance parameter can't be configured in an ACL that is attached to an interface.
I think I must put this ACL in the vpn-instance, but I don't know how :(
Help is welcome, of course :)
Good night,
Jacques
03-23-2016 03:40 AM
Is the default ACL behavior, allow all?
If not, first add an entry to the ACL to allow all other traffic. Without it, all traffic is blocked, including routing protocols.
03-23-2016 04:03 AM
The default ACL?
I just have one ACL (number 3002), no other.
Do you think there is a routing problem?
In fact, I don't know how to apply an ACL to a VPN-instance... :(
03-23-2016 11:12 AM
I meant the ACL might have to look like the one below, to block the specified traffic and allow the rest:
acl number 3002
 rule 0 deny icmp destination 10.3.239.254 0
 rule 10 permit ip
03-23-2016 11:34 AM
Hi,
For a vpn-instance-enabled SVI L3 interface, try to use the ACL without putting it into the vpn-instance when you configure it.
Recently, we had an issue where a 7500 switch with SVI L3 interfaces didn't process ACLs in/out correctly when the ACL was configured within the vpn-instance. It doesn't hold to a certain standard, but anyway, it works!
Michal
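Putting the two replies above together, here is the configuration an editor would actually deploy for the topology in this thread. It is an added example, not the original poster's running config or Michal's: the ACL rule carries no vpn-instance keyword (the accepted answer), an explicit permit follows the deny so the intent is visible in the config (the earlier reply), and the filter is applied on Vlan-interface100, which is already bound to vpn_main. Only the outbound direction is kept: an echo request from the UTM to 10.3.239.254 enters the switch on Vlan-interface1002, is routed into vpn_main and leaves on Vlan-interface100 toward the CPE, so that is the only interface direction in which a destination-only deny can ever match it. The VRRP and OSPF lines from the original interface are omitted for brevity, and the `display` lines at the end are the stock Comware 5 verification commands (their output format is not reproduced here).

```text
# Added example (editor's config, not from the original post): Comware 5
# packet filter for the UTM -> H3C -> CPE -> 10.3.239.254 path.
system-view
#
acl number 3002
 # No "vpn-instance" keyword here: the VPN context comes from the interface
 # the filter is applied to, and the keyword caused ACL_OTHER_ERROR on the 5500.
 rule 0 deny icmp destination 10.3.239.254 0
 # Explicit catch-all permit so the config states its intent.
 rule 10 permit ip
 quit
#
interface Vlan-interface100
 # "ip binding vpn-instance" must precede "ip address", as in the thread.
 ip binding vpn-instance vpn_main
 ip address 10.0.0.252 255.255.255.0
 # Outbound is the direction that carries echo requests toward the CPE side.
 packet-filter 3002 outbound
 quit
#
# Verification
display acl 3002
display packet-filter interface Vlan-interface100
```

Two practitioner caveats. First, test from the UTM (10.0.5.11) rather than with `ping -vpn-instance vpn_main 10.3.239.254` issued on the switch: a ping sourced by the switch itself does not necessarily take the same hardware forwarding path that an interface packet filter inspects, so a successful self-sourced ping is weak evidence either way. Second, the rule matches destination only, so echo replies (source 10.3.239.254) are not blocked by it; that is fine for a deny on requests, but if the goal is to stop all ICMP in both directions, add a second rule keyed on `source 10.3.239.254 0` rather than relying on the inbound copy of the same ACL.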
03-25-2016 04:49 AM
You're right, without vpn-instance in the ACL, it works!
I think I made a misconfiguration at the beginning of the configuration, but now it's OK.
Thanks !