[A5500] Configure ACL
03-22-2016 04:20 PM
Hi All,
I have an IRF stack with 2 x A5500-24G-4SFP HI.
Version is Comware Software, Version 5.20.99, Release 5501P19.
There are 2 VLANs and 2 VPN-instances.
VLAN 100 (10.0.0.252) is bound to vpn-instance vpn_main.
VLAN 1002 (10.0.5.9) is bound to vpn-instance vpn_CustomerA.
I configured vpn-target between the vpn-instances and I can ping interface Vlan 100 from interface Vlan 1002 and vice-versa.
There is a UTM in VLAN1002 and its IP address is 10.0.5.11.
There is a CPE in VLAN100 and its IP address is 10.0.0.203.
And there is a device behind the CPE and its IP address is 10.3.239.254.
So, the routing is:
UTM (VLAN1002 : 10.0.5.11) <> H3C (VPN-INSTANCE vpn_CustomerA VLAN1002 : 10.0.5.9) <> H3C (VPN-INSTANCE vpn_main VLAN 100 : 10.0.0.252) <> CPE (VLAN100 : 10.0.0.203) <> DEVICE (10.3.239.254)
I created an ACL just to block ICMP for a test:
acl number 3002
rule 0 deny icmp destination 10.3.239.254 0
Then I put this ACL in interface Vlan 100 (to test in both direction) :
interface Vlan-interface100
ip binding vpn-instance vpn_main
ip address 10.0.0.252 255.255.255.0
ospf dr-priority 255
vrrp vrid 100 virtual-ip 10.0.0.252
vrrp vrid 100 priority 254
packet-filter 3002 outbound
packet-filter 3002 inbound
I test ping, unfortunately successful:
ping -vpn-instance vpn_main 10.3.239.254
PING 10.3.239.254: 56 data bytes, press CTRL_C to break
Reply from 10.3.239.254: bytes=56 Sequence=1 ttl=121 time=373 ms
Reply from 10.3.239.254: bytes=56 Sequence=2 ttl=121 time=373 ms
Reply from 10.3.239.254: bytes=56 Sequence=3 ttl=121 time=404 ms
Reply from 10.3.239.254: bytes=56 Sequence=4 ttl=121 time=379 ms
Reply from 10.3.239.254: bytes=56 Sequence=5 ttl=121 time=391 ms
--- 10.3.239.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 373/384/404 ms
I modify the rule in the ACL like this:
rule 0 deny icmp vpn-instance vpn_main destination 10.3.239.254 0
But I get this error :
%Mar 23 00:16:20:078 2016 sw-mop-irf ACL/4/ACL_OTHER_ERROR: Error occurred in ACL 3002.
%Mar 23 00:16:20:086 2016 sw-mop-irf ACL/4/ACL_OTHER_ERROR: -Slot=2; Error occurred in ACL 3002.
I think vpn-instance parameter can't be configured in an ACL that is attached to an interface.
I think I must put this ACL in the vpn-instance but I don't know how :(
Help is welcome of course :)
Bonne nuit,
Jacques
03-23-2016 03:40 AM
Re: [A5500] Configure ACL
Is the default ACL behavior, allow all?
If not, first add an entry to the ACL to allow all other traffic. Without it, all traffic is blocked, including routing protocols.
03-23-2016 04:03 AM
Re: [A5500] Configure ACL
The default ACL?
I just have one ACL (number 3002), no other.
Do you think there is a routing problem?
In fact, I don't know how to apply an ACL to a VPN-instance... :(
03-23-2016 11:12 AM
Re: [A5500] Configure ACL
I meant the ACL might have to look like the one below, to block the specified traffic and allow the rest:
acl number 3002
rule 0 deny icmp destination 10.3.239.254 0
rule 10 permit ip
03-23-2016 11:34 AM
Solution
Hi,
For a vpn-instance-enabled SVI L3 interface, try to use the ACL without putting the vpn-instance in it when you configure it.
Recently we had an issue where a 7500 switch with SVI L3 interfaces didn't process ACLs in/out correctly when they were configured within a vpn-instance. It doesn't hold to a certain standard, but anyway - it works!
Michal
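Added example (not from this thread or from HPE): a small Python model of how Comware advanced-ACL rules like the ones above match packets (inverted wildcard masks, lowest rule number first, first match wins), plus a lint that flags the vpn-instance clause in a rule, since this thread found that clause fails with ACL_OTHER_ERROR when the ACL is bound to a VLAN interface with packet-filter. The ACL text and the packets are constructed samples; the default action for packets that match no rule is left as a parameter, because the thread itself does not settle it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample ACLs (not the page's verbatim config): ACL 3002 as the
# thread ends up with it, and the variant with the vpn-instance keyword that
# logged ACL_OTHER_ERROR once the ACL was bound with packet-filter.
ACL_WORKING = """\
acl number 3002
 rule 0 deny icmp destination 10.3.239.254 0
 rule 10 permit ip
"""

ACL_WITH_VPN_INSTANCE = """\
acl number 3002
 rule 0 deny icmp vpn-instance vpn_main destination 10.3.239.254 0
 rule 10 permit ip
"""


@dataclass
class Rule:
    number: int
    action: str                          # "permit" or "deny"
    protocol: str                        # "ip" matches any IP protocol
    source: Optional[tuple] = None       # (address_int, wildcard_int); None = any
    destination: Optional[tuple] = None
    vpn_instance: Optional[str] = None


def _addr_wildcard(addr: str, wildcard: str) -> tuple:
    """Comware wildcards are inverted masks: 0.0.0.0 is an exact host,
    0.0.0.255 is a /24. A bare '0' (as typed in the thread) means 0.0.0.0."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard))


def parse_acl(text: str) -> list:
    """Parse 'rule N action protocol [vpn-instance X] [source A W] [destination A W]'
    lines; the 'acl number' header is skipped. Rules are returned in number order,
    which is the order Comware evaluates them in."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "rule":
            continue
        number, action, protocol = int(tokens[1]), tokens[2], tokens[3]
        rule = Rule(number, action, protocol)
        i = 4
        while i < len(tokens):
            key = tokens[i]
            if key == "vpn-instance":
                rule.vpn_instance = tokens[i + 1]
                i += 2
            elif key in ("source", "destination"):
                if tokens[i + 1] == "any":
                    i += 2
                else:
                    setattr(rule, key, _addr_wildcard(tokens[i + 1], tokens[i + 2]))
                    i += 3
            else:
                raise ValueError(f"unsupported keyword {key!r} in rule {number}")
        rules.append(rule)
    return sorted(rules, key=lambda r: r.number)


def _matches(spec: Optional[tuple], ip: str) -> bool:
    if spec is None:
        return True
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF          # bits the wildcard says must match
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def evaluate(rules: list, protocol: str, src: str, dst: str, default: str = "permit") -> str:
    """First-match evaluation. 'default' is what an unmatched packet gets;
    it is a parameter here (assumption), not a claim about the platform."""
    for r in rules:
        if r.protocol not in ("ip", protocol):
            continue
        if _matches(r.source, src) and _matches(r.destination, dst):
            return r.action
    return default


def rules_with_vpn_instance(rules: list) -> list:
    """Lint before binding with packet-filter: rule numbers that carry a
    vpn-instance clause, which this thread found the interface binding rejects."""
    return [r.number for r in rules if r.vpn_instance is not None]


if __name__ == "__main__":
    rules = parse_acl(ACL_WORKING)
    print(evaluate(rules, "icmp", "10.0.0.252", "10.3.239.254"))   # deny
    print(evaluate(rules, "icmp", "10.0.0.252", "10.3.239.253"))   # permit
    print(rules_with_vpn_instance(parse_acl(ACL_WITH_VPN_INSTANCE)))  # [0]
```

Run it against your own ACL text to see which packets the deny rule actually catches before you bind the ACL; the wildcard semantics (0 = exact host, not a /32 prefix length) and the missing catch-all are the two things most often mis-typed in rules like these.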
03-23-2016 12:03 PM
03-25-2016 04:49 AM
Re: [A5500] Configure ACL
You're right, without vpn-instance in the ACL, it works!
I think I made a misconfiguration at the beginning of the configuration, but now that's OK.
Thanks !