Solved: [A5500] Configure ACL

Jacques_GRILLOT · ‎03-22-2016

Hi All,

I have an IRF stack with 2 x A5500-24G-4SFP HI.
Version is Comware Software, Version 5.20.99, Release 5501P19.

There are 2 VLAN and 2 VPN-Instance.
VLAN 100 (10.0.0.252) is binding vpn-instance vpn_main.
VLAN 1002 (10.0.5.9) is binding vpn-instance vpn_CustomerA.
I configure vpn-target between the vpn-instance and I can ping interface Vlan 100 from interface Vlan 1002 and vice-versa.
There is an UTM in VLAN1002 and its IP address is 10.0.5.11.
There is a CPE in VLAN100 and its IP address is 10.0.0.203.
An there is a device behind CPE and its IP address is 10.3.239.254.

So, the routing is :

UTM (VLAN1002 : 10.0.5.11) <> H3C (VPN-INSTANCE vpn_CustomerA VLAN1002 : 10.0.5.9) <> H3C (VPN-INSTANCE vpn_main VLAN 100 : 10.0.0.252) <> CPE (VLAN100 : 10.0.0.203) <> DEVICE (10.3.239.254)

I create an ACL just to block ICMP for test :

acl number 3002
rule 0 deny icmp destination 10.3.239.254 0

Then I put this ACL in interface Vlan 100 (to test in both direction) :

interface Vlan-interface100
ip binding vpn-instance vpn_main
ip address 10.0.0.252 255.255.255.0
ospf dr-priority 255
vrrp vrid 100 virtual-ip 10.0.0.252
vrrp vrid 100 priority 254
packet-filter 3002 outbound
packet-filter 3002 inbound

I test ping, unfortunately successuful :

ping -vpn-instance vpn_main 10.3.239.254
PING 10.3.239.254: 56 data bytes, press CTRL_C to break
    Reply from 10.3.239.254: bytes=56 Sequence=1 ttl=121 time=373 ms
    Reply from 10.3.239.254: bytes=56 Sequence=2 ttl=121 time=373 ms
    Reply from 10.3.239.254: bytes=56 Sequence=3 ttl=121 time=404 ms
    Reply from 10.3.239.254: bytes=56 Sequence=4 ttl=121 time=379 ms
    Reply from 10.3.239.254: bytes=56 Sequence=5 ttl=121 time=391 ms

--- 10.3.239.254 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 373/384/404 ms

I modify rule in ACL like this :
rule 0 deny icmp vpn-instance vpn_main destination 10.3.239.254 0

But I get this error :

%Mar 23 00:16:20:078 2016 sw-mop-irf ACL/4/ACL_OTHER_ERROR: Error occurred in ACL 3002.
%Mar 23 00:16:20:086 2016 sw-mop-irf ACL/4/ACL_OTHER_ERROR: -Slot=2; Error occurred in ACL 3002.

I think vpn-instance parameter can't be configured in an ACL that is attached to an interface.
I think I must put this ACL in the vpn-instance but I don't know how :(

Help is welcome of course :)

Bonne nuit,

Jacques

16again · ‎03-23-2016

Is the default ACL behavior, allow all?
If not, 1st add entry to ACL to allow all other traffic. Without it, all traffic is blocked, including routing protocols.

Jacques_GRILLOT · ‎03-23-2016

The default ACL ?
I just have on ACL (number 3002), not other.
Do you think is there a routing problem ?

In fact, I don't know how to apply an ACL for a VPN-instance... :(

16again · ‎03-23-2016

I meant the ACL might have to look like below, to block specified traffic, and allow the rest:

acl number 3002
0 deny icmp destination 10.3.239.254.0 0
10 permit ip

Mike_ES · ‎03-23-2016

Hi,

For vpn-instance enabled SVI L3 interface try to use ACL without putting it to vpn-instance, when configure it.

Recent, we had issue when 7500 switch with SVI L3 interfaces don't process correctly ACL in/out when it was configured within vpn-instance. it does not hold a certain standard, but anyway - works!

Michal

Jacques_GRILLOT · ‎03-23-2016

Hi 16again and Mike_ES,

@16again : I'll try tonight;

@Mike_ES : would you mind giving me here your configuration, just to be sure ?

Jacques_GRILLOT · ‎03-25-2016

You're right, without vpn-instance in ACL, it works !
I think I did a misconfiguration at the begininng of the configuration but now that's OK.

Thanks !

[A5500] Configure ACL

[A5500] Configure ACL

Re: [A5500] Configure ACL

Re: [A5500] Configure ACL

Re: [A5500] Configure ACL

Re: [A5500] Configure ACL

Re: [A5500] Configure ACL

Re: [A5500] Configure ACL

Hewlett Packard Enterprise International