LAN Routing
cancel
Showing results for 
Search instead for 
Did you mean: 

[A5500] Configure ACL

SOLVED
Go to solution

[A5500] Configure ACL

Hi All,

I have an IRF stack with 2 x A5500-24G-4SFP HI.
Version is Comware Software, Version 5.20.99, Release 5501P19.

There are 2 VLAN and 2 VPN-Instance.
VLAN 100 (10.0.0.252) is binding vpn-instance vpn_main.
VLAN 1002 (10.0.5.9) is binding vpn-instance vpn_CustomerA.
I configure vpn-target between the vpn-instance and I can ping interface Vlan 100 from interface Vlan 1002 and vice-versa.
There is an UTM in VLAN1002 and its IP address is 10.0.5.11.
There is a CPE in VLAN100 and its IP address is 10.0.0.203.
An there is a device behind CPE and its IP address is 10.3.239.254.

So, the routing is :

UTM (VLAN1002 : 10.0.5.11) <> H3C (VPN-INSTANCE vpn_CustomerA VLAN1002 : 10.0.5.9) <> H3C (VPN-INSTANCE vpn_main VLAN 100 : 10.0.0.252) <> CPE (VLAN100 : 10.0.0.203) <> DEVICE (10.3.239.254)

I create an ACL just to block ICMP for test :

acl number 3002
 rule 0 deny icmp destination 10.3.239.254 0

Then I put this ACL in interface Vlan 100 (to test in both direction) :

interface Vlan-interface100
 ip binding vpn-instance vpn_main
 ip address 10.0.0.252 255.255.255.0
 ospf dr-priority 255
 vrrp vrid 100 virtual-ip 10.0.0.252
 vrrp vrid 100 priority 254
 packet-filter 3002 outbound
 packet-filter 3002 inbound

I test ping, unfortunately successuful :

ping -vpn-instance vpn_main 10.3.239.254
  PING 10.3.239.254: 56  data bytes, press CTRL_C to break
    Reply from 10.3.239.254: bytes=56 Sequence=1 ttl=121 time=373 ms
    Reply from 10.3.239.254: bytes=56 Sequence=2 ttl=121 time=373 ms
    Reply from 10.3.239.254: bytes=56 Sequence=3 ttl=121 time=404 ms
    Reply from 10.3.239.254: bytes=56 Sequence=4 ttl=121 time=379 ms
    Reply from 10.3.239.254: bytes=56 Sequence=5 ttl=121 time=391 ms

  --- 10.3.239.254 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 373/384/404 ms

 

I modify rule in ACL like this :
rule 0 deny icmp vpn-instance vpn_main destination 10.3.239.254 0

But I get this error :

%Mar 23 00:16:20:078 2016 sw-mop-irf ACL/4/ACL_OTHER_ERROR: Error occurred in ACL 3002.
%Mar 23 00:16:20:086 2016 sw-mop-irf ACL/4/ACL_OTHER_ERROR: -Slot=2; Error occurred in ACL 3002.

I think vpn-instance parameter can't be configured in an ACL that is attached to an interface.
I think I must put this ACL in the vpn-instance but I don't know how :(

Help is welcome of course :)

Bonne nuit,

Jacques

 

6 REPLIES
16again
Respected Contributor

Re: [A5500] Configure ACL

Is the default ACL behavior, allow all?
If not, 1st add entry to ACL to allow all other traffic.  Without it, all traffic is blocked, including routing protocols.

Re: [A5500] Configure ACL

The default ACL ?
I just have on ACL (number 3002), not other.
Do you think is there a routing problem ?

In fact, I don't know how to apply an ACL for a VPN-instance... :(

 

16again
Respected Contributor

Re: [A5500] Configure ACL

I meant the ACL might have to look like below, to block specified traffic, and allow the rest:

acl number 3002
0 deny icmp destination 10.3.239.254.0  0
10 permit ip

 

 

Mike_ES
Valued Contributor
Solution

Re: [A5500] Configure ACL

Hi,

For vpn-instance enabled SVI L3 interface try to use ACL without putting it to vpn-instance, when configure it.

Recent, we had issue when 7500 switch with SVI L3 interfaces don't process correctly ACL in/out when it was configured within vpn-instance. it does not hold a certain standard, but anyway - works!

Michal

Re: [A5500] Configure ACL

Hi 16again and Mike_ES,

@16again : I'll try tonight;

@Mike_ES : would you mind giving me here your configuration, just to be sure ?

Re: [A5500] Configure ACL

You're right, without vpn-instance in ACL, it works !
I think I did a misconfiguration at the begininng of the configuration but now that's OK.

Thanks !