I have an IRF stack with 2 x A5500-24G-4SFP HI. Version is Comware Software, Version 5.20.99, Release 5501P19.
There are 2 VLAN and 2 VPN-Instance. VLAN 100 (10.0.0.252) is binding vpn-instance vpn_main. VLAN 1002 (10.0.5.9) is binding vpn-instance vpn_CustomerA. I configure vpn-target between the vpn-instance and I can ping interface Vlan 100 from interface Vlan 1002 and vice-versa. There is an UTM in VLAN1002 and its IP address is 10.0.5.11. There is a CPE in VLAN100 and its IP address is 10.0.0.203. An there is a device behind CPE and its IP address is 10.3.239.254.
ping -vpn-instance vpn_main 10.3.239.254 PING 10.3.239.254: 56 data bytes, press CTRL_C to break Reply from 10.3.239.254: bytes=56 Sequence=1 ttl=121 time=373 ms Reply from 10.3.239.254: bytes=56 Sequence=2 ttl=121 time=373 ms Reply from 10.3.239.254: bytes=56 Sequence=3 ttl=121 time=404 ms Reply from 10.3.239.254: bytes=56 Sequence=4 ttl=121 time=379 ms Reply from 10.3.239.254: bytes=56 Sequence=5 ttl=121 time=391 ms
--- 10.3.239.254 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 373/384/404 ms
I modify rule in ACL like this : rule 0 deny icmp vpn-instance vpn_main destination 10.3.239.254 0
I think vpn-instance parameter can't be configured in an ACL that is attached to an interface. I think I must put this ACL in the vpn-instance but I don't know how :(
Is the default ACL behavior, allow all? If not, 1st add entry to ACL to allow all other traffic. Without it, all traffic is blocked, including routing protocols.
For vpn-instance enabled SVI L3 interface try to use ACL without putting it to vpn-instance, when configure it.
Recent, we had issue when 7500 switch with SVI L3 interfaces don't process correctly ACL in/out when it was configured within vpn-instance. it does not hold a certain standard, but anyway - works!
