HPE Community
Comware Based
1755670 Members
4960 Online
108837 Solutions
New Discussion

Re: ACL to global block traffic between subnet segments

 
Tommek
Occasional Advisor

‎10-15-2020 09:48 AM

‎10-15-2020 09:48 AM

ACL to global block traffic between subnet segments

Dear community,

I have HPE Comware 5900 as my core L3 switch.

10.10.0.0/16 is reserved for internal workstations etc.

192.168.0.0/16 is used for lab networks and less trusted.

There are multiple VLAN interfaces configured where the 5900 act as the default gateway for internal as well for lab networks.

What I'd like to achieve is to deny traffic from the 192.168.0.0/16 to 10.10.0.0/16. I’m wondering what would be the best solution to realize the configuration?

I could imagine to define a reusable ACL as follows:

rule 0 deny ip source any destination 10.10.0.0 0.0.255.255
rule 10 permit ip

Apply this rule as inbound packet-filter to all VLAN interfaces that have a subnet of 192.168.0.0/16 configured.

Are there other solutions to apply such ACL on a global level instead per interface?

 

0 Kudos
1 REPLY 1
Ivan_B
HPE Pro

‎10-15-2020 11:42 AM

‎10-15-2020 11:42 AM

Re: ACL to global block traffic between subnet segments

Hi @Tommek !

Unfortunately simple packet-filter won't work as you expect as it must be applied on interface, not globally. However, I think there is a way - QoS policy applied globally. I didn't have time to test it, but you can try it and see if it works:

acl number 3333
 rule 0 permit ip source 192.168.0.0 0.0.255.255 destination 10.10.0.0 0.0.255.255
 rule 5 permit ip source 10.10.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255
#
traffic classifier intervlan_routing
 if-match acl 3333
#
traffic behavior drop
 filter deny
#
 qos policy filter_intervlan
  classifier intervlan_routing behavior drop
#
 qos apply policy filter_intervlan global inbound

 

Please, pay attention that 'permit' statements in the ACL is not a mistake! The logic behind this configuration is pretty straightforward - we match "interesting" traffic between both networks with classifier "intervlan_routing" that uses ACL 3333 (that's why we need 'permit' here). Also we define a behavior "drop" that performs filtering action. Then we assemble both classifier and behavior in QoS policy "filter_intervlan" that literally says "whatever you match with ACL 3333, drop it" and apply the policy globally in inbound direction.

Please, test it and let me know if it works for you. 

 

I am an HPE employee

Accept or Kudo

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.