10-15-2020 09:48 AM
ACL to global block traffic between subnet segments
Dear community,
I have HPE Comware 5900 as my core L3 switch.
10.10.0.0/16 is reserved for internal workstations etc.
192.168.0.0/16 is used for lab networks and less trusted.
There are multiple VLAN interfaces configured where the 5900 acts as the default gateway for the internal as well as the lab networks.
What I'd like to achieve is to deny traffic from 192.168.0.0/16 to 10.10.0.0/16. I'm wondering what would be the best solution to realize this configuration?
I could imagine defining a reusable ACL as follows:
rule 0 deny ip source any destination 10.10.0.0 0.0.255.255
rule 10 permit ip
Apply this ACL as an inbound packet-filter to all VLAN interfaces that have a subnet of 192.168.0.0/16 configured.
Are there other solutions to apply such an ACL on a global level instead of per interface?
10-15-2020 11:42 AM
Re: ACL to global block traffic between subnet segments
Hi @Tommek !
Unfortunately a simple packet-filter won't work as you expect, as it must be applied on an interface, not globally. However, I think there is a way - a QoS policy applied globally. I didn't have time to test it, but you can try it and see if it works:
acl number 3333
rule 0 permit ip source 192.168.0.0 0.0.255.255 destination 10.10.0.0 0.0.255.255
rule 5 permit ip source 10.10.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255
#
traffic classifier intervlan_routing
if-match acl 3333
#
traffic behavior drop
filter deny
#
qos policy filter_intervlan
classifier intervlan_routing behavior drop
#
qos apply policy filter_intervlan global inbound
Please pay attention that the 'permit' statements in the ACL are not a mistake! The logic behind this configuration is pretty straightforward - we match "interesting" traffic between both networks with the classifier "intervlan_routing" that uses ACL 3333 (that's why we need 'permit' here). We also define a behavior "drop" that performs the filtering action. Then we assemble both the classifier and the behavior in the QoS policy "filter_intervlan", which literally says "whatever you match with ACL 3333, drop it", and apply the policy globally in the inbound direction.
Please, test it and let me know if it works for you.
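To make the "permit means match, behavior drops" logic of the reply concrete, here is an added Python model (not code from the thread or from HPE) of both approaches: the poster's per-interface packet-filter and the reply's global QoS policy. It assumes Comware wildcard-mask and first-match semantics, that a lab VLAN interface only ever sees 192.168.0.0/16 sources, and uses constructed sample flows; it also shows the caveat that both stateless filters drop the reply leg of a session opened from 10.10.0.0/16 into the lab.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Comware wildcard mask: a 1 bit in the mask means 'don't care' (0.0.255.255 == /16)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    src: Optional[Tuple[str, str]]   # (base, wildcard); None means "any"
    dst: Optional[Tuple[str, str]]

def acl_lookup(rules: List[Rule], src: str, dst: str) -> Optional[str]:
    """First matching rule wins; None means no rule matched."""
    for r in rules:
        if (r.src is None or wildcard_match(src, *r.src)) and \
           (r.dst is None or wildcard_match(dst, *r.dst)):
            return r.action
    return None

# The poster's reusable ACL, applied as an inbound packet-filter on every lab VLAN interface.
LAB_INBOUND_ACL = [Rule("deny", None, ("10.10.0.0", "0.0.255.255")), Rule("permit", None, None)]

# ACL 3333 from the reply: 'permit' only marks the traffic as "interesting" for the classifier.
ACL_3333 = [
    Rule("permit", ("192.168.0.0", "0.0.255.255"), ("10.10.0.0", "0.0.255.255")),
    Rule("permit", ("10.10.0.0", "0.0.255.255"), ("192.168.0.0", "0.0.255.255")),
]

def packet_filter_verdict(src: str, dst: str) -> str:
    """Per-interface filter: only packets entering a lab VLAN are checked (assumption: source
    prefix identifies the ingress VLAN); a 'deny' hit drops, anything else forwards."""
    if not wildcard_match(src, "192.168.0.0", "0.0.255.255"):
        return "forward"                       # internal VLAN interfaces carry no filter
    return "drop" if acl_lookup(LAB_INBOUND_ACL, src, dst) == "deny" else "forward"

def qos_policy_verdict(src: str, dst: str) -> str:
    """Global QoS policy: a 'permit' hit in ACL 3333 is a classifier match, 'filter deny' drops it."""
    return "drop" if acl_lookup(ACL_3333, src, dst) == "permit" else "forward"

SAMPLE_FLOWS = {                                # constructed (src, dst) pairs
    "lab->internal": ("192.168.5.20", "10.10.1.10"),
    "internal->lab": ("10.10.1.10", "192.168.5.20"),
    "lab->lab": ("192.168.5.20", "192.168.9.1"),
    "lab->internet": ("192.168.5.20", "203.0.113.7"),
}

def compare() -> dict:
    """Side-by-side verdicts; note 'lab->internal' is also the reply leg of an internal->lab session."""
    return {name: {"packet_filter": packet_filter_verdict(s, d), "qos_policy": qos_policy_verdict(s, d)}
            for name, (s, d) in SAMPLE_FLOWS.items()}
```

Neither approach is stateful, so a host in 10.10.0.0/16 that opens a connection into the lab will not get replies back under either configuration; if that is needed, the filter has to be narrowed (for example by TCP flags or by specific destination ports) or moved to a stateful device.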