ACL to global block traffic between subnet segments


Dear community,

I have an HPE Comware 5900 as my core L3 switch. is reserved for internal workstations etc.; is used for lab networks and is less trusted.

There are multiple VLAN interfaces configured where the 5900 acts as the default gateway for the internal as well as the lab networks.

What I'd like to achieve is to deny traffic from the to . I'm wondering what would be the best solution to realize this configuration.

I could imagine defining a reusable ACL as follows:

rule 0 deny ip source any destination
rule 10 permit ip

Apply this ACL as an inbound packet-filter to all VLAN interfaces that have a subnet of configured.

Are there other solutions to apply such an ACL on a global level instead of per interface?



Re: ACL to global block traffic between subnet segments

Hi @Tommek !

Unfortunately, a simple packet-filter won't work as you expect, as it must be applied on an interface, not globally. However, I think there is a way: a QoS policy applied globally. I didn't have time to test it, but you can try it and see if it works:

acl number 3333
 rule 0 permit ip source destination
 rule 5 permit ip source destination
traffic classifier intervlan_routing
 if-match acl 3333
traffic behavior drop
 filter deny
qos policy filter_intervlan
 classifier intervlan_routing behavior drop
qos apply policy filter_intervlan global inbound


Please pay attention that the 'permit' statements in the ACL are not a mistake! The logic behind this configuration is pretty straightforward: we match "interesting" traffic between both networks with the classifier "intervlan_routing", which uses ACL 3333 (that's why we need 'permit' here). We also define a behavior "drop" that performs the filtering action. Then we assemble both classifier and behavior in the QoS policy "filter_intervlan", which literally says "whatever you match with ACL 3333, drop it", and apply the policy globally in the inbound direction.

Please test it and let me know if it works for you.


I am an HPE employee
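Both posts above leave out the actual subnets, and the two approaches differ in a way that is easy to get wrong: the per-interface packet-filter ACL uses deny/permit as a filter, while the ACL behind the global QoS policy is a match list, so its rules must be permit and the drop comes from the behavior. The generator below is an added example written for this page, not code from either poster or from HPE. It emits both variants from a list of subnets, converting CIDR prefixes to the wildcard masks Comware ACL rules expect. The subnets (10.10.0.0/16 internal, 10.20.0.0/16 and 10.21.0.0/16 lab), the lab VLAN interfaces, ACL number 3000 and the classifier name lab_to_internal are assumptions; the behavior and policy names are taken from the reply. It only blocks the lab-to-internal direction the question asks for, and because the filter is stateless that direction also carries the replies of sessions that internal hosts open towards the lab, so the packet-filter variant optionally permits established TCP first.

```python
"""Generate Comware ACL configuration that blocks lab -> internal routing.

Added example for this thread; the subnet values, interface names and
ACL number 3000 are assumptions, not taken from the original posts.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample data (the thread does not give the real subnets).
INTERNAL_NETS = ["10.10.0.0/16"]
LAB_NETS = ["10.20.0.0/16", "10.21.0.0/16"]
LAB_VLAN_INTERFACES = ["Vlan-interface 20", "Vlan-interface 21"]


def wildcard(cidr: str) -> str:
    """Return '<network> <wildcard>' as Comware ACL rules expect.

    Comware uses an inverted netmask (wildcard), e.g. /16 -> 0.0.255.255.
    strict=True rejects host bits set in the prefix (10.10.1.0/16 would be
    a typo that silently matches the wrong range).
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net.network_address} {net.hostmask}"


def global_qos_policy(lab: Iterable[str], internal: Iterable[str],
                      acl_number: int = 3333) -> List[str]:
    """Global QoS-policy variant from the reply.

    The ACL only *matches* lab -> internal flows (hence permit); the
    traffic behavior does the dropping, and the policy is applied
    globally inbound so no per-VLAN-interface configuration is needed.
    """
    cfg = [f"acl number {acl_number}"]
    rule_id = 0
    for src in lab:
        for dst in internal:
            cfg.append(f" rule {rule_id} permit ip source {wildcard(src)} "
                       f"destination {wildcard(dst)}")
            rule_id += 5
    cfg += [
        "traffic classifier lab_to_internal",        # assumed name
        f" if-match acl {acl_number}",
        "traffic behavior drop",
        " filter deny",
        "qos policy filter_intervlan",
        " classifier lab_to_internal behavior drop",
        "qos apply policy filter_intervlan global inbound",
    ]
    return cfg


def per_interface_packet_filter(lab: Iterable[str], internal: Iterable[str],
                                lab_interfaces: Iterable[str],
                                acl_number: int = 3000,
                                allow_established: bool = True) -> List[str]:
    """Packet-filter variant from the question, applied inbound on each lab
    VLAN interface (where lab traffic enters the switch).

    Rules are evaluated first match wins: permit established TCP (ACK or
    RST set, i.e. replies to sessions internal hosts opened), then deny
    everything lab -> internal, then permit the rest so the lab keeps
    its default route for other destinations.
    """
    lab, internal = list(lab), list(internal)
    cfg = [f"acl number {acl_number}"]
    rule_id = 0
    if allow_established:
        for src in lab:
            for dst in internal:
                cfg.append(f" rule {rule_id} permit tcp source {wildcard(src)} "
                           f"destination {wildcard(dst)} established")
                rule_id += 5
    for src in lab:
        for dst in internal:
            cfg.append(f" rule {rule_id} deny ip source {wildcard(src)} "
                       f"destination {wildcard(dst)}")
            rule_id += 5
    cfg.append(f" rule {rule_id} permit ip")
    for intf in lab_interfaces:
        cfg += [f"interface {intf}", f" packet-filter {acl_number} inbound"]
    return cfg


if __name__ == "__main__":
    print("# --- global QoS policy variant ---")
    print("\n".join(global_qos_policy(LAB_NETS, INTERNAL_NETS)))
    print("# --- per-interface packet-filter variant ---")
    print("\n".join(per_interface_packet_filter(LAB_NETS, INTERNAL_NETS,
                                                LAB_VLAN_INTERFACES)))
```

After pasting either output into system view, check what is actually installed with `display acl 3333` (or `display acl 3000`), `display qos policy global` for the global variant, and `display packet-filter interface Vlan-interface 20 inbound` for the per-interface variant; a lab host should then fail to reach an internal address while still reaching other destinations through the same gateway.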