
Comware 7 + Need help with VACL (Internet Access)

Kalagan76
Occasional Contributor

Hi all,

Where i work we have a HPE FlexFabric 5710.

I'm new in the company and discovered that almost all VLAN interfaces are up and there is no ACL. So basically, the VLANs are pointless and can all communicate with each other.
I don't have a lot of knowledge about VACLs, but I'm trying to do my best to fix it. My biggest issue is this:

I have a VLAN named 1705 which uses 10.14.5.0/24 (GTW: 10.14.5.254). I can restrict which VLANs this one can "talk" to, and it works well.
Now, if I want to allow Internet access to this VLAN, it doesn't work. There are two BAGGs between our FlexFabric and a Fortigate 101F. The VLAN which allows communication between them is VLAN 100 (10.120.100.248/29, GTW 10.120.100.254, which is also the interface of the Fortigate). The interface of the FlexFabric is 10.120.100.249.

I've tried a lot of rules but I can't get it to work.

I created an ACL named ACL_INTERNET in which I tried this (implicit deny on the packet-filter):

rule 0 permit udp source 10.120.120.10 0 source-port eq dns
rule 5 permit icmp
rule 10 permit ip source 10.14.5.0 0.0.0.255 destination 10.120.100.248 0.0.0.7
rule 15 permit ip source 10.120.100.248 0.0.0.7 destination 10.14.5.0 0.0.0.255

or

rule 0 permit ip source 10.120.120.10 0
rule 5 permit tcp source 10.120.100.248 0.0.0.7 destination-port eq 443
rule 10 permit tcp source 10.120.100.248 0.0.0.7 destination-port eq www
rule 15 permit udp source 10.120.100.248 0.0.0.7 destination-port eq dns
rule 20 permit ip source 10.120.100.254 0

And many other options.

In almost every case, DNS works, I can ping IPs on my LAN and on the web, and logs from the Fortigate show that my request is "allow", but there are some missing packets or KB.

On my interface VLAN 1705 the rule is set like this:
ip address 10.14.5.254 255.255.255.0
packet-filter name ACL_INTERNET outbound

It looks to me like the communication with the "Internet" only works one way: I can send requests but they don't come back.

Do I need another incoming ACL? Could you give me some advice?

Regards,

David
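Editor's added example (not part of the post, and not HPE's or Fortinet's code): a small stateless model of a Comware 7 packet-filter, run against the first ACL_INTERNET variant exactly as posted, to show which outbound packets on Vlan-interface 1705 reach the implicit deny. It assumes the usual Comware semantics (rules tried in ascending id order, first match wins, unmatched packets dropped) and that "outbound" on a VLAN interface means packets the switch sends toward that VLAN's hosts, so every outbound packet has a destination inside 10.14.5.0/24. The `established` keyword in the corrected ACL is modelled on the Comware advanced-ACL option that matches TCP segments with ACK/RST set; check it on the actual platform before relying on it. The hosts 10.14.5.20 and 203.0.113.10, the ephemeral ports, and the treatment of 10.120.120.10 as the DNS server (which the posted rule 0 implies) are assumptions made for the example.

```python
# Stateless model of a Comware 7 packet-filter, run against the posted ACL_INTERNET.
# Assumed: first match wins, implicit deny at the end, and 'outbound' on a VLAN
# interface means packets the switch sends toward that VLAN's hosts.
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"dns": 53, "www": 80, "https": 443}  # service names used in the posted rules
ANY = ipaddress.ip_network("0.0.0.0/0")

def wildcard_net(addr, wildcard):
    """Comware 'address wildcard' (0 = exact host, 0.0.0.255 = /24) -> IPv4Network."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)

@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK flag: clear on the initial SYN, set on every later segment

@dataclass
class Rule:
    action: str         # "permit" or "deny"
    proto: str = "ip"   # "ip" matches any protocol
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False   # models the Comware 'established' option (ACK/RST set)

    def matches(self, p):
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in self.src or ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return not self.established or (p.proto == "tcp" and p.ack)

def parse_rule(line):
    """Parse 'rule N permit|deny proto [source A W] [destination A W] [...-port eq P] [established]'."""
    t = line.split()
    rule, i = Rule(action=t[2], proto=t[3]), 4
    while i < len(t):
        if t[i] in ("source", "destination"):
            setattr(rule, "src" if t[i] == "source" else "dst", wildcard_net(t[i + 1], t[i + 2]))
            i += 3
        elif t[i] in ("source-port", "destination-port"):   # only the 'eq' operator is modelled
            port = PORT_NAMES.get(t[i + 2]) or int(t[i + 2])
            setattr(rule, "sport" if t[i] == "source-port" else "dport", port)
            i += 3
        elif t[i] == "established":
            rule.established, i = True, i + 1
        else:
            raise ValueError(f"unsupported token {t[i]!r} in {line!r}")
    return rule

def parse_acl(text):
    return [parse_rule(l) for l in text.strip().splitlines()]

def evaluate(acl, p):
    """Action of the first matching rule, or the implicit deny."""
    return next((r.action for r in acl if r.matches(p)), "deny")

# The first ACL_INTERNET variant exactly as posted.
ACL_INTERNET_POSTED = parse_acl("""
rule 0 permit udp source 10.120.120.10 0 source-port eq dns
rule 5 permit icmp
rule 10 permit ip source 10.14.5.0 0.0.0.255 destination 10.120.100.248 0.0.0.7
rule 15 permit ip source 10.120.100.248 0.0.0.7 destination 10.14.5.0 0.0.0.255
""")

# Outbound ACL that admits replies to TCP sessions the VLAN hosts opened, while a
# connection attempt from outside (SYN without ACK) still hits the implicit deny.
ACL_OUTBOUND_FIXED = parse_acl("""
rule 0 permit udp source 10.120.120.10 0 source-port eq dns
rule 5 permit icmp
rule 10 permit tcp destination 10.14.5.0 0.0.0.255 established
""")

# Constructed outbound packets on Vlan-interface 1705 (toward the hosts); 10.14.5.20,
# 203.0.113.10 and the ephemeral ports are invented for this example.
DNS_REPLY = Packet("udp", "10.120.120.10", "10.14.5.20", sport=53, dport=51000)
PING_REPLY = Packet("icmp", "203.0.113.10", "10.14.5.20")
HTTPS_REPLY = Packet("tcp", "203.0.113.10", "10.14.5.20", sport=443, dport=52000, ack=True)
INBOUND_SYN = Packet("tcp", "203.0.113.10", "10.14.5.20", sport=40000, dport=22)

if __name__ == "__main__":
    for name, pkt in [("DNS reply", DNS_REPLY), ("HTTPS reply", HTTPS_REPLY), ("inbound SYN", INBOUND_SYN)]:
        print(f"{name:12s} posted={evaluate(ACL_INTERNET_POSTED, pkt):7s} fixed={evaluate(ACL_OUTBOUND_FIXED, pkt)}")
```

Under these assumed semantics the posted rule 10 can never match in the outbound direction (no packet heading toward the hosts has a source in 10.14.5.0/24), and rule 15 only admits traffic sourced from the /29 transit subnet itself, so a TCP reply from an Internet address falls through to the implicit deny while DNS replies from 10.120.120.10 and ICMP are permitted by rules 0 and 5. That pattern is consistent with DNS and ping working while TCP sessions stall. Because the ACL is stateless, `established` only helps for TCP; UDP replies from any server other than 10.120.120.10 still drop in this model. A cleaner design is to put the inter-VLAN restriction inbound on Vlan-interface 1705, where the source address is the VLAN host, and leave stateful return-traffic handling to the Fortigate.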