  • 1.  5400zl ACL question

    Posted Nov 14, 2010 03:41 PM
    I have 3 VLANs (1, 11, 12) set up with the addresses below, and I want to create a named ACL to block all internet access from VLAN 12 but allow all traffic to the rest of my domain (10.0.0.0) only. What is the best way to do this?

    VLAN 1 | 10.40.0.0 255.255.0.0
    VLAN 11 | 10.41.0.0 255.255.0.0
    VLAN 12 | 10.42.0.0 255.255.0.0


    Thanks,
    Jeff


  • 2.  RE: 5400zl ACL question

    Posted Nov 14, 2010 07:41 PM
    Hi,

    That's fairly simple, assuming you are routing VLAN 12 on your 5400 you'd want something like this:

    ip access-list extended VLAN_12_ACL_IN
    permit ip 10.42.0.0 0.0.255.255 10.0.0.0 0.255.255.255

    vlan 12 ip access-group VLAN_12_ACL_IN in


  • 3.  RE: 5400zl ACL question

    Posted Nov 15, 2010 08:47 AM
    Thanks Mohammed,

    Yep, I do have all 3 VLANs routed. Will I also have to add another line for "permit ICMP" to allow ping for troubleshooting?


  • 4.  RE: 5400zl ACL question

    Posted Nov 15, 2010 01:40 PM
    Hi,

    No, you shouldn't need to add anything to allow hosts on VLAN 12 to ping other hosts on the 10.0.0.0/8 network (ICMP traffic is IP traffic).
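    To see why the single permit line in reply 2 is enough, and why ICMP needs no extra entry (reply 4), here is an added Python model of how the 5400zl evaluates that ACL against a few constructed flows from a VLAN 12 host. It is example code written for this thread, not ProCurve's own implementation; the sample addresses (10.42.1.10, 8.8.8.8, 203.0.113.5) are made up, and the ACE list and the trailing implicit deny are assumed from the thread's configuration.

```python
import ipaddress

# Constructed model of the ACL posted in reply 2 (example code, not ProCurve's own).
# Each ACE: (action, protocol, src network, src wildcard, dst network, dst wildcard).
# A ProCurve extended ACL ends with an implicit "deny ip any any".
ACL = [
    ("permit", "ip", "10.42.0.0", "0.0.255.255", "10.0.0.0", "0.255.255.255"),
]

def wildcard_match(addr, network, wildcard):
    """True if addr matches network under a wildcard mask (1 bits = don't care)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def evaluate(acl, src, dst, proto):
    """Return the action of the first matching ACE, or the implicit deny."""
    for action, ace_proto, s_net, s_wc, d_net, d_wc in acl:
        # An "ip" ACE matches every IP protocol, so ICMP is covered by it.
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"  # implicit deny at the end of the ACL blocks everything else

# Constructed sample flows from a host on VLAN 12 (10.42.0.0/16).
SAMPLES = [
    ("10.42.1.10", "10.40.1.1", "tcp"),    # to VLAN 1: permitted
    ("10.42.1.10", "10.41.1.1", "icmp"),   # ping to VLAN 11: permitted (ICMP is IP)
    ("10.42.1.10", "8.8.8.8", "udp"),      # Internet DNS: hits implicit deny
    ("10.42.1.10", "203.0.113.5", "tcp"),  # Internet web: hits implicit deny
]

def run():
    """Evaluate every sample flow; returns {(src, dst, proto): action}."""
    return {(s, d, p): evaluate(ACL, s, d, p) for s, d, p in SAMPLES}

if __name__ == "__main__":
    for (s, d, p), action in run().items():
        print(f"{p:4} {s} -> {d}: {action}")
```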