Comware
  • 1.  ACL/QoS A5500 EI

    Posted Apr 24, 2013 04:50 PM

    Hello All ,


    I have configured two ACLs on an H3C 5500 EI switch with QoS enabled. My filters and QoS seem to be working up to our firewall, but I still cannot get out to the internet. This is the configuration on the switch. We have permitted the traffic through the firewall, so I'm not too sure where else the issue could be.


    Thanks.


    Advanced ACL  3000, named -none-, 6 rules,
    ACL's step is 5
     rule 0 permit ip source 10.X.X.X  0    destination 10.X.X.X   0
     rule 5 permit ip source 10.X.X.X  0   destination 130.X.X.X    0
     rule 10 permit ip source 10.X.X.X  0   destination 130.XX.X   0
     rule 15 permit ip source 10.X.X.X  0   destination 130.X.X.X   0
     rule 20 permit ip source 10.X.X.X  0    destination 130.X.X.X   0
     rule 25 permit ip source 10.X.X.X  0    destination 130.X.X.X   0

    Advanced ACL  3001, named -none-, 2 rules,
    ACL's step is 5
     rule 0 deny ip source 10.X.X.X  0
     rule 5 deny ip source 10.X.X.X  0 destination 130.X.X.X  0


     Interface: GigabitEthernet1/0/32

      Direction: Inbound

      Policy: test5
       Classifier: test1
         Operator: AND
         Rule(s) : If-match acl 3000
         Behavior: test3
          Filter Enable: permit
       Classifier: test2
         Operator: AND
         Rule(s) : If-match acl 3001
         Behavior: test4
          Filter Enable: deny


     Interface: GigabitEthernet1/0/32

      Direction: Outbound

      Policy: test5
       Classifier: test1
         Operator: AND
         Rule(s) : If-match acl 3000
         Behavior: test3
          Filter Enable: permit
       Classifier: test2
         Operator: AND
         Rule(s) : If-match acl 3001
         Behavior: test4
          Filter Enable: deny


     User Defined QoS Policy Information:

      Policy: test5
       Classifier: test1
         Behavior: test3
          Filter enable: permit
       Classifier: test2
         Behavior: test4
          Filter enable: deny


  • 2.  RE: ACL/QoS A5500 EI

    Posted Apr 24, 2013 06:00 PM

    I am not sure I understand what you are trying to do here. Could you include a small diagram or text with which subnet should be allowed to which subnets and which should be blocked?


    Since you are not using any QOS specific features, but only the filter commands, I would not use the QOS policy for the packet filtering, but simply define 1 ACL with permit/deny rules, and use the "packet-filter" command on the interfaces.


    Also note that in your example, you seem to be using acl 3001 to filter traffic. Now since this uses the qos classifier, you have to make sure the traffic is "selected" for the classifier, so in the ACL you must PERMIT the traffic (so it is matching the classifier), next the QOS policy will apply the FILTER DENY on the selected (permitted by the ACL) traffic.


    In the current example, no traffic would "match" the acl 3001, so it would not get filtered ...

    (I know this is confusing, this is why the packet-filter command is preferred, when available)


    Hope this helps,
    Peter
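The two approaches in the reply above, written out as Comware 5 CLI (an added example, not configuration from the thread). The 10.0.1.0/24 and 130.0.0.0/16 addresses are constructed placeholders for the masked 10.X.X.X / 130.X.X.X values, and ACL 3002 is a number chosen here; the `#` lines are separators that Comware ignores when the text is pasted.

```text
# Option A: keep the QoS-policy approach. A classifier only "selects" packets
# the ACL PERMITS, so the traffic you want dropped must be permitted in the
# ACL; the drop itself comes from the behaviour's "filter deny".
acl number 3001
 rule 0 permit ip source 10.0.1.0 0.0.0.255 destination 130.0.0.0 0.0.255.255
#
traffic classifier test2 operator and
 if-match acl 3001
#
traffic behavior test4
 filter deny
#
qos policy test5
 classifier test2 behavior test4
#
interface GigabitEthernet1/0/32
 qos apply policy test5 inbound
#
# Option B (the recommended form): one ACL with ordinary permit/deny rules,
# applied directly with packet-filter, no classifier/behaviour indirection.
# Rules are evaluated in order, so the deny must come before the broad permit.
acl number 3002
 rule 0 deny ip source 10.0.1.0 0.0.0.255 destination 130.0.0.0 0.0.255.255
 rule 5 permit ip source 10.0.1.0 0.0.0.255
#
interface GigabitEthernet1/0/32
 undo qos apply policy inbound
 packet-filter 3002 inbound
#
# Verify: rule hit counters show whether the deny rule is actually matching.
display acl 3002
display packet-filter interface GigabitEthernet1/0/32
```

Use only one of the two options on an interface; in option A the original ACL 3001 had only deny rules, which is exactly why nothing was ever selected for the classifier.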