Comware


Can we restrict routing between VLANs in A5120 using ACL?

  • 1.  Can we restrict routing between VLANs in A5120 using ACL?

    Posted Nov 23, 2011 02:44 AM

    We have VLAN 10 and several other VLANs in an A5120 EI switch, and we want routing only from each of the other VLANs to VLAN 10, and no routing among the other VLANs. Can this be done using an ACL?

     

    Example:

    VLAN 3  can route to VLAN 10

    VLAN 4 can route to VLAN 10

    VLAN 5 can route to VLAN 10

    VLAN 3 should not be able to connect to VLAN 4 nor 5.

    VLAN 4 should not be able to connect to VLAN 3 nor 5

    VLAN 5 should not be able to connect to VLAN 3 nor 4.

     

    Thanks in advance.

     

    Van

     


    #ACLs
    #VLAN


  • 2.  RE: Can we restrict routing between VLANs in A5120 using ACL?

    Posted Nov 24, 2011 06:18 PM

    Hello,

     

    It's not possible like on Cisco. On 3Com/H3C switches you can't implement an ACL to filter inter-VLAN traffic.

    One way is to implement a port-based ACL.

    regards

     



  • 3.  RE: Can we restrict routing between VLANs in A5120 using ACL?

    Posted Dec 27, 2011 07:54 AM

    Can you give an example for port-based? I also have the same issue: I need to deny traffic from VLAN 3 to 4 but need to permit traffic from 4 to 3. When we try to achieve this, the packet reaches VLAN 3 but the return packet fails.



  • 4.  RE: Can we restrict routing between VLANs in A5120 using ACL?

    Posted Dec 27, 2011 08:50 PM

    Hi TJtheone:

     

    In my case, we wanted traffic to route from VLAN 3 to VLAN 2 and VLAN 4 to VLAN 2, but not between VLAN 3 and VLAN 4.

    Your case is different in that you want routing in one direction only within the same pair of VLANs.

    Sorry I do not know how this can be achieved.

     

    Maybe someone in the community can help on this.

     

    Thanks,

     

    Van

     



  • 5.  RE: Can we restrict routing between VLANs in A5120 using ACL?

    Posted Dec 29, 2011 04:42 AM

    Who said you cannot apply an ACL to inter-VLAN routing??

     

    Check if the below command is available on the CLI please:

     

    [device] packet-filter vlan ?

     




  • 6.  RE: Can we restrict routing between VLANs in A5120 using ACL?

    Posted Dec 29, 2011 12:52 PM

    Yes, but it won't have any effect when I try it. I didn't try this on a 5120, though, but on a 3Com 5500 EI.



  • 7.  RE: Can we restrict routing between VLANs in A5120 using ACL?

    Posted Dec 31, 2011 09:33 AM

    It depends on how and where you applied it (which direction). I know about the directions in the old ProCurve switches (E Series): In means the traffic coming IN to the VLAN from the client in that VLAN, out means traffic coming from OUTSIDE (from other VLANs) into the VLAN.

     

    Think about the VLAN as a normal interface, where in is coming from the client connected to the interface and out is going out to the client (from the switch out to that interface).



  • 8.  RE: Can we restrict routing between VLANs in A5120 using ACL?

    Posted Dec 29, 2013 08:26 PM

    You actually can implement an ACL to filter inter-VLAN traffic.

     

    You can only implement it in the inbound direction of the VLAN interface.

    - By default, when you create the VLANs and add IPs to the VLAN interfaces, the HP 5120 switch will add default routes to every VLAN that has an IP. So by default all VLANs will be able to communicate with each other.

     

    Let's say you have 3 VLANs and you want VLAN 11 and 13 not to communicate with each other, and VLAN 12 to communicate with all of them.

     

    Vlan11 - 10.0.11.0/24

    vlan 12 - 10.0.12.0/24

    vlan 13 - 10.0.13.0/24

     

    On the A5120 CLI:

    First create the VLAN and assign an IP address to the VLAN interface.

     

    system-view

    vlan 11

    quit

     

    int vlan 11

    ip add 10.0.11.1 255.255.255.0

    quit

     

    And so on for the other VLANs. These IP addresses are going to be the default gateways of the VLANs, so your clients will point to them as the default gateway.

     

    Now let's say I want to restrict traffic from users on VLAN 11 (10.0.11.0/24) from getting to VLAN 13 (10.0.13.0/24), and vice versa.

     

    First let's create an advanced ACL to deny VLAN 11 to VLAN 13:

     

    acl number 3011 

    description Inbound vlan 11 traffic

    rule deny ip source 10.0.11.0 255.255.255.0 destination 10.0.13.0 255.255.255.0

    rule permit ip source any

    quit

     

    Now go into VLAN interface 11 and apply the ACL:

     

    int vlan 11

    packet-filter 3011 inbound 

    quit

     

    - This will prevent VLAN 11 from accessing VLAN 13.

    - This needs to be applied inbound on the VLAN 11 interface, since all of VLAN 11's traffic is being sent to 10.0.11.1 (which is the VLAN's interface) as its gateway.

     

    Now to prevent VLAN 13 traffic to VLAN 11:

     

    acl number 3013

    description Inbound Vlan 13 traffic

    rule deny ip source 10.0.13.0 255.255.255.0 destination 10.0.11.0 255.255.255.0

    rule permit ip source any

    quit

     

    int vlan 13

    packet-filter 3013 inbound

    quit

     

    Now VLAN 11 and 13 can no longer ping or communicate with each other.

    Also, advanced ACLs start in the 3000 range, so I just add the VLAN number to the end of it. Ex. VLAN 11 - 3011

     

    Hope this helps.

     

    Jason Keubke

    CCNA

    HP AIS Network Infrastructure



  • 9.  RE: Can we restrict routing between VLANs in A5120 using ACL?

    Posted Feb 10, 2014 01:18 PM

    Thank you for the post. What if you would like to allow web traffic from VLAN 11 to VLAN 13?



  • 10.  RE: Can we restrict routing between VLANs in A5120 using ACL?

    Posted Mar 11, 2014 05:34 PM

    I tried to follow that example and it didn't work out. I opened a case with HP and we got it working.

     

    The main issue was that the INVERSE mask needs to be used, so 0.0.0.255 instead of 255.255.255.0.

     

    It should also be noted that HP puts an implicit PERMIT at the end of ACLs. Cisco uses an implicit DENY.

     

    PG



  • 11.  RE: Can we restrict routing between VLANs in A5120 using ACL?

    Posted Apr 22, 2014 10:17 AM
    Using this example, how can I block VLAN 11 traffic to VLAN 13 but permit VLAN 13 to communicate with VLAN 11?

    On VLAN 11 I have made:
    rule 10 deny ip source 10.0.11.0 0.0.0.255 destination 10.0.13.0 0.0.0.255
    rule 20 permit ip source any destination any

    This blocks both sides from pinging.

    And on VLAN 13 I have made:
    rule 10 permit ip source any destination any

    I can't get VLAN 13 to ping or communicate with VLAN 11 while blocking VLAN 11 from pinging or communicating with VLAN 13.

    Thanks for any advice.


  • 12.  RE: Can we restrict routing between VLANs in A5120 using ACL?

    Posted Apr 11, 2015 11:01 PM

    Wow, I just happened to stumble back on this and realized that I didn't put the inverse mask. Sorry for the misinformation; here is how it should have been stated.

     

    Now let's say I want to restrict traffic from users on VLAN 11 (10.0.11.0/24) from getting to VLAN 13 (10.0.13.0/24), and vice versa.

     

    First let's create an advanced ACL to deny VLAN 11 to VLAN 13:

     

    acl number 3011 

    description Inbound vlan 11 traffic

    rule deny ip source 10.0.11.0 0.0.0.255 destination 10.0.13.0 0.0.0.255

    rule permit ip source any

    quit

     

    Now go into VLAN interface 11 and apply the ACL:

     

    int vlan 11

    packet-filter 3011 inbound 

    quit

     

    - This will prevent VLAN 11 from accessing VLAN 13.

    - This needs to be applied inbound on the VLAN 11 interface, since all of VLAN 11's traffic is being sent to 10.0.11.1 (which is the VLAN's interface) as its gateway.

     

    Now to prevent VLAN 13 traffic to VLAN 11:

     

    acl number 3013

    description Inbound Vlan 13 traffic

    rule deny ip source 10.0.13.0 0.0.0.255 destination 10.0.11.0 0.0.0.255

    rule permit ip source any

    quit

     

    int vlan 13

    packet-filter 3013 inbound

    quit

     

    Now VLAN 11 and 13 can no longer ping or communicate with each other.

    Also, advanced ACLs start in the 3000 range, so I just add the VLAN number to the end of it. Ex. VLAN 11 - 3011

     

    Hope this helps.



  • 13.  RE: Can we restrict routing between VLANs in A5120 using ACL?

    Posted Feb 18, 2016 02:04 PM

    It works so well that it makes me smile!!

    I just blocked the mobile VLAN from communicating with the corporate VLAN. :D

    It is so great, my friend.

    Thank you.



  • 14.  RE: Can we restrict routing between VLANs in A5120 using ACL?

    Posted Dec 03, 2018 06:37 AM

    @it_ejvnior @Jasoned32 @Van Cotoco @yakup akpınar @CesarMartinez

    Please note that the second rule wasn't necessary, considering the fact that HPE Comware switches have an "implicit permit" as the last ACE, while Cisco, HPE ProVision and ArubaOS switches have an "implicit deny".

    So you may want to add a deny-all rule explicitly.

     

    Regards,



  • 15.  RE: Can we restrict routing between VLANs in A5120 using ACL?

    Posted Nov 25, 2011 06:09 AM

    Hi,

     

    I have one question: is your A5120 switch also the router for your network, or do you have some other box to do that (routing)? If the second, then you should disable (filter) routing between VLANs on your router.

     

    Regards,

    V



  • 16.  RE: Can we restrict routing between VLANs in A5120 using ACL?

    Posted Nov 26, 2011 03:20 AM

    Hi,

     

    The box is supposed to do the routing. There is no other router.

    As Sinibade put it, ACLs cannot be used to restrict inter-VLAN traffic.

    So we are left with doing port-based ACLs.

     

    Thanks for your help.

     

    Van

     



  • 17.  RE: Can we restrict routing between VLANs in A5120 using ACL?

    Posted Oct 29, 2018 01:19 PM

    Hello friend, yes it can be achieved. After reviewing several forums I made this configuration:

    Example:

    vlan1: 172.16.0.0 255.0.0.0
    vlan20: 172.20.0.0 255.255.255.0

    1) Start by making an extended ACL.
    Here is an extended ACL called 3020 that will allow bidirectional traffic that starts from VLAN 1.
    acl number 3020
     description Entrance vlan 20 traffic
    rule permit tcp source 172.20.0.0 0.0.0.255 destination any established
    * The word "established" at the end of this ACL means that traffic initiated from anywhere outside of VLAN 20 is allowed, and it will allow VLAN 20 devices to communicate back with the initiator.

    2) Next, allow the devices in VLAN 20 to respond to pings initiated from devices outside of your VLAN.
    rule permit icmp source 172.20.0.0 0.0.0.255 destination any icmp-type echo-reply
    * "echo-reply" allows devices on VLAN 20 to respond to ping and other ICMP traffic requests.

    3) Next, prevent traffic from VLAN 20 going to the other VLANs.
    rule deny ip source 172.20.0.0 0.0.0.255 destination 172.16.0.0 0.0.255.255

    4) Next, allow VLAN 30 traffic to reach the Internet
    rule permit ip source 172.20.0.0 0.0.0.255 destination any

    5) Next, deny the rest of the traffic (for security)
    rule deny ip source any destination any

    Summary:

    rule permit tcp source 172.20.0.0 0.0.0.255 destination any established
    rule permit icmp source 172.20.0.0 0.0.0.255 destination any icmp-type echo-reply
    rule deny ip source 172.20.0.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
    rule permit ip source 172.20.0.0 0.0.0.255 destination any
    rule deny ip source any destination any

    6) Apply this ACL inbound on VLAN 20:
    interface Vlan-interface20
     packet-filter 3020 inbound
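    A small model of how a Comware packet-filter evaluates a packet, added here as an illustration; it is not code from this thread or from HPE, and it assumes a simplified rule set (first match wins, wildcard masks, "established" meaning the TCP ACK bit is set, implicit permit at the end). It replays ACL 3011 with the subnet-mask and inverse-mask versions from the earlier posts, showing why the first version filtered nothing, and the one-direction ACL 3020 from the post above.

```python
# Constructed model of Comware packet-filter evaluation (added example, not code
# from this thread or from HPE). Rules are tried top-down, first match wins, and
# a packet matching no rule is PERMITTED (Comware's implicit permit).
ANY = ("0.0.0.0", "255.255.255.255")  # "source any" as (base address, wildcard)

def to_int(dotted):
    a, b, c, d = (int(o) for o in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def wildcard_match(addr, base, wildcard):
    """Inverse (wildcard) mask: a 1 bit means 'don't care', a 0 bit must match."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def rule(action, proto, src, dst, established=False, icmp_type=None):
    return dict(action=action, proto=proto, src=src, dst=dst,
                established=established, icmp_type=icmp_type)

def evaluate(acl, pkt):
    """Return 'permit' or 'deny' for pkt, a dict with proto, src, dst, ack, icmp_type."""
    for r in acl:
        if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], *r["src"]) and wildcard_match(pkt["dst"], *r["dst"])):
            continue
        if r["established"] and not pkt.get("ack", False):  # TCP replies only (ACK set)
            continue
        if r["icmp_type"] and r["icmp_type"] != pkt.get("icmp_type"):
            continue
        return r["action"]
    return "permit"  # no explicit match: Comware's implicit permit

# ACL 3011 as first posted (subnet mask where a wildcard is expected) and as corrected.
V11, V13 = ("10.0.11.0", "0.0.0.255"), ("10.0.13.0", "0.0.0.255")
ACL_3011_SUBNET_MASK = [rule("deny", "ip", ("10.0.11.0", "255.255.255.0"), ("10.0.13.0", "255.255.255.0"))]
ACL_3011_WILDCARD = [rule("deny", "ip", V11, V13)]
PING_11_TO_13 = dict(proto="icmp", src="10.0.11.5", dst="10.0.13.7", icmp_type="echo")  # constructed

# ACL 3020 from the one-direction answer: VLAN 20 may reply to, but not initiate toward, 172.16.0.0/16.
V20 = ("172.20.0.0", "0.0.0.255")
ACL_3020 = [rule("permit", "tcp", V20, ANY, established=True),
            rule("permit", "icmp", V20, ANY, icmp_type="echo-reply"),
            rule("deny", "ip", V20, ("172.16.0.0", "0.0.255.255")),
            rule("permit", "ip", V20, ANY),
            rule("deny", "ip", ANY, ANY)]
SYN_20_TO_16 = dict(proto="tcp", src="172.20.0.9", dst="172.16.1.10", ack=False)   # VLAN 20 initiates
SYNACK_20_TO_16 = dict(proto="tcp", src="172.20.0.9", dst="172.16.1.10", ack=True)  # VLAN 20 answers

if __name__ == "__main__":
    print(evaluate(ACL_3011_SUBNET_MASK, PING_11_TO_13), evaluate(ACL_3011_WILDCARD, PING_11_TO_13))
```

    With the subnet mask written as a wildcard, only the last octet has to match (and match 0), so the deny rule never hits a real host and the implicit permit lets everything through; with 0.0.0.255 the /24 is matched as intended.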



  • 18.  RE: Can we restrict routing between VLANs in A5120 using ACL?

    Posted Nov 29, 2018 09:25 AM

    Hello,

    Actually I have a problem with this issue.
    I have 3 VLANs: vlan1, vlan2, vlan3.

    vlan1 has the DNS+DHCP server. I want to deny vlan1 to vlan3, but when I create the ACL with the deny rule, VLAN 3 didn't receive an IP from DHCP. How can I permit DHCP and DNS?

    My ACL config is here:

    acl number 3012
    rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 10.35.110.0 0.0.0.255
    rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
    acl number 3013
    rule 0 deny ip source 192.168.2.0 0.0.0.255 destination 10.35.110.0 0.0.0.255
    rule 5 deny ip source 192.168.2.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
    acl number 3014
    rule 0 deny ip source 10.35.110.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
    rule 5 deny ip source 10.35.110.0 0.0.0.255 destination 192.168.2.0 0.0.0.255


    Thanks for support.

    Yakup.