Comware

Hello,

I have a packetfilter (on cmw710-system-r2307) that allows some traffic and ends with a "deny ip logging". It is meant for a vlan contains printer that connect only to the print server or to the mailserver and not to any other devices in my internal network.

disp acl 3000
Advanced ACL  3000, named -none-, 3 rules,
ACL's step is 5
 rule 0 permit tcp destination 10.10.10.1 0 destination-port eq 9100
 rule 5 permit tcp destination 10.10.9.1 0 destination-port eq smtp
 rule 10 deny ip logging

I have bound this ACL to the interface as an inbound filter

interface Vlan-interface11
 ip address 172.22.11.26 255.255.255.0
 packet-filter 3000 inbound

Now I see that rul 10 is being hit. This means some printers are configured wrong or I have forgotten some hosts/ports that should be allowed I can wait until somebody comes complaining, but I rather have a look  wat traffic I'm dropping (it turned out some printers use special scanning modules that communicatie over different ports)

There doesn't seem te be any detailed logging to tell what is being blocked by rule 10.

What would be the right way to learn what is being blocked? Or should I use some other feature to block this traffic?

Regards,

Luukman

Hi Luukman,

If you deploy a packet-filter on a vlan interface not only routed traffic is filtered, but also inter vlan traffic. Maybe some other communication is going on in VLAN11 which will be blocked bij the ACL. If you don't want to block inter vlan traffic you need to configure:

interface Vlan-interface11

packet-filter filter route

To see which IP packets hit the deny rule you can make a packet trace. Latest code allow you to create a packet-capture on the switch. Debugging IP Packets with a ACL can also help. Create a specific acl for debugging with your source printer IP adresses to see  which IP packets pass.

Hopefully it helps.