Comware

 View Only

  • 1.  How to configure ACL for inbound/outbond on 3500yl?

    Posted Jun 10, 2009 09:08 AM
    I try to configure theses ACL on a 3500yl:

    vlan 1: 10.10.10.0 255.255.255.0 GW: 10.10.10.1
    vlan 2: 20.20.20.0 255.255.255.0 GW: 20.20.20.1
    vlan 3: 30.30.30.0 255.255.255.0 GW: 30.30.30.1

    host_1: 10.10.10.250
    host_2: 20.20.20.250
    host_3: 30.30.30.250

    all vlans are internet access by their gateway.

    the vlan 1's computers shouldn't access to other vlan but the 2 other vlan should access to vlan 1 but should access to host_3

    ip access-list extended "vlan_1"
    permit ip 10.10.10.0 0.0.0.255 30.30.30.250 0.0.0.0
    deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
    deny ip 10.10.10.0 0.0.0.255 30.30.30.0 0.0.0.255
    permit ip any any


    interface ethernet xx
    access-group "vlan_1" in


    vlan 3 should only access to host_2 on vlan 2.

    ip access-list extended "vlan_3"
    permit ip 30.30.30.0 0.0.0.255 20.20.20.250 0.0.0.0
    deny ip 30.30.30.0 0.0.0.255 20.20.20.0 0.0.0.255
    permit ip any any

    interface ethernet yy
    access-group "vlan_3" in


    vlan 2 should access to any vlan.

    ip access-list extended "vlan_2"
    permit ip any any

    interface ethernet zz
    access-group "vlan_2" in

    It's possible with 3500yl? I could read 3500yl doesn't do that because it doesn't do statfull like a firewall...

    Thanks for your help.

    Regards,

    francois.


  • 2.  RE: How to configure ACL for inbound/outbond on 3500yl?

    Posted Jun 11, 2009 01:45 AM
    ACLs are not stateful, in that case you use a stateful firewall like the ProCurve TMS zl module.

    according to my info you can configure what you are describing.

    more info on acls:
    http://cdn.procurve.com/training/Manuals/3500-5400-6200-8200-ASG-Jan08-10-ACLs.pdf



  • 3.  RE: How to configure ACL for inbound/outbond on 3500yl?

    Posted Jun 17, 2009 06:29 PM
    Francois,

    I believe you are looking for an "established" parameter. The previous post pointed you to the correct manual...search it for information on the established parameter on an ACL. You'll need to create at least this ACL as a "permit tcp" instead of "permit ip" to allow the switch to check for the established flag in a tcp conversation.

    In brief, the ACL's you've set up will block replies from vlan 1. Vlan 2 may be permitted to send traffic to vlan 1, but vlan 1 is not allowed to reply by your ACLs. Adding an ACL on vlan 1 that permits established traffic (replies) to vlan 2 will mean, for example, that a host in vlan 2 to can initiate a telnet session to a host in vlan 1 and the established parameter will permit the reply to an already established TCP session. If a host in vlan 1 tries to initiate telnet to vlan 2, it is not an established session (reply), so it will be blocked.


Related Content