Comware

  • 1.  How to create Access list HP procurve 8212ZL switch

    Posted Jun 15, 2011 06:32 AM
    Hi,

    We have 4 vlans configured in it.
    vlan1:15.15.15.0/24
    vlan2:20.20.20.0/24
    vlan3:25.25.25.0/24

    IP routing is enabled, so now all the VLANs can communicate with each other. I want to create an access list so that it allows all traffic from other VLANs to VLAN 3 and blocks VLAN 3 traffic to other VLANs, mainly one-way communication.

    Please can anyone provide the commands to do the same?

    Regards
    Asha
    #ACLs


  • 2.  RE: How to create Access list HP procurve 8212ZL switch

    Posted Jun 16, 2011 05:02 AM
    Hi, you have to create an ACL and apply it as a routed ACL.

    You can find complete explanation and configuration in Access Security Guide manual:

    http://bizsupport2.austin.hp.com/bc/docs/support/SupportManual/c02814696/c02814696.pdf


  • 3.  RE: How to create Access list HP procurve 8212ZL switch

    Posted Jun 16, 2011 07:48 AM
    Hi,

    According to my requirement I need to configure a Routed ACL (RACL). Can you provide me the commands to do that, with an example?

    Regards
    Asha


  • 4.  RE: How to create Access list HP procurve 8212ZL switch

    Posted Jun 16, 2011 11:16 AM
    Hi Asha, an example ACL config for you:
    VLAN 4 reachable to VLAN 3
    but unreachable to all other VLANs



    hostname "ProCurve Switch 3500-24"
    ip access-list standard "10"
    10 deny 10.0.12.0 0.0.0.255
    20 permit 0.0.0.0 255.255.255.255
    exit
    ip access-list extended "100"
    10 deny ip 10.0.11.0 0.0.0.255 10.0.12.0 0.0.0.255
    20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    exit
    ip access-list standard "11"
    10 deny 10.0.11.0 0.0.0.255
    20 permit 0.0.0.0 255.255.255.255
    exit
    ip access-list standard "12"
    10 deny 10.0.10.0 0.0.0.255
    20 deny 10.0.11.0 0.0.0.255
    30 permit 0.0.0.0 255.255.255.255
    exit
    ip access-list standard "20"
    10 permit 10.0.11.100 0.0.0.255
    20 deny 0.0.0.0 255.255.255.255
    exit
    module 1 type J94ddA
    ip routing
    vlan 1
    name "DEFAULT_VLAN"
    untagged 1,6-24
    ip address dhcp-bootp
    no untagged 2-5
    exit
    vlan 2
    name "VLAN2"
    untagged 2
    ip address 10.0.10.200 255.255.255.0
    exit
    vlan 3
    name "VLAN3"
    untagged 3
    ip address 10.0.11.200 255.255.255.0
    exit
    vlan 4
    name "VLAN4"
    untagged 4
    ip address 10.0.12.200 255.255.255.0
    ip access-group "20" out
    exit
    vlan 5
    name "VLAN5"
    untagged 5
    ip address 10.0.13.200 255.255.255.0
    exit
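
Added example (not part of any post in this thread and not HP's code): a small Python model of how a routed ACL on traffic arriving from VLAN 3 would treat the subnets in the original question, comparing a plain deny with a version that lets TCP replies through. It assumes the switch's extended ACLs accept the `established` keyword on TCP entries and models it as "ACK or RST set"; the function names and packet fields are illustrative.

```python
import ipaddress

def wild_match(addr, base, wildcard):
    """Wildcard-mask compare: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_acl(text):
    """Parse '<seq> <permit|deny> <proto> <src> <wild> <dst> <wild> [established]' lines."""
    aces = []
    for line in text.strip().splitlines():
        f = line.split()
        aces.append({"seq": int(f[0]), "action": f[1], "proto": f[2],
                     "src": (f[3], f[4]), "dst": (f[5], f[6]),
                     "established": f[7:] == ["established"]})
    return sorted(aces, key=lambda a: a["seq"])

def evaluate(acl, pkt):
    """First matching ACE decides; a packet matching nothing hits the implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        # 'established' matches only TCP segments carrying ACK or RST (replies)
        if ace["established"] and not pkt.get("ack_or_rst", False):
            continue
        if wild_match(pkt["src"], *ace["src"]) and wild_match(pkt["dst"], *ace["dst"]):
            return ace["action"]
    return "deny"

ANY = "0.0.0.0 255.255.255.255"
# Plain deny on traffic entering the router from VLAN 3: also drops VLAN 3's replies.
NAIVE = parse_acl(f"""
10 deny ip 25.25.25.0 0.0.0.255 15.15.15.0 0.0.0.255
20 deny ip 25.25.25.0 0.0.0.255 20.20.20.0 0.0.0.255
30 permit ip {ANY} {ANY}
""")
# Same ACL with TCP replies allowed first (assumes the 'established' keyword).
ONE_WAY = parse_acl(f"""
10 permit tcp 25.25.25.0 0.0.0.255 {ANY} established
20 deny ip 25.25.25.0 0.0.0.255 15.15.15.0 0.0.0.255
30 deny ip 25.25.25.0 0.0.0.255 20.20.20.0 0.0.0.255
40 permit ip {ANY} {ANY}
""")
# Constructed packets, all sourced from a VLAN 3 host.
NEW_CONN = {"proto": "tcp", "src": "25.25.25.10", "dst": "15.15.15.5"}
TCP_REPLY = dict(NEW_CONN, ack_or_rst=True)
UDP_REPLY = {"proto": "udp", "src": "25.25.25.10", "dst": "20.20.20.7"}
```

UDP and ICMP replies from VLAN 3 are still dropped by `ONE_WAY`, because a stateless ACL has no flag that tells a reply from a new flow.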


  • 5.  RE: How to create Access list HP procurve 8212ZL switch

    Posted Aug 18, 2011 12:45 PM

    Asha - I'd add to cenk's reply only a tip that I've found works well for me. That is, to maintain my ACLs in text files. Each time I need to modify the ACL, I do so in the text file, then copy/paste that into the CLI of the 8212zl we have at our institution. Here's an example ...

     

    =========================================================

    conf t
    int vlan 91
    no ip access-group "109" in  
    exit

     

    no ip access-list extended "109"

     

    ip access-list extended "109" 
       10 permit ip 172.16.10.162 0.0.0.0 172.16.0.32 0.0.0.0
       20 permit ip 172.16.10.162 0.0.0.0 172.16.40.105 0.0.0.0
       30 permit ip 172.16.10.162 0.0.0.0 172.16.40.106 0.0.0.0
       40 permit ip 172.16.10.162 0.0.0.0 209.39.25.61 0.0.0.0
       ...
       240 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
       exit

     

    int vlan 91
    ip access-group "109" in  
    exit 
    exit
    wr mem
     



  • 6.  RE: How to create Access list HP procurve 8212ZL switch

    Posted Apr 14, 2013 10:58 PM

    Hi, I would like to create a VLAN for guests, so what is the best way to create the ACL for this kind of VLAN?

     

    Below is the configuration that I reckon.

     

    ip access-list extend 101
     10 deny 10.1.1.0 0.0.0.255
     20 deny 10.1.2.0 0.0.0.255
     30 deny 10.1.3.0 0.0.0.255
     40 deny 10.1.4.0 0.0.0.255
     50 deny 10.1.5.0 0.0.0.255
     .
     .
     .
    100 permit 0.0.0.0 255.255.255.255

    Vlan 15
     access-group 101 in
    wr m
    logo

     

     

    From 10-90 are our private VLANs, and 100 is to permit this VLAN to go to the internet.