Comware

  • 1.  HP5830 - Interface VLAN ACLs

    Posted Mar 20, 2012 08:49 AM

    Hi all,

     

    Recently I've been attempting to control traffic between certain VLANs by using advanced ACLs.


    However, I have noticed that when applying the ACLs to the VLAN interface, they only seem to work when I apply them in the opposite direction to that which I am used to.

     

    Example:

     

    system-view
    acl number 3000 name BLOCK_INTO_VLAN
    rule deny ip source 10.201.64.0 0.0.0.255 destination any
    rule permit ip source any destination any

     

    interface vlan-interface 104
    packet-filter name BLOCK_INTO_VLAN inbound
    quit

     

    The above command does not block traffic from source addresses in the 10.201.64.0/24 range trying to get into that VLAN.

    However, when I apply the packet-filter in the outbound direction it does block the traffic!

     

    Am I just misunderstanding the syntax of HP switch ACLs?

     

    Cheers,

     

    Graham 


    #VLAN
    #ACLs


  • 2.  RE: HP5830 - Interface VLAN ACLs

    Posted Mar 20, 2012 01:02 PM

    I understand that the HP5830 supports QoS, and that by using QoS you can get the same functionality. Are you saying that the only way to apply ACLs is by creating a QoS policy and applying that, rather than simply applying the ACL using packet-filter? From the documentation I have read, I should be able to apply ACLs the way I have in my first post...

     

    Has anyone else seen any similar issues with ACLs on VLAN interfaces? 



  • 3.  RE: HP5830 - Interface VLAN ACLs

    Posted Mar 27, 2012 11:33 AM


  • 4.  RE: HP5830 - Interface VLAN ACLs

    Posted Mar 27, 2012 12:10 PM

    acl number 3000 name BLOCK_INTO_VLAN
    rule 1 deny ip source 10.201.64.0 0.0.0.255 destination any
    rule 2 permit ip source any destination any

     

    Don't you need to put a rule_id in to have separate rules?



  • 5.  RE: HP5830 - Interface VLAN ACLs

    Posted Mar 27, 2012 02:35 PM

    Hello Michael,

     

    What is the IP on your VLAN 104 interface? Because it sounds like you have the right idea and it should be working.

     

    Regarding the rule_id, it doesn't matter; the system will just put one in if you don't. You can manually use rule_ids in case you want to put in more rules in the middle later. Example: start out with rule 1 and your permit-all as rule 10. That way you can put in an extra 8 rules before having to redo rule 10.

     

    -RK



  • 6.  RE: HP5830 - Interface VLAN ACLs

    Posted Mar 31, 2012 09:39 AM

    The VLAN interface is 10.201.32.1 255.255.255.0

     

    Have you tested application of ACLs to VLAN interfaces? 

     

    Cheers, Graham



  • 7.  RE: HP5830 - Interface VLAN ACLs

    Posted Mar 31, 2012 09:01 PM

     

    Check your application direction. Packet filter on a VLAN interface filters only Layer 3 traffic. If the incoming traffic on the VLAN interface is sourced from A, it is impossible for the same VLAN interface to send traffic sourced from A in the outbound direction.

    To filter traffic sourced from 1.1.1.0, you have two ways: apply the ACL to the inbound direction of VLAN-interface 10, or apply the ACL to the outbound direction of VLAN 20.

      



  • 8.  RE: HP5830 - Interface VLAN ACLs

    Posted Jan 10, 2013 02:59 PM

    Hello!

     

    The direction of the traffic to which the ACL filtering is applied is relative to the VLAN interface on the device, not the VLAN (outside of the device):

     

    inbound: Filters packets received by the interface (sent from the VLAN)
    outbound: Filters packets forwarded from the interface (sent to VLAN)

     

    Hope this helps!
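    To make the direction rule from the last two replies concrete, here is an added model (not code from the thread or from HP) that evaluates the original poster's ACL against packets routed through a VLAN interface. The thread never names the VLAN that holds 10.201.64.0/24, so VLAN 64 is an assumed label; wildcard matching and first-match rule order follow Comware ACL semantics.

```python
import ipaddress

# Constructed topology from the thread: VLAN 104 is 10.201.32.0/24 (interface
# 10.201.32.1). The hosts to block sit in 10.201.64.0/24; the thread never names
# their VLAN, so VLAN 64 is an assumed label for "some other VLAN".
VLAN_OF_SUBNET = {"10.201.32.0/24": 104, "10.201.64.0/24": 64}

# The ACL exactly as posted: rule order is match order, first hit wins.
# Note 0.0.0.255 is a Comware *wildcard* (1 bits = don't care), not a netmask.
BLOCK_INTO_VLAN = [
    ("deny", "10.201.64.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),  # "source any"
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit the wildcard leaves as 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)


def acl_action(rules, src: str) -> str:
    """First-match evaluation on the source address; no match means permit."""
    for action, base, wildcard in rules:
        if wildcard_match(src, base, wildcard):
            return action
    return "permit"


def vlan_of(addr: str):
    ip = ipaddress.IPv4Address(addr)
    for net, vid in VLAN_OF_SUBNET.items():
        if ip in ipaddress.IPv4Network(net):
            return vid
    return None


def seen_by(vlan_if: int, direction: str, src: str, dst: str) -> bool:
    """Direction is relative to the VLAN interface on the switch (reply 8):
    inbound  = received from hosts in that VLAN (the source lives there),
    outbound = forwarded towards hosts in that VLAN (the destination lives there)."""
    return vlan_of(src if direction == "inbound" else dst) == vlan_if


def forward(vlan_if: int, direction: str, rules, src: str, dst: str) -> str:
    """Fate of a routed packet src->dst with packet-filter applied on vlan_if."""
    if not seen_by(vlan_if, direction, src, dst):
        return "permit"  # filter never evaluated; traffic is routed untouched
    return acl_action(rules, src)
```

    Running forward(104, "inbound", ...) for a 10.201.64.x source reproduces the poster's symptom (permitted), while outbound on vlan-interface 104, or inbound on the source VLAN's interface, yields deny.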