On the GuestVLAN interface, apply the inbound ACL like this:
ip access-group Guests_in in
Inbound ACL should be:
ip access-list extended Guests_in
 remark *** To allow traffic to proxy:
 permit tcp 192.168.11.0 0.0.0.255 host 192.168.100.99 eq 8080
 remark *** To allow DNS queries:
 permit udp 192.168.11.0 0.0.0.255 host 192.168.100.111 eq domain
 remark *** To allow IP acquisition:
 permit udp any any eq bootps
To the same GuestVLAN interface, apply the outbound ACL like this:
ip access-group Guests_out out
Outbound ACL should be:
ip access-list extended Guests_out
 remark *** To allow traffic from proxy:
 permit ip host 192.168.100.99 192.168.11.0 0.0.0.255
 remark *** To allow DNS and DHCP responses:
 permit ip host 192.168.100.111 any
Comments:
1. I use something like that on a Cisco device, but good routers should allow you something similar, probably with slightly different syntax.
2. The inbound ACL is more granular, and therefore stricter than the looser outbound ACL.
3. The order of the statements in the ACLs takes into account traffic quantities: proxy traffic will be biggest, then DNS queries/answers and some light DHCP requests/responses.
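To check what these two lists actually let through before committing them to a device, here is an added example (not part of the answer above) that parses the answer's ACL entries and evaluates a handful of constructed guest flows against them, using the same first-match-then-implicit-deny and wildcard-mask semantics an IOS extended ACL applies. The addresses are the ones from the answer; the sample flows and the `evaluate`/`audit` helper names are assumptions made for the illustration.

```python
import ipaddress

# Added example, not part of the original answer: a minimal evaluator for IOS-style
# extended ACL entries, used to check what the Guests_in / Guests_out lists permit.
# Addresses are the ones in the answer; the sample flows below are constructed.

PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68}
ANY = (0, 0xFFFFFFFF)  # network 0.0.0.0 with wildcard 255.255.255.255, i.e. "any"


def parse_addr(tokens, idx):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' (network + wildcard mask)."""
    if tokens[idx] == "any":
        return ANY, idx + 1
    if tokens[idx] == "host":
        return (int(ipaddress.IPv4Address(tokens[idx + 1])), 0), idx + 2
    net = int(ipaddress.IPv4Address(tokens[idx]))
    wildcard = int(ipaddress.IPv4Address(tokens[idx + 1]))
    return (net, wildcard), idx + 2


def parse_ace(line):
    """Parse one entry of the form: permit|deny <proto> <src> <dst> [eq <port>]."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, idx = parse_addr(tokens, 2)
    dst, idx = parse_addr(tokens, idx)
    dport = None
    if idx < len(tokens) and tokens[idx] == "eq":
        name = tokens[idx + 1]
        dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def parse_acl(text):
    """Parse an access-list body, ignoring the header line and 'remark' lines."""
    return [parse_ace(line) for line in text.strip().splitlines()
            if line.split() and line.split()[0] in ("permit", "deny")]


def addr_matches(spec, ip):
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)


def evaluate(acl, proto, src, dst, dport):
    """First matching entry wins; with no match the router's implicit deny applies."""
    for i, ace in enumerate(acl):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (addr_matches(ace["src"], src) and addr_matches(ace["dst"], dst)):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], i
    return "deny", None  # implicit deny at the end of every IOS ACL


GUESTS_IN = parse_acl("""
ip access-list extended Guests_in
 remark *** To allow traffic to proxy:
 permit tcp 192.168.11.0 0.0.0.255 host 192.168.100.99 eq 8080
 remark *** To allow DNS queries:
 permit udp 192.168.11.0 0.0.0.255 host 192.168.100.111 eq domain
 remark *** To allow IP acquisition:
 permit udp any any eq bootps
""")

GUESTS_OUT = parse_acl("""
ip access-list extended Guests_out
 permit ip host 192.168.100.99 192.168.11.0 0.0.0.255
 permit ip host 192.168.100.111 any
""")

# Constructed sample flows seen inbound on the guest VLAN: (proto, src, dst, dst_port).
INBOUND_FLOWS = [
    ("tcp", "192.168.11.20", "192.168.100.99", 8080),   # web via the proxy
    ("udp", "192.168.11.20", "192.168.100.111", 53),    # DNS lookup
    ("udp", "0.0.0.0", "255.255.255.255", 67),          # DHCP discover, no address yet
    ("tcp", "192.168.11.20", "192.168.100.99", 443),    # proxy host, but not the proxy port
    ("tcp", "192.168.11.20", "192.168.100.5", 445),     # SMB to another internal host
]


def audit(acl, flows):
    """Return ([(flow, action, matched_index)], per-entry hit counts) for a list of flows."""
    results, hits = [], [0] * len(acl)
    for flow in flows:
        action, idx = evaluate(acl, *flow)
        if idx is not None:
            hits[idx] += 1
        results.append((flow, action, idx))
    return results, hits


if __name__ == "__main__":
    results, hits = audit(GUESTS_IN, INBOUND_FLOWS)
    for flow, action, idx in results:
        print(f"{action:6} entry={idx} {flow}")
    print("hit counts per entry:", hits)
```

The last two constructed flows fall through to the implicit deny, which is the property worth confirming: a guest host reaches the proxy port and the DNS/DHCP server and nothing else on the internal range. The per-entry hit counts are the same numbers `show access-lists` reports on the device, and they are what you would look at to decide whether the ordering in comment 3 matches real traffic.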