Comware

  • 1.  RACL difficulties

    Posted Aug 23, 2011 06:45 AM

    I have a few VLANs across a pair of 8212s and a 5412.

    Specifically, I have a LAN VLAN, 23, and a server VLAN, 45, that I am trying to lock down to a few specific IPs.

    So I can add a standard access list:

    ip access-list standard "45-out"
       10 permit 172.23.11.61 0.0.0.0
       11 permit 172.23.11.82 0.0.0.0
    and apply this to VLAN 45 on the way out:

    vlan 45 ip access-group 45-out out

    However, with this applied, VLAN 45 cannot see anything other than those 2 hosts.

    What I would like is for VLAN 45 to be able to route anywhere, but only for some specific hosts to see machines on VLAN 45.
    What am I missing?
    Thanks for any help

    Tom

  • 2.  RE: RACL difficulties

    Posted Sep 04, 2011 08:34 AM

    Hi Tom,

    Let's see if I'm understanding your explanation right: I read your statement as saying that you want to allow all outbound access from VLAN 45, but only selected inbound access to VLAN 45.  What you need to achieve this is a stateful firewall with connection tracking.

    I haven't done this on my E5400s, but if my reading of the manual is correct, what you need to do is filter on the way in to VLAN 45, and allow those two IP addresses AND any established connections (using an extended ACL with the "established" flag).  This means that connections that have already been initiated from VLAN 45 should pass.

    I don't know how sophisticated the ProCurve connection tracking is - hopefully it will understand UDP and ICMP exchanges as well as the documented support of TCP connections.
    Hope that helps.
    Regards,

    Paul
  • 3.  RE: RACL difficulties

    Posted Dec 29, 2011 05:06 AM
    The established keyword only applies to TCP connections.
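
    The approach from replies 2 and 3 (permit the two named hosts, plus TCP "established" replies, on the VLAN 45 filter) modelled as an added Python example; this is not code from the thread or from HP. It assumes first-match evaluation with an implicit final deny, and that "established" matches only TCP segments with ACK or RST set, so the UDP and ICMP return traffic reply 3 warns about falls through to the deny.

```python
# Added example (not from the thread): a minimal first-match ACL evaluator
# modelling the ProCurve-style "established" behaviour the replies describe.
# Assumptions: "established" matches only TCP segments with ACK or RST set,
# rules are tried top-down, and anything unmatched hits the implicit deny.
from dataclasses import dataclass, field

@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str                        # source IP of the packet entering VLAN 45
    flags: set = field(default_factory=set)  # TCP flags, e.g. {"SYN"} or {"ACK"}

# Rule = (action, protocol, source IP or "any", established?)
# Hypothetical rewrite of the thread's "45-out" ACL: the two named hosts may
# initiate anything into VLAN 45; everyone else only gets TCP replies through.
ACL_45_OUT = [
    ("permit", "ip",  "172.23.11.61", False),
    ("permit", "ip",  "172.23.11.82", False),
    ("permit", "tcp", "any",          True),   # "permit tcp any any established"
]   # implicit "deny ip any any" follows

def _matches(rule, pkt: Packet) -> bool:
    _, proto, src, established = rule
    if proto != "ip" and proto != pkt.proto:
        return False
    if src != "any" and src != pkt.src:
        return False
    if established:   # only TCP carries ACK/RST, so UDP/ICMP can never match
        return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})
    return True

def evaluate(acl, pkt: Packet) -> str:
    """Return the action of the first matching rule, or 'deny' (implicit)."""
    for rule in acl:
        if _matches(rule, pkt):
            return rule[0]
    return "deny"

if __name__ == "__main__":
    # Constructed packets routed into VLAN 45 (the ones the "out" ACL sees).
    cases = {
        "allowed host opens SSH (SYN)": Packet("tcp", "172.23.11.61", {"SYN"}),
        "other host opens SSH (SYN)":   Packet("tcp", "172.23.11.99", {"SYN"}),
        "TCP reply to VLAN 45 (ACK)":   Packet("tcp", "172.23.11.99", {"ACK"}),
        "UDP DNS reply to VLAN 45":     Packet("udp", "172.23.11.99"),
        "ICMP echo reply to VLAN 45":   Packet("icmp", "172.23.11.99"),
    }
    for name, pkt in cases.items():
        print(f"{name:31} -> {evaluate(ACL_45_OUT, pkt)}")
```

    The last two cases are the gap reply 3 points at: a DNS lookup or ping from a VLAN 45 host gets its reply dropped by this ACL, so those protocols need their own explicit permits or a genuinely stateful device.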