Comware

  • 1.  V1910 vlan routing ACL's

    Posted Jun 10, 2014 02:30 PM

    Hi, has anybody successfully configured ACLs on a V1910 family switch? From what I understand, to make ACLs work on these switches you need to configure:

    1. ACL rules

    2. QoS Classifier

    3. QoS Behavior

    4. QoS Policy Using both Classifier and Behavior

    5. Apply QoS Policy to a Port?

       

      What I have is:

    1. Vlan 1: switch management vlan (all trunk ports, Gateway=192.168.2.250), switch ports: 13 to 28

    2. Vlan 101: servers vlan (Gateway 192.168.0.210), switch ports: 1 to 12

    3. Vlan 102: staff vlan (Gateway 172.16.200.1), no ports on this switch because the ports for this vlan will be configured on access switches connected to this switch via trunk ports

    4. Vlan 103: students vlan (Gateway 172.16.0.1), no ports on this switch because the ports for this vlan will be configured on access switches connected to this switch via trunk ports

       

      What I need is:

    1. Prevent access from the staff (102) to the students (103) vlan and vice versa.

    2. Give access from the staff (102) and students (103) vlans to the servers vlan (101).

    3. Prevent access from the staff (102) and students (103) vlans to the switch management vlan (1).

    4. Prevent access from students (103) to some specific servers (192.168.0.2, 192.168.0.12, 192.168.0.16)

    5. DHCP helper or something like that, because IPs from Vlans 102 and 103 are assigned via DHCP Server (192.168.0.1)

       

      What I have configured so far:

    1. All vlans are already created, each vlan with an IP so I can route between them (192.168.2.250, 192.168.0.210, 172.16.200.1, 192.168.2.1)

    2. Switch gateway 0.0.0.0 to 192.168.0.6, so the next hop for all traffic is the firewall

    3. ACLs:

      1. ACL Number: 3001, Type: Advanced, Number of Rules: 3

    Rule ID   Operation   Description

    10        deny        ip source 172.16.200.0 0.0.7.255 destination 172.16.0.0 0.0.15.255

    20        deny        ip source 172.16.200.0 0.0.7.255 destination 192.168.2.0 0.0.0.255

    30        permit      ip source 172.16.200.0 0.0.7.255 destination 192.168.0.0 0.0.1.255

     

      2. ACL Number: 3002, Type: Advanced, Number of Rules: 6

    Rule ID   Operation   Description

    10        deny        ip source 172.16.0.0 0.0.15.255 destination 172.16.200.0 0.0.7.255

    20        deny        ip source 172.16.0.0 0.0.15.255 destination 192.168.2.0 0.0.0.255

    30        deny        ip source 172.16.0.0 0.0.15.255 destination 192.168.0.2 0

    40        deny        ip source 172.16.0.0 0.0.15.255 destination 192.168.0.12 0

    50        deny        ip source 172.16.0.0 0.0.15.255 destination 192.168.0.16 0

    60        permit      ip source 172.16.0.0 0.0.15.255 destination 192.168.0.0 0.0.1.255 fragment

     

    What is working with the current configuration:

    1. Routing between vlans is working by default with the configuration of every vlan IP address and the default gateway of the switch, so I don't really know why I have to configure the permit rules. So right now I have complete access from any vlan to any vlan; that's why I created the ACLs.

    What is not working:

    1. ACLs are not working, because apparently they do not work if I don't create what I mentioned above: classifiers, behaviors, policies.

    Can anybody help me with a straightforward step by step on how to achieve this? I am not an expert on these topics, but I do understand that on most layer 3 switches the ACLs work directly without any further configuration, but on this specific model you have to take these extra steps.

     

     

    P.S. This thread has been moved from LAN Routing to Web and Unmanaged. -HP Forum Moderator




  • 2.  RE: V1910 vlan routing ACL's

    Posted Jun 10, 2014 07:16 PM

    Howdy,
    Can you not just use the
    # int gig 1/0
    # packet-filter 3003 inbound
    type syntax on these relatively simple ones?

     

    I thought that using the QoS config method was for VACLs?

     

    Loads of ACL examples in the Comware v5 Examples Guide for the 10500 (Comware Cookbook)

    http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c03911087-1.pdf

     

    HTH

    Ian



  • 3.  RE: V1910 vlan routing ACL's

    Posted Jun 11, 2014 09:39 AM
    Hi Ian, thank you for the reply, but as I said I am not an expert on this topic; your answer only gave me more questions haha, sorry.

    # int gig 1/0
    # packet-filter 3003 inbound
    What are these commands for?

    I also looked in the documentation you suggested and there is something like:
    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] packet-filter 3000 inbound
    Is this the same you are suggesting?

    What are VACLs?


  • 4.  RE: V1910 vlan routing ACL's

    Posted Jun 12, 2014 05:57 PM

    Howdy,

    re: VACL have a look at the link below

    VACL - filters traffic within the VLAN rather than traffic passing through the L3 interface

     

    The packet filter is a simple (ish) mechanism for applying access control lists to vlan / l3 interfaces

     

    1) Create your acl

    2) add some rules to it

    3) check the permit / deny logic

    4) apply to the appropriate interface - closest to the source usually best - inbound or outbound

     

    Yes, those examples in the Comware doc should translate to what you are trying to achieve

    HTH

    Ian



  • 5.  RE: V1910 vlan routing ACL's

    Posted Jun 13, 2014 09:33 AM
    Thank you Ian. So, in my current setup, where the first twelve ports of the switch are being used for one vlan and the other twelve + 4 fiber ports are trunk ports so other switches can connect to them, and the actual clients in the other two vlans are going to be connected to other switches, should I add the command you suggested for each port of my switch? Something like this?:

    interface GigabitEthernet1/0/1
    packet-filter 3000 inbound
    interface GigabitEthernet1/0/2
    packet-filter 3000 inbound
    interface GigabitEthernet1/0/3
    packet-filter 3000 inbound

    And so on for all my switch ports?

    Also, if the above should work, would something like this work? Instead of applying to every single port, apply to the complete vlan:

    interface Vlan-interface1
    packet-filter 3000 inbound

    interface Vlan-interface101
    packet-filter 3000 inbound

    interface Vlan-interface102
    packet-filter 3000 inbound

    And so on..

    Thank you again for your time!! :)


  • 6.  RE: V1910 vlan routing ACL's

    Posted Jun 13, 2014 12:50 PM

    Ian, well, I tried this solution and it partially worked, you are a genius!! I am copying my configuration file here:

     


    #
     version 5.20, Release 1513P85
    #
     sysname Core
    #
     super password level 3 cipher $c$3$f9AQHbywXlr5KliCcLUWZ1V33ReEJc7Myfb/SQ==
    #
     domain default enable system
    #
     ip ttl-expires enable
    #
     password-recovery enable
    #
    acl number 3001
     rule 10 deny ip source 172.16.200.0 0.0.7.255 destination 172.16.0.0 0.0.15.255
     rule 20 deny ip source 172.16.200.0 0.0.7.255 destination 192.168.2.0 0.0.0.255
     rule 30 permit ip source 172.16.200.0 0.0.7.255 destination 192.168.0.0 0.0.1.255
    acl number 3002
     rule 10 deny ip source 172.16.0.0 0.0.15.255 destination 172.16.200.0 0.0.7.255
     rule 20 deny ip source 172.16.0.0 0.0.15.255 destination 192.168.2.0 0.0.0.255
     rule 30 deny ip source 172.16.0.0 0.0.15.255 destination 192.168.0.2 0
     rule 40 deny ip source 172.16.0.0 0.0.15.255 destination 192.168.0.12 0
     rule 50 deny ip source 172.16.0.0 0.0.15.255 destination 192.168.0.16 0
     rule 60 permit ip source 172.16.0.0 0.0.15.255 destination 192.168.0.0 0.0.1.255 fragment
    #
    vlan 1
    #
    vlan 101
     description Servidores
    #
    vlan 102
     description Administrativos
    #
    vlan 103
     description Estudiantes
    #
    radius scheme system
    #
    domain system
     access-limit disable
     state active
     idle-cut disable
     self-service-url disable
    #
    user-group system
    #
    local-user admin
     password cipher $c$3$d2uEAn/pkEAkdG+Pk/GvBbhkxr5VV4qcbElbfg==
     authorization-attribute level 3
     service-type ssh telnet terminal
     service-type web
    #
     stp mode rstp
     stp enable
    #
    interface NULL0
    #
    interface Vlan-interface1
     ip address 192.168.2.250 255.255.255.0
    #
    interface Vlan-interface101
     ip address 192.168.0.210 255.255.255.0
    #
    interface Vlan-interface102
     ip address 172.16.200.1 255.255.248.0
    #
    interface Vlan-interface103
     ip address 172.16.0.1 255.255.240.0
    #
    interface GigabitEthernet1/0/1
     port access vlan 101
     stp edged-port enable
     packet-filter 3001 inbound
     packet-filter 3002 inbound
    #
    interface GigabitEthernet1/0/2
     port access vlan 101
     stp edged-port enable
     packet-filter 3001 inbound
     packet-filter 3002 inbound
    #
    interface GigabitEthernet1/0/3
     port access vlan 101
     stp edged-port enable
     packet-filter 3001 inbound
     packet-filter 3002 inbound
    #
    interface GigabitEthernet1/0/4
     port access vlan 101
     stp edged-port enable
     packet-filter 3001 inbound
     packet-filter 3002 inbound
    #
    interface GigabitEthernet1/0/5
     port access vlan 101
     stp edged-port enable
     packet-filter 3001 inbound
     packet-filter 3002 inbound
    #
    interface GigabitEthernet1/0/6
     port access vlan 101
     stp edged-port enable
     packet-filter 3001 inbound
     packet-filter 3002 inbound
    #
    interface GigabitEthernet1/0/7
     port access vlan 101
     stp edged-port enable
     packet-filter 3001 inbound
     packet-filter 3002 inbound
    #
    interface GigabitEthernet1/0/8
     port access vlan 101
     stp edged-port enable
     packet-filter 3001 inbound
     packet-filter 3002 inbound
    #
    interface GigabitEthernet1/0/9
     port access vlan 101
     stp edged-port enable
     packet-filter 3001 inbound
     packet-filter 3002 inbound
    #
    interface GigabitEthernet1/0/10
     port access vlan 101
     stp edged-port enable
     packet-filter 3001 inbound
     packet-filter 3002 inbound
    #
    interface GigabitEthernet1/0/11
     port access vlan 101
     stp edged-port enable
     packet-filter 3001 inbound
     packet-filter 3002 inbound
    #
    interface GigabitEthernet1/0/12
     port access vlan 102
     stp edged-port enable
     packet-filter 3001 inbound
     packet-filter 3002 inbound
    #
    interface GigabitEthernet1/0/13
     port link-type hybrid
     port hybrid vlan 101 to 103 tagged
     port hybrid vlan 1 untagged
     stp edged-port enable
     packet-filter 3001 inbound
     packet-filter 3002 inbound
    #
    interface GigabitEthernet1/0/14
     port link-type hybrid
     port hybrid vlan 101 to 103 tagged
     port hybrid vlan 1 untagged
     stp edged-port enable
     packet-filter 3001 inbound
     packet-filter 3002 inbound
    #
    interface GigabitEthernet1/0/15
     port link-type hybrid
     port hybrid vlan 101 to 103 tagged
     port hybrid vlan 1 untagged
     stp edged-port enable
     packet-filter 3001 inbound
     packet-filter 3002 inbound
    #
    interface GigabitEthernet1/0/16
     port link-type hybrid
     port hybrid vlan 101 to 103 tagged
     port hybrid vlan 1 untagged
     stp edged-port enable
     packet-filter 3001 inbound
     packet-filter 3002 inbound
    #
    interface GigabitEthernet1/0/17
     port link-type hybrid
     port hybrid vlan 101 to 103 tagged
     port hybrid vlan 1 untagged
     stp edged-port enable
     packet-filter 3001 inbound
     packet-filter 3002 inbound
    #
    interface GigabitEthernet1/0/18
     port link-type hybrid
     port hybrid vlan 101 to 103 tagged
     port hybrid vlan 1 untagged
     stp edged-port enable
     packet-filter 3001 inbound
     packet-filter 3002 inbound
    #
    interface GigabitEthernet1/0/19
     port link-type hybrid
     port hybrid vlan 101 to 103 tagged
     port hybrid vlan 1 untagged
     stp edged-port enable
     packet-filter 3001 inbound
     packet-filter 3002 inbound
    #
    interface GigabitEthernet1/0/20
     port link-type hybrid
     port hybrid vlan 101 to 103 tagged
     port hybrid vlan 1 untagged
     stp edged-port enable
     packet-filter 3001 inbound
     packet-filter 3002 inbound
    #
    interface GigabitEthernet1/0/21
     port link-type hybrid
     port hybrid vlan 101 to 103 tagged
     port hybrid vlan 1 untagged
     stp edged-port enable
     packet-filter 3001 inbound
     packet-filter 3002 inbound
    #
    interface GigabitEthernet1/0/22
     port link-type hybrid
     port hybrid vlan 101 to 103 tagged
     port hybrid vlan 1 untagged
     stp edged-port enable
     packet-filter 3001 inbound
     packet-filter 3002 inbound
    #
    interface GigabitEthernet1/0/23
     port access vlan 103
     stp edged-port enable
     packet-filter 3001 inbound
     packet-filter 3002 inbound
    #
    interface GigabitEthernet1/0/24
     port link-type trunk
     port trunk permit vlan 1 101 to 103
     stp edged-port enable
     packet-filter 3001 inbound
     packet-filter 3002 inbound
    #
    interface GigabitEthernet1/0/25
     port link-type hybrid
     port hybrid vlan 101 to 103 tagged
     port hybrid vlan 1 untagged
     stp edged-port enable
     packet-filter 3001 inbound
     packet-filter 3002 inbound
    #
    interface GigabitEthernet1/0/26
     port link-type hybrid
     port hybrid vlan 101 to 103 tagged
     port hybrid vlan 1 untagged
     stp edged-port enable
     packet-filter 3001 inbound
     packet-filter 3002 inbound
    #
    interface GigabitEthernet1/0/27
     port link-type hybrid
     port hybrid vlan 101 to 103 tagged
     port hybrid vlan 1 untagged
     stp edged-port enable
     packet-filter 3001 inbound
     packet-filter 3002 inbound
    #
    interface GigabitEthernet1/0/28
     port link-type hybrid
     port hybrid vlan 101 to 103 tagged
     port hybrid vlan 1 untagged
     stp edged-port enable
     packet-filter 3001 inbound
     packet-filter 3002 inbound
    #
     ip route-static 0.0.0.0 0.0.0.0 192.168.0.6 preference 10
    #
     snmp-agent
     snmp-agent local-engineid 8000000B0344319203C7EA
     snmp-agent sys-info contact Gustavo Puente
     snmp-agent sys-info location Data Center
     snmp-agent sys-info version v3
    #
    user-interface aux 0
     authentication-mode scheme
    user-interface vty 0 15
     authentication-mode scheme
    #
    return

     

     

    I added "packet-filter 3001 inbound" and "packet-filter 3002 inbound" lines to every port on the switch and apparently it is working :) meaning that:

    From vlan 1 you can ping vlans 101, 102, 103

    Vlan 102 can't ping vlan 1 or vlan 103

    Vlan 103 can't ping vlan 1 or vlan 102

    Vlans 102 and 103 can ping vlan 101

     

    What I am not achieving is that from vlan 103 I shouldn't be able to ping specific IP addresses on vlan 101 (192.168.0.2, 192.168.0.16, 192.168.0.12) that are also defined in my ACLs

     

    Could you please take a look at it and tell me if I am missing something?

    Does the order of the permits and denies in the ACLs matter, or am I not defining it correctly?

     

    Thanks a lot and sorry for the trouble
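As an added check for step 3 of Ian's procedure ("check the permit / deny logic") and for the rule-order question in the last post: the script below is an example written for this page, not code from the thread or from HP. It parses the two ACLs exactly as they appear in the posted configuration and evaluates a few constructed flows (hypothetical hosts inside the thread's subnets) with Comware's first-match wildcard semantics, where a set bit in the wildcard is a don't-care bit and a bare `0` wildcard means a single host. Assumptions, labelled in the code: rules are evaluated in the order shown (ascending rule IDs, which is what the Comware default `match-order config` gives for this configuration), a rule carrying the `fragment` keyword applies only to non-first fragments, and a packet that matches no rule is permitted, which is the packet filter's default.

```python
"""Offline first-match simulator for Comware v5 advanced IPv4 ACL rules.

Added example, not code from the original thread or from HP/Comware.
It parses `rule ...` lines in the syntax shown in the posted configuration
and evaluates a packet against them in order, using Comware wildcard masks
(a set bit in the wildcard is a don't-care bit; a bare `0` means one host).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Spec = Tuple[str, str]                     # (address, wildcard) as printed by Comware
ANY: Spec = ("0.0.0.0", "255.255.255.255")


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                            # "permit" or "deny"
    protocol: str                          # only "ip" appears on this page
    src: Spec
    dst: Spec
    fragment_only: bool = False            # Comware `fragment`: non-first fragments only


def _ip(s: str) -> int:
    """Accept dotted quads; Comware prints a host wildcard as a bare `0`."""
    return int(ipaddress.IPv4Address(s)) if "." in s else int(s)


def parse_rule(line: str) -> Rule:
    """Parse `rule <id> <permit|deny> <proto> [source A W|any] [destination A W|any] [fragment]`."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "rule" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an advanced ACL rule: {line!r}")
    src, dst, frag = ANY, ANY, False
    i = 4
    while i < len(tok):
        if tok[i] in ("source", "destination"):
            if tok[i + 1] == "any":
                spec, step = ANY, 2
            else:
                spec, step = (tok[i + 1], tok[i + 2]), 3
            if tok[i] == "source":
                src = spec
            else:
                dst = spec
            i += step
        elif tok[i] == "fragment":
            frag, i = True, i + 1
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r} in {line!r}")
    return Rule(int(tok[1]), tok[2], tok[3], src, dst, frag)


def wildcard_match(addr: str, spec: Spec) -> bool:
    """True if addr agrees with spec's address on every bit the wildcard does not mask."""
    care = 0xFFFFFFFF ^ _ip(spec[1])       # bits that must match exactly
    return (_ip(addr) & care) == (_ip(spec[0]) & care)


def evaluate(rules: List[Rule], src: str, dst: str,
             nonfirst_fragment: bool = False,
             default_action: str = "permit") -> Tuple[str, Optional[int]]:
    """First matching rule wins; a packet matching no rule gets default_action.

    Assumption: rules are checked in list order, which for ascending rule IDs
    (as in the posted config) is the order the switch uses under the default
    `match-order config`. Comware's packet filter permits packets that match
    no rule, hence default_action="permit"; pass "deny" to see the effect of
    an explicit trailing `deny ip` rule instead.
    """
    for r in rules:
        if r.fragment_only and not nonfirst_fragment:
            continue                       # `fragment` rules never see a whole/first packet
        if wildcard_match(src, r.src) and wildcard_match(dst, r.dst):
            return r.action, r.rule_id
    return default_action, None


def load_acl(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip().startswith("rule")]


# The two ACLs exactly as they appear in the posted configuration.
ACL_3001 = load_acl("""
rule 10 deny ip source 172.16.200.0 0.0.7.255 destination 172.16.0.0 0.0.15.255
rule 20 deny ip source 172.16.200.0 0.0.7.255 destination 192.168.2.0 0.0.0.255
rule 30 permit ip source 172.16.200.0 0.0.7.255 destination 192.168.0.0 0.0.1.255
""")
ACL_3002 = load_acl("""
rule 10 deny ip source 172.16.0.0 0.0.15.255 destination 172.16.200.0 0.0.7.255
rule 20 deny ip source 172.16.0.0 0.0.15.255 destination 192.168.2.0 0.0.0.255
rule 30 deny ip source 172.16.0.0 0.0.15.255 destination 192.168.0.2 0
rule 40 deny ip source 172.16.0.0 0.0.15.255 destination 192.168.0.12 0
rule 50 deny ip source 172.16.0.0 0.0.15.255 destination 192.168.0.16 0
rule 60 permit ip source 172.16.0.0 0.0.15.255 destination 192.168.0.0 0.0.1.255 fragment
""")

# Constructed test flows: hypothetical hosts inside the thread's subnets.
FLOWS = [
    ("students->blocked server", ACL_3002, "172.16.0.50", "192.168.0.2"),
    ("students->other server",   ACL_3002, "172.16.0.50", "192.168.0.40"),
    ("students->staff",          ACL_3002, "172.16.0.50", "172.16.200.9"),
    ("staff->students",          ACL_3001, "172.16.200.9", "172.16.3.3"),
    ("staff->management",        ACL_3001, "172.16.200.9", "192.168.2.250"),
    ("staff->internet",          ACL_3001, "172.16.200.9", "203.0.113.7"),
]


def audit() -> Dict[str, Tuple[str, Optional[int]]]:
    """Map each constructed flow to (action, matching rule ID or None for the default)."""
    return {name: evaluate(acl, s, d) for name, acl, s, d in FLOWS}


if __name__ == "__main__":
    for name, (action, rid) in audit().items():
        hit = f"rule {rid}" if rid is not None else "no match, default"
        print(f"{name:24s} {action:6s} ({hit})")
```

In the simulation the students-to-192.168.0.2 flow stops at rule 30 (deny) before rule 60 is ever reached, so the rule order in ACL 3002 is fine as posted. It also shows that rule 60, because of its `fragment` keyword, never matches an ordinary unfragmented ping: unmatched student traffic to vlan 101 is passing on the packet filter's default permit rather than on rule 60, which matters if an explicit trailing deny is ever added. If the real switch still lets those pings through, the thing to check is not the rule order but whether the filter is being hit at all, which the per-rule match counters of `display acl 3002` will show.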