Comware

  • 1.  Vlan ACL

    Posted Jan 25, 2010 12:02 PM
    Hi,

    I am trying to figure out a Vlan ACL. What I want is pretty simple, I think. I have a HP 5308xl and I want to allow vlan 1 access to vlan 2 but no access from vlan 2 to vlan 1. Vlan 1 has the range 102.168.8.0 - 192.168.15.255. Do I use an inbound or outbound statement, deny or permit? Also, how do I handle the range? Do I use separate statements for each?

    Thanks


  • 2.  RE: Vlan ACL

    Posted Jan 26, 2010 04:34 AM
    Hi,

    You want an inbound access list applied to VLAN 2 (the way to remember the direction is that it is always with respect to the switch, not the hosts).
    Basically your acl will say:

    deny (vlan 2 range) any
    permit any any

    Take a look at the manual pages here on how to do wildcard for your vlan 2 range (if you get stuck just ask again :) )

    http://ftp.hp.com/pub/networking/software/6400-5300-4200-3400-AdvTrafficMgmt-Oct2006-59906051-Chap09.pdf


  • 3.  RE: Vlan ACL

    Posted Jan 26, 2010 08:24 AM
    Hello, it's easy to do that.
    This configuration permits any communication from VLAN 1 to 2, but vice versa is denied.

    Just copy these and paste them as they are.

    ip access-list extended VLAN_2
       permit ip 192.168.8.0/21 any
       permit tcp any 192.168.8.0/21 established
       permit icmp any 192.168.8.0/21 echo-reply
       deny icmp any any echo
       deny tcp any any eq telnet
       permit ip any any

    vlan 2
       ip access-group VLAN_2 vlan
       ip access-group VLAN_2 in


    Regards,
    A.S


  • 4.  RE: Vlan ACL

    Posted Jan 27, 2010 05:43 AM
    Where I said "deny (vlan 2 range) any" I of course meant "deny (vlan 1 range) any".

    Abdullah, I'm not sure how your ACL works. It's applied on VLAN 2, and the first line of the ACL:

    "Permit ip 192.168.8.0/21 any" is allowing access from hosts with a source address of 192.168.8.0/21 to any address?


  • 5.  RE: Vlan ACL

    Posted Jan 27, 2010 09:39 AM
    Dear Moh, I added this line in order to use it if he adds a new VLAN and wants to add a static route to his client from this new subnet. But in the above scenario it's not required. Therefore, if he adds or removes it, nothing will happen.
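To check what an ACL actually does before binding it to a VLAN, it helps to walk a few packets through it by hand. The Python script below is an added example, not code from this thread or from HP: it encodes the six-line ACL from post 3 as data, evaluates constructed packets against it with first-match semantics as an inbound ACL on VLAN 2, and answers the direction question from post 4 (a packet from a VLAN 1 host enters the switch on VLAN 1, so an inbound ACL on VLAN 2 never sees it). It assumes VLAN 2 is 192.168.16.0/24, which the thread does not state.

```python
import ipaddress
# Constructed addressing: VLAN 1 = 192.168.8.0/21 comes from post 3; VLAN 2 =
# 192.168.16.0/24 is an assumption, the thread never states it.
VLAN1 = ipaddress.ip_network("192.168.8.0/21")
ANY = ipaddress.ip_network("0.0.0.0/0")
# Post 3's ACL, one (action, proto, src_net, dst_net, qualifier) per line; "ip" = any proto.
POST3_ACL = [
    ("permit", "ip",   VLAN1, ANY,   None),
    ("permit", "tcp",  ANY,   VLAN1, "established"),
    ("permit", "icmp", ANY,   VLAN1, "echo-reply"),
    ("deny",   "icmp", ANY,   ANY,   "echo"),
    ("deny",   "tcp",  ANY,   ANY,   "eq telnet"),
    ("permit", "ip",   ANY,   ANY,   None),
]
QUALIFIERS = {  # 'established' = TCP segment with ACK or RST set, i.e. not a new connection
    "established": lambda p: p.get("ack") or p.get("rst"),
    "echo-reply": lambda p: p.get("icmp_type") == 0,
    "echo": lambda p: p.get("icmp_type") == 8,
    "eq telnet": lambda p: p.get("dport") == 23,
}

def ace_matches(ace, pkt):
    _, proto, src, dst, qual = ace
    return ((proto == "ip" or proto == pkt["proto"])
            and pkt["src"] in src and pkt["dst"] in dst
            and (qual is None or bool(QUALIFIERS[qual](pkt))))

def vlan2_inbound(acl, pkt):
    # The ACL is bound inbound on VLAN 2, so only packets entering the switch from VLAN 2
    # are evaluated; the first matching entry wins, implicit deny if nothing matches.
    if pkt["vlan"] != 2:
        return "not-filtered"
    return next((ace[0] for ace in acl if ace_matches(ace, pkt)), "deny")

def pkt(vlan, proto, src, dst, **extra):
    return {"vlan": vlan, "proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), **extra}

CASES = {  # constructed packets; the comment names the ACL line that decides each one
    "vlan1_to_vlan2_syn": pkt(1, "tcp", "192.168.8.10", "192.168.16.5", dport=80),     # enters on VLAN 1
    "vlan2_reply_ack":    pkt(2, "tcp", "192.168.16.5", "192.168.8.10", ack=True),     # line 2
    "vlan2_echo_reply":   pkt(2, "icmp", "192.168.16.5", "192.168.8.10", icmp_type=0), # line 3
    "vlan2_ping_vlan1":   pkt(2, "icmp", "192.168.16.5", "192.168.8.10", icmp_type=8), # line 4
    "vlan2_telnet_vlan1": pkt(2, "tcp", "192.168.16.5", "192.168.8.10", dport=23),     # line 5
    "vlan2_ssh_vlan1":    pkt(2, "tcp", "192.168.16.5", "192.168.8.10", dport=22),     # line 6
}

def evaluate_all(acl=POST3_ACL):
    return {name: vlan2_inbound(acl, p) for name, p in CASES.items()}
```

Note the last case: a new SSH connection from VLAN 2 to VLAN 1 matches none of the first five lines and falls through to the final "permit ip any any", so this ACL only blocks echo requests and telnet from VLAN 2.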