Comware

  • 1.  VLAN ACL Filter doesn't work

    Posted Nov 18, 2013 02:43 PM

    Can't get the ACL to work. I have a simple setup with VLANs 60-63, and each VLAN corresponds to a VLAN interface below:

    interface vlan 60
    ip address 10.1.60.1 24

    interface vlan 61
    ip address 10.1.61.1 24

    interface vlan 62
    ip address 10.1.62.1 24

    interface vlan 63
    ip address 10.1.63.1 24

    All I want to do is block traffic from VLANs 61-63 from reaching VLAN 60. See the config below:

    acl number 3000
    rule deny ip source 10.1.61.0 0.0.0.255 destination 10.1.60.0 0.0.0.255
    rule deny ip source 10.1.62.0 0.0.0.255 destination 10.1.60.0 0.0.0.255
    rule deny ip source 10.1.63.0 0.0.0.255 destination 10.1.60.0 0.0.0.255
    rule deny ip source 10.1.64.0 0.0.0.255 destination 10.1.60.0 0.0.0.255

    interface vlan 60
    ip address 10.1.60.1 24
    packet-filter 3000 outbound

    I put a workstation on VLAN 63 and am able to ping VLAN interface 60's IP address 10.1.60.1.

    Please advise!

    Thanks,


    #ACLs


  • 2.  RE: VLAN ACL Filter doesn't work

    Posted Nov 18, 2013 08:05 PM

    What if you put the rule "inbound" on the VLAN 63 interface instead?

     

    What about other IP addresses on VLAN 60, aside from the router address?



  • 3.  RE: VLAN ACL Filter doesn't work

    Posted Nov 20, 2013 06:03 AM

    Hi,

    I agree with Vince, the test address is not valid, since it belongs to the switch itself (this traffic is not going 'out' on the VLAN interface, but is handled by the software of the switch).

    So I would suggest trying to reach a real host on the remote VLANs.

    Best regards, Peter.
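The following is an added illustration, not code from the thread or from Comware: a small Python model of ACL 3000 with Comware-style wildcard masks, showing why the outbound filter on interface vlan 60 never sees a ping to the switch's own address 10.1.60.1, while a ping to a real host on VLAN 60 is denied. The switch-address set, the default-permit at the end of the ACL, and the assumption that an inbound filter is evaluated before the switch consumes a locally addressed packet are all assumptions of this model, not statements from the thread.

```python
from ipaddress import IPv4Address

# Constructed model of the setup in the thread: addresses owned by the
# switch's own VLAN interfaces, and ACL 3000 exactly as posted.
SWITCH_ADDRESSES = {"10.1.60.1", "10.1.61.1", "10.1.62.1", "10.1.63.1"}

# Each entry is (source network, source wildcard, destination network,
# destination wildcard); every rule in ACL 3000 is a deny.
ACL_3000 = [
    ("10.1.61.0", "0.0.0.255", "10.1.60.0", "0.0.0.255"),
    ("10.1.62.0", "0.0.0.255", "10.1.60.0", "0.0.0.255"),
    ("10.1.63.0", "0.0.0.255", "10.1.60.0", "0.0.0.255"),
    ("10.1.64.0", "0.0.0.255", "10.1.60.0", "0.0.0.255"),
]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)


def acl_verdict(acl, src: str, dst: str) -> str:
    """First matching deny rule wins; no match falls through to permit
    (assumption: the packet-filter default action is permit)."""
    for s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return "deny"
    return "permit"


def outbound_filter(acl, src: str, dst: str) -> str:
    """Model of 'packet-filter 3000 outbound' on interface vlan 60.
    A packet addressed to the switch's own VLAN-interface address is consumed
    by the switch's software and never leaves through the VLAN interface, so
    the outbound filter is never evaluated for it (Peter's explanation)."""
    if dst in SWITCH_ADDRESSES:
        return "delivered-locally"
    return acl_verdict(acl, src, dst)


def inbound_filter(acl, src: str, dst: str) -> str:
    """Model of the inbound alternative from reply 2: an inbound filter on
    the VLAN 63 interface is evaluated as the packet arrives, before the
    switch decides to forward or consume it (assumption of this model)."""
    return acl_verdict(acl, src, dst)
```

Running it shows that the ping from 10.1.63.10 to 10.1.60.1 bypasses the outbound filter, while the same ping to 10.1.60.50 is denied and the inbound variant denies both.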



  • 4.  RE: VLAN ACL Filter doesn't work

    Posted Nov 20, 2013 06:26 PM

    Thanks Vince and Peter,

     

    I will put a host and test instead of pinging the interface itself.

     

    BTW, is it possible to block the interface as well from pinging?

     

    Thanks,

     



  • 5.  RE: VLAN ACL Filter doesn't work

    Posted Nov 20, 2013 07:25 PM

    For your BTW, an outbound ACL looking for the opposite traffic on VLAN 60 should block it, I guess.