PAndreas
asked on
Binding ACL's to a VLAN
Hello Experts,
I am a little confused. I have got two 3Com 5500G-EI 24 Port Switches, stacked together, building my network backbone. Attached to them I have got a total of sixteen 3Com 4500 switches. On the 5500 I have created three VLANs, assigned IP addresses and added the ports I wanted. Now I will assign some ACLs to my VLAN (not to the ports inside the VLAN). According to the manual, very easy.
You go:
<5500>system-view
System View: return to User View with Ctrl+Z.
[5500]packet-filter inbound ip-group 3000
[5500]packet-filter vlan 10 inbound ip-group 3000
That's it! But my switch tells me ... Nope .... Unknown command!
Does anybody have an idea why, or know the right command for that?
Greetz
Patrick
hmm, you have the 3Com 5500G-EI 24 so that includes the enhanced image, I assume you have at least version V3.02.04?
Here is an example of an acl, it's a little different than yours:
<3Com> system-view
# Define basic ACL 2000 to filter packets with the source IP address of 10.1.1.1.
[3Com] acl number 2000
[3Com-acl-basic-2000] rule 1 deny source 10.1.1.1 0 time-range test
[3Com-acl-basic-2000] quit
# Apply ACL 2000 to Ethernet 1/0/1.
[3Com] interface Ethernet 1/0/1
[3Com-Ethernet1/0/1] packet-filter inbound ip-group 2000
harbor235 ;}
ASKER
Hi there,
I do have the firmware version V3.02.04, that's right, and the problem I have is to set an ACL on a VLAN, not on a single port. Setting an ACL on a single port works great.
I also contacted 3Com support already; they don't even know about the feature I want to use, but they are going to check it.
Greetz
Patrick
I had the same problem.
packet-filter vlan 222 inbound ip-group 3333
sets the rules of the acl to the physical ports which are on the vlan.
e.g.: Port 1: allowed vlans: 111, 222
the packet-filter command writes the rules to port 1 and so they apply on vlan 111 and 222
(tested 5 min ago with newest firmware on 3com 5500G-EI 24 Port)
Solution: One big ACL which separates on ip-basis
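A worked example of the "one big ACL which separates on ip-basis" approach from the reply above, added here and not taken from the thread or from 3Com documentation. Because packet-filter lands on the physical port rather than on the VLAN tag, the ACL has to select traffic by subnet; the subnets (10.0.111.0/24 for VLAN 111, 10.0.222.0/24 for VLAN 222), ACL number 3333 and port GigabitEthernet 1/0/1 are constructed placeholders, and the command syntax follows the Comware-style CLI shown earlier in the thread.

```text
# Constructed example. Assumed subnets:
#   VLAN 111 -> 10.0.111.0/24
#   VLAN 222 -> 10.0.222.0/24
<5500> system-view
System View: return to User View with Ctrl+Z.
# Advanced ACL (3000-3999) so rules can match on source AND destination.
[5500] acl number 3333
# Keep VLAN 222 hosts out of VLAN 111 ...
[5500-acl-adv-3333] rule 0 deny ip source 10.0.222.0 0.0.0.255 destination 10.0.111.0 0.0.0.255
# ... and VLAN 111 hosts out of VLAN 222; everything else stays permitted.
[5500-acl-adv-3333] rule 1 deny ip source 10.0.111.0 0.0.0.255 destination 10.0.222.0 0.0.0.255
[5500-acl-adv-3333] rule 2 permit ip
[5500-acl-adv-3333] quit
# Bind the ACL once to the trunk port carrying both VLANs (port is assumed).
# Since the filter is per port, this is safe even though the port sees both VLANs.
[5500] interface GigabitEthernet 1/0/1
[5500-GigabitEthernet1/0/1] packet-filter inbound ip-group 3333
[5500-GigabitEthernet1/0/1] quit
# Check the rule set (and rule hit counts, where the image reports them).
[5500] display acl 3333
```

The deny rules use the subnet as the selector, so a frame arriving on the port with the "wrong" VLAN tag is still judged by its IP addresses, which is the behaviour the reply above observed.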
do you have the standard or enhanced image?
harbor235 ;}