• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1588

3COM packet Filtering issue

I set up the following ACL on a switch

acl number 3005
 description DHCP traffic only
 rule 0 permit udp destination-port eq bootpc
 rule 1 permit udp destination-port eq bootps
 rule 2 deny ip

and applied it using

[switch]Packet-filter vlan 17 inbound ip-address 3005.

I expected this would prevent all incoming traffic from VLAN 17 apart from DHCP/Boot to any other vlans.

However what actually happened was it stopped traffic in VLAN 1,2,3,4,5..... !!!!!!!!!!!!!!!!!

I read the command above as filter all traffic coming in from VLAN 17 against the access rule, so why did it shut down the whole network?
0
Asked by: Aaron Street
1 Solution
 
RKinspCommented:
Hello devilWAH,

You are trying a Layer 2 ACL? Can you tell me what switch you are using?

regards,
RK
0
 
RKinspCommented:
The command should apply port bound ACL to all ports on VLAN 17, so in that sense you are correct....

Also I believe it is
Packet-filter vlan 17 inbound ip-group 3005
(not ip-address)


And depending on the switch, the rules are applied and stick to a port after they change vlans

(from a 3com 5500 manual)

Applying ACL Rules to Ports in a VLAN
By applying ACL rules to ports in a VLAN, you can add filtering of packets on all the ports
in the VLAN.
Note:
The ACL rules are only applied to ports that are in the VLAN at the time the packet-filter
vlan command is executed. In other words:
A port joining the VLAN later will not use the ACL rules for packet filtering.
A port leaving the VLAN later will keep using the ACL rules for packet filtering.
0
 
Aaron StreetInfrastructure ManagerAuthor Commented:
Is this something that has been changed in later versions of software, or is it still such an odd way to apply an ACL to a vlan interface?
0
 
RKinspCommented:
Please note that this does not apply the packet filter to the logical vlan interface, but actually to the physical port that is in that vlan, so it catches all traffic in that vlan/port.

If you want to protect routed traffic between vlans, you have to apply the packet filter inside the interface vlan context. If you do this, layer 2 traffic (from vlan 17 to vlan 17) will not be filtered.

Sincerely,
RK
0
 
Aaron StreetInfrastructure ManagerAuthor Commented:
I can't see a way to apply a filter with in the vlan interface, this is what surprised me first of all.

I am used to going into the vlan interface and applying the ACL there, just as you would on any other port. But the 5500's I have don't let you do this?
0
 
RKinspCommented:
my bad, I think this is only supported on their newer firmware (version 5 and up). Check if your switch supports this firmware.

You would apply it same way as you would a physical interface.

system-view
interface vlan 1
packet-filter ......
0
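As an added illustration (not part of the original thread, and not 3Com/H3C code), the following Python model reproduces the two behaviours RK describes: a port-bound "packet-filter vlan ... inbound ip-group" that is bound to whichever ports are VLAN members at the moment the command runs, and a packet-filter under "interface vlan" that sees only routed traffic. The topology is a constructed assumption, in particular a trunk uplink that is also a member of VLAN 17; the thread does not say how the asker's uplink was configured, but that is the kind of membership under which a port-bound ACL "on VLAN 17" would drop traffic for VLANs 1 to 5 arriving on the same trunk.

```python
"""Constructed model of Comware-3-style ACL application on a 3Com 5500.

This is an illustration written for this page, not switch firmware. Port names,
VLAN membership and the packet mix below are assumptions made for the example.
"""
from dataclasses import dataclass, field
from typing import Optional

BOOTPS, BOOTPC = 67, 68  # UDP server/client ports the ACL names symbolically


@dataclass(frozen=True)
class Packet:
    in_port: str                      # physical port the frame enters on
    vlan: int                         # VLAN the frame is tagged into
    proto: str                        # "udp", "tcp", "ip" (other IP) or "arp"
    dst_port: Optional[int] = None
    routed_to_vlan: Optional[int] = None  # set when the L3 switch routes it onwards


# ACL 3005 exactly as posted in the question: (action, protocol, destination port)
ACL_3005 = [
    ("permit", "udp", BOOTPC),   # rule 0 permit udp destination-port eq bootpc
    ("permit", "udp", BOOTPS),   # rule 1 permit udp destination-port eq bootps
    ("deny", "ip", None),        # rule 2 deny ip
]


def acl_action(rules, pkt: Packet) -> str:
    """First matching rule wins; a packet matching no rule is not filtered."""
    for action, proto, port in rules:
        if proto == "ip" and pkt.proto in ("ip", "udp", "tcp"):
            return action
        if proto == pkt.proto and (port is None or port == pkt.dst_port):
            return action
    return "permit"  # e.g. ARP is not IP, so 'deny ip' never matches it


@dataclass
class Switch:
    port_vlans: dict                 # port -> set of VLANs carried (trunks carry many)
    port_acls: dict = field(default_factory=dict)
    vlan_if_acls: dict = field(default_factory=dict)

    def packet_filter_vlan_inbound(self, vlan: int, rules) -> None:
        """'packet-filter vlan N inbound ip-group A' (Comware 3 behaviour quoted from
        the 5500 manual): the ACL is bound to every port that is a member of the VLAN
        *right now*. Ports joining later are not covered; ports leaving keep it."""
        for port, vlans in self.port_vlans.items():
            if vlan in vlans:
                self.port_acls[port] = rules

    def interface_vlan_packet_filter(self, vlan: int, rules) -> None:
        """packet-filter under 'interface vlan N' (newer firmware): routed traffic only."""
        self.vlan_if_acls[vlan] = rules

    def forward(self, pkt: Packet) -> str:
        # Stage 1: a port-bound ACL sees every frame entering that port, whatever its tag.
        rules = self.port_acls.get(pkt.in_port)
        if rules and acl_action(rules, pkt) == "deny":
            return "dropped at port"
        # Stage 2: intra-VLAN L2 forwarding never touches the VLAN interface.
        if pkt.routed_to_vlan is None:
            return "forwarded L2"
        rules = self.vlan_if_acls.get(pkt.vlan)
        if rules and acl_action(rules, pkt) == "deny":
            return "dropped at interface vlan"
        return "routed"


def build_switch() -> Switch:
    """Assumed topology: two access ports and one trunk uplink that also carries VLAN 17."""
    return Switch(port_vlans={
        "e1/0/1": {17},                       # user port in VLAN 17
        "e1/0/2": {2},                        # user port in VLAN 2
        "e1/0/24": {1, 2, 3, 4, 5, 17},       # trunk to the rest of the network
    })


def demo_port_bound() -> dict:
    """The asker's command: the trunk is a VLAN 17 member, so VLAN 2 traffic on it dies too."""
    sw = build_switch()
    sw.packet_filter_vlan_inbound(17, ACL_3005)
    return {
        "dhcp from vlan17": sw.forward(Packet("e1/0/1", 17, "udp", BOOTPS)),
        "web vlan17->vlan17": sw.forward(Packet("e1/0/1", 17, "tcp", 80)),
        "vlan2 via trunk": sw.forward(Packet("e1/0/24", 2, "tcp", 80)),
        "vlan2 access port": sw.forward(Packet("e1/0/2", 2, "tcp", 80)),
    }


def demo_membership_snapshot() -> dict:
    """The manual's caveat: binding follows the ports, not the VLAN, after changes."""
    sw = build_switch()
    sw.packet_filter_vlan_inbound(17, ACL_3005)
    sw.port_vlans["e1/0/2"] = {17}   # port moved into VLAN 17 afterwards
    sw.port_vlans["e1/0/1"] = {3}    # port moved out of VLAN 17 afterwards
    return {
        "joined later": sw.forward(Packet("e1/0/2", 17, "tcp", 80)),
        "left later": sw.forward(Packet("e1/0/1", 3, "tcp", 80)),
    }


def demo_interface_vlan() -> dict:
    """ACL under 'interface vlan 17': only traffic routed out of VLAN 17 is checked."""
    sw = build_switch()
    sw.interface_vlan_packet_filter(17, ACL_3005)
    return {
        "web vlan17->vlan17": sw.forward(Packet("e1/0/1", 17, "tcp", 80)),
        "web vlan17->vlan2": sw.forward(Packet("e1/0/1", 17, "tcp", 80, routed_to_vlan=2)),
        "vlan2 routed to vlan3": sw.forward(Packet("e1/0/24", 2, "tcp", 80, routed_to_vlan=3)),
    }


if __name__ == "__main__":
    for name, demo in (("port-bound", demo_port_bound),
                       ("membership snapshot", demo_membership_snapshot),
                       ("interface vlan", demo_interface_vlan)):
        print(name, demo())
```

The model is deliberately small: it does not implement source/destination address matching or the full Comware rule syntax, only enough to show why a port-bound filter with a trailing "deny ip" behaves like a per-port firewall rather than a per-VLAN one, and why an uplink that carries the filtered VLAN takes every other VLAN down with it.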
 
Aaron StreetInfrastructure ManagerAuthor Commented:
yep exactly, I have HP telling me they are the leaders in the field, but Cisco have had this basic feature for donkey's years now.

So far I am finding even with their version 5 code they are a poor second when it comes to their OS and CLI.

I can't say I am impressed with them yet, so far the only thing I find HP has over Cisco is they are cheap.
0
 
RKinspCommented:
True true...

however, you should probably note that the 5500 is end-of-sale, and their new stuff (5500EI) should support this as well as other functions.

I guess whenever you are picking networking hardware you have to see:

can it do what you need it to do? (regardless of method, you can still block traffic between networks by defining IP addresses)

is it simple to configure?

how much does it cost?

does it have maintenance issues/costs?

On a side note, for most stuff I prefer Cisco as well, in terms of added functionality, but I really like the "display this" command when configuring HP through CLI... don't have to run through "do show run" all the time... Either way, you have to get used to whatever CLI you are using.

my 2 cents,
RK
0
