There is a tricky “new” behavior in Comware 7 Layer 3 VLAN ACL processing: an ACL applied to a VLAN interface does not only filter the inter-VLAN routed traffic (as you would expect), but by default it is applied to intra-VLAN switched traffic as well. This behavior can now be controlled, so the admin can revert to the “expected” routed-only behavior:
On the routed context, e.g. the VLAN interface, there is now an option to choose whether the ACL is applied to routed traffic only or to routed + switched traffic.
# Enter Layer3 Vlan Interface
[HP] interface vlan 10
# Apply some advanced ACL on the interface
[HP-Vlan-interface10] packet-filter 3001 inbound
# Configure packet filter for routed traffic only
[HP-Vlan-interface10] packet-filter filter route
# Packet filter for routed+switched traffic in the vlan
# WARNING: this is the default !
[HP-Vlan-interface10] packet-filter filter all
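Because the routed + switched mode is the default, a VLAN interface that carries a packet-filter but no explicit "packet-filter filter route" line will silently filter host-to-host traffic inside the VLAN. The following audit script is an added example, not part of the original post or of any HPE/H3C tooling: it parses a running-config excerpt in the usual Comware display format (interface blocks delimited by "#", sub-commands indented by one space, which is an assumption about the config dump) and reports every Vlan-interface whose ACL will also hit intra-VLAN switched traffic, together with the CLI lines that would restore routed-only filtering. The configuration text is constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample running-config excerpt (not captured from a real device).
# Vlan-interface10: ACL applied, no filter mode -> Comware default "all".
# Vlan-interface20: ACL applied, explicitly routed-only.
# Vlan-interface30: no ACL at all.
SAMPLE_CONFIG = """\
#
acl number 3001 name INTER-VLAN
 rule 10 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
 rule 20 deny ip
#
interface Vlan-interface10
 ip address 10.10.10.1 255.255.255.0
 packet-filter 3001 inbound
#
interface Vlan-interface20
 ip address 10.10.20.1 255.255.255.0
 packet-filter 3001 inbound
 packet-filter filter route
#
interface Vlan-interface30
 ip address 10.10.30.1 255.255.255.0
#
"""


@dataclass
class VlanInterface:
    name: str
    filters: list = field(default_factory=list)  # e.g. "3001 inbound"
    filter_mode: str = "all"  # Comware default: routed + switched traffic


def parse_vlan_interfaces(config_text):
    """Collect packet-filter settings per Vlan-interface block."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            # Unindented line starts a new top-level block; only track VLAN interfaces.
            m = re.match(r"interface (Vlan-interface\d+)$", line)
            current = VlanInterface(m.group(1)) if m else None
            if current is not None:
                interfaces[current.name] = current
            continue
        if current is None:
            continue
        cmd = line.strip()
        mode = re.match(r"packet-filter filter (route|all)$", cmd)
        if mode:
            current.filter_mode = mode.group(1)
        elif cmd.startswith("packet-filter "):
            # Any other packet-filter form: numbered, named, ipv6 ...
            current.filters.append(cmd[len("packet-filter "):])
    return interfaces


def find_intra_vlan_filtering(config_text):
    """Names of Vlan-interfaces whose ACL also applies to switched intra-VLAN traffic."""
    return sorted(
        name
        for name, vi in parse_vlan_interfaces(config_text).items()
        if vi.filters and vi.filter_mode == "all"
    )


def remediation_commands(config_text):
    """CLI lines that switch each affected interface to routed-only filtering."""
    cmds = []
    for name in find_intra_vlan_filtering(config_text):
        cmds += [f"interface {name}", " packet-filter filter route", "quit"]
    return cmds


if __name__ == "__main__":
    for name in find_intra_vlan_filtering(SAMPLE_CONFIG):
        print(f"{name}: ACL filters switched traffic inside the VLAN (default mode 'all')")
    print("\n".join(remediation_commands(SAMPLE_CONFIG)))
```

Run it against the output of "display current-configuration" saved to a file; only interfaces that actually carry a packet-filter are reported, because the filter mode is irrelevant without an ACL.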
This is not a Comware 7-only ‘feature’. In recent Comware 5 versions (e.g. 5820 R1809P02) this also applies!
Thanks, I was not aware of this change on Comware 5. Does it have the filter configuration option as well?
The filter option is available as well.
packet-filter filter [ route | all ]
Is this option for Comware 5? I don’t see it:
[H3C-Vlan-interfaceXX]packet-filter ?
INTEGER Apply basic acl
INTEGER Apply advanced acl
INTEGER Apply ethernet frame header acl
INTEGER Number of user-defined acl
ipv6 IPv6 ACL
name Specify a named acl
Check your firmware; you may need to update it (if you want the option). If you don’t see the option, the ACL does not apply to Layer 2 switched traffic.
Oh man I have been putting my head through a wall on this issue for the last 2 weeks. I would really like to thank the Developers for changing basic behaviors.