ACL Configuration Not Working

Created: Nov 27, 2018 22:29:32
Latest reply: Nov 30, 2018 08:24:26
Rewarded HiCoins: 0 (problem resolved)
This post was last edited by vin7 at 2018-11-28 03:41.

Hi

I'm looking to allow only my own IPs into the router to manage it remotely, but this configuration doesn't seem to be working.
When I apply an inbound ACL, the first one blocks all the outgoing traffic and the second one doesn't block anything at all.

1) The deny rule (rule 3) blocks all outgoing & incoming traffic

acl name InboundFilterBasic 2995
 description "filter incoming IPs only"
 rule 1 permit source 22.22.22.22 0
 rule 2 permit source 33.33.33.33 0
 rule 3 deny source any


2) The deny rule (rule 3) does not block any traffic at all.

acl name InboundFilterBasic 2995
 description "filter incoming IPs only"
 rule 1 permit source 22.22.22.22 0
 rule 2 permit source 33.33.33.33 0
 rule 3 deny source 0.0.0.0 0


How I apply this:

interface GigabitEthernet0/0/0
 ip address 23.45.67.89 255.255.255.252
 nat outbound 2000
 nat static enable
 traffic-filter inbound acl name InboundFilterBasic


 What could be missing here?

Featured Answers
No.9527
Created Nov 30, 2018 01:43:15

As per rule 3 deny source 0.0.0.0 0, the "0.0.0.0 0" means a host with IP address 0.0.0.0; that means you only deny the 0.0.0.0 host and permit others.
So "rule 3 deny source any" is correct; just configure it like this and it will be OK.
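To make the wildcard-mask point concrete, here is an added example (not from the thread or from Huawei) that evaluates the two ACLs from the original post against a few constructed inbound packets, using the wildcard semantics the answer describes: a 0 bit in the wildcard must match, a 1 bit is a do-not-care bit, `any` is 0.0.0.0 with an all-ones wildcard, the first matching rule wins, and a packet that matches no rule is forwarded (traffic-filter's behaviour for unmatched packets). The addresses 198.51.100.7 and 203.0.113.10 are documentation addresses standing in for an unknown scanner and a web server contacted from the NATed LAN; the packet labels are assumptions for illustration.

```python
"""Simulate Huawei-style basic ACL (2000-2999) evaluation with wildcard masks.

Added example for this thread; not vendor code. Sample packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

WORD = 0xFFFFFFFF


@dataclass(frozen=True)
class Rule:
    number: int
    action: str      # "permit" or "deny"
    source: int      # source address as a 32-bit integer
    wildcard: int    # wildcard mask: 0 bit = must match, 1 bit = do not care


def _addr(token: str) -> int:
    return int(ipaddress.IPv4Address(token))


def _wildcard(token: str) -> int:
    # VRP accepts the shorthand "0" for a host wildcard (0.0.0.0).
    return 0 if token == "0" else _addr(token)


def parse_rule(line: str) -> Rule:
    """Parse 'rule N permit|deny source <ip> <wildcard>' or '... source any'."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "rule" or tok[3] != "source":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    number, action = int(tok[1]), tok[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in: {line!r}")
    if tok[4] == "any":
        # 'any' is 0.0.0.0 with an all-ones wildcard: every bit is a do-not-care bit.
        return Rule(number, action, 0, WORD)
    return Rule(number, action, _addr(tok[4]), _wildcard(tok[5]))


def parse_acl(config: str) -> list[Rule]:
    """Collect the rule lines of one ACL block, ordered by rule number (config order)."""
    rules = [parse_rule(l.strip()) for l in config.splitlines() if l.strip().startswith("rule ")]
    return sorted(rules, key=lambda r: r.number)


def matches(rule: Rule, src: int) -> bool:
    care = ~rule.wildcard & WORD          # bits the rule insists on
    return (src & care) == (rule.source & care)


def evaluate(rules: list[Rule], src_ip: str) -> tuple[str, Optional[int]]:
    """First matching rule wins; a packet matching no rule is forwarded (rule None)."""
    src = _addr(src_ip)
    for rule in rules:
        if matches(rule, src):
            return rule.action, rule.number
    return "permit", None


# The two ACLs from the original post (rule 3 differs).
ACL_DENY_ANY = """\
acl name InboundFilterBasic 2995
 rule 1 permit source 22.22.22.22 0
 rule 2 permit source 33.33.33.33 0
 rule 3 deny source any
"""

ACL_DENY_HOST_ZERO = """\
acl name InboundFilterBasic 2995
 rule 1 permit source 22.22.22.22 0
 rule 2 permit source 33.33.33.33 0
 rule 3 deny source 0.0.0.0 0
"""

# Constructed packets arriving inbound on GigabitEthernet0/0/0 (23.45.67.89).
INBOUND_PACKETS = {
    "admin ssh from 22.22.22.22": "22.22.22.22",
    "ssh attempt from unknown 198.51.100.7": "198.51.100.7",
    "https reply from 203.0.113.10 to a NATed LAN session": "203.0.113.10",
}


def filter_inbound(config: str, packets=INBOUND_PACKETS) -> dict[str, str]:
    """Return the verdict for each packet, e.g. 'deny (rule 3)' or 'permit' (no rule hit)."""
    rules = parse_acl(config)
    verdicts = {}
    for label, src in packets.items():
        action, number = evaluate(rules, src)
        verdicts[label] = action if number is None else f"{action} (rule {number})"
    return verdicts


if __name__ == "__main__":
    for name, cfg in (("deny source any", ACL_DENY_ANY), ("deny source 0.0.0.0 0", ACL_DENY_HOST_ZERO)):
        print(f"--- rule 3 = {name}")
        for label, verdict in filter_inbound(cfg).items():
            print(f"{verdict:16} {label}")
```

With `deny source 0.0.0.0 0`, rule 3 only ever matches a packet whose source is exactly 0.0.0.0, so the scanner's packet hits no rule and is forwarded; that is why the second ACL appeared to block nothing. With `deny source any`, the same run also shows why the first ACL looked like it blocked outgoing traffic: a stateless inbound filter on the outside interface evaluates the reply packets of sessions the LAN hosts opened through `nat outbound`, and their source is the remote server, not one of the permitted management addresses, so rule 3 drops them. If the goal is only to restrict who may log in, the usual place for this ACL on VRP is the VTY lines (`user-interface vty 0 4` then `acl 2995 inbound`) rather than a `traffic-filter` on the WAN interface; that is a practitioner's note, not something stated in the thread.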

All Answers
rociot Created Nov 27, 2018 23:20:36

Hi friend, I think that you need to review your commands.

This is an example; you need to apply the ACL to the interface using just the ACL number.
You can try it.

<Huawei> system-view
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] traffic-filter inbound acl 3000

You can review following link:

http://support.huawei.com/hedex/hdx.do?lib=EDOC1100021773AEH05261&docid=EDOC1100021773&lang=en&v=01&tocLib=EDOC1100021773AEH05261&tocV=01&id=traffic-filter_interface_view.xml&tocURL=resources%2fdc%2ftraffic%2dfilter%5finterface%5fview%2ehtml&p=t&fe=1&ui=3&keyword=filter&keyword=inbound&keyword=acl&keyword=traffic&text=%25253Cb%25253Etraffic%25253C%25252Fb%25253E-%25253Cb%25253Efilter%25253C%25252Fb%25253E%252B%252528interface%252Bview%252529

Let me know if it works. :)

vin7 Created Nov 27, 2018 23:41:00

Hello Rociot,

I used this line under the interface:
traffic-filter inbound acl 2995

It didn't work.

chenhui Admin Created Nov 28, 2018 00:47:11

@vin7 Hello sir, rule 3 deny 0.0.0.0 0 in the second ACL means block a specific host with source IP address 0.0.0.0; I don't think you have a host with that IP address. I'm not sure what you want to block through rule 3 in the second ACL.

vin7 Created Nov 28, 2018 00:54:39

Hi @cWX611640

What I am looking for is to allow only my own 2 IPs to manage my router remotely. All other IPs should be blocked from getting to the router. Have you got a working example for me if I have done it wrong?


chenhui Admin Created Nov 30, 2018 08:24:26

@vin7 From your description and configuration, it seems fine. If it still doesn't work, please provide more information about your topology; more related information will help in resolving the problem. [image attachment: ACL Configuration Not Working-2812127-1]
