
ACL for denying host from different subnet to access router

Created: Jun 18, 2021 13:58:05  Latest reply: Aug 14, 2021 16:23:14
Rewarded HiCoins: 2 (problem resolved)

I have 2 routers as shown in the figure. A host (10.1.1.20) connected on R1 should not be able to access R2. For this, I'm configuring an ACL on R2 to deny traffic from host 10.1.1.20, but the host is still able to ping R2. When I configure the ACL on R1 to deny traffic from 10.1.1.20 to 10.1.3.2, it works fine.


[Figure: network topology diagram, host 10.1.1.20 - R1 - R2]


Featured Answers

Recommended answer

Popeye_Wang (Admin) Created Jun 21, 2021 01:18:58

Posted by Popeye_Wang at 2021-06-18 13:58: Hello, Can you share the policy configuration on R2? Please note the source or destination addres ...

I think your configuration is correct, so I tested it with eNSP, and the results are right as follows:

[AR2]dis cu
[V200R003C00]
#
 sysname AR2
#
acl number 3001
 rule 5 deny ip source 10.1.1.20 0 destination 10.1.3.2 0
#
traffic classifier denyip operator or
 if-match acl 3001
#
traffic behavior denyip
#
traffic policy denyip
 classifier denyip behavior denyip
#
interface GigabitEthernet0/0/0
 ip address 10.1.3.2 255.255.255.0
 traffic-policy denyip inbound
 ospf enable 1 area 0.0.0.0
#
ospf 1
 area 0.0.0.0
#

So I suspect that the cause of the problem may be something else, such as the device model not supporting this feature, or some other configuration being wrong.

Please feel free to comment back to us if there is any progress.


All Answers

Hello,

Can you share the policy configuration on R2?  Please note the source or destination  address in the acl and the direction of the traffic policy.


amol342 Created Jun 19, 2021 12:16:02
Please see below the config done on R2:

acl number 3001
 rule 5 deny ip source 10.1.1.20 0 destination 10.1.3.2 0
#
traffic classifier denyip operator or
 if-match acl 3001
#
traffic behavior denyip
#
traffic policy denyip
 classifier denyip behavior denyip
#
interface Ethernet0/0/1
 ip address 10.1.3.2 255.255.255.0
 traffic-policy denyip inbound
Hi,
Please check whether the ACL has been applied to the interface on R1 in the inbound direction.

Hope it will be helpful.

amol342 Created Jun 19, 2021 12:17:29
Can't I configure the ACL on R2 only to do this? I don't want to make any changes on R1.
BAZ (MVE Author) Created Jun 18, 2021 16:35:00

It is always suggested to apply the ACL as close as possible to the host interface.
Meanwhile, you can share the configuration script for better guidance.

Look, apply the ACL on both interfaces of router 1.

BAZ (MVE Author) Created Jun 19, 2021 12:31:40

First, you should apply the ACL on R1 (near the host, the suggested one), and it should be outbound.

It will solve your issue. @amol342

#
# Create advanced ACL 3001 and configure a rule that matches packets from the host to R2.
# (A basic ACL in the 2000-2999 range matches on source only; the "destination"
# keyword needs an advanced ACL numbered 3000-3999.)
#
acl number 3001
 rule 5 deny ip source 10.1.1.20 0 destination 10.1.3.2 0
#
# Configure the traffic classifier to classify packets that match ACL 3001.
#
traffic classifier denyip operator or precedence 5
 if-match acl 3001
#
# Configure the traffic behavior to reject packets.
#
traffic behavior denyip
 deny
#
# Define the traffic policy and associate the traffic classifier and traffic behavior with the traffic policy.
#
traffic policy denyip
 classifier denyip behavior denyip
#
# Apply the traffic policy to the interface facing R2 in the outbound direction;
# packets from internal hosts that do not match the ACL are still forwarded.
#
interface Ethernetx/x/x
 ip address 10.1.3.1 255.255.255.0
 traffic-policy denyip outbound
#

# Verify the configuration.
# Check the configuration of the ACL rules, classifier and policy.
display acl 3001
display traffic classifier user-defined
display traffic policy user-defined denyip


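An added check for this thread (example code, not from any of the posts and not Huawei's): the R2 configuration posted by amol342 and BAZ's configuration differ in one line, the `deny` under `traffic behavior`. Huawei documents the default packet-filtering action of a traffic behavior as permit, so a classifier that matches the ACL but is bound to an empty behavior leaves the matched packets forwarded. The Python script below parses `display current-configuration` style output (sections separated by `#`) and reports any traffic policy whose classifier references an ACL containing deny rules while the bound behavior has no `deny` action, together with the interfaces and direction where that policy is applied. Both sample configurations are constructed from the thread: `R2_AS_POSTED` reproduces the posted R2 config and `R2_FIXED` is the same with `deny` added. The parser is an assumption about the layout and is limited to the commands used in the thread; it is not a full VRP parser.

```python
"""Audit Huawei VRP traffic-policy configuration for deny-intent ACLs that are
bound to a traffic behavior with no 'deny' action.

Added example for this thread, not code from the posts or from Huawei.
Assumes 'display current-configuration' layout: sections separated by '#',
and the command names used in the thread (acl, traffic classifier,
traffic behavior, traffic policy, interface, if-match acl, traffic-policy).
"""
import re

# Constructed sample 1: the R2 configuration as posted in the thread.
R2_AS_POSTED = """\
acl number 3001
 rule 5 deny ip source 10.1.1.20 0 destination 10.1.3.2 0
#
traffic classifier denyip operator or
 if-match acl 3001
#
traffic behavior denyip
#
traffic policy denyip
 classifier denyip behavior denyip
#
interface Ethernet0/0/1
 ip address 10.1.3.2 255.255.255.0
 traffic-policy denyip inbound
#
"""

# Constructed sample 2: the same configuration with the drop action added
# under the traffic behavior (the line BAZ's configuration includes).
R2_FIXED = R2_AS_POSTED.replace(
    "traffic behavior denyip\n#", "traffic behavior denyip\n deny\n#")


def parse_sections(config):
    """Split VRP config text into (header_line, [body lines]) blocks."""
    sections = []
    for block in config.split("\n#"):
        lines = [l.strip() for l in block.strip().splitlines() if l.strip()]
        if lines:
            sections.append((lines[0], lines[1:]))
    return sections


def audit_policies(config):
    """Return a list of finding strings; an empty list means nothing to report."""
    acls, classifiers, behaviors, policies, applied = {}, {}, {}, {}, {}
    for header, body in parse_sections(config):
        words = header.split()
        if header.startswith("acl "):
            acls[words[-1]] = body                    # "acl number 3001" -> "3001"
        elif header.startswith("traffic classifier "):
            classifiers[words[2]] = body
        elif header.startswith("traffic behavior "):
            behaviors[words[2]] = body                # actions such as "deny"
        elif header.startswith("traffic policy "):
            policies[words[2]] = body                 # classifier/behavior bindings
        elif header.startswith("interface "):
            for line in body:                         # where each policy is applied
                m = re.match(r"traffic-policy (\S+) (inbound|outbound)", line)
                if m:
                    applied.setdefault(m.group(1), []).append(
                        f"{words[1]} {m.group(2)}")

    findings = []
    for pname, body in policies.items():
        for line in body:
            m = re.match(r"classifier (\S+) behavior (\S+)", line)
            if not m:
                continue
            cname, bname = m.groups()
            acl_ids = [l.split()[-1] for l in classifiers.get(cname, [])
                       if l.startswith("if-match acl ")]
            # Deny intent: at least one referenced ACL carries a deny rule.
            deny_intent = any(r.startswith("rule ") and " deny " in f" {r} "
                              for a in acl_ids for r in acls.get(a, []))
            if deny_intent and "deny" not in behaviors.get(bname, []):
                where = ", ".join(applied.get(pname, [])) or "not applied"
                findings.append(
                    f"policy {pname}: classifier {cname} matches deny rules in "
                    f"ACL {'/'.join(acl_ids)} but behavior {bname} has no "
                    f"'deny' action, so matching packets are permitted "
                    f"(applied: {where})")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", R2_AS_POSTED), ("with deny", R2_FIXED)):
        print(f"== {label} ==")
        print("\n".join(audit_policies(cfg)) or "no findings")
```

Run it against a saved `display current-configuration`; the posted R2 config produces one finding naming `Ethernet0/0/1 inbound`, while the variant with `deny` under the behavior produces none.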


andersoncf1 (MVE Author) Created Aug 14, 2021 16:23:14

Good answer! Congrats!
