Block Ports using ACL in Forward Chain to filter forwarding traffic via Huawei L3 Switch

Created: Mar 3, 2019 23:50:14 | Latest reply: Mar 11, 2019 01:38:26
  Rewarded Hi-coins: 0 (problem resolved)

Hi, following is my network topology: ISP 1 -> HUAWEI L3 (BGP) -> HUAWEI-L3 (DISTRIBUTION-SWITCH) -> CUSTOMERS

I want to block all customers trying to access port 81 towards arbitrary servers running in the Internet.

How do I do that? I have done the following:

---------
acl name ALLOW_PORT 3998
 rule 1 permit ip source 100.64.1.5 0
acl name BLOCK_PORT 3999
 rule 5 deny tcp source-port eq 81
#
traffic classifier tc1 operator and
 if-match acl BLOCK_PORT
traffic classifier tc2 operator and
 if-match acl ALLOW_PORT
#
traffic behavior tb1
 deny
traffic behavior tb2
 permit
#
traffic policy tp1 match-order config
 classifier tc2 behavior tb2
 classifier tc1 behavior tb1
-----------
interface GigabitEthernet0/0/2
 description "WAN-ISP1"
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 traffic-policy tp1 outbound


This is not working. What am I doing wrong? What is the equivalent of the iptables FORWARD chain on Huawei?


Featured Answers
chenhui Admin Created Mar 5, 2019 01:39:17 Helpful(0) Helpful(0)

@curious.apprentice
Please modify the acl BLOCK_PORT 3999 to deny DESTINATION-PORT eq 81 rather than SOURCE-PORT eq 81 if you want to block users from accessing the server on port 81.
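As an added illustration (not code from this thread or from Huawei), here is a small Python model of how a traffic policy with match-order config is evaluated against a few constructed packets leaving the WAN interface. It shows that the posted source-port rule never matches a customer's outgoing request to port 81 (the request carries an ephemeral source port; 81 is its destination), while the destination-port rule from the answer does, and that the permit classifier for 100.64.1.5 still wins because it is listed first. The model assumes a classifier matches whenever the ACL rule's fields match and ignores platform-specific handling of deny rules inside classifiers.

```python
# Added example (not from the thread or from Huawei): a minimal model of how a
# traffic policy with "match-order config" evaluates one packet. It shows why
# "deny tcp source-port eq 81" never matches a customer's outgoing request to
# port 81 while "deny tcp destination-port eq 81" does. Packet values and the
# policy representation are constructed for illustration only.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int


def acl_matches(rule: dict, pkt: Packet) -> bool:
    """One ACL rule: every field named in the rule must match the packet."""
    checks = {
        "source": lambda v: pkt.src_ip == v,
        "protocol": lambda v: pkt.proto == v,
        "source-port": lambda v: pkt.src_port == v,
        "destination-port": lambda v: pkt.dst_port == v,
    }
    return all(checks[k](v) for k, v in rule.items())


def apply_policy(policy: list, pkt: Packet) -> str:
    """match-order config: classifiers are tried in configured order, first hit wins."""
    for rule, behavior in policy:
        if acl_matches(rule, pkt):
            return behavior
    return "permit"  # traffic matching no classifier is forwarded unchanged


ALLOW_PORT = {"source": "100.64.1.5"}  # acl 3998: permit ip source 100.64.1.5 0
# As posted in the question: matches replies *from* port 81, not requests *to* it.
POSTED_POLICY = [(ALLOW_PORT, "permit"), ({"protocol": "tcp", "source-port": 81}, "deny")]
# As advised in the accepted answer.
FIXED_POLICY = [(ALLOW_PORT, "permit"), ({"protocol": "tcp", "destination-port": 81}, "deny")]

# Constructed sample packets leaving GigabitEthernet0/0/2 towards the ISP.
customer_to_81 = Packet("100.64.2.10", "198.51.100.7", "tcp", 51234, 81)
customer_to_443 = Packet("100.64.2.10", "198.51.100.7", "tcp", 51235, 443)
allowed_host_to_81 = Packet("100.64.1.5", "198.51.100.7", "tcp", 40000, 81)

if __name__ == "__main__":
    for name, pol in (("posted", POSTED_POLICY), ("fixed", FIXED_POLICY)):
        print(name, [apply_policy(pol, p) for p in (customer_to_81, customer_to_443, allowed_host_to_81)])
```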

All Answers
chenhui Admin Created Mar 4, 2019 01:19:02 Helpful(0) Helpful(0)


chenhui Admin Created Mar 4, 2019 02:41:35 Helpful(0) Helpful(0)

@curious.apprentice Hi,
The first rule in the traffic policy enables the source 100.64.1.5 to access port 81.
Which interface is g0/0/2 in your topology?



curious.apprentice Created Mar 7, 2019 04:38:27 Helpful(0) Helpful(0)

Posted by chenhui at 2019-03-05 01:39 @curious.apprentice please modify the acl BLOCK_PORT 3999 to deny DESTINATION-PORT eq 81, rather tha ...
Thanks. Will do that. The source IP is the only IP from which access to port 81 on any server should pass.


chenhui Admin Created Mar 11, 2019 01:38:26 Helpful(0) Helpful(0)

Posted by curious.apprentice at 2019-03-07 04:38 Thanks. Will do that. The source IP is the only IP from where the access to port 81 against any se ...
Hope it works.