Got it
Huawei Enterprise Support Community
Community Forums Routing & Switching
Block Ports using ACL in ...

Block Ports using ACL in Forward Chain to filter forwarding traffic via Huawei L3 Switch

Created: Mar 3, 2019 23:50:14Latest reply: Mar 11, 2019 01:38:26 693 5 0 0 0
  Rewarded HiCoins: 0 (problem resolved)
View the author 1#

Hi, following is my network topology: ISP 1-> HUAWEI L3 (BGP)-> HUAWEI-L3 (DISTRIBUTION-SWITCH)->CUSTOMERS


I want to block all customers trying to access port 81 towards arbitary servers running in the Internet.


How do I do that? I have done the following:

---------

acl name ALLOW_PORT 3998

 rule 1 permit ip source 100.64.1.5 0

acl name BLOCK_PORT 3999

 rule 5 deny tcp source-port eq 81

#

traffic classifier tc1 operator and

 if-match acl BLOCK_PORT

traffic classifier tc2 operator and

 if-match acl ALLOW_PORT

#

traffic behavior tb1

 deny

traffic behavior tb2

 permit

#

traffic policy tp1 match-order config

 classifier tc2 behavior tb2

 classifier tc1 behavior tb1

-----------

interface GigabitEthernet0/0/2

 description "WAN-ISP1"

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

 traffic-policy tp1 outbound



This is not working. What Im doing wrong? What is equivant of Forward chain in IPtables comparison to Huawei?



ACLtraffic policyTraffic ClasiffierTraffic managementtraffic behavior

Like (0) Dislike (0) Favorite(0) Share Report
Previous: BGP Maximum load-balance
Next: Does eNSP V100R003 support only 6 CX600's?
Featured Answers

Recommended answer

(0) (0)
chenhui
Admin Created Mar 5, 2019 01:39:17

@curious.apprentice
please modify the acl BLOCK_PORT 3999 to deny DESTINATION-PORT eq 81, rather than SOURCE-PORT eq 81 if you want to block users to access the server with port 81.
View more
  • x
  • convention:
All Answers
(0) (0)
2#
chenhui
chenhui Admin Created Mar 4, 2019 01:19:02

@curious.apprentice hi,
View more
  • x
  • convention:
(0) (0)
3#
chenhui
chenhui Admin Created Mar 4, 2019 02:41:35

@curious.apprentice hi, 
the first rule in the traffic policy enables the source 100.64.1.5 to access the port 81.
which interface is the g0/0/2 in your topology?
View more
  • x
  • convention:
(0) (0)
4#
chenhui
chenhui Admin Created Mar 5, 2019 01:39:17

@curious.apprentice
please modify the acl BLOCK_PORT 3999 to deny DESTINATION-PORT eq 81, rather than SOURCE-PORT eq 81 if you want to block users to access the server with port 81.
View more
  • x
  • convention:
(0) (0)
5#
curious.apprentice
curious.apprentice Created Mar 7, 2019 04:38:27

Posted by chenhui at 2019-03-05 01:39 @curious.apprentice please modify the acl BLOCK_PORT 3999 to deny DESTINATION-PORT eq 81, rather tha ...
Thanks. Will do that. The source IP is the only IP from where the access to port 81 against any server should pass.
View more
  • x
  • convention:
(0) (0)
6#
chenhui
chenhui Admin Created Mar 11, 2019 01:38:26

Posted by curious.apprentice at 2019-03-07 04:38 Thanks. Will do that. The source IP is the only IP from where the access to port 81 against any se ...
hope it works
View more
  • x
  • convention:
Back to list

Comment

Advanced
B Color Image Link Quote Code Smilies
You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy User Agreement Terms of Use Cookies Cookie Settings
Huawei Enterprise Huawei Carrier Forum Training & Certification

Contact Us: e_online@huawei.com Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

APP

Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.