Block UDP and TCP ports on NE20

Created: Aug 16, 2019 18:27:19 | Latest reply: Aug 19, 2019 23:51:02
  Rewarded Hi-coins: 0 (problem resolved)

Hello Everyone!


Is it possible to block TCP and UDP ports on the NE20?


I use the NE20 as a PPPoE BRAS, and I want to block our users from being used for recursive DNS. For this I need to block port 53 UDP and TCP with destination to our users.




All Answers
LuizPuppin (MVE) Created Aug 16, 2019 18:42:33 Helpful(1)


acl port-pool bloqueios_pppoe_in
eq 0
eq 22
eq 23
eq 25
eq 53
eq 80
eq 111
eq 123
eq 445
eq 1900
range 135 139

acl port-pool bloqueios_pppoe_out
eq 0
eq 19
eq 60
eq 111
eq 123
eq 369
eq 445
eq 1900
eq 8082
eq 9944
range 135 139
#

acl name bloqueios-pppoe-in advance
rule 5 permit tcp destination-port-pool bloqueios_pppoe_in
rule 10 permit udp destination-port-pool bloqueios_pppoe_in
#
acl name bloqueios-pppoe-out advance
rule 5 permit tcp destination-port-pool bloqueios_pppoe_out
rule 10 permit udp destination-port-pool bloqueios_pppoe_out
#

traffic classifier bloqueios-pppoe-in operator or
if-match acl name bloqueios-pppoe-in
#
traffic classifier bloqueios-pppoe-out operator or
if-match acl name bloqueios-pppoe-out
#
traffic behavior permit
#
traffic behavior deny
deny
#

traffic policy PPPOE-IN
share-mode
statistics enable
classifier bloqueios-pppoe-in behavior deny precedence 1
classifier restante behavior permit precedence 2
#
traffic policy PPPOE-OUT
share-mode
statistics enable
classifier bloqueios-pppoe-out behavior deny precedence 1
classifier restante behavior permit precedence 2
#

I have 20 years working in the telecom market. In all this time I have always worked on great projects. The biggest was the 2014 World Cup Command and Control Centre, where I was the Solution Architect and Implementation Manager of the Network and Security Solution. I have worked with Huawei's products for the ISP market since 2015, and in 2017 I started to present trainings customized to this market, focused on BGP and MPLS solutions. I have had more than 400 students and more than 100 ISPs in my classes in the last 18 months.
LuizPuppin (MVE) Created Aug 16, 2019 18:44:09 Helpful(1)

After that, you need to apply it on the UPLINK interface.

interface Eth-Trunk1.84
vlan-type dot1q 84
description UPLINK Internet
ipv6 enable
ip address 177.xxx.xxx.85 255.255.255.252
ipv6 address auto link-local
statistic enable
traffic-policy PPPOE-IN inbound
traffic-policy PPPOE-OUT outbound
gilberto_milhomem Created Aug 16, 2019 18:47:41 Helpful(0)

Thanks @LuizPuppin

Will these rules impact the NE20 CPU?

LuizPuppin (MVE) Created Aug 16, 2019 18:54:53 Helpful(1)

Posted by gilberto_milhomem at 2019-08-16 07:47: Thanks @LuizPuppin. Will these rules impact the NE20 CPU?
No, you won't observe any increase in CPU usage.
gilberto_milhomem Created Aug 19, 2019 13:27:15 Helpful(0)

@LuizPuppin

Today I added these rules on the NE20, and it worked perfectly.
When I was adding these rules, the system displayed an error:

[*BRAS-JABO-trafficpolicy-PPPOE-OUT]classifier restante behavior permit precedence 2
Error: Traffic classifier restante has not been configured.


Another question: is it possible to add an exception?
For example, to allow one PPPoE client to be a web server using port 80.

LuizPuppin (MVE) Created Aug 19, 2019 23:51:02 Helpful(0)

To add an exception you need to configure a new ACL, create another traffic classifier, and include it in the respective traffic policy with a lower precedence value.
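The exception described in the last answer, written out in the same configuration style as the earlier posts; this is an added example, not LuizPuppin's configuration. It assumes the web-server client keeps a fixed address (203.0.113.10 is a constructed value) and uses hypothetical ACL and classifier names; it also defines the "restante" catch-all classifier whose absence produced the error quoted above. Because PPPOE-IN is applied inbound on the uplink, the exception matches traffic arriving from the Internet toward the client on TCP/80, and the smaller precedence value makes it match before the deny classifier.

```text
acl name exception-web-in advance
 description Added example - hypothetical names, 203.0.113.10 is a constructed client address
 rule 5 permit tcp destination 203.0.113.10 0 destination-port eq 80
#
traffic classifier exception-web-in operator or
 if-match acl name exception-web-in
#
traffic classifier restante operator or
 if-match any
#
traffic policy PPPOE-IN
 share-mode
 statistics enable
 classifier exception-web-in behavior permit precedence 1
 classifier bloqueios-pppoe-in behavior deny precedence 2
 classifier restante behavior permit precedence 3
#
```

If the policy already holds bloqueios-pppoe-in at precedence 1, remove that entry with undo classifier bloqueios-pppoe-in before re-adding it at 2. Since statistics enable is set, display traffic policy statistics interface Eth-Trunk1.84 inbound shows whether the exception and the deny classifier are actually matching traffic.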