Firewall ACL rules (allow only IP range)

Created: Jul 17, 2019 19:24:00 | Latest reply: Aug 1, 2019 01:13:21
Rewarded Hi-coins: 0 (problem resolved)

Hi,


I would like to know how you create a firewall rule using ACLs on the Huawei NE05E series routers.

Goal: block all traffic to a specific subnet/interface and only allow incoming traffic from a specific IP subnet.


For example, my public IP is 1.1.1.1


I have an interface on router Vlanif 10 configured with

ip address 10.0.0.1 255.255.255.0


What I am looking for is an easy way of firewalling this subnet so that only my IP 1.1.1.1 is allowed access and all other source traffic is blocked.


Thanks.




All Answers
wissal MVE Created Jul 17, 2019 20:08:35 Helpful(0)

Hi,
To resolve your issue please find below the solution:

A filtering policy of a routing protocol is used to filter routes.

ip route-static 1.1.1.0 255.255.255.0 NULL0
ip route-static 192.168.2.0 255.255.255.0 NULL0  
ip route-static 192.168.2.100 255.255.255.255 NULL0 
bgp 1
 peer 10.1.1.2 as-number 1 
 ipv4-family unicast 
  undo synchronization 
  filter-policy 2001 export 
  import-route static  
peer 10.1.1.2 enable 
acl number 2001
 rule 5 permit source 192.168.2.100 0 
 rule 10 deny source 1.1.1.0 0.0.0.255 

Matching result: Routes from the network segments 1.1.1.0 and 192.168.2.0 are filtered out, whereas the route 192.168.2.100 is permitted.

NOTE:
  • Routes from the network segments 1.1.1.0 are filtered out, because the action defined in the ACL rule that the routes match is deny.
  • Routes from the network segment 192.168.2.0 do not match any specified ACL rules. By default, the device matches the routes with the last ACL rule. The action defined in the last ACL rule is deny, and therefore the routes are filtered out.
  • The route 192.168.2.100 is permitted, because the action defined in the ACL rule that the route matches is permit and the action defined in the filtering policy is export.

Thanks

Telecommunications Engineer, currently senior project manager of the radio access network and partner of Huawei de Tunisia.
IbrYsf Created Jul 17, 2019 22:03:33 Helpful(0)

After ensuring connectivity:


acl number 2001 #create a basic ACL
rule permit source 1.1.1.1 0
rule deny any
quit

int gig 0/1
acl 2001 inbound #apply on the interface that will receive 1.1.1.1 traffic



https://support.huawei.com/enterprise/en/doc/EDOC1000074926?currentPartNo=j00a&togo=content

Check out 7.5.2 Configuring a Basic ACL

chenhui Admin Created Jul 18, 2019 00:53:20 Helpful(0)

@Oyster Hi,
please follow the steps below:

1. create ACL
acl 2000
rule 5 permit source 1.1.1.1 0
rule 10 deny

2. apply the traffic-filter to block the traffic
interface vlanif 10
traffic-filter inbound acl 2000



Oyster Created Jul 18, 2019 07:36:55 Helpful(0)

Thanks for the replies, but none of your suggestions is working.

@wissal, not looking for bgp filter policies, thanks anyway.

@chenhui and @IbrYsf: Unfortunately there is no acl or traffic-filter command in the interface view; there is a similar but more complicated command called traffic-policy, and it is only available under physical interfaces, not for Vlanif.

Is this a version problem? I am using version V300R003C10SPC500.

Oyster Created Jul 18, 2019 08:35:07 Helpful(0)

Tested this config:

-------
#
acl number 2001
rule 5 permit source 1.1.1.1 0
rule 10 deny

#
traffic classifier admin-only operator and
if-match acl 2001
#
traffic behavior admin-only
deny
#
traffic policy admin-only
classifier admin-only behavior admin-only
#
interface GigabitEthernet0/2/23
portswitch
undo shutdown
port default vlan 11
port trunk allow-pass vlan 1 to 4094
undo dcn
traffic-policy admin-only inbound vlan 10
----------------

It doesn't work as expected; it blocks all traffic to VLAN 10.

chenhui Admin Created Jul 18, 2019 10:14:08 Helpful(1)

Posted by Oyster at 2019-07-18 08:35 tested this config:-------#acl number 2001 rule 5 permit source 1.1.1.1 0 rule 10 deny#traffic class ...
Sorry for missing the router model.
NE05E doesn't support the traffic-filter command, and the acl inbound command is only supported in the user-interface view.
And the traffic-policy cannot be configured on the Vlanif interface.
You configured the traffic policy to block the traffic from host 1.1.1.1;
please modify the traffic policy as below:

acl 2001
rule 5 permit source 1.1.1.1 0

traffic classifier admin-only
if-match acl 2001

traffic behavior admin-only
permit

traffic classifier block_other

traffic behavior block_other
deny

traffic policy admin-only
classifier admin-only behavior admin-only
classifier block_other behavior block_other

Oyster Created Jul 18, 2019 11:35:33 Helpful(0)

Posted by chenhui at 2019-07-18 10:14 Sorry for missing the router model.NE05E doesn't support command traffic-filter, and the acl inbou ...
Unfortunately this doesn't work either.

Firewalling is too complicated with this router...
Is it not possible to apply a firewall rule to a Vlanif?

chenhui Admin Created Jul 19, 2019 02:47:16 Helpful(0)

Posted by Oyster at 2019-07-18 11:35 Unfortunately this doesn't work either.Firewalling is too complicated with this router...Not possi ...
Sorry, I missed the deny rule under acl 2001.
Please add a new rule in acl 2001:
rule 10 deny

and make sure you apply this traffic policy in the inbound direction.

And I confirmed with R&D yesterday: the traffic policy can only be applied on a physical interface, and it cannot be configured through a port group.
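As an added illustration (not code from the thread, and not Huawei's implementation): a small Python simulator of how a basic ACL such as acl 2001 decides on a packet's source address, using the wildcard-mask and first-match semantics the answers above rely on. It assumes that rules are evaluated in ascending rule-number order, that a rule written without a source (the `rule 10 deny` line) matches any address, and that a packet matching no rule falls through to whatever default action the platform applies when filtering, which the code takes as an explicit parameter rather than guessing a device default. The class and function names (`Acl`, `traffic_filter`) are mine; the `0` shorthand for a host wildcard is the CLI form used in the posts.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


def _to_int(addr: str) -> int:
    """Parse a dotted quad; accept the CLI shorthand '0' for the host wildcard 0.0.0.0."""
    if addr == "0":
        addr = "0.0.0.0"
    return int(ipaddress.IPv4Address(addr))


def matches_wildcard(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask compare: a 0 bit in the wildcard must match exactly, a 1 bit is ignored."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


@dataclass
class AclRule:
    number: int
    action: str                   # "permit" or "deny"
    source: Optional[str] = None  # None models 'rule N deny' with no source: matches any address
    wildcard: str = "0"


@dataclass
class Acl:
    """Hypothetical model of a basic ACL; mirrors 'rule <n> permit|deny [source <addr> <wildcard>]'."""
    number: int
    rules: List[AclRule] = field(default_factory=list)

    def rule(self, number: int, action: str, source: Optional[str] = None,
             wildcard: str = "0") -> "Acl":
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        self.rules.append(AclRule(number, action, source, wildcard))
        return self  # allow chaining, like typing the rules one after another

    def lookup(self, src: str) -> Optional[str]:
        """The first matching rule (ascending rule number) decides; None when nothing matches."""
        for r in sorted(self.rules, key=lambda r: r.number):
            if r.source is None or matches_wildcard(src, r.source, r.wildcard):
                return r.action
        return None


def traffic_filter(acl: Acl, src: str, default_action: str) -> str:
    """Packet-filter decision for one source address. default_action is what the
    platform applies when no rule matches (assumption: supplied by the caller)."""
    decision = acl.lookup(src)
    return decision if decision is not None else default_action


# The ACL from the answer above: only 1.1.1.1 is permitted, everything else is denied.
ACL_2001 = Acl(2001).rule(5, "permit", "1.1.1.1", "0").rule(10, "deny")

# The same ACL with the final deny missing: non-matching sources fall through
# to the default action, which is why the deny rule matters.
ACL_2001_NO_DENY = Acl(2001).rule(5, "permit", "1.1.1.1", "0")

# wissal's route-filter ACL, reused here only to show a subnet wildcard (0.0.0.255).
ACL_ROUTES = (Acl(2001)
              .rule(5, "permit", "192.168.2.100", "0")
              .rule(10, "deny", "1.1.1.0", "0.0.0.255"))


def decisions(acl: Acl, sources: List[str], default_action: str) -> dict:
    """Decide a batch of constructed sample source addresses against one ACL."""
    return {s: traffic_filter(acl, s, default_action) for s in sources}


if __name__ == "__main__":
    samples = ["1.1.1.1", "1.1.1.2", "10.0.0.50"]  # constructed sample sources
    print("acl 2001 with deny:   ", decisions(ACL_2001, samples, "permit"))
    print("acl 2001 without deny:", decisions(ACL_2001_NO_DENY, samples, "permit"))
    print("subnet wildcard:      ", decisions(ACL_ROUTES, ["1.1.1.77", "192.168.2.100", "192.168.2.1"], "permit"))
```

Running it shows the two ACLs agreeing on 1.1.1.1 and disagreeing on every other source once the final deny is missing, which is the behaviour the "I missed the deny rule" correction is about; the third line shows `0.0.0.255` covering the whole /24 while `0` matches a single host.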

Oyster Created Jul 23, 2019 11:50:57 Helpful(0)

@chenhui

I'm unable to get it to work despite testing a few different configurations.
This is my current config:

===

#
acl number 2001
rule 5 permit source X.X.X.X 0
rule 10 deny
#
acl name admin-only advance
rule 5 permit ip source X.X.X.X 0
rule 10 deny ip
#
traffic classifier admin_only operator or
if-match acl 2001
#
traffic classifier block_other operator or
#
traffic behavior admin_only
#
traffic behavior block_other
deny
#
traffic policy admin_only
classifier admin_only behavior admin_only
classifier block_other behavior block_other
#


#
interface GigabitEthernet0/2/10
portswitch
undo shutdown
port default vlan 10
port trunk allow-pass vlan 1 to 4094
undo dcn
traffic-policy admin_only inbound vlan 10


Using this config, all traffic is blocked under that port VLAN.

Hope the R&D team can work out a better and simpler solution for this basic security...