One-way Inter-VLAN traffic

Created: Feb 23, 2021 07:48:53 | Latest reply: Feb 23, 2021 19:55:57
  HiCoins as reward: 1 (problem unresolved)

We have two separate VLANs, namely 100 and 200, set up in a S5720 switch. We want to set up a path from VLAN 200 to VLAN 100, such that a computer client on VLAN 200 can access the server on VLAN 100 but not vice versa. How can we achieve this?

Featured Answers
DDSN
DDSN (Admin) Created Feb 23, 2021 08:56:22

Hi milanpwc,
You can try to perform TCP unidirectional access. You can perform the following configurations:
Users on the 192.168.1.0/24 network segment can proactively access users on the 192.168.2.0/24 network segment, but users on the 192.168.2.0/24 network segment cannot proactively access 192.168.1.0/24.
acl 3000
rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag established
rule deny tcp source 192.168.2.0 0.0.0.255
traffic-filter vlan 10 inbound acl 3000 //Apply the traffic-filter vlan 10 inbound acl 3000 to a VLAN or an interface.
milanpwc
milanpwc Created Feb 24, 2021 06:24:48
For icmp and udp, do I need to create separate rules for each?  
DDSN
DDSN Reply to milanpwc, Created Feb 25, 2021 12:09:47
No. You only need to configure the preceding commands.  
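To make the quoted rule set concrete, here is an added Python model (my own illustration, not Huawei code and not part of the thread) that parses the two `rule` lines from the answer above and applies them, first match wins, to constructed sample packets entering the switch from the 192.168.2.0/24 side. Assumptions, labelled in the code: an unmatched packet is permitted (the traffic-filter default), `tcp-flag established` matches a segment with ACK or RST set, and wildcard masks are contiguous. A second rule set, `TIGHTER_ACL`, is my own construction that adds a `rule deny ip ... destination ...` line so the model can show how the verdict for non-TCP traffic changes; it is not something the thread recommends.

```python
"""Model of first-match evaluation for the ACL rules quoted in the answer.

Added illustration only: a small subset of Huawei VRP advanced-ACL syntax is
parsed and applied to constructed packets. Assumptions: first matching rule
wins, packets matching no rule are permitted (traffic-filter default),
"tcp-flag established" means ACK or RST set, wildcard masks are contiguous.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# The two rules as posted in the answer (VLAN binding line omitted).
ACL_TEXT = """
rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag established
rule deny tcp source 192.168.2.0 0.0.0.255
"""

# Constructed variant (not from the thread): also deny every other IP
# protocol from the server segment towards the client segment.
TIGHTER_ACL = """
rule permit tcp source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 tcp-flag established
rule deny ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
"""

RULE_RE = re.compile(
    r"rule(?:\s+\d+)?\s+(permit|deny)\s+(tcp|udp|icmp|ip)"
    r"(?:\s+source\s+(\S+)\s+(\S+))?"
    r"(?:\s+destination\s+(\S+)\s+(\S+))?"
    r"(?:\s+tcp-flag\s+(\S+))?\s*$"
)


@dataclass
class Rule:
    action: str                                  # "permit" or "deny"
    proto: str                                   # tcp / udp / icmp / ip
    src_net: Optional[ipaddress.IPv4Network] = None
    dst_net: Optional[ipaddress.IPv4Network] = None
    established: bool = False                    # tcp-flag established


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    flags: Set[str] = field(default_factory=set)  # TCP flags, e.g. {"SYN"}


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert a VRP wildcard (0 bits = must match) into a prefix."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_acl(text: str) -> List[Rule]:
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        action, proto, sa, sw, da, dw, flag = m.groups()
        rules.append(Rule(
            action=action, proto=proto,
            src_net=wildcard_to_network(sa, sw) if sa else None,
            dst_net=wildcard_to_network(da, dw) if da else None,
            established=(flag == "established"),
        ))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src_net and ipaddress.IPv4Address(pkt.src) not in rule.src_net:
        return False
    if rule.dst_net and ipaddress.IPv4Address(pkt.dst) not in rule.dst_net:
        return False
    if rule.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; unmatched traffic is permitted (assumption)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "permit"


# Constructed packets sent by a host on 192.168.2.0/24 (the segment the ACL
# is applied inbound for) towards a host on 192.168.1.0/24.
SAMPLES: Dict[str, Packet] = {
    "reply inside a session the 192.168.1.x host opened": Packet("192.168.2.10", "192.168.1.20", "tcp", {"ACK", "PSH"}),
    "new TCP connection opened from 192.168.2.x":          Packet("192.168.2.10", "192.168.1.20", "tcp", {"SYN"}),
    "UDP datagram from 192.168.2.x":                       Packet("192.168.2.10", "192.168.1.20", "udp"),
    "ICMP echo from 192.168.2.x":                          Packet("192.168.2.10", "192.168.1.20", "icmp"),
}


def classify_samples(acl_text: str = ACL_TEXT) -> Dict[str, str]:
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, text in (("posted rules", ACL_TEXT), ("tighter variant", TIGHTER_ACL)):
        print(f"--- {label}")
        for name, verdict in classify_samples(text).items():
            print(f"{verdict:6}  {name}")
```

Running it shows the posted rules permitting the ACK reply, denying the SYN, and leaving the UDP and ICMP samples to the default verdict, while the tighter variant denies those as well. Because a switch ACL is stateless, the tighter variant also blocks legitimate UDP replies (a DNS answer from the server, for instance); genuine one-way UDP access needs a stateful filter, which a traffic-filter ACL cannot provide.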
All Answers
DDSN
DDSN (Admin) Created Feb 23, 2021 07:52:14

Hi milanpwc,
Please wait patiently. Our engineers are looking for answers to your questions.
BAZ
BAZ (MVE Author) Created Feb 23, 2021 08:10:52

You need to bind the ACL to either a port on the switch or to a VLAN interface. I would suggest binding it to the server VLAN.

Reflective ACL Configuration

https://support.huawei.com/enterprise/en/doc/EDOC1000069482?section=j005

@milanpwc
milanpwc
milanpwc Created Feb 24, 2021 05:57:58
Is reflective ACL supported in S5720? I cannot find the "traffic-reflect" command in system view. Using firmware version V200R010C00SPC600.  
Iyad
Iyad Created Feb 23, 2021 19:55:57

Hi milanpwc,

You can create an ACL.

S5700 V100R006C00 Configuration Guide

https://support.huawei.com/enterprise/en/doc/EDOC0100534394?section=j00d