Got it
Huawei Enterprise Support Community
Community Forums Routing & Switching
The ACL isolation policy ...

The ACL isolation policy configured for a VLAN does not take effect

Created: Apr 27, 2021 11:21:37Latest reply: Aug 14, 2021 18:41:03 239 3 1 0 0
  Rewarded HiCoins: 0 (problem resolved)
View the author 1#

Hi, community!


acl number 3000

 rule 10 permit ip source 172.18.0.0 0.0.0.255 destination 172.16.21.0 0.0.0.255

 rule 20 deny ip

#

traffic classifier xx type or

 if-match acl 3000

#

traffic behavior xx

 deny

#

traffic policy xx

 classifier xx behavior xx precedence 5


interface Vlanif1870

 ip address 172.18.0.254 255.255.255.0

 traffic-policy xx inbound 

It is required to realize that only the 172.16.21.0/24 network segment can access the 172.18.0.0/24 network segment, but after configuration, other network segments can still access 172.18.0.254? How to solve.

Thanks!

ACL

Like (1) Dislike (0) Favorite(0) Share Report
Previous: ARP entry
Next: ARP Gateway Anti-Collision
Featured Answers

Recommended answer

(0) (0)
jason_hu
Admin Created Apr 27, 2021 11:24:33

Hello friend,

The ping 172.18.0.254 is sent to the CPU for processing, and the traffic policy controls the packets at the forwarding level, and the sending to the CPU cannot be controlled.

So it is normal to be able to ping 172.18.0.254. You can test it with other terminals on this network segment.

In addition, there is a problem with the configuration. According to your needs, the traffic behavior should be permit. If the traffic behavior is deny, whether the ACL is permit or deny, it will be deny in the end.

Hope to help you!

View more
  • x
  • convention:

user_3982663
user_3982663 Created Apr 27, 2021 11:26:47 (0) (0)
Hi Jason,
Thanks for your answer!  
All Answers
(0) (0)
2#
jason_hu
jason_hu Admin Created Apr 27, 2021 11:24:33

Hello friend,

The ping 172.18.0.254 is sent to the CPU for processing, and the traffic policy controls the packets at the forwarding level, and the sending to the CPU cannot be controlled.

So it is normal to be able to ping 172.18.0.254. You can test it with other terminals on this network segment.

In addition, there is a problem with the configuration. According to your needs, the traffic behavior should be permit. If the traffic behavior is deny, whether the ACL is permit or deny, it will be deny in the end.

Hope to help you!

View more
  • x
  • convention:

user_3982663
user_3982663 Created Apr 27, 2021 11:26:47 (0) (0)
Hi Jason,
Thanks for your answer!  
(0) (0)
3#
andersoncf1
andersoncf1 MVE Author Created Aug 14, 2021 18:41:03

Good answer! Congrats The ACL isolation policy configured for a VLAN does not take effect-4086485-1
View more
  • x
  • convention:
Back to list

Comment

Advanced
B Color Image Link Quote Code Smilies
You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy User Agreement Terms of Use Cookies Cookie Settings
Huawei Enterprise Huawei Carrier Forum Training & Certification

Contact Us: e_online@huawei.com Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

APP

Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.