Traffic Filter on Cloud Engine 6881

Created: Apr 12, 2021 17:31:58 | Latest reply: Apr 15, 2021 17:17:31
HiCoins as reward: 0 (problem unresolved)
Hi,

Can anyone assist or advise on the following please.

I need to block traffic directed at the IP of the device and am trying to do it via traffic-filter as well as traffic-policy, without success.

Traffic filter configuration:
Created ACL blocking the required traffic and allowing everything else.
Apply traffic-filter inbound with created ACL to VLAN Interface or globally on switch

Traffic-policy Configuration:
Created ACL permitting traffic I want to block.
Created classifier matching the ACL
Created behaviour to drop the traffic
Create policy and link classifier and behaviour to it.
Apply traffic-policy inbound to Interface vlan or globally on switch.

In both scenarios, I do not see any hits on the ACL as soon as it's applied.

If I check the traffic-policy applied-record, it shows success for all them.

The ACL does not record any hits at all not even on the permit all.

Is the configuration process correct, or am I missing something?

Any assistance/advice will be greatly appreciated, and thanks in advance.


All Answers
ariase88 (Admin) Created Apr 12, 2021 17:37:48

Thanks for contacting the Huawei community!

We are checking your question and will provide an answer to you shortly...

Jula Created Apr 12, 2021 20:40:01

Thank you. Look forward to the response/feedback.

DDSN (Admin) Created Apr 13, 2021 06:30:21

Hi Jula,

When you run the display acl command to view ACL information, match-counter indicates the number of times the packets exchanged with the local device match ACL rules. For example, FTP, TFTP, Telnet, SNMP, HTTP, routing, and multicast packets exchanged with the local device are matched based on software ACL rules. You can run the display acl command to view the number of times the packets match ACL rules. Other forwarded packets are matched based on hardware ACL rules. You need to view the number of times that the packets match ACL rules in other ways. For example, to view the number of times packets match an ACL rule after a traffic policy is applied, run the statistic enable (traffic behavior view) command to enable traffic statistics collection in the traffic behavior, and then run the display traffic policy statistics command. Therefore, when you run the display acl command to view ACL information if the value of match-counter is 0, the rule is not matched or the configuration does not take effect. You need to perform traffic statistics on forwarding packets to check the matching status.
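A consolidated configuration that follows the answer above, added here as an example and not taken from the thread or from Huawei documentation. It uses Jula's addresses (VLANIF1, 1.1.1.1/30); the ACL number 3001 and the names c_icmp, b_drop and p_icmp are assumed, and the exact keyword spelling of the statistics and display commands should be confirmed with `?` on the device.

```text
# Added example (not from the thread). ACL permits the traffic to be dropped,
# the behavior does the dropping, as in the traffic-policy procedure Jula described.
acl number 3001
 rule 5 permit icmp destination 1.1.1.1 0   # ICMP addressed to VLANIF1's own IP
#
traffic classifier c_icmp
 if-match acl 3001
#
traffic behavior b_drop
 deny
 statistic enable                 # per DDSN: hardware matches are only counted
                                  # when statistics are enabled in the behavior
#
traffic policy p_icmp
 classifier c_icmp behavior b_drop
#
interface Vlanif1
 ip address 1.1.1.1 255.255.255.252
 traffic-policy p_icmp inbound
#
# Verification (command names as given in the replies; argument form assumed):
#   display traffic-policy applied-record          - confirms the policy applied
#   display traffic policy statistics interface Vlanif1 inbound
#                                                  - hardware hit counter
#   display acl 3001                               - match-counter may stay 0 here,
#                                                    since it counts software matches only
```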

Abdussamed (MVE) Created Apr 13, 2021 07:21:58

Traffic Filter on Cloud Engine 6881-3881087-1
Jula Created Apr 13, 2021 07:25:44

Thanks for the response. So my requirement is to deny icmp traffic directed at the device.

Example:
VLANIF1 in VRF1
IP address 1.1.1.1/30

ACL 3000:
Deny icmp to destination 1.1.1.1 0
Permit ip

Traffic-filter applied to VLANIF1:
Traffic-filter acl 3000 inbound

With this config applied, should all icmp traffic to 1.1.1.1 be blocked and will this show any hits when I “display acl 3000”?

Or what else am I missing because even with this config, I can still ping the IP and the ACL gets no hits, not even the “permit ip” rule. Also doesn’t seem to break anything so tells me traffic-filter is not in effect.

Thanks.

DDSN (Admin) Created Apr 13, 2021 09:14:59

Hi Jula,

I experimented on eNSP. The ACL takes effect and counts.

acl number 3000
 rule 5 deny icmp destination 10.2.2.1 0
#
interface Vlanif1
 ip address 10.2.2.1 255.255.255.252
 traffic-filter inbound acl 3000
#
interface Ethernet4/0/0
 port link-type access

Please check your configuration.

Jula Created Apr 13, 2021 09:47:23

What device did you use in eNSP?

I also tried in eNSP and got the config working with an AR device, but the CE devices do not have traffic-filter/traffic-policy commands under the interface, so I cannot test it.

In my production environment, where I want to apply this, I'm using CE8861 devices and configure them the same as the AR config in my eNSP lab, but it does not work.

See attached for the config applied to CE and yet I am still able to ping the device on the configured IP for VLANIF502.

So what is different on the CloudEngine devices to get traffic filtering working?

Thanks.

Jula Created Apr 13, 2021 09:57:58

Not sure if the attachment uploaded first time round.
Traffic Filter on Cloud Engine 6881-3881303-1

DDSN (Admin) Created Apr 13, 2021 11:21:28

Hi Jula,
Please try the icmp echo-reply fast disable command to disable the fast ICMP reply function on the device.
