
Unidirectional access

Created: Apr 27, 2020 02:40:08
Latest reply: Apr 27, 2020 03:07:37
Rewarded HiCoins: 0 (problem resolved)

Hey there,

How can I configure the AR to allow the NMS computer to ping or access computers of other departments but prevent computers of other departments from pinging or accessing the NMS computer? Thank you!



Featured Answers

Recommended answer

Popeye_Wang
Admin Created Apr 27, 2020 02:42:31

Hello,

You can configure a traffic policy to implement unidirectional access for ICMP and TCP services. The ping process involves the exchange of ICMP Echo Request and Reply packets. Therefore, you can configure an ACL to match the Echo packets initiated from other network segments and destined to the O&M network segment, and define the deny action for matched packets in the ACL. Similarly, in the TCP three-way handshake, the initiator sends a SYN request packet. You can configure an ACL to match SYN packets sent from other network segments to the NMS network segment, and define the deny action for matched packets in the ACL.

Kindly refer to the below configuration:

#
acl number 3001
 rule 15 permit icmp source 10.10.0.0 0.0.255.255 destination 10.100.0.0 0.0.0.255 icmp-type echo
 rule 20 permit tcp source 10.10.0.0 0.0.255.255 destination 10.100.0.0 0.0.0.255 tcp-flag syn
#
traffic classifier c1
 if-match acl 3001
#
traffic behavior b1
 deny
#
traffic policy p1
 classifier c1 behavior b1
#
interface GigabitEthernet0/0/0
 traffic-policy p1 outbound         //  Apply the traffic policy to the interface connected to the NMS.
#

Refer to: https://support.huawei.com/enterprise/en/knowledge/EKB1100020242


Please let me know if this works.
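
The matching logic of ACL 3001 and the deny behavior above, modelled in Python as an added example (not part of the original answer and not Huawei code), to show which packets toward the NMS segment are dropped and which still pass. The host addresses are hypothetical, and rule 20 is modelled as matching only the initiator's SYN (SYN set, ACK clear), as the answer describes; how the device treats SYN+ACK replies under `tcp-flag syn` is an assumption to verify on the router.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Wildcard mask semantics: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# ACL 3001 from the answer above. "permit" in an ACL bound to a traffic
# classifier only means "matched"; behavior b1 (deny) decides the action.
ACL_3001 = [
    {"id": 15, "proto": "icmp", "src": ("10.10.0.0", "0.0.255.255"),
     "dst": ("10.100.0.0", "0.0.0.255"), "icmp_type": 8},   # echo request
    {"id": 20, "proto": "tcp", "src": ("10.10.0.0", "0.0.255.255"),
     "dst": ("10.100.0.0", "0.0.0.255"), "syn_only": True},
]

def rule_matches(rule, pkt):
    if rule["proto"] != pkt["proto"]:
        return False
    for side in ("src", "dst"):
        if not wildcard_match(pkt[side], *rule[side]):
            return False
    if "icmp_type" in rule and pkt.get("icmp_type") != rule["icmp_type"]:
        return False
    if rule.get("syn_only"):
        # Assumption: only the initiator's SYN (SYN set, ACK clear) matches.
        flags = pkt.get("flags", set())
        if "syn" not in flags or "ack" in flags:
            return False
    return True

def policy_p1(pkt):
    """Return 'deny' if classifier c1 (ACL 3001) matches, else 'forward'."""
    return "deny" if any(rule_matches(r, pkt) for r in ACL_3001) else "forward"

# Constructed sample packets; DEPT and NMS are hypothetical hosts in the two ranges.
DEPT, NMS = "10.10.20.5", "10.100.0.10"
SAMPLES = {
    "dept pings NMS (echo request)": dict(proto="icmp", src=DEPT, dst=NMS, icmp_type=8),
    "dept answers NMS ping (echo reply)": dict(proto="icmp", src=DEPT, dst=NMS, icmp_type=0),
    "dept opens TCP to NMS (SYN)": dict(proto="tcp", src=DEPT, dst=NMS, flags={"syn"}),
    "dept answers NMS TCP (SYN+ACK)": dict(proto="tcp", src=DEPT, dst=NMS, flags={"syn", "ack"}),
    "dept sends UDP to NMS": dict(proto="udp", src=DEPT, dst=NMS),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{policy_p1(pkt):8} {name}")
```

The UDP case is forwarded because the ACL only classifies ICMP echo requests and TCP SYNs; any other protocol from the department range still reaches the NMS segment unless a further rule covers it.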


All Answers


Procedure:
1. Check whether the SNMP configurations on the host are correct.
   - If the SNMP configurations are correct, go to Step 2.
   - If the SNMP configurations are incorrect, change the configuration based on the following configuration cases.
2. Run the display snmp-agent trap all command to check whether the trap function is enabled.
   - If the trap function is not enabled, run the snmp-agent trap enable command to enable the host to send trap messages.
   - If the trap function is enabled, go to Step 3.
3. Check whether the log message indicating that a specific trap is generated exists on the host.
   - If the log message indicating that a specific trap is generated does not exist on the host, the trap is not generated. Go to Step 4.
   - If the log message indicating that a specific trap is generated exists on the host, the trap has been generated, but the NMS fails to receive the trap message. Go to Step 4.
4. Collect the following information and contact technical support personnel:
   - Results of the preceding troubleshooting procedure
   - Configuration files, log files, and alarm files of the devices


NMS

https://support.huawei.com/enterprise/en/doc/EDOC1000079719/cde96f61/the-nms-fails-to-receive-trap-messages-from-the-host
