Got it
Huawei Enterprise Support Community
Community Forums Routing & Switching
VLANs and Advanced ACLs -...

VLANs and Advanced ACLs - Restrict the inter-VLAN routing

Created: Oct 15, 2018 13:03:01Latest reply: Oct 18, 2018 05:10:15 2697 6 0 0 0
  Rewarded HiCoins: 0 (problem resolved)
View the author 1#
Hi there,

I have the following simple network:

VLANs and Advanced ACLs - Restrict the inter-VLAN routing-2778015-1


I'm trying to set-up some advanced ACL to control how the VLANs communicate with each other.

My objectives:

  • VLAN 10 can only comunicate with some specifics IPs and ports on VLAN 20;
  • VLAN 20 can NOT communicate with other VLANs;
  • VLAN 30 can communicate with all VLANs;

My ideia is to use advanced ACLs and use traffic policies matching outbound traffic. The problem is, this setup is not working correctly, and VLANs are communicating with each other.

Example config:

ACLs:
acl number 3001
  # This should allow VLAN 10 to communicate with some specifics hosts on VLAN 20  (20.0.0.0/24) and deny the rest.

  rule 5 permit tcp destination 20.0.0.2 0 destination-port eq 8000
  rule 10 permit tcp destination 20.0.0.3 0 destination-port eq 443
  rule 15 permit udp destination 20.0.0.10 0 destination-port eq 53
  rule 20 deny ip destination 20.0.0.0 0.0.0.255
  rule 25 deny ip destination 30.0.0.0 0.0.0.255

acl number 3002
  # This should restrict VLAN 20

  rule 5 deny ip destination 10.0.0.0 0.0.0.255
  rule 10 deny ip destination 30.0.0.0 0.0.0.255
#

Traffic Classifiers:

traffic classifier c_users
  if-match acl 3001
traffic classifier c_servers
  if-match acl 3002
#

Traffic Behavior:

traffic behavior b_permit
permit
#

Traffic Policies:

traffic policy p_users
  classifier c_users behavior b_permit
traffic policy p_servers
  classifier c_servers behavior b_permit
#

VLANs

vlan 10
  name Users
  traffic-policy p_users outbound
vlan 20
  name Servers
  traffic-policy p_servers outbound
vlan 30
  name Management
#

What am I doing wrong?

Thanks!!!


Attachment: You need to log in to download or view. No account? Register

Like (0) Dislike (0) Favorite(0) Share Report
Previous: Router configurartions don't load after reopening the project
Next: PPPOE configration through PON interface on AR2220
Featured Answers

Recommended answer

(1) (0)
chenhui
Admin Created Oct 17, 2018 08:02:20

Hello!

You are using the traffic policy under VLAN with the wrong direction. Change outbound to inbound.

Alternatively, you can use the traffic policy with outbound, but you should swap the source and destination address in ACL. Try this.
View more
  • x
  • convention:
All Answers
(1) (0)
2#
Sergio93
Sergio93 Created Oct 15, 2018 13:11:15

Hi,

Try to aply the traffic policy in inbound direction. Please check this example, it's exactly like yours:
http://support.huawei.com/hedex/hdx.do?docid=EDOC1000177841&id=dc_cfg_vlan_1057&text=Example%252520for%252520Configuring%252520a%252520Traffic%252520Policy%252520to%252520Implement%252520Inter-VLAN%252520Layer%2525203%252520Isolation&lang=en
View more
  • x
  • convention:
(0) (0)
3#
Torrent
Torrent Created Oct 17, 2018 06:59:58

hello, your request is contradictory, it is not doable.:)

it is fine, you apply the traffic outbound but not inbound, otherwise network will down.

VLAN 10 can only comunicate with some specifics IPs and ports on VLAN 20;
VLAN 20 can NOT communicate with other VLANs;
VLAN 30 can communicate with all VLANs;

VLAN20 cannot communicate with other VLANS, but your first request and third request both need VLAN 20 reply packets . how can it be archived?VLANs and Advanced ACLs - Restrict the inter-VLAN routing-2779135-1

maybe you have to double confirm your request.


View more
  • x
  • convention:
(1) (0)
4#
chenhui
chenhui Admin Created Oct 17, 2018 08:02:20

Hello!

You are using the traffic policy under VLAN with the wrong direction. Change outbound to inbound.

Alternatively, you can use the traffic policy with outbound, but you should swap the source and destination address in ACL. Try this.
View more
  • x
  • convention:
(0) (0)
5#
intertelecom
intertelecom Created Oct 17, 2018 13:09:38

This post was last edited by intertelecom at 2018-10-17 16:30.
Posted by Torrent at 2018-10-17 16:30 hello, your request is contradictory, it is not doable.it is fine, you apply the traffic outbound  ...

That's why I'm trying to set oubound-only rules, similar to the way that pfSense works.

VLAN 20 can't initiate a connection to VLAN 10 or 30, but can respond to connections initiated by other VLANs.

I guess I need a stateful ACL in order to accomplish that goal which, of course, is not in the feature scope of a switch.
View more
  • x
  • convention:
(0) (0)
6#
Torrent
Torrent Created Oct 18, 2018 03:17:31

Posted by intertelecom at 2018-10-17 13:09 Posted by Torrent at 2018-10-17 13:09 hello, your request is contradictory, it is not doable.it is f ...
yes, you are right! If you want a so details control for your network accessVLANs and Advanced ACLs - Restrict the inter-VLAN routing-2779795-1, suggest to use a stateful device such as firewall
View more
  • x
  • convention:
(0) (0)
7#
faysalji
faysalji Author Created Oct 18, 2018 05:10:15

Posted by Torrent at 2018-10-17 03:59 hello, your request is contradictory, it is not doable.it is fine, you apply the traffic outbound ...
Thanks for raising red flag, Please suggest then what to do and how to do
View more
  • x
  • convention:
Back to list

Comment

Advanced
B Color Image Link Quote Code Smilies
You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy User Agreement Terms of Use Cookies Cookie Settings
Huawei Enterprise Huawei Carrier Forum Training & Certification

Contact Us: e_online@huawei.com Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

APP

Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.