Solved

Block a H3C VLAN in S5500

Posted on 2014-04-29
Last Modified: 2014-05-16
Any idea how to block an IP for a particular IP address on H3C?

Tks
Question by:AXISHK
LVL 2

Expert Comment

by:Anton Nikitin
ID: 40034579
Hello AXISHK,

I'm not sure I'm reading your question correctly. Are you trying to block traffic from an IP to another specific IP?

Then you'll need to set up an advanced access list.
Let's say you want to block all traffic from host 192.168.1.1 (connected to interface Gi1/0/1) on your network to 8.8.8.8 and allow everything else:

system-view
acl number 10
 rule deny ip source 192.168.1.1 0.0.0.0 destination 8.8.8.8 0.0.0.0

traffic classifier BLOCK_HOST_CLASS operator and
 if-match acl 10

traffic behavior BLOCK_HOST_BEHAV
 filter deny

qos policy BLOCK_HOST
 classifier BLOCK_HOST_CLASS behavior BLOCK_HOST_BEHAV

interface GigabitEthernet1/0/1
 qos apply policy BLOCK_HOST inbound


So these are the steps:
1. Create an ACL describing the interesting traffic.
2. Define a classifier that uses the ACL.
3. Define a behavior to deny.
4. Create a policy to use the classifier (ACL) and act (behavior = deny).
5. Apply the policy to the interface.

You can find more information about access lists in the "Configuring an Advanced IPv4 ACL" section of H3C's documentation.

Let me know if you need further assistance,
Anton.
0
 

Author Comment

by:AXISHK
ID: 40036508
Some typo mistake: I want to block an IP in a particular VLAN.

Is there any example of configuring it through the GUI?

Tks
0
 
LVL 2

Accepted Solution

by:
Anton Nikitin earned 2000 total points
ID: 40037073
Hello AXISHK,

This configuration would work on an H3C S3600; I'm not sure if it is applicable to the S5500, but you may want to give it a try. In the worst-case scenario the device just won't accept the commands.

To deny all traffic from 192.168.1.1 that is connected to VLAN 10:

acl number 20
 rule 1 deny ip source 192.168.1.1 0
packet-filter vlan 10 inbound ip-group 20


I don't think it's possible to configure via web interface.

Let me know if there is further clarification needed,
Anton.
0
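
The two rules posted above differ in what they match (one host-to-host pair versus every destination from one host), so it is worth checking a rule's coverage before applying it to an interface or VLAN. The sketch below is an added example, not part of the original answers or of H3C's software: it evaluates the posted rule lines against constructed sample flows and models ACL matching only, not the QoS policy or packet-filter binding. It assumes the usual wildcard (inverse mask) semantics, where a 0 bit must match and a 1 bit is ignored; the function names and the third rule are hypothetical.

```python
import ipaddress
import re

# Rule syntax as posted in the answers: optional rule id, then source and
# optional destination, each followed by a wildcard ("0" = 0.0.0.0 shorthand).
RULE_RE = re.compile(
    r"rule(?:\s+\d+)?\s+(permit|deny)\s+ip"
    r"(?:\s+source\s+(\S+)\s+(\S+))?"
    r"(?:\s+destination\s+(\S+)\s+(\S+))?\s*$"
)

def _to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def _field(addr, wildcard):
    """(address, wildcard) as ints, or None when the clause is absent (any)."""
    if addr is None:
        return None
    return _to_int(addr), 0 if wildcard == "0" else _to_int(wildcard)

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    action, src, swc, dst, dwc = m.groups()
    return {"action": action, "src": _field(src, swc), "dst": _field(dst, dwc)}

def _hit(field, ip):
    if field is None:
        return True
    addr, wc = field
    # Wildcard bit 0 = must be equal, bit 1 = ignored (assumed semantics).
    return (_to_int(ip) ^ addr) & ~wc & 0xFFFFFFFF == 0

def matched_flows(rule_line, flows):
    """Return the (src, dst) flows that the rule line matches."""
    rule = parse_rule(rule_line)
    return [f for f in flows if _hit(rule["src"], f[0]) and _hit(rule["dst"], f[1])]

# Constructed sample flows: (source, destination)
FLOWS = [("192.168.1.1", "8.8.8.8"), ("192.168.1.1", "8.8.4.4"),
         ("192.168.1.2", "8.8.8.8"), ("192.168.1.129", "10.0.0.5")]
HOST_TO_HOST = "rule deny ip source 192.168.1.1 0.0.0.0 destination 8.8.8.8 0.0.0.0"
HOST_IN_VLAN = "rule 1 deny ip source 192.168.1.1 0"
LOOSE_WILDCARD = "rule deny ip source 192.168.1.1 0.0.0.128"  # constructed mistake

if __name__ == "__main__":
    for rule in (HOST_TO_HOST, HOST_IN_VLAN, LOOSE_WILDCARD):
        print(rule, "->", matched_flows(rule, FLOWS))
```

The constructed 0.0.0.128 wildcard also matches 192.168.1.129, which is the kind of unintended block this check is meant to surface before the rule is applied.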
 

Author Closing Comment

by:AXISHK
ID: 40071627
Tks
0
