Solved

Block a H3C VLAN in S5500

Posted on 2014-04-29
Last Modified: 2014-05-16
Any idea how to block an IP for a particular IP address on H3C?

Tks
Question by:AXISHK
4 Comments
 
LVL 2

Expert Comment

by:Anton Nikitin
ID: 40034579
Hello AXISHK,

I'm not sure I'm reading your question correctly. Are you trying to block traffic from an IP to another specific IP?

Then you'll need to set up an advanced access list.
Let's say you want to block all traffic from host 192.168.1.1 (connected to interface Gi1/0/1) on your network to 8.8.8.8 and allow everything else:

system-view
acl number 10
 rule deny ip source 192.168.1.1 0.0.0.0 destination 8.8.8.8 0.0.0.0

traffic classifier BLOCK_HOST_CLASS operator and
 if-match acl 10

traffic behavior BLOCK_HOST_BEHAV
 filter deny

qos policy BLOCK_HOST
 classifier BLOCK_HOST_CLASS behavior BLOCK_HOST_BEHAV

interface GigabitEthernet1/0/1
 qos apply policy BLOCK_HOST inbound


So these are the steps:
1. Create ACL describing the interesting traffic.
2. Define classifier that uses the ACL.
3. Define behavior to deny.
4. Create a policy to use the classifier (ACL) and act (behavior = deny).
5. Apply the policy to the interface.

You can find more information about access lists in the "Configuring an Advanced IPv4 ACL" section of H3C's documentation.

Let me know if you need further assistance,
Anton.
0
 

Author Comment

by:AXISHK
ID: 40036508
Some typo mistake, I want to block an IP in a particular VLAN.

Is there any example on configuring it through the GUI?

Tks
0
 
LVL 2

Accepted Solution

by:
Anton Nikitin earned 500 total points
ID: 40037073
Hello AXISHK,

This configuration would work on an H3C S3600; I'm not sure if it is applicable to the S5500, but you may want to give it a try. In the worst-case scenario the device just won't accept the commands.

To deny all traffic from 192.168.1.1 that is connected to VLAN 10:

acl number 20
 rule 1 deny ip source 192.168.1.1 0
packet-filter vlan 10 inbound ip-group 20


I don't think it's possible to configure via web interface.

Let me know if there is further clarification needed,
Anton.
0
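
An added example, not part of Anton's answers or H3C's documentation: a small Python check of which flows the two ACL rule lines quoted in the answers above would match, using wildcard-mask semantics (a 0 bit must match, a 1 bit is ignored; a bare 0 stands for 0.0.0.0). The parser, function names and sample flows are constructed for illustration; it models only the rule match, not the interface, VLAN or direction the filter is applied to, and it goes slightly beyond the posts by also handling wider wildcards such as 0.0.0.255.

```python
import ipaddress
import re

# Rule lines copied from the two answers above.
ADVANCED_RULE = "rule deny ip source 192.168.1.1 0.0.0.0 destination 8.8.8.8 0.0.0.0"
VLAN_RULE = "rule 1 deny ip source 192.168.1.1 0"

def _to_int(text):
    # A bare "0" wildcard is the short form of 0.0.0.0 (exactly this host).
    return int(ipaddress.IPv4Address("0.0.0.0" if text == "0" else text))

def parse_rule(line):
    """Return (action, source, destination); an omitted field is None (any).
    Only the 'address wildcard' form used in the posts is handled."""
    m = re.match(r"rule(?:\s+\d+)?\s+(permit|deny)\s+ip\b(.*)", line.strip())
    if not m:
        raise ValueError(f"unsupported rule: {line!r}")
    fields = {"source": None, "destination": None}
    for key, addr, wc in re.findall(r"(source|destination)\s+(\S+)\s+(\S+)", m.group(2)):
        fields[key] = (_to_int(addr), _to_int(wc))
    return m.group(1), fields["source"], fields["destination"]

def _hit(spec, ip):
    if spec is None:
        return True
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard bit 0 = compare, 1 = ignore
    return (_to_int(ip) & care) == (addr & care)

def matches(rule, src, dst):
    """True if a packet src -> dst falls under the rule's source/destination."""
    _, source, destination = parse_rule(rule)
    return _hit(source, src) and _hit(destination, dst)

def matching_flows(rule, flows):
    return [flow for flow in flows if matches(rule, *flow)]

# Constructed sample flows (source, destination) for illustration.
FLOWS = [("192.168.1.1", "8.8.8.8"), ("192.168.1.1", "8.8.4.4"),
         ("192.168.1.2", "8.8.8.8")]

if __name__ == "__main__":
    print("advanced rule:", matching_flows(ADVANCED_RULE, FLOWS))
    print("vlan rule:    ", matching_flows(VLAN_RULE, FLOWS))
```

Running the rule lines through a check like this before pasting them into the switch shows the difference in scope: the first rule catches only the one host-to-host pair, while the second catches everything sourced from 192.168.1.1.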
 

Author Closing Comment

by:AXISHK
ID: 40071627
Tks
0

Question has a verified solution.