<div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:rgb(0,0,0)">El deny a nivel de la ACL dropea/niega/filtra siempre sin importar si es un behavior permit o deny. <br></div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:rgb(0,0,0)"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:rgb(0,0,0)">Para lo que querés usar, la "action" del behavior tiene que ser "permit" y la ACL esta bien planteada asi para el classifier.</div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:rgb(0,0,0)"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:rgb(0,0,0)"><i>To specify the packet filtering action for packets matching
an ACL rule that defines <strong>permit</strong>, the action taken for the packets
depends on <b><span class="gmail-cmdname">deny</span></b> or <b><span class="gmail-cmdname">permit</span></b> in the traffic behavior. If the ACL rule defines <strong>deny</strong>, the packets are discarded regardless of whether <b><span class="gmail-cmdname">deny</span></b> or <b><span class="gmail-cmdname">permit</span></b> is configured in the traffic behavior.</i></div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:rgb(0,0,0)"><i><br></i></div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:rgb(0,0,0)"><i><a href="http://support.huawei.com/enterprise/en/doc/EDOC1000088754?section=j00d">http://support.huawei.com/enterprise/en/doc/EDOC1000088754?section=j00d</a><br></i></div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:rgb(0,0,0)"><i><br></i></div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:rgb(0,0,0)">Si el equipo te lo soporta, podes evitar crear toda una estructura de un policy para un simple filtro, usando traffic-filter a nivel interfaz y linkeando a la ACL:</div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:rgb(0,0,0)"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:rgb(0,0,0)"><pre class="gmail-screen"><b><span class="gmail-cmdname">interface xxxx<br>traffic-<strong><i>filter</i></strong></span></b><strong><span></span></strong><i><span class="gmail-varname"></span></i> <strong><span>inbound|outbound</span></strong> <strong><span>acl ....</span></strong></pre></div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:rgb(0,0,0)"><i><br></i></div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:rgb(0,0,0)"><i><br></i></div></div></div><br><div class="gmail_quote"><div dir="ltr">El mié., 12 dic. 2018 a las 22:51, Fernando Soto (<<a href="mailto:frsoto@gmail.com">frsoto@gmail.com</a>>) escribió:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="ES-AR"><div class="gmail-m_-7779563770538286227WordSection1"><p class="MsoNormal"><span style="font-size:14pt;line-height:115%;font-family:"Calibri",sans-serif" lang="ES">Buenas gente, estoy necesitando ayuda con esto.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:14pt;line-height:115%;font-family:"Calibri",sans-serif" lang="ES">Estoy tratando de filtrar un puerto udp para que no llegue a mis abonados, salvo desde una red mia<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:14pt;line-height:115%;font-family:"Calibri",sans-serif">Entonces seria algo asi el acl:<u></u><u></u></span></p><p class="gmail-m_-7779563770538286227Consola"><span lang="EN-US">rule 10 <span style="color:rgb(192,0,0)">permit</span> udp source 200.1.2.0 0.0.0.255 destination-port eq 1234<u></u><u></u></span></p><p class="gmail-m_-7779563770538286227Consola"><span lang="EN-US">rule 15 <span style="color:rgb(192,0,0)">deny </span>udp destination-port eq 1234 source any<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:14pt;line-height:115%;font-family:"Calibri",sans-serif" lang="EN-US"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:14pt;line-height:115%;font-family:"Calibri",sans-serif" lang="EN-US"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:14pt;line-height:115%;font-family:"Calibri",sans-serif">Pero siguiendo el ejemplo del tutorial del Huawei no me queda claro como aplicarlo en un puerto<u></u><u></u></span></p><h2><a name="m_-7779563770538286227__Toc526945948"><span lang="EN-US">Using a Traffic Policy to Filter Packets</span></a><span></span><span style="font-size:16pt" lang="EN-US"><u></u><u></u></span></h2><h3><a name="m_-7779563770538286227__Toc526945949"><span lang="EN-US">Preventing a Specified Device from Accessing a Network</span></a><span lang="EN-US"><u></u><u></u></span></h3><p class="MsoNormal"><span lang="EN-US">Prevent the PC at 192.168.1.10 from accessing the network.<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p><p class="gmail-m_-7779563770538286227Consola"><span lang="EN-US"><HUAWEI> system-view<u></u><u></u></span></p><p class="gmail-m_-7779563770538286227Consola"><span lang="EN-US">[HUAWEI] acl 2000<u></u><u></u></span></p><p class="gmail-m_-7779563770538286227Consola"><span lang="EN-US">[HUAWEI-acl-basic-2000] rule <span style="color:rgb(192,0,0)">deny</span> source 192.168.1.10 0.0.0.0<u></u><u></u></span></p><p class="gmail-m_-7779563770538286227Consola"><span lang="EN-US">[HUAWEI-acl-basic-2000] quit<u></u><u></u></span></p><p class="gmail-m_-7779563770538286227Consola"><span lang="EN-US"><u></u> <u></u></span></p><p class="gmail-m_-7779563770538286227Consola"><span lang="EN-US">[HUAWEI] traffic classifier c1<u></u><u></u></span></p><p class="gmail-m_-7779563770538286227Consola"><span lang="EN-US">[HUAWEI-classifier-c1] if-match acl 2000<u></u><u></u></span></p><p class="gmail-m_-7779563770538286227Consola"><span lang="EN-US">[HUAWEI-classifier-c1] quit<u></u><u></u></span></p><p class="gmail-m_-7779563770538286227Consola"><span lang="EN-US"><u></u> <u></u></span></p><p class="gmail-m_-7779563770538286227Consola"><span lang="EN-US">[HUAWEI] traffic behavior b1<u></u><u></u></span></p><p class="gmail-m_-7779563770538286227Consola">[HUAWEI-behavior-b1] deny <span style="color:rgb(192,0,0)">ACA Q PASA SI PONEMOS PERMIT? SI EL ACL YA DICE DENY. ES COMO Q EL DENY ESTA DOS VECES….</span><u></u><u></u></p><p class="gmail-m_-7779563770538286227Consola"><span lang="EN-US">[HUAWEI-behavior-b1] quit<u></u><u></u></span></p><p class="gmail-m_-7779563770538286227Consola"><span lang="EN-US"><u></u> <u></u></span></p><p class="gmail-m_-7779563770538286227Consola"><span lang="EN-US">[HUAWEI] traffic policy p1<u></u><u></u></span></p><p class="gmail-m_-7779563770538286227Consola"><span lang="EN-US">[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1<u></u><u></u></span></p><p class="gmail-m_-7779563770538286227Consola"><span lang="EN-US">[HUAWEI-trafficpolicy-p1] quit<u></u><u></u></span></p><p class="gmail-m_-7779563770538286227Consola"><span lang="EN-US"><u></u> <u></u></span></p><p class="gmail-m_-7779563770538286227Consola"><span lang="EN-US">[HUAWEI] interface gigabitethernet 1/0/1<u></u><u></u></span></p><p class="gmail-m_-7779563770538286227Consola"><span lang="EN-US">[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound<u></u><u></u></span></p><p class="gmail-m_-7779563770538286227Consola"><span lang="EN-US"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p></div></div>_______________________________________________<br>
Lista mailing list<br>
<a href="mailto:Lista@arnog.com.ar" target="_blank">Lista@arnog.com.ar</a><br>
<a href="http://mailmancabase.interdotnet.com.ar/mailman/listinfo/lista" rel="noreferrer" target="_blank">http://mailmancabase.interdotnet.com.ar/mailman/listinfo/lista</a><br>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><b>Ivan Chapero<br><span style="color:rgb(102,102,102)">Área Técnica y Soporte</span></b><span style="color:rgb(102,102,102)"> </span><br style="color:rgb(102,102,102)"><span style="color:rgb(102,102,102)">Fijo: 03464-470280 (interno 535)</span> | <span style="color:rgb(102,102,102)">Móvil: 03464-155-20282</span> | <span style="color:rgb(102,102,102)">Skype ID: ivanchapero</span><div><span style="color:rgb(102,102,102)">--</span><br style="color:rgb(102,102,102)"><div style="text-align:center"><span style="color:rgb(102,102,102)">GoDATA Banda Ancha - CABLETEL S.A. | Av. 9 de Julio 1163 - 2183 - Arequito - Santa Fe - Argentina</span></div><br><br><br><br><br><br><br></div></div></div>