help set policy to deny access from outside
Posted: 08 Dec 2014 13:37
by phathienhung
How do I set a policy on an OmniSwitch OS6900 to deny access from outside? For example, PC A can access PC B, but PC B is not allowed to access PC A (including ping not allowed, if possible). Please give me some instructions in detail. Thanks in advance.
Re: help set policy to deny access from outside
Posted: 08 Dec 2014 14:23
by cavagnaro
In order for a packet to work you need routes both ways. I guess the task you want is more for a firewall rather than a switch.
Re: help set policy to deny access from outside
Posted: 08 Dec 2014 15:35
by devnull
A firewall is the way to go.
You can probably deny some traffic using QoS ACLs, but I doubt that "PC A accesses B but not the other way round" is beautiful to implement in QoS ACLs.
Remember: ACLs in the switch are just port filters, no stateful firewall stuff.
You can try something like this (untested, just out of my head):
! network groups for the two hosts
policy network group PC-A 10.10.10.10
policy network group PC-B 20.10.10.10
! c1: any TCP packet that is part of an already established session (no bare SYN)
policy condition c1 source ip any destination ip any established
! c2: anything sourced from PC-B and addressed to PC-A
policy condition c2 source network group PC-B destination network group PC-A
policy action Deny disposition deny
policy action Permit
! higher precedence is evaluated first: established traffic is permitted before the deny is checked
policy rule r1 precedence 100 condition c1 action Permit
policy rule r2 precedence 90 condition c2 action Deny
qos apply
This may (or may not) deny traffic from B -> A while allowing A -> B (or rather all other traffic) and established (e.g. no SYN flag) packets.
I would not try to deny all traffic apart from the ones you think of (at least not without a good lab setup and console access).
Use a firewall!
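The rule set in the reply above, modelled in Python as an added example (not code from the thread or from Alcatel-Lucent): the posted conditions are evaluated against constructed packets so you can see what a stateless switch ACL decides per packet. It assumes (not confirmed by the thread) that rules are evaluated from highest precedence down, the first matching condition decides, and the QoS default disposition is accept. Two things it makes visible: the "established" keyword only ever matches TCP, so the echo reply to PC A's own ping of PC B is dropped by c2 (which looks like "neither PC sees the other" when you test with ping), and an unsolicited PC B -> PC A packet with the ACK bit set is accepted because nothing remembers whether a session was opened, which is the gap a stateful firewall closes.

```python
# Added example: a toy evaluator for the stateless QoS ACL posted above.
# Assumptions (hypothetical, not from the thread): highest precedence first,
# first match wins, unmatched traffic gets the default disposition "accept".
from dataclasses import dataclass

PC_A = "10.10.10.10"   # policy network group PC-A
PC_B = "20.10.10.10"   # policy network group PC-B


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    flags: frozenset = frozenset()   # TCP flags such as {"syn"} or {"ack"}


def established(pkt: Packet) -> bool:
    """The 'established' keyword: TCP with ACK or RST set, i.e. not a bare SYN.
    A stateless ACL judges this per packet; it keeps no connection table."""
    return pkt.proto == "tcp" and bool(pkt.flags & {"ack", "rst"})


def cond_c1(pkt: Packet) -> bool:
    # policy condition c1 source ip any destination ip any established
    return established(pkt)


def cond_c2(pkt: Packet) -> bool:
    # policy condition c2 source network group PC-B destination network group PC-A
    return pkt.src == PC_B and pkt.dst == PC_A


# (precedence, condition, disposition) as in rules r1 and r2 of the post
RULES = [
    (100, cond_c1, "accept"),   # r1: action Permit
    (90, cond_c2, "deny"),      # r2: action Deny
]


def classify(pkt: Packet) -> str:
    """Return the disposition the rule set gives one packet."""
    for _prec, cond, disposition in sorted(RULES, key=lambda r: r[0], reverse=True):
        if cond(pkt):
            return disposition
    return "accept"   # assumed default disposition


def tcp_handshake(client: str, server: str) -> list:
    """Dispositions for SYN, SYN-ACK and ACK of a TCP session opened by client."""
    packets = [
        Packet(client, server, "tcp", frozenset({"syn"})),
        Packet(server, client, "tcp", frozenset({"syn", "ack"})),
        Packet(client, server, "tcp", frozenset({"ack"})),
    ]
    return [classify(p) for p in packets]


def ping(src: str, dst: str) -> tuple:
    """Dispositions for an ICMP echo request and the echo reply it would trigger."""
    request = Packet(src, dst, "icmp")
    reply = Packet(dst, src, "icmp")
    return classify(request), classify(reply)


if __name__ == "__main__":
    print("A -> B TCP :", tcp_handshake(PC_A, PC_B))   # every packet accepted
    print("B -> A TCP :", tcp_handshake(PC_B, PC_A))   # SYN denied, session never opens
    print("A pings B  :", ping(PC_A, PC_B))            # request accepted, reply denied
    print("B pings A  :", ping(PC_B, PC_A))            # request denied
    # stateless gap: a B -> A packet that merely carries ACK is accepted
    print("B -> A ACK :", classify(Packet(PC_B, PC_A, "tcp", frozenset({"ack"}))))
```

If the goal includes letting A ping B, a rule for ICMP from PC-B to PC-A would have to be accepted above c2 as well, which is exactly the kind of per-protocol bookkeeping that a stateful firewall does for you.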
Re: help set policy to deny access from outside
Posted: 12 Dec 2014 10:55
by phathienhung
@devnull: thanks for your reply, I tried your instructions but it is still not working. Both PC A & B can't see each other.
I remember that the Cisco 3650 switch (L3 switch) does that: with an access list it can deny PC B access to PC A while permitting PC A access to PC B. Can't the Alcatel Omni6900 (also an L3 switch) do that?
Anybody help me?
Re: help set policy to deny access from outside
Posted: 07 Jan 2015 02:45
by devnull
What is not working?
As you have only one deny rule, you can add a log statement to see why this is blocking,
or do a
show qos active policy rule to see which policy matches,
or do a
show policy classify [l2|l3] source ip XXX.XXX.XXX.XXX destination ip YYY.YYY.YYY.YYY
The policies should work.
The aclman (Cisco-like ACL manager) is not supported on the 6900, and it is not possible to create ACLs on a VLAN, just on a port.
Re: help set policy to deny access from outside
Posted: 07 Oct 2024 05:50
by sokocul_123
Bro, I need help about this! My case is like this. My policy rules are not working.