Issue Description
Q:
How does MA5200F or MA5200G limit some kind of users (such as cyber users) offline at ruled time?
Handling Process
A:
1. For MA5200F:
[MA5200F] time-range night 00:01 to 8:00 working-day //define time-range table [MA5200F] acl number 100 match-order auto
[MA5200F-acl-adv-100] rule user-net deny ip source 10 destination any time-range night //index time-range table at ACL
[MA5200F] access-group 100 //use acl 100 at the site
Configures data above, if users ucl-group is 10, they cannot access network between 00:01 and 8:00 (from Monday to Friday).
2. For MA5200G VRP3.30-2215 and versions after it, configure with time-range domain-block command:
Designate relevant time-range:
[Quidway] time-range abc 00:00 to 08:00 working-day
Open block under corresponding user domain:
[Quidway-aaa-domain-huawei] time-range domain-block enable
Configure corresponding time-range, it can be defined:
[Quidway-aaa-domain-huawei] time-range domain-block abc
Only within time-range, the domain will be block and cannot connect new users. Online users are forced to cut off under the domain.
3. MA5200G can realize the same as MA5200F.
MA5200G VRP3.30-22xx version:
Designate one ucl group: user-group ucl-group xxx
Designated group belongs to one ucl group. Use ucl-group command under domain. The domain belongs to ucl-group.
If it is Radius authentication users, they can flood ucl-group number at radius server.
rule-map 123 ip user-group xxx any //designate a rule and IP address at ucl-group and network
time-control yyy //designate time-range within one day
eacl global 123 deny time-control yyy //when the rule is at yyy, the network cannot be accessed.
Use access-group with eacl.
MA5200G VRP3.30-23xx version:
[Quidway]user-group 1 //create user-group
[Quidway-aaa-domain-123]user-group 1 //add user in user domain and belongs to this group
[Quidway]time-range abc 00:00 to 08:00 working-day //Designate time-range when userscannot be permitted to access network
[Quidway]acl 10001 mat auto // Configure acl
[Quidway-acl-simple-10001]rule ip source user 1 des any time-range abc // set relation between user-group and public network
[Quidway]traffic classifier d1 //Configure classifier
[Quidway-classifier-d1]if-match acl 10001 //Refer to acl in classifier
[Quidway]traffic behavior d1 //designate behavior
[Quidway-behavior-d1]deny // behavior is deny
[Quidway]traffic policy d1 auto // designate traffic policy
[Quidway-trafficpolicy-d1] classifier d1 behavior in d1 // bind classifier and behavior
[Quidway]traffic-policy d1 // apply traffic policy and can be used the site, main interface, sub-interface and trunk port.
