CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

This document describes the configuration of the various services supported by the CX11x, CX31x, and CX91x series switch modules, covering both function configuration and configuration examples.
Configuration Examples

This section provides several ACL examples, including the networking requirements, configuration roadmap, and procedures.

Example for Configuring a Basic ACL to Limit Access to the FTP Server

Networking Requirements

As shown in Figure 12-23, the Switch Module functions as an FTP server (172.16.104.110/24). The requirements are as follows:

  • All the users on subnet 1 (172.16.105.0/24) are allowed to access the FTP server at any time.
  • All the users on subnet 2 (172.16.107.0/24) are allowed to access the FTP server only at the specified period of time.
  • Other users are not allowed to access the FTP server.

The routes between the Switch Module and subnets are reachable. You need to configure the Switch Module to limit user access to the FTP server.

Figure 12-23 Configuring a basic ACL to limit user access to the FTP server

Configuration Roadmap

The configuration roadmap is as follows:

  • Create a basic ACL on the Switch Module and configure rules in the basic ACL.
  • Configure basic FTP functions on the Switch Module.
  • Apply a basic ACL to the Switch Module to limit user access.

Procedure

  1. Configure a time range.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch Module
    [*HUAWEI] commit
    [~Switch Module] time-range ftp-access from 0:0 2009/1/1 to 23:59 2011/12/31
    [*Switch Module] time-range ftp-access 14:00 to 18:00 off-day

  2. Configure a basic ACL.

    [*Switch Module] acl number 2001
    [*Switch Module-acl4-basic-2001] rule permit source 172.16.105.0 0.0.0.255
    [*Switch Module-acl4-basic-2001] rule permit source 172.16.107.0 0.0.0.255 time-range ftp-access
    [*Switch Module-acl4-basic-2001] rule deny source any
    [*Switch Module-acl4-basic-2001] commit
    [~Switch Module-acl4-basic-2001] quit

  3. Configure basic FTP functions.

    [~Switch Module] ftp server enable
    [*Switch Module] aaa
    [*Switch Module-aaa] local-user huawei password irreversible-cipher SetUesrPasswd@123
    [*Switch Module-aaa] local-user huawei level 15
    [*Switch Module-aaa] local-user huawei service-type ftp
    [*Switch Module-aaa] local-user huawei ftp-directory flash:
    [*Switch Module-aaa] commit
    [~Switch Module-aaa] quit

  4. Configure access permissions on the FTP server.

    [~Switch Module] ftp server acl 2001
    [*Switch Module] commit

  5. Verify the configuration.

    Run the ftp 172.16.104.110 command on Server A (172.16.105.111/24) in subnet 1. Server A can connect to the FTP server.

    Run the ftp 172.16.104.110 command on Server B (172.16.107.111/24) in subnet 2 on Monday in 2010. Server B cannot connect to the FTP server. Run the ftp 172.16.104.110 command on Server B (172.16.107.111/24) in subnet 2 at 15:00 on Saturday in 2010. Server B can connect to the FTP server.

    Run the ftp 172.16.104.110 command on Server C (10.10.10.1/24). Server C cannot connect to the FTP server.

Configuration Files

# Configuration file of the Switch Module

#
sysname Switch Module
#
FTP server enable
FTP server acl 2001
#
time-range ftp-access 14:00 to 18:00 off-day
time-range ftp-access from 00:00 2009/1/1 to 23:59 2011/12/31
#
acl number 2001
 rule 5 permit source 172.16.105.0 0.0.0.255
 rule 10 permit source 172.16.107.0 0.0.0.255 time-range ftp-access
 rule 15 deny 
#
aaa
 local-user huawei password irreversible-cipher $1a$}q!z!mY8wW$9[DRVu2%q69RD*I'TT:;SF}!;jC)`RjB[$;SgSq8$
 local-user huawei service-type ftp
 local-user huawei level 15
 local-user huawei ftp-directory flash:
#
return

Example for Configuring a Basic ACL6 to Limit Access to the FTP Server

Networking Requirements

As shown in Figure 12-24, the Switch Module functions as an FTP server (3001::2/64). The requirements are as follows:

  • All the users on subnet 1 (3002::1/64) are allowed to access the FTP server at any time.
  • All the users on subnet 2 (3002::2/64) are allowed to access the FTP server only at the specified period of time.
  • Other users are not allowed to access the FTP server.

The routes between the Switch Module and subnets are reachable. You need to configure the Switch Module to limit user access to the FTP server.

Figure 12-24 Configuring a basic ACL6 to limit user access to the FTP server

Configuration Roadmap

The configuration roadmap is as follows:

  • Create a basic ACL6 on the Switch Module and configure rules in the basic ACL6.
  • Configure basic FTP functions on the Switch Module.
  • Apply a basic ACL6 to the Switch Module to limit user access.

Procedure

  1. Configure a time range.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch Module
    [*HUAWEI] commit
    [~Switch Module] time-range ftp-access from 0:0 2013/1/1 to 23:59 2013/12/31
    [*Switch Module] time-range ftp-access 14:00 to 18:00 off-day

  2. Configure a basic ACL6.

    [*Switch Module] acl ipv6 number 2001
    [*Switch Module-acl6-basic-2001] rule permit source 3002::1/64
    [*Switch Module-acl6-basic-2001] rule permit source 3002::2/64 time-range ftp-access
    [*Switch Module-acl6-basic-2001] rule deny source any
    [*Switch Module-acl6-basic-2001] commit
    [~Switch Module-acl6-basic-2001] quit

  3. Configure basic FTP functions.

    [~Switch Module] ftp server enable
    [*Switch Module] aaa
    [*Switch Module-aaa] local-user huawei password irreversible-cipher SetUesrPasswd@123
    [*Switch Module-aaa] local-user huawei service-type ftp
    [*Switch Module-aaa] local-user huawei level 15
    [*Switch Module-aaa] local-user huawei ftp-directory flash:
    [*Switch Module-aaa] commit
    [~Switch Module-aaa] quit

  4. Configure access permissions on the FTP server.

    [~Switch Module] ftp ipv6 server acl 2001
    [*Switch Module] commit

  5. Verify the configuration.

    Run the ftp 3001::2 command on PC A (3002::1/64) in subnet 1. PC A can connect to the FTP server.

    Run the ftp 3001::2 command on PC B (3002::2/64) in subnet 2 on Monday in 2013. PC B cannot connect to the FTP server. Run the ftp 3001::2 command on PC B (3002::2/64) in subnet 2 at 15:00 on Saturday in 2013. PC B can connect to the FTP server.

    Run the ftp 3001::2 command on PC C (3002::3/64). PC C cannot connect to the FTP server.

Configuration Files

# Configuration file of the Switch Module

#
sysname Switch Module
#
FTP server enable
FTP ipv6 server acl 2001
#
time-range ftp-access 14:00 to 18:00 off-day
time-range ftp-access from 00:00 2013/1/1 to 23:59 2013/12/31
#
acl ipv6 number 2001
 rule 5 permit source 3002::/64
 rule 10 permit source 3002::/64 time-range ftp-access
 rule 15 deny 
#
aaa
 local-user huawei password irreversible-cipher $1a$^Vo:RJMngR${}0z:!z7|-(xKk4A-yG5_q<)/;zEV)3"{60\C:y+$ 
 local-user huawei service-type ftp  
 local-user huawei level 15
 local-user huawei ftp-directory flash:
#
return
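
The two FTP examples above can be replayed offline with a small rule evaluator. The Python model below is added here and is not part of the Huawei guide: it transcribes ACL 2001, ACL6 2001 and the ftp-access time range from the procedures and re-runs the step 5 checks. It assumes Huawei wildcard semantics (mask bits set to 1 are ignored) and treats the 18:00 end of the periodic slot as inclusive.

```python
import ipaddress
from datetime import datetime


def ftp_access_range(first_year, last_year):
    """Time range 'ftp-access' as configured on the page: an absolute window
    (0:0 first_year/1/1 to 23:59 last_year/12/31) AND a periodic slot
    14:00 to 18:00 on off-days (Saturday=5, Sunday=6). Both must hold."""
    return {"absolute": (datetime(first_year, 1, 1, 0, 0),
                         datetime(last_year, 12, 31, 23, 59)),
            "periodic": (14 * 60, 18 * 60, {5, 6})}


def time_range_active(tr, when):
    start, end = tr["absolute"]
    if not start <= when <= end:
        return False
    begin, finish, days = tr["periodic"]
    minutes = when.hour * 60 + when.minute
    # Assumption of this model: the 18:00 end boundary is inclusive.
    return when.weekday() in days and begin <= minutes <= finish


def source_matches(addr, spec):
    """spec is 'any', 'net wildcard' (IPv4, wildcard bits set to 1 are
    ignored) or 'prefix/len' (IPv6)."""
    if spec == "any":
        return True
    if "/" in spec:
        # ipaddress normalises 3002::1/64 and 3002::2/64 to the same network
        # 3002::/64, which is what the page's ACL6 configuration file shows.
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    net, wildcard = spec.split()
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)


def acl_decision(rules, time_ranges, src, when):
    """Rules are checked in order; the first match wins. A rule bound to a
    time-range is skipped while that range is inactive."""
    for action, spec, tr_name in rules:
        if tr_name and not time_range_active(time_ranges[tr_name], when):
            continue
        if source_matches(src, spec):
            return action
    return "no-match"  # never reached here: both ACLs end with an explicit deny-any


# ACL 2001 and ACL6 2001 transcribed from the page (rules 5, 10, 15).
ACL_2001 = [("permit", "172.16.105.0 0.0.0.255", None),
            ("permit", "172.16.107.0 0.0.0.255", "ftp-access"),
            ("deny", "any", None)]
ACL6_2001 = [("permit", "3002::1/64", None),
             ("permit", "3002::2/64", "ftp-access"),
             ("deny", "any", None)]
TR_IPV4 = {"ftp-access": ftp_access_range(2009, 2011)}
TR_IPV6 = {"ftp-access": ftp_access_range(2013, 2013)}


def ftp_ipv4_allows(host, *ymdhm):
    return acl_decision(ACL_2001, TR_IPV4, host, datetime(*ymdhm)) == "permit"


def ftp_ipv6_allows(host, *ymdhm):
    return acl_decision(ACL6_2001, TR_IPV6, host, datetime(*ymdhm)) == "permit"


if __name__ == "__main__":
    # Constructed instants: 2010-01-04 is a Monday, 2010-01-02 a Saturday.
    print(ftp_ipv4_allows("172.16.105.111", 2010, 1, 4, 10, 0))   # True  (Server A)
    print(ftp_ipv4_allows("172.16.107.111", 2010, 1, 4, 10, 0))   # False (Server B, Monday)
    print(ftp_ipv4_allows("172.16.107.111", 2010, 1, 2, 15, 0))   # True  (Server B, Sat 15:00)
    print(ftp_ipv4_allows("10.10.10.1", 2010, 1, 2, 15, 0))       # False (Server C)
    # 2013-01-07 is a Monday; 3002::2 and 3002::3 already match rule 5 (3002::/64).
    for host in ("3002::1", "3002::2", "3002::3"):
        print(host, ftp_ipv6_allows(host, 2013, 1, 7, 10, 0))
```

Note what the IPv6 run shows: 3002::1/64 and 3002::2/64 are one and the same /64, so rule 5 already covers PC B and PC C and the evaluator permits both on a Monday; subnet 2 and PC C need prefixes of their own for the ACL6 to behave as the requirements describe.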

Example for Using an Advanced ACL to Configure Traffic Classifiers

Networking Requirements

As shown in Figure 12-25, the departments of the company are connected through the Switch Module. An IPv4 ACL needs to be configured to prevent the R&D department and marketing department from accessing the salary query server from 8:00 to 17:30 and allow the president's office to access the salary query server at any time.

Figure 12-25 Using an advanced ACL to configure traffic classifiers

Configuration Roadmap

The configuration roadmap is as follows:

  1. Assign IP addresses to interfaces.
  2. Configure the time range.
  3. Configure ACLs.
  4. Configure traffic classifiers.
  5. Configure traffic behaviors.
  6. Configure traffic policies.
  7. Apply traffic policies to interfaces.

Procedure

  1. Add interfaces to VLANs and assign IP addresses to the VLANIF interfaces.

    # Add 10GE 1/17/1, 10GE 1/17/2, and 10GE 1/17/3 to VLAN 10, VLAN 20, and VLAN 30 respectively, and add 10GE 1/17/4 to VLAN 100. The first IP address of each network segment is used as the address of the VLANIF interface on that segment. Only the configuration of 10GE 1/17/1 and VLANIF 10 is shown here: 10GE 1/17/2, 10GE 1/17/3, and 10GE 1/17/4 are configured in the same way as 10GE 1/17/1, and VLANIF 20, VLANIF 30, and VLANIF 100 in the same way as VLANIF 10.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch Module
    [*HUAWEI] commit
    [~Switch Module] vlan batch 10 20 30 100
    [*Switch Module] interface 10ge 1/17/1
    [*Switch Module-10GE1/17/1] port link-type access
    [*Switch Module-10GE1/17/1] port default vlan 10
    [*Switch Module-10GE1/17/1] commit
    [~Switch Module-10GE1/17/1] quit
    [~Switch Module] interface vlanif 10
    [*Switch Module-Vlanif10] ip address 10.164.1.1 255.255.255.0
    [*Switch Module-Vlanif10] quit

  2. Configure the time range.

    # Configure the time range from 8:00 to 17:30.

    [*Switch Module] time-range satime 8:00 to 17:30 working-day

  3. Configure ACLs.

    # Configure the ACL for the marketing department to access the salary query server.

    [*Switch Module] acl 3002
    [*Switch Module-acl4-advance-3002] rule deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime
    [*Switch Module-acl4-advance-3002] commit
    [~Switch Module-acl4-advance-3002] quit

    # Configure the ACL for the R&D department to access the salary query server.

    [~Switch Module] acl 3003
    [*Switch Module-acl4-advance-3003] rule deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime
    [*Switch Module-acl4-advance-3003] commit
    [~Switch Module-acl4-advance-3003] quit

  4. Configure ACL-based traffic classifiers.

    # Configure the traffic classifier c_market to classify the packets that match ACL 3002.

    [~Switch Module] traffic classifier c_market
    [*Switch Module-classifier-c_market] if-match acl 3002
    [*Switch Module-classifier-c_market] commit
    [~Switch Module-classifier-c_market] quit

    # Configure the traffic classifier c_rd to classify the packets that match ACL 3003.

    [~Switch Module] traffic classifier c_rd
    [*Switch Module-classifier-c_rd] if-match acl 3003
    [*Switch Module-classifier-c_rd] commit
    [~Switch Module-classifier-c_rd] quit

  5. Configure traffic behaviors.

    # Configure the traffic behavior b_market to reject packets.

    [~Switch Module] traffic behavior b_market
    [*Switch Module-behavior-b_market] deny
    [*Switch Module-behavior-b_market] commit
    [~Switch Module-behavior-b_market] quit

    # Configure the traffic behavior b_rd to reject packets.

    [~Switch Module] traffic behavior b_rd
    [*Switch Module-behavior-b_rd] deny
    [*Switch Module-behavior-b_rd] commit
    [~Switch Module-behavior-b_rd] quit

  6. Configure traffic policies.

    # Configure the traffic policy p_market and associate the traffic classifier c_market and the traffic behavior b_market with the traffic policy.

    [~Switch Module] traffic policy p_market
    [*Switch Module-trafficpolicy-p_market] classifier c_market behavior b_market
    [*Switch Module-trafficpolicy-p_market] commit
    [~Switch Module-trafficpolicy-p_market] quit

    # Configure the traffic policy p_rd and associate the traffic classifier c_rd and the traffic behavior b_rd with the traffic policy.

    [~Switch Module] traffic policy p_rd
    [*Switch Module-trafficpolicy-p_rd] classifier c_rd behavior b_rd
    [*Switch Module-trafficpolicy-p_rd] commit
    [~Switch Module-trafficpolicy-p_rd] quit

  7. Apply the traffic policy.

    # Apply the traffic policy p_market to 10GE 1/17/2.

    [~Switch Module] interface 10ge 1/17/2
    [~Switch Module-10GE1/17/2] traffic-policy p_market inbound
    [*Switch Module-10GE1/17/2] commit
    [~Switch Module-10GE1/17/2] quit

    # Apply the traffic policy p_rd to 10GE 1/17/3.

    [~Switch Module] interface 10ge 1/17/3
    [~Switch Module-10GE1/17/3] traffic-policy p_rd inbound
    [*Switch Module-10GE1/17/3] commit
    [~Switch Module-10GE1/17/3] quit

  8. Verify the configuration.

    # Check the configuration of ACL rules.

    [~Switch Module] display acl all
     Total nonempty ACL number is 2

    Advanced ACL 3002, 1 rule
    ACL's step is 5
     rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime(Inactive) (0 times matched)

    Advanced ACL 3003, 1 rule
    ACL's step is 5
     rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime(Inactive) (0 times matched)

    # Check the configuration of the traffic classifier.

    [~Switch Module] display traffic classifier
      Traffic Classifier Information:
        Classifier: c_market
          Type: OR
          Rule(s):
            if-match acl 3002

        Classifier: c_rd
          Type: OR
          Rule(s):
            if-match acl 3003

    Total classifier number is 2

    # Check the configuration of the traffic policy.

    [~Switch Module] display traffic policy
       Traffic Policy Information:
        Policy: p_market
          Classifier: c_market
            Type: OR
          Behavior: b_market
            Deny

        Policy: p_rd
          Classifier: c_rd
            Type: OR
          Behavior: b_rd
            Deny

    Total policy number is 2
    [~Switch Module] display traffic-policy applied-record
    Total records : 2
    -------------------------------------------------------------------------------
    Policy Name                      Apply Parameter           Slot     State
    -------------------------------------------------------------------------------
    p_market                         10GE1/17/2 inbound            1     success
    -------------------------------------------------------------------------------
    p_rd                             10GE1/17/3 inbound            1     success
    -------------------------------------------------------------------------------

Configuration Files

# Configuration file of the Switch Module

#
sysname Switch Module
#
vlan batch 10 20 30 100 
#
time-range satime 08:00 to 17:30 working-day
#
acl number 3002
 rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
#
acl number 3003
 rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
#
traffic classifier c_market type or
 if-match acl 3002
#
traffic classifier c_rd type or
 if-match acl 3003
#
traffic behavior b_market
 deny
#
traffic behavior b_rd
 deny
#
traffic policy p_market
 classifier c_market behavior b_market precedence 5
#
traffic policy p_rd
 classifier c_rd behavior b_rd precedence 5
#
interface Vlanif10
 ip address 10.164.1.1 255.255.255.0
#
interface Vlanif20
 ip address 10.164.2.1 255.255.255.0
#
interface Vlanif30
 ip address 10.164.3.1 255.255.255.0
#
interface Vlanif100
 ip address 10.164.9.1 255.255.255.0  
#
interface 10GE1/17/1
 port default vlan 10
#
interface 10GE1/17/2
 port default vlan 20
 traffic-policy p_market inbound
#
interface 10GE1/17/3
 port default vlan 30
 traffic-policy p_rd inbound  
#
interface 10GE1/17/4
 port default vlan 100
#
return 

Example for Using a Layer 2 ACL to Configure a Traffic Classifier

Networking Requirements

As shown in Figure 12-26, the Switch Module, which functions as the gateway, is connected to a server leased by a tenant. An ACL needs to be configured to prevent packets with the source MAC address 00e0-f201-0101 and the destination MAC address 0260-e207-0002 from passing through.

Figure 12-26 Using a Layer 2 ACL to configure a traffic classifier

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure an ACL.
  2. Configure a traffic classifier.
  3. Configure a traffic behavior.
  4. Configure a traffic policy.
  5. Apply the traffic policy to an interface.

Procedure

  1. Configure an ACL.

    # Configure a Layer 2 ACL.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch Module
    [*HUAWEI] commit
    [~Switch Module] acl 4000
    [*Switch Module-acl-L2-4000] rule deny source-mac 00e0-f201-0101 ffff-ffff-ffff destination-mac 0260-e207-0002 ffff-ffff-ffff 
    [*Switch Module-acl-L2-4000] quit

  2. Configure the traffic classifier that is based on the ACL.

    # Configure the traffic classifier tc1 to classify packets that match ACL 4000.

    [*Switch Module] traffic classifier tc1
    [*Switch Module-classifier-tc1] if-match acl 4000
    [*Switch Module-classifier-tc1] quit

  3. Configure the traffic behavior.

    # Configure the traffic behavior tb1 to reject packets.

    [*Switch Module] traffic behavior tb1
    [*Switch Module-behavior-tb1] deny
    [*Switch Module-behavior-tb1] quit

  4. Configure the traffic policy.

    # Configure the traffic policy tp1 and associate tc1 and tb1 with the traffic policy.

    [*Switch Module] traffic policy tp1
    [*Switch Module-trafficpolicy-tp1] classifier tc1 behavior tb1
    [*Switch Module-trafficpolicy-tp1] quit

  5. Apply the traffic policy.

    # Apply the traffic policy tp1 to 10GE 1/17/2.

    [*Switch Module] interface 10ge 1/17/2
    [*Switch Module-10GE1/17/2] traffic-policy tp1 inbound
    [*Switch Module-10GE1/17/2] commit
    [~Switch Module-10GE1/17/2] quit

  6. Verify the configuration.

    # Check the configuration of ACL rules.

    [~Switch Module] display acl 4000
    L2 ACL 4000, 1 rule
    ACL's step is 5
     rule 5 deny source-mac 00e0-f201-0101 destination-mac 0260-e207-0002 (0 times matched)

    # Check the configuration of the traffic classifier.

    [~Switch Module] display traffic classifier tc1
      Traffic Classifier Information:
        Classifier: tc1
          Type: OR
          Rule(s):
            if-match acl 4000

    # Check the configuration of the traffic policy.

    [~Switch Module] display traffic policy tp1
      Traffic Policy Information:
        Policy: tp1
          Classifier: tc1
            Type: OR
          Behavior: tb1
            Deny

    [~Switch Module] display traffic-policy applied-record
    Total records : 1
    -------------------------------------------------------------------------------
    Policy Name                      Apply Parameter           Slot     State
    -------------------------------------------------------------------------------
    tp1                              10GE1/17/2 inbound            1     success
    -------------------------------------------------------------------------------

Configuration Files

# Configuration file of the Switch Module

#
sysname Switch Module
#
acl number 4000
 rule 5 deny source-mac 00e0-f201-0101 destination-mac 0260-e207-0002           
#
traffic classifier tc1 type or
 if-match acl 4000
#
traffic behavior tb1
 deny
#
traffic policy tp1
 classifier tc1 behavior tb1 precedence 5
#
interface 10GE1/17/2
 traffic-policy tp1 inbound  
#
return 
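
For the advanced ACL example (Figure 12-25) and the Layer 2 ACL example (Figure 12-26), the Python model below, added here and not part of the Huawei guide, walks a packet through the inbound traffic policy of its ingress interface: ACL rule, classifier, behavior, policy binding. The satime time-range is passed in as a flag rather than evaluated, and the model assumes a classifier hits whenever any rule of its ACL matches, which is unambiguous here because the page pairs deny rules with deny behaviors.

```python
import ipaddress


def ip_match(addr, net, wildcard):
    """Huawei wildcard mask: bits set to 1 are ignored (0.0.0.255 = whole /24,
    0.0.0.0 = exactly one host)."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)


def mac_match(addr, mac, mask):
    """MAC mask bits set to 1 are compared; ffff-ffff-ffff means an exact match."""
    a, m, k = (int(x.replace("-", ""), 16) for x in (addr, mac, mask))
    return (a & k) == (m & k)


# ACLs, classifiers, behaviors and policies transcribed from the page's two examples.
ACLS = {
    3002: [{"src": ("10.164.2.0", "0.0.0.255"), "dst": ("10.164.9.9", "0.0.0.0"),
            "time_range": "satime"}],
    3003: [{"src": ("10.164.3.0", "0.0.0.255"), "dst": ("10.164.9.9", "0.0.0.0"),
            "time_range": "satime"}],
    4000: [{"src_mac": ("00e0-f201-0101", "ffff-ffff-ffff"),
            "dst_mac": ("0260-e207-0002", "ffff-ffff-ffff")}],
}
CLASSIFIERS = {"c_market": 3002, "c_rd": 3003, "tc1": 4000}
BEHAVIORS = {"b_market": "deny", "b_rd": "deny", "tb1": "deny"}
POLICIES = {"p_market": [("c_market", "b_market")],
            "p_rd": [("c_rd", "b_rd")],
            "tp1": [("tc1", "tb1")]}
# Inbound bindings of each example (Figure 12-25 and Figure 12-26 respectively).
BINDINGS_ADVANCED = {"10GE1/17/2": "p_market", "10GE1/17/3": "p_rd"}
BINDINGS_L2 = {"10GE1/17/2": "tp1"}

MATCHERS = {"src": ip_match, "dst": ip_match, "src_mac": mac_match, "dst_mac": mac_match}


def rule_matches(rule, pkt, active_ranges):
    """Every match field the rule carries must match the packet, and the rule's
    time-range (if any) must currently be active."""
    if rule.get("time_range") and rule["time_range"] not in active_ranges:
        return False
    for field, match in MATCHERS.items():
        if field in rule and (field not in pkt or not match(pkt[field], *rule[field])):
            return False
    return True


def classifier_hits(name, pkt, active_ranges):
    """'if-match acl N': the classifier hits when any rule of ACL N matches."""
    return any(rule_matches(r, pkt, active_ranges) for r in ACLS[CLASSIFIERS[name]])


def inbound_verdict(pkt, bindings, active_ranges=frozenset()):
    """Process a packet on its ingress interface. Interfaces with no inbound
    policy forward everything; otherwise the first hitting classifier's
    behavior decides, and packets hitting no classifier are forwarded."""
    policy = bindings.get(pkt["in_iface"])
    if policy is None:
        return "forward"
    for classifier, behavior in POLICIES[policy]:
        if classifier_hits(classifier, pkt, active_ranges):
            return "drop" if BEHAVIORS[behavior] == "deny" else "forward"
    return "forward"


if __name__ == "__main__":
    # Constructed sample packets; {"satime"} stands for a working-day instant between 8:00 and 17:30.
    marketing = {"in_iface": "10GE1/17/2", "src": "10.164.2.10", "dst": "10.164.9.9"}
    print(inbound_verdict(marketing, BINDINGS_ADVANCED, {"satime"}))   # drop
    print(inbound_verdict(marketing, BINDINGS_ADVANCED))               # forward (outside satime)
    blocked = {"in_iface": "10GE1/17/2", "src_mac": "00e0-f201-0101", "dst_mac": "0260-e207-0002"}
    print(inbound_verdict(blocked, BINDINGS_L2))                       # drop
```

One check the model makes visible: traffic entering on 10GE1/17/1 or 10GE1/17/4 is never inspected, because the policies are bound only to 10GE1/17/2 and 10GE1/17/3.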
Updated: 2019-08-09

Document ID: EDOC1000041694