Configuration Examples
This section provides several ACL examples, including the networking requirements, configuration roadmap, and procedures.
Example for Configuring a Basic ACL to Limit Access to the FTP Server
Networking Requirements
As shown in Figure 12-23, the Switch Module functions as an FTP server (172.16.104.110/24). The requirements are as follows:
- All the users on subnet 1 (172.16.105.0/24) are allowed to access the FTP server at any time.
- All the users on subnet 2 (172.16.107.0/24) are allowed to access the FTP server only at the specified period of time.
- Other users are not allowed to access the FTP server.
The routes between the Switch Module and subnets are reachable. You need to configure the Switch Module to limit user access to the FTP server.
Configuration Roadmap
The configuration roadmap is as follows:
- Create a basic ACL on the Switch Module and configure rules in the basic ACL.
- Configure basic FTP functions on the Switch Module.
- Apply a basic ACL to the Switch Module to limit user access.
Procedure
- Configure a time range.
<HUAWEI> system-view
[~HUAWEI] sysname Switch Module
[*HUAWEI] commit
[~Switch Module] time-range ftp-access from 0:0 2009/1/1 to 23:59 2011/12/31
[*Switch Module] time-range ftp-access 14:00 to 18:00 off-day
- Configure a basic ACL.
[*Switch Module] acl number 2001
[*Switch Module-acl4-basic-2001] rule permit source 172.16.105.0 0.0.0.255
[*Switch Module-acl4-basic-2001] rule permit source 172.16.107.0 0.0.0.255 time-range ftp-access
[*Switch Module-acl4-basic-2001] rule deny source any
[*Switch Module-acl4-basic-2001] commit
[~Switch Module-acl4-basic-2001] quit
- Configure basic FTP functions.
[~Switch Module] ftp server enable
[*Switch Module] aaa
[*Switch Module-aaa] local-user huawei password irreversible-cipher SetUesrPasswd@123
[*Switch Module-aaa] local-user huawei service-type ftp
[*Switch Module-aaa] local-user huawei level 15
[*Switch Module-aaa] local-user huawei ftp-directory flash:
[*Switch Module-aaa] commit
[~Switch Module-aaa] quit
- Configure access permissions on the FTP server.
[~Switch Module] ftp server acl 2001
[*Switch Module] commit
- Verify the configuration.
Run the ftp 172.16.104.110 command on Server A (172.16.105.111/24) in subnet 1. Server A can connect to the FTP server.
Run the ftp 172.16.104.110 command on Server B (172.16.107.111/24) in subnet 2 on Monday in 2010. Server B cannot connect to the FTP server. Run the ftp 172.16.104.110 command on Server B (172.16.107.111/24) in subnet 2 at 15:00 on Saturday in 2010. Server B can connect to the FTP server.
Run the ftp 172.16.104.110 command on Server C (10.10.10.1/24). Server C cannot connect to the FTP server.
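The three verification checks above follow directly from how basic ACL 2001 is evaluated: each rule is tried in configuration order, a rule with an inactive time range is skipped, and the first match decides. The following Python model is an added example, not code from the Huawei guide; it assumes those semantics, takes the periodic window 14:00 to 18:00 as inclusive at both ends, and uses constructed timestamps (a Monday and a Saturday in 2010) for the test cases.

```python
# Added example, not part of the Huawei guide: a small model of basic ACL 2001
# from the procedure above, showing how the wildcard mask, the time range and
# configuration-order (first-match) evaluation decide which FTP clients get in.
# Assumed semantics: a rule whose time range is inactive is skipped; the periodic
# window 14:00 to 18:00 is taken as inclusive at both ends.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address
from typing import List, Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Huawei wildcard mask: a 1 bit means 'ignore this bit', 0 means 'must match'."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class TimeRange:
    """'time-range ftp-access': active only when BOTH the absolute window and the
    periodic (off-day, 14:00 to 18:00) window apply."""
    start: datetime
    end: datetime
    days: set                 # weekday() numbers; off-day = {5, 6} (Saturday, Sunday)
    from_hm: tuple            # (hour, minute)
    to_hm: tuple

    def active(self, at: datetime) -> bool:
        in_absolute = self.start <= at <= self.end
        in_periodic = at.weekday() in self.days and self.from_hm <= (at.hour, at.minute) <= self.to_hm
        return in_absolute and in_periodic


@dataclass
class Rule:
    action: str                                  # "permit" or "deny"
    network: str = "0.0.0.0"                     # 'source any' == 0.0.0.0 wildcard 255.255.255.255
    wildcard: str = "255.255.255.255"
    time_range: Optional[TimeRange] = None

    def matches(self, src: str, at: datetime) -> bool:
        if self.time_range is not None and not self.time_range.active(at):
            return False                         # inactive time range: rule does not apply
        return wildcard_match(src, self.network, self.wildcard)


def evaluate(rules: List[Rule], src: str, at: datetime) -> str:
    """Rules are tried in configuration order; the first match decides."""
    for rule in rules:
        if rule.matches(src, at):
            return rule.action
    return "deny"   # assumption for this model; unreachable here because rule 15 denies 'any'


FTP_ACCESS = TimeRange(
    start=datetime(2009, 1, 1, 0, 0),            # from 0:0 2009/1/1
    end=datetime(2011, 12, 31, 23, 59),          # to 23:59 2011/12/31
    days={5, 6},                                 # off-day
    from_hm=(14, 0),
    to_hm=(18, 0),
)

ACL_2001: List[Rule] = [
    Rule("permit", "172.16.105.0", "0.0.0.255"),               # rule 5: subnet 1, any time
    Rule("permit", "172.16.107.0", "0.0.0.255", FTP_ACCESS),   # rule 10: subnet 2, ftp-access only
    Rule("deny"),                                               # rule 15: deny source any
]


def ftp_allowed(src: str, when: str) -> bool:
    """'when' is an ISO timestamp such as '2010-06-07 15:00' (a constructed test time)."""
    return evaluate(ACL_2001, src, datetime.fromisoformat(when)) == "permit"


if __name__ == "__main__":
    # The verification steps from the example, at constructed timestamps.
    print(ftp_allowed("172.16.105.111", "2010-06-07 15:00"))   # Server A, Monday      -> True
    print(ftp_allowed("172.16.107.111", "2010-06-07 15:00"))   # Server B, Monday      -> False
    print(ftp_allowed("172.16.107.111", "2010-06-12 15:00"))   # Server B, Sat 15:00   -> True
    print(ftp_allowed("10.10.10.1",     "2010-06-12 15:00"))   # Server C              -> False
```

Note that the catch-all rule 15 is what makes the result for Server C independent of the platform's default for unmatched traffic; leaving it out would make the outcome depend on behaviour the example does not rely on.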
Configuration Files
# Configuration file of the Switch Module
#
sysname Switch Module
#
FTP server enable
FTP server acl 2001
#
time-range ftp-access 14:00 to 18:00 off-day
time-range ftp-access from 00:00 2009/1/1 to 23:59 2011/12/31
#
acl number 2001
rule 5 permit source 172.16.105.0 0.0.0.255
rule 10 permit source 172.16.107.0 0.0.0.255 time-range ftp-access
rule 15 deny
#
aaa
local-user huawei password irreversible-cipher $1a$}q!z!mY8wW$9[DRVu2%q69RD*I'TT:;SF}!;jC)`RjB[$;SgSq8$
local-user huawei service-type ftp
local-user huawei level 15
local-user huawei ftp-directory flash:
#
return
Example for Configuring a Basic ACL6 to Limit Access to the FTP Server
Networking Requirements
As shown in Figure 12-24, the Switch Module functions as an FTP server (3001::2/64). The requirements are as follows:
- All the users on subnet 1 (3002::1/64) are allowed to access the FTP server at any time.
- All the users on subnet 2 (3002::2/64) are allowed to access the FTP server only at the specified period of time.
- Other users are not allowed to access the FTP server.
The routes between the Switch Module and subnets are reachable. You need to configure the Switch Module to limit user access to the FTP server.
Configuration Roadmap
The configuration roadmap is as follows:
- Create a basic ACL6 on the Switch Module and configure rules in the basic ACL6.
- Configure basic FTP functions on the Switch Module.
- Apply a basic ACL6 to the Switch Module to limit user access.
Procedure
- Configure a time range.
<HUAWEI> system-view
[~HUAWEI] sysname Switch Module
[*HUAWEI] commit
[~Switch Module] time-range ftp-access from 0:0 2013/1/1 to 23:59 2013/12/31
[*Switch Module] time-range ftp-access 14:00 to 18:00 off-day
- Configure a basic ACL6.
[*Switch Module] acl ipv6 number 2001
[*Switch Module-acl6-basic-2001] rule permit source 3002::1/64
[*Switch Module-acl6-basic-2001] rule permit source 3002::2/64 time-range ftp-access
[*Switch Module-acl6-basic-2001] rule deny source any
[*Switch Module-acl6-basic-2001] commit
[~Switch Module-acl6-basic-2001] quit
- Configure basic FTP functions.
[~Switch Module] ftp server enable
[*Switch Module] aaa
[*Switch Module-aaa] local-user huawei password irreversible-cipher SetUesrPasswd@123
[*Switch Module-aaa] local-user huawei service-type ftp
[*Switch Module-aaa] local-user huawei level 15
[*Switch Module-aaa] local-user huawei ftp-directory flash:
[*Switch Module-aaa] commit
[~Switch Module-aaa] quit
- Configure access permissions on the FTP server.
[~Switch Module] ftp ipv6 server acl 2001
[*Switch Module] commit
- Verify the configuration.
Run the ftp 3001::2 command on PC A (3002::1/64) in subnet 1. PC A can connect to the FTP server.
Run the ftp 3001::2 command on PC B (3002::2/64) in subnet 2 on Monday in 2013. PC B cannot connect to the FTP server. Run the ftp 3001::2 command on PC B (3002::2/64) in subnet 2 at 15:00 on Saturday in 2013. PC B can connect to the FTP server.
Run the ftp 3001::2 command on PC C (3002::3/64). PC C cannot connect to the FTP server.
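One point worth checking before reusing this IPv6 example: an ACL6 rule matches on a prefix, so the host bits of 'source 3002::1/64' and 'source 3002::2/64' are discarded when the rule is stored, and the configuration file below accordingly shows both rules as 3002::/64. With first-match evaluation, every source in 3002::/64 is matched by rule 5, so the time range on rule 10 is never consulted for it; subnets that are to be treated differently need prefixes that do not overlap. The following Python check is an added example, not code from the Huawei guide; it assumes configuration-order (first-match) evaluation and flags rules that an earlier unconditional rule shadows.

```python
# Added example, not part of the Huawei guide: prefix normalisation of the ACL6
# rules above, and a check for rules that can never be the first match.
# Assumes configuration-order (first-match) evaluation.
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional, Tuple

Rule6 = Tuple[str, IPv6Network, Optional[str]]   # (action, prefix, time-range name or None)


def normalize(prefix: str) -> IPv6Network:
    """Zero the host bits, as the switch does when it stores 'rule permit source 3002::1/64'."""
    return IPv6Network(prefix, strict=False)


# ACL6 2001 exactly as entered in the procedure above
ACL6_2001: List[Rule6] = [
    ("permit", normalize("3002::1/64"), None),           # rule 5
    ("permit", normalize("3002::2/64"), "ftp-access"),   # rule 10
    ("deny",   normalize("::/0"),       None),           # rule 15: deny source any
]


def first_match(rules: List[Rule6], src: str) -> Optional[Tuple[int, str, Optional[str]]]:
    """Configuration-order evaluation: (index, action, time-range) of the first covering prefix."""
    addr = IPv6Address(src)
    for idx, (action, net, trange) in enumerate(rules):
        if addr in net:
            return idx, action, trange
    return None


def shadowed(rules: List[Rule6]) -> List[Tuple[int, int]]:
    """(later, earlier) index pairs where a later rule's prefix lies entirely inside an
    earlier rule that has no time range, so the later rule can never be the first match."""
    out = []
    for j, (_, net_j, _) in enumerate(rules):
        for i in range(j):
            _, net_i, trange_i = rules[i]
            if trange_i is None and net_j.subnet_of(net_i):
                out.append((j, i))
                break
    return out


if __name__ == "__main__":
    print(normalize("3002::1/64"), normalize("3002::2/64"))   # both 3002::/64
    print(first_match(ACL6_2001, "3002::2"))                  # (0, 'permit', None): rule 5, no time range
    print(shadowed(ACL6_2001))                                # [(1, 0)]: rule 10 is shadowed by rule 5
```

Running the same check against the IPv4 example gives an empty list, because 172.16.105.0/24 and 172.16.107.0/24 are distinct prefixes.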
Configuration Files
# Configuration file of the Switch Module
#
sysname Switch Module
#
FTP server enable
FTP ipv6 server acl 2001
#
time-range ftp-access 14:00 to 18:00 off-day
time-range ftp-access from 00:00 2013/1/1 to 23:59 2013/12/31
#
acl ipv6 number 2001
rule 5 permit source 3002::/64
rule 10 permit source 3002::/64 time-range ftp-access
rule 15 deny
#
aaa
local-user huawei password irreversible-cipher $1a$^Vo:RJMngR${}0z:!z7|-(xKk4A-yG5_q<)/;zEV)3"{60\C:y+$
local-user huawei service-type ftp
local-user huawei level 15
local-user huawei ftp-directory flash:
#
return
Example for Using an Advanced ACL to Configure Traffic Classifiers
Networking Requirements
As shown in Figure 12-25, the departments of the company are connected through the Switch Module. An IPv4 ACL needs to be configured to prevent the R&D department and marketing department from accessing the salary query server from 8:00 to 17:30 and allow the president's office to access the salary query server at any time.
Configuration Roadmap
The configuration roadmap is as follows:
- Assign IP addresses to interfaces.
- Configure the time range.
- Configure ACLs.
- Configure traffic classifiers.
- Configure traffic behaviors.
- Configure traffic policies.
- Apply traffic policies to interfaces.
Procedure
- Add interfaces to VLANs and assign IP addresses to the VLANIF interfaces.
# Add 10GE 1/17/1, 10GE 1/17/2, and 10GE 1/17/3 to VLAN 10, VLAN 20, and VLAN 30 respectively, and add 10GE 1/17/4 to VLAN 100. The first IP address of each network segment is used as the address of the VLANIF interface on that segment. The configurations on 10GE 1/17/1 and VLANIF 10 are shown as an example. The configurations of 10GE 1/17/2, 10GE 1/17/3, and 10GE 1/17/4 are similar to that of 10GE 1/17/1, and the configurations of VLANIF 20, VLANIF 30, and VLANIF 100 are similar to that of VLANIF 10; they are not repeated here.
<HUAWEI> system-view
[~HUAWEI] sysname Switch Module
[*HUAWEI] commit
[~Switch Module] vlan batch 10 20 30 100
[*Switch Module] interface 10ge 1/17/1
[*Switch Module-10GE1/17/1] port link-type access
[*Switch Module-10GE1/17/1] port default vlan 10
[*Switch Module-10GE1/17/1] commit
[~Switch Module-10GE1/17/1] quit
[~Switch Module] interface vlanif 10
[*Switch Module-Vlanif10] ip address 10.164.1.1 255.255.255.0
[*Switch Module-Vlanif10] quit
- Configure the time range.
# Configure the time range from 8:00 to 17:30.
[*Switch Module] time-range satime 8:00 to 17:30 working-day
- Configure ACLs.
# Configure the ACL that matches packets from the marketing department to the salary query server.
[*Switch Module] acl 3002
[*Switch Module-acl4-advance-3002] rule deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime
[*Switch Module-acl4-advance-3002] commit
[~Switch Module-acl4-advance-3002] quit
# Configure the ACL that matches packets from the R&D department to the salary query server.
[~Switch Module] acl 3003
[*Switch Module-acl4-advance-3003] rule deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime
[*Switch Module-acl4-advance-3003] commit
[~Switch Module-acl4-advance-3003] quit
- Configure ACL-based traffic classifiers.
# Configure the traffic classifier c_market to classify the packets that match ACL 3002.
[~Switch Module] traffic classifier c_market
[*Switch Module-classifier-c_market] if-match acl 3002
[*Switch Module-classifier-c_market] commit
[~Switch Module-classifier-c_market] quit
# Configure the traffic classifier c_rd to classify the packets that match ACL 3003.
[~Switch Module] traffic classifier c_rd
[*Switch Module-classifier-c_rd] if-match acl 3003
[*Switch Module-classifier-c_rd] commit
[~Switch Module-classifier-c_rd] quit
- Configure traffic behaviors.
# Configure the traffic behavior b_market to reject packets.
[~Switch Module] traffic behavior b_market
[*Switch Module-behavior-b_market] deny
[*Switch Module-behavior-b_market] commit
[~Switch Module-behavior-b_market] quit
# Configure the traffic behavior b_rd to reject packets.
[~Switch Module] traffic behavior b_rd
[*Switch Module-behavior-b_rd] deny
[*Switch Module-behavior-b_rd] commit
[~Switch Module-behavior-b_rd] quit
- Configure traffic policies.
# Configure the traffic policy p_market and associate the traffic classifier c_market and the traffic behavior b_market with the traffic policy.
[~Switch Module] traffic policy p_market
[*Switch Module-trafficpolicy-p_market] classifier c_market behavior b_market
[*Switch Module-trafficpolicy-p_market] commit
[~Switch Module-trafficpolicy-p_market] quit
# Configure the traffic policy p_rd and associate the traffic classifier c_rd and the traffic behavior b_rd with the traffic policy.
[~Switch Module] traffic policy p_rd
[*Switch Module-trafficpolicy-p_rd] classifier c_rd behavior b_rd
[*Switch Module-trafficpolicy-p_rd] commit
[~Switch Module-trafficpolicy-p_rd] quit
- Apply the traffic policy.
# Apply the traffic policy p_market to 10GE 1/17/2.
[~Switch Module] interface 10ge 1/17/2
[~Switch Module-10GE1/17/2] traffic-policy p_market inbound
[*Switch Module-10GE1/17/2] commit
[~Switch Module-10GE1/17/2] quit
# Apply the traffic policy p_rd to 10GE 1/17/3.
[~Switch Module] interface 10ge 1/17/3
[~Switch Module-10GE1/17/3] traffic-policy p_rd inbound
[*Switch Module-10GE1/17/3] commit
[~Switch Module-10GE1/17/3] quit
- Verify the configuration.
# Check the configuration of ACL rules.
[~Switch Module] display acl all
Total nonempty ACL number is 2
Advanced ACL 3002, 1 rule
ACL's step is 5
 rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime(Inactive) (0 times matched)
Advanced ACL 3003, 1 rule
ACL's step is 5
 rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime(Inactive) (0 times matched)
# Check the configuration of the traffic classifier.
[~Switch Module] display traffic classifier
  Traffic Classifier Information:

  Classifier: c_market
   Type: OR
   Rule(s):
    if-match acl 3002

  Classifier: c_rd
   Type: OR
   Rule(s):
    if-match acl 3003

  Total classifier number is 2
# Check the configuration of the traffic policy.
[~Switch Module] display traffic policy
  Traffic Policy Information:

  Policy: p_market
   Classifier: c_market
    Type: OR
    Behavior: b_market
     Deny

  Policy: p_rd
   Classifier: c_rd
    Type: OR
    Behavior: b_rd
     Deny

  Total policy number is 2
[~Switch Module] display traffic-policy applied-record
Total records : 2
-------------------------------------------------------------------------------
Policy Name         Apply Parameter                Slot   State
-------------------------------------------------------------------------------
p_market            10GE1/17/2 inbound             1      success
-------------------------------------------------------------------------------
p_rd                10GE1/17/3 inbound             1      success
-------------------------------------------------------------------------------
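The chain configured above (ACL → classifier → behavior → policy → interface) only takes effect for traffic entering the interface the policy is bound to, which is why the president's office on 10GE 1/17/1 is unaffected without any permit rule of its own. The following Python model is an added example, not code from the Huawei guide; it assumes first-match evaluation, working-day meaning Monday to Friday with 17:30 inclusive, and uses constructed host addresses (10.164.2.10, 10.164.3.10, 10.164.1.10) and constructed timestamps for the checks.

```python
# Added example, not part of the Huawei guide: a model of how the traffic policies
# above take effect.  A packet is tested only against the policy applied inbound on
# the interface it arrives on; the classifier matches the advanced ACL (source AND
# destination, each wildcard-masked, only while time-range satime is active) and the
# behaviour 'deny' drops it.  Interfaces without a policy (10GE1/17/1, the
# president's office, and 10GE1/17/4) forward everything.  Assumptions: first-match
# evaluation, working-day = Monday to Friday, 17:30 inclusive, constructed hosts.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address
from typing import Callable, Dict, List, Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Huawei wildcard: 1 bits are ignored, 0 bits must match ('0.0.0.0' = exact host)."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def satime_active(at: datetime) -> bool:
    """time-range satime 08:00 to 17:30 working-day."""
    return at.weekday() < 5 and (8, 0) <= (at.hour, at.minute) <= (17, 30)


@dataclass
class AdvancedRule:
    action: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    time_range: Optional[Callable[[datetime], bool]] = None

    def matches(self, src: str, dst: str, at: datetime) -> bool:
        if self.time_range is not None and not self.time_range(at):
            return False
        return wildcard_match(src, self.src, self.src_wc) and wildcard_match(dst, self.dst, self.dst_wc)


# The objects configured in the procedure above, by name
ACLS: Dict[int, List[AdvancedRule]] = {
    3002: [AdvancedRule("deny", "10.164.2.0", "0.0.0.255", "10.164.9.9", "0.0.0.0", satime_active)],
    3003: [AdvancedRule("deny", "10.164.3.0", "0.0.0.255", "10.164.9.9", "0.0.0.0", satime_active)],
}
CLASSIFIERS = {"c_market": 3002, "c_rd": 3003}                  # if-match acl
BEHAVIORS = {"b_market": "deny", "b_rd": "deny"}
POLICIES = {"p_market": [("c_market", "b_market")], "p_rd": [("c_rd", "b_rd")]}
INBOUND = {"10GE1/17/2": "p_market", "10GE1/17/3": "p_rd"}       # traffic-policy ... inbound


def forward(interface: str, src: str, dst: str, when: str) -> str:
    """Decision for a packet arriving on 'interface' at ISO time 'when': 'forward' or 'deny'."""
    at = datetime.fromisoformat(when)
    policy = INBOUND.get(interface)
    if policy is None:
        return "forward"                      # no inbound policy on this interface
    for classifier, behavior in POLICIES[policy]:
        for rule in ACLS[CLASSIFIERS[classifier]]:
            if rule.matches(src, dst, at):
                # Classifier hit: apply the behaviour.  Here the ACL rule and the
                # behaviour are both 'deny', so the packet is dropped either way.
                return BEHAVIORS[behavior]
    return "forward"


if __name__ == "__main__":
    # Constructed hosts and times; 2024-06-03 is a Monday, 2024-06-08 a Saturday.
    print(forward("10GE1/17/2", "10.164.2.10", "10.164.9.9", "2024-06-03 09:00"))  # marketing, Mon 09:00 -> deny
    print(forward("10GE1/17/2", "10.164.2.10", "10.164.9.9", "2024-06-03 18:00"))  # after 17:30        -> forward
    print(forward("10GE1/17/2", "10.164.2.10", "10.164.9.9", "2024-06-08 09:00"))  # Saturday           -> forward
    print(forward("10GE1/17/1", "10.164.1.10", "10.164.9.9", "2024-06-03 09:00"))  # president's office -> forward
```

The 'satime(Inactive)' marker in the display acl output above is the same condition the model checks first: while the time range is inactive the rule contributes no match, so the classifier never fires and the packet is forwarded.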
Configuration Files
# Configuration file of the Switch Module
#
sysname Switch Module
#
vlan batch 10 20 30 100
#
time-range satime 08:00 to 17:30 working-day
#
acl number 3002
rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
#
acl number 3003
rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
#
traffic classifier c_market type or
if-match acl 3002
#
traffic classifier c_rd type or
if-match acl 3003
#
traffic behavior b_market
deny
#
traffic behavior b_rd
deny
#
traffic policy p_market
classifier c_market behavior b_market precedence 5
#
traffic policy p_rd
classifier c_rd behavior b_rd precedence 5
#
interface Vlanif10
ip address 10.164.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.164.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.164.3.1 255.255.255.0
#
interface Vlanif100
ip address 10.164.9.1 255.255.255.0
#
interface 10GE1/17/1
port default vlan 10
#
interface 10GE1/17/2
port default vlan 20
traffic-policy p_market inbound
#
interface 10GE1/17/3
port default vlan 30
traffic-policy p_rd inbound
#
interface 10GE1/17/4
port default vlan 100
#
return
Example for Using a Layer 2 ACL to Configure a Traffic Classifier
Networking Requirements
As shown in Figure 12-26, the Switch Module that functions as the gateway is connected to the server leased by the tenant. A Layer 2 ACL needs to be configured to prevent packets with the source MAC address 00e0-f201-0101 and the destination MAC address 0260-e207-0002 from passing through.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure an ACL.
- Configure a traffic classifier.
- Configure a traffic behavior.
- Configure a traffic policy.
- Apply the traffic policy to an interface.
Procedure
- Configure an ACL.
# Configure a Layer 2 ACL.
<HUAWEI> system-view
[~HUAWEI] sysname Switch Module
[*HUAWEI] commit
[~Switch Module] acl 4000
[*Switch Module-acl-L2-4000] rule deny source-mac 00e0-f201-0101 ffff-ffff-ffff destination-mac 0260-e207-0002 ffff-ffff-ffff
[*Switch Module-acl-L2-4000] quit
- Configure the traffic classifier that is based on the ACL.
# Configure the traffic classifier tc1 to classify packets that match ACL 4000.
[*Switch Module] traffic classifier tc1
[*Switch Module-classifier-tc1] if-match acl 4000
[*Switch Module-classifier-tc1] quit
- Configure the traffic behavior.
# Configure the traffic behavior tb1 to reject packets.
[*Switch Module] traffic behavior tb1
[*Switch Module-behavior-tb1] deny
[*Switch Module-behavior-tb1] quit
- Configure the traffic policy.
# Configure the traffic policy tp1 and associate tc1 and tb1 with the traffic policy.
[*Switch Module] traffic policy tp1
[*Switch Module-trafficpolicy-tp1] classifier tc1 behavior tb1
[*Switch Module-trafficpolicy-tp1] quit
- Apply the traffic policy.
# Apply the traffic policy tp1 to 10GE 1/17/2.
[*Switch Module] interface 10ge 1/17/2
[*Switch Module-10GE1/17/2] traffic-policy tp1 inbound
[*Switch Module-10GE1/17/2] commit
[~Switch Module-10GE1/17/2] quit
- Verify the configuration.
# Check the configuration of ACL rules.
[~Switch Module] display acl 4000
L2 ACL 4000, 1 rule
ACL's step is 5
 rule 5 deny source-mac 00e0-f201-0101 destination-mac 0260-e207-0002 (0 times matched)
# Check the configuration of the traffic classifier.
[~Switch Module] display traffic classifier tc1
  Traffic Classifier Information:

  Classifier: tc1
   Type: OR
   Rule(s):
    if-match acl 4000
# Check the configuration of the traffic policy.
[~Switch Module] display traffic policy tp1
  Traffic Policy Information:

  Policy: tp1
   Classifier: tc1
    Type: OR
    Behavior: tb1
     Deny
[~Switch Module] display traffic-policy applied-record
Total records : 1
-------------------------------------------------------------------------------
Policy Name         Apply Parameter                Slot   State
-------------------------------------------------------------------------------
tp1                 10GE1/17/2 inbound             1      success
-------------------------------------------------------------------------------
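The Layer 2 rule above matches only when both the source and the destination MAC address agree with the rule under their masks; ffff-ffff-ffff means every bit is compared, so the rule is an exact match on the pair. The following Python model is an added example, not code from the Huawei guide; it assumes the mask convention that a 1 bit in the mask means "compare this bit", and it goes one step beyond the page by treating the mask generally, so a partial mask such as ffff-ffff-0000 (a constructed value here) matches on the first 32 bits with the same code.

```python
# Added example, not part of the Huawei guide: evaluation of the Layer 2 ACL rule
# 'rule deny source-mac 00e0-f201-0101 ffff-ffff-ffff destination-mac 0260-e207-0002 ffff-ffff-ffff'.
# Assumed mask convention: a 1 bit in the mask means the bit is compared, 0 means ignored.
# The partial-mask case in the tests is a constructed illustration, not from the page.
from typing import List, Tuple

# (action, source pattern, source mask, destination pattern, destination mask)
L2Rule = Tuple[str, str, str, str, str]


def parse_mac(text: str) -> int:
    """Accepts Huawei 'xxxx-xxxx-xxxx' and IEEE 'xx:xx:xx:xx:xx:xx' forms; returns a 48-bit int."""
    digits = text.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {text!r}")
    return int(digits, 16)


def mac_match(value: str, pattern: str, mask: str) -> bool:
    """True when value and pattern agree on every bit the mask marks for comparison."""
    m = parse_mac(mask)
    return (parse_mac(value) & m) == (parse_mac(pattern) & m)


# ACL 4000 as configured in the procedure above
ACL_4000: List[L2Rule] = [
    ("deny", "00e0-f201-0101", "ffff-ffff-ffff", "0260-e207-0002", "ffff-ffff-ffff"),   # rule 5
]


def l2_decision(src_mac: str, dst_mac: str, rules: List[L2Rule] = ACL_4000) -> str:
    """First-match over the rules; both MAC conditions of a rule must hold.
    Returns 'permit' when nothing matches (assumption for this model: the example only
    adds a drop for the one matched flow and leaves other traffic alone)."""
    for action, src_pat, src_mask, dst_pat, dst_mask in rules:
        if mac_match(src_mac, src_pat, src_mask) and mac_match(dst_mac, dst_pat, dst_mask):
            return action
    return "permit"


if __name__ == "__main__":
    print(l2_decision("00e0-f201-0101", "0260-e207-0002"))   # the blocked pair        -> deny
    print(l2_decision("0260-e207-0002", "00e0-f201-0101"))   # reverse direction       -> permit
    print(l2_decision("00e0-f201-0102", "0260-e207-0002"))   # one bit off in source   -> permit
    print(mac_match("00e0-f201-9999", "00e0-f201-0101", "ffff-ffff-0000"))  # constructed partial mask -> True
```

Because the rule is an exact match on the source and destination pair, a frame from the same source to any other destination, or the reply traffic in the opposite direction, is not covered by it; a policy that should block a host in both directions needs a second rule or a looser destination mask.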
Configuration Files
# Configuration file of the Switch Module
#
sysname Switch Module
#
acl number 4000
rule 5 deny source-mac 00e0-f201-0101 destination-mac 0260-e207-0002
#
traffic classifier tc1 type or
if-match acl 4000
#
traffic behavior tb1
deny
#
traffic policy tp1
classifier tc1 behavior tb1 precedence 5
#
interface 10GE1/17/2
traffic-policy tp1 inbound
#
return