S12700 Series Agile Switches Typical Configuration Examples

This document provides examples for configuring features in typical usage scenarios.
Example for Using an ACL to Restrict FTP Access Rights

ACL Overview

An Access Control List (ACL) consists of one rule or a set of rules that describe the packet matching conditions. These conditions include source addresses, destination addresses, and port numbers of packets.

An ACL filters packets based on rules. A device with an ACL configured matches packets against the rules to identify packets of a certain type, and then forwards or discards those packets according to the policy of the service module to which the ACL is applied.

Depending on how rules are defined, ACLs are classified as basic ACLs, advanced ACLs, and Layer 2 ACLs. A basic ACL defines rules that filter IPv4 packets based on information such as source IP addresses, fragment information, and time ranges. If you only need to filter packets based on source IP addresses, a basic ACL is sufficient.

In this example, a basic ACL is applied to the FTP module to allow only the specified clients to access the FTP server, improving FTP server security.

Configuration Notes

  • In this example, the local user password is in irreversible-cipher mode, meaning that the password is stored using an irreversible (one-way) algorithm. Unauthorized users cannot recover the password by decrypting the stored value, so this mode is more secure than a reversible cipher.

  • This example applies to all versions of the S12700.

Networking Requirements

As shown in Figure 15-1, the Switch functions as an FTP server. The requirements are as follows:

  • All the users on subnet 1 (172.16.105.0/24) are allowed to access the FTP server anytime.
  • All the users on subnet 2 (172.16.107.0/24) are allowed to access the FTP server only during the specified period of time.
  • Other users are not allowed to access the FTP server.

Reachable routes exist between the Switch and subnets. You need to configure the Switch to limit user access to the FTP server.

Figure 15-1  Using basic ACLs to restrict FTP access rights

Procedure

  1. Configure a time range.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] time-range ftp-access from 0:0 2014/1/1 to 23:59 2014/12/31  //Create an absolute time range for an ACL.
    [Switch] time-range ftp-access 14:00 to 18:00 off-day    //Create a periodic time range for an ACL. The time range is 14:00-18:00 on every weekend. The validity period of ftp-access is the overlap of the two time ranges.

  2. Configure a basic ACL.

    [Switch] acl number 2001
    [Switch-acl-basic-2001] rule permit source 172.16.105.0 0.0.0.255  //Allow users on network segment 172.16.105.0/24 to access the FTP server anytime.
    [Switch-acl-basic-2001] rule permit source 172.16.107.0 0.0.0.255 time-range ftp-access  //Allow users on network segment 172.16.107.0/24 to access the FTP server only in the ftp-access time range.
    [Switch-acl-basic-2001] rule deny source any  //Prevent other users from accessing the FTP server.
    [Switch-acl-basic-2001] quit

  3. Configure basic FTP functions.

    [Switch] ftp server enable  //Enable the FTP server to allow users to log in to the device through FTP.
    [Switch] aaa
    [Switch-aaa] local-user huawei password irreversible-cipher SetUserPassword@123  //Configure the FTP user name and password.
    [Switch-aaa] local-user huawei privilege level 15  //Set the FTP user level.
    [Switch-aaa] local-user huawei service-type ftp  //Set the FTP user service type.
    [Switch-aaa] local-user huawei ftp-directory flash:/  //Configure the FTP working directory.
    [Switch-aaa] quit
    

  4. Configure access permissions on the FTP server.

    [Switch] ftp acl 2001  //Apply an ACL to the FTP module.

  5. Verify the configuration.

    Run the ftp 172.16.104.110 command on PC1 (172.16.105.111/24) in subnet 1. PC1 can connect to the FTP server.

    Run the ftp 172.16.104.110 command on PC2 (172.16.107.111/24) in subnet 2 on Monday in 2014. PC2 cannot connect to the FTP server. Run the ftp 172.16.104.110 command on PC2 (172.16.107.111/24) in subnet 2 at 15:00 on a Saturday in 2014. PC2 can connect to the FTP server.

    Run the ftp 172.16.104.110 command on PC3 (10.10.10.1/24). PC3 cannot connect to the FTP server.
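The following Python model is an added example, not part of the Huawei document or the switch software. It reproduces how ACL 2001 and the ftp-access time range above decide an FTP login attempt (first-match rule evaluation, a rule with a time range being skipped while the range is inactive), so the verification results of step 5 can be checked offline; the fallback action for packets matching no rule is an assumption and is never reached here because rule 15 matches every source.

```python
# Added example: models ACL 2001 and time-range ftp-access from the page.
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

# time-range ftp-access is the overlap of an absolute range and a periodic range.
ABS_START = datetime(2014, 1, 1, 0, 0)       # from 0:0 2014/1/1
ABS_END = datetime(2014, 12, 31, 23, 59)     # to 23:59 2014/12/31
OFF_DAYS = {5, 6}                            # off-day: Saturday (5) and Sunday (6)
PERIODIC_START = (14, 0)                     # 14:00
PERIODIC_END = (18, 0)                       # 18:00 (modelled as inclusive)


def ftp_access_active(when: datetime) -> bool:
    """True only when both the absolute and the periodic range contain `when`."""
    in_absolute = ABS_START <= when <= ABS_END
    in_periodic = (when.weekday() in OFF_DAYS
                   and PERIODIC_START <= (when.hour, when.minute) <= PERIODIC_END)
    return in_absolute and in_periodic


# ACL 2001 as shown in the configuration file: (rule id, action, source, time check).
Rule = Tuple[int, str, object, Optional[Callable[[datetime], bool]]]
ACL_2001: List[Rule] = [
    (5, "permit", ip_network("172.16.105.0/24"), None),
    (10, "permit", ip_network("172.16.107.0/24"), ftp_access_active),
    (15, "deny", ip_network("0.0.0.0/0"), None),   # rule deny source any
]


def evaluate(src: str, when: datetime) -> Tuple[str, int]:
    """First-match evaluation of ACL 2001; returns (action, matching rule id)."""
    addr = ip_address(src)
    for rule_id, action, net, time_check in ACL_2001:
        if addr not in net:
            continue
        if time_check is not None and not time_check(when):
            continue  # rule is inactive outside its time range; keep matching
        return action, rule_id
    return "deny", 0  # assumption only; unreachable because rule 15 matches all


if __name__ == "__main__":
    # Constructed sample attempts mirroring step 5 (2014-06-02 is a Monday,
    # 2014-06-07 a Saturday).
    for host, when in [("172.16.105.111", datetime(2014, 6, 2, 10, 0)),
                       ("172.16.107.111", datetime(2014, 6, 2, 15, 0)),
                       ("172.16.107.111", datetime(2014, 6, 7, 15, 0)),
                       ("10.10.10.1", datetime(2014, 6, 7, 15, 0))]:
        print(host, when, evaluate(host, when))
```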

Configuration Files

Configuration file of the Switch

#
sysname Switch
#
FTP server enable
FTP acl 2001
#
time-range ftp-access 14:00 to 18:00 off-day
time-range ftp-access from 00:00 2014/1/1 to 23:59 2014/12/31
#
acl number 2001
 rule 5 permit source 172.16.105.0 0.0.0.255
 rule 10 permit source 172.16.107.0 0.0.0.255 time-range ftp-access
 rule 15 deny
#
aaa
 local-user huawei password irreversible-cipher %^%#uM-!TkAaGB5=$$6SQuw$#batog!R7M_d^!o{*@N9g'e0baw#%^%#
 local-user huawei privilege level 15
 local-user huawei ftp-directory flash:/
 local-user huawei service-type ftp
#
return
Updated: 2019-05-16

Document ID: EDOC1000069466