No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

S2700, S3700, S5700, S6700, S7700, and S9700 Series Switches Typical Configuration Examples

This document provides examples for configuring features in typical usage scenarios.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Using an ACL to Prevent Internal Hosts from Accessing the Internet

Example for Using an ACL to Prevent Internal Hosts from Accessing the Internet

ACL Overview

An Access Control List (ACL) consists of one rule or a set of rules that describe the packet matching conditions. These conditions include source addresses, destination addresses, and port numbers of packets.

An ACL filters packets based on rules. A device with an ACL configured matches packets based on the rules to obtain the packets of a certain type, and then decides to forward or discard these packets according to the policies used by the service module to which the ACL is applied.

Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and Layer 2 ACL. A basic ACL defines rules to filter IPv4 packets based on information such as source IP addresses, fragment information, and time ranges. If you only need to filter packets based on source IP addresses, you can configure a basic ACL.

In this example, a basic ACL is applied to the traffic policy module so that the device can filter the packets from internal hosts to the Internet and thus prevent internal hosts from accessing the Internet.

Configuration Notes

This example applies to all versions and models.

NOTE:

The following commands and output information are obtained from S7712 running V200R007C00.

Networking Requirements

As shown in Figure 15-7, the departments of an enterprise are connected through the Switch. The Switch needs to prevent some hosts of the R&D and marketing departments from accessing the Internet to protect information security of the enterprise.

Figure 15-7  Using an ACL to prevent internal hosts from accessing the Internet

Configuration Roadmap

The following configurations are performed on the Switch. The configuration roadmap is as follows:

  1. Configure a basic ACL and ACL-based traffic classifier to filter packets from the specified hosts of the R&D and marketing departments.
  2. Configure a traffic behavior to discard the packets matching the ACL.
  3. Configure and apply a traffic policy to make the ACL and traffic behavior take effect.

Procedure

  1. Configure VLANs and IP addresses for interfaces.

    # Create VLAN 10 and VLAN 20.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] vlan batch 10 20
    

    # Configure GE1/0/1 and GE1/0/2 of the Switch as trunk interfaces and add them to VLAN 10 and VLAN 20 respectively. Configure GE2/0/1 of the Switch as a trunk interface and add it to both VLAN 10 and VLAN 20.

    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] port link-type trunk
    [Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
    [Switch-GigabitEthernet1/0/1] quit
    [Switch] interface gigabitethernet 1/0/2
    [Switch-GigabitEthernet1/0/2] port link-type trunk
    [Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
    [Switch-GigabitEthernet1/0/2] quit
    [Switch] interface gigabitethernet 2/0/1
    [Switch-GigabitEthernet2/0/1] port link-type trunk
    [Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 10 20
    [Switch-GigabitEthernet2/0/1] quit

    # Create VLANIF 10 and VLANIF 20 and assign IP addresses to them.

    [Switch] interface vlanif 10
    [Switch-Vlanif10] ip address 10.1.1.1 24
    [Switch-Vlanif10] quit
    [Switch] interface vlanif 20
    [Switch-Vlanif20] ip address 10.1.2.1 24
    [Switch-Vlanif20] quit
    

  2. Configure an ACL.

    # Create basic ACL 2001 and configure rules to reject the packets from hosts 10.1.1.11 and 10.1.2.12.

    [Switch] acl 2001
    [Switch-acl-basic-2001] rule deny source 10.1.1.11 0  //Prevent the host with IP address 10.1.1.11 from accessing the Internet.
    [Switch-acl-basic-2001] rule deny source 10.1.2.12 0  //Prevent the host with IP address 10.1.2.12 from accessing the Internet.
    [Switch-acl-basic-2001] quit

  3. Configure the basic ACL-based traffic classifier.

    # Configure the traffic classifier tc1 to classify packets that match ACL 2001.

    [Switch] traffic classifier tc1  //Create a traffic classifier.
    [Switch-classifier-tc1] if-match acl 2001  //Associate an ACL with the traffic classifier.
    [Switch-classifier-tc1] quit

  4. Configure the traffic behavior.

    # Configure the traffic behavior tb1 to reject packets.

    [Switch] traffic behavior tb1  //Create a traffic behavior.
    [Switch-behavior-tb1] deny  //Set the action of the traffic behavior to deny.
    [Switch-behavior-tb1] quit

  5. Configure the traffic policy.

    # Define the traffic policy and associate the traffic classifier and traffic behavior with the traffic policy.

    [Switch] traffic policy tp1  //Create a traffic policy.
    [Switch-trafficpolicy-tp1] classifier tc1 behavior tb1  //Associate the traffic classifier tc1 with the traffic behavior tb1.
    [Switch-trafficpolicy-tp1] quit

  6. Apply the traffic policy to an interface.

    # Packets from internal hosts are forwarded to the Internet through GE2/0/1; therefore, apply the traffic policy to the outbound direction of GE2/0/1.

    [Switch] interface gigabitethernet 2/0/1
    [Switch-GigabitEthernet2/0/1] traffic-policy tp1 outbound  //Apply the traffic policy to the outbound direction of an interface.
    [Switch-GigabitEthernet2/0/1] quit
    

  7. Verify the configuration.

    # Check the configuration of ACL rules.

    [Switch] display acl 2001
    Basic ACL 2001, 2 rules                                                         
    Acl's step is 5                                                                 
     rule 5 deny source 10.1.1.11 0 (match-counter 0)                               
     rule 10 deny source 10.1.2.12 0 (match-counter 0)  

    # Check the configuration of the traffic classifier.

    [Switch] display traffic classifier user-defined
      User Defined Classifier Information:
       Classifier: tc1
        Precedence: 5
        Operator: OR
        Rule(s) : if-match acl 2001                                                 
    
    Total classifier number is 1   

    # Check the configuration of the traffic policy.

    [Switch] display traffic policy user-defined tp1
      User Defined Traffic Policy Information:                                      
      Policy: tp1                                                                   
       Classifier: tc1                                                              
        Operator: OR                                                                
         Behavior: tb1                                                              
          Deny  

    # The hosts at 10.1.1.11 and 10.1.2.12 cannot access the Internet, and other hosts can access the Internet.

Configuration Files

Configuration file of the Switch

#
sysname Switch
#
vlan batch 10 20 
#
acl number 2001                                                                 
 rule 5 deny source 10.1.1.11 0                                                 
 rule 10 deny source 10.1.2.12 0  
#
traffic classifier tc1 operator or precedence 5  
 if-match acl 2001                                                              
#
traffic behavior tb1
 deny
#
traffic policy tp1 match-order config
 classifier tc1 behavior tb1
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
 ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk                                                           
 port trunk allow-pass vlan 10 
#
interface GigabitEthernet1/0/2
 port link-type trunk                                                           
 port trunk allow-pass vlan 20 
#
interface GigabitEthernet2/0/1
 port link-type trunk                                                           
 port trunk allow-pass vlan 10 20 
 traffic-policy tp1 outbound
#
return 
Download
Updated: 2019-04-20

Document ID: EDOC1000069520

Views: 658187

Downloads: 29811

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next