Typical ACL Configuration
- Example for Using an ACL to Restrict FTP Access Rights
- Example for Using ACLs to Control Access to the Specified Server in the Specified Time Range
- Example for Using an ACL to Block Network Access of the Specified Users
- Example for Using Reflective ACL to Implement Unidirectional Access Control
- Example for Allowing Certain Users to Access the Internet in the Specified Time Range
- Example for Using ACLs to Restrict Mutual Access Between Network Segments
- Example for Using an ACL to Prevent Internal Hosts from Accessing the Internet
- Example for Using an ACL to Prevent External Hosts from Accessing Internal Servers
- Example for Applying ACLs to SNMP to Filter NMSs
Example for Using an ACL to Restrict FTP Access Rights
ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the packet matching conditions. These conditions include source addresses, destination addresses, and port numbers of packets.
An ACL filters packets based on rules. A device with an ACL configured matches packets based on the rules to obtain the packets of a certain type, and then decides to forward or discard these packets according to the policies used by the service module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and Layer 2 ACL. A basic ACL defines rules to filter IPv4 packets based on information such as source IP addresses, fragment information, and time ranges. If you only need to filter packets based on source IP addresses, you can configure a basic ACL.
In this example, a basic ACL is applied to the FTP module to allow only the specified clients to access the FTP server, improving FTP server security.
Configuration Notes
In this example, the local user password is in irreversible-cipher mode, indicating that the password is encrypted using the irreversible algorithm. Unauthorized users cannot obtain the password through decryption. Therefore, this algorithm is secure. This password mode only applies to V200R003C00 and later versions. In versions earlier than V200R003C00, the local user passwords can only be in cipher mode, indicating that the passwords are encrypted using the reversible algorithm. Unauthorized users can obtain the passwords through decryption. This algorithm is less secure.
This example applies to all versions of all S series switches.
Networking Requirements
As shown in Figure 3-235, the Switch functions as an FTP server. The requirements are as follows:
- All the users on subnet 1 (172.16.105.0/24) are allowed to access the FTP server anytime.
- All the users on subnet 2 (172.16.107.0/24) are allowed to access the FTP server only during the specified period of time.
- Other users are not allowed to access the FTP server.
Reachable routes exist between the Switch and subnets. You need to configure the Switch to limit user access to the FTP server.
Procedure
- Configure a time range.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] time-range ftp-access from 0:0 2014/1/1 to 23:59 2014/12/31 //Create an absolute time range for an ACL.
[Switch] time-range ftp-access 14:00 to 18:00 off-day //Create a periodic time range for an ACL. The time range is 14:00-18:00 on every weekend. The validity period of ftp-access is the overlap of the two time ranges.
- Configure a basic ACL.
[Switch] acl number 2001
[Switch-acl-basic-2001] rule permit source 172.16.105.0 0.0.0.255 //Allow users on network segment 172.16.105.0/24 to access the FTP server anytime.
[Switch-acl-basic-2001] rule permit source 172.16.107.0 0.0.0.255 time-range ftp-access //Allow users on network segment 172.16.107.0/24 to access the FTP server only in the ftp-access time range.
[Switch-acl-basic-2001] rule deny source any //Prevent other users from accessing the FTP server.
[Switch-acl-basic-2001] quit
- Configure basic FTP functions.
[Switch] ftp server enable //Enable the FTP server to allow users to log in to the device through FTP.
[Switch] ftp server-source -i Vlanif 10 //Configure the source interface of the server as the interface corresponding to 172.16.104.110. Assume that the interface is Vlanif 10.
[Switch] aaa
[Switch-aaa] local-user huawei password irreversible-cipher SetUserPassword@123 //Configure the FTP user name and password. The password in irreversible-cipher mode only applies to V200R003C00 and later versions. In versions earlier than V200R003C00, only passwords in cipher mode can be used.
[Switch-aaa] local-user huawei privilege level 15 //Set the FTP user level.
[Switch-aaa] local-user huawei service-type ftp //Set the FTP user service type.
[Switch-aaa] local-user huawei ftp-directory cfcard:/ //Configure the FTP working directory, which must be configured as flash:/ on a fixed switch.
[Switch-aaa] quit
- Configure access permissions on the FTP server.
[Switch] ftp acl 2001 //Apply an ACL to the FTP module.
- Verify the configuration.
Run the ftp 172.16.104.110 command on PC1 (172.16.105.111/24) in subnet 1. PC1 can connect to the FTP server.
Run the ftp 172.16.104.110 command on PC2 (172.16.107.111/24) in subnet 2 on Monday in 2014. PC2 cannot connect to the FTP server. Run the ftp 172.16.104.110 command on PC2 (172.16.107.111/24) in subnet 2 at 15:00 on a Saturday in 2014. PC2 can connect to the FTP server.
Run the ftp 172.16.104.110 command on PC3 (10.10.10.1/24). PC3 cannot connect to the FTP server.
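The following Python model is an added illustration, not Huawei code: it reproduces the matching logic behind ACL 2001 and the ftp-access time range (wildcard-mask matching, first-match rule order, and the overlap of an absolute and a periodic time range) and replays the four verification cases above. The names TimeRange, Rule, evaluate and ftp_allowed are my own; the day sets also cover the working-day keyword used in later examples on this page.

```python
"""Model of basic-ACL matching with time ranges, as used in the FTP example.
Added illustration only; not Huawei code. Names are the author's own."""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import IPv4Address
from typing import Optional

# Day sets behind the periodic time-range keywords used on this page.
DAY_SETS = {
    "working-day": {0, 1, 2, 3, 4},      # Monday to Friday (datetime.weekday())
    "off-day": {5, 6},                   # Saturday and Sunday
    "daily": {0, 1, 2, 3, 4, 5, 6},
}


@dataclass
class TimeRange:
    """One named time range. It is active only when at least one of its
    absolute windows (if any) AND at least one of its periodic windows (if any)
    cover the instant: the 'overlap' rule the FTP example relies on."""
    absolute: list = field(default_factory=list)   # [(start_dt, end_dt), ...]
    periodic: list = field(default_factory=list)   # [("HH:MM", "HH:MM", dayset), ...]

    def active(self, t: datetime) -> bool:
        abs_ok = not self.absolute or any(s <= t <= e for s, e in self.absolute)
        hm = t.strftime("%H:%M")   # zero-padded, so string comparison is safe
        per_ok = not self.periodic or any(
            s <= hm <= e and t.weekday() in DAY_SETS[days]
            for s, e, days in self.periodic)
        return abs_ok and per_ok


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei wildcard semantics: a 1 bit in the wildcard means 'do not compare'.
    0.0.0.255 therefore matches a /24; 0.0.0.0 (written 0 on the CLI) matches one host."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    source: Optional[tuple] = None     # (base, wildcard); None means 'any'
    time_range: Optional[str] = None   # name of a TimeRange, or None


def evaluate(rules, time_ranges, src_ip: str, when: datetime) -> Optional[str]:
    """First matching rule wins (configuration order). A rule whose time range is
    inactive is skipped as if it were absent. Returns None when nothing matches,
    so the caller can apply the service module's own default for unmatched traffic."""
    for r in rules:
        if r.source is not None and not wildcard_match(src_ip, *r.source):
            continue
        if r.time_range is not None and not time_ranges[r.time_range].active(when):
            continue
        return r.action
    return None


# The FTP example: the whole of 2014, overlapped with 14:00-18:00 on weekends.
FTP_TIME_RANGES = {
    "ftp-access": TimeRange(
        absolute=[(datetime(2014, 1, 1, 0, 0), datetime(2014, 12, 31, 23, 59))],
        periodic=[("14:00", "18:00", "off-day")],
    )
}
# acl number 2001 from the page, including the explicit trailing deny.
ACL_2001 = [
    Rule("permit", ("172.16.105.0", "0.0.0.255")),
    Rule("permit", ("172.16.107.0", "0.0.0.255"), time_range="ftp-access"),
    Rule("deny"),
]


def ftp_allowed(src_ip: str, when: str) -> bool:
    """True when ACL 2001 permits the client at the given ISO-8601 moment."""
    moment = datetime.fromisoformat(when)
    return evaluate(ACL_2001, FTP_TIME_RANGES, src_ip, moment) == "permit"


if __name__ == "__main__":
    # 2014-01-06 is a Monday, 2014-01-04 a Saturday.
    print("PC1 Monday   ", ftp_allowed("172.16.105.111", "2014-01-06T15:00"))
    print("PC2 Monday   ", ftp_allowed("172.16.107.111", "2014-01-06T15:00"))
    print("PC2 Saturday ", ftp_allowed("172.16.107.111", "2014-01-04T15:00"))
    print("PC3 Saturday ", ftp_allowed("10.10.10.1", "2014-01-04T15:00"))
```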
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
FTP server enable
FTP server-source -i Vlanif 10
FTP acl 2001
#
time-range ftp-access 14:00 to 18:00 off-day
time-range ftp-access from 00:00 2014/1/1 to 23:59 2014/12/31
#
acl number 2001
 rule 5 permit source 172.16.105.0 0.0.0.255
 rule 10 permit source 172.16.107.0 0.0.0.255 time-range ftp-access
 rule 15 deny
#
aaa
 local-user huawei password irreversible-cipher %^%#uM-!TkAaGB5=$$6SQuw$#batog!R7M_d^!o{*@N9g'e0baw#%^%#
 local-user huawei privilege level 15
 local-user huawei ftp-directory cfcard:/
 local-user huawei service-type ftp
#
return
Example for Using ACLs to Control Access to the Specified Server in the Specified Time Range
ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the packet matching conditions. These conditions include source addresses, destination addresses, and port numbers of packets.
An ACL filters packets based on rules. A device with an ACL configured matches packets based on the rules to obtain the packets of a certain type, and then decides to forward or discard these packets according to the policies used by the service module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and Layer 2 ACL. An advanced ACL defines rules to filter IPv4 packets based on source IP addresses, destination addresses, IP protocol types, TCP source/destination port numbers, UDP source/destination port numbers, fragment information, and time ranges. Compared with a basic ACL, an advanced ACL is more accurate, flexible, and provides more functions. For example, if you want to filter packets based on source and destination IP addresses, configure an advanced ACL.
In this example, advanced ACLs are applied to the traffic policy module so that the device can filter the packets sent from users to the specified server and thus restrict access to the specified server during a time range.
Configuration Notes
This example applies to all versions of all S series switches.
The following commands and output information are obtained from S7712 running V200R007C00.
Networking Requirements
As shown in Figure 3-236, the departments of an enterprise are connected through the Switch. The R&D and marketing departments cannot access the salary query server at 10.164.9.9 in work hours (08:00 to 17:30), whereas the president office can access the server at anytime.
Configuration Roadmap
- Configure the time range, advanced ACL, and ACL-based traffic classifier to filter packets from users to the server in the specified time range. In this way, you can restrict the access of different users to the server in the specified time range.
- Configure a traffic behavior to discard the packets matching the ACL.
- Configure and apply a traffic policy to make the ACL and traffic behavior take effect.
Procedure
- Add interfaces to VLANs and assign IP addresses to the VLANIF interfaces.
# Add GE1/0/1 through GE1/0/3 to VLANs 10, 20, and 30 respectively, add GE2/0/1 to VLAN 100, and assign IP addresses to the VLANIF interfaces. The configurations on GE1/0/1 and VLANIF 10 are shown as an example. The configurations on GE1/0/2, GE1/0/3, and GE2/0/1 are similar to that on GE1/0/1, and the configurations on VLANIF 20, VLANIF 30, and VLANIF 100 are similar to that on VLANIF 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 100
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.164.1.1 255.255.255.0
[Switch-Vlanif10] quit
- Configure the time range.
# Configure the time range as 8:00 to 17:30.
[Switch] time-range satime 8:00 to 17:30 working-day //Configure a periodic time range for an ACL.
- Configure ACLs.
# Configure an ACL for the marketing department accessing the salary query server.
[Switch] acl 3002
[Switch-acl-adv-3002] rule deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime //Prevent the marketing department from accessing the salary query server in the time range satime.
[Switch-acl-adv-3002] quit
# Configure an ACL for the R&D department accessing the salary query server.
[Switch] acl 3003
[Switch-acl-adv-3003] rule deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime //Prevent the R&D department from accessing the salary query server in the time range satime.
[Switch-acl-adv-3003] quit
- Configure ACL-based traffic classifiers.
# Configure the traffic classifier c_market to classify the packets that match ACL 3002.
[Switch] traffic classifier c_market //Create a traffic classifier.
[Switch-classifier-c_market] if-match acl 3002 //Associate an ACL with the traffic classifier.
[Switch-classifier-c_market] quit
# Configure the traffic classifier c_rd to classify the packets that match ACL 3003.
[Switch] traffic classifier c_rd //Create a traffic classifier.
[Switch-classifier-c_rd] if-match acl 3003 //Associate an ACL with the traffic classifier.
[Switch-classifier-c_rd] quit
- Configure traffic behaviors.
# Configure the traffic behavior b_market to reject packets.
[Switch] traffic behavior b_market //Create a traffic behavior.
[Switch-behavior-b_market] deny //Set the action of the traffic behavior to deny.
[Switch-behavior-b_market] quit
# Configure the traffic behavior b_rd to reject packets.
[Switch] traffic behavior b_rd //Create a traffic behavior.
[Switch-behavior-b_rd] deny //Set the action of the traffic behavior to deny.
[Switch-behavior-b_rd] quit
- Configure traffic policies.
# Configure the traffic policy p_market and associate the traffic classifier c_market and the traffic behavior b_market with the traffic policy.
[Switch] traffic policy p_market //Create a traffic policy.
[Switch-trafficpolicy-p_market] classifier c_market behavior b_market //Associate the traffic classifier c_market with the traffic behavior b_market.
[Switch-trafficpolicy-p_market] quit
# Configure the traffic policy p_rd and associate the traffic classifier c_rd and the traffic behavior b_rd with the traffic policy.
[Switch] traffic policy p_rd //Create a traffic policy.
[Switch-trafficpolicy-p_rd] classifier c_rd behavior b_rd //Associate the traffic classifier c_rd with the traffic behavior b_rd.
[Switch-trafficpolicy-p_rd] quit
- Apply the traffic policy.
# Packets from the marketing department to the server are received by GE1/0/2; therefore, apply the traffic policy p_market to the inbound direction of GE1/0/2.
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] traffic-policy p_market inbound //Apply the traffic policy to the inbound direction of an interface.
[Switch-GigabitEthernet1/0/2] quit
# Packets from the R&D department to the server are received by GE1/0/3; therefore, apply the traffic policy p_rd to the inbound direction of GE1/0/3.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] traffic-policy p_rd inbound //Apply the traffic policy to the inbound direction of an interface.
[Switch-GigabitEthernet1/0/3] quit
- Verify the configuration.
# Check the configuration of ACL rules.
[Switch] display acl all
 Total nonempty ACL number is 2

Advanced ACL 3002, 1 rule
Acl's step is 5
 rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime (match-counter 0)(Active)

Advanced ACL 3003, 1 rule
Acl's step is 5
 rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime (match-counter 0)(Active)
# Check the configuration of the traffic classifier.
[Switch] display traffic classifier user-defined
  User Defined Classifier Information:
   Classifier: c_market
    Precedence: 5
    Operator: OR
    Rule(s) : if-match acl 3002

   Classifier: c_rd
    Precedence: 10
    Operator: OR
    Rule(s) : if-match acl 3003

Total classifier number is 2
# Check the configuration of the traffic policy.
[Switch] display traffic policy user-defined
  User Defined Traffic Policy Information:
  Policy: p_market
   Classifier: c_market
   Operator: OR
    Behavior: b_market
     Deny

  Policy: p_rd
   Classifier: c_rd
   Operator: OR
    Behavior: b_rd
     Deny

Total policy number is 2
# Check the traffic policy application records.
[Switch] display traffic-policy applied-record
#
-------------------------------------------------
Policy Name:   p_market
Policy Index:  0
   Classifier:c_market     Behavior:b_market
-------------------------------------------------
 *interface GigabitEthernet1/0/2
    traffic-policy p_market inbound
      slot 1    :  success
-------------------------------------------------
 Policy total applied times: 1.
#
-------------------------------------------------
Policy Name:   p_rd
Policy Index:  1
   Classifier:c_rd     Behavior:b_rd
-------------------------------------------------
 *interface GigabitEthernet1/0/3
    traffic-policy p_rd inbound
      slot 1    :  success
-------------------------------------------------
 Policy total applied times: 1.
#
# The R&D and marketing departments cannot access the salary query server in work hours (08:00 to 17:30).
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20 30 100
#
time-range satime 08:00 to 17:30 working-day
#
acl number 3002
 rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
acl number 3003
 rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
#
traffic classifier c_market operator or precedence 5
 if-match acl 3002
traffic classifier c_rd operator or precedence 10
 if-match acl 3003
#
traffic behavior b_market
 deny
traffic behavior b_rd
 deny
#
traffic policy p_market match-order config
 classifier c_market behavior b_market
traffic policy p_rd match-order config
 classifier c_rd behavior b_rd
#
interface Vlanif10
 ip address 10.164.1.1 255.255.255.0
#
interface Vlanif20
 ip address 10.164.2.1 255.255.255.0
#
interface Vlanif30
 ip address 10.164.3.1 255.255.255.0
#
interface Vlanif100
 ip address 10.164.9.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
 traffic-policy p_market inbound
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk allow-pass vlan 30
 traffic-policy p_rd inbound
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
Example for Using an ACL to Block Network Access of the Specified Users
ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the packet matching conditions. These conditions include source addresses, destination addresses, and port numbers of packets.
An ACL filters packets based on rules. A device with an ACL configured matches packets based on the rules to obtain the packets of a certain type, and then decides to forward or discard these packets according to the policies used by the service module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and Layer 2 ACL. A Layer 2 ACL defines rules to filter IPv4 and IPv6 packets based on Ethernet frame information, such as source MAC addresses, destination MAC addresses, VLANs, and Layer 2 protocol types. Basic ACLs and advanced ACLs filter packets based on Layer 3 and Layer 4 information, while Layer 2 ACLs filter packets based on Layer 2 information. For example, if you want to filter packets based on MAC addresses and VLANs, configure a Layer 2 ACL.
In this example, a Layer 2 ACL is applied to the traffic policy module so that the device can filter the packets sent from users with certain MAC addresses to the Internet and thus prevent these users from accessing the Internet.
Configuration Notes
This example applies to all versions of all S series switches.
The following commands and output information are obtained from S7712 running V200R007C00.
Networking Requirements
As shown in Figure 3-237, the Switch that functions as the gateway is connected to PCs, and there are reachable routes to all subnets on the Switch. The administrator wants to block network access of PC1 after detecting that PC1 (00e0-f201-0101) is an unauthorized user.
Configuration Roadmap
The following configurations are performed on the Switch. The configuration roadmap is as follows:
- Configure a Layer 2 ACL and ACL-based traffic classifier to discard packets from MAC address xxxx-xxxx-xxx1 (preventing the user with this MAC address from accessing the network).
- Configure a traffic behavior to discard the packets matching the ACL.
- Configure and apply a traffic policy to make the ACL and traffic behavior take effect.
Procedure
- Configure an ACL.
# Configure a Layer 2 ACL to meet the preceding requirement.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] acl 4000
[Switch-acl-L2-4000] rule deny source-mac xxxx-xxxx-xxx1 ffff-ffff-ffff //Reject the packets from source MAC address xxxx-xxxx-xxx1.
[Switch-acl-L2-4000] quit
- Configure an ACL-based traffic classifier.
# Configure the traffic classifier tc1 to classify packets that match ACL 4000.
[Switch] traffic classifier tc1 //Create a traffic classifier.
[Switch-classifier-tc1] if-match acl 4000 //Associate an ACL with the traffic classifier.
[Switch-classifier-tc1] quit
- Configure the traffic behavior.
# Configure the traffic behavior tb1 to reject packets.
[Switch] traffic behavior tb1 //Create a traffic behavior.
[Switch-behavior-tb1] deny //Set the action of the traffic behavior to deny.
[Switch-behavior-tb1] quit
- Configure the traffic policy.
# Configure the traffic policy tp1 and associate tc1 and tb1 with the traffic policy.
[Switch] traffic policy tp1 //Create a traffic policy.
[Switch-trafficpolicy-tp1] classifier tc1 behavior tb1 //Associate the traffic classifier tc1 with the traffic behavior tb1.
[Switch-trafficpolicy-tp1] quit
- Apply the traffic policy.
# Packets from PC1 to the Internet are received by GE2/0/1; therefore, apply the traffic policy tp1 to the inbound direction of GE2/0/1.
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] traffic-policy tp1 inbound //Apply the traffic policy to the inbound direction of an interface.
[Switch-GigabitEthernet2/0/1] quit
- Verify the configuration.
# Check the configuration of the ACL rule.
[Switch] display acl 4000
L2 ACL 4000, 1 rule
Acl's step is 5
 rule 5 deny source-mac xxxx-xxxx-xxx1
# Check the configuration of the traffic classifier.
[Switch] display traffic classifier user-defined
  User Defined Classifier Information:
   Classifier: tc1
    Precedence: 5
    Operator: OR
    Rule(s) : if-match acl 4000

Total classifier number is 1
# Check the configuration of the traffic policy.
[Switch] display traffic policy user-defined tp1
  User Defined Traffic Policy Information:
  Policy: tp1
   Classifier: tc1
   Operator: OR
    Behavior: tb1
     Deny
# Check the traffic policy application records.
[Switch] display traffic-policy applied-record
#
-------------------------------------------------
Policy Name:   tp1
Policy Index:  0
   Classifier:tc1     Behavior:tb1
-------------------------------------------------
 *interface GigabitEthernet2/0/1
    traffic-policy tp1 inbound
      slot 2    :  success
-------------------------------------------------
 Policy total applied times: 1.
#
# The user with MAC address xxxx-xxxx-xxx1 cannot access the Internet.
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
acl number 4000
 rule 5 deny source-mac xxxx-xxxx-xxx1
#
traffic classifier tc1 operator or precedence 5
 if-match acl 4000
#
traffic behavior tb1
 deny
#
traffic policy tp1 match-order config
 classifier tc1 behavior tb1
#
interface GigabitEthernet2/0/1
 traffic-policy tp1 inbound
#
return
Example for Using Reflective ACL to Implement Unidirectional Access Control
Reflective ACL Overview
Reflective ACL is a type of dynamic ACL. The device creates a reflective ACL by swapping the source/destination IP addresses and source/destination port numbers of an ACL. A reflective ACL has an aging time. If packets passing the interface match the reflective ACL within the aging time, this reflective ACL is kept in the next aging time interval. If no packet passing the interface matches the reflective ACL within the aging time, the reflective ACL is deleted. This mechanism improves device security.
Reflective ACL implements unidirectional access control. An external host can access an internal host only after the internal host accesses the external host. Therefore, reflective ACL protects enterprises' internal networks against attacks initiated by external users.
In this example, an advanced reflective ACL is used to prevent the servers on the Internet from actively establishing UDP connections with internal hosts before the internal hosts connect to the external servers. Reflective ACL implements unidirectional access control between internal and external networks.
Configuration Notes
This example applies to all versions of modular switches, but does not apply to fixed switches.
Networking Requirements
As shown in Figure 3-238, Switch functions as the gateway to connect PCs to the Internet. There are reachable routes among the devices. To ensure internal network security, the administrator allows servers on the Internet to establish UDP connections with internal PCs only after the internal PCs have established UDP connections with the external servers.
Configuration Roadmap
The following configurations are performed on the Switch. The configuration roadmap is as follows:
- Configure an advanced ACL based on which the device will generate a reflective ACL.
- Configure the reflective ACL function to allow internal PC1 to establish a UDP connection with a server on the Internet and prevent the external server from actively establishing a UDP connection with internal hosts.
Procedure
- Configure an advanced ACL.
# Create advanced ACL 3000 and configure a rule to permit UDP packets.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] acl 3000
[Switch-acl-adv-3000] rule permit udp //Allow UDP packets to pass.
[Switch-acl-adv-3000] quit
- Configure the reflective ACL function.
# Packets from the Internet are received by GE2/0/1; therefore, configure the reflective ACL function in the outbound direction of GE2/0/1 so that the Switch can generate reflective ACL for UDP packets.
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] traffic-reflect outbound acl 3000 //Apply the reflective ACL to the outbound direction of an interface.
[Switch-GigabitEthernet2/0/1] quit
- Verify the configuration.
Run the display traffic-reflect command to check reflective ACL information.
[Switch] display traffic-reflect outbound acl 3000
Proto SP    DP    DIP             SIP             Count     Timeout   Interface
------------------------------------------------------------------------------
UDP   2     80    192.168.1.2     10.1.1.2        9         300(s)    GigabitEthernet2/0/1
------------------------------------------------------------------------------
 * Total <1> flows accord with condition, <1> items was displayed.
------------------------------------------------------------------------------
 * Proto=Protocol,SIP=Source IP,DIP=Destination IP,Timeout=Time to cutoff,
 * SP=Source port,DP=Destination port,Count=Packets count(data).
The preceding information will be displayed only after internal hosts have established UDP connections with external servers. The preceding information shows that a reflective ACL has been generated on GE2/0/1 for the UDP packets between PC1 and server (192.168.1.2), and provides packet statistics.
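The following Python model is an added illustration of the reflective ACL mechanism described in this example; it is not Huawei code. It assumes the 300 s aging time shown in the display output, counts only matched inbound packets, and uses names of my own (Flow, ReflectiveAcl, scenario); it replays the PC1 (10.1.1.2) to server (192.168.1.2) UDP flow and shows that the server's reply is admitted, an unsolicited packet is not, and the entry disappears after it ages out.

```python
"""Model of a reflective ACL: an outbound flow matching the trigger ACL creates an
entry with source/destination swapped, and inbound traffic is admitted only while a
live entry exists. Added illustration only; not Huawei code."""
from dataclasses import dataclass

AGING_SECONDS = 300   # Timeout column of the display traffic-reflect output (assumed)


@dataclass(frozen=True)
class Flow:
    proto: str
    sip: str
    sp: int
    dip: str
    dp: int

    def swapped(self) -> "Flow":
        """The reflected entry: source and destination address/port exchanged."""
        return Flow(self.proto, self.dip, self.dp, self.sip, self.sp)


class ReflectiveAcl:
    """traffic-reflect outbound acl <n> on one interface, where ACL <n> is
    'rule permit udp' as in the example, so only UDP flows trigger entries."""

    def __init__(self, trigger_proto: str = "UDP", aging: int = AGING_SECONDS):
        self.trigger_proto = trigger_proto
        self.aging = aging
        self.entries = {}   # reflected Flow -> {"count": int, "expires": float}

    def outbound(self, flow: Flow, now: float) -> None:
        """An outbound packet matching the trigger ACL creates (or refreshes)
        the reflected entry for the return direction."""
        if flow.proto != self.trigger_proto:
            return
        entry = self.entries.setdefault(flow.swapped(), {"count": 0, "expires": 0.0})
        entry["expires"] = now + self.aging

    def inbound(self, flow: Flow, now: float) -> bool:
        """An inbound packet is permitted only if it hits a live reflected entry.
        A hit counts the packet and restarts the aging timer (model assumption:
        only matched inbound packets are counted)."""
        self.age(now)
        entry = self.entries.get(flow)
        if entry is None:
            return False
        entry["count"] += 1
        entry["expires"] = now + self.aging
        return True

    def age(self, now: float) -> None:
        """Delete entries that saw no matching packet within the aging time."""
        for key in [k for k, e in self.entries.items() if e["expires"] <= now]:
            del self.entries[key]

    def live_entries(self, now: float) -> int:
        self.age(now)
        return len(self.entries)


def scenario() -> dict:
    """Replay the page's scenario with constructed timestamps (seconds)."""
    acl = ReflectiveAcl()
    pc1_to_server = Flow("UDP", "10.1.1.2", 2, "192.168.1.2", 80)
    server_reply = pc1_to_server.swapped()
    unsolicited = Flow("UDP", "192.168.1.2", 80, "10.1.1.3", 2)   # other host
    tcp_reply = Flow("TCP", "192.168.1.2", 443, "10.1.1.2", 40000)
    results = {}
    # Server tries first: nothing reflected yet, so it is dropped.
    results["reply_before_outbound"] = acl.inbound(server_reply, 0)
    # PC1 opens the UDP flow; the reflected entry is created.
    acl.outbound(pc1_to_server, 10)
    results["reply_after_outbound"] = acl.inbound(server_reply, 20)
    results["unsolicited_other_host"] = acl.inbound(unsolicited, 20)
    # TCP is not in ACL 3000, so no entry exists for it.
    acl.outbound(Flow("TCP", "10.1.1.2", 40000, "192.168.1.2", 443), 20)
    results["tcp_reply"] = acl.inbound(tcp_reply, 21)
    results["entries_inside_aging"] = acl.live_entries(300)
    # No traffic for longer than the aging time: the entry is removed.
    late = 20 + AGING_SECONDS + 1
    results["reply_after_aging"] = acl.inbound(server_reply, late)
    results["entries_after_aging"] = acl.live_entries(late)
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name:28s} {value}")
```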
Example for Allowing Certain Users to Access the Internet in the Specified Time Range
ACL Time Range Overview
An ACL defines many matching conditions to filter most packets transmitted on a network; on its own, however, it cannot filter packets only during a specified time range.
You can configure a time range and associate it with an ACL rule to filter packets based on time. In this way, different policies apply to users in different time ranges.
In this example, a basic ACL associated with a time range is applied to the traffic policy module so that the device can filter packets sent from internal users to the Internet in the specified time range. As a result, users can access the Internet only in the specified time range.
Configuration Notes
This example applies to all versions of all S series switches.
The following commands and output information are obtained from S7712 running V200R007C00.
Networking Requirements
As shown in Figure 3-239, the departments of an enterprise are connected through the Switch. The enterprise allows all employees to access the Internet on work days (Monday to Friday), and only the managers to access the Internet on weekends (Saturday and Sunday).
Configuration Roadmap
The following configurations are performed on the Switch. The configuration roadmap is as follows:
- Configure the time range, basic ACL, and ACL-based traffic classifier to filter packets sent from internal users to the Internet and thus allow only certain users to access the Internet in the specified time range.
- Configure a traffic behavior to permit the packets that match the ACL permit rule.
- Configure and apply a traffic policy to make the ACL and traffic behavior take effect.
Procedure
- Configure VLANs and IP addresses for interfaces.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
# Configure GE1/0/1 and GE1/0/2 of the Switch as trunk interfaces and add them to VLAN 10 and VLAN 20 respectively. Configure GE2/0/1 of the Switch as a trunk interface and add it to both VLAN 10 and VLAN 20.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 10 20
[Switch-GigabitEthernet2/0/1] quit
# Create VLANIF 10 and VLANIF 20 and assign IP addresses to them.
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.1.1 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.2.1 24
[Switch-Vlanif20] quit
- Configure a time range.
# Configure the periodic time range from Saturday to Sunday.
[Switch] time-range rest-time 0:00 to 23:59 off-day //Configure a periodic time range for an ACL.
- Configure an ACL.
# Create basic ACL 2001 and configure rules to allow the R&D and marketing managers (10.1.1.11 and 10.1.2.12) to access the Internet anytime and prevent other employees from accessing the Internet on Saturday and Sunday. That is, only the managers of R&D and marketing departments can access the Internet on Saturday and Sunday.
[Switch] acl 2001
[Switch-acl-basic-2001] rule permit source 10.1.1.11 0 //Allow the manager of the R&D department to access the Internet anytime.
[Switch-acl-basic-2001] rule permit source 10.1.2.12 0 //Allow the manager of the marketing department to access the Internet anytime.
[Switch-acl-basic-2001] rule deny time-range rest-time //Prevent other users from accessing the Internet on Saturday and Sunday.
[Switch-acl-basic-2001] quit
- Configure the basic ACL-based traffic classifier.
# Configure the traffic classifier tc1 to classify packets that match ACL 2001.
[Switch] traffic classifier tc1 //Create a traffic classifier.
[Switch-classifier-tc1] if-match acl 2001 //Associate an ACL with the traffic classifier.
[Switch-classifier-tc1] quit
- Configure traffic behaviors.
# Configure the traffic behavior tb1 and set the action to permit (default value).
Packets matching the ACL are discarded as long as a deny action exists in an ACL rule or traffic behavior.
[Switch] traffic behavior tb1 //Create a traffic behavior.
[Switch-behavior-tb1] quit
- Configure the traffic policy.
# Define the traffic policy and associate the traffic classifier and traffic behavior with the traffic policy.
[Switch] traffic policy tp1 //Create a traffic policy.
[Switch-trafficpolicy-tp1] classifier tc1 behavior tb1 //Associate the traffic classifier tc1 with the traffic behavior tb1.
[Switch-trafficpolicy-tp1] quit
- Apply the traffic policy to an interface.
# Packets from internal hosts are forwarded to the Internet through GE2/0/1; therefore, apply the traffic policy tp1 to the outbound direction of GE2/0/1.
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] traffic-policy tp1 outbound //Apply the traffic policy to the outbound direction of an interface.
[Switch-GigabitEthernet2/0/1] quit
- Verify the configuration.
# Check the configuration of ACL rules.
[Switch] display acl 2001
Basic ACL 2001, 3 rules
Acl's step is 5
 rule 5 permit source 10.1.1.11 0 (match-counter 0)
 rule 10 permit source 10.1.2.12 0 (match-counter 0)
 rule 15 deny time-range rest-time (match-counter 0) (Inactive)
# Check the configuration of the traffic classifier.
[Switch] display traffic classifier user-defined
  User Defined Classifier Information:
   Classifier: tc1
    Precedence: 5
    Operator: OR
    Rule(s) : if-match acl 2001

Total classifier number is 1
# Check the configuration of the traffic policy.
[Switch] display traffic policy user-defined tp1
  User Defined Traffic Policy Information:
  Policy: tp1
   Classifier: tc1
   Operator: OR
    Behavior: tb1
     Permit

Total policy number is 1
# All employees can access the Internet on work days. Only the managers (10.1.1.11 and 10.1.2.12) of R&D and marketing departments can access the Internet on weekends.
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
time-range rest-time 00:00 to 23:59 off-day
#
acl number 2001
 rule 5 permit source 10.1.1.11 0
 rule 10 permit source 10.1.2.12 0
 rule 15 deny time-range rest-time
#
traffic classifier tc1 operator or precedence 5
 if-match acl 2001
#
traffic behavior tb1
 permit
#
traffic policy tp1 match-order config
 classifier tc1 behavior tb1
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
 ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 20
 traffic-policy tp1 outbound
#
return
Example for Using ACLs to Restrict Mutual Access Between Network Segments
ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the packet matching conditions. These conditions include source addresses, destination addresses, and port numbers of packets.
An ACL filters packets based on rules. A device with an ACL configured matches packets based on the rules to obtain the packets of a certain type, and then decides to forward or discard these packets according to the policies used by the service module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and Layer 2 ACL. An advanced ACL defines rules to filter IPv4 packets based on source IP addresses, destination addresses, IP protocol types, TCP source/destination port numbers, UDP source/destination port numbers, fragment information, and time ranges. Compared with a basic ACL, an advanced ACL is more accurate, flexible, and provides more functions. For example, if you want to filter packets based on source and destination IP addresses, configure an advanced ACL.
In this example, advanced ACLs are applied to the traffic policy module so that the device can filter the packets between different network segments and thus restrict mutual access between network segments.
Configuration Notes
This example applies to all versions and models.
The following commands and output information are obtained from S7712 running V200R007C00.
Networking Requirements
As shown in Figure 3-240, the departments of an enterprise are connected through the Switch. To facilitate network management, the administrator allocates the IP addresses on two network segments to the R&D and marketing departments respectively. The two departments belong to different VLANs. The mutual access between two network segments must be controlled to ensure information security.
Configuration Roadmap
The following configurations are performed on the Switch. The configuration roadmap is as follows:
- Configure an advanced ACL and an ACL-based traffic classifier to filter the packets exchanged between R&D and marketing departments.
- Configure a traffic behavior to discard the packets matching the ACL.
- Configure and apply a traffic policy to make the ACL and traffic behavior take effect.
Procedure
- Configure VLANs and IP addresses for interfaces.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
# Configure GE1/0/1 and GE1/0/2 of the Switch as trunk interfaces and add them to VLAN 10 and VLAN 20 respectively.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[Switch-GigabitEthernet1/0/2] quit
# Create VLANIF 10 and VLANIF 20 and assign IP addresses to them.
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.1.1 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.2.1 24
[Switch-Vlanif20] quit
- Configure ACLs.
# Create the advanced ACL 3001, and block packets from one department to another department. In this example, configure rules for the ACL to block the packets from the R&D department to the marketing department.
[Switch] acl 3001
[Switch-acl-adv-3001] rule deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 //Prevent the R&D department from accessing the marketing department.
[Switch-acl-adv-3001] quit
- Configure the advanced ACL-based traffic classifier.
# Configure the traffic classifier tc1 to classify packets that match ACL 3001.
[Switch] traffic classifier tc1 //Create a traffic classifier.
[Switch-classifier-tc1] if-match acl 3001 //Associate an ACL with the traffic classifier.
[Switch-classifier-tc1] quit
- Configure the traffic behavior.
# Configure the traffic behavior tb1 to reject packets.
[Switch] traffic behavior tb1 //Create a traffic behavior.
[Switch-behavior-tb1] deny //Set the action of the traffic behavior to deny.
[Switch-behavior-tb1] quit
- Configure the traffic policy.
# Define the traffic policy and associate the traffic classifier and traffic behavior with the traffic policy.
[Switch] traffic policy tp1 //Create a traffic policy.
[Switch-trafficpolicy-tp1] classifier tc1 behavior tb1 //Associate the traffic classifier tc1 with the traffic behavior tb1.
[Switch-trafficpolicy-tp1] quit
- Apply the traffic policy to an interface.
# Packets from the R&D department are received by GE1/0/1. Therefore, apply the traffic policy to the inbound direction of GE1/0/1.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy tp1 inbound //Apply the traffic policy to the inbound direction of an interface.
[Switch-GigabitEthernet1/0/1] quit
- Verify the configuration.
# Check the configuration of ACL rules.
[Switch] display acl 3001
Advanced ACL 3001, 1 rule
Acl's step is 5
 rule 5 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 (match-counter 0)
# Check the configuration of the traffic classifier.
[Switch] display traffic classifier user-defined
  User Defined Classifier Information:
   Classifier: tc1
    Precedence: 5
    Operator: OR
    Rule(s) : if-match acl 3001

Total classifier number is 1
# Check the configuration of the traffic policy.
[Switch] display traffic policy user-defined tp1
  User Defined Traffic Policy Information:
  Policy: tp1
   Classifier: tc1
   Operator: OR
    Behavior: tb1
      Deny
# The network segments where the R&D and marketing departments reside cannot access each other, but they can access the network segments of other departments.
Configuration Files
Configuration file of the Switch
#
 sysname Switch
#
vlan batch 10 20
#
acl number 3001
 rule 5 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
traffic classifier tc1 operator or precedence 5
 if-match acl 3001
#
traffic behavior tb1
 deny
#
traffic policy tp1 match-order config
 classifier tc1 behavior tb1
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
 ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
 traffic-policy tp1 inbound
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
#
return
Example for Using an ACL to Prevent Internal Hosts from Accessing the Internet
ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the packet matching conditions. These conditions include source addresses, destination addresses, and port numbers of packets.
An ACL filters packets based on rules. A device with an ACL configured matches packets based on the rules to obtain the packets of a certain type, and then decides to forward or discard these packets according to the policies used by the service module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and Layer 2 ACL. A basic ACL defines rules to filter IPv4 packets based on information such as source IP addresses, fragment information, and time ranges. If you only need to filter packets based on source IP addresses, you can configure a basic ACL.
In this example, a basic ACL is applied to the traffic policy module so that the device can filter the packets from internal hosts to the Internet and thus prevent internal hosts from accessing the Internet.
Configuration Notes
This example applies to all versions and models.
The following commands and output information are obtained from S7712 running V200R007C00.
Networking Requirements
As shown in Figure 3-241, the departments of an enterprise are connected through the Switch. The Switch needs to prevent some hosts of the R&D and marketing departments from accessing the Internet to protect information security of the enterprise.
Configuration Roadmap
The following configurations are performed on the Switch. The configuration roadmap is as follows:
- Configure a basic ACL and ACL-based traffic classifier to filter packets from the specified hosts of the R&D and marketing departments.
- Configure a traffic behavior to discard the packets matching the ACL.
- Configure and apply a traffic policy to make the ACL and traffic behavior take effect.
Procedure
- Configure VLANs and IP addresses for interfaces.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
# Configure GE1/0/1 and GE1/0/2 of the Switch as trunk interfaces and add them to VLAN 10 and VLAN 20 respectively. Configure GE2/0/1 of the Switch as a trunk interface and add it to both VLAN 10 and VLAN 20.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 10 20
[Switch-GigabitEthernet2/0/1] quit
# Create VLANIF 10 and VLANIF 20 and assign IP addresses to them.
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.1.1 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.2.1 24
[Switch-Vlanif20] quit
- Configure an ACL.
# Create basic ACL 2001 and configure rules to reject the packets from hosts 10.1.1.11 and 10.1.2.12.
[Switch] acl 2001
[Switch-acl-basic-2001] rule deny source 10.1.1.11 0 //Prevent the host with IP address 10.1.1.11 from accessing the Internet.
[Switch-acl-basic-2001] rule deny source 10.1.2.12 0 //Prevent the host with IP address 10.1.2.12 from accessing the Internet.
[Switch-acl-basic-2001] quit
- Configure the basic ACL-based traffic classifier.
# Configure the traffic classifier tc1 to classify packets that match ACL 2001.
[Switch] traffic classifier tc1 //Create a traffic classifier.
[Switch-classifier-tc1] if-match acl 2001 //Associate an ACL with the traffic classifier.
[Switch-classifier-tc1] quit
- Configure the traffic behavior.
# Configure the traffic behavior tb1 to reject packets.
[Switch] traffic behavior tb1 //Create a traffic behavior.
[Switch-behavior-tb1] deny //Set the action of the traffic behavior to deny.
[Switch-behavior-tb1] quit
- Configure the traffic policy.
# Define the traffic policy and associate the traffic classifier and traffic behavior with the traffic policy.
[Switch] traffic policy tp1 //Create a traffic policy.
[Switch-trafficpolicy-tp1] classifier tc1 behavior tb1 //Associate the traffic classifier tc1 with the traffic behavior tb1.
[Switch-trafficpolicy-tp1] quit
- Apply the traffic policy to an interface.
# Packets from internal hosts are forwarded to the Internet through GE2/0/1; therefore, apply the traffic policy to the outbound direction of GE2/0/1.
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] traffic-policy tp1 outbound //Apply the traffic policy to the outbound direction of an interface.
[Switch-GigabitEthernet2/0/1] quit
- Verify the configuration.
# Check the configuration of ACL rules.
[Switch] display acl 2001
Basic ACL 2001, 2 rules
Acl's step is 5
 rule 5 deny source 10.1.1.11 0 (match-counter 0)
 rule 10 deny source 10.1.2.12 0 (match-counter 0)
# Check the configuration of the traffic classifier.
[Switch] display traffic classifier user-defined
  User Defined Classifier Information:
   Classifier: tc1
    Precedence: 5
    Operator: OR
    Rule(s) : if-match acl 2001

Total classifier number is 1
# Check the configuration of the traffic policy.
[Switch] display traffic policy user-defined tp1
  User Defined Traffic Policy Information:
  Policy: tp1
   Classifier: tc1
   Operator: OR
    Behavior: tb1
      Deny
# The hosts at 10.1.1.11 and 10.1.2.12 cannot access the Internet, and other hosts can access the Internet.
Configuration Files
Configuration file of the Switch
#
 sysname Switch
#
vlan batch 10 20
#
acl number 2001
 rule 5 deny source 10.1.1.11 0
 rule 10 deny source 10.1.2.12 0
#
traffic classifier tc1 operator or precedence 5
 if-match acl 2001
#
traffic behavior tb1
 deny
#
traffic policy tp1 match-order config
 classifier tc1 behavior tb1
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
 ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 20
 traffic-policy tp1 outbound
#
return
Example for Using an ACL to Prevent External Hosts from Accessing Internal Servers
ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the packet matching conditions. These conditions include source addresses, destination addresses, and port numbers of packets.
An ACL filters packets based on rules. A device with an ACL configured matches packets based on the rules to obtain the packets of a certain type, and then decides to forward or discard these packets according to the policies used by the service module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and Layer 2 ACL. An advanced ACL defines rules to filter IPv4 packets based on source IP addresses, destination addresses, IP protocol types, TCP source/destination port numbers, UDP source/destination port numbers, fragment information, and time ranges. Compared with a basic ACL, an advanced ACL is more accurate, flexible, and provides more functions. For example, if you want to filter packets based on source and destination IP addresses, configure an advanced ACL.
In this example, an advanced ACL is applied to the traffic policy module so that the device can filter the packets sent from external hosts to internal servers and thus restrict access of external hosts to internal servers.
Configuration Notes
This example applies to all versions of all S series switches.
The following commands and output information are obtained from S7712 running V200R007C00.
Networking Requirements
As shown in Figure 3-242, the departments of an enterprise are connected through the Switch. The enterprise allows only internal hosts to access the finance server, preventing external hosts from accessing the server.
Configuration Roadmap
- Configure an advanced ACL and ACL-based traffic classifier to filter the packets from external hosts to the finance server and thus prevent external hosts from accessing this server.
- Configure a traffic behavior to permit the packets that match the ACL permit rule.
- Configure and apply a traffic policy to make the ACL and traffic behavior take effect.
Procedure
- Add interfaces to VLANs and assign IP addresses to the VLANIF interfaces.
# Add GE1/0/1 through GE1/0/3 to VLANs 10, 20, and 30 respectively, add GE2/0/1 to VLAN 100, and assign IP addresses to the VLANIF interfaces. The configurations on GE1/0/1 and VLANIF 10 are shown as an example. Configure GE1/0/2, GE1/0/3, and GE2/0/1 in the same way as GE1/0/1, and VLANIF 20, VLANIF 30, and VLANIF 100 in the same way as VLANIF 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 100
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.164.1.1 255.255.255.0
[Switch-Vlanif10] quit
- Configure an ACL.
# Create advanced ACL 3002 and configure rules to allow the packets from the president's office, R&D department, and marketing department to reach the finance server and block the packets sent from external hosts to the finance server.
[Switch] acl 3002
[Switch-acl-adv-3002] rule permit ip source 10.164.1.0 0.0.0.255 destination 10.164.4.4 0.0.0.0 //Allow the president's office to access the finance server.
[Switch-acl-adv-3002] rule permit ip source 10.164.2.0 0.0.0.255 destination 10.164.4.4 0.0.0.0 //Allow the marketing department to access the finance server.
[Switch-acl-adv-3002] rule permit ip source 10.164.3.0 0.0.0.255 destination 10.164.4.4 0.0.0.0 //Allow the R&D department to access the finance server.
[Switch-acl-adv-3002] rule deny ip destination 10.164.4.4 0.0.0.0 //Prevent other users from accessing the finance server.
[Switch-acl-adv-3002] quit
- Configure an ACL-based traffic classifier.
# Configure the traffic classifier c_network to classify the packets that match ACL 3002.
[Switch] traffic classifier c_network //Create a traffic classifier.
[Switch-classifier-c_network] if-match acl 3002 //Associate an ACL with the traffic classifier.
[Switch-classifier-c_network] quit
- Configure a traffic behavior.
# Configure the traffic behavior b_network and keep the action set to permit (default value).
If either the ACL rule or the traffic behavior specifies deny, the packets matching the ACL are discarded.
[Switch] traffic behavior b_network //Create a traffic behavior.
[Switch-behavior-b_network] quit
- Configure the traffic policy.
# Configure the traffic policy p_network and associate the traffic classifier c_network and the traffic behavior b_network with the traffic policy.
[Switch] traffic policy p_network //Create a traffic policy.
[Switch-trafficpolicy-p_network] classifier c_network behavior b_network //Associate the traffic classifier c_network with the traffic behavior b_network.
[Switch-trafficpolicy-p_network] quit
- Apply the traffic policy.
# Packets from internal and external hosts are forwarded to the finance server through GE2/0/1; therefore, apply the traffic policy p_network to the outbound direction of GE2/0/1.
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] traffic-policy p_network outbound //Apply the traffic policy to the outbound direction of an interface.
[Switch-GigabitEthernet2/0/1] quit
- Verify the configuration.
# Check the configuration of ACL rules.
[Switch] display acl 3002
Advanced ACL 3002, 4 rules
Acl's step is 5
 rule 5 permit ip source 10.164.1.0 0.0.0.255 destination 10.164.4.4 0 (match-counter 0)
 rule 10 permit ip source 10.164.2.0 0.0.0.255 destination 10.164.4.4 0 (match-counter 0)
 rule 15 permit ip source 10.164.3.0 0.0.0.255 destination 10.164.4.4 0 (match-counter 0)
 rule 20 deny ip destination 10.164.4.4 0 (match-counter 0)
# Check the configuration of the traffic classifier.
[Switch] display traffic classifier user-defined
  User Defined Classifier Information:
   Classifier: c_network
    Precedence: 5
    Operator: OR
    Rule(s) : if-match acl 3002

Total classifier number is 1
# Check the configuration of the traffic policy.
[Switch] display traffic policy user-defined
  User Defined Traffic Policy Information:
  Policy: p_network
   Classifier: c_network
   Operator: OR
    Behavior: b_network
      Permit

Total policy number is 1
# Check the traffic policy application records.
[Switch] display traffic-policy applied-record
#
-------------------------------------------------
 Policy Name:   p_network
 Policy Index:  0
    Classifier:c_network     Behavior:b_network
-------------------------------------------------
 *interface GigabitEthernet2/0/1
    traffic-policy p_network outbound
      slot 2    :  success
-------------------------------------------------
 Policy total applied times: 1.
#
# The president's office, marketing department, and R&D department can access the finance server, but external hosts cannot.
Configuration Files
Configuration file of the Switch
#
 sysname Switch
#
vlan batch 10 20 30 100
#
acl number 3002
 rule 5 permit ip source 10.164.1.0 0.0.0.255 destination 10.164.4.4 0
 rule 10 permit ip source 10.164.2.0 0.0.0.255 destination 10.164.4.4 0
 rule 15 permit ip source 10.164.3.0 0.0.0.255 destination 10.164.4.4 0
 rule 20 deny ip destination 10.164.4.4 0
#
traffic classifier c_network operator or precedence 5
 if-match acl 3002
#
traffic behavior b_network
 permit
#
traffic policy p_network match-order config
 classifier c_network behavior b_network
#
interface Vlanif10
 ip address 10.164.1.1 255.255.255.0
#
interface Vlanif20
 ip address 10.164.2.1 255.255.255.0
#
interface Vlanif30
 ip address 10.164.3.1 255.255.255.0
#
interface Vlanif100
 ip address 10.164.4.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk allow-pass vlan 30
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
 traffic-policy p_network outbound
#
return
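The three traffic-policy examples above (ACL 3001 blocking R&D-to-marketing traffic, ACL 2001 blocking two internal hosts, and ACL 3002 protecting the finance server), together with the time-range rule shown as (Inactive) in the display acl 2001 output of the earlier example, all depend on the same matching semantics: rules are tried in rule-number order, the first match wins, a wildcard mask is an inverse netmask, and a packet that matches no rule is left untouched by the traffic policy. The following Python script is an added example, not Huawei code or switch output; it re-implements those semantics so that a rule set can be checked offline before it is applied. The names parse_acl, evaluate, Packet and Rule are the example's own, the rule sets are copied from the configuration files on this page, and the sample packets (including the outside address 203.0.113.9) are constructed.

```python
"""VRP-style basic/advanced ACL evaluator (added example, not Huawei code).

Models the matching behaviour the page's examples rely on: rules are tried in
ascending rule-number order and the first match wins; a wildcard mask is an
inverse netmask (0 bits must match, 1 bits are ignored, so "10.1.1.11 0" is
one host and "10.1.1.0 0.0.0.255" a /24); a rule whose time-range is inactive
is skipped, like the rule shown "(Inactive)" by display acl; a packet matching
no rule is left alone by the traffic policy, modelled as ("permit", None).
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass
class Rule:
    number: int
    action: str                      # "permit" or "deny"
    proto: Optional[str]             # None for basic ACL rules
    src: Optional[Tuple[str, str]]   # (address, wildcard mask)
    dst: Optional[Tuple[str, str]]
    time_range: Optional[str]

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit that is 0 in the wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    # VRP accepts the shorthand "0" for 0.0.0.0 (every bit significant).
    w = int(ipaddress.IPv4Address(wildcard)) if "." in wildcard else int(wildcard)
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_rule(line: str, number: int) -> Rule:
    """Parse 'rule [n] permit|deny [proto] [source A W] [destination A W] [time-range T]'."""
    toks = line.split()
    assert toks[0] == "rule", line
    toks = toks[1:]
    if toks[0].isdigit():                    # explicit rule number
        number = int(toks.pop(0))
    action = toks.pop(0)
    proto = toks.pop(0) if toks and toks[0] in ("ip", "tcp", "udp", "icmp") else None
    src = dst = time_range = None
    while toks:
        key = toks.pop(0)
        if key == "source":
            src = (toks.pop(0), toks.pop(0))
        elif key == "destination":
            dst = (toks.pop(0), toks.pop(0))
        elif key == "time-range":
            time_range = toks.pop(0)
        else:
            raise ValueError(f"unsupported keyword {key!r} in: {line}")
    return Rule(number, action, proto, src, dst, time_range)

def parse_acl(lines: List[str], step: int = 5) -> List[Rule]:
    """Unnumbered rules get the next multiple of the ACL step, as the switch does."""
    rules: List[Rule] = []
    for line in lines:
        nxt = (max((r.number for r in rules), default=0) // step + 1) * step
        rules.append(parse_rule(line, nxt))
    return sorted(rules, key=lambda r: r.number)

def evaluate(rules: List[Rule], pkt: Packet,
             active_time_ranges: FrozenSet[str] = frozenset()) -> Tuple[str, Optional[int]]:
    """Return (action, rule number) of the first matching rule, or ("permit", None)."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.time_range and r.time_range not in active_time_ranges:
            continue                                  # rule is (Inactive) now
        if r.proto not in (None, "ip") and r.proto != pkt.proto:
            continue
        if r.src and not wildcard_match(pkt.src, *r.src):
            continue
        if r.dst and not wildcard_match(pkt.dst, *r.dst):
            continue
        return r.action, r.number
    return "permit", None

# Rule sets copied from the configuration files on this page.
ACL_2001_TIME = ["rule 5 permit source 10.1.1.11 0",
                 "rule 10 permit source 10.1.2.12 0",
                 "rule 15 deny time-range rest-time"]
ACL_3001 = ["rule deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255"]
ACL_3002 = ["rule 5 permit ip source 10.164.1.0 0.0.0.255 destination 10.164.4.4 0",
            "rule 10 permit ip source 10.164.2.0 0.0.0.255 destination 10.164.4.4 0",
            "rule 15 permit ip source 10.164.3.0 0.0.0.255 destination 10.164.4.4 0",
            "rule 20 deny ip destination 10.164.4.4 0"]

if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.9 stands in for an outside host.
    print(evaluate(parse_acl(ACL_3001), Packet("10.1.1.5", "10.1.2.7")))            # ('deny', 5)
    print(evaluate(parse_acl(ACL_3002), Packet("203.0.113.9", "10.164.4.4")))       # ('deny', 20)
    print(evaluate(parse_acl(ACL_3002[:3]), Packet("203.0.113.9", "10.164.4.4")))   # ('permit', None)
```

Running it makes two points the examples only state: ACL 3001 by itself matches only R&D-to-marketing packets (a marketing-to-R&D packet evaluates to ("permit", None)), so the policy depends on being applied inbound on GE1/0/1 where the R&D traffic arrives; and ACL 3002 without its final rule 20 would let an outside host reach 10.164.4.4, because a packet that matches no rule is forwarded. The time-range case shows the same thing from the other side: rule 15 of ACL 2001 only denies while rest-time is active.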
Example for Applying ACLs to SNMP to Filter NMSs
ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the packet matching conditions. These conditions include source addresses, destination addresses, and port numbers of packets.
An ACL filters packets based on rules. A device with an ACL configured matches packets based on the rules to obtain the packets of a certain type, and then decides to forward or discard these packets according to the policies used by the service module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and Layer 2 ACL. A basic ACL defines rules to filter IPv4 packets based on information such as source IP addresses, fragment information, and time ranges. If you only need to filter packets based on source IP addresses, you can configure a basic ACL.
In this example, a basic ACL is applied to the SNMP module so that only the specified NMS can access the switch. This improves switch security.
Configuration Notes
This example applies to all versions of all S series switches.
The following commands and output information are obtained from S7712 running V200R007C00.
Networking Requirements
As shown in Figure 3-243, a new switch on the same network segment as the NMS is added to an enterprise's network, and uses SNMPv3 to communicate with the NMS. To improve switch security, the switch can only be managed by the existing NMS on the network.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure SNMPv3 on the switch so that the NMS running SNMPv3 can manage the switch.
- Configure access control so that only the NMS with the specified IP address can perform read/write operations on the specified MIB objects of the switch.
- Configure a user group and user based on which the switch permits access of the NMS.
- Configure a trap host and enable the switch to automatically send traps to the NMS.
- Add the switch to the NMS. The user group and user configured on the switch must be the same as those used by the NMS; otherwise, the NMS cannot manage the switch.
Procedure
- Configure SNMPv3 on the switch so that the NMS running SNMPv3 can manage the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] snmp-agent sys-info version v3 //By default, SNMPv3 is supported. If SNMPv3 is not disabled, skip this command.
- Configure the interface on the switch to receive and respond to NMS request packets. This step must be performed in V200R020 and later versions. Otherwise, the switch cannot connect to the NMS.
[Switch] snmp-agent protocol source-interface vlanif 10
- Configure access control so that only the NMS with the specified IP address can perform read/write operations on the specified MIB objects of the switch.
# Configure an ACL to permit only the NMS 10.1.1.1 to access the switch.
[Switch] acl 2001
[Switch-acl-basic-2001] rule permit source 10.1.1.1 0
[Switch-acl-basic-2001] rule deny
[Switch-acl-basic-2001] quit
# Configure the MIB view to specify the MIB objects that can be accessed by the NMS.
[Switch] snmp-agent mib-view included isoview iso //Configure the MIB view isoview to access the iso subtree.
- Configure a user group and user based on which the switch permits access of the NMS.
# Configure the user group group001, set the security level to privacy, and configure access control to restrict the access of NMS to the switch.
[Switch] snmp-agent group v3 group001 privacy read-view isoview write-view isoview notify-view isoview acl 2001
# Configure an SNMPv3 user named user001 and add the user to group001.
[Switch] snmp-agent usm-user v3 user001 group group001
# Set the user authentication algorithm to sha (indicating HMAC-SHA-96) and the authentication password to Authe@1234.
[Switch] snmp-agent usm-user v3 user001 authentication-mode sha
Please configure the authentication password (8-64)
Enter Password: //Enter the authentication password.
Confirm Password: //Confirm the password.
In versions earlier than V200R003C00, the user name is configured using snmp-agent usm-user v3 user001 group001 authentication-mode sha Authe@1234 privacy-mode des56 Priva@1234.
In V200R019C00, the system software does not support the sha parameter. To use the sha parameter, you need to install the V200R019SPH007 patch or the SHA1 plug-in. For higher security purposes, you are advised to specify the sha2-256 parameter, which indicates the more secure HMAC-SHA2-256-192 algorithm.
You can search for Plug-in Usage Guide at the Huawei technical support website (Enterprise Network or Carrier), and choose the desired plug-in usage guide based on the switch model and software version. If you do not have permission to access the website, contact technical support personnel.
# Set the user encryption algorithm to aes128 (indicating AES-128) and the encryption password to Priva@1234.
[Switch] snmp-agent usm-user v3 user001 privacy-mode aes128
Please configure the privacy password (8-64)
Enter Password: //Enter the encryption password.
Confirm Password: //Confirm the password.
- Configure a trap host and enable the switch to automatically send traps to the NMS.
[Switch] snmp-agent trap enable
Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y //Enable all trap functions on the switch. By default, only some trap functions are enabled. You can run the display snmp-agent trap all command to check trap status.
[Switch] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname user001 v3 privacy //Configure a trap host. By default, traps are sent by UDP port 162. The security name must be the same as the user name; otherwise, the NMS cannot manage the device.
- Add the switch to the NMS.
# Log in to eSight, set the SNMP parameters based on Table 3-145, and click OK. The switch is added to eSight and can be managed by it; the switch will proactively send trap messages to eSight.
Table 3-145 SNMP parameters
Parameter                  Setting
Select discovery protocol  SNMP
IP address                 10.1.1.2
SNMP                       Edit SNMP parameters
Version                    V3
Security name              user001
Port                       161
Authentication protocol    HMAC_SHA
Authentication password    Authe@1234
Privacy protocol           AES_128
Encryption password        Priva@1234
The parameter settings on the NMS and switch must be the same; otherwise, the switch cannot be added to the NMS.
If authentication is required for remote logins to the switch, Telnet parameters need to be set so that the NMS can manage the switch. In this example, administrators can remotely log in to the switch using Telnet, password authentication is used, and the password is YsHsjx_202206.
Configuration Files
Configuration file of the switch
#
 sysname Switch
#
acl number 2001
 rule 5 permit source 10.1.1.1 0
 rule 10 deny
#
snmp-agent
snmp-agent local-engineid 800007DB03360102101100
snmp-agent sys-info version v3
snmp-agent group v3 group001 privacy read-view isoview write-view isoview notify-view isoview acl 2001
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname user001 v3 privacy
snmp-agent mib-view included isoview iso
snmp-agent usm-user v3 user001
snmp-agent usm-user v3 user001 group group001
snmp-agent usm-user v3 user001 authentication-mode sha cipher %^%#*2C%=4LZn1L>ni9xaybHdbXFW&[c_Wv0m!0MpTj!%^%#
snmp-agent usm-user v3 user001 privacy-mode aes128 cipher %^%#i\Fv-cC(u)+x26S2'rEX<.;V+e~nP)*.J$Ulr($/%^%#
snmp-agent trap enable
snmp-agent protocol source-interface Vlanif10
#
return
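The configuration file above combines several settings that together decide which NMS can reach the switch: SNMPv3 only, a group bound to ACL 2001 at the privacy security level, an ACL that closes with rule deny, SHA authentication, AES-128 privacy, and traps sent with v3 privacy. The following Python script is an added example, not Huawei code; it parses a configuration file of this shape and flags the deviations a reviewer would look for (v1/v2c or a community string, a group without an ACL or with an ACL lacking a closing deny, a security level below privacy, MD5 or DES, a trap host not using v3 privacy). Both embedded configurations are constructed samples: the first is an abridged copy of the file above with the encrypted password fields replaced by a placeholder, the second a deliberately weakened counterpart. The severity labels and the function names parse_acls and audit_snmp are the example's own.

```python
"""Audit of SNMP access-control settings in a VRP-style config file.

Added example, not Huawei code.  It parses a configuration file shaped like the
one in this example and flags settings that weaken NMS filtering: v1/v2c enabled
or a community string set, a v3 group without an ACL or with an ACL lacking a
closing "rule deny", a group below the privacy level, MD5 authentication, DES
privacy, and a trap host not sent with v3 privacy.  Severity labels are this
example's own choice.
"""
import re

# Constructed sample: abridged copy of this example's configuration file, with
# the encrypted password fields replaced by a placeholder.
SWITCH_CONFIG = """\
#
acl number 2001
 rule 5 permit source 10.1.1.1 0
 rule 10 deny
#
snmp-agent sys-info version v3
snmp-agent group v3 group001 privacy read-view isoview write-view isoview notify-view isoview acl 2001
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname user001 v3 privacy
snmp-agent usm-user v3 user001 group group001
snmp-agent usm-user v3 user001 authentication-mode sha cipher <cipher-omitted>
snmp-agent usm-user v3 user001 privacy-mode aes128 cipher <cipher-omitted>
#
"""

# Constructed weak counterpart showing what the audit catches.
WEAK_CONFIG = """\
#
acl number 2001
 rule 5 permit source 10.1.1.1 0
#
snmp-agent sys-info version v2c v3
snmp-agent community read cipher <cipher-omitted>
snmp-agent group v3 group001 authentication read-view isoview
snmp-agent usm-user v3 user001 authentication-mode md5 cipher <cipher-omitted>
snmp-agent usm-user v3 user001 privacy-mode des56 cipher <cipher-omitted>
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname user001 v3 authentication
#
"""

def parse_acls(config):
    """Map ACL number -> tokenised rule lines of each 'acl number N' block."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            current = None
        elif line.startswith("acl number "):
            current = int(line.split()[2])
            acls[current] = []
        elif current is not None and line.startswith("rule "):
            acls[current].append(line.split())
    return acls

def audit_snmp(config):
    """Return a list of (severity, message); an empty list means nothing was flagged."""
    findings, acls = [], parse_acls(config)
    for raw in config.splitlines():
        toks = raw.split()
        line = " ".join(toks)
        if line.startswith("snmp-agent sys-info version"):
            weak = set(toks[3:]) & {"v1", "v2c", "all"}
            if weak:
                findings.append(("high", f"SNMP {' '.join(sorted(weak))} enabled: community-based, unencrypted"))
        elif line.startswith("snmp-agent community"):
            findings.append(("high", "community string configured: v1/v2c access is possible"))
        elif line.startswith("snmp-agent group v3"):
            name = toks[3]
            m = re.search(r"\bacl (\d+)$", line)
            if not m:
                findings.append(("high", f"group {name}: no ACL, any source address may query"))
            elif int(m.group(1)) not in acls:
                findings.append(("high", f"group {name}: ACL {m.group(1)} is not defined"))
            else:  # drop the rule number; the last rule should be a bare deny
                last = [t for t in acls[int(m.group(1))][-1][1:] if not t.isdigit()]
                if last != ["deny"]:
                    findings.append(("medium", f"group {name}: ACL {m.group(1)} has no closing 'rule deny'"))
            level = toks[4] if len(toks) > 4 else "noauth"
            if level != "privacy":
                findings.append(("medium", f"group {name}: security level {level}, not privacy"))
        elif line.startswith("snmp-agent usm-user v3") and len(toks) > 4:
            user = toks[3]
            if "authentication-mode" in toks:
                mode = toks[toks.index("authentication-mode") + 1]
                if mode == "md5":
                    findings.append(("high", f"user {user}: MD5 authentication"))
                elif mode == "sha":
                    findings.append(("low", f"user {user}: HMAC-SHA-96; sha2-256 is the recommended option"))
            if "privacy-mode" in toks and toks[toks.index("privacy-mode") + 1] == "des56":
                findings.append(("high", f"user {user}: DES privacy"))
        elif line.startswith("snmp-agent target-host"):
            if "v3" not in toks:
                findings.append(("high", "trap host uses SNMP v1/v2c"))
            elif "privacy" not in toks:
                findings.append(("medium", "trap host sends v3 traps without privacy"))
    return findings

if __name__ == "__main__":
    for label, cfg in (("page config", SWITCH_CONFIG), ("weak config", WEAK_CONFIG)):
        print(label, audit_snmp(cfg) or "clean")
```

On the page's own configuration the only finding is the low-severity one that mirrors the note above recommending sha2-256 over sha; the weakened counterpart produces five high and two medium findings. The checks are deliberately line-based so the script can be run against a saved display current-configuration output without any device access.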