Typical ACL Configuration
- Example for Using an ACL to Restrict FTP Access Rights
- Example for Using ACLs to Control Access to the Specified Server in the Specified Time Range
- Example for Using an ACL to Block Network Access of the Specified Users
- Example for Using Reflective ACL to Implement Unidirectional Access Control
- Example for Allowing Certain Users to Access the Internet in the Specified Time Range
- Example for Using ACLs to Restrict Mutual Access Between Network Segments
- Example for Using an ACL to Prevent Internal Hosts from Accessing the Internet
- Example for Using an ACL to Prevent External Hosts from Accessing Internal Servers
- Example for Applying ACLs to SNMP to Filter NMSs
Example for Using an ACL to Restrict FTP Access Rights
ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the packet matching conditions. These conditions include source addresses, destination addresses, and port numbers of packets.
An ACL filters packets based on rules. A device with an ACL configured matches packets based on the rules to obtain the packets of a certain type, and then decides to forward or discard these packets according to the policies used by the service module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and Layer 2 ACL. A basic ACL defines rules to filter IPv4 packets based on information such as source IP addresses, fragment information, and time ranges. If you only need to filter packets based on source IP addresses, you can configure a basic ACL.
In this example, a basic ACL is applied to the FTP module to allow only the specified clients to access the FTP server, improving FTP server security.
Configuration Notes
In this example, the local user password is in irreversible-cipher mode, indicating that the password is encrypted using the irreversible algorithm. Unauthorized users cannot obtain the password through decryption. Therefore, this algorithm is secure. This password mode only applies to V200R003C00 and later versions. In versions earlier than V200R003C00, the local user passwords can only be in cipher mode, indicating that the passwords are encrypted using the reversible algorithm. Unauthorized users can obtain the passwords through decryption. This algorithm is less secure.
- This example applies to all versions of all S series switches.
Networking Requirements
As shown in Figure 3-229, the Switch functions as an FTP server. The requirements are as follows:
- All the users on subnet 1 (172.16.105.0/24) are allowed to access the FTP server anytime.
- All the users on subnet 2 (172.16.107.0/24) are allowed to access the FTP server only during the specified period of time.
- Other users are not allowed to access the FTP server.
Reachable routes exist between the Switch and subnets. You need to configure the Switch to limit user access to the FTP server.
Procedure
- Configure a time range.
<HUAWEI> system-view [HUAWEI] sysname Switch [Switch] time-range ftp-access from 0:0 2014/1/1 to 23:59 2014/12/31 //Create an absolute time range for an ACL. [Switch] time-range ftp-access 14:00 to 18:00 off-day //Create a periodic time range for an ACL. The time range is 14:00-18:00 on every weekend. The validity period of ftp-access is the overlap of the two time ranges.
- Configure a basic ACL.
[Switch] acl number 2001 [Switch-acl-basic-2001] rule permit source 172.16.105.0 0.0.0.255 //Allow users on network segment 172.16.105.0/24 to access the FTP server anytime. [Switch-acl-basic-2001] rule permit source 172.16.107.0 0.0.0.255 time-range ftp-access //Allow users on network segment 172.16.107.0/24 to access the FTP server only in the ftp-access time range. [Switch-acl-basic-2001] rule deny source any //Prevent other users from accessing the FTP server. [Switch-acl-basic-2001] quit
- Configure basic FTP functions.
[Switch] ftp server enable //Enable the FTP server to allow users to log in to the device through FTP. [Switch] aaa [Switch-aaa] local-user huawei password irreversible-cipher SetUserPassword@123 //Configure the FTP user name and password. The password in irreversible-cipher mode only applies to V200R003C00 and later versions. In versions earlier than V200R003C00, only the passwords in cipher mode can be used. [Switch-aaa] local-user huawei privilege level 15 //Set the FTP user level. [Switch-aaa] local-user huawei service-type ftp //Set the FTP user service type. [Switch-aaa] local-user huawei ftp-directory cfcard:/ //Configure the FTP working directory, which must be configured as flash:/ on a fixed switch. [Switch-aaa] quit
- Configure access permissions on the FTP server.
[Switch] ftp acl 2001 //Apply an ACL to the FTP module.
- Verify the configuration.
Run the ftp 172.16.104.110 command on PC1 (172.16.105.111/24) in subnet 1. PC1 can connect to the FTP server.
Run the ftp 172.16.104.110 command on PC2 (172.16.107.111/24) in subnet 2 on Monday in 2014. PC2 cannot connect to the FTP server. Run the ftp 172.16.104.110 command on PC2 (172.16.107.111/24) in subnet 2 at 15:00 on a Saturday in 2014. PC2 can connect to the FTP server.
Run the ftp 172.16.104.110 command on PC3 (10.10.10.1/24). PC3 cannot connect to the FTP server.
Configuration Files
Configuration file of the Switch
# sysname Switch # FTP server enable FTP acl 2001 # time-range ftp-access 14:00 to 18:00 off-day time-range ftp-access from 00:00 2014/1/1 to 23:59 2014/12/31 # acl number 2001 rule 5 permit source 172.16.105.0 0.0.0.255 rule 10 permit source 172.16.107.0 0.0.0.255 time-range ftp-access rule 15 deny # aaa local-user huawei password irreversible-cipher %^%#uM-!TkAaGB5=$$6SQuw$#batog!R7M_d^!o{*@N9g'e0baw#%^%# local-user huawei privilege level 15 local-user huawei ftp-directory cfcard:/ local-user huawei service-type ftp # return
Example for Using ACLs to Control Access to the Specified Server in the Specified Time Range
ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the packet matching conditions. These conditions include source addresses, destination addresses, and port numbers of packets.
An ACL filters packets based on rules. A device with an ACL configured matches packets based on the rules to obtain the packets of a certain type, and then decides to forward or discard these packets according to the policies used by the service module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and Layer 2 ACL. An advanced ACL defines rules to filter IPv4 packets based on source IP addresses, destination addresses, IP protocol types, TCP source/destination port numbers, UDP source/destination port numbers, fragment information, and time ranges. Compared with a basic ACL, an advanced ACL is more accurate, flexible, and provides more functions. For example, if you want to filter packets based on source and destination IP addresses, configure an advanced ACL.
In this example, advanced ACLs are applied to the traffic policy module so that the device can filter the packets sent from users to the specified server and thus restrict access to the specified server during a time range.
Configuration Notes
This example applies to all versions of all S series switches.
The following commands and output information are obtained from S7712 running V200R007C00.
Networking Requirements
As shown in Figure 3-230, the departments of an enterprise are connected through the Switch. The R&D and marketing departments cannot access the salary query server at 10.164.9.9 in work hours (08:00 to 17:30), whereas the president office can access the server at anytime.
Configuration Roadmap
- Configure the time range, advanced ACL, and ACL-based traffic classifier to filter packets from users to the server in the specified time range. In this way, you can restrict the access of different users to the server in the specified time range.
- Configure a traffic behavior to discard the packets matching the ACL.
- Configure and apply a traffic policy to make the ACL and traffic behavior take effect.
Procedure
- Add interfaces to VLANs and assign IP addresses to the VLANIF interfaces.
# Add GE 1/0/1 through GE1/0/3 to VLANs 10, 20, and 30 respectively, add GE2/0/1 to VLAN 100, and assign IP addresses to VLANIF interfaces. The configurations on GE 1/0/1 and VLANIF 10 are used as an example here. The configurations on GE1/0/2, GE1/0/3, and GE2/0/1 are similar to the configurations on GE 1/0/1, and the configurations on VLANIF 20, VLANIF 30, and VLANIF 100 are similar to the configurations on VLANIF 10.
<HUAWEI> system-view [HUAWEI] sysname Switch [Switch] vlan batch 10 20 30 100 [Switch] interface gigabitethernet 1/0/1 [Switch-GigabitEthernet1/0/1] port link-type trunk [Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 [Switch-GigabitEthernet1/0/1] quit [Switch] interface vlanif 10 [Switch-Vlanif10] ip address 10.164.1.1 255.255.255.0 [Switch-Vlanif10] quit
- Configure the time range.
# Configure the time range as 8:00 to 17:30.
[Switch] time-range satime 8:00 to 17:30 working-day //Configure a periodic time range for an ACL.
- Configure ACLs.
# Configure an ACL for the marketing department accessing the salary query server.
[Switch] acl 3002 [Switch-acl-adv-3002] rule deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime //Prevent the marketing department from accessing the salary query server in the time range satime. [Switch-acl-adv-3002] quit
# Configure an ACL for the R&D department accessing the salary query server.
[Switch] acl 3003 [Switch-acl-adv-3003] rule deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime //Prevent the R&D department from accessing the salary query server in the time range satime. [Switch-acl-adv-3003] quit
- Configure ACL-based traffic classifiers.
# Configure the traffic classifier c_market to classify the packets that match ACL 3002.
[Switch] traffic classifier c_market //Create a traffic classifier. [Switch-classifier-c_market] if-match acl 3002 //Associate an ACL with the traffic classifier. [Switch-classifier-c_market] quit
# Configure the traffic classifier c_rd to classify the packets that match ACL 3003.
[Switch] traffic classifier c_rd //Create a traffic classifier. [Switch-classifier-c_rd] if-match acl 3003 //Associate an ACL with the traffic classifier. [Switch-classifier-c_rd] quit
- Configure traffic behaviors.
# Configure the traffic behavior b_market to reject packets.
[Switch] traffic behavior b_market //Create a traffic behavior. [Switch-behavior-b_market] deny //Set the action of the traffic behavior to deny. [Switch-behavior-b_market] quit
# Configure the traffic behavior b_rd to reject packets.
[Switch] traffic behavior b_rd //Create a traffic behavior. [Switch-behavior-b_rd] deny //Set the action of the traffic behavior to deny. [Switch-behavior-b_rd] quit
- Configure traffic policies.
# Configure the traffic policy p_market and associate the traffic classifier c_market and the traffic behavior b_market with the traffic policy.
[Switch] traffic policy p_market //Create a traffic policy. [Switch-trafficpolicy-p_market] classifier c_market behavior b_market //Associate the traffic classifier c_market with the traffic behavior b_market. [Switch-trafficpolicy-p_market] quit
# Configure the traffic policy p_rd and associate the traffic classifier c_rd and the traffic behavior b_rd with the traffic policy.
[Switch] traffic policy p_rd //Create a traffic policy. [Switch-trafficpolicy-p_rd] classifier c_rd behavior b_rd //Associate the traffic classifier c_rd with the traffic behavior b_rd. [Switch-trafficpolicy-p_rd] quit
- Apply the traffic policy.
# Packets from the marketing department to the server are received by GE1/0/2; therefore, apply the traffic policy p_market to the inbound direction of GE1/0/2.
[Switch] interface gigabitethernet 1/0/2 [Switch-GigabitEthernet1/0/2] traffic-policy p_market inbound //Apply the traffic policy to the inbound direction of an interface. [Switch-GigabitEthernet1/0/2] quit
# Packets from the R&D department to the server are received by GE1/0/3; therefore, apply the traffic policy p_rd to the inbound direction of GE1/0/3.
[Switch] interface gigabitethernet 1/0/3 [Switch-GigabitEthernet1/0/3] traffic-policy p_rd inbound //Apply the traffic policy to the inbound direction of an interface. [Switch-GigabitEthernet1/0/3] quit
- Verify the configuration.
# Check the configuration of ACL rules.
[Switch] display acl all Total nonempty ACL number is 2 Advanced ACL 3002, 1 rule Acl's step is 5 rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime (match-counter 0)(Active) Advanced ACL 3003, 1 rule Acl's step is 5 rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime (match-counter 0)(Active)
# Check the configuration of the traffic classifier.
[Switch] display traffic classifier user-defined User Defined Classifier Information: Classifier: c_market Precedence: 5 Operator: OR Rule(s) : if-match acl 3002 Classifier: c_rd Precedence: 10 Operator: OR Rule(s) : if-match acl 3003 Total classifier number is 2
# Check the configuration of the traffic policy.
[Switch] display traffic policy user-defined User Defined Traffic Policy Information: Policy: p_market Classifier: c_market Operator: OR Behavior: b_market Deny Policy: p_rd Classifier: c_rd Operator: OR Behavior: b_rd Deny Total policy number is 2
# Check the traffic policy application records.
[Switch] display traffic-policy applied-record # ------------------------------------------------- Policy Name: p_market Policy Index: 0 Classifier:c_market Behavior:b_market ------------------------------------------------- *interface GigabitEthernet1/0/2 traffic-policy p_market inbound slot 1 : success ------------------------------------------------- Policy total applied times: 1. # ------------------------------------------------- Policy Name: p_rd Policy Index: 1 Classifier:c_rd Behavior:b_rd ------------------------------------------------- *interface GigabitEthernet1/0/3 traffic-policy p_rd inbound slot 1 : success ------------------------------------------------- Policy total applied times: 1. #
# The R&D and marketing departments cannot access the salary query server in work hours (08:00 to 17:30).
Configuration Files
Configuration file of the Switch
# sysname Switch # vlan batch 10 20 30 100 # time-range satime 08:00 to 17:30 working-day # acl number 3002 rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime acl number 3003 rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime # traffic classifier c_market operator or precedence 5 if-match acl 3002 traffic classifier c_rd operator or precedence 10 if-match acl 3003 # traffic behavior b_market deny traffic behavior b_rd deny # traffic policy p_market match-order config classifier c_market behavior b_market traffic policy p_rd match-order config classifier c_rd behavior b_rd # interface Vlanif10 ip address 10.164.1.1 255.255.255.0 # interface Vlanif20 ip address 10.164.2.1 255.255.255.0 # interface Vlanif30 ip address 10.164.3.1 255.255.255.0 # interface Vlanif100 ip address 10.164.9.1 255.255.255.0 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 10 # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 20 traffic-policy p_market inbound # interface GigabitEthernet1/0/3 port link-type trunk port trunk allow-pass vlan 30 traffic-policy p_rd inbound # interface GigabitEthernet2/0/1 port link-type trunk port trunk allow-pass vlan 100 # return
Example for Using an ACL to Block Network Access of the Specified Users
ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the packet matching conditions. These conditions include source addresses, destination addresses, and port numbers of packets.
An ACL filters packets based on rules. A device with an ACL configured matches packets based on the rules to obtain the packets of a certain type, and then decides to forward or discard these packets according to the policies used by the service module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and Layer 2 ACL. A Layer 2 ACL defines rules to filter IPv4 and IPv6 packets based on Ethernet frame information, such as source MAC addresses, destination MAC addresses, VLANs, and Layer 2 protocol types. Basic ACLs and advanced ACLs filter packets based on Layer 3 and Layer 4 information, while Layer 2 ACLs filter packets based on Layer 2 information. For example, if you want to filter packets based on MAC addresses and VLANs, configure a Layer 2 ACL.
In this example, a Layer 2 ACL is applied to the traffic policy module so that the device can filter the packets sent from users with certain MAC addresses to the Internet and thus prevent these users from accessing the Internet.
Configuration Notes
This example applies to all versions of all S series switches.
The following commands and output information are obtained from S7712 running V200R007C00.
Networking Requirements
As shown in Figure 3-231, the Switch that functions as the gateway is connected to PCs, and there are reachable routes to all subnets on Switch. The administrator wants to block network access of PC1 after detecting that PC1 (00e0-f201-0101) is an unauthorized user.
Configuration Roadmap
The following configurations are performed on the Switch. The configuration roadmap is as follows:
- Configure a Layer 2 ACL and ACL-based traffic classifier to discard packets from MAC address 00e0-f201-0101 (preventing the user with this MAC address from accessing the network).
- Configure a traffic behavior to discard the packets matching the ACL.
- Configure and apply a traffic policy to make the ACL and traffic behavior take effect.
Procedure
- Configure an ACL.
# Configure a Layer 2 ACL to meet the preceding requirement.
<HUAWEI> system-view [HUAWEI] sysname Switch [Switch] acl 4000 [Switch-acl-L2-4000] rule deny source-mac 00e0-f201-0101 ffff-ffff-ffff //Reject the packets from source MAC address 00e0-f201-0101. [Switch-acl-L2-4000] quit
- Configure an ACL-based traffic classifier.
# Configure the traffic classifier tc1 to classify packets that match ACL 4000.
[Switch] traffic classifier tc1 //Create a traffic classifier. [Switch-classifier-tc1] if-match acl 4000 //Associate an ACL with the traffic classifier. [Switch-classifier-tc1] quit
- Configure the traffic behavior.
# Configure the traffic behavior tb1 to reject packets.
[Switch] traffic behavior tb1 //Create a traffic behavior. [Switch-behavior-tb1] deny //Set the action of the traffic behavior to deny. [Switch-behavior-tb1] quit
- Configure the traffic policy.
# Configure the traffic policy tp1 and associate tc1 and tb1 with the traffic policy.
[Switch] traffic policy tp1 //Create a traffic policy. [Switch-trafficpolicy-tp1] classifier tc1 behavior tb1 //Associate the traffic classifier tc1 with the traffic behavior tb1. [Switch-trafficpolicy-tp1] quit
- Apply the traffic policy.
# Packets from PC1 to the Internet are received by GE2/0/1; therefore, apply the traffic policy tp1 to the inbound direction of GE2/0/1.
[Switch] interface gigabitethernet 2/0/1 [Switch-GigabitEthernet2/0/1] traffic-policy tp1 inbound //Apply the traffic policy to the inbound direction of an interface. [Switch-GigabitEthernet2/0/1] quit
- Verify the configuration.
# Check the configuration of the ACL rule.
[Switch] display acl 4000 L2 ACL 4000, 1 rule Acl's step is 5 rule 5 deny source-mac 00e0-f201-0101# Check the configuration of the traffic classifier.
[Switch] display traffic classifier user-defined User Defined Classifier Information: Classifier: tc1 Precedence: 5 Operator: OR Rule(s) : if-match acl 4000 Total classifier number is 1# Check the configuration of the traffic policy.
[Switch] display traffic policy user-defined tp1 User Defined Traffic Policy Information: Policy: tp1 Classifier: tc1 Operator: OR Behavior: tb1 Deny
# Check the traffic policy application records.
[Switch] display traffic-policy applied-record # ------------------------------------------------- Policy Name: tp1 Policy Index: 0 Classifier:tc1 Behavior:tb1 ------------------------------------------------- *interface GigabitEthernet2/0/1 traffic-policy tp1 inbound slot 2 : success ------------------------------------------------- Policy total applied times: 1. #
# The user with MAC address 00e0-f201-0101 cannot access the Internet.
Configuration Files
Configuration file of the Switch
# sysname Switch # acl number 4000 rule 5 deny source-mac 00e0-f201-0101 # traffic classifier tc1 operator or precedence 5 if-match acl 4000 # traffic behavior tb1 deny # traffic policy tp1 match-order config classifier tc1 behavior tb1 # interface GigabitEthernet2/0/1 traffic-policy tp1 inbound # return
Example for Using Reflective ACL to Implement Unidirectional Access Control
Reflective ACL Overview
Reflective ACL is a type of dynamic ACL. The device creates a reflective ACL by swapping the source/destination IP addresses and source/destination port numbers of an ACL. A reflective ACL has an aging time. If packets passing the interface match the reflective ACL within the aging time, this reflective ACL is kept in the next aging time interval. If no packet passing the interface matches the reflective ACL within the aging time, the reflective ACL is deleted. This mechanism improves device security.
Reflective ACL implements unidirectional access control. An external host can access an internal host only after the internal host accesses the external host. Therefore, reflective ACL protects enterprises' internal networks against attacks initiated by external users.
In this example, an advanced reflective ACL is used to prevent the servers on the Internet from actively establishing UDP connections with internal hosts before the internal hosts connect to the external servers. Reflective ACL implements unidirectional access control between internal and external networks.
Configuration Notes
This example applies to all versions of modular switches, but does not apply to fixed switches.
Networking Requirements
As shown in Figure 3-232, Switch functions as the gateway to connect PCs to the Internet. There are reachable routes among the devices. To ensure internal network security, the administrator allows servers on the Internet to establish UDP connections with internal PCs only after the internal PCs have established UDP connections with the external servers.
Configuration Roadmap
The following configurations are performed on the Switch. The configuration roadmap is as follows:
- Configure an advanced ACL based on which the device will generate a reflective ACL.
- Configure the reflective ACL function to allow internal PC1 to establish a UDP connection with a server on the Internet and prevent the external server from actively establishing a UDP connection with internal hosts.
Procedure
- Configure an advanced ACL.
# Create advanced ACL 3000 and configure a rule to permit UDP packets.
<HUAWEI> system-view [HUAWEI] sysname Switch [Switch] acl 3000 [Switch-acl-adv-3000] rule permit udp //Allow UDP packets to pass. [Switch-acl-adv-3000] quit
- Configure the reflective ACL function.
# Packets from the Internet are received by GE2/0/1; therefore, configure the reflective ACL function in the outbound direction of GE2/0/1 so that the Switch can generate reflective ACL for UDP packets.
[Switch] interface gigabitethernet 2/0/1 [Switch-GigabitEthernet2/0/1] traffic-reflect outbound acl 3000 //Apply the reflective ACL to the outbound direction of an interface. [Switch-GigabitEthernet2/0/1] quit
- Verify the configuration.
Run the display traffic-reflect command to check reflective ACL information.
[Switch] display traffic-reflect outbound acl 3000 Proto SP DP DIP SIP Count Timeout Interface ------------------------------------------------------------------------------ UDP 2 80 192.168.1.2 10.1.1.2 9 300(s) GigabitEthernet2/0/1 ------------------------------------------------------------------------------ * Total <1> flows accord with condition, <1> items was displayed. ------------------------------------------------------------------------------ * Proto=Protocol,SIP=Source IP,DIP=Destination IP,Timeout=Time to cutoff, * SP=Source port,DP=Destination port,Count=Packets count(data).
The preceding information will be displayed only after internal hosts have established UDP connections with external servers. The preceding information shows that a reflective ACL has been generated on GE2/0/1 for the UDP packets between PC1 and server (192.168.1.2), and provides packet statistics.
Example for Allowing Certain Users to Access the Internet in the Specified Time Range
ACL Time Range Overview
An ACL defines many matching conditions to filter most packets transmitted on a network; however, it cannot filter packets in the specified time range.
You can configure a time range and associate the time range with an ACL rule to filter packets based on time. This specifies different policies for users in different time ranges.
In this example, a basic ACL associated with a time range is applied to the traffic policy module so that the device can filter packets sent from internal users to the Internet in the specified time range. As a result, users can access the Internet only in the specified time range.
Configuration Notes
This example applies to all versions of all S series switches.
The following commands and output information are obtained from S7712 running V200R007C00.
Networking Requirements
As shown in Figure 3-233, the departments of an enterprise are connected through the Switch. The enterprise allows all employees to access the Internet on work days (Monday to Friday), and only the managers to access the Internet on weekends (Saturday and Sunday).
Configuration Roadmap
The following configurations are performed on the Switch. The configuration roadmap is as follows:
- Configure the time range, basic ACL, and ACL-based traffic classifier to filter packets sent from internal users to the Internet and thus allow only certain users to access the Internet in the specified time range.
- Configure a traffic behavior to permit the packets that match the ACL permit rule.
- Configure and apply a traffic policy to make the ACL and traffic behavior take effect.
Procedure
- Configure VLANs and IP addresses for interfaces.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view [HUAWEI] sysname Switch [Switch] vlan batch 10 20
# Configure GE1/0/1 and GE1/0/2 of the Switch as trunk interfaces and add them to VLAN 10 and VLAN 20 respectively. Configure GE2/0/1 of the Switch as a trunk interface and add it to both VLAN 10 and VLAN 20.
[Switch] interface gigabitethernet 1/0/1 [Switch-GigabitEthernet1/0/1] port link-type trunk [Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 [Switch-GigabitEthernet1/0/1] quit [Switch] interface gigabitethernet 1/0/2 [Switch-GigabitEthernet1/0/2] port link-type trunk [Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 20 [Switch-GigabitEthernet1/0/2] quit [Switch] interface gigabitethernet 2/0/1 [Switch-GigabitEthernet2/0/1] port link-type trunk [Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 10 20 [Switch-GigabitEthernet2/0/1] quit
# Create VLANIF 10 and VLANIF 20 and assign IP addresses to them.
[Switch] interface vlanif 10 [Switch-Vlanif10] ip address 10.1.1.1 24 [Switch-Vlanif10] quit [Switch] interface vlanif 20 [Switch-Vlanif20] ip address 10.1.2.1 24 [Switch-Vlanif20] quit
- Configure a time range.
# Configure the periodic time range from Saturday to Sunday.
[Switch] time-range rest-time 0:00 to 23:59 off-day //Configure a periodic time range for an ACL.
- Configure an ACL.
# Create basic ACL 2001 and configure rules to allow the R&D and marketing managers (10.1.1.11 and 10.1.2.12) to access the Internet anytime and prevent other employees from accessing the Internet on Saturday and Sunday. That is, only the managers of R&D and marketing departments can access the Internet on Saturday and Sunday.
[Switch] acl 2001 [Switch-acl-basic-2001] rule permit source 10.1.1.11 0 //Allow the manager of the R&D department to access the Internet anytime. [Switch-acl-basic-2001] rule permit source 10.1.2.12 0 //Allow the manager of the marketing department to access the Internet anytime. [Switch-acl-basic-2001] rule deny time-range rest-time //Prevent other users from accessing the Internet On Saturday and Sunday. [Switch-acl-basic-2001] quit
- Configure the basic ACL-based traffic classifier.
# Configure the traffic classifier tc1 to classify packets that match ACL 2001.
[Switch] traffic classifier tc1 //Create a traffic classifier. [Switch-classifier-tc1] if-match acl 2001 //Associate an ACL with the traffic classifier. [Switch-classifier-tc1] quit
- Configure traffic behaviors.
# Configure the traffic behavior tb1 and set the action to permit (default value).
Packets matching the ACL are discarded as long as a deny action exists in an ACL rule or traffic behavior.
[Switch] traffic behavior tb1 //Create a traffic behavior. [Switch-behavior-tb1] quit
- Configure the traffic policy.
# Define the traffic policy and associate the traffic classifier and traffic behavior with the traffic policy.
[Switch] traffic policy tp1 //Create a traffic policy. [Switch-trafficpolicy-tp1] classifier tc1 behavior tb1 //Associate the traffic classifier tc1 with the traffic behavior tb1. [Switch-trafficpolicy-tp1] quit
- Apply the traffic policy to an interface.
# Packets from internal hosts are forwarded to the Internet through GE2/0/1; therefore, apply the traffic policy tp1 to the outbound direction of GE2/0/1.
[Switch] interface gigabitethernet 2/0/1 [Switch-GigabitEthernet2/0/1] traffic-policy tp1 outbound //Apply the traffic policy to the outbound direction of an interface. [Switch-GigabitEthernet2/0/1] quit
- Verify the configuration.
# Check the configuration of ACL rules.
[Switch] display acl 2001 Basic ACL 2001, 3 rules Acl's step is 5 rule 5 permit source 10.1.1.11 0 (match-counter 0) rule 10 permit source 10.1.2.12 0 (match-counter 0) rule 15 deny time-range rest-time(match-counter 0) (Inactive)# Check the configuration of the traffic classifier.
[Switch] display traffic classifier user-defined User Defined Classifier Information: Classifier: tc1 Precedence: 5 Operator: OR Rule(s) : if-match acl 2001 Total classifier number is 1# Check the configuration of the traffic policy.
[Switch] display traffic policy user-defined tp1 User Defined Traffic Policy Information: Policy: tp1 Classifier: tc1 Operator: OR Behavior: tb1 Permit Total policy number is 1
# All employees can access the Internet on work days. Only the managers (10.1.1.11 and 10.1.2.12) of R&D and marketing departments can access the Internet on weekends.
Configuration Files
Configuration file of the Switch
# sysname Switch # vlan batch 10 20 # time-range rest-time 00:00 to 23:59 off-day # acl number 2001 rule 5 permit source 10.1.1.11 0 rule 10 permit source 10.1.2.12 0 rule 15 deny time-range rest-time # traffic classifier tc1 operator or precedence 5 if-match acl 2001 # traffic behavior tb1 permit # traffic policy tp1 match-order config classifier tc1 behavior tb1 # interface Vlanif10 ip address 10.1.1.1 255.255.255.0 # interface Vlanif20 ip address 10.1.2.1 255.255.255.0 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 10 # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 20 # interface GigabitEthernet2/0/1 port link-type trunk port trunk allow-pass vlan 10 20 traffic-policy tp1 outbound # return
Example for Using ACLs to Restrict Mutual Access Between Network Segments
ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the packet matching conditions. These conditions include source addresses, destination addresses, and port numbers of packets.
An ACL filters packets based on rules. A device with an ACL configured matches packets based on the rules to obtain the packets of a certain type, and then decides to forward or discard these packets according to the policies used by the service module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and Layer 2 ACL. An advanced ACL defines rules to filter IPv4 packets based on source IP addresses, destination addresses, IP protocol types, TCP source/destination port numbers, UDP source/destination port numbers, fragment information, and time ranges. Compared with a basic ACL, an advanced ACL is more accurate, flexible, and provides more functions. For example, if you want to filter packets based on source and destination IP addresses, configure an advanced ACL.
In this example, advanced ACLs are applied to the traffic policy module so that the device can filter the packets between different network segments and thus restrict mutual access between network segments.
Configuration Notes
This example applies to all versions and models.
The following commands and output information are obtained from S7712 running V200R007C00.
Networking Requirements
As shown in Figure 3-234, the departments of an enterprise are connected through the Switch. To facilitate network management, the administrator allocates the IP addresses on two network segments to the R&D and marketing departments respectively. The two departments belong to different VLANs. The mutual access between two network segments must be controlled to ensure information security.
Configuration Roadmap
The following configurations are performed on the Switch. The configuration roadmap is as follows:
- Configure an advanced ACL and an ACL-based traffic classifier to filter the packets exchanged between R&D and marketing departments.
- Configure a traffic behavior to discard the packets matching the ACL.
- Configure and apply a traffic policy to make the ACL and traffic behavior take effect.
Procedure
- Configure VLANs and IP addresses for interfaces.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view [HUAWEI] sysname Switch [Switch] vlan batch 10 20
# Configure GE 1/0/1 and GE1/0/2 of the Switch as trunk interfaces and add them to VLAN 10 and VLAN 20 respectively.
[Switch] interface gigabitethernet 1/0/1 [Switch-GigabitEthernet1/0/1] port link-type trunk [Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 [Switch-GigabitEthernet1/0/1] quit [Switch] interface gigabitethernet 1/0/2 [Switch-GigabitEthernet1/0/2] port link-type trunk [Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 20 [Switch-GigabitEthernet1/0/2] quit
# Create VLANIF 10 and VLANIF 20 and assign IP addresses to them.
[Switch] interface vlanif 10 [Switch-Vlanif10] ip address 10.1.1.1 24 [Switch-Vlanif10] quit [Switch] interface vlanif 20 [Switch-Vlanif20] ip address 10.1.2.1 24 [Switch-Vlanif20] quit
- Configure ACLs.
# Create advanced ACL 3001 and configure rules for the ACL to block the packets from the R&D department to the marketing department.
[Switch] acl 3001 [Switch-acl-adv-3001] rule deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 //Prevent the R&D department from accessing the marketing department. [Switch-acl-adv-3001] quit
# Create advanced ACL 3002 and configure rules for the ACL to block the packets from the marketing department to the R&D department.
[Switch] acl 3002 [Switch-acl-adv-3002] rule deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 //Prevent the marketing department from accessing the R&D department. [Switch-acl-adv-3002] quit
- Configure the advanced ACL-based traffic classifier.
# Configure the traffic classifier tc1 to classify packets that match ACL 3001 and ACL 3002.
[Switch] traffic classifier tc1 //Create a traffic classifier. [Switch-classifier-tc1] if-match acl 3001 //Associate an ACL with the traffic classifier. [Switch-classifier-tc1] if-match acl 3002 //Associate an ACL with the traffic classifier. [Switch-classifier-tc1] quit
- Configure the traffic behavior.
# Configure the traffic behavior tb1 to reject packets.
[Switch] traffic behavior tb1 //Create a traffic behavior. [Switch-behavior-tb1] deny //Set the action of the traffic behavior to deny. [Switch-behavior-tb1] quit
- Configure the traffic policy.
# Define the traffic policy and associate the traffic classifier and traffic behavior with the traffic policy.
[Switch] traffic policy tp1 //Create a traffic policy. [Switch-trafficpolicy-tp1] classifier tc1 behavior tb1 //Associate the traffic classifier tc1 with the traffic behavior tb1. [Switch-trafficpolicy-tp1] quit
- Apply the traffic policy to an interface.
# The packets from the R&D and marketing departments are received by GE1/0/1 and GE1/0/2 respectively; therefore, apply the traffic policy to the inbound direction of GE1/0/1 and GE1/0/2.
[Switch] interface gigabitethernet 1/0/1 [Switch-GigabitEthernet1/0/1] traffic-policy tp1 inbound //Apply the traffic policy to the inbound direction of an interface. [Switch-GigabitEthernet1/0/1] quit [Switch] interface gigabitethernet 1/0/2 [Switch-GigabitEthernet1/0/2] traffic-policy tp1 inbound //Apply the traffic policy to the inbound direction of an interface. [Switch-GigabitEthernet1/0/2] quit
- Verify the configuration.
# Check the configuration of ACL rules.
[Switch] display acl 3001 Advanced ACL 3001, 1 rule Acl's step is 5 rule 5 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 (match-counter 0)[Switch] display acl 3002 Advanced ACL 3002, 1 rule Acl's step is 5 rule 5 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 (match-counter 0)# Check the configuration of the traffic classifier.
[Switch] display traffic classifier user-defined User Defined Classifier Information: Classifier: tc1 Precedence: 5 Operator: OR Rule(s) : if-match acl 3001 if-match acl 3002 Total classifier number is 1# Check the configuration of the traffic policy.
[Switch] display traffic policy user-defined tp1 User Defined Traffic Policy Information: Policy: tp1 Classifier: tc1 Operator: OR Behavior: tb1 Deny
# The network segments where the R&D and marketing departments reside cannot access each other, but they can access the network segments of other departments.
Configuration Files
Configuration file of the Switch
# sysname Switch # vlan batch 10 20 # acl number 3001 rule 5 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 acl number 3002 rule 5 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 # traffic classifier tc1 operator or precedence 5 if-match acl 3001 if-match acl 3002 # traffic behavior tb1 deny # traffic policy tp1 match-order config classifier tc1 behavior tb1 # interface Vlanif10 ip address 10.1.1.1 255.255.255.0 # interface Vlanif20 ip address 10.1.2.1 255.255.255.0 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 10 traffic-policy tp1 inbound # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 20 traffic-policy tp1 inbound # return
Example for Using an ACL to Prevent Internal Hosts from Accessing the Internet
ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the packet matching conditions. These conditions include source addresses, destination addresses, and port numbers of packets.
An ACL filters packets based on rules. A device with an ACL configured matches packets based on the rules to obtain the packets of a certain type, and then decides to forward or discard these packets according to the policies used by the service module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and Layer 2 ACL. A basic ACL defines rules to filter IPv4 packets based on information such as source IP addresses, fragment information, and time ranges. If you only need to filter packets based on source IP addresses, you can configure a basic ACL.
In this example, a basic ACL is applied to the traffic policy module so that the device can filter the packets from internal hosts to the Internet and thus prevent internal hosts from accessing the Internet.
Configuration Notes
This example applies to all versions and models.
The following commands and output information are obtained from S7712 running V200R007C00.
Networking Requirements
As shown in Figure 3-235, the departments of an enterprise are connected through the Switch. The Switch needs to prevent some hosts of the R&D and marketing departments from accessing the Internet to protect information security of the enterprise.
Configuration Roadmap
The following configurations are performed on the Switch. The configuration roadmap is as follows:
- Configure a basic ACL and ACL-based traffic classifier to filter packets from the specified hosts of the R&D and marketing departments.
- Configure a traffic behavior to discard the packets matching the ACL.
- Configure and apply a traffic policy to make the ACL and traffic behavior take effect.
Procedure
- Configure VLANs and IP addresses for interfaces.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view [HUAWEI] sysname Switch [Switch] vlan batch 10 20
# Configure GE1/0/1 and GE1/0/2 of the Switch as trunk interfaces and add them to VLAN 10 and VLAN 20 respectively. Configure GE2/0/1 of the Switch as a trunk interface and add it to both VLAN 10 and VLAN 20.
[Switch] interface gigabitethernet 1/0/1 [Switch-GigabitEthernet1/0/1] port link-type trunk [Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 [Switch-GigabitEthernet1/0/1] quit [Switch] interface gigabitethernet 1/0/2 [Switch-GigabitEthernet1/0/2] port link-type trunk [Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 20 [Switch-GigabitEthernet1/0/2] quit [Switch] interface gigabitethernet 2/0/1 [Switch-GigabitEthernet2/0/1] port link-type trunk [Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 10 20 [Switch-GigabitEthernet2/0/1] quit
# Create VLANIF 10 and VLANIF 20 and assign IP addresses to them.
[Switch] interface vlanif 10 [Switch-Vlanif10] ip address 10.1.1.1 24 [Switch-Vlanif10] quit [Switch] interface vlanif 20 [Switch-Vlanif20] ip address 10.1.2.1 24 [Switch-Vlanif20] quit
- Configure an ACL.
# Create basic ACL 2001 and configure rules to reject the packets from hosts 10.1.1.11 and 10.1.2.12.
[Switch] acl 2001 [Switch-acl-basic-2001] rule deny source 10.1.1.11 0 //Prevent the host with IP address 10.1.1.11 from accessing the Internet. [Switch-acl-basic-2001] rule deny source 10.1.2.12 0 //Prevent the host with IP address 10.1.2.12 from accessing the Internet. [Switch-acl-basic-2001] quit
- Configure the basic ACL-based traffic classifier.
# Configure the traffic classifier tc1 to classify packets that match ACL 2001.
[Switch] traffic classifier tc1 //Create a traffic classifier. [Switch-classifier-tc1] if-match acl 2001 //Associate an ACL with the traffic classifier. [Switch-classifier-tc1] quit
- Configure the traffic behavior.
# Configure the traffic behavior tb1 to reject packets.
[Switch] traffic behavior tb1 //Create a traffic behavior. [Switch-behavior-tb1] deny //Set the action of the traffic behavior to deny. [Switch-behavior-tb1] quit
- Configure the traffic policy.
# Define the traffic policy and associate the traffic classifier and traffic behavior with the traffic policy.
[Switch] traffic policy tp1 //Create a traffic policy. [Switch-trafficpolicy-tp1] classifier tc1 behavior tb1 //Associate the traffic classifier tc1 with the traffic behavior tb1. [Switch-trafficpolicy-tp1] quit
- Apply the traffic policy to an interface.
# Packets from internal hosts are forwarded to the Internet through GE2/0/1; therefore, apply the traffic policy to the outbound direction of GE2/0/1.
[Switch] interface gigabitethernet 2/0/1 [Switch-GigabitEthernet2/0/1] traffic-policy tp1 outbound //Apply the traffic policy to the outbound direction of an interface. [Switch-GigabitEthernet2/0/1] quit
- Verify the configuration.
# Check the configuration of ACL rules.
[Switch] display acl 2001 Basic ACL 2001, 2 rules Acl's step is 5 rule 5 deny source 10.1.1.11 0 (match-counter 0) rule 10 deny source 10.1.2.12 0 (match-counter 0)# Check the configuration of the traffic classifier.
[Switch] display traffic classifier user-defined User Defined Classifier Information: Classifier: tc1 Precedence: 5 Operator: OR Rule(s) : if-match acl 2001 Total classifier number is 1# Check the configuration of the traffic policy.
[Switch] display traffic policy user-defined tp1 User Defined Traffic Policy Information: Policy: tp1 Classifier: tc1 Operator: OR Behavior: tb1 Deny
# The hosts at 10.1.1.11 and 10.1.2.12 cannot access the Internet, and other hosts can access the Internet.
Configuration Files
Configuration file of the Switch
# sysname Switch # vlan batch 10 20 # acl number 2001 rule 5 deny source 10.1.1.11 0 rule 10 deny source 10.1.2.12 0 # traffic classifier tc1 operator or precedence 5 if-match acl 2001 # traffic behavior tb1 deny # traffic policy tp1 match-order config classifier tc1 behavior tb1 # interface Vlanif10 ip address 10.1.1.1 255.255.255.0 # interface Vlanif20 ip address 10.1.2.1 255.255.255.0 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 10 # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 20 # interface GigabitEthernet2/0/1 port link-type trunk port trunk allow-pass vlan 10 20 traffic-policy tp1 outbound # return
Example for Using an ACL to Prevent External Hosts from Accessing Internal Servers
ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the packet matching conditions. These conditions include source addresses, destination addresses, and port numbers of packets.
An ACL filters packets based on rules. A device with an ACL configured matches packets based on the rules to obtain the packets of a certain type, and then decides to forward or discard these packets according to the policies used by the service module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and Layer 2 ACL. An advanced ACL defines rules to filter IPv4 packets based on source IP addresses, destination addresses, IP protocol types, TCP source/destination port numbers, UDP source/destination port numbers, fragment information, and time ranges. Compared with a basic ACL, an advanced ACL is more accurate, flexible, and provides more functions. For example, if you want to filter packets based on source and destination IP addresses, configure an advanced ACL.
In this example, an advanced ACL is applied to the traffic policy module so that the device can filter the packets sent from external hosts to internal servers and thus restrict access of external hosts to internal servers.
Configuration Notes
This example applies to all versions of all S series switches.
The following commands and output information are obtained from S7712 running V200R007C00.
Networking Requirements
As shown in Figure 3-236, the departments of an enterprise are connected through the Switch. The enterprise allows only internal hosts to access the finance server, preventing external hosts from accessing the server.
Configuration Roadmap
- Configure an advanced ACL and ACL-based traffic classifier to filter the packets from external hosts to the finance server and thus prevent external hosts from accessing this server.
- Configure a traffic behavior to permit the packets that match the ACL permit rule.
- Configure and apply a traffic policy to make the ACL and traffic behavior take effect.
Procedure
- Add interfaces to VLANs and assign IP addresses to the VLANIF interfaces.
# Add GE 1/0/1 through GE1/0/3 to VLANs 10, 20, and 30 respectively, add GE2/0/1 to VLAN 100, and assign IP addresses to VLANIF interfaces. The configurations on GE 1/0/1 and VLANIF 10 are used as an example here. The configurations on GE1/0/2, GE1/0/3, and GE2/0/1 are similar to the configurations on GE 1/0/1, and the configurations on VLANIF 20, VLANIF 30, and VLANIF 100 are similar to the configurations on VLANIF 10.
<HUAWEI> system-view [HUAWEI] sysname Switch [Switch] vlan batch 10 20 30 100 [Switch] interface gigabitethernet 1/0/1 [Switch-GigabitEthernet1/0/1] port link-type trunk [Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 [Switch-GigabitEthernet1/0/1] quit [Switch] interface vlanif 10 [Switch-Vlanif10] ip address 10.164.1.1 255.255.255.0 [Switch-Vlanif10] quit
- Configure an ACL.
# Create advanced ACL 3002 and configure rules to allow the packets from the president's office, R&D department, and marketing department to reach the finance server and block the packets sent from external hosts to the finance server.
[Switch] acl 3002 [Switch-acl-adv-3002] rule permit ip source 10.164.1.0 0.0.0.255 destination 10.164.4.4 0.0.0.0 //Allow the president's office to access the finance server. [Switch-acl-adv-3002] rule permit ip source 10.164.2.0 0.0.0.255 destination 10.164.4.4 0.0.0.0 //Allow the marketing department to access the finance server. [Switch-acl-adv-3002] rule permit ip source 10.164.3.0 0.0.0.255 destination 10.164.4.4 0.0.0.0 //Allow the R&D department to access the finance server. [Switch-acl-adv-3002] rule deny ip destination 10.164.4.4 0.0.0.0 //Prevent other users from accessing the finance server. [Switch-acl-adv-3002] quit
- Configure an ACL-based traffic classifier.
# Configure the traffic classifier c_network to classify the packets that match ACL 3002.
[Switch] traffic classifier c_network //Create a traffic classifier. [Switch-classifier-c_network] if-match acl 3002 //Associate an ACL with the traffic classifier. [Switch-classifier-c_network] quit
- Configure a traffic behavior.
# Configure the traffic behavior b_network and keep the action set to permit (default value).
Packets matching the ACL are discarded as long as a deny action exists in an ACL rule or traffic behavior.
[Switch] traffic behavior b_network //Create a traffic behavior. [Switch-behavior-b_network] quit
- Configure the traffic policy.
# Configure the traffic policy p_network and associate the traffic classifier c_network and the traffic behavior b_network with the traffic policy.
[Switch] traffic policy p_network //Create a traffic policy. [Switch-trafficpolicy-p_network] classifier c_network behavior b_network //Associate the traffic classifier c_network with the traffic behavior b_network. [Switch-trafficpolicy-p_network] quit
- Apply the traffic policy.
# Packets from internal and external hosts are forwarded to the finance server through GE2/0/1; therefore, apply the traffic policy p_network to the outbound direction of GE2/0/1.
[Switch] interface gigabitethernet 2/0/1 [Switch-GigabitEthernet2/0/1] traffic-policy p_network outbound //Apply the traffic policy to the outbound direction of an interface. [Switch-GigabitEthernet2/0/1] quit
- Verify the configuration.
# Check the configuration of ACL rules.
[Switch] display acl 3002 Advanced ACL 3002, 4 rules Acl's step is 5 rule 5 permit ip source 10.164.1.0 0.0.0.255 destination 10.164.4.4 0 (match-counter 0) rule 10 permit ip source 10.164.2.0 0.0.0.255 destination 10.164.4.4 0 (match-counter 0) rule 15 permit ip source 10.164.3.0 0.0.0.255 destination 10.164.4.4 0 (match-counter 0) rule 20 deny ip destination 10.164.4.4 0 (match-counter 0)# Check the configuration of the traffic classifier.
[Switch] display traffic classifier user-defined User Defined Classifier Information: Classifier: c_network Precedence: 5 Operator: OR Rule(s) : if-match acl 3002 Total classifier number is 1
# Check the configuration of the traffic policy.
[Switch] display traffic policy user-defined User Defined Traffic Policy Information: Policy: p_network Classifier: c_network Operator: OR Behavior: b_network Permit Total policy number is 1
# Check the traffic policy application records.
[Switch] display traffic-policy applied-record # ------------------------------------------------- Policy Name: p_network Policy Index: 0 Classifier:c_network Behavior:b_network ------------------------------------------------- *interface GigabitEthernet2/0/1 traffic-policy p_network outbound slot 2 : success ------------------------------------------------- Policy total applied times: 1. #
# The president's office, marketing department, and R&D department can access the finance server, but external hosts cannot.
Configuration Files
Configuration file of the Switch
# sysname Switch # vlan batch 10 20 30 100 # acl number 3002 rule 5 permit ip source 10.164.1.0 0.0.0.255 destination 10.164.4.4 0 rule 10 permit ip source 10.164.2.0 0.0.0.255 destination 10.164.4.4 0 rule 15 permit ip source 10.164.3.0 0.0.0.255 destination 10.164.4.4 0 rule 20 deny ip destination 10.164.4.4 0 # traffic classifier c_network operator or precedence 5 if-match acl 3002 # traffic behavior b_network permit # traffic policy p_network match-order config classifier c_network behavior b_network # interface Vlanif10 ip address 10.164.1.1 255.255.255.0 # interface Vlanif20 ip address 10.164.2.1 255.255.255.0 # interface Vlanif30 ip address 10.164.3.1 255.255.255.0 # interface Vlanif100 ip address 10.164.4.1 255.255.255.0 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 10 # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 20 # interface GigabitEthernet1/0/3 port link-type trunk port trunk allow-pass vlan 30 # interface GigabitEthernet2/0/1 port link-type trunk port trunk allow-pass vlan 100 traffic-policy p_network outbound # return
Example for Applying ACLs to SNMP to Filter NMSs
ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the packet matching conditions. These conditions include source addresses, destination addresses, and port numbers of packets.
An ACL filters packets based on rules. A device with an ACL configured matches packets based on the rules to obtain the packets of a certain type, and then decides to forward or discard these packets according to the policies used by the service module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and Layer 2 ACL. A basic ACL defines rules to filter IPv4 packets based on information such as source IP addresses, fragment information, and time ranges. If you only need to filter packets based on source IP addresses, you can configure a basic ACL.
In this example, a basic ACL is applied to the SNMP module so that only the specified NMS can access the switch. This improves switch security.
Configuration Notes
This example applies to all versions of all S series switches.
The following commands and output information are obtained from S7712 running V200R007C00.
Networking Requirements
As shown in Figure 3-237, a new switch on the same network segment as the NMS is added to an enterprise's network, and uses SNMPv1 to communicate with the NMS. To improve switch security, the switch can only be managed by the existing NMS on the network.
Configuration Roadmap
The configuration roadmap is as follows:
Configure SNMPv1 on the switch so that the NMS running SNMPv1 can manage the switch.
Configure access control so that only the NMS with the specified IP address can perform read/write operations on the specified MIB objects of the switch.
Configure a community name based on which the switch permits access of the NMS.
Configure a trap host and enable the switch to automatically send traps to the NMS.
Add the switch to the NMS. The community name configured on the switch must be the same as that used by the NMS; otherwise, the NMS cannot manage the switch.
Procedure
- Configure SNMPv1 on the switch so that the NMS running SNMPv1 can manage the switch.
<HUAWEI> system-view [HUAWEI] sysname Switch [Switch] snmp-agent sys-info version v1 //By default, SNMPv3 is supported.
- Configure access control so that only the NMS with the specified IP address can perform read/write operations on the specified MIB objects of the switch.
# Configure an ACL to permit only the NMS 10.1.1.1 to access the switch.
[Switch] acl 2001 [Switch-acl-basic-2001] rule permit source 10.1.1.1 0 [Switch-acl-basic-2001] rule deny [Switch-acl-basic-2001] quit
# Configure the MIB view to specify the MIB objects that can be accessed by the NMS.
[Switch] snmp-agent mib-view included isoview01 system //Configure the MIB view isoview01 to access the system subtree. [Switch] snmp-agent mib-view included isoview02 interfaces //Configure the MIB view isoview02 to access the interfaces subtree.
- Configure a community name based on which the switch permits access of the NMS, apply the ACL to make the access control function take effect.
[Switch] snmp-agent community read adminnms01 mib-view isoview01 acl 2001 //Grant adminnms01 the read-only permission on the system subtree. [Switch] snmp-agent community write adminnms02 mib-view isoview02 acl 2001 //Grant adminnms02 the read-write permission on the interface subtree.
- Configure a trap host and enable the switch to automatically send traps to the NMS.
[Switch] snmp-agent trap enable Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y //Enable all trap functions on the switch. By default, only some trap functions are enabled. You can run the display snmp-agent trap all command to check trap status. [Switch] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname adminnms01 v1 - Add the switch to the NMS.
# Log in to eSight and choose . Set SNMP parameters based on Table 3-202 and click OK. A switch is added to and can be managed by eSight. The switch will proactively send trap messages to eSight.
Table 3-202 SNMP parametersParameter
Setting
Select discovery protocol
SNMP
IP address
10.1.1.2
SNMP
Edit SNMP parameters
Version
V1
Read community
adminnms01
Write community
adminnms02
Port
161
The parameter settings on the NMS and switch must be the same; otherwise, the switch cannot be added to the NMS.
If authentication is required for remote logins to the switch, Telnet parameters need to be set so that the NMS can manage the switch. In this example, administrators can remotely log in to the switch using Telnet, password authentication is used, and the password is huawei2012.
Configuration Files
Configuration file of the switch
# sysname Switch # acl number 2001 rule 5 permit source 10.1.1.1 0 rule 10 deny # snmp-agent snmp-agent local-engineid 800007DB03360102101100 snmp-agent community read cipher %^%#Pqp'RXi))/y\KgEtwP9A3x2z5_FgxG1v'D/8>=G,D9<yMC^RAM_YB:F0BZlF="bHXg%lH*L"Jq'lea`S%^%# mib-view isoview01 acl 2001 snmp-agent community write cipher %^%#.T|&Whvyf$<Gd"I,wXi5SP_6~Nakk6<<+3H:N-h@aJ6d,l0md%HCeAY8~>X=>xV\JKNAL=124r839v<*%^%# mib-view isoview02 acl 2001 snmp-agent sys-info version v1 v3 snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname cipher %^%#uq/!YZfvW4*vf[~C|.:Cl}UqS(vXd#wwqR~5M(rU%%^%# snmp-agent mib-view included isoview01 system snmp-agent mib-view included isoview02 interfaces snmp-agent trap enable # return
- Example for Using an ACL to Restrict FTP Access Rights
- Example for Using ACLs to Control Access to the Specified Server in the Specified Time Range
- Example for Using an ACL to Block Network Access of the Specified Users
- Example for Using Reflective ACL to Implement Unidirectional Access Control
- Example for Allowing Certain Users to Access the Internet in the Specified Time Range
- Example for Using ACLs to Restrict Mutual Access Between Network Segments
- Example for Using an ACL to Prevent Internal Hosts from Accessing the Internet
- Example for Using an ACL to Prevent External Hosts from Accessing Internal Servers
- Example for Applying ACLs to SNMP to Filter NMSs
Previous
