No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

S2700, S3700, S5700, S6700, S7700, and S9700 Series Switches Typical Configuration Examples

This document provides examples for configuring features in typical usage scenarios.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Using an ACL to Block Network Access of the Specified Users

Example for Using an ACL to Block Network Access of the Specified Users

ACL Overview

An Access Control List (ACL) consists of one rule or a set of rules that describe the packet matching conditions. These conditions include source addresses, destination addresses, and port numbers of packets.

An ACL filters packets based on rules. A device with an ACL configured matches packets based on the rules to obtain the packets of a certain type, and then decides to forward or discard these packets according to the policies used by the service module to which the ACL is applied.

Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and Layer 2 ACL. A Layer 2 ACL defines rules to filter IPv4 and IPv6 packets based on Ethernet frame information, such as source MAC addresses, destination MAC addresses, VLANs, and Layer 2 protocol types. Basic ACLs and advanced ACLs filter packets based on Layer 3 and Layer 4 information, while Layer 2 ACLs filter packets based on Layer 2 information. For example, if you want to filter packets based on MAC addresses and VLANs, configure a Layer 2 ACL.

In this example, a Layer 2 ACL is applied to the traffic policy module so that the device can filter the packets sent from users with certain MAC addresses to the Internet and thus prevent these users from accessing the Internet.

Configuration Notes

This example applies to all versions of all S series switches.

NOTE:

The following commands and output information are obtained from S7712 running V200R007C00.

Networking Requirements

As shown in Figure 15-3, the Switch that functions as the gateway is connected to PCs, and there are reachable routes to all subnets on Switch. The administrator wants to block network access of PC1 after detecting that PC1 (00e0-f201-0101) is an unauthorized user.

Figure 15-3  Using Layer 2 ACLs to block network access of the specified users

Configuration Roadmap

The following configurations are performed on the Switch. The configuration roadmap is as follows:

  1. Configure a Layer 2 ACL and ACL-based traffic classifier to discard packets from MAC address 00e0-f201-0101 (preventing the user with this MAC address from accessing the network).
  2. Configure a traffic behavior to discard the packets matching the ACL.
  3. Configure and apply a traffic policy to make the ACL and traffic behavior take effect.

Procedure

  1. Configure an ACL.

    # Configure a Layer 2 ACL to meet the preceding requirement.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] acl 4000
    [Switch-acl-L2-4000] rule deny source-mac 00e0-f201-0101 ffff-ffff-ffff  //Reject the packets from source MAC address 00e0-f201-0101.
    [Switch-acl-L2-4000] quit

  2. Configure an ACL-based traffic classifier.

    # Configure the traffic classifier tc1 to classify packets that match ACL 4000.

    [Switch] traffic classifier tc1  //Create a traffic classifier.
    [Switch-classifier-tc1] if-match acl 4000  //Associate an ACL with the traffic classifier.
    [Switch-classifier-tc1] quit

  3. Configure the traffic behavior.

    # Configure the traffic behavior tb1 to reject packets.

    [Switch] traffic behavior tb1  //Create a traffic behavior.
    [Switch-behavior-tb1] deny  //Set the action of the traffic behavior to deny.
    [Switch-behavior-tb1] quit

  4. Configure the traffic policy.

    # Configure the traffic policy tp1 and associate tc1 and tb1 with the traffic policy.

    [Switch] traffic policy tp1  //Create a traffic policy.
    [Switch-trafficpolicy-tp1] classifier tc1 behavior tb1  //Associate the traffic classifier tc1 with the traffic behavior tb1.
    [Switch-trafficpolicy-tp1] quit

  5. Apply the traffic policy.

    # Packets from PC1 to the Internet are received by GE2/0/1; therefore, apply the traffic policy tp1 to the inbound direction of GE2/0/1.

    [Switch] interface gigabitethernet 2/0/1
    [Switch-GigabitEthernet2/0/1] traffic-policy tp1 inbound  //Apply the traffic policy to the inbound direction of an interface.
    [Switch-GigabitEthernet2/0/1] quit

  6. Verify the configuration.

    # Check the configuration of the ACL rule.

    [Switch] display acl 4000
    L2 ACL 4000, 1 rule                                                             
    Acl's step is 5                                                                 
     rule 5 deny source-mac 00e0-f201-0101 

    # Check the configuration of the traffic classifier.

    [Switch] display traffic classifier user-defined
      User Defined Classifier Information:
       Classifier: tc1
        Precedence: 5
        Operator: OR
        Rule(s) : if-match acl 4000  
                                                                                   
    Total classifier number is 1                                                    
    

    # Check the configuration of the traffic policy.

    [Switch] display traffic policy user-defined tp1
      User Defined Traffic Policy Information:                                      
      Policy: tp1                                                                   
       Classifier: tc1                                                              
        Operator: OR                                                                
         Behavior: tb1                                                              
          Deny  

    # Check the traffic policy application records.

    [Switch] display traffic-policy applied-record
    #                                                                                                                                   
    -------------------------------------------------                                                                                   
      Policy Name:   tp1                                                                                                                
      Policy Index:  0                                                                                                                  
         Classifier:tc1     Behavior:tb1                                                                                                
    -------------------------------------------------                                                                                   
     *interface GigabitEthernet2/0/1                                                                             
        traffic-policy tp1 inbound                                                                                                      
          slot 2    :  success                                                                                                          
    -------------------------------------------------                                                                                   
      Policy total applied times: 1.                                                                                                    
    # 

    # The user with MAC address 00e0-f201-0101 cannot access the Internet.

Configuration Files

Configuration file of the Switch

#
sysname Switch
#
acl number 4000
 rule 5 deny source-mac 00e0-f201-0101
#
traffic classifier tc1 operator or precedence 5
 if-match acl 4000
#
traffic behavior tb1
 deny
#
traffic policy tp1 match-order config
 classifier tc1 behavior tb1
#
interface GigabitEthernet2/0/1
 traffic-policy tp1 inbound  
#
return 
Download
Updated: 2019-04-20

Document ID: EDOC1000069520

Views: 666311

Downloads: 29877

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next