Configuration Guide - Basic Configuration

S7700 and S9700 V200R010C00

This document describes methods to use command line interface and to log in to the device, file operations, and system startup configurations.

Configuring Access Control on Web Users

Context

To further enhance security, you can configure an HTTPS access control list (ACL) so that only specified web users can log in to the device. You can also run a command to force idle users offline so that they do not occupy resources for too long.

ACL/ACL6 rules:
  • If the ACL/ACL6 rule is permit, clients matching the rule are permitted to set up HTTPS connections with the local device.

  • If the ACL/ACL6 rule is deny, clients matching the rule are forbidden to set up HTTPS connections with the local device.

  • If an ACL/ACL6 rule is configured but packets from a client do not match the rule, the client is not allowed to set up HTTPS connections with the local device.

  • If no ACL/ACL6 rule is configured, any client is permitted to set up HTTPS connections with the local device.

Procedure

  1. Run the system-view command to enter the system view.
  2. Configure an ACL/ACL6 on the HTTPS server.

    • Configure an HTTPS IPv4 ACL as follows:
      1. Run the acl [ number ] acl-number command to enter the ACL view.

        HTTPS IPv4 supports basic and advanced ACLs. If a basic ACL is configured, the value of acl-number ranges from 2000 to 2999. If an advanced ACL is configured, the value of acl-number ranges from 3000 to 3999.

      2. Configure an ACL.

        The commands for configuring basic and advanced ACLs are different.

        • Command for configuring a basic ACL:

          rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | fragment | logging | time-range time-name | vpn-instance vpn-instance-name ] *

        • Command for configuring an advanced ACL:

          rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | fragment | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

      3. Run the quit command to return to the system view.

      4. Run the http acl acl-number command to configure an HTTPS IPv4 ACL.

        By default, no ACL is configured on the HTTPS IPv4 server, that is, all web clients can set up HTTPS IPv4 connections with the server.

    • Configure an HTTPS IPv6 ACL6 as follows:
      1. Run the acl ipv6 [ number ] acl6-number command to enter the ACL6 view.

        HTTPS IPv6 supports basic and advanced ACL6s. If a basic ACL6 is configured, the value of acl6-number ranges from 2000 to 2999. If an advanced ACL6 is configured, the value of acl6-number ranges from 3000 to 3999.

      2. Configure an ACL6.

        The commands for configuring basic and advanced ACL6s are different.

        • Command for configuring a basic ACL6:

          rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *

        • Command for configuring an advanced ACL6:

          rule [ rule-id ] { deny | permit } { tcp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *

      3. Run the quit command to return to the system view.

      4. Run the http ipv6 acl acl-number command to configure an HTTPS IPv6 ACL.

        By default, no ACL6 is configured on the HTTPS IPv6 server, that is, all web clients can set up HTTPS IPv6 connections with the server.

  3. (Optional) Run the free http user-id user-id command to force a web user offline.

    Currently, the device supports a maximum of five concurrent online web users. The value of user-id ranges from 89 to 93. If a user occupies the web channel resources but performs no operation for a long time, other users may fail to log in. To prevent this, run the command to force idle web users offline and release the occupied channel resources.
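
The four permit/deny outcomes listed under Context, evaluated for a basic IPv4 ACL before it is bound with http acl. This is an added example, not part of the Huawei guide: the function names and sample addresses are constructed, and it assumes rules are checked in ascending rule-id order with the first match deciding.

```python
import ipaddress
import re

# Only the 'source' option of a basic ACL rule is modelled; time-range,
# vpn-instance, fragment and logging are ignored in this example.
RULE_RE = re.compile(r"rule\s+(\d+)\s+(permit|deny)\b(.*)")
SRC_RE = re.compile(r"\bsource\s+(?:any|(\S+)\s+(\S+))")

def parse_basic_acl(text):
    """Return [(rule_id, action, (address, wildcard) or None)] sorted by rule-id."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # e.g. the 'acl number 2000' header line
        src = SRC_RE.search(m.group(3))
        # No source option, or 'source any', means every client matches.
        pair = (src.group(1), src.group(2)) if src and src.group(1) else None
        rules.append((int(m.group(1)), m.group(2), pair))
    return sorted(rules, key=lambda r: r[0])

def _u32(addr):
    return int(ipaddress.IPv4Address(addr))

def source_matches(client, pair):
    if pair is None:
        return True
    base, wildcard = pair
    care = ~_u32(wildcard) & 0xFFFFFFFF  # 0 bits in the wildcard must match
    return (_u32(client) & care) == (_u32(base) & care)

def https_decision(client, rules):
    if not rules:
        return "permit"  # no rule configured: any client may connect
    for _rule_id, action, pair in rules:  # assumed: first match wins
        if source_matches(client, pair):
            return action
    return "deny"  # rules exist but none matched this client

# Constructed sample: block one host, allow the rest of its /24.
SAMPLE_ACL = """\
acl number 2000
 rule 5 deny source 192.0.2.66 0.0.0.0
 rule 10 permit source 192.0.2.0 0.0.0.255
"""

if __name__ == "__main__":
    acl = parse_basic_acl(SAMPLE_ACL)
    for ip in ("192.0.2.10", "192.0.2.66", "198.51.100.7"):
        print(ip, https_decision(ip, acl))
```

Running the check against your own management address before entering http acl acl-number shows whether the new ACL would cut off your web session.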

Updated: 2019-04-18

Document ID: EDOC1000141895
