S600-E V200R011C10 Web-based Configuration Guide

This document describes how to configure and maintain the device through the web network management system. The web network management system provides functions for viewing device information and managing the entire system, interfaces, services, ACL, QoS, routes, security, and tools.
Configuring Access Control on Web Users

Context

To further enhance security, you can configure an HTTPS access control list (ACL) so that only specified web users can log in to the device. You can also run a command to force idle web users offline so that they do not occupy resources for too long.

ACL/ACL6 rules:
  • If the ACL/ACL6 rule is permit, clients matching the rule are permitted to set up HTTPS connections with the local device.

  • If the ACL/ACL6 rule is deny, clients matching the rule are forbidden to set up HTTPS connections with the local device.

  • If an ACL/ACL6 rule is configured but packets from a client do not match the rule, the client is not allowed to set up HTTPS connections with the local device.

  • If no ACL/ACL6 rule is configured, all clients are permitted to set up HTTPS connections with the local device.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure an ACL/ACL6 on the HTTPS server.

    • Configure an HTTPS IPv4 ACL as follows:
      1. Run acl [ number ] acl-number

        The ACL view is displayed.

        HTTPS IPv4 supports basic and advanced ACLs. If a basic ACL is configured, the value of acl-number ranges from 2000 to 2999. If an advanced ACL is configured, the value of acl-number ranges from 3000 to 3999.

      2. Configure an ACL.

        The commands for configuring basic and advanced ACLs are different.

        • Command for configuring a basic ACL:

          rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | fragment | logging | time-range time-name ] *

        • Command for configuring an advanced ACL:

          rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | fragment | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name ] *

      3. Run quit

        Return to the system view.

      4. Run http acl acl-number

        The HTTPS IPv4 ACL is configured.

        By default, no ACL is configured on the HTTPS IPv4 server, that is, all web clients can set up HTTPS IPv4 connections with the server.

    • Configure an HTTPS IPv6 ACL6 as follows:
      1. Run acl ipv6 [ number ] acl6-number

        The ACL6 view is displayed.

        HTTPS IPv6 supports basic and advanced ACL6s. If a basic ACL6 is configured, the value of acl6-number ranges from 2000 to 2999. If an advanced ACL6 is configured, the value of acl6-number ranges from 3000 to 3999.

      2. Configure an ACL6.

        The commands for configuring basic and advanced ACL6s are different.

        • Command for configuring a basic ACL6:

          rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name ] *

        • Command for configuring an advanced ACL6:

          rule [ rule-id ] { deny | permit } { tcp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name ] *

      3. Run quit

        Return to the system view.

      4. Run http ipv6 acl acl-number

        The HTTPS IPv6 ACL is configured.

        By default, no ACL6 is configured on the HTTPS IPv6 server, that is, all web clients can set up HTTPS IPv6 connections with the server.

  3. (Optional) Run free http user-id user-id

    The web user is forced to go offline.

    Currently, the device supports a maximum of five concurrent online web users. The value of user-id ranges from 89 to 93. If a user occupies the web channel resources but performs no operation for a long time, other users may fail to log in. To prevent this situation, run the command to force idle web users to go offline and release the occupied channel resources.

Verifying the Configuration

Run the display acl { acl-number | name acl-name | all } command to check the ACL configuration.
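
The following Python code is an added example, not part of the Huawei guide: it parses constructed basic-ACL rule lines in the syntax shown in the Procedure and applies the four cases from the ACL/ACL6 rules list, so you can check which management clients would still reach the HTTPS server before binding the ACL with http acl. It assumes rules are evaluated in ascending rule-id order with the first match deciding, and that wildcard bits set to 1 are ignored; the sample addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: a basic ACL as it would be entered in the ACL view.
SAMPLE_ACL = """
rule 5 deny source 192.168.10.66 0
rule 10 permit source 192.168.10.0 0.0.0.255
rule 15 permit source 10.1.1.1 0
"""

RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+source\s+(any|(\S+)\s+(\S+))$")

def _wildcard(text):
    # The CLI accepts "0" as shorthand for the host wildcard 0.0.0.0.
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))

def parse_basic_acl(text):
    """Return [(rule_id, action, addr, wildcard)] sorted by rule-id."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule: {line!r}")
        rule_id, action, src, addr, wild = m.groups()
        if src == "any":
            addr_i, wild_i = 0, 0xFFFFFFFF
        else:
            addr_i, wild_i = int(ipaddress.IPv4Address(addr)), _wildcard(wild)
        rules.append((int(rule_id), action, addr_i, wild_i))
    return sorted(rules)

def https_allowed(client_ip, rules):
    """Apply the four cases from the 'ACL/ACL6 rules' list to one client."""
    if not rules:                      # no ACL configured: everyone may connect
        return True
    client = int(ipaddress.IPv4Address(client_ip))
    for _rule_id, action, addr, wild in rules:
        # Wildcard bits set to 1 are ignored; bits set to 0 must be equal.
        if (client ^ addr) & ~wild & 0xFFFFFFFF == 0:
            return action == "permit"  # first matching rule decides
    return False                       # ACL configured, no rule matched: refused
```

Run your own management station address through https_allowed before applying the ACL: a client that matches no rule is refused, which is the usual way an administrator locks themselves out of the web interface.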

Updated: 2019-03-30

Document ID: EDOC1000178031