Configuration Guide - Security

S1720, S2700, S5700, and S6720 V200R011C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, MPAC, separating the management plane from the service plane, security risks, PKI.

Access Control Does Not Take Effect Due to Incorrect Direction of Traffic Policy

Fault Description

As shown in Figure 2-23, the departments of an enterprise are connected through the Switch. GE0/0/4 of the Switch is connected to the salary query server. The enterprise allows only the president office to access the salary query server and prevents other departments, such as the R&D and marketing departments, from accessing it. Therefore, the administrator configures an ACL and a traffic policy that uses the ACL on the Switch, and applies the traffic policy to the inbound direction of GE0/0/4. Because the traffic policy is applied in the wrong direction, access control does not take effect.

Figure 2-23  Applying the traffic policy to an interface

Procedure

  1. Run the display traffic policy interface [ interface-type interface-number ] command in any view to check traffic policy configuration on the interface.

    The traffic policy p1 has been applied to the inbound direction of GE0/0/4.

      Interface: GigabitEthernet0/0/4                                            
                                                                                    
      Direction: Inbound      
      Policy: p1  
      ......

  2. Run the display traffic-applied interface [ interface-type interface-number ] inbound verbose command in any view to check information about the ACL used by the traffic policy on the interface and the direction to which the traffic policy is applied.

    The traffic policy p1 uses ACL 3001 and the traffic policy is applied to the inbound direction of the interface.

    -----------------------------------------------------------                     
    Policy applied inbound interface GigabitEthernet0/0/4                           
                                                                                    
      Interface: GigabitEthernet0/0/4                                               
                                                                                    
      Direction: Inbound                                                            
                                                                                    
      Policy: p1                                                              
        Classifier: c1                                                        
          Operator: OR                                                              
          Rule(s) :                                                                 
            if-match acl 3001                                                       
        Behavior: b1                                                          
          Deny                                                                      
    ----------------------------------------------------------- 

  3. Run the display this command in the view of advanced ACL 3001 to check ACL rule configuration.

    ACL 3001 contains the following rules:

    acl number 3001                                                                 
     rule 5 permit ip source 10.164.1.0 0.0.0.255 destination 10.164.9.9 0             //Allow the president office to access the server.                                                         
     rule 10 deny ip destination 10.164.9.9 0             //Prevent other departments from accessing the server.

    The source IP address is the network segment where the president office resides and the destination IP address is the salary query server's address. The ACL rules meet the packet filtering requirement, so the ACL configuration is correct.

  4. Check the direction to which the traffic policy is applied.

    As shown in Step 2, the traffic policy is applied to the inbound direction of GE0/0/4. An inbound traffic policy on an interface matches only packets that enter the Switch through that interface. Packets from the departments do not enter the Switch through GE0/0/4: they enter through the interfaces connected to the departments, the Switch looks up a route for them, and they leave the Switch through GE0/0/4 toward the server. The only packets that enter through GE0/0/4 are those sent by the server, and their destination is a department host rather than 10.164.9.9, so no rule in ACL 3001 matches them.

    Therefore, when the traffic policy using the ACL is applied to the inbound direction of GE0/0/4, access control does not take effect and every department can reach the server. To make access control effective, apply the traffic policy to the outbound direction of GE0/0/4, or apply it where the departments' packets enter the Switch: globally, to the VLANs of the departments, or to the inbound direction of each interface connecting to a department.

  5. Change the direction to which the traffic policy is applied.

    Run the traffic-policy policy-name outbound command in the view of GE0/0/4 to apply the traffic policy to the outbound direction.
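
    The following configuration is added here as a worked example and is not part of the original document. It puts the steps above together: it reproduces ACL 3001, classifier c1, behavior b1 and policy p1 as shown in the display output, shows the ineffective inbound application on GE0/0/4, removes it, applies the policy outbound, and verifies the result. Object and interface names are those from this page; the undo step assumes the inbound application is still present, and the // comments follow the page's own convention and are not commands.

```text
// Worked example (added here, not from the original document).
// Huawei VRP CLI as used on the S series covered by this guide.

// --- ACL and traffic policy as shown in Steps 2 and 3 ---
system-view
acl number 3001
 rule 5 permit ip source 10.164.1.0 0.0.0.255 destination 10.164.9.9 0   // Allow the president office to access the server.
 rule 10 deny ip destination 10.164.9.9 0                                 // Prevent other departments from accessing the server.
 quit
traffic classifier c1 operator or
 if-match acl 3001
 quit
traffic behavior b1
 deny
 quit
traffic policy p1
 classifier c1 behavior b1
 quit

// --- Wrong application (the fault described on this page) ---
// Inbound on GE0/0/4 sees only packets the server sends. Their destination is
// never 10.164.9.9, so ACL 3001 never matches and nothing is dropped.
interface GigabitEthernet0/0/4
 traffic-policy p1 inbound

// --- Fix (Step 5): remove the inbound application, apply outbound ---
 undo traffic-policy inbound
 traffic-policy p1 outbound
 quit

// --- Verify the new direction ---
display traffic-applied interface gigabitethernet 0/0/4 outbound verbose
// Expected: Direction: Outbound, Policy: p1, if-match acl 3001, Deny.
// Then confirm from a host outside 10.164.1.0/24 that 10.164.9.9 is no longer
// reachable, and from a president office host that it still is.
```

    Removing the inbound application before adding the outbound one keeps the configuration minimal; leaving the inbound policy in place is harmless for this ACL but consumes an ACL resource on the interface for no effect.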

Updated: 2019-03-28

Document ID: EDOC1000178177
