Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
How Can Unidirectional Access Control Be Implemented?

You can use one of the following methods to implement unidirectional access control.

NOTE:

The following commands are only for your reference. You should comply with the command line syntax of the version running on your device.

  • Method 1: Reflective ACL

    1. Run the acl [ number ] acl-number [ match-order { auto | config } ] command in the system view to create an advanced ACL (3000-3999) and enter the advanced ACL view or run the acl name acl-name { advance | acl-number } [ match-order { auto | config } ] command to create a named advanced ACL and enter the advanced ACL view.

    2. Run the rule command to configure rules for the advanced ACL.

    3. Run the traffic-reflect { inbound | outbound } acl { adv-acl-name | adv-acl-number } [ timeout time-value ] command in the interface view to configure the reflective ACL function.

  • Method 2: Traffic policy

    1. Configure an advanced ACL.

      Run the acl [ number ] acl-number [ match-order { auto | config } ] command in the system view to create an advanced ACL (3000-3999) and enter the advanced ACL view or run the acl name acl-name { advance | acl-number } [ match-order { auto | config } ] command to create a named advanced ACL and enter the advanced ACL view.

    2. Configure rules for the advanced ACL.

      Run the rule command to configure a rule with the tcp-flag parameter specified.

      For example, it is required that users on network segment 192.168.1.0/24 can access network segment 192.168.2.0/24, but users on network segment 192.168.2.0/24 cannot access network segment 192.168.1.0/24.

      From TCP connection setup to teardown, every packet except the initial connection request carries an ACK value of 1 or an RST value of 1; only the first packet of a connection request has both values set to 0. Based on this packet characteristic, configure the following rules to permit the packets that belong to a TCP connection already being established and to reject other TCP packets. In this way, you can block the TCP connection requests from network segment 192.168.2.0/24 while still allowing the return packets of connections initiated from network segment 192.168.1.0/24.

      • Rule 1: Configure an ACL rule with the ack and rst keywords specified.

        rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack  //Permit the TCP packets with the ACK value of 1.
        rule 10 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst  //Permit the TCP packets with the RST value of 1.
        rule 15 deny tcp source 192.168.2.0 0.0.0.255  //Reject other TCP packets.
        
      • Rule 2: Configure an ACL rule with the established keyword specified.

        rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag established  //established indicates that ACK is 1 or RST is 1. The packets exchanged after TCP connection establishment has started are permitted.
        rule deny tcp source 192.168.2.0 0.0.0.255  //Reject other TCP packets.
        
    3. Configure a traffic classifier.

      1. Run the traffic classifier classifier-name [ operator { and | or } ] [ precedence precedence-value ] command in the system view to create a traffic classifier and enter the traffic classifier view.

      2. Run the if-match acl { acl-number | acl-name } command to apply an ACL to the traffic classifier.

    4. Configure a traffic behavior.

      Run the traffic behavior behavior-name command in the system view to create a traffic behavior and enter the traffic behavior view.

    5. Configure a traffic action.

      There are two actions for packet filtering: deny and permit. For other traffic actions, see Configuration Guide - QoS of the corresponding product version.

    6. Configure a traffic policy.

      1. Run the traffic policy policy-name [ match-order { auto | config } ] command in the system view to create a traffic policy and enter the traffic policy view.

      2. Run the classifier classifier-name behavior behavior-name command to configure a traffic behavior for the specified traffic classifier in the traffic policy. That is, bind the traffic behavior to the classifier.

    7. Apply the traffic policy.

      Run the traffic-policy policy-name { inbound | outbound } command in the interface view to apply the traffic policy.

      In this example, apply the traffic policy to the inbound direction of the interface connected to network segment 192.168.2.0/24.

  • Method 3: Simplified traffic policy

    1. Configure an advanced ACL and rules. The configurations are the same as those in traffic policy.

    2. Apply the simplified traffic policy.

      Run the traffic-filter { inbound | outbound } acl xxx command in the interface view to apply the simplified traffic policy (ACL-based packet filtering).

      In this example, apply the simplified traffic policy to the inbound direction of the interface connected to network segment 192.168.2.0/24.
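
The following Python simulation is an added example and is not Huawei code or device output. It models how the tcp-flag rules from step 2 of Method 2 classify packets arriving inbound on the interface connected to 192.168.2.0/24: Huawei wildcard-mask source matching, the ack, rst and established keyword semantics, first-match evaluation in config order, and the assumption (stated in a comment) that a packet matching no rule is forwarded because traffic-filter and traffic-policy only act on packets the ACL matches. The packet names and addresses are constructed for the demonstration.

```python
"""Simulation of the tcp-flag ACL rules used for unidirectional access control (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# TCP flag bits as laid out in the TCP header flags byte
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    flags: int = 0  # TCP flag bits; ignored for non-TCP packets


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                      # "permit" or "deny"
    proto: str
    source: str                      # e.g. "192.168.2.0"
    wildcard: str                    # Huawei wildcard mask: 1 bits are "don't care"
    tcp_flag: Optional[str] = None   # "ack", "rst", "established" or None


# The two rule sets from the page, one per alternative shown in step 2 of Method 2.
RULES_ACK_RST: List[Rule] = [
    Rule(5, "permit", "tcp", "192.168.2.0", "0.0.0.255", "ack"),
    Rule(10, "permit", "tcp", "192.168.2.0", "0.0.0.255", "rst"),
    Rule(15, "deny", "tcp", "192.168.2.0", "0.0.0.255"),
]
RULES_ESTABLISHED: List[Rule] = [
    Rule(5, "permit", "tcp", "192.168.2.0", "0.0.0.255", "established"),
    Rule(10, "deny", "tcp", "192.168.2.0", "0.0.0.255"),
]


def source_matches(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard-mask comparison: only bits that are 0 in the wildcard must agree."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def tcp_flag_matches(flags: int, tcp_flag: Optional[str]) -> bool:
    """Semantics of the tcp-flag keywords used on the page."""
    if tcp_flag is None:
        return True
    if tcp_flag == "ack":
        return bool(flags & ACK)
    if tcp_flag == "rst":
        return bool(flags & RST)
    if tcp_flag == "established":   # ACK set or RST set
        return bool(flags & (ACK | RST))
    raise ValueError(f"unsupported tcp-flag keyword: {tcp_flag}")


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Config-order matching: the first rule that matches decides.
    Assumption: a packet that matches no rule is forwarded, because
    traffic-filter / traffic-policy act only on packets the ACL matches."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.proto != pkt.proto:
            continue
        if not source_matches(pkt.src, rule.source, rule.wildcard):
            continue
        if pkt.proto == "tcp" and not tcp_flag_matches(pkt.flags, rule.tcp_flag):
            continue
        return rule.action
    return "permit"


def demo(rules: List[Rule]) -> Dict[str, str]:
    """Verdicts for constructed packets seen inbound on the 192.168.2.0/24 interface."""
    packets = {
        # 192.168.2.0/24 trying to open a connection: pure SYN, ACK=0, RST=0
        "syn_from_2": Packet("192.168.2.10", "192.168.1.20", "tcp", SYN),
        # reply to a connection that 192.168.1.0/24 opened: SYN+ACK
        "synack_from_2": Packet("192.168.2.10", "192.168.1.20", "tcp", SYN | ACK),
        # data and teardown on that connection always carry ACK
        "data_from_2": Packet("192.168.2.10", "192.168.1.20", "tcp", ACK | PSH),
        "fin_from_2": Packet("192.168.2.10", "192.168.1.20", "tcp", ACK | FIN),
        # reset is permitted so failed connections can be torn down
        "rst_from_2": Packet("192.168.2.10", "192.168.1.20", "tcp", RST),
        # non-TCP traffic matches no rule and is forwarded unchanged
        "udp_from_2": Packet("192.168.2.10", "192.168.1.20", "udp"),
    }
    return {name: evaluate(rules, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in demo(RULES_ACK_RST).items():
        print(f"{name:15s} {verdict}")
```

Running the simulation shows that only the pure SYN from 192.168.2.0/24 is denied, while SYN+ACK, data, FIN and RST packets (the return traffic of connections opened from 192.168.1.0/24) are permitted, and that the ack/rst pair and the single established keyword produce identical verdicts. Two points follow for anyone deploying this: the rules match flag bits only and keep no connection state, so what they restrict is TCP connection initiation rather than all traffic from the segment, and non-TCP traffic such as UDP from 192.168.2.0/24 is not affected at all unless further rules are added.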

Updated: 2019-04-01

Document ID: EDOC1000178319