Web-based Configuration Guide

S7700 and S9700 V200R011C10

This document describes the configuration and maintenance of the device through the web network management system. The web network management system provides functions for viewing device information and managing the entire system, interfaces, services, ACLs, QoS, routes, security, and tools.
Example for Using Advanced ACLs to Control Access to the Specified Server in the Specified Time Range

ACL Overview

An Access Control List (ACL) consists of one rule or a set of rules that describe the packet matching conditions. These conditions include source addresses, destination addresses, and port numbers of packets.

An ACL filters packets based on rules. A device with an ACL configured matches packets based on the rules to obtain the packets of a certain type, and then decides to forward or discard these packets according to the policies used by the service module to which the ACL is applied.

ACLs are classified by rule definition method into basic ACLs, advanced ACLs, and Layer 2 ACLs. An advanced ACL defines rules that filter IPv4 packets based on source IP address, destination IP address, IP protocol type, TCP source/destination port number, UDP source/destination port number, fragment information, and time range. Compared with a basic ACL, an advanced ACL is more precise and flexible and provides more functions. For example, to filter packets based on both source and destination IP addresses, configure an advanced ACL.

In this example, an advanced ACL is configured so that the device can filter the packets sent from external hosts to internal servers and thus restrict access of external hosts to internal servers.

Networking Requirements

As shown in Figure 10-122, the departments of an enterprise are connected through the Switch. The R&D and marketing departments cannot access the salary query server at 10.164.9.9/24 during work hours (08:00 to 17:30), whereas the president office can access the server at any time.

Figure 10-122  Using advanced ACLs to control access to the specified server in the specified time range

Configuration Roadmap

The following configurations are performed on the Switch. The configuration roadmap is as follows:
  1. Configure VLANs and configure IP addresses for VLANIF interfaces.
  2. Configure a time range and advanced ACLs.
  3. Apply the ACLs so that the device can filter packets sent from users to the server in the specified time range. In this way, you can restrict the access of different users to the server in the specified time range.

Procedure

  1. Add interfaces to VLANs and assign IP addresses to the VLANIF interfaces.
    1. Choose Configuration > Basic Services > VLAN to access the VLAN configuration page.
    2. Click Create. The Create VLAN dialog box is displayed.

      • Enter 10 in the VLAN ID text box.
      • Select Create VLANIF, enter 10.164.1.1 in the IPv4 address text box, and set Mask to 24.
      • Click Add Interface and then Select Interface, select GigabitEthernet1/0/1, and click OK.

      Click OK, as shown in Figure 10-123.

      Figure 10-123  Configuring VLAN 10

    3. Configure VLANs 20, 30, and 100 in the same way based on Table 10-6.

      Table 10-6  VLAN list

      VLAN ID   IP Address   Subnet Mask     Interface Name
      20        10.164.2.1   255.255.255.0   GigabitEthernet1/0/2
      30        10.164.3.1   255.255.255.0   GigabitEthernet1/0/3
      100       10.164.9.1   255.255.255.0   GigabitEthernet2/0/1

  2. Configure a time range.
    1. Choose Configuration > Security Services > ACL Config > Validity Time Range to access the validity time range configuration page.
    2. Click Create. The Create Time Range dialog box is displayed.

      • Set Time range name.
      • Deselect Time Range.
      • Select Validity Time, set Validity time, Start time, and End time, and click .

      Click OK, as shown in Figure 10-124.

      Figure 10-124  Configuring a time range

  3. Configure ACLs.
    1. Choose Configuration > Security Services > ACL Config to access the ACL configuration page.
    2. Click Create. In the Create ACL dialog box, set ACL number to 3002 and click OK, as shown in Figure 10-125.

      Figure 10-125  Creating ACL 3002

    3. Click Add Rule on the right of ACL 3002. In the Add Rule dialog box, set Action, Protocol type, Source IP, Destination IP, Wildcard, and Time range, and click OK, as shown in Figure 10-126.

      Figure 10-126  Configuring ACL 3002

    4. Create and configure ACL 3003 in the same way based on Figure 10-127.

      Figure 10-127  Configuring ACL 3003

  4. Apply the ACLs.
    1. Choose Configuration > Security Services > ACL Reference > Interface ACL.
    2. Set Interface name. Click New next to Inbound interface ACL number, and select ACLs, as shown in Figure 10-128 and Figure 10-129. Click Apply to apply the ACLs.

      NOTE:
      The inbound interface for traffic from the marketing department to the server is GigabitEthernet1/0/2 of the Switch, and the inbound interface for traffic from the R&D department to the server is GigabitEthernet1/0/3 of the Switch. Therefore, apply one ACL on each of these two inbound interfaces.

      Figure 10-128  Applying ACL 3002

      Figure 10-129  Applying ACL 3003
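The following is a constructed model of the filtering behaviour this procedure produces, added here as an illustration and not taken from the guide or from the device software. The rule fields (deny action, IP protocol, source subnet with wildcard 0.0.0.255, destination host 10.164.9.9, work-hours time range) and the subnet-to-ACL mapping are assumptions derived from the networking requirements, because the guide shows the actual rule values only in the figures; the default-permit behaviour for unmatched packets is also an assumption.

```python
from datetime import time
from ipaddress import IPv4Address

# Constructed model (not device code). Rule fields are assumed from the
# networking requirements: deny IP traffic from the marketing subnet
# 10.164.2.0/24 (VLAN 20) and the R&D subnet 10.164.3.0/24 (VLAN 30) to the
# salary server 10.164.9.9 during work hours. The president office (VLAN 10)
# has no ACL bound to its interface, so its traffic is never filtered.
WORK_HOURS = (time(8, 0), time(17, 30))

# ACL number -> ordered rules:
# (action, src, src_wildcard, dst, dst_wildcard, time_range or None)
RULES = {
    3002: [("deny", "10.164.2.0", "0.0.0.255", "10.164.9.9", "0.0.0.0", WORK_HOURS)],
    3003: [("deny", "10.164.3.0", "0.0.0.255", "10.164.9.9", "0.0.0.0", WORK_HOURS)],
}

# Inbound interface -> ACL, mirroring the guide's NOTE: the filter is applied
# on the user-side ingress interfaces, not on the server-side interface.
INTERFACE_ACL = {"GigabitEthernet1/0/2": 3002, "GigabitEthernet1/0/3": 3003}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """ACL wildcard semantics: a 1 bit means 'don't care', a 0 bit must match."""
    wc = int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) | wc) == (int(IPv4Address(base)) | wc)


def in_time_range(now: time, rng) -> bool:
    start, end = rng
    return start <= now <= end


def filter_packet(ingress: str, src: str, dst: str, now: time) -> str:
    """Return 'deny' or 'permit' for an IP packet arriving on ingress at time now."""
    acl = INTERFACE_ACL.get(ingress)
    if acl is None:
        return "permit"                    # no ACL bound to this interface
    for action, sbase, swc, dbase, dwc, rng in RULES[acl]:
        if rng is not None and not in_time_range(now, rng):
            continue                       # rule is inactive outside its time range
        if wildcard_match(src, sbase, swc) and wildcard_match(dst, dbase, dwc):
            return action                  # first matching rule wins
    # Assumption: a packet that matches no rule of the interface ACL is forwarded.
    return "permit"
```

Checking the three cases from the networking requirements (a department host during and outside work hours, and the president office at any time) confirms that only the two department subnets are blocked, and only to the one server address.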

Result

  1. Choose Configuration > Security Services > ACL Config to view ACL information, as shown in Figure 10-130 and Figure 10-131.
    Figure 10-130  ACL 3002 configuration

    Figure 10-131  ACL 3003 configuration

  2. Choose Configuration > Security Services > ACL Reference > Interface ACL. Click GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to view the ACLs applied on these interfaces, as shown in Figure 10-128 and Figure 10-129.
  3. The R&D and marketing departments cannot access the salary query server in work hours (08:00 to 17:30).

Updated: 2019-10-17

Document ID: EDOC1000178323