
Web-based Configuration Guide

S7700 and S9700 V200R011C10

This document describes how to configure and maintain the device through the web network management system, which provides functions for viewing device information and managing the entire system, interfaces, services, ACL, QoS, routes, security, and tools.

ACL Config

This section describes ACL configurations.

NOTE:

This node is only available in the NAC unified mode.

ACL Config

An ACL defines rules based on source IPv4 addresses, destination IPv4 addresses, IPv4 protocol types, ICMP types, TCP source/destination port numbers, UDP source/destination port numbers, and time ranges.

Procedure

  • Query an ACL.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > ACL Config to open the ACL Config page.
    2. Set the search criteria.
    3. Click to display all matching records.
  • Create an ACL.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > ACL Config to open the ACL Config page.
    2. Click Create to open the Create ACL page, as shown in Figure 5-127.

      Figure 5-127  Create ACL

      Table 5-65 describes the parameters on the page.

      Table 5-65  Create ACL

      | Parameter | Description |
      |---|---|
      | ACL name | Indicates the name of an ACL. The ACL name must be unique. NOTE: The value is a string starting with a letter, without spaces. Either an ACL number or an ACL name is required to identify an ACL. When you modify an ACL, the ACL name cannot be changed. |
      | ACL number | Indicates the number of an ACL. It identifies an ACL. The value is an integer that ranges from 3000 to 3999. NOTE: When you modify an ACL, the ACL number cannot be changed. Either an ACL number or an ACL name is required to identify an ACL. |
      | ACL description | Indicates the description of an ACL. It is optional. |

    3. Click OK.
  • Modify an ACL.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > ACL Config to open the ACL Config page.
    2. Select an ACL and click Modify.

      NOTE:
      • Table 5-65 describes the parameters on the page.
      • The ACL name and number cannot be changed.

  • Delete an ACL.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > ACL Config to open the ACL Config page.
    2. Select an ACL and click Delete. If the ACL contains rules, the system prompts you that the rules in the ACL will be deleted and asks you whether to delete the ACL.
    3. Click OK. If the operation succeeds, the system returns to the ACL Config page; otherwise, an error message is displayed.
  • Add rules.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > ACL Config to open the ACL Config page.
    2. Select an ACL and click Add Rule.

      Figure 5-128 shows the Add Rule page.

      Figure 5-128  Add Rule

      Table 5-66 describes the parameters for adding rules.

      Table 5-66  Add Rule

      | Parameter | Description |
      |---|---|
      | Action | Indicates whether to permit or deny packets. The default action is permit. |
      | Protocol type | Indicates the type of the protocol. It is mandatory. The protocol types include: GRE(47); ICMP(1); IGMP(2); IP; IPINIP(4); OSPF(89); TCP(6); UDP(17); Customized type. NOTE: The text box is valid only when the protocol type is customized. |
      | Match IP: Source IP/Wildcard | Indicates the IP address and wildcard. By default, all source IP addresses are specified. |
      | Match IP: Destination IP/Wildcard | Indicates the IP address and wildcard. By default, all destination IP addresses are specified. |
      | Match Packet Priority: IP precedence | Indicates that the packets are filtered according to the precedence field. |
      | Match Packet Priority: TOS | Indicates that packets are filtered according to the Type of Service (ToS). |
      | Match Packet Priority: DSCP | Specifies the Differentiated Services Code Point (DSCP). NOTE: If you set the IP precedence or TOS, the DSCP priority cannot be set. If you set the DSCP priority, the IP precedence or TOS cannot be set. |
      | Matching Interface: Source port number | This parameter is valid only when the protocol type is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched. |
      | Matching Interface: Dest port number | This parameter is valid only when the protocol type is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched. |
      | Set Time: Time range | Indicates the time range when the ACL takes effect. NOTE: The time range name is displayed on the configuration result page. |

    3. Click OK.
  • Modify a rule.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > ACL Config to open the ACL Config page.
    2. Select an ACL and click to expand the ACL rules.
    3. Click of a rule to modify the rule. Table 5-66 describes the parameters on the page.

    NOTE:

    Click and to change the order of the rule, and click Apply to make the new order take effect.

  • Delete a rule.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > ACL Config to open the ACL Config page.
    2. Select an ACL and click to expand the ACL rules.
    3. Click of a rule to delete the rule. In the dialog box that is displayed, click OK.
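
The constraints in Table 5-65 and Table 5-66, and the wildcard matching they rely on, as an added Python example that is not part of the Huawei guide. The `Rule` model, the function names and the sample addresses are hypothetical; the code assumes that wildcard bits set to 1 are ignored and that rules are evaluated in their displayed order, with the first match deciding.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Protocol numbers as listed in Table 5-66; "IP" matches any protocol.
PROTOCOLS = {"GRE": 47, "ICMP": 1, "IGMP": 2, "IP": None,
             "IPINIP": 4, "OSPF": 89, "TCP": 6, "UDP": 17}

@dataclass
class Rule:                          # hypothetical model of one Add Rule form
    action: str = "permit"           # the page's default action
    protocol: str = "IP"
    src: Optional[tuple] = None      # (address, wildcard); None = any source
    dst: Optional[tuple] = None      # (address, wildcard); None = any destination
    dst_port: Optional[int] = None   # None = any destination port
    precedence: Optional[int] = None
    tos: Optional[int] = None
    dscp: Optional[int] = None

def validate_acl_id(name=None, number=None):
    """Check the Table 5-65 constraints on the ACL name and number."""
    errors = []
    if name is None and number is None:
        errors.append("an ACL name or an ACL number is required")
    if name is not None and not re.fullmatch(r"[A-Za-z]\S*", name):
        errors.append("name must start with a letter and contain no spaces")
    if number is not None and not 3000 <= number <= 3999:
        errors.append("number must be in 3000..3999")
    return errors

def validate_rule(rule):
    """Check the constraints stated in Table 5-66."""
    errors = []
    if rule.dst_port is not None and rule.protocol not in ("TCP", "UDP"):
        errors.append("port numbers are valid only for TCP or UDP")
    if rule.dscp is not None and (rule.precedence is not None or rule.tos is not None):
        errors.append("DSCP cannot be combined with IP precedence or ToS")
    return errors

def wildcard_match(addr, spec):
    """Wildcard bits set to 1 are ignored; bits set to 0 must be equal."""
    if spec is None:
        return True
    base, wildcard = (int(ipaddress.IPv4Address(x)) for x in spec)
    care = ~wildcard & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == base & care

def first_match(rules, proto, src, dst, dst_port=None):
    """Return the action of the first rule that matches, or None if none does."""
    for r in rules:
        if PROTOCOLS[r.protocol] not in (None, PROTOCOLS[proto]):
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        if wildcard_match(src, r.src) and wildcard_match(dst, r.dst):
            return r.action
    return None

# Constructed sample: permit HTTPS from 192.0.2.0/24 to one host, deny other TCP.
SAMPLE = [
    Rule("permit", "TCP", ("192.0.2.0", "0.0.0.255"), ("198.51.100.10", "0.0.0.0"), 443),
    Rule("deny", "TCP"),
]
```

`first_match` returns `None` when no rule matches; this page does not state what the device does in that case. Reversing `SAMPLE` makes the broad deny rule match first, which is why the rule order set on the page matters.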

ACLv6 Config

An ACL defines rules based on source IPv6 addresses, destination IPv6 addresses, IPv6 protocol types, ICMP types, TCP source/destination port numbers, UDP source/destination port numbers, and time ranges.

Procedure

  • Query an ACLv6.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > ACLv6 Config to open the ACLv6 Config page.
    2. Set the search criteria.
    3. Click to display all matching records.
  • Create an ACLv6.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > ACLv6 Config to open the ACLv6 Config page.
    2. Click Create to open the Create ACLv6 page, as shown in Figure 5-129.

      Figure 5-129  Create ACLv6

      Table 5-67 describes the parameters on the page.

      Table 5-67  Create ACLv6

      | Parameter | Description |
      |---|---|
      | ACL name | Indicates the name of an ACL. The ACL name must be unique. NOTE: The value is a string starting with a letter, without spaces. Either an ACL number or an ACL name is required to identify an ACL. When you modify an ACL, the ACL name cannot be changed. |
      | ACL number | Indicates the number of an ACL. It identifies an ACL. The value is an integer that ranges from 3000 to 3999. NOTE: When you modify an ACL, the ACL number cannot be changed. Either an ACL number or an ACL name is required to identify an ACL. |

    3. Click OK.
  • Delete an ACLv6.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > ACLv6 Config to open the ACLv6 Config page.
    2. Select an ACL and click Delete. If the ACL contains rules, the system prompts you that the rules in the ACL will be deleted and asks you whether to delete the ACL.
    3. Click OK. If the operation succeeds, the system returns to the ACLv6 Config page; otherwise, an error message is displayed.
  • Add rules.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > ACLv6 Config to open the ACLv6 Config page.
    2. Select an ACL and click Add Rule.

      Figure 5-130 shows the Add Rule page.

      Figure 5-130  Add Rule

      Table 5-68 describes the parameters for adding rules.

      Table 5-68  Add Rule

      | Parameter | Description |
      |---|---|
      | Action | Indicates whether to permit or deny packets. The default action is permit. |
      | Protocol type | Indicates the type of the protocol. It is mandatory. The protocol types include: GRE; ICMPv6 (NOTE: The following text boxes are valid only when the type is set to ICMPv6:); IPv6; OSPF; TCP; UDP; Customized type (NOTE: The text box is valid only when the protocol type is customized.) |
      | Match IP: Source IPv6 address/prefix length | Indicates the source IPv6 address and prefix length. |
      | Match IP: Destination IPv6 address/prefix length | Indicates the destination IPv6 address and prefix length. |
      | Matching Interface: Source port number | This parameter is valid only when the protocol type is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched. |
      | Matching Interface: Dest port number | This parameter is valid only when the protocol type is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched. |
      | Set Time: Time range | Indicates the time range when the ACL takes effect. NOTE: The time range name is displayed on the configuration result page. |

    3. Click OK.
  • Modify a rule.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > ACLv6 Config to open the ACLv6 Config page.
    2. Select an ACL and click to expand the ACL rules.
    3. Click of a rule to modify the rule. Table 5-68 describes the parameters on the page.

    NOTE:

    Click and to change the order of the rule, and click Apply to make the new order take effect.

  • Delete a rule.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > ACLv6 Config to open the ACLv6 Config page.
    2. Select an ACL and click to expand the ACL rules.
    3. Click of a rule to delete the rule. In the dialog box that is displayed, click OK.

UCL Config

A UCL matches packets based on source IP addresses or source UCL groups, destination IP addresses or destination UCL groups, IP protocol type, ICMP type, TCP source/destination ports, and UDP source/destination ports.

Procedure

  • Query ACLs.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > UCL Config to open the UCL Config page.
    2. Set the search criteria.
    3. Click to display all matching records.
  • Create an ACL.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > UCL Config to open the UCL Config page.
    2. Click Create to open the Create ACL page, as shown in Figure 5-131.

      Figure 5-131  Create ACL

      Table 5-69 describes the parameters on the page.

      Table 5-69  Create ACL

      | Parameter | Description |
      |---|---|
      | ACL name | Indicates the name of an ACL. The ACL name must be unique. NOTE: The value is a string starting with a letter, without spaces. Either an ACL number or an ACL name is required to identify an ACL. When you modify an ACL, the ACL name cannot be changed. |
      | ACL number | Indicates the number of an ACL. It identifies an ACL. The value is an integer that ranges from 6000 to 9999. NOTE: When you modify an ACL, the ACL number cannot be changed. Either an ACL number or an ACL name is required to identify an ACL. |
      | ACL description | Indicates the description of an ACL. It is optional. |

    3. Click OK.
  • Modify an ACL.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > UCL Config to open the UCL Config page.
    2. Select an ACL and click Modify.

      NOTE:
      • Table 5-69 describes the parameters on the page.
      • The ACL name and number cannot be changed.

  • Delete an ACL.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > UCL Config to open the UCL Config page.
    2. Select an ACL and click Delete. If the ACL contains rules, the system prompts you that the rules in the ACL will be deleted and asks you whether to delete the ACL.
    3. Click OK. If the operation succeeds, the system returns to the UCL Config page; otherwise, an error message is displayed.
  • Add a rule.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > UCL Config to open the UCL Config page.
    2. Click Add Rule of an ACL.

      If the ACL is a UCL, the rule page is displayed as shown in Figure 5-132.

      Figure 5-132  Add Rule

      Table 5-70 describes the parameters for adding rules.

      Table 5-70  Add Rule

      | Parameter | Description |
      |---|---|
      | Action | Indicates whether to permit or deny packets. The default action is permit. |
      | Protocol type | Indicates the type of the protocol. It is mandatory. The protocol types include: GRE(47); ICMP(1); IGMP(2); IP; IPINIP(4); OSPF(89); TCP(6); UDP(17); Customized type. NOTE: The text box is valid only when the protocol type is customized. |
      | Source: Source IP/Wildcard | Indicates the IP address and wildcard. The source IP address and wildcard are in dotted decimal format. NOTE: If the source IP address and wildcard are not specified, any source IP address is matched. |
      | Source: Source user group | Indicates the source user group of packets. Choose one of the following operations: To specify the source UCL group, click . To create a source UCL group, click . To modify the source UCL group, click . To delete the source UCL group, click . |
      | Destination: Destination IP/Wildcard | Indicates the destination IP address and wildcard in packets. The destination IP address and wildcard are in dotted decimal format. NOTE: If the destination IP address and wildcard are not specified, any destination IP address is matched. |
      | Destination: Dest user group | Indicates the destination user group of packets. Choose one of the following operations: To specify the destination UCL group, click . To create a destination UCL group, click . To modify the destination UCL group, click . To delete the destination UCL group, click . |
      | Matching Interface: Source port number | This parameter is valid only when the protocol type is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched. |
      | Matching Interface: Destination port number | This parameter is valid only when the protocol type is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched. |
      | Set Time: Time range | Indicates the time range when the ACL takes effect. NOTE: The time range name is displayed on the configuration result page. |

    3. Click OK.
  • Modify a rule.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > UCL Config to open the UCL Config page.
    2. Select an ACL and click to expand the ACL rules.
    3. Click of a rule to modify the rule. Table 5-70 describes the parameters on the page.

    NOTE:

    Click and to change the order of the rule, and click Apply to make the new order take effect.

  • Delete a rule.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > UCL Config to open the UCL Config page.
    2. Select an ACL and click to expand the ACL rules.
    3. Click of a rule to delete the rule. In the dialog box that is displayed, click OK.

Validity Time Range

By configuring an effective period, you can apply an ACL during a certain period of time.

Context

  • A time range specifies a period of time. In practice, users may want certain ACL rules to be valid during a certain period but invalid outside that period; that is, the ACL rules filter packets based on the time range. In this case, you can set one or multiple time ranges and apply them to a created ACL. Packets are then filtered based on the set time ranges.
  • An effective period can contain periodic time ranges and validity periods. A periodic time range takes effect on a certain day in a week. A validity period contains the start time and the end time.

Procedure

  • Create a time range.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > Validity Time Range to open the Validity Time Range page.
    2. Click Create to open the Create Time Range page, as shown in Figure 5-133.

      Figure 5-133  Create Time Range

      Table 5-71 describes the parameters on the page.

      Table 5-71  Create Time Range

      | Parameter | Description |
      |---|---|
      | Time range name | Indicates the name of the created time range. It is mandatory. |
      | Time Range | Indicates a validity period. A validity period contains the start time and the end time. You can configure multiple validity periods by clicking . To delete validity periods, select the records you want to delete and click . NOTE: If only one validity period is created, the validity period takes effect when the current time is within it. |
      | Validity Time | Indicates the periodic time range. A periodic time range takes effect on a certain day in a week. You can configure multiple periodic time ranges by clicking . To delete time ranges, select the records you want to delete and click . NOTE: If only one periodic time range is created, the time range takes effect when the current time is within the periodic time range. |

    3. Set the required parameters.

      NOTE:
      • If an effective period contains both time range and validity time, the effective period takes effect only when the current time is within both the time range and the validity time.
      • The start time and end time of the time range can be earlier than the current time.
      • Either the time range or validity time must be set.

    4. Click OK.
  • Modify a time range.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > Validity Time Range to open the Validity Time Range page.
    2. Click a time range name to open the Modify Time Range page, as shown in Figure 5-134.

      Figure 5-134  Modify Time Range

      NOTE:
      • Table 5-71 describes the parameters on the page.
      • The time range name cannot be modified.
      • The time range and validity time can only be deleted, but cannot be modified.

    3. Set the required parameters.
    4. Click OK.
  • Delete a time range.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > Validity Time Range to open the Validity Time Range page.
    2. Select a record that you want to delete and click Delete. The system asks you whether to delete the record.

      NOTE:
      • To select a record, click the checkbox of the record.
      • To delete records in batches, click the checkboxes of records.

    3. Click OK.
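
How an effective period is evaluated, as an added Python example that is not part of the Huawei guide: a time range is active only when the current time is inside both a validity period and a periodic time range, and a validity period that already lies in the past is accepted but never becomes active again. Function names and sample data are hypothetical; treating several validity periods (or several periodic ranges) as alternatives is an assumption the page does not spell out.

```python
from datetime import datetime, time

def in_validity_period(now, periods):
    """periods: (start, end) datetime pairs. Assumption: any one containing
    `now` is enough when several are configured."""
    return any(start <= now <= end for start, end in periods)

def in_periodic_range(now, ranges):
    """ranges: (weekdays, start, end) with weekdays as a set, Monday = 0.
    Assumption: any one containing `now` is enough when several exist."""
    return any(now.weekday() in days and start <= now.time() <= end
               for days, start, end in ranges)

def time_range_active(now, periods=(), ranges=()):
    """When both kinds are set, `now` must fall inside both (the page's rule)."""
    if not periods and not ranges:
        raise ValueError("either the time range or validity time must be set")
    return ((not periods or in_validity_period(now, periods)) and
            (not ranges or in_periodic_range(now, ranges)))

def already_expired(now, periods):
    """True when every validity period ended before `now`. The page notes that
    start and end times may be earlier than the current time."""
    return bool(periods) and all(end < now for _, end in periods)

def audit(now, time_ranges):
    """Return the names of time ranges that can never be active again."""
    return sorted(name for name, (periods, _) in time_ranges.items()
                  if already_expired(now, periods))

# Constructed sample data (names and dates are illustrative only).
WEEKDAYS = {0, 1, 2, 3, 4}
TIME_RANGES = {
    "work-hours-2019": ([(datetime(2019, 1, 1), datetime(2019, 12, 31, 23, 59))],
                        [(WEEKDAYS, time(8, 0), time(18, 0))]),
    "always-weekdays": ([], [(WEEKDAYS, time(0, 0), time(23, 59))]),
}
```

Running `audit` against an export of the configured time ranges shows which ACL rules are bound to a range that has lapsed, so a deny or permit rule that has stopped applying is noticed.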

Device Access Control

Context

When a switch functions as an HTTPS server, you can configure an ACL on the switch to allow only the specified clients to log in to the switch through HTTPS. This function improves system security.

When a switch functions as a Telnet server, you can configure an ACL on the switch to allow only the specified Telnet clients to log in to the switch through Telnet.

When you use a network management system (NMS) to manage the switch, configure an SNMP ACL on the switch so that only the specified NMS can access the switch. This effectively improves switch security.

NOTE:
The ACL configured on this page must have pre-defined rules.

Procedure

  1. Choose Configuration > Security Services > ACL Config > Device Access Control to access the Device Access Control page, as shown in Figure 5-135.

    Figure 5-135  Access control page

    Table 5-72 describes parameters on the page.

    Table 5-72  Parameters on access control page

    | Item | Description |
    |---|---|
    | HTTP ACL: ACL | Uses a specified ACL to control access to the HTTPS server. |
    | Telnet ACL: ACL | Uses a specified ACL to control access to the Telnet server. |
    | SNMP ACL: ACL | Uses a specified ACL to control SNMP access. |

  2. Set the configuration options and click Apply. Click OK in the displayed dialog box to complete the configuration. To clear the configuration, click Clear Settings.
Updated: 2019-10-17

Document ID: EDOC1000178323
