No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Configuration Guide - Security

S9300, S9300E, and S9300X V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring the Reflective ACL Function

Example for Configuring the Reflective ACL Function

Networking Requirements

As shown in Figure 2-2, GE1/0/1 of the Switch is connected to users on the internal network, and GE2/0/1 is connected to the Internet. It is required that the reflective ACL function be configured on GE 2/0/1 of the Switch to prevent the server on the Internet from accessing hosts on the internal network unless the internal hosts have accessed the server. In addition, the aging time of a reflective ACL needs to be set globally and on GE2/0/1 so that the reflective ACL entries can be aged out automatically.

Figure 2-2  Typical networking of configuring the reflective ACL function

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure an advanced ACL.
  2. Enable the reflective ACL function and set the aging time of the reflective ACL on GE2/0/1.
  3. Set the global aging time of the reflective ACL.

Procedure

  1. Configure an advanced ACL that permits UDP packets to pass through.

    <Quidway> system-view
    [Quidway] sysname Switch
    [Switch] acl 3000
    [Switch-acl-adv-3000] rule permit udp
    [Switch-acl-adv-3000] quit
    

  2. Configure the reflective ACL function in the outbound direction on GE2/0/1 and set the aging time of the reflective ACL on the interface so that inbound UDP packets can be sent to the internal network from the Internet.

    [Switch] interface gigabitethernet 2/0/1
    [Switch-GigabitEthernet2/0/1] traffic-reflect outbound acl 3000 timeout 600
    [Switch-GigabitEthernet2/0/1] quit

  3. Set the global aging time of the reflective ACL.

    [Switch] traffic-reflect timeout 900
    
    NOTE:

    If the aging time of a reflective ACL is set in the interface view, the setting in the interface view takes effect. Otherwise, the aging time set in the system view takes effect.

  4. Verify the configuration.

    Run the display traffic-reflect command in the system view, and you can view information about the reflective ACL.

    [Switch] display traffic-reflect outbound acl 3000
    Proto  SP   DP   DIP             SIP             Count   Timeout  Interface
    ------------------------------------------------------------------------------
    UDP    2    80   10.2.1.10       10.1.1.10       9       600(s)   GigabitEthernet2/0/1
    ------------------------------------------------------------------------------
    * Total <1> flows accord with condition, <1> items was displayed.
    ------------------------------------------------------------------------------
    * Proto=Protocol,SIP=Source IP,DIP=Destination IP,Timeout=Time to cutoff,
    * SP=Source port,DP=Destination port,Count=Packets count(data).

    The preceding information shows that the reflective ACL is applied to UDP packets on GE2/0/1 and the UDP packets matching the reflective ACL are counted.

Configuration Files

Switch configuration file

#
sysname Switch
#
acl number 3000
 rule 5 permit udp
#
interface GigabitEthernet2/0/1
 traffic-reflect outbound acl 3000 timeout 600
#
traffic-reflect timeout 900
#
return
Translation
Download
Updated: 2019-04-01

Document ID: EDOC1000178410

Views: 125511

Downloads: 25

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next