CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
How Can Unidirectional Access Control Be Implemented?

You can use one of the following methods to implement unidirectional access control.

NOTE:

The following commands are only for your reference. You should comply with the command line syntax of the version running on your device.

  • Method 1: Traffic policy

    1. Configure an advanced ACL.

      Run the acl [ number ] acl-number [ match-order { auto | config } ] command in the system view to create an advanced ACL (3000-3999) and enter the advanced ACL view or run the acl name acl-name { advance | acl-number } [ match-order { auto | config } ] command to create a named advanced ACL and enter the advanced ACL view.

    2. Configure rules for the advanced ACL.

      Run the rule command to configure a rule with the tcp-flag parameter specified.

      For example, it is required that users on network segment 192.168.1.0/24 can access network segment 192.168.2.0/24, but users on network segment 192.168.2.0/24 cannot access network segment 192.168.1.0/24.

      In a TCP connection, from setup to teardown, only the initial connection request (the SYN packet) has both the ACK and RST flags set to 0; every other packet has ACK set to 1 or RST set to 1. Based on this characteristic, configure the following ACL rules to permit the packets exchanged after a TCP connection has been requested and deny all other TCP packets from network segment 192.168.2.0/24. In this way, TCP connection requests initiated from this network segment are blocked, while replies to connections initiated from 192.168.1.0/24 still pass.

      • Rule 1: Configure ACL rules with the ack and rst keywords specified.

        rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack   //Permit the TCP packets with the ACK flag set to 1.
        rule 10 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst  //Permit the TCP packets with the RST flag set to 1.
        rule 15 deny tcp source 192.168.2.0 0.0.0.255                 //Deny all other TCP packets.
        
      • Rule 2: Configure ACL rules with the established keyword specified.

        rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag established  //established matches packets with ACK set to 1 or RST set to 1, that is, the packets exchanged after a TCP connection has been requested.
        rule deny tcp source 192.168.2.0 0.0.0.255                          //Deny all other TCP packets.
        
    3. Configure a traffic classifier.
      1. Run the traffic classifier classifier-name [ operator { and | or } ] command in the system view to enter the traffic classifier view.
      2. Run the if-match acl { acl-number | acl-name } command to configure an ACL-based matching rule.
    4. Configure a traffic behavior.

      Run the traffic behavior behavior-name command in the system view to create a traffic behavior and enter the traffic behavior view.

    5. Configure a traffic action.

      There are two actions for packet filtering: deny and permit. For other traffic actions, see Huawei AR Series Access Routers Configuration Guide - QoS.

    6. Configure a traffic policy.

      1. Run the traffic policy policy-name command in the system view to create a traffic policy and enter the traffic policy view.

      2. Run the classifier classifier-name behavior behavior-name command to configure a traffic behavior for the specified traffic classifier in the traffic policy. That is, bind the traffic behavior to the classifier.

    7. Apply the traffic policy.

      Run the traffic-policy policy-name { inbound | outbound } command in the interface view to apply the traffic policy.

      In this example, apply the traffic policy to the inbound direction of the interface connected to network segment 192.168.2.0/24.

  • Method 2: Simplified traffic policy

    1. Configure an advanced ACL and rules. The configuration is the same as in Method 1 (traffic policy).

    2. Apply the simplified traffic policy.

      Run the traffic-filter { inbound | outbound } acl acl-number command in the interface view to apply the simplified traffic policy (ACL-based packet filtering).

      In this example, apply the simplified traffic policy to the inbound direction of the interface connected to network segment 192.168.2.0/24.
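Both methods rely on the same ACL decision, so the following added example (not part of the Huawei document) models that decision in Python: first-match evaluation of the two ACL variants above, with the tcp-flag ack, rst and established semantics, run over constructed sample packets. The sample addresses, the rule table layout and the default-permit behaviour for packets that match no rule are assumptions of this model.

```python
import ipaddress

# Constructed model of the two ACL variants from the page. Each entry is
# (action, source network, required tcp-flag or None). Huawei ACLs are
# evaluated in configuration order and the first matching rule wins.
ACL_ACK_RST = [                                   # "Rule 1" variant
    ("permit", "192.168.2.0/24", "ack"),          # rule 5
    ("permit", "192.168.2.0/24", "rst"),          # rule 10
    ("deny",   "192.168.2.0/24", None),           # rule 15
]
ACL_ESTABLISHED = [                               # "Rule 2" variant
    ("permit", "192.168.2.0/24", "established"),
    ("deny",   "192.168.2.0/24", None),
]

def flag_matches(required, flags):
    """tcp-flag semantics: ack/rst require that bit; established = ACK or RST set."""
    if required is None:
        return True
    if required == "established":
        return "ack" in flags or "rst" in flags
    return required in flags

def acl_lookup(acl, src_ip, proto, flags=()):
    """Return 'permit' or 'deny' for one packet. A packet that matches no rule
    is forwarded (assumed default for traffic-filter / traffic-policy filtering)."""
    src = ipaddress.ip_address(src_ip)
    if proto != "tcp":                            # every rule here is TCP-only
        return "permit"
    for action, net, required in acl:
        if src in ipaddress.ip_network(net) and flag_matches(required, flags):
            return action
    return "permit"

# Constructed sample packets evaluated against the ACL.
PACKETS = {
    "syn_from_2":    ("192.168.2.10", "tcp", ("syn",)),         # new connection attempt
    "synack_from_2": ("192.168.2.10", "tcp", ("syn", "ack")),   # reply to a 192.168.1.x client
    "rst_from_2":    ("192.168.2.10", "tcp", ("rst",)),         # connection reset
    "syn_from_1":    ("192.168.1.5",  "tcp", ("syn",)),         # 192.168.1.0/24 may initiate
    "udp_from_2":    ("192.168.2.10", "udp", ()),               # not covered by the ACL
}

def evaluate(acl):
    """Map each sample packet name to the ACL decision."""
    return {name: acl_lookup(acl, *pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for name, decision in evaluate(ACL_ACK_RST).items():
        print(f"{name:15} {decision}")
```

The model shows that the ACL restricts only TCP, so UDP and ICMP from 192.168.2.0/24 are unaffected, and that the check is stateless: it inspects the flag bits of each packet and keeps no connection table.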

Updated: 2019-08-07

Document ID: EDOC1100034077