CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Example for Using Advanced ACLs to Control Access to the Specified Server in the Specified Time Range

Networking Requirements

As shown in Figure 5-18, the departments of an enterprise are connected through the Router. The R&D and marketing departments cannot access the salary query server at 10.164.9.9 during work hours (08:00 to 17:30), whereas the president office can access the server at any time.

Figure 5-18  Using advanced ACLs to control access to the specified server in the specified time range

Configuration Roadmap

The following configurations are performed on the Router. The configuration roadmap is as follows:
  1. Configure the time range, advanced ACL, and ACL-based traffic classifier to filter packets from users to the server in the specified time range. In this way, you can restrict the access of different users to the server in the specified time range.
  2. Configure a traffic behavior to discard the packets matching the ACL.
  3. Configure and apply a traffic policy to make the ACL and traffic behavior take effect.

Procedure

  1. Add interfaces to VLANs and assign IP addresses to the VLANIF interfaces.

    # Add Eth2/0/0 - Eth2/0/2 to VLANs 10, 20, and 30 respectively, add Eth2/0/3 to VLAN 100, and assign IP addresses to the VLANIF interfaces. The configurations on Eth2/0/0 and VLANIF 10 are used as an example here. The configurations on Eth2/0/1, Eth2/0/2, and Eth2/0/3 are similar to those on Eth2/0/0, and the configurations on VLANIF 20, VLANIF 30, and VLANIF 100 are similar to the configurations on VLANIF 10.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] vlan batch 10 20 30 100
    [Router] interface ethernet 2/0/0
    [Router-Ethernet2/0/0] port link-type trunk
    [Router-Ethernet2/0/0] port trunk allow-pass vlan 10
    [Router-Ethernet2/0/0] quit
    [Router] interface vlanif 10
    [Router-Vlanif10] ip address 10.164.1.1 255.255.255.0
    [Router-Vlanif10] quit
    

  2. Configure a time range.

    # Configure the time range from 08:00 to 17:30.

    [Router] time-range satime 8:00 to 17:30 working-day
    

  3. Configure ACLs.

    # Configure an ACL that denies packets from the marketing department to the salary query server within the time range satime.

    [Router] acl 3002
    [Router-acl-3002] rule deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime
    [Router-acl-3002] quit

    # Configure an ACL that denies packets from the R&D department to the salary query server within the time range satime.

    [Router] acl 3003
    [Router-acl-3003] rule deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime
    [Router-acl-3003] quit

  4. Configure ACL-based traffic classifiers.

    # Configure the traffic classifier c_market to classify the packets that match ACL 3002.

    [Router] traffic classifier c_market
    [Router-classifier-c_market] if-match acl 3002
    [Router-classifier-c_market] quit

    # Configure the traffic classifier c_rd to classify the packets that match ACL 3003.

    [Router] traffic classifier c_rd
    [Router-classifier-c_rd] if-match acl 3003
    [Router-classifier-c_rd] quit

  5. Configure traffic behaviors.

    # Configure the traffic behavior b_market to reject packets.

    [Router] traffic behavior b_market
    [Router-behavior-b_market] deny
    [Router-behavior-b_market] quit

    # Configure the traffic behavior b_rd to reject packets.

    [Router] traffic behavior b_rd
    [Router-behavior-b_rd] deny
    [Router-behavior-b_rd] quit

  6. Configure traffic policies.

    # Configure the traffic policy p_market and associate the traffic classifier c_market and the traffic behavior b_market with the traffic policy.

    [Router] traffic policy p_market
    [Router-trafficpolicy-p_market] classifier c_market behavior b_market
    [Router-trafficpolicy-p_market] quit

    # Configure the traffic policy p_rd and associate the traffic classifier c_rd and the traffic behavior b_rd with the traffic policy.

    [Router] traffic policy p_rd
    [Router-trafficpolicy-p_rd] classifier c_rd behavior b_rd
    [Router-trafficpolicy-p_rd] quit

  7. Apply the traffic policy.

    # Packets from the marketing department are received by Eth2/0/1, so apply the traffic policy p_market to the inbound direction of Eth2/0/1.

    [Router] interface ethernet2/0/1
    [Router-Ethernet2/0/1] traffic-policy p_market inbound
    [Router-Ethernet2/0/1] quit

    # Packets from the R&D department are received by Eth2/0/2, so apply the traffic policy p_rd to the inbound direction of Eth2/0/2.

    [Router] interface ethernet2/0/2
    [Router-Ethernet2/0/2] traffic-policy p_rd inbound
    [Router-Ethernet2/0/2] quit

  8. Verify the configuration.

    # Check the configuration of ACL rules.

    [Router] display acl all
     Total quantity of nonempty ACL number is 2
    
    Advanced ACL 3002, 1 rule
    Acl's step is 5
     rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime(Active) 
    
    Advanced ACL 3003, 1 rule
    Acl's step is 5
     rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime(Active) 

    # Check the configuration of traffic classifiers.

    [Router] display traffic classifier user-defined
      User Defined Classifier Information:                                          
       Classifier: c_market                                                         
        Operator: OR                                                                
        Rule(s) :                                                                   
         if-match acl 3002                                                          
       Classifier: c_rd                                                             
        Operator: OR                                                                
        Rule(s) :                                                                   
         if-match acl 3003                                                          
    

    # Check the configuration of traffic policies.

    [Router] display traffic policy user-defined
      User Defined Traffic Policy Information:                                      
      Policy: p_market                                                              
       Classifier: c_market                                                         
        Operator: OR                                                                
         Behavior: b_market                                                         
          Deny                                                                      
                                                                                    
      Policy: p_rd                                                                  
       Classifier: c_rd                                                             
        Operator: OR                                                                
         Behavior: b_rd                                                             
          Deny                                                                      
     
    

    # Check the records of where the traffic policies are applied.

    [Router] display traffic-policy applied-record
    -------------------------------------------------                               
      Policy Name:   p_market                                                       
      Policy Index:  6                                                              
         Classifier:c_market     Behavior:b_market                                  
    -------------------------------------------------                               
     *interface Ethernet2/0/1                                                       
        traffic-policy p_market inbound                                             
          slot 0    :  success                                                      
    -------------------------------------------------                               
      Policy Name:   p_rd                                                           
      Policy Index:  7                                                              
         Classifier:c_rd     Behavior:b_rd                                          
    -------------------------------------------------                               
     *interface Ethernet2/0/2                                                       
        traffic-policy p_rd inbound                                                 
          slot 0    :  success                                                      
    -------------------------------------------------                               
      

    # The R&D and marketing departments cannot access the salary query server in work hours (08:00 to 17:30).
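
    To make the effect of steps 1 to 8 checkable without a device, the following Python model (an added illustration, not Huawei VRP code and not part of this guide) reproduces the pieces that decide a packet's fate: VRP-style wildcard-mask matching, the time range satime with the working-day keyword, and the inbound binding of p_market and p_rd on Ethernet2/0/1 and Ethernet2/0/2. Assumptions are labelled in the code: a wildcard bit of 0 must match and 1 is ignored, working-day means Monday to Friday, rules are evaluated first-match, and a classifier that matches nothing leaves the packet to normal forwarding. The sample packets are constructed for the example.

```python
"""Offline model of the time-range ACL / traffic-policy configuration in this
example.  Added illustration, not Huawei VRP code.  Assumptions: wildcard masks
use 0 = must match / 1 = ignore; 'working-day' means Monday to Friday; ACL
rules are evaluated first-match; a traffic policy applies only in the
direction and on the interface it is bound to.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TimeRange:
    name: str
    start: str          # "HH:MM", e.g. "08:00"
    end: str            # "HH:MM", e.g. "17:30"
    working_day: bool   # True for the 'working-day' keyword (assumed Mon-Fri)

    def active(self, when: datetime) -> bool:
        if self.working_day and when.weekday() > 4:   # 5 = Saturday, 6 = Sunday
            return False
        hhmm = when.strftime("%H:%M")                  # zero-padded, so string compare is safe
        return self.start <= hhmm <= self.end


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """VRP-style wildcard: a 0 bit in the mask must match, a 1 bit is ignored."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a ^ b) & care == 0


@dataclass(frozen=True)
class AclRule:
    action: str                 # "deny" or "permit"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    time_range: Optional[TimeRange] = None

    def matches(self, src: str, dst: str, when: datetime) -> bool:
        if self.time_range is not None and not self.time_range.active(when):
            return False        # rule is inactive outside its time range
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))


# --- the page's configuration, transcribed into data -----------------------
SATIME = TimeRange("satime", "08:00", "17:30", working_day=True)
SERVER = "10.164.9.9"

ACLS: Dict[int, List[AclRule]] = {
    3002: [AclRule("deny", "10.164.2.0", "0.0.0.255", SERVER, "0.0.0.0", SATIME)],  # marketing
    3003: [AclRule("deny", "10.164.3.0", "0.0.0.255", SERVER, "0.0.0.0", SATIME)],  # R&D
}
# traffic policy -> (ACL referenced by its classifier, traffic behavior)
POLICIES: Dict[str, Tuple[int, str]] = {
    "p_market": (3002, "deny"),
    "p_rd": (3003, "deny"),
}
# interface -> traffic policy applied in the inbound direction
INBOUND_POLICY: Dict[str, str] = {
    "Ethernet2/0/1": "p_market",
    "Ethernet2/0/2": "p_rd",
}


def forward_decision(ingress: str, src: str, dst: str, when: datetime) -> str:
    """Return 'deny' or 'forward' for a packet entering interface `ingress`."""
    policy = INBOUND_POLICY.get(ingress)
    if policy is None:
        return "forward"                 # no policy bound, e.g. Eth2/0/0 (president office)
    acl_number, behavior = POLICIES[policy]
    for rule in ACLS[acl_number]:        # first-match evaluation (assumption)
        if rule.matches(src, dst, when):
            return "deny" if behavior == "deny" else "forward"
    return "forward"                     # classifier did not match: normal forwarding


def decide_at(ingress: str, src: str, dst: str, iso_time: str) -> str:
    """Convenience wrapper taking an ISO 8601 timestamp such as '2024-01-15T10:00'."""
    return forward_decision(ingress, src, dst, datetime.fromisoformat(iso_time))


if __name__ == "__main__":
    # Constructed sample packets: 2024-01-15 is a Monday, 2024-01-20 a Saturday.
    samples = [
        ("Ethernet2/0/1", "10.164.2.10", SERVER, "2024-01-15T10:00"),  # marketing, work hours
        ("Ethernet2/0/1", "10.164.2.10", SERVER, "2024-01-15T18:00"),  # marketing, after hours
        ("Ethernet2/0/1", "10.164.2.10", SERVER, "2024-01-20T10:00"),  # marketing, weekend
        ("Ethernet2/0/0", "10.164.1.5", SERVER, "2024-01-15T10:00"),   # president office
    ]
    for ingress, src, dst, when in samples:
        print(f"{when} {ingress} {src} -> {dst}: {decide_at(ingress, src, dst, when)}")
```

    The model makes two properties of the configuration visible that the CLI output does not: the time range is inclusive at both ends (a packet at exactly 17:30 is still denied), and the restriction is tied to the ingress port rather than the source address, so the same marketing source address arriving on an interface without a bound policy is forwarded. Both are worth remembering when reviewing a deployed policy.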

Configuration Files

Router configuration file

#
 sysname Router
#                                                                               
 time-range satime 08:00 to 17:30 working-day  
#                                                                               
vlan batch 10 20 30 100 
# 
acl number 3002                                                                 
 rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime                                                                         
acl number 3003                                                                 
 rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime 
#                                                                               
traffic classifier c_market operator or                                         
 if-match acl 3002                                                              
traffic classifier c_rd operator or                                             
 if-match acl 3003                                                              
#                                                                               
traffic behavior b_market                                                       
 deny                                                                           
traffic behavior b_rd                                                           
 deny                                                                           
#                                                                               
traffic policy p_market                                                         
 classifier c_market behavior b_market                                          
traffic policy p_rd                                                             
 classifier c_rd behavior b_rd    
#                                                                               
interface Vlanif10                                                              
 ip address 10.164.1.1 255.255.255.0                                            
#                                                                               
interface Vlanif20                                                              
 ip address 10.164.2.1 255.255.255.0                                            
#                                                                               
interface Vlanif30                                                              
 ip address 10.164.3.1 255.255.255.0                                            
#                                                                               
interface Vlanif100                                                             
 ip address 10.164.9.9 255.255.255.0   
#                                                                               
interface Ethernet2/0/0                                                         
 port link-type trunk                                                           
 port trunk allow-pass vlan 10                                                  
#                                                                               
interface Ethernet2/0/1                                                         
 port link-type trunk                                                           
 port trunk allow-pass vlan 20                                                  
 traffic-policy p_market inbound                                                
#                                                                               
interface Ethernet2/0/2                                                         
 port link-type trunk                                                           
 port trunk allow-pass vlan 30                                                  
 traffic-policy p_rd inbound                                                    
#                                                                               
interface Ethernet2/0/3                                                         
 port link-type trunk                                                           
 port trunk allow-pass vlan 100  
#
return 
Updated: 2019-05-20

Document ID: EDOC1100034077