FATAP and Cloud AP V200R009C00 Web-based Configuration Guide

Example for Configuring ACL-based Packet Filtering


Networking Requirements

As shown in Figure 2-16, an enterprise deploys an AP to provide a WLAN with the SSID wlan-net so that users can access the network anywhere at any time.

The enterprise network administrator expects that an ACL can be configured to prohibit packets with the source IP address 10.23.101.10 and destination IP address 10.23.101.11.

Figure 2-16  Networking diagram for configuring ACL-based packet filtering

Data Preparation

| Item | Data |
| --- | --- |
| Service VLAN for STAs | VLAN 101 |
| DHCP server | The AP functions as a DHCP server to assign IP addresses to STAs. |
| IP address pool for STAs | 10.23.101.2-10.23.101.254/24 |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| Traffic profile | Name: wlan-traffic; Referenced ACL: 3001 |
| VAP profile | Name: wlan-net; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net, security profile wlan-net, and traffic profile wlan-traffic |

Configuration Roadmap

The configuration roadmap is as follows:
  1. Use the WLAN configuration wizard to configure WLAN services.
  2. Configure ACL rules to filter packets.
  3. Connect STAs to the WLAN to verify the configuration.

Procedure

  1. Configure basic WLAN services.
    1. Choose Wizard > Config Wizard. The Configure Wi-Fi Signals page is displayed.
    2. Configure Wi-Fi signals.

      # Click Create. The Basic Information page is displayed.

      # Configure basic information about an SSID.

      # Click Next. The IP and Rate page is displayed.

      # Set IP address parameters.
      NOTE: Configure the DNS server address as required.



      # Click Finish.

    3. Configure Internet connection parameters.

      # Click Next. The Configure Internet Connection page is displayed.

      # Add an interface to VLAN 101 in tagged mode.
      NOTE: If you log in to the web platform using a PC whose Ethernet interface is being modified, do not delete the existing VLAN configuration on the interface; this ensures that the PC can still communicate with Fat APs. As shown in the following figure, GigabitEthernet0/0/0 is added to VLAN 1 by default and STAs communicate with the AP through this interface. You can use the default IP address of the AP to log in to the web platform; if you need to do so, do not delete VLAN 1.



      # Click Finish.

  2. Configure an ACL.
    1. Configure ACL 3001 that rejects packets with the source IP address 10.23.101.10 and destination IP address 10.23.101.11.

      # Choose Configuration > Security > ACL > Advanced ACL Settings. The Advanced ACL Settings page is displayed.

      # Click Create. On the Create Advanced ACL page that is displayed, set the ACL name to ACL3001 and the number to 3001, and click OK.

      # Click Add Rule to add ACL rules.



      # Click OK.

    2. Create a traffic profile and apply the ACL to the profile.

      # Choose Configuration > WLAN Service > WLAN Config.

      # In the WLAN Config navigation tree, click Radio0. Click the icon in front of VAP Configuration. Under it, click the icon in front of wlan-net. Click Traffic Profile. The Traffic Profile page is displayed.

      # Click Create. The Create Traffic Profile page is displayed.

      # Enter the traffic profile name wlan-traffic in Profile name and click OK. The parameter setting page of the new traffic profile is displayed.

      # On the Advanced Configuration tab, expand Packet Filtering. In Inbound ACL, click Add, and set Packet Filtering Type to IPv4 and the packet filtering ACL to ACL 3001. Click to save the settings.



      # Click Apply. In the Info dialog box that is displayed, click OK.

  3. Verify the configuration.
    1. The WLAN with the SSID wlan-net is available.
    2. The STA can associate with the WLAN and obtain an IP address in 10.23.101.x/24; its gateway address is 10.23.101.1.



    3. Choose Monitoring > Terminal Manage > STA Management. In User, you can see that STAs go online properly and obtain IP addresses.
    4. Run the display traffic-profile name wlan-traffic command on the AP to check that ACL-based packet filtering is applied. The command output shows that the ACL has been applied to the traffic profile, and packets with the source IP address 10.23.101.10 and destination IP address 10.23.101.11 cannot pass through.
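
The matching logic behind step 2, as an added example that is not part of Huawei's guide: a small Python model of ACL 3001 that applies wildcard-mask, first-match evaluation to constructed flows, useful for planning which flows to test in step 3. The rule ID 5, the 0.0.0.0 wildcard for an exact host match, ascending rule-ID match order, and the permit default for unmatched packets are assumptions of this sketch, since the page does not show the rule dialog.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str        # "permit" or "deny"
    src: str
    src_wildcard: str  # wildcard mask: 0 bits must match, 1 bits are ignored
    dst: str
    dst_wildcard: str

def _matches(addr, base, wildcard):
    """True when addr equals base on every bit the wildcard marks as 0."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def evaluate(rules, src, dst, default="permit"):
    """Return the action of the first matching rule, lowest rule ID first.

    default is the action when no rule matches. It is an assumption of this
    sketch, not a statement about the AP; confirm it on the device.
    """
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if _matches(src, rule.src, rule.src_wildcard) and _matches(dst, rule.dst, rule.dst_wildcard):
            return rule.action
    return default

# ACL 3001 as this page describes it: one deny rule for a single host pair.
# Rule ID 5 is a constructed value.
ACL_3001 = [Rule(5, "deny", "10.23.101.10", "0.0.0.0", "10.23.101.11", "0.0.0.0")]

# Constructed flows inside the STA pool 10.23.101.2-10.23.101.254.
SAMPLE_FLOWS = [
    ("10.23.101.10", "10.23.101.11"),  # the pair the administrator wants blocked
    ("10.23.101.11", "10.23.101.10"),  # reverse direction
    ("10.23.101.10", "10.23.101.12"),  # same source, other destination
    ("10.23.101.20", "10.23.101.11"),  # other source, same destination
]

def verdicts(rules=ACL_3001, flows=SAMPLE_FLOWS):
    """Map each (src, dst) flow to the action the ACL model returns."""
    return {flow: evaluate(rules, *flow) for flow in flows}

if __name__ == "__main__":
    for (src, dst), action in verdicts().items():
        print(f"{src} -> {dst}: {action}")
```

In this model only the flow from 10.23.101.10 to 10.23.101.11 is denied; the reverse direction does not match the rule, so check both directions from the two STAs when verifying the filter.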
Updated: 2019-04-18

Document ID: EDOC1100035626
