No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring a Basic ACL to Limit Access to the FTP Server

Example for Configuring a Basic ACL to Limit Access to the FTP Server

Networking Requirements

As shown in Figure 3-3, the Switch functions as an FTP server (172.16.104.110/24). The requirements are as follows:

  • All the users on subnet 1 (172.16.105.0/24) are allowed to access the FTP server anytime.
  • All the users on subnet 2 (172.16.107.0/24) are allowed to access the FTP server only during the specified period of time.
  • Other users are not allowed to access the FTP server.

The routes between the Switch and subnets are reachable. You need to configure the Switch to limit user access to the FTP server.

Figure 3-3 Configuring a basic ACL to limit user access to the FTP server

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create a basic ACL on the Switch and configure rules in the basic ACL.
  2. Configure basic FTP functions on the Switch.
  3. Apply a basic ACL to the Switch to limit user access.

Procedure

  1. Configure a time range.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch
    [*HUAWEI] commit
    [~Switch] time-range ftp-access from 0:0 2009/1/1 to 23:59 2011/12/31
    [*Switch] time-range ftp-access 14:00 to 18:00 off-day

  2. Configure a basic ACL.

    [*Switch] acl number 2001
    [*Switch-acl4-basic-2001] rule permit source 172.16.105.0 0.0.0.255
    [*Switch-acl4-basic-2001] rule permit source 172.16.107.0 0.0.0.255 time-range ftp-access
    [*Switch-acl4-basic-2001] rule deny source any
    [*Switch-acl4-basic-2001] commit
    [~Switch-acl4-basic-2001] quit

  3. Configure basic FTP functions.

    [~Switch] ftp server enable
    [*Switch] aaa
    [*Switch-aaa] local-user huawei password irreversible-cipher SetUesrPasswd@123
    [*Switch-aaa] local-user huawei level 3
    [*Switch-aaa] local-user huawei service-type ftp
    [*Switch-aaa] local-user huawei ftp-directory flash:
    [*Switch-aaa] commit
    [~Switch-aaa] quit
    

  4. Configure access permissions on the FTP server.

    [~Switch] ftp server acl 2001
    [*Switch] commit

  5. Verify the configuration.

    Run the ftp 172.16.104.110 command on Server A (172.16.105.111/24) in subnet 1. Server A can connect to the FTP server.

    Run the ftp 172.16.104.110 command on Server B (172.16.107.111/24) in subnet 2 on Monday in 2010. Server B cannot connect to the FTP server. Run the ftp 172.16.104.110 command on Server B (172.16.107.111/24) in subnet 2 at 15:00 on Saturday in 2010. Server B can connect to the FTP server.

    Run the ftp 172.16.104.110 command on Server C (10.10.10.1/24). Server C cannot connect to the FTP server.

Configuration Files

# Switch configuration file

#
sysname Switch
#
ftp server enable
ftp server acl 2001
#
time-range ftp-access 14:00 to 18:00 off-day
time-range ftp-access from 00:00 2009/1/1 to 23:59 2011/12/31
#
acl number 2001
 rule 5 permit source 172.16.105.0 0.0.0.255
 rule 10 permit source 172.16.107.0 0.0.0.255 time-range ftp-access
 rule 15 deny 
#
aaa
 local-user huawei password irreversible-cipher $1c$jq@D({%F%%$2_o]0cDbL0JfH-77MkA'g<A$.fCo::;5(,*&~}p($
 local-user huawei service-type ftp
 local-user huawei level 3
 local-user huawei ftp-directory flash:
#
return
Translation
Download
Updated: 2019-04-20

Document ID: EDOC1100074765

Views: 18765

Downloads: 64

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next