Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the security configurations, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separation of the management plane from the service plane, and security risks.

Example for Configuring a Basic ACL6 to Limit Access to the FTP Server

Networking Requirements

As shown in Figure 3-4, the Switch functions as an FTP server (fc00:1::2/64). The requirements are as follows:

  • All users on subnet 1 (fc00:2::1/64) are allowed to access the FTP server at any time.
  • All users on subnet 2 (fc00:2::2/64) are allowed to access the FTP server only during the specified time period.
  • Other users are not allowed to access the FTP server.

The routes between the Switch and subnets are reachable. You need to configure the Switch to limit user access to the FTP server.

Figure 3-4 Configuring a basic ACL6 to limit user access to the FTP server

Configuration Roadmap

The configuration roadmap is as follows:

  • Create a basic ACL6 on the Switch and configure rules in the basic ACL6.
  • Configure basic FTP functions on the Switch.
  • Apply a basic ACL6 to the Switch to limit user access.

Procedure

  1. Configure a time range.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch
    [*HUAWEI] commit
    [~Switch] time-range ftp-access from 0:0 2013/1/1 to 23:59 2013/12/31
    [*Switch] time-range ftp-access 14:00 to 18:00 off-day

  2. Configure a basic ACL6.

    [*Switch] acl ipv6 number 2001
    [*Switch-acl6-basic-2001] rule permit source fc00:2::1/64
    [*Switch-acl6-basic-2001] rule permit source fc00:2::2/64 time-range ftp-access
    [*Switch-acl6-basic-2001] rule deny source any
    [*Switch-acl6-basic-2001] commit
    [~Switch-acl6-basic-2001] quit

  3. Configure basic FTP functions.

    [~Switch] ftp ipv6 server enable
    [*Switch] aaa
    [*Switch-aaa] local-user huawei password irreversible-cipher SetUesrPasswd@123
    [*Switch-aaa] local-user huawei service-type ftp
    [*Switch-aaa] local-user huawei level 3
    [*Switch-aaa] local-user huawei ftp-directory flash:
    [*Switch-aaa] commit
    [~Switch-aaa] quit
    

  4. Configure access permissions on the FTP server.

    [~Switch] ftp ipv6 server acl 2001
    [*Switch] commit

  5. Verify the configuration.

    Run the ftp ipv6 fc00:1::2 command on PC A (fc00:2::1/64) in subnet 1. PC A can connect to the FTP server.

    Run the ftp ipv6 fc00:1::2 command on PC B (fc00:2::2/64) in subnet 2 on Monday in 2013. PC B cannot connect to the FTP server. Run the ftp ipv6 fc00:1::2 command on PC B (fc00:2::2/64) in subnet 2 at 15:00 on Saturday in 2013. PC B can connect to the FTP server.

    Run the ftp ipv6 fc00:1::2 command on PC C (fc00:2::3/64). PC C cannot connect to the FTP server.

Configuration Files

# Configuration file of the Switch

#
sysname Switch
#
ftp ipv6 server enable
ftp ipv6 server acl 2001
#
time-range ftp-access 14:00 to 18:00 off-day
time-range ftp-access from 00:00 2013/1/1 to 23:59 2013/12/31
#
acl ipv6 number 2001
 rule 5 permit source FC00:2::/64
 rule 10 permit source FC00:2::/64 time-range ftp-access
 rule 15 deny 
#
aaa
 local-user huawei password irreversible-cipher $1c$jq@D({%F%%$2_o]0cDbL0JfH-77MkA'g<A$.fCo::;5(,*&~}p($ 
 local-user huawei service-type ftp  
 local-user huawei level 3
 local-user huawei ftp-directory flash:
#
return
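
The configuration file above stores both permit rules with the same source prefix, FC00:2::/64, because fc00:2::1/64 and fc00:2::2/64 differ only in their host bits. The following Python check is an added example, not part of the Huawei guide: it parses rule lines, masks host bits the same way, reports rules shadowed by an earlier always-active rule, and evaluates first-match decisions. The function names, the reading of off-day as Saturday and Sunday, and the deny-on-no-match default are assumptions.

```python
import ipaddress
import re

# Rules as typed in step 2 of the procedure (copied from this page).
TYPED_RULES = """\
rule permit source fc00:2::1/64
rule permit source fc00:2::2/64 time-range ftp-access
rule deny source any
"""

RULE_RE = re.compile(
    r"rule\s+(?:\d+\s+)?(permit|deny)(?:\s+source\s+(\S+))?(?:\s+time-range\s+(\S+))?")

def parse_rules(text):
    """Return [(action, network, time_range_or_None)] in configuration order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        action, src, trange = m.groups()
        if src in (None, "any"):
            src = "::/0"
        # strict=False masks the host bits, as the stored configuration does.
        rules.append((action, ipaddress.ip_network(src, strict=False), trange))
    return rules

def ftp_access_active(when):
    """time-range ftp-access from this page: 14:00-18:00 on off-days in 2013.
    Assumption: off-day means Saturday and Sunday."""
    in_hours = (14, 0) <= (when.hour, when.minute) <= (18, 0)
    return when.year == 2013 and when.weekday() >= 5 and in_hours

def shadowed_rules(rules):
    """Indexes of rules that can never decide a packet because an earlier rule
    without a time range already covers their whole source prefix."""
    return [i for i, (_, net, _) in enumerate(rules)
            if any(t is None and net.subnet_of(n) for _, n, t in rules[:i])]

def decide(rules, src, when):
    """First-match evaluation; no matching rule means deny (assumption)."""
    addr = ipaddress.ip_address(src)
    for action, net, trange in rules:
        if addr in net and (trange is None or ftp_access_active(when)):
            return action
    return "deny"
```

Running `shadowed_rules(parse_rules(TYPED_RULES))` flags the time-restricted rule; giving each subnet its own prefix (for example, constructed prefixes fc00:2::/64 and fc00:3::/64) clears the finding.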
Updated: 2019-04-20

Document ID: EDOC1100074765
