Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Example for Using an Advanced ACL to Configure Traffic Classifiers

Networking Requirements

As shown in Figure 3-5, the departments of the company are connected through the Switch. An IPv4 ACL needs to be configured to prevent the R&D department and marketing department from accessing the salary query server from 8:00 to 17:30 and allow the president's office to access the salary query server at any time.

Figure 3-5 Using an advanced ACL to configure traffic classifiers

Configuration Roadmap

The configuration roadmap is as follows:

  1. Assign IP addresses to interfaces.
  2. Configure the time range.
  3. Configure ACLs.
  4. Configure traffic classifiers.
  5. Configure traffic behaviors.
  6. Configure traffic policies.
  7. Apply traffic policies to interfaces.

Procedure

  1. Add interfaces to VLANs and assign IP addresses to the VLANIF interfaces.

    # Add 10GE1/0/1, 10GE1/0/2, and 10GE1/0/3 to VLAN 10, VLAN 20, and VLAN 30 respectively, and add 10GE1/0/4 to VLAN 100. The first IP address of each network segment is used as the address of the VLANIF interface on that segment. The configurations on 10GE1/0/1 and VLANIF 10 are shown here as an example. The configurations of 10GE1/0/2, 10GE1/0/3, and 10GE1/0/4 are similar to those on 10GE1/0/1, and the configurations of VLANIF 20, VLANIF 30, and VLANIF 100 are similar to those on VLANIF 10, so they are not repeated here.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch
    [*HUAWEI] commit
    [~Switch] vlan batch 10 20 30 100
    [*Switch] interface 10ge 1/0/1
    [*Switch-10GE1/0/1] port link-type access
    [*Switch-10GE1/0/1] port default vlan 10
    [*Switch-10GE1/0/1] commit
    [~Switch-10GE1/0/1] quit
    [~Switch] interface vlanif 10
    [*Switch-Vlanif10] ip address 10.164.1.1 255.255.255.0
    [*Switch-Vlanif10] quit
    

  2. Configure a time range.

    # Configure a time range named satime that covers 8:00 to 17:30 on working days.

    [*Switch] time-range satime 8:00 to 17:30 working-day

  3. Configure ACLs.

    # Configure an ACL that matches traffic from the marketing department to the salary query server within the time range satime.

    [*Switch] acl 3002
    [*Switch-acl4-advance-3002] rule permit ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime
    [*Switch-acl4-advance-3002] commit
    [~Switch-acl4-advance-3002] quit

    # Configure an ACL that matches traffic from the R&D department to the salary query server within the time range satime.

    [~Switch] acl 3003
    [*Switch-acl4-advance-3003] rule permit ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime
    [*Switch-acl4-advance-3003] commit
    [~Switch-acl4-advance-3003] quit

  4. Configure ACL-based traffic classifiers.

    # Configure the traffic classifier c_market to classify the packets that match ACL 3002.

    [~Switch] traffic classifier c_market
    [*Switch-classifier-c_market] if-match acl 3002
    [*Switch-classifier-c_market] commit
    [~Switch-classifier-c_market] quit

    # Configure the traffic classifier c_rd to classify the packets that match ACL 3003.

    [~Switch] traffic classifier c_rd
    [*Switch-classifier-c_rd] if-match acl 3003
    [*Switch-classifier-c_rd] commit
    [~Switch-classifier-c_rd] quit

  5. Configure traffic behaviors.

    # Configure the traffic behavior b_market to reject packets.

    [~Switch] traffic behavior b_market
    [*Switch-behavior-b_market] deny
    [*Switch-behavior-b_market] commit
    [~Switch-behavior-b_market] quit

    # Configure the traffic behavior b_rd to reject packets.

    [~Switch] traffic behavior b_rd
    [*Switch-behavior-b_rd] deny
    [*Switch-behavior-b_rd] commit
    [~Switch-behavior-b_rd] quit

  6. Configure traffic policies.

    # Configure the traffic policy p_market, and bind the traffic classifier c_market and the traffic behavior b_market to the traffic policy.

    [~Switch] traffic policy p_market
    [*Switch-trafficpolicy-p_market] classifier c_market behavior b_market
    [*Switch-trafficpolicy-p_market] commit
    [~Switch-trafficpolicy-p_market] quit

    # Configure the traffic policy p_rd, and bind the traffic classifier c_rd and the traffic behavior b_rd to the traffic policy.

    [~Switch] traffic policy p_rd
    [*Switch-trafficpolicy-p_rd] classifier c_rd behavior b_rd
    [*Switch-trafficpolicy-p_rd] commit
    [~Switch-trafficpolicy-p_rd] quit

  7. Apply the traffic policies.

    # Apply the traffic policy p_market to 10GE1/0/2.

    [~Switch] interface 10ge 1/0/2
    [~Switch-10GE1/0/2] traffic-policy p_market inbound
    [*Switch-10GE1/0/2] commit
    [~Switch-10GE1/0/2] quit

    # Apply the traffic policy p_rd to 10GE1/0/3.

    [~Switch] interface 10ge 1/0/3
    [~Switch-10GE1/0/3] traffic-policy p_rd inbound
    [*Switch-10GE1/0/3] commit
    [~Switch-10GE1/0/3] quit

  8. Verify the configuration.

    # Check the configuration of ACL rules.

    [~Switch] display acl all
     Total nonempty ACL number is 2                                                 
                                                                                    
    Advanced ACL 3002, 1 rule                                                       
    ACL's step is 5                                                                 
     rule 5 permit ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime(Inactive) (0 times matched)      
                                                                                    
    Advanced ACL 3003, 1 rule                                                       
    ACL's step is 5                                                                 
     rule 5 permit ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime(Inactive) (0 times matched)    

    # Check the configuration of the traffic classifiers.

    [~Switch] display traffic classifier
      Traffic Classifier Information:
        Classifier: c_market                                                        
          Type: OR                                                              
          Rule(s):                                                                  
            if-match acl 3002                                                       
                                                                                    
        Classifier: c_rd                                                            
          Type: OR                                                              
          Rule(s):                                                                  
            if-match acl 3003                                                       
                                                                                    
    Total classifier number is 2                                                    

    # Check the configuration of the traffic policies.

    [~Switch] display traffic policy
       Traffic Policy Information:                                                  
        Policy: p_market                                                            
          Classifier: c_market                                                      
            Type: OR                                                            
          Behavior: b_market                                                        
            Deny                                                                    
                                                                                    
        Policy: p_rd                                                                
          Classifier: c_rd                                                          
            Type: OR                                                            
          Behavior: b_rd                                                            
            Deny                                                                    
                                                                                    
    Total policy number is 2                                                        
    [~Switch] display traffic-policy applied-record
    Total records : 2                                                                                                                   
    -------------------------------------------------------------------------------                                                     
    Policy Name                      Apply Parameter           Slot     State                                                           
    -------------------------------------------------------------------------------                                                     
    p_market                         10GE1/0/2 inbound            1     success                                                         
    -------------------------------------------------------------------------------                                                     
    p_rd                             10GE1/0/3 inbound            1     success                                                         
    -------------------------------------------------------------------------------     
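The following Python model is an added example, not Huawei's code or output from the switch. It reproduces how the configuration above decides a packet's fate: Huawei wildcard-mask matching, the satime time range (working-day is assumed to mean Monday to Friday), the classifier-to-deny binding on 10GE1/0/2 and 10GE1/0/3, and the absence of any policy on 10GE1/0/1. It shows why the rules display as Inactive outside the time range and why marketing and R&D traffic to 10.164.9.9 is dropped only between 8:00 and 17:30, while the president's office is never affected.

```python
import ipaddress
from datetime import datetime, time

# Constructed from the page: satime covers 08:00-17:30 on working days
# (Monday=0 .. Friday=4), which is how the working-day keyword is read here.
SATIME = (time(8, 0), time(17, 30), range(0, 5))

def wildcard_match(addr, base, wildcard):
    """Huawei wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def time_range_active(now, tr):
    start, end, weekdays = tr
    return now.weekday() in weekdays and start <= now.time() <= end

# ACL 3002 / 3003 as on the page: one permit rule each, bound to satime.
ACLS = {
    3002: [("permit", "10.164.2.0", "0.0.0.255", "10.164.9.9", "0.0.0.0", SATIME)],
    3003: [("permit", "10.164.3.0", "0.0.0.255", "10.164.9.9", "0.0.0.0", SATIME)],
}

def acl_matches(acl_id, src, dst, now):
    """True when an active permit rule of the ACL matches the packet."""
    for action, s, sw, d, dw, tr in ACLS[acl_id]:
        if tr is not None and not time_range_active(now, tr):
            continue  # rule shows as Inactive outside satime: it cannot match
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False

# Inbound traffic policy per interface: (classifier ACL, behavior).
POLICIES = {"10GE1/0/2": (3002, "deny"), "10GE1/0/3": (3003, "deny")}

def forward_decision(ingress, src, dst, now):
    """'deny' when the interface policy classifies the packet, else 'permit'."""
    policy = POLICIES.get(ingress)
    if policy is None:
        return "permit"  # 10GE1/0/1 (president's office) has no policy
    acl_id, behavior = policy
    return behavior if acl_matches(acl_id, src, dst, now) else "permit"

if __name__ == "__main__":
    work = datetime(2019, 4, 16, 10, 0)  # a Tuesday inside satime (constructed)
    print(forward_decision("10GE1/0/2", "10.164.2.5", "10.164.9.9", work))
```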

Configuration Files

# Switch configuration file

#
sysname Switch
#
vlan batch 10 20 30 100 
#
time-range satime 08:00 to 17:30 working-day
#
acl number 3002
 rule 5 permit ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
#
acl number 3003
 rule 5 permit ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
#
traffic classifier c_market type or
 if-match acl 3002
#
traffic classifier c_rd type or
 if-match acl 3003
#
traffic behavior b_market
 deny
#
traffic behavior b_rd
 deny
#
traffic policy p_market
 classifier c_market behavior b_market precedence 5
#
traffic policy p_rd
 classifier c_rd behavior b_rd precedence 5
#
interface Vlanif10
 ip address 10.164.1.1 255.255.255.0
#
interface Vlanif20
 ip address 10.164.2.1 255.255.255.0
#
interface Vlanif30
 ip address 10.164.3.1 255.255.255.0
#
interface Vlanif100
 ip address 10.164.9.1 255.255.255.0  
#
interface 10GE1/0/1
 port default vlan 10
#
interface 10GE1/0/2
 port default vlan 20
 traffic-policy p_market inbound
#
interface 10GE1/0/3
 port default vlan 30
 traffic-policy p_rd inbound  
#
interface 10GE1/0/4
 port default vlan 100
#
return 
Updated: 2019-04-20

Document ID: EDOC1100074765
