Example for Using an Advanced ACL to Configure Traffic Classifiers
Networking Requirements
As shown in Figure 3-6, the departments of the company are connected through the Switch. An IPv4 ACL needs to be configured to prevent the R&D department and marketing department from accessing the salary query server from 8:00 to 17:30 and allow the president's office to access the salary query server at any time.
Configuration Roadmap
The configuration roadmap is as follows:
- Assign IP addresses to interfaces.
- Configure the time range.
- Configure ACLs.
- Configure traffic classifiers.
- Configure traffic behaviors.
- Configure traffic policies.
- Apply traffic policies to interfaces.
Procedure
- Add interfaces to VLANs and assign IP addresses to the VLANIF interfaces.
# Add 10GE1/0/1, 10GE1/0/2, and 10GE1/0/3 to VLAN 10, VLAN 20, and VLAN 30 respectively, and add 10GE2/0/1 to VLAN 100. The first IP address of each network segment is used as the address of the VLANIF interface on that segment. The configurations on 10GE1/0/1 and VLANIF 10 are shown here as an example. The configurations of 10GE1/0/2, 10GE1/0/3, and 10GE2/0/1 are similar to those on 10GE1/0/1, and the configurations of VLANIF 20, VLANIF 30, and VLANIF 100 are similar to those on VLANIF 10, so they are not shown here.
<HUAWEI> system-view
[~HUAWEI] sysname Switch
[*HUAWEI] commit
[~Switch] vlan batch 10 20 30 100
[*Switch] interface 10ge 1/0/1
[*Switch-10GE1/0/1] port link-type access
[*Switch-10GE1/0/1] port default vlan 10
[*Switch-10GE1/0/1] commit
[~Switch-10GE1/0/1] quit
[~Switch] interface vlanif 10
[*Switch-Vlanif10] ip address 10.164.1.1 255.255.255.0
[*Switch-Vlanif10] quit
- Configure a time range.
# Configure a time range from 8:00 to 17:30 on working days (Monday to Friday).
[*Switch] time-range satime 8:00 to 17:30 working-day
- Configure ACLs.
# Configure an ACL for the marketing department to access the salary query server.
[*Switch] acl 3002
[*Switch-acl4-advance-3002] rule permit ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime
[*Switch-acl4-advance-3002] commit
[~Switch-acl4-advance-3002] quit
# Configure an ACL for the R&D department to access the salary query server.
[~Switch] acl 3003
[*Switch-acl4-advance-3003] rule permit ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime
[*Switch-acl4-advance-3003] commit
[~Switch-acl4-advance-3003] quit
- Configure ACL-based traffic classifiers.
# Configure the traffic classifier c_market to classify the packets that match ACL 3002.
[~Switch] traffic classifier c_market
[*Switch-classifier-c_market] if-match acl 3002
[*Switch-classifier-c_market] commit
[~Switch-classifier-c_market] quit
# Configure the traffic classifier c_rd to classify the packets that match ACL 3003.
[~Switch] traffic classifier c_rd
[*Switch-classifier-c_rd] if-match acl 3003
[*Switch-classifier-c_rd] commit
[~Switch-classifier-c_rd] quit
- Configure traffic behaviors.
# Configure the traffic behavior b_market to deny (drop) matching packets.
[~Switch] traffic behavior b_market
[*Switch-behavior-b_market] deny
[*Switch-behavior-b_market] commit
[~Switch-behavior-b_market] quit
# Configure the traffic behavior b_rd to deny (drop) matching packets.
[~Switch] traffic behavior b_rd
[*Switch-behavior-b_rd] deny
[*Switch-behavior-b_rd] commit
[~Switch-behavior-b_rd] quit
- Configure traffic policies.
# Configure the traffic policy p_market, and bind the traffic classifier c_market and the traffic behavior b_market to the traffic policy.
[~Switch] traffic policy p_market
[*Switch-trafficpolicy-p_market] classifier c_market behavior b_market
[*Switch-trafficpolicy-p_market] commit
[~Switch-trafficpolicy-p_market] quit
# Configure the traffic policy p_rd, and bind the traffic classifier c_rd and the traffic behavior b_rd to the traffic policy.
[~Switch] traffic policy p_rd
[*Switch-trafficpolicy-p_rd] classifier c_rd behavior b_rd
[*Switch-trafficpolicy-p_rd] commit
[~Switch-trafficpolicy-p_rd] quit
- Apply the traffic policies.
# Apply the traffic policy p_market to 10GE1/0/2 (marketing department) in the inbound direction.
[~Switch] interface 10ge 1/0/2
[~Switch-10GE1/0/2] traffic-policy p_market inbound
[*Switch-10GE1/0/2] commit
[~Switch-10GE1/0/2] quit
# Apply the traffic policy p_rd to 10GE1/0/3 (R&D department) in the inbound direction.
[~Switch] interface 10ge 1/0/3
[~Switch-10GE1/0/3] traffic-policy p_rd inbound
[*Switch-10GE1/0/3] commit
[~Switch-10GE1/0/3] quit
- Verify the configuration.
# Check the configuration of the ACL rules. The time range shows as Inactive when the current time is outside 8:00 to 17:30 on a working day.
[~Switch] display acl all
Total nonempty ACL number is 2

Advanced ACL 3002, 1 rule
ACL's step is 5
 rule 5 permit ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime(Inactive) (0 times matched)

Advanced ACL 3003, 1 rule
ACL's step is 5
 rule 5 permit ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime(Inactive) (0 times matched)
# Check the configuration of the traffic classifiers.
[~Switch] display traffic classifier
Traffic Classifier Information:
 Classifier: c_market
  Type: OR
  Rule(s):
   if-match acl 3002

 Classifier: c_rd
  Type: OR
  Rule(s):
   if-match acl 3003

Total classifier number is 2
# Check the configuration of the traffic policies.
[~Switch] display traffic policy
Traffic Policy Information:
 Policy: p_market
  Classifier: c_market
   Type: OR
   Behavior: b_market
    Deny

 Policy: p_rd
  Classifier: c_rd
   Type: OR
   Behavior: b_rd
    Deny

Total policy number is 2
# Check that the traffic policies have been applied successfully.
[~Switch] display traffic-policy applied-record
Total records : 2
-------------------------------------------------------------------------------
Policy Type/Name      Apply Parameter        Slot    State
-------------------------------------------------------------------------------
p_market              10GE1/0/2(IN)          1       success
-------------------------------------------------------------------------------
p_rd                  10GE1/0/3(IN)          1       success
-------------------------------------------------------------------------------
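The following is an added example, not part of this Huawei documentation page: a small Python model of the semantics configured above (wildcard-mask matching, the working-day time range, and the classifier-to-behavior binding) that lets you check what the inbound policy does to a given flow at a given time before deploying it. It encodes the point that is easy to misread in this design: the ACL rule says permit, but that permit only selects the traffic for the classifier, and the bound behavior deny is what drops it; outside the time range the rule is Inactive, so the server is reachable. Treating the 8:00 and 17:30 boundaries as inclusive is an assumption.

```python
import ipaddress
from datetime import datetime

# Constructed model of this page's configuration: ACL rules with Huawei
# wildcard masks, the working-day time range, and the per-interface
# inbound traffic policy whose behavior is deny.
ACL_RULES = {  # acl -> [(src, src_wildcard, dst, dst_wildcard, time_range)]
    3002: [("10.164.2.0", "0.0.0.255", "10.164.9.9", "0.0.0.0", "satime")],
    3003: [("10.164.3.0", "0.0.0.255", "10.164.9.9", "0.0.0.0", "satime")],
}
TIME_RANGES = {"satime": ("08:00", "17:30", "working-day")}
INBOUND_POLICY = {  # interface -> (acl matched by the classifier, behavior)
    "10GE1/0/2": (3002, "deny"),   # marketing department
    "10GE1/0/3": (3003, "deny"),   # R&D department
}

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in a wildcard mask means 'don't care'; 0.0.0.0 is an exact match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def time_range_active(name: str, when: datetime) -> bool:
    """working-day covers Monday to Friday; boundaries are inclusive (assumption)."""
    start, end, days = TIME_RANGES[name]
    if days == "working-day" and when.weekday() > 4:
        return False
    return start <= when.strftime("%H:%M") <= end

def acl_matches(acl: int, src: str, dst: str, when: datetime) -> bool:
    """True if any rule in the ACL matches and its time range is currently active."""
    for s, sw, d, dw, tr in ACL_RULES[acl]:
        if tr and not time_range_active(tr, when):
            continue  # rule is Inactive outside its time range
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return True
    return False

def policy_action(iface: str, src: str, dst: str, when: datetime) -> str:
    """Action of the inbound policy: the ACL's 'permit' only selects traffic
    for the classifier; the bound behavior (deny) decides what happens to it."""
    if iface not in INBOUND_POLICY:
        return "permit"  # no policy applied, e.g. the president's office port
    acl, behavior = INBOUND_POLICY[iface]
    return behavior if acl_matches(acl, src, dst, when) else "permit"
```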
Configuration Files
# Switch configuration file
#
sysname Switch
#
vlan batch 10 20 30 100
#
time-range satime 08:00 to 17:30 working-day
#
acl number 3002
 rule 5 permit ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
#
acl number 3003
 rule 5 permit ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
#
traffic classifier c_market type or
 if-match acl 3002
#
traffic classifier c_rd type or
 if-match acl 3003
#
traffic behavior b_market
 deny
#
traffic behavior b_rd
 deny
#
traffic policy p_market
 classifier c_market behavior b_market precedence 5
#
traffic policy p_rd
 classifier c_rd behavior b_rd precedence 5
#
interface Vlanif10
 ip address 10.164.1.1 255.255.255.0
#
interface Vlanif20
 ip address 10.164.2.1 255.255.255.0
#
interface Vlanif30
 ip address 10.164.3.1 255.255.255.0
#
interface Vlanif100
 ip address 10.164.9.1 255.255.255.0
#
interface 10GE1/0/1
 port default vlan 10
#
interface 10GE1/0/2
 port default vlan 20
 traffic-policy p_market inbound
#
interface 10GE1/0/3
 port default vlan 30
 traffic-policy p_rd inbound
#
interface 10GE2/0/1
 port default vlan 100
#
return