Example for Configuring ACL-based Packet Filtering
Networking Requirements
Enterprise users need to access the network through WLANs, which is the basic requirement of mobile office. In addition, users' services must not be affected while they roam within the coverage area.
To control network traffic, the administrator requires that packets with source IP address 10.23.101.10 and destination IP address 10.23.101.11 be forbidden to pass.
Data Planning
Item | Data
---|---
AP group | ap-group1 (references VAP profile wlan-net)
VAP profile | wlan-net (references traffic profile wlan-traffic)
Traffic profile | wlan-traffic (ACL 3001 applied to inbound IPv4 packets)
Configuration Notes
- No ACK mechanism is provided for multicast packet transmission on air interfaces, and wireless links are unstable. To ensure stable transmission, multicast packets are usually sent at low rates, so a large number of multicast packets arriving from the network side can congest the air interfaces. You are advised to configure multicast packet suppression to reduce the impact of many low-rate multicast packets on the wireless network. Exercise caution when choosing the rate limit; an overly low limit affects the multicast services themselves.
  - In direct forwarding mode, configure multicast packet suppression on the switch interfaces connected to APs.
  - In tunnel forwarding mode, configure multicast packet suppression in the traffic profiles on the AC.
- Configure port isolation on the interfaces of the device directly connected to APs. If port isolation is not configured and direct forwarding is used, a large number of unnecessary broadcast packets may be generated in the VLAN, blocking the network and degrading user experience.
- In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same. Only packets from the management VLAN are transmitted between the AC and APs; packets from the service VLAN are not allowed on that link.
Procedure
- Check the basic configuration of the WLAN.

Check Item | Command | Data
---|---|---
AP group to which the AP belongs | display ap all | AP group: ap-group1
Profiles referenced by the AP group | display ap-group name ap-group1 | VAP profile: wlan-net

  - If an AP has a configuration that differs from that of its AP group, the AP-level configuration takes precedence.
  - A new profile takes effect only after being bound to an AP or an AP group.
- Configure ACL-based packet filtering.

# Create ACL 3001 and deny packets with source IP address 10.23.101.10 and destination IP address 10.23.101.11. The wildcard 0 makes each address an exact host match, and the rule is unidirectional: packets sent from 10.23.101.11 back to 10.23.101.10 do not match it.

<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] acl 3001
[AC-acl-adv-3001] rule deny ip source 10.23.101.10 0 destination 10.23.101.11 0
[AC-acl-adv-3001] quit

# Create traffic profile wlan-traffic and apply the ACL to it. In a traffic profile, inbound refers to packets sent by STAs.

[AC] wlan
[AC-wlan-view] traffic-profile name wlan-traffic
[AC-wlan-traffic-prof-wlan-traffic] traffic-filter inbound ipv4 acl 3001
[AC-wlan-traffic-prof-wlan-traffic] quit

# Bind traffic profile wlan-traffic to VAP profile wlan-net. The binding applies to every AP group that references the VAP profile, which is why the AC warns about service interruption.

[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] traffic-profile wlan-traffic
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-net] quit
- Verify the configuration.
Run the display traffic-profile name wlan-traffic command on the AC to check the traffic profile. The output shows that ACL 3001 is applied to inbound IPv4 packets, so packets with source IP address 10.23.101.10 and destination IP address 10.23.101.11 are filtered out.

[AC-wlan-view] display traffic-profile name wlan-traffic
----------------------------------------------------
...
---------------------------------------------------------------------------------------------
Traffic Type            Direction       AppliedRecord
---------------------------------------------------------------------------------------------
traffic-filter          inbound         IPv4 ACL 3001
---------------------------------------------------------------------------------------------
----------------------------------------------------
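The following Python model is an added example, not part of this configuration guide and not Huawei code. It implements the advanced-ACL semantics the procedure above relies on (first match in ascending rule-ID order, wildcard masks where a set bit means "don't care", so 0 is an exact host match) and evaluates constructed flows against the page's ACL 3001. It goes beyond the page in two labelled ways: the modelled default for a packet that matches no rule of a traffic-filter ACL is "permit" (an assumption stated in the code), and a constructed rule 10 with a 0.0.0.255 wildcard is added to show a /24 match. The flow list and rule 10 are constructed sample data.

```python
"""Constructed model of Huawei-style advanced ACL matching (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclRule:
    rule_id: int
    action: str          # "permit" or "deny"
    src: str             # base address, e.g. "10.23.101.10"
    src_wild: str        # wildcard mask; "0" means exact host match
    dst: str
    dst_wild: str


def _as_int(addr: str) -> int:
    # The CLI abbreviates an all-zero wildcard as "0"; normalise it first.
    if addr == "0":
        addr = "0.0.0.0"
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'don't care' for that bit.

    "0" therefore requires an exact host match; "0.0.0.255" matches a /24.
    """
    care = ~_as_int(wildcard) & 0xFFFFFFFF
    return (_as_int(addr) & care) == (_as_int(base) & care)


def parse_rule(line: str) -> AclRule:
    """Parse one line in the form used by the AC configuration file:

        rule 5 deny ip source 10.23.101.10 0 destination 10.23.101.11 0

    Only "ip" rules with source/destination (or "any") are handled here.
    """
    toks = line.split()
    if toks[0] != "rule" or toks[3] != "ip":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    rule_id, action = int(toks[1]), toks[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in: {line!r}")

    def addr_after(keyword: str) -> Tuple[str, str]:
        if keyword not in toks:
            return "0.0.0.0", "255.255.255.255"   # omitted => any
        i = toks.index(keyword)
        if toks[i + 1] == "any":
            return "0.0.0.0", "255.255.255.255"
        return toks[i + 1], toks[i + 2]

    src, src_wild = addr_after("source")
    dst, dst_wild = addr_after("destination")
    return AclRule(rule_id, action, src, src_wild, dst, dst_wild)


def evaluate(acl: List[AclRule], src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation in ascending rule-ID order.

    Assumption (modelled here, not stated on the page): a packet that matches
    no rule of a traffic-filter ACL is permitted, so every flow that is not
    explicitly listed comes back as ("permit", None).
    """
    for rule in sorted(acl, key=lambda r: r.rule_id):
        if wildcard_match(src_ip, rule.src, rule.src_wild) and \
           wildcard_match(dst_ip, rule.dst, rule.dst_wild):
            return rule.action, rule.rule_id
    return "permit", None


# The page's ACL 3001, exactly as it appears in the AC configuration file.
ACL_3001 = [parse_rule("rule 5 deny ip source 10.23.101.10 0 destination 10.23.101.11 0")]

# Constructed extension (not on the page): block a whole /24 toward one host,
# to show a wildcard mask other than "0".
ACL_3001_EXTENDED = ACL_3001 + [
    parse_rule("rule 10 deny ip source 10.23.101.0 0.0.0.255 destination 10.23.102.20 0"),
]


def flow_report(acl: List[AclRule], flows: List[Tuple[str, str]]):
    """Return (src, dst, action, matched_rule_id) for each constructed flow."""
    return [(s, d) + evaluate(acl, s, d) for s, d in flows]


if __name__ == "__main__":
    sample_flows = [                       # constructed sample flows
        ("10.23.101.10", "10.23.101.11"),  # the flow the requirement forbids
        ("10.23.101.11", "10.23.101.10"),  # reverse direction: not covered by rule 5
        ("10.23.101.99", "10.23.102.20"),  # hit only by the constructed /24 rule
        ("10.23.101.10", "10.23.102.21"),  # matches nothing: permitted by default
    ]
    for row in flow_report(ACL_3001_EXTENDED, sample_flows):
        print(*row)
```

The second sample flow is the practical check worth running before deploying a rule like this: with only rule 5 in place, replies from 10.23.101.11 to 10.23.101.10 are still forwarded, so a requirement to isolate the two hosts from each other needs a second rule in the opposite direction.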
Configuration Files
AC configuration file
#
sysname AC
#
acl number 3001
 rule 5 deny ip source 10.23.101.10 0 destination 10.23.101.11 0
#
wlan
 traffic-profile name wlan-traffic
  traffic-filter inbound ipv4 acl 3001
 vap-profile name wlan-net
  traffic-profile wlan-traffic
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 00e0-fc76-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return