Example for Configuring ACL-based Packet Filtering
Networking Requirements
Enterprise users can access the network through WLANs, which is a basic requirement for mobile office. Furthermore, users' services are not affected during roaming in the coverage area.
To control network traffic, the administrator requires that packets with source IP address 10.23.101.10 and destination IP address 10.23.101.11 be forbidden to pass.
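The filtering requirement above can be checked offline with a small model of wildcard-mask ACL matching. This is an added example, not configuration or code from the original page. Rule ID 5, the sample packets, first-match evaluation in rule-ID order and a default of permit for unmatched packets are assumptions of the model.

```python
"""Added example: evaluate a wildcard-mask ACL rule against sample packets."""
import ipaddress
from typing import NamedTuple


class Rule(NamedTuple):
    rule_id: int
    action: str          # "deny" or "permit"
    src: str
    src_wildcard: str    # wildcard mask: 0 bits must match, 1 bits are ignored
    dst: str
    dst_wildcard: str


def _matches(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit where the wildcard bit is 0."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def evaluate(rules, src: str, dst: str, default: str = "permit") -> str:
    """Lowest rule ID that matches decides; otherwise the assumed default applies."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if _matches(src, rule.src, rule.src_wildcard) and _matches(dst, rule.dst, rule.dst_wildcard):
            return rule.action
    return default


# The requirement on this page: deny 10.23.101.10 -> 10.23.101.11 (host match, wildcard 0.0.0.0).
# Rule ID 5 is a constructed value.
ACL = [Rule(5, "deny", "10.23.101.10", "0.0.0.0", "10.23.101.11", "0.0.0.0")]

# Constructed test packets (source, destination).
PACKETS = [
    ("10.23.101.10", "10.23.101.11"),  # the forbidden flow
    ("10.23.101.11", "10.23.101.10"),  # reverse direction: not covered by the rule
    ("10.23.101.10", "10.23.101.12"),  # same source, other destination
    ("10.23.101.12", "10.23.101.11"),  # other source, same destination
]


def verdicts():
    """Return the verdict for each constructed packet, in order."""
    return [evaluate(ACL, s, d) for s, d in PACKETS]


if __name__ == "__main__":
    for (s, d), v in zip(PACKETS, verdicts()):
        print(f"{s} -> {d}: {v}")
```

In this model only the exact source and destination pair is denied; traffic in the reverse direction still passes, so a requirement to block both directions needs a second rule.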
Data Planning
Item | Data |
---|---|
AP group | |
VAP profile | |
Traffic profile | |
Configuration Notes
- No ACK mechanism is provided for multicast packet transmission on air interfaces, and wireless links are unstable. To ensure stable transmission, multicast packets are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may become congested. You are advised to configure multicast packet suppression to reduce the impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, multicast services may be affected.
  - In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.
  - In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.
- Configure port isolation on the interfaces of the device directly connected to APs. If port isolation is not configured and direct forwarding is used, a large number of unnecessary broadcast packets may be generated in the VLAN, blocking the network and degrading user experience.
- In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same. Only packets from the management VLAN are transmitted between the AC and APs. Packets from the service VLAN are not allowed between the AC and APs.