No relevant resource is found in the selected language.
Enterprise
Worldwide
Search
Support Documentation
S7700 V200R019C10 Web-based Configuration Guide

This document describes how to configure and maintain devices through the web NMS client, including device status statistics, SVF, interface, Ethernet switching, IP service, IP routing, security, ACL, AAA, system management, QoS, WLAN, diagnosis service, and EasyDeploy.

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Using Advanced ACLs to Control Access to the Specified Server in the Specified Time Range

Example for Using Advanced ACLs to Control Access to the Specified Server in the Specified Time Range

ACL Overview

An Access Control List (ACL) consists of one rule or a set of rules that describe the packet matching conditions. These conditions include source addresses, destination addresses, and port numbers of packets.

An ACL filters packets based on rules. A device with an ACL configured matches packets based on the rules to obtain the packets of a certain type, and then decides to forward or discard these packets according to the policies used by the service module to which the ACL is applied.

Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and Layer 2 ACL. An advanced ACL defines rules to filter IPv4 packets based on source IP addresses, destination IP addresses, IP protocol types, TCP source/destination port numbers, UDP source/destination port numbers, fragment information, and time ranges. Compared with a basic ACL, an advanced ACL is more accurate, flexible, and provides more functions. For example, if you want to filter packets based on source and destination IP addresses, configure an advanced ACL.

In this example, an advanced ACL is configured so that the device can filter the packets sent from external hosts to internal servers and thus restrict access of external hosts to internal servers.

Networking Requirements

As shown in Figure 10-161, the departments of an enterprise are connected through the Switch. The R&D and marketing departments cannot access the salary query server at 10.164.9.9/24 in work hours (08:00 to 17:30), whereas the president office can access the server at anytime.

Figure 10-161 Using advanced ACLs to control access to the specified server in the specified time range

Configuration Roadmap

The following configurations are performed on the Switch. The configuration roadmap is as follows:
  1. Configure VLANs and configure IP addresses for VLANIF interfaces.
  2. Configure a time range and advanced ACLs.
  3. Apply the ACLs so that the device can filter packets sent from users to the server in the specified time range. In this way, you can restrict the access of different users to the server in the specified time range.

Procedure

  1. Add interfaces to VLANs and assign IP addresses to the VLANIF interfaces.
    1. Choose Configuration > Basic Services > VLAN to access the VLAN configuration page.
    2. Click Create. The Create VLAN dialog box is displayed.

      • Enter 10 in the VLAN ID text box.
      • Select Create VLANIF, enter 10.164.1.1 in the IPv4 address text box, and set Mask to 24.
      • Click Add Interface and then Select Interface, select GigabitEthernet1/0/1, and click OK.

      Click OK, as shown in Figure 10-162.

      Figure 10-162 Configuring VLAN 10

    3. Configure VLANs 20, 30, and 100 in the same way based on Table 10-7.

      Table 10-7 VLAN list

      VLAN ID

      IP Address

      Subnet Mask

      Interface Name

      20

      10.164.2.1

      255.255.255.0

      GigabitEthernet1/0/2

      30

      10.164.3.1

      255.255.255.0

      GigabitEthernet1/0/3

      100

      10.164.9.1

      255.255.255.0

      GigabitEthernet2/0/1

  2. Configure a time range.
    1. Choose Configuration > Security Services > ACL Config > Validity Time Range to access the validity time range configuration page.
    2. Click Create. The Create Time Range dialog box is displayed.

      • Set Time range name.
      • Deselect Time Range.
      • Select Validity Time, set Validity time, Start time, and End time, and click .

      Click OK, as shown in Figure 10-163.

      Figure 10-163 Configuring a time range

  3. Configure ACLs.
    1. Choose Configuration > Security Services > ACL Config to access the ACL configuration page.
    2. Click Create. In the Create ACL dialog box, set ACL number to 3002 and click OK, as shown in Figure 10-164.

      Figure 10-164 Creating ACL 3002

    3. Click Add Rule on the right of ACL 3002. In the Add Rule dialog box, set Action, Protocol type, Source IP, Destination IP, Wildcard, and Time range, and click OK, as shown in Figure 10-165.

      Figure 10-165 Configuring ACL 3002

    4. Create and configure ACL 3003 in the same way based on Figure 10-166.

      Figure 10-166 Configuring ACL 3003

  4. Apply the ACLs.
    1. Choose Configuration > Security Services > ACL Reference > Interface ACL.
    2. Set Interface name. Click New next to Inbound interface ACL number, and select ACLs, as shown in Figure 10-167 and Figure 10-168. Click Apply to apply the ACLs.

      The inbound interface of traffic from the marketing department to the server is GE0/0/2 of Switch. The inbound interface of traffic from the R&D department to the server is GE0/0/3 of Switch. Therefore, apply ACLs on the two inbound interfaces, respectively.

      Figure 10-167 Applying ACL 3002

      Figure 10-168 Applying ACL 3003

Result

  1. Choose Configuration > Security Services > ACL Config to view ACL information, as shown in Figure 10-169 and Figure 10-170.
    Figure 10-169 ACL 3002 configuration

    Figure 10-170 ACL 3003 configuration

  2. Choose Configuration > Security Services > ACL Reference > Interface ACL. Click GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to view the ALCs applied on these interfaces, as shown in Figure 10-167 and Figure 10-168.

  3. The R&D and marketing departments cannot access the salary query server in work hours (08:00 to 17:30).

Translation
简体中文
Download
Updated: 2022-05-20

Document ID: EDOC1100126882

Views: 155553

Downloads: 138

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Digital Signature File

Digital Signature Authentication Mode
Share
Previous Next

Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :