< Home

Example for Using Basic ACLs to Restrict FTP Access Rights

Networking Requirements

As shown in Figure 1, the Switch functions as an FTP server. The requirements are as follows:

  • All the users on subnet 1 (172.16.105.0/24) are allowed to access the FTP server anytime.
  • All the users on subnet 2 (172.16.107.0/24) are allowed to access the FTP server only during the specified period of time.
  • Other users are not allowed to access the FTP server.

Reachable routes exist between the Switch and subnets. You need to configure the Switch to limit user access to the FTP server.

Figure 1 Using basic ACLs to restrict FTP access rights

Configuration Roadmap

The following configurations are performed on the Switch. The configuration roadmap is as follows:

  1. Configure time ranges and ACLs so that the device can filter user packets to control FTP access rights of different users.
  2. Configure basic FTP functions.
  3. Apply the ACL to the FTP module to make the ACL take effect.

Procedure

  1. Configure time ranges. 

    <HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] time-range ftp-access from 0:0 2014/1/1 to 23:59 2014/12/31
[Switch] time-range ftp-access 14:00 to 18:00 off-day

  2. Configure a basic ACL. 

    [Switch] acl number 2001
[Switch-acl-basic-2001] rule permit source 172.16.105.0 0.0.0.255
[Switch-acl-basic-2001] rule permit source 172.16.107.0 0.0.0.255 time-range ftp-access
[Switch-acl-basic-2001] rule deny source any
[Switch-acl-basic-2001] quit

  3. Configure basic FTP functions. 

    [Switch] ftp server enable
[Switch] aaa
[Switch-aaa] local-user huawei password irreversible-cipher SetUserPasswd@123
[Switch-aaa] local-user huawei privilege level 15
[Switch-aaa] local-user huawei service-type ftp
[Switch-aaa] local-user huawei ftp-directory flash:
[Switch-aaa] quit

  4. Apply the ACL to the FTP server for access permission control. 

    [Switch] ftp acl 2001

  5. Verify the configuration.

    Run the ftp 172.16.104.110 command on PC1 (172.16.105.111/24) in subnet 1. PC1 can connect to the FTP server.

    Run the ftp 172.16.104.110 command on PC2 (172.16.107.111/24) in subnet 2 on Monday in 2014. PC2 cannot connect to the FTP server. Run the ftp 172.16.104.110 command on PC2 (172.16.107.111/24) in subnet 2 at 15:00 on Saturday in 2014. PC2 can connect to the FTP server.

    Run the ftp 172.16.104.110 command on PC3 (10.10.10.1/24). PC3 cannot connect to the FTP server.

Configuration Files

Switch configuration file

#
sysname Switch
#
FTP server enable
FTP acl 2001
#
time-range ftp-access 14:00 to 18:00 off-day
time-range ftp-access from 00:00 2014/1/1 to 23:59 2014/12/31
#
acl number 2001
 rule 5 permit source 172.16.105.0 0.0.0.255
 rule 10 permit source 172.16.107.0 0.0.0.255 time-range ftp-access
 rule 15 deny 
#
aaa
 local-user huawei password irreversible-cipher $1a$a/sUWg/.p1*))=~SWzIRS0N",`&aS%'7X).m=o[PkQcv"!!TTQOI~Z)C'1<9$
 local-user huawei privilege level 15
 local-user huawei ftp-directory flash:
 local-user huawei service-type ftp
#
return
Parent Topic: Configuration Examples for ACLs
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
Next topic >