Example for Using Layer 2 ACLs to Block Network Access of the Specified Users
Networking Requirements
As shown in Figure 1, the Switch that functions as the gateway is connected to the users' PCs. The administrator wants to block network access of PC1 after detecting that PC1 (00e0-f201-0101) is unauthorized.
Configuration Roadmap
The following configurations are performed on the Switch. The configuration roadmap is as follows:
- Configure a Layer 2 ACL and an ACL-based traffic classifier to discard packets from the MAC address 00e0-f201-0101 (preventing the user with this MAC address from accessing the network).
- Configure a traffic behavior to discard the packets matching the ACL.
- Configure and apply a traffic policy to make the ACL and traffic behavior take effect.
Procedure
- Configure an ACL.
# Configure a Layer 2 ACL to meet the preceding requirement.
<HUAWEI> system-view [HUAWEI] sysname Switch [Switch] acl 4000 [Switch-acl-L2-4000] rule deny source-mac 00e0-f201-0101 ffff-ffff-ffff [Switch-acl-L2-4000] quit
- Configure an ACL-based traffic classifier.
# Configure the traffic classifier tc1 to classify packets that match ACL 4000.
[Switch] traffic classifier tc1 [Switch-classifier-tc1] if-match acl 4000 [Switch-classifier-tc1] quit
- Configure a traffic behavior.
# Configure the traffic behavior tb1 to reject packets.
[Switch] traffic behavior tb1 [Switch-behavior-tb1] deny [Switch-behavior-tb1] quit
- Configure a traffic policy.
# Configure the traffic policy tp1, and associate tc1 and tb1 with the traffic policy.
[Switch] traffic policy tp1 [Switch-trafficpolicy-tp1] classifier tc1 behavior tb1 [Switch-trafficpolicy-tp1] quit
- Apply the traffic policy.
# Packets from PC1 to the Internet are received by GE0/0/2, so apply the traffic policy tp1 to the inbound direction of GE0/0/2.
[Switch] interface gigabitethernet 0/0/2 [Switch-GigabitEthernet0/0/2] traffic-policy tp1 inbound [Switch-GigabitEthernet0/0/2] quit
- Verify the configuration.
# Check the configuration of the ACL rule.
[Switch] display acl 4000 L2 ACL 4000, 1 rule Acl's step is 5 rule 5 deny source-mac 00e0-f201-0101# Check the configuration of the traffic classifier.
[Switch] display traffic classifier user-defined User Defined Classifier Information: Classifier: tc1 Operator: OR Rule(s) : if-match acl 4000 Total classifier number is 1# Check the configuration of the traffic policy.
[Switch] display traffic policy user-defined tp1 User Defined Traffic Policy Information: Policy: tp1 Classifier: tc1 Operator: OR Behavior: tb1 Deny# Check the traffic policy use record.
[Switch] display traffic-policy applied-record # ------------------------------------------------- Policy Name: tp1 Policy Index: 0 Classifier:tc1 Behavior:tb1 ------------------------------------------------- *interface GigabitEthernet0/0/2 traffic-policy tp1 inbound slot 0 : success ------------------------------------------------- Policy total applied times: 1. #
# The user with the MAC address 00e0-f201-0101 cannot access the Internet.
Configuration Files
Switch configuration file
# sysname Switch # acl number 4000 rule 5 deny source-mac 00e0-f201-0101 # traffic classifier tc1 operator or if-match acl 4000 # traffic behavior tb1 deny # traffic policy tp1 match-order config classifier tc1 behavior tb1 # interface GigabitEthernet0/0/2 traffic-policy tp1 inbound # return