Example for Preventing a Specified Host to Access the External Network
Networking Requirements
As shown in Figure 1, users connect to external network devices through GE0/0/2 of the switch.
During work hours from 8:30 to 18:00, GE0/0/1 filters packets and prevents access to the external network.
Configuration Roadmap
You can define the deny action in a traffic policy to filter packets. The configuration roadmap is as follows:
- Configure interfaces so that users can access the external network through the Switch.
- Configure a time range and reference the time range in an ACL.
- Configure an ACL to deny packets during work hours.
- Configure packet filtering in the inbound direction of GE0/0/1.
Procedure
- Create VLANs and configure interfaces.
# Create VLAN 10 on the Switch.
<HUAWEI> system-view [HUAWEI] sysname Switch [Switch] vlan 10 [Switch-vlan10] quit
# Configure GE0/0/1 and GE0/0/2 on the Switch as trunk interfaces and add them to VLAN 10.
[Switch] interface gigabitethernet 0/0/1 [Switch-GigabitEthernet0/0/1] port link-type trunk [Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 [Switch-GigabitEthernet0/0/1] quit [Switch] interface gigabitethernet 0/0/2 [Switch-GigabitEthernet0/0/2] port link-type trunk [Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 [Switch-GigabitEthernet0/0/2] quit
Configure the interface of the LSW connected to the Switch as a trunk interface and add it to VLAN 10.
# Create VLANIF 10 and configure IP address 192.168.1.1/24 for it.
[Switch] interface vlanif 10 [Switch-Vlanif10] ip address 192.168.1.1 24 [Switch-Vlanif10] quit
Configure IP address 192.168.1.2/24 for the router interface connected to the Switch.
- Create a periodic time range working_time that defines work hours from 8:30 to 18:00.
[Switch] time-range working_time 08:30 to 18:00 working-day - Configure ACL 3001 and define three rules to prevent packets from 192.168.1.10, 192.168.1.11, and 192.168.1.12 passing through during work hours.
[Switch] acl number 3001 [Switch-acl-adv-3001] rule deny ip source 192.168.1.10 0 time-range working_time [Switch-acl-adv-3001] rule deny ip source 192.168.1.11 0 time-range working_time [Switch-acl-adv-3001] rule deny ip source 192.168.1.12 0 time-range working_time [Switch-acl-adv-3001] quit
- Configure packet filtering in the inbound direction of GE0/0/1.
[Switch] interface gigabitethernet 0/0/1 [Switch-GigabitEthernet0/0/1] traffic-filter inbound acl 3001 [Switch-GigabitEthernet0/0/1] quit
- Verify the configuration.
# Check information about ACL rules and actions on the interface in the inbound direction.
[Switch] display traffic-applied interface gigabitethernet 0/0/1 inbound ----------------------------------------------------------- ACL applied inbound interface GigabitEthernet0/0/1 ACL 3001 rule 5 deny ip source 192.168.1.10 0 time-range working_time (match-counter 0) ACTIONS: filter ----------------------------------------------------------- ACL 3001 rule 10 deny ip source 192.168.1.11 0 time-range working_time (match-counter 0) ACTIONS: filter ----------------------------------------------------------- ACL 3001 rule 15 deny ip source 192.168.1.12 0 time-range working_time (match-counter 0) ACTIONS: filter -----------------------------------------------------------
Configuration Files
Switch configuration file
# sysname Switch # vlan batch 10 # time-range working_time 08:30 to 18:00 working-day # acl number 3001 rule 5 deny ip source 192.168.1.10 0 time-range working_time rule 10 deny ip source 192.168.1.11 0 time-range working_time rule 15 deny ip source 192.168.1.12 0 time-range working_time # interface Vlanif10 ip address 192.168.1.1 255.255.255.0 # interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 10 traffic-filter inbound acl 3001 # interface GigabitEthernet0/0/2 port link-type trunk port trunk allow-pass vlan 10 # return