
Example for Using ACL-based Simplified Traffic Policies to Restrict Access Between Network Segments

Networking Requirements

As shown in Figure 1, department 1 and department 2 can access the Internet through SwitchC and the router. To facilitate network management, the administrator adds department 1 and department 2 to different VLANs and assigns IP addresses on two network segments to them. SwitchC is required to restrict access between the two network segments.

Figure 1 Networking for restricting access between network segments

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure IP addresses for interfaces on SwitchC and add the interfaces to VLANs.
  2. Configure an ACL to match packets exchanged between the two departments.
  3. Configure packet filtering in the inbound direction of GE0/0/1 and GE0/0/2 so that SwitchC discards the packets that match the ACL rule.

Procedure

  1. Configure IP addresses for interfaces and add the interfaces to VLANs.

    # Create VLAN 10 and VLAN 20.

    <HUAWEI> system-view
    [HUAWEI] sysname SwitchC
    [SwitchC] vlan batch 10 20

    # Configure GE0/0/1 and GE0/0/2 on SwitchC as trunk interfaces and add them to VLAN 10 and VLAN 20, respectively.

    [SwitchC] interface gigabitethernet 0/0/1
    [SwitchC-GigabitEthernet0/0/1] port link-type trunk
    [SwitchC-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
    [SwitchC-GigabitEthernet0/0/1] quit
    [SwitchC] interface gigabitethernet 0/0/2
    [SwitchC-GigabitEthernet0/0/2] port link-type trunk
    [SwitchC-GigabitEthernet0/0/2] port trunk allow-pass vlan 20
    [SwitchC-GigabitEthernet0/0/2] quit

    # Create VLANIF 10 and VLANIF 20, and assign IP addresses to them.

    [SwitchC] interface vlanif 10
    [SwitchC-Vlanif10] ip address 10.1.1.1 24
    [SwitchC-Vlanif10] quit
    [SwitchC] interface vlanif 20
    [SwitchC-Vlanif20] ip address 10.1.2.1 24
    [SwitchC-Vlanif20] quit

  2. Configure an ACL.

    # Create advanced ACL 3001 and configure ACL rules to deny packets between the two network segments.

    [SwitchC] acl 3001
    [SwitchC-acl-adv-3001] rule deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [SwitchC-acl-adv-3001] rule deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    [SwitchC-acl-adv-3001] quit

  3. Configure ACL-based packet filtering.

    # Configure packet filtering based on ACL 3001 in the inbound direction of GE0/0/1 and GE0/0/2.

    [SwitchC] interface gigabitethernet 0/0/1
    [SwitchC-GigabitEthernet0/0/1] traffic-filter inbound acl 3001
    [SwitchC-GigabitEthernet0/0/1] quit
    [SwitchC] interface gigabitethernet 0/0/2
    [SwitchC-GigabitEthernet0/0/2] traffic-filter inbound acl 3001
    [SwitchC-GigabitEthernet0/0/2] quit

  4. Verify the configuration.

    # Check the ACL configuration.

    [SwitchC] display acl 3001
    Advanced ACL 3001, 2 rules
    Acl's step is 5
     rule 5 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
     rule 10 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

    # Display the application records of the ACL-based simplified traffic policy.

    [SwitchC] display traffic-applied record
    -------------------------------------------------------------------------
    *interface GigabitEthernet0/0/1
     traffic-filter inbound acl 3001
      slot 0: success

    -------------------------------------------------------------------------
    *interface GigabitEthernet0/0/2
     traffic-filter inbound acl 3001
      slot 0: success

    -------------------------------------------------------------------------

    # The two network segments where department 1 and department 2 reside cannot access each other.
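The filtering logic the switch applies in the steps above, written out as an added Python model (not Huawei code and not part of the original page): it implements the wildcard-mask comparison used by advanced ACL 3001, the automatic rule numbering with step 5 seen in the display acl output, and first-match evaluation in which a packet that matches no rule is forwarded, which is why Internet-bound traffic from either department still passes. Host addresses such as 10.1.1.25 and 203.0.113.10 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One advanced ACL rule: action plus source/destination with wildcard masks."""
    rule_id: int
    action: str      # "deny" or "permit"
    src: str         # network address, e.g. "10.1.1.0"
    src_wild: str    # wildcard (inverse) mask, e.g. "0.0.0.255" covers a /24
    dst: str
    dst_wild: str


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'don't care'; 0.0.0.0 would match one host."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return (a & care) == (b & care)


def build_acl(specs, step=5):
    """Number rules as the switch does when no ID is given: step, 2*step, ..."""
    return [Rule((i + 1) * step, *spec) for i, spec in enumerate(specs)]


def first_match(rules, src, dst):
    """Rules are evaluated in ascending rule-ID order; the first hit decides."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if (wildcard_match(src, rule.src, rule.src_wild)
                and wildcard_match(dst, rule.dst, rule.dst_wild)):
            return rule
    return None


def traffic_filter(rules, src, dst) -> str:
    """traffic-filter inbound: a packet matching no rule is forwarded (permit)."""
    rule = first_match(rules, src, dst)
    return rule.action if rule else "permit"


# ACL 3001 from the page: deny traffic in both directions between the segments.
ACL_3001 = build_acl([
    ("deny", "10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255"),
    ("deny", "10.1.2.0", "0.0.0.255", "10.1.1.0", "0.0.0.255"),
])

if __name__ == "__main__":
    for src, dst in [("10.1.1.25", "10.1.2.8"), ("10.1.2.8", "10.1.1.25"),
                     ("10.1.1.25", "203.0.113.10")]:  # constructed sample hosts
        print(f"{src} -> {dst}: {traffic_filter(ACL_3001, src, dst)}")
```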

Configuration Files

SwitchC configuration file

#
sysname SwitchC
#
vlan batch 10 20
#
acl number 3001
 rule 5 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 rule 10 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
 ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
 traffic-filter inbound acl 3001
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
 traffic-filter inbound acl 3001
#
return
Copyright © Huawei Technologies Co., Ltd.