< Home

Example for Using an ACL to Prevent Internal Hosts from Accessing the Internet

ACL Overview

An Access Control List (ACL) consists of one rule or a set of rules that describe the packet matching conditions. These conditions include source addresses, destination addresses, and port numbers of packets.

An ACL filters packets based on rules. A device with an ACL configured matches packets based on the rules to obtain the packets of a certain type, and then decides to forward or discard these packets according to the policies used by the service module to which the ACL is applied.

Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and Layer 2 ACL. A basic ACL defines rules to filter IPv4 packets based on information such as source IP addresses, fragment information, and time ranges. If you only need to filter packets based on source IP addresses, you can configure a basic ACL.

In this example, a basic ACL is applied to the traffic policy module so that the device can filter the packets from internal hosts to the Internet and thus prevent internal hosts from accessing the Internet.

Configuration Notes

This example applies to all versions and models.

The following commands and output information are obtained from S7712 running V200R007C00.

Networking Requirements

As shown in Figure 1, the departments of an enterprise are connected through the Switch. The Switch needs to prevent some hosts of the R&D and marketing departments from accessing the Internet to protect information security of the enterprise.

Figure 1 Using an ACL to prevent internal hosts from accessing the Internet

Configuration Roadmap

The following configurations are performed on the Switch. The configuration roadmap is as follows:

  1. Configure a basic ACL and ACL-based traffic classifier to filter packets from the specified hosts of the R&D and marketing departments.
  2. Configure a traffic behavior to discard the packets matching the ACL.
  3. Configure and apply a traffic policy to make the ACL and traffic behavior take effect.

Procedure

  1. Configure VLANs and IP addresses for interfaces.

    # Create VLAN 10 and VLAN 20.

    <HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20

    # Configure GE1/0/1 and GE1/0/2 of the Switch as trunk interfaces and add them to VLAN 10 and VLAN 20 respectively. Configure GE2/0/1 of the Switch as a trunk interface and add it to both VLAN 10 and VLAN 20.

    [Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 10 20
[Switch-GigabitEthernet2/0/1] quit

    # Create VLANIF 10 and VLANIF 20 and assign IP addresses to them.

    [Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.1.1 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.2.1 24
[Switch-Vlanif20] quit

  2. Configure an ACL.

    # Create basic ACL 2001 and configure rules to reject the packets from hosts 10.1.1.11 and 10.1.2.12.

    [Switch] acl 2001
[Switch-acl-basic-2001] rule deny source 10.1.1.11 0  //Prevent the host with IP address 10.1.1.11 from accessing the Internet.
[Switch-acl-basic-2001] rule deny source 10.1.2.12 0  //Prevent the host with IP address 10.1.2.12 from accessing the Internet.
[Switch-acl-basic-2001] quit

  3. Configure the basic ACL-based traffic classifier.

    # Configure the traffic classifier tc1 to classify packets that match ACL 2001.

    [Switch] traffic classifier tc1  //Create a traffic classifier.
[Switch-classifier-tc1] if-match acl 2001  //Associate an ACL with the traffic classifier.
[Switch-classifier-tc1] quit

  4. Configure the traffic behavior.

    # Configure the traffic behavior tb1 to reject packets.

    [Switch] traffic behavior tb1  //Create a traffic behavior.
[Switch-behavior-tb1] deny  //Set the action of the traffic behavior to deny.
[Switch-behavior-tb1] quit

  5. Configure the traffic policy.

    # Define the traffic policy and associate the traffic classifier and traffic behavior with the traffic policy.

    [Switch] traffic policy tp1  //Create a traffic policy.
[Switch-trafficpolicy-tp1] classifier tc1 behavior tb1  //Associate the traffic classifier tc1 with the traffic behavior tb1.
[Switch-trafficpolicy-tp1] quit

  6. Apply the traffic policy to an interface.

    # Packets from internal hosts are forwarded to the Internet through GE2/0/1; therefore, apply the traffic policy to the outbound direction of GE2/0/1.

    [Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] traffic-policy tp1 outbound  //Apply the traffic policy to the outbound direction of an interface.
[Switch-GigabitEthernet2/0/1] quit

  7. Verify the configuration.

    # Check the configuration of ACL rules.

    [Switch] display acl 2001
Basic ACL 2001, 2 rules                                                         
Acl's step is 5                                                                 
 rule 5 deny source 10.1.1.11 0 (match-counter 0)                               
 rule 10 deny source 10.1.2.12 0 (match-counter 0)

    # Check the configuration of the traffic classifier.

    [Switch] display traffic classifier user-defined
  User Defined Classifier Information:
   Classifier: tc1
    Precedence: 5
    Operator: OR
    Rule(s) : if-match acl 2001                                                 

Total classifier number is 1

    # Check the configuration of the traffic policy.

    [Switch] display traffic policy user-defined tp1
  User Defined Traffic Policy Information:                                      
  Policy: tp1                                                                   
   Classifier: tc1                                                              
    Operator: OR                                                                
     Behavior: tb1                                                              
      Deny

    # The hosts at 10.1.1.11 and 10.1.2.12 cannot access the Internet, and other hosts can access the Internet.

Configuration Files

Configuration file of the Switch

#
sysname Switch
#
vlan batch 10 20 
#
acl number 2001                                                                 
 rule 5 deny source 10.1.1.11 0                                                 
 rule 10 deny source 10.1.2.12 0  
#
traffic classifier tc1 operator or precedence 5  
 if-match acl 2001                                                              
#
traffic behavior tb1
 deny
#
traffic policy tp1 match-order config
 classifier tc1 behavior tb1
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
 ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk                                                           
 port trunk allow-pass vlan 10 
#
interface GigabitEthernet1/0/2
 port link-type trunk                                                           
 port trunk allow-pass vlan 20 
#
interface GigabitEthernet2/0/1
 port link-type trunk                                                           
 port trunk allow-pass vlan 10 20 
 traffic-policy tp1 outbound
#
return
Parent Topic: Typical ACL Configuration
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >