
Example for Using an ACL to Prevent External Hosts from Accessing Internal Servers

ACL Overview

An Access Control List (ACL) consists of one rule or a set of rules that describe the packet matching conditions. These conditions include source addresses, destination addresses, and port numbers of packets.

An ACL filters packets based on rules. A device with an ACL configured matches packets based on the rules to obtain the packets of a certain type, and then decides to forward or discard these packets according to the policies used by the service module to which the ACL is applied.

Depending on how rules are defined, ACLs are classified as basic ACLs, advanced ACLs, and Layer 2 ACLs. An advanced ACL defines rules that filter IPv4 packets based on source IP addresses, destination IP addresses, IP protocol types, TCP source/destination port numbers, UDP source/destination port numbers, fragment information, and time ranges. Compared with a basic ACL, an advanced ACL is more precise and flexible and provides more functions. For example, if you want to filter packets based on both source and destination IP addresses, configure an advanced ACL.

In this example, an advanced ACL is applied to the traffic policy module so that the device can filter the packets sent from external hosts to internal servers and thus restrict access of external hosts to internal servers.

Configuration Notes

This example applies to all versions of all S series switches.

The following commands and output information are obtained from S7712 running V200R007C00.

Networking Requirements

As shown in Figure 1, the departments of an enterprise are connected through the Switch. The enterprise allows only internal hosts to access the finance server, preventing external hosts from accessing the server.

Figure 1 Using an ACL to prevent external hosts from accessing internal servers

Configuration Roadmap

The following configurations are performed on the Switch. The configuration roadmap is as follows:
  1. Configure an advanced ACL and ACL-based traffic classifier to filter the packets from external hosts to the finance server and thus prevent external hosts from accessing this server.
  2. Configure a traffic behavior to permit the packets that match the ACL permit rule.
  3. Configure and apply a traffic policy to make the ACL and traffic behavior take effect.

Procedure

  1. Add interfaces to VLANs and assign IP addresses to the VLANIF interfaces.

    # Add GE1/0/1 through GE1/0/3 to VLANs 10, 20, and 30 respectively, add GE2/0/1 to VLAN 100, and assign IP addresses to the VLANIF interfaces. The configurations on GE1/0/1 and VLANIF 10 are shown as an example here. The configurations on GE1/0/2, GE1/0/3, and GE2/0/1 are similar to the configuration on GE1/0/1, and the configurations on VLANIF 20, VLANIF 30, and VLANIF 100 are similar to the configuration on VLANIF 10.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] vlan batch 10 20 30 100
    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] port link-type trunk
    [Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
    [Switch-GigabitEthernet1/0/1] quit
    [Switch] interface vlanif 10
    [Switch-Vlanif10] ip address 10.164.1.1 255.255.255.0
    [Switch-Vlanif10] quit
    

  2. Configure an ACL.

    # Create advanced ACL 3002 and configure rules to allow the packets from the president's office, R&D department, and marketing department to reach the finance server and block the packets sent from external hosts to the finance server.

    [Switch] acl 3002
    [Switch-acl-adv-3002] rule permit ip source 10.164.1.0 0.0.0.255 destination 10.164.4.4 0.0.0.0  //Allow the president's office to access the finance server.
    [Switch-acl-adv-3002] rule permit ip source 10.164.2.0 0.0.0.255 destination 10.164.4.4 0.0.0.0  //Allow the marketing department to access the finance server.
    [Switch-acl-adv-3002] rule permit ip source 10.164.3.0 0.0.0.255 destination 10.164.4.4 0.0.0.0  //Allow the R&D department to access the finance server.
    [Switch-acl-adv-3002] rule deny ip destination 10.164.4.4 0.0.0.0  //Prevent other users from accessing the finance server.
    [Switch-acl-adv-3002] quit

  3. Configure an ACL-based traffic classifier.

    # Configure the traffic classifier c_network to classify the packets that match ACL 3002.

    [Switch] traffic classifier c_network  //Create a traffic classifier.
    [Switch-classifier-c_network] if-match acl 3002  //Associate an ACL with the traffic classifier.
    [Switch-classifier-c_network] quit

  4. Configure a traffic behavior.

    # Configure the traffic behavior b_network and keep the action set to permit (default value).

    Packets matching the ACL are discarded if a deny action exists in either the matching ACL rule or the traffic behavior; the behavior's permit action therefore does not override the deny rule in ACL 3002.

    [Switch] traffic behavior b_network  //Create a traffic behavior.
    [Switch-behavior-b_network] quit

  5. Configure the traffic policy.

    # Configure the traffic policy p_network and associate the traffic classifier c_network and the traffic behavior b_network with the traffic policy.

    [Switch] traffic policy p_network  //Create a traffic policy.
    [Switch-trafficpolicy-p_network] classifier c_network behavior b_network  //Associate the traffic classifier c_network with the traffic behavior b_network.
    [Switch-trafficpolicy-p_network] quit

  6. Apply the traffic policy.

    # Packets from internal and external hosts are forwarded to the finance server through GE2/0/1; therefore, apply the traffic policy p_network to the outbound direction of GE2/0/1.

    [Switch] interface gigabitethernet 2/0/1
    [Switch-GigabitEthernet2/0/1] traffic-policy p_network outbound  //Apply the traffic policy to the outbound direction of an interface.
    [Switch-GigabitEthernet2/0/1] quit

  7. Verify the configuration.

    # Check the configuration of ACL rules.

    [Switch] display acl 3002
    Advanced ACL 3002, 4 rules
    Acl's step is 5
     rule 5 permit ip source 10.164.1.0 0.0.0.255 destination 10.164.4.4 0 (match-counter 0)
     rule 10 permit ip source 10.164.2.0 0.0.0.255 destination 10.164.4.4 0 (match-counter 0)
     rule 15 permit ip source 10.164.3.0 0.0.0.255 destination 10.164.4.4 0 (match-counter 0)
     rule 20 deny ip destination 10.164.4.4 0 (match-counter 0)

    # Check the configuration of the traffic classifier.

    [Switch] display traffic classifier user-defined
      User Defined Classifier Information:
       Classifier: c_network
        Precedence: 5
        Operator: OR
        Rule(s) : if-match acl 3002
    
    Total classifier number is 1

    # Check the configuration of the traffic policy.

    [Switch] display traffic policy user-defined
      User Defined Traffic Policy Information:
      Policy: p_network
       Classifier: c_network
        Operator: OR
         Behavior: b_network
          Permit

    Total policy number is 1

    # Check the traffic policy application records.

    [Switch] display traffic-policy applied-record
    #
    -------------------------------------------------
      Policy Name:   p_network
      Policy Index:  0
         Classifier:c_network     Behavior:b_network
    -------------------------------------------------
     *interface GigabitEthernet2/0/1
        traffic-policy p_network outbound
          slot 2    :  success
    -------------------------------------------------
      Policy total applied times: 1.
    #


    # The president's office, marketing department, and R&D department can access the finance server, but external hosts cannot.
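To make the first-match and wildcard-mask semantics of ACL 3002 concrete, the following Python model is added here as an illustration; it is not part of the original example or of the switch software. It evaluates constructed packets against the four rules above in ascending rule-number order (the `match-order config` behaviour shown in the configuration file); the external address 192.0.2.10 and the internal host addresses are assumed sample values.

```python
import ipaddress

# ACL 3002 as displayed on this page: (rule number, action, (source, wildcard), (destination, wildcard)).
# A rule without a source clause matches any source, represented here as 0.0.0.0 / 255.255.255.255.
ACL_3002 = [
    (5,  "permit", ("10.164.1.0", "0.0.0.255"), ("10.164.4.4", "0.0.0.0")),
    (10, "permit", ("10.164.2.0", "0.0.0.255"), ("10.164.4.4", "0.0.0.0")),
    (15, "permit", ("10.164.3.0", "0.0.0.255"), ("10.164.4.4", "0.0.0.0")),
    (20, "deny",   ("0.0.0.0", "255.255.255.255"), ("10.164.4.4", "0.0.0.0")),
]


def wildcard_match(addr, base, wildcard):
    """Wildcard semantics: a 1 bit in the wildcard is 'don't care', a 0 bit must match exactly.
    Note this is the inverse of a subnet mask: 0.0.0.255 covers a /24, 0.0.0.0 is a single host."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl, src, dst):
    """Return (rule_number, action) of the first rule that matches the packet, checking rules in
    ascending rule-number order. Returns (None, "no-match") when nothing matches: such a packet is
    not picked up by the classifier at all and is forwarded as usual, which is why the explicit
    'deny ip destination 10.164.4.4 0' rule is needed to block external hosts."""
    for num, action, (sb, sw), (db, dw) in sorted(acl, key=lambda r: r[0]):
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return num, action
    return None, "no-match"


# Constructed sample packets: (description, source, destination).
SAMPLE_PACKETS = [
    ("president's office host -> finance server", "10.164.1.50", "10.164.4.4"),
    ("R&D host -> finance server", "10.164.3.200", "10.164.4.4"),
    ("external host -> finance server", "192.0.2.10", "10.164.4.4"),
    ("external host -> other address in VLAN 100", "192.0.2.10", "10.164.4.1"),
]

if __name__ == "__main__":
    for desc, src, dst in SAMPLE_PACKETS:
        num, action = evaluate(ACL_3002, src, dst)
        print(f"{desc:45s} {src:>13s} -> {dst:<12s} rule {num}: {action}")
```

The last sample shows the policy's scope: a packet to any destination other than the finance server matches no rule and is therefore not filtered by this ACL.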

Configuration Files

Configuration file of the Switch

#
sysname Switch
#
vlan batch 10 20 30 100
#
acl number 3002
 rule 5 permit ip source 10.164.1.0 0.0.0.255 destination 10.164.4.4 0
 rule 10 permit ip source 10.164.2.0 0.0.0.255 destination 10.164.4.4 0
 rule 15 permit ip source 10.164.3.0 0.0.0.255 destination 10.164.4.4 0
 rule 20 deny ip destination 10.164.4.4 0
#
traffic classifier c_network operator or precedence 5
 if-match acl 3002
#
traffic behavior b_network
 permit
#
traffic policy p_network match-order config
 classifier c_network behavior b_network
#
interface Vlanif10
 ip address 10.164.1.1 255.255.255.0
#
interface Vlanif20
 ip address 10.164.2.1 255.255.255.0
#
interface Vlanif30
 ip address 10.164.3.1 255.255.255.0
#
interface Vlanif100
 ip address 10.164.4.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk allow-pass vlan 30
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
 traffic-policy p_network outbound
#
return
Copyright © Huawei Technologies Co., Ltd.