Example for Using an ACL to Restrict FTP Access Rights
ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the packet matching conditions. These conditions include source addresses, destination addresses, and port numbers of packets.
An ACL filters packets based on rules. A device with an ACL configured matches packets based on the rules to obtain the packets of a certain type, and then decides to forward or discard these packets according to the policies used by the service module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and Layer 2 ACL. A basic ACL defines rules to filter IPv4 packets based on information such as source IP addresses, fragment information, and time ranges. If you only need to filter packets based on source IP addresses, you can configure a basic ACL.
In this example, a basic ACL is applied to the FTP module to allow only the specified clients to access the FTP server, improving FTP server security.
Configuration Notes
In this example, the local user password is in irreversible-cipher mode, indicating that the password is encrypted using the irreversible algorithm. Unauthorized users cannot obtain the password through decryption. Therefore, this algorithm is secure. This password mode only applies to V200R003C00 and later versions. In versions earlier than V200R003C00, the local user passwords can only be in cipher mode, indicating that the passwords are encrypted using the reversible algorithm. Unauthorized users can obtain the passwords through decryption. This algorithm is less secure.
- This example applies to all versions of all S series switches.
Networking Requirements
As shown in Figure 1, the Switch functions as an FTP server. The requirements are as follows:
- All the users on subnet 1 (172.16.105.0/24) are allowed to access the FTP server anytime.
- All the users on subnet 2 (172.16.107.0/24) are allowed to access the FTP server only during the specified period of time.
- Other users are not allowed to access the FTP server.
Reachable routes exist between the Switch and subnets. You need to configure the Switch to limit user access to the FTP server.
Procedure
- Configure a time range.
<HUAWEI> system-view [HUAWEI] sysname Switch [Switch] time-range ftp-access from 0:0 2014/1/1 to 23:59 2014/12/31 //Create an absolute time range for an ACL. [Switch] time-range ftp-access 14:00 to 18:00 off-day //Create a periodic time range for an ACL. The time range is 14:00-18:00 on every weekend. The validity period of ftp-access is the overlap of the two time ranges.
- Configure a basic ACL.
[Switch] acl number 2001 [Switch-acl-basic-2001] rule permit source 172.16.105.0 0.0.0.255 //Allow users on network segment 172.16.105.0/24 to access the FTP server anytime. [Switch-acl-basic-2001] rule permit source 172.16.107.0 0.0.0.255 time-range ftp-access //Allow users on network segment 172.16.107.0/24 to access the FTP server only in the ftp-access time range. [Switch-acl-basic-2001] rule deny source any //Prevent other users from accessing the FTP server. [Switch-acl-basic-2001] quit
- Configure basic FTP functions.
[Switch] ftp server enable //Enable the FTP server to allow users to log in to the device through FTP. [Switch] aaa [Switch-aaa] local-user huawei password irreversible-cipher SetUserPassword@123 //Configure the FTP user name and password. The password in irreversible-cipher mode only applies to V200R003C00 and later versions. In versions earlier than V200R003C00, only the passwords in cipher mode can be used. [Switch-aaa] local-user huawei privilege level 15 //Set the FTP user level. [Switch-aaa] local-user huawei service-type ftp //Set the FTP user service type. [Switch-aaa] local-user huawei ftp-directory cfcard:/ //Configure the FTP working directory, which must be configured as flash:/ on a fixed switch. [Switch-aaa] quit
- Configure access permissions on the FTP server.
[Switch] ftp acl 2001 //Apply an ACL to the FTP module.
- Verify the configuration.
Run the ftp 172.16.104.110 command on PC1 (172.16.105.111/24) in subnet 1. PC1 can connect to the FTP server.
Run the ftp 172.16.104.110 command on PC2 (172.16.107.111/24) in subnet 2 on Monday in 2014. PC2 cannot connect to the FTP server. Run the ftp 172.16.104.110 command on PC2 (172.16.107.111/24) in subnet 2 at 15:00 on a Saturday in 2014. PC2 can connect to the FTP server.
Run the ftp 172.16.104.110 command on PC3 (10.10.10.1/24). PC3 cannot connect to the FTP server.
Configuration Files
Configuration file of the Switch
# sysname Switch # FTP server enable FTP acl 2001 # time-range ftp-access 14:00 to 18:00 off-day time-range ftp-access from 00:00 2014/1/1 to 23:59 2014/12/31 # acl number 2001 rule 5 permit source 172.16.105.0 0.0.0.255 rule 10 permit source 172.16.107.0 0.0.0.255 time-range ftp-access rule 15 deny # aaa local-user huawei password irreversible-cipher %^%#uM-!TkAaGB5=$$6SQuw$#batog!R7M_d^!o{*@N9g'e0baw#%^%# local-user huawei privilege level 15 local-user huawei ftp-directory cfcard:/ local-user huawei service-type ftp # return