An Access Control List (ACL) consists of one rule or a set of rules that describe the packet matching conditions. These conditions include source addresses, destination addresses, and port numbers of packets.
An ACL filters packets based on rules. A device with an ACL configured matches packets based on the rules to obtain the packets of a certain type, and then decides to forward or discard these packets according to the policies used by the service module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and Layer 2 ACL. An advanced ACL defines rules to filter IPv4 packets based on source IP addresses, destination addresses, IP protocol types, TCP source/destination port numbers, UDP source/destination port numbers, fragment information, and time ranges. Compared with a basic ACL, an advanced ACL is more accurate, flexible, and provides more functions. For example, if you want to filter packets based on source and destination IP addresses, configure an advanced ACL.
In this example, advanced ACLs are applied to the traffic policy module so that the device can filter the packets sent from users to the specified server and thus restrict access to the specified server during a time range.
This example applies to all versions of all S series switches.
The following commands and output information are obtained from S7712 running V200R007C00.
As shown in Figure 1, the departments of an enterprise are connected through the Switch. The R&D and marketing departments cannot access the salary query server at 10.164.9.9 in work hours (08:00 to 17:30), whereas the president office can access the server at any time.
# Add GE1/0/1 through GE1/0/3 to VLANs 10, 20, and 30 respectively, add GE2/0/1 to VLAN 100, and assign IP addresses to VLANIF interfaces. The configurations on GE1/0/1 and VLANIF 10 are used as an example here. The configurations on GE1/0/2, GE1/0/3, and GE2/0/1 are similar to the configuration on GE1/0/1, and the configurations on VLANIF 20, VLANIF 30, and VLANIF 100 are similar to the configuration on VLANIF 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 100
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.164.1.1 255.255.255.0
[Switch-Vlanif10] quit
# Configure the time range as 8:00 to 17:30.
[Switch] time-range satime 8:00 to 17:30 working-day //Configure a periodic time range for an ACL.
# Configure an ACL for the marketing department accessing the salary query server.
[Switch] acl 3002
[Switch-acl-adv-3002] rule deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime //Prevent the marketing department from accessing the salary query server in the time range satime.
[Switch-acl-adv-3002] quit
# Configure an ACL for the R&D department accessing the salary query server.
[Switch] acl 3003
[Switch-acl-adv-3003] rule deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime //Prevent the R&D department from accessing the salary query server in the time range satime.
[Switch-acl-adv-3003] quit
# Configure the traffic classifier c_market to classify the packets that match ACL 3002.
[Switch] traffic classifier c_market //Create a traffic classifier.
[Switch-classifier-c_market] if-match acl 3002 //Associate an ACL with the traffic classifier.
[Switch-classifier-c_market] quit
# Configure the traffic classifier c_rd to classify the packets that match ACL 3003.
[Switch] traffic classifier c_rd //Create a traffic classifier.
[Switch-classifier-c_rd] if-match acl 3003 //Associate an ACL with the traffic classifier.
[Switch-classifier-c_rd] quit
# Configure the traffic behavior b_market to reject packets.
[Switch] traffic behavior b_market //Create a traffic behavior.
[Switch-behavior-b_market] deny //Set the action of the traffic behavior to deny.
[Switch-behavior-b_market] quit
# Configure the traffic behavior b_rd to reject packets.
[Switch] traffic behavior b_rd //Create a traffic behavior.
[Switch-behavior-b_rd] deny //Set the action of the traffic behavior to deny.
[Switch-behavior-b_rd] quit
# Configure the traffic policy p_market and associate the traffic classifier c_market and the traffic behavior b_market with the traffic policy.
[Switch] traffic policy p_market //Create a traffic policy.
[Switch-trafficpolicy-p_market] classifier c_market behavior b_market //Associate the traffic classifier c_market with the traffic behavior b_market.
[Switch-trafficpolicy-p_market] quit
# Configure the traffic policy p_rd and associate the traffic classifier c_rd and the traffic behavior b_rd with the traffic policy.
[Switch] traffic policy p_rd //Create a traffic policy.
[Switch-trafficpolicy-p_rd] classifier c_rd behavior b_rd //Associate the traffic classifier c_rd with the traffic behavior b_rd.
[Switch-trafficpolicy-p_rd] quit
# Packets from the marketing department to the server are received by GE1/0/2; therefore, apply the traffic policy p_market to the inbound direction of GE1/0/2.
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] traffic-policy p_market inbound //Apply the traffic policy to the inbound direction of an interface.
[Switch-GigabitEthernet1/0/2] quit
# Packets from the R&D department to the server are received by GE1/0/3; therefore, apply the traffic policy p_rd to the inbound direction of GE1/0/3.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] traffic-policy p_rd inbound //Apply the traffic policy to the inbound direction of an interface.
[Switch-GigabitEthernet1/0/3] quit
# Check the configuration of ACL rules.
[Switch] display acl all
 Total nonempty ACL number is 2

Advanced ACL 3002, 1 rule
Acl's step is 5
 rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime (match-counter 0)(Active)

Advanced ACL 3003, 1 rule
Acl's step is 5
 rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime (match-counter 0)(Active)
# Check the configuration of the traffic classifier.
[Switch] display traffic classifier user-defined
  User Defined Classifier Information:
   Classifier: c_market
    Precedence: 5
    Operator: OR
    Rule(s) : if-match acl 3002

   Classifier: c_rd
    Precedence: 10
    Operator: OR
    Rule(s) : if-match acl 3003

Total classifier number is 2
# Check the configuration of the traffic policy.
[Switch] display traffic policy user-defined
  User Defined Traffic Policy Information:
  Policy: p_market
   Classifier: c_market
   Operator: OR
    Behavior: b_market
     Deny

  Policy: p_rd
   Classifier: c_rd
   Operator: OR
    Behavior: b_rd
     Deny

Total policy number is 2
# Check the traffic policy application records.
[Switch] display traffic-policy applied-record
#
-------------------------------------------------
  Policy Name:   p_market
  Policy Index:  0
     Classifier:c_market     Behavior:b_market
-------------------------------------------------
 *interface GigabitEthernet1/0/2
    traffic-policy p_market inbound
      slot 1    :  success
-------------------------------------------------
  Policy total applied times: 1.
#
-------------------------------------------------
  Policy Name:   p_rd
  Policy Index:  1
     Classifier:c_rd     Behavior:b_rd
-------------------------------------------------
 *interface GigabitEthernet1/0/3
    traffic-policy p_rd inbound
      slot 1    :  success
-------------------------------------------------
  Policy total applied times: 1.
#
# The R&D and marketing departments cannot access the salary query server in work hours (08:00 to 17:30).
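As an added illustration that is not part of the Huawei example, the Python model below reproduces the matching logic the configuration above relies on: wildcard-mask matching of the two advanced ACL rules, the periodic time range satime, and the inbound binding of each traffic policy to the department's own port. It assumes that working-day means Monday to Friday and that both ends of the 08:00 to 17:30 range are inclusive; it is a model for checking intent before deployment, not the switch's own evaluation code.

```python
from datetime import datetime
from ipaddress import IPv4Address

# Constructed model of the advanced ACLs configured above. Wildcard masks
# work as on the page: 0 bits must match, 1 bits are "don't care".
SERVER = "10.164.9.9"

def wildcard_match(addr, base, wildcard):
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def satime_active(when):
    # time-range satime 8:00 to 17:30 working-day: assumed to mean Monday
    # to Friday, with both boundary minutes inclusive.
    return when.weekday() < 5 and "08:00" <= when.strftime("%H:%M") <= "17:30"

# ACL number -> rules (action, src, src wildcard, dst, dst wildcard, time-range)
ACL_RULES = {
    3002: [("deny", "10.164.2.0", "0.0.0.255", SERVER, "0.0.0.0", satime_active)],
    3003: [("deny", "10.164.3.0", "0.0.0.255", SERVER, "0.0.0.0", satime_active)],
}

# Traffic policies as applied on the page: inbound interface -> ACL used by
# its classifier. GE1/0/1 (president office) carries no policy.
INBOUND_POLICY = {"GigabitEthernet1/0/2": 3002, "GigabitEthernet1/0/3": 3003}

def forwarded(ingress_if, src, dst, when):
    """True if the switch forwards the packet, False if the traffic policy
    (classifier plus deny behavior) drops it on the ingress interface.
    `when` is a datetime or an ISO 8601 string."""
    when = datetime.fromisoformat(when) if isinstance(when, str) else when
    acl = INBOUND_POLICY.get(ingress_if)
    if acl is None:
        return True
    for action, sbase, swild, dbase, dwild, time_range in ACL_RULES[acl]:
        # A rule whose time range is inactive does not match at all.
        if (time_range(when) and wildcard_match(src, sbase, swild)
                and wildcard_match(dst, dbase, dwild)):
            return action != "deny"
    return True  # no rule matched: the packet is not classified, so it passes

if __name__ == "__main__":
    work, evening = "2024-01-10T10:00", "2024-01-10T18:00"  # a Wednesday
    for iface, src in [("GigabitEthernet1/0/1", "10.164.1.7"),
                       ("GigabitEthernet1/0/2", "10.164.2.7"),
                       ("GigabitEthernet1/0/3", "10.164.3.7")]:
        print(iface, src, "-> server, work hours:", forwarded(iface, src, SERVER, work),
              "| after hours:", forwarded(iface, src, SERVER, evening))
```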
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20 30 100
#
time-range satime 08:00 to 17:30 working-day
#
acl number 3002
 rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
acl number 3003
 rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
#
traffic classifier c_market operator or precedence 5
 if-match acl 3002
traffic classifier c_rd operator or precedence 10
 if-match acl 3003
#
traffic behavior b_market
 deny
traffic behavior b_rd
 deny
#
traffic policy p_market match-order config
 classifier c_market behavior b_market
traffic policy p_rd match-order config
 classifier c_rd behavior b_rd
#
interface Vlanif10
 ip address 10.164.1.1 255.255.255.0
#
interface Vlanif20
 ip address 10.164.2.1 255.255.255.0
#
interface Vlanif30
 ip address 10.164.3.1 255.255.255.0
#
interface Vlanif100
 ip address 10.164.9.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
 traffic-policy p_market inbound
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk allow-pass vlan 30
 traffic-policy p_rd inbound
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
return