Example for Using an ACL to Block Network Access of the Specified Users
ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the packet matching conditions. These conditions include source addresses, destination addresses, and port numbers of packets.
An ACL filters packets based on rules. A device with an ACL configured matches packets based on the rules to obtain the packets of a certain type, and then decides to forward or discard these packets according to the policies used by the service module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and Layer 2 ACL. A Layer 2 ACL defines rules to filter IPv4 and IPv6 packets based on Ethernet frame information, such as source MAC addresses, destination MAC addresses, VLANs, and Layer 2 protocol types. Basic ACLs and advanced ACLs filter packets based on Layer 3 and Layer 4 information, while Layer 2 ACLs filter packets based on Layer 2 information. For example, if you want to filter packets based on MAC addresses and VLANs, configure a Layer 2 ACL.
In this example, a Layer 2 ACL is applied to the traffic policy module so that the device can filter the packets sent from users with certain MAC addresses to the Internet and thus prevent these users from accessing the Internet.
Configuration Notes
This example applies to all versions of all S series switches.
The following commands and output information are obtained from S7712 running V200R007C00.
Networking Requirements
As shown in Figure 1, the Switch that functions as the gateway is connected to PCs, and there are reachable routes to all subnets on Switch. The administrator wants to block network access of PC1 after detecting that PC1 (00e0-f201-0101) is an unauthorized user.
Configuration Roadmap
The following configurations are performed on the Switch. The configuration roadmap is as follows:
- Configure a Layer 2 ACL and ACL-based traffic classifier to discard packets from MAC address 00e0-f201-0101 (preventing the user with this MAC address from accessing the network).
- Configure a traffic behavior to discard the packets matching the ACL.
- Configure and apply a traffic policy to make the ACL and traffic behavior take effect.
Procedure
- Configure an ACL.
# Configure a Layer 2 ACL to meet the preceding requirement.
<HUAWEI> system-view [HUAWEI] sysname Switch [Switch] acl 4000 [Switch-acl-L2-4000] rule deny source-mac 00e0-f201-0101 ffff-ffff-ffff //Reject the packets from source MAC address 00e0-f201-0101. [Switch-acl-L2-4000] quit
- Configure an ACL-based traffic classifier.
# Configure the traffic classifier tc1 to classify packets that match ACL 4000.
[Switch] traffic classifier tc1 //Create a traffic classifier. [Switch-classifier-tc1] if-match acl 4000 //Associate an ACL with the traffic classifier. [Switch-classifier-tc1] quit
- Configure the traffic behavior.
# Configure the traffic behavior tb1 to reject packets.
[Switch] traffic behavior tb1 //Create a traffic behavior. [Switch-behavior-tb1] deny //Set the action of the traffic behavior to deny. [Switch-behavior-tb1] quit
- Configure the traffic policy.
# Configure the traffic policy tp1 and associate tc1 and tb1 with the traffic policy.
[Switch] traffic policy tp1 //Create a traffic policy. [Switch-trafficpolicy-tp1] classifier tc1 behavior tb1 //Associate the traffic classifier tc1 with the traffic behavior tb1. [Switch-trafficpolicy-tp1] quit
- Apply the traffic policy.
# Packets from PC1 to the Internet are received by GE2/0/1; therefore, apply the traffic policy tp1 to the inbound direction of GE2/0/1.
[Switch] interface gigabitethernet 2/0/1 [Switch-GigabitEthernet2/0/1] traffic-policy tp1 inbound //Apply the traffic policy to the inbound direction of an interface. [Switch-GigabitEthernet2/0/1] quit
- Verify the configuration.
# Check the configuration of the ACL rule.
[Switch] display acl 4000 L2 ACL 4000, 1 rule Acl's step is 5 rule 5 deny source-mac 00e0-f201-0101# Check the configuration of the traffic classifier.
[Switch] display traffic classifier user-defined User Defined Classifier Information: Classifier: tc1 Precedence: 5 Operator: OR Rule(s) : if-match acl 4000 Total classifier number is 1# Check the configuration of the traffic policy.
[Switch] display traffic policy user-defined tp1 User Defined Traffic Policy Information: Policy: tp1 Classifier: tc1 Operator: OR Behavior: tb1 Deny
# Check the traffic policy application records.
[Switch] display traffic-policy applied-record # ------------------------------------------------- Policy Name: tp1 Policy Index: 0 Classifier:tc1 Behavior:tb1 ------------------------------------------------- *interface GigabitEthernet2/0/1 traffic-policy tp1 inbound slot 2 : success ------------------------------------------------- Policy total applied times: 1. #
# The user with MAC address 00e0-f201-0101 cannot access the Internet.
Configuration Files
Configuration file of the Switch
# sysname Switch # acl number 4000 rule 5 deny source-mac 00e0-f201-0101 # traffic classifier tc1 operator or precedence 5 if-match acl 4000 # traffic behavior tb1 deny # traffic policy tp1 match-order config classifier tc1 behavior tb1 # interface GigabitEthernet2/0/1 traffic-policy tp1 inbound # return