
Example for Using Advanced ACLs to Restrict Mutual Access Between Network Segments

Networking Requirements

As shown in Figure 1, the departments of an enterprise are connected through a switch. To facilitate network management, the administrator allocates IP addresses from different network segments to the R&D and marketing departments and places the two departments in different VLANs to isolate their broadcast domains. Because the switch has a VLANIF interface with an IP address in each VLAN, it still routes traffic between the two segments; VLAN separation alone does not prevent that. For information security purposes, the enterprise therefore requires that the switch prevent user hosts on different network segments from communicating with each other.

Figure 1 Using advanced ACLs to restrict mutual access between network segments



Configuration Roadmap

The configuration roadmap is as follows:
  1. Configure VLANs and configure IP addresses for VLANIF interfaces.
  2. Configure advanced ACLs.
  3. Apply the ACLs to enable the device to filter user packets based on the source and destination IP addresses, thereby restricting mutual access between users on different network segments.

Procedure

  1. Add interfaces to VLANs and assign IP addresses to the VLANIF interfaces.
    1. Choose Configuration > Basic Services > VLAN to access the VLAN page.
    2. Click Create. The Create VLAN dialog box is displayed.

      • Enter 10 in the VLAN ID text box.
      • Select Create VLANIF, enter 10.1.1.1 in the IPv4 address text box, and set Mask to 24.
      • Click Add Interface, then click Select Interface and select GigabitEthernet0/0/1.
      • Click OK, as shown in Figure 2.

      Figure 2 Create VLAN 10

    3. Configure VLAN 20. The configuration method is similar to that of VLAN 10. Table 1 lists the involved configuration items.

      Table 1 VLAN list

      VLAN ID | IP Address | Subnet Mask   | Interface Name
      --------|------------|---------------|---------------------
      20      | 10.1.2.1   | 255.255.255.0 | GigabitEthernet0/0/2

  2. Configure ACLs.
    1. Choose Configuration > Security Services > ACL Config to access the ACL Config page.
    2. Click Create. In the Create ACL dialog box, set ACL number to 3001 and click OK, as shown in Figure 3.

      Figure 3 Creating ACL 3001

    3. Click Add Rule on the right of ACL 3001. In the Add Rule dialog box, set Action, Protocol type, Source IP, Destination IP and Wildcard, and click OK, as shown in Figure 4. Because step 3 applies ACL 3001 in the inbound direction of GE0/0/1, where traffic from the R&D department enters, its rule must deny IP traffic with source 10.1.1.0, wildcard 0.0.0.255, and destination 10.1.2.0, wildcard 0.0.0.255. Note that Wildcard is an inverse mask: a bit of 0 must match and a bit of 1 is ignored, so a /24 segment is written as 0.0.0.255, not 255.255.255.0. A rule entered with the subnet mask in the Wildcard field matches only addresses whose last octet is 0 and blocks no host traffic.

      Figure 4 Configuring ACL 3001

    4. Create and configure ACL 3002 in the same way based on Figure 5, with source and destination swapped: deny IP traffic from 10.1.2.0, wildcard 0.0.0.255, to 10.1.1.0, wildcard 0.0.0.255.

      Figure 5 Configuring ACL 3002

  3. Apply the ACLs.
    1. Choose Configuration > Security Services > ACL Reference > Interface ACL to access the Interface ACL page.
    2. Set Interface name to GigabitEthernet0/0/1, click New next to Inbound interface ACL number, and select ACL 3001, as shown in Figure 6. Repeat for GigabitEthernet0/0/2 with ACL 3002, as shown in Figure 7. Click Apply to apply the ACLs.

      The traffic from the marketing department to the R&D department enters the switch through GE0/0/2, and the traffic from the R&D department to the marketing department enters the switch through GE0/0/1. Therefore, apply the corresponding ACL to the inbound direction on the two interfaces, so that the packets are dropped on the ingress port before the switch routes them. Because a packet that matches no rule of an interface ACL is permitted, a single deny rule per direction is sufficient and does not affect other traffic, such as a host reaching its own gateway.

      Figure 6 Applying ACL 3001
      Figure 7 Applying ACL 3002
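The following Python model is an added example, not code from the Huawei page, that reproduces how the switch evaluates the two inbound ACLs of the procedure above so the rule contents and their placement can be checked before they are entered on a device. Since the page does not reproduce Figures 4 and 5, the rule contents are assumed from the requirement (ACL 3001 denies 10.1.1.0/24 to 10.1.2.0/24, ACL 3002 the reverse), and the model assumes the usual interface-ACL semantics: first matching rule wins, no match means permit, and the address Wildcard is an inverse mask. It also shows what happens when the subnet mask is typed into the Wildcard field.

```python
# Added example (not part of the Huawei page): a small model of how the switch
# evaluates the two inbound ACLs configured above, to sanity-check rule contents
# and placement before they are typed into a device.
#
# Assumptions, since the page does not reproduce Figures 4 and 5:
#   - ACL 3001 (inbound on GE0/0/1) denies IP traffic 10.1.1.0/24 -> 10.1.2.0/24.
#   - ACL 3002 (inbound on GE0/0/2) denies IP traffic 10.1.2.0/24 -> 10.1.1.0/24.
#   - Interface-ACL semantics: rules are tried in order, the first match decides,
#     a packet that matches no rule is permitted, and the address "Wildcard" is
#     an inverse mask (0 bits must match, 1 bits are ignored).
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit that is 0 in the wildcard."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Rule:
    action: str     # "permit" or "deny"
    protocol: str   # "ip" matches every IP protocol; otherwise exact (tcp, udp, icmp)
    src: str
    src_wc: str
    dst: str
    dst_wc: str

    def matches(self, proto: str, src: str, dst: str) -> bool:
        return ((self.protocol == "ip" or self.protocol == proto)
                and wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))


def evaluate(acl: List[Rule], proto: str, src: str, dst: str) -> str:
    """First matching rule wins; a packet matching no rule is permitted."""
    for rule in acl:
        if rule.matches(proto, src, dst):
            return rule.action
    return "permit"


# Rule contents assumed from the requirement (one deny rule per direction).
ACL_3001 = [Rule("deny", "ip", "10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255")]
ACL_3002 = [Rule("deny", "ip", "10.1.2.0", "0.0.0.255", "10.1.1.0", "0.0.0.255")]

# Step 3 of the procedure: one ACL in the inbound direction of each access port.
INBOUND_ACL = {"GigabitEthernet0/0/1": ACL_3001, "GigabitEthernet0/0/2": ACL_3002}

# Hosts of VLAN 10 hang off GE0/0/1 and hosts of VLAN 20 off GE0/0/2 (Table 1).
SEGMENT_PORT = {
    ipaddress.ip_network("10.1.1.0/24"): "GigabitEthernet0/0/1",
    ipaddress.ip_network("10.1.2.0/24"): "GigabitEthernet0/0/2",
}


def ingress_port(src: str) -> Optional[str]:
    """Port on which a packet from src reaches the switch, or None if unknown."""
    for net, port in SEGMENT_PORT.items():
        if ipaddress.IPv4Address(src) in net:
            return port
    return None


def switch_decision(proto: str, src: str, dst: str) -> str:
    """Apply the inbound ACL of the port the packet arrives on."""
    port = ingress_port(src)
    if port is None:
        return "permit"  # no ACL is bound to any other ingress port in this example
    return evaluate(INBOUND_ACL[port], proto, src, dst)


# Common mistake: typing the subnet mask where the wildcard belongs. This rule
# only matches addresses whose last octet is 0, so host traffic slips through.
MISTYPED_3001 = [Rule("deny", "ip", "10.1.1.0", "255.255.255.0",
                      "10.1.2.0", "255.255.255.0")]


if __name__ == "__main__":
    # Constructed sample flows: cross-segment, same-segment and external.
    for proto, src, dst in [("icmp", "10.1.1.25", "10.1.2.25"),
                            ("tcp", "10.1.2.25", "10.1.1.25"),
                            ("icmp", "10.1.1.25", "10.1.1.1"),
                            ("tcp", "10.1.2.25", "192.0.2.10")]:
        print(f"{proto:4} {src:>10} -> {dst:<10} {switch_decision(proto, src, dst)}")
    print("mistyped wildcard:", evaluate(MISTYPED_3001, "icmp", "10.1.1.25", "10.1.2.25"))
```

The model ties each ACL to the port on which the source segment enters, which is exactly the choice step 3 makes; binding ACL 3001 to GE0/0/2 instead would leave R&D-to-marketing traffic unfiltered. The MISTYPED_3001 case is worth running once: the rule is accepted without complaint, yet it only matches addresses ending in .0 and blocks none of the hosts.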

Result

  1. Choose Configuration > Security Services > ACL Config to view ACL information, as shown in Figure 8 and Figure 9.
    Figure 8 ACL 3001 configuration
    Figure 9 ACL 3002 configuration
  2. Choose Configuration > Security Services > ACL Reference > Interface ACL. Click GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to view the ACLs applied on these interfaces, as shown in Figure 6 and Figure 7.
  3. The two network segments where the R&D and marketing departments reside cannot access each other. To verify this, ping a host in 10.1.2.0/24 from a host in 10.1.1.0/24 and the reverse: both pings fail, while a ping from each host to its own VLANIF gateway (10.1.1.1 or 10.1.2.1) still succeeds.

Copyright © Huawei Technologies Co., Ltd.