Example for Using Advanced ACLs to Prevent User Hosts on Different Network Segments from Communicating

Networking Requirements

As shown in Figure 1, the departments of a company are connected through Router. To facilitate network management, the administrator plans IP addresses of different network segments for the R&D and marketing departments. In addition, the administrator adds the two departments to different VLANs for broadcast domain isolation. The company requires that Router prevent the user hosts on different network segments from communicating to ensure information security.

Figure 1 Example for using advanced ACLs to prevent user hosts on different network segments from communicating

Interfaces 1 and 2 in this example represent GE 0/1/0 and GE 0/1/8, respectively.


Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure an advanced ACL and ACL-based traffic classifier to filter the packets exchanged between the R&D and marketing departments.

  2. Configure a traffic behavior to deny the packets matching the ACL rules.

  3. Configure and apply a traffic policy for the ACL and traffic behavior to take effect.

Procedure

  1. Configure VLANs to which interfaces belong and allocate IP addresses to VLANIF interfaces.

    # Configure VLAN 10 and VLAN 20.

    <HUAWEI> system-view
    [~HUAWEI] sysname Router
    [*HUAWEI] commit
    [~Router] vlan batch 10 20
    [*Router] commit

    # Configure interface 1 and interface 2 on Router as trunk interfaces and add them to VLAN 10 and VLAN 20, respectively.

    [~Router] interface gigabitethernet 0/1/0
    [~Router-GigabitEthernet0/1/0] port link-type trunk
    [~Router-GigabitEthernet0/1/0] port trunk allow-pass vlan 10
    [~Router-GigabitEthernet0/1/0] quit
    [~Router] interface gigabitethernet 0/1/8
    [~Router-GigabitEthernet0/1/8] port link-type trunk
    [~Router-GigabitEthernet0/1/8] port trunk allow-pass vlan 20
    [~Router-GigabitEthernet0/1/8] quit
    [*Router] commit

    # Create VLANIF 10 and VLANIF 20 and configure IP addresses for them.

    [~Router] interface vlanif 10
    [~Router-Vlanif10] ip address 10.1.1.1 24
    [*Router-Vlanif10] commit
    [~Router-Vlanif10] quit
    [~Router] interface vlanif 20
    [~Router-Vlanif20] ip address 10.1.2.1 24
    [*Router-Vlanif20] commit
    [~Router-Vlanif20] quit

  2. Configure ACLs.

    # Create ACL 3001 and configure rules for the ACL to deny packets from the R&D department to the marketing department.

    [~Router] acl number 3001
    [*Router-acl4-advance-3001] rule deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [~Router-acl4-advance-3001] commit
    [~Router-acl4-advance-3001] quit

    # Create ACL 3002 and configure rules for the ACL to deny packets from the marketing department to the R&D department.

    [~Router] acl number 3002
    [*Router-acl4-advance-3002] rule deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    [~Router-acl4-advance-3002] commit
    [~Router-acl4-advance-3002] quit

  3. Configure a traffic classifier based on the advanced ACLs.

    # Configure a traffic classifier named tc1 to classify packets that match ACL 3001 and ACL 3002.

    [~Router] traffic classifier tc1
    [*Router-classifier-tc1] if-match acl 3001
    [~Router-classifier-tc1] if-match acl 3002
    [~Router-classifier-tc1] commit
    [~Router-classifier-tc1] quit

  4. Configure a traffic behavior.

    # Configure a traffic behavior named tb1 to deny packets.

    [~Router] traffic behavior tb1
    [*Router-behavior-tb1] deny
    [~Router-behavior-tb1] commit
    [~Router-behavior-tb1] quit

  5. Configure a traffic policy.

    # Define a traffic policy, and associate the traffic classifier and traffic behavior with the traffic policy.

    [~Router] traffic policy tp1
    [*Router-trafficpolicy-tp1] classifier tc1 behavior tb1
    [~Router-trafficpolicy-tp1] commit
    [~Router-trafficpolicy-tp1] quit

  6. Apply the traffic policy in the inbound direction of interface 1 and interface 2.

    [~Router] interface gigabitethernet 0/1/0
    [~Router-GigabitEthernet0/1/0] traffic-policy tp1 inbound
    [~Router-GigabitEthernet0/1/0] commit
    [~Router-GigabitEthernet0/1/0] quit
    [~Router] interface gigabitethernet 0/1/8
    [~Router-GigabitEthernet0/1/8] traffic-policy tp1 inbound
    [~Router-GigabitEthernet0/1/8] commit
    [~Router-GigabitEthernet0/1/8] quit

  7. Verify the configuration.

    # Check the ACL rule configuration.

    [~Router] display acl 3001
    Advanced ACL 3001, 1 rule
    Acl's step is 5
     rule 5 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [~Router] display acl 3002
    Advanced ACL 3002, 1 rule
    Acl's step is 5
     rule 5 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

    # Check the traffic classifier configuration.

    [~Router] display traffic classifier user-defined
      User Defined Classifier Information:
       Classifier: class1
        Operator: OR
        Rule(s) :  -none-
       Classifier: tc1
        Operator: OR
        Rule(s) :
         if-match acl 3001 precedence 1
         if-match acl 3002 precedence 2

    # Check the traffic policy configuration.

    [~Router] display traffic policy user-defined tp1
      User Defined Traffic Policy Information:
      Policy: tp1
       Classifier: tc1
        Operator: OR
         Behavior: tb1
          Deny
         Precedence: 5
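
The following Python script is an added example, not Huawei code and not part of this configuration example. It models the policy built above: it parses the two advanced ACLs exactly as the configuration file shows them, applies Huawei wildcard-mask matching (a 0 bit must match, a 1 bit is ignored), and evaluates constructed host pairs through a classifier with operator OR bound to a deny behavior. The model is deliberately simplified (assumption: any matching rule in a referenced ACL classifies the packet, the deny behavior drops it, and unclassified packets are forwarded; a real VRP device may differ in details). The host addresses, the outside address 192.0.2.50 and the mistyped-mask ACL are constructed inputs. Beyond the page's case it also shows two checks a reviewer would want: that ACL filtering is stateless, so leaving out ACL 3002 lets marketing-to-R&D packets through, and that typing a subnet mask where a wildcard mask belongs makes the deny silently fail open.

```python
"""Model of the advanced-ACL traffic policy from this page (added example; not Huawei code).

Assumptions, stated where they apply: the classifier selects a packet when any referenced ACL
has a rule matching it (operator OR); the behavior 'deny' then drops it; packets that match no
classifier are forwarded. Real VRP devices may differ in details such as how 'deny' rules
inside a classifier are treated."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input: the two ACLs as the page's configuration file shows them.
ACL_CONFIG = """\
acl number 3001
 rule 5 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
acl number 3002
 rule 5 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
"""

# Constructed misconfiguration: a subnet mask typed where a wildcard mask belongs.
ACL_CONFIG_BAD_MASK = """\
acl number 3001
 rule 5 deny ip source 10.1.1.0 255.255.255.0 destination 10.1.2.0 255.255.255.0
"""

RULE_RE = re.compile(
    r"rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+ip"
    r"\s+source\s+(?P<src>\S+)\s+(?P<swild>\S+)"
    r"\s+destination\s+(?P<dst>\S+)\s+(?P<dwild>\S+)"
)


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str
    src: int
    src_wild: int
    dst: int
    dst_wild: int


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_acls(text):
    """Parse 'acl number N' blocks with advanced 'rule ... ip source ... destination ...'
    lines. Returns {acl_number: [Rule, ...]}, each list in ascending rule-ID order."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"acl number (\d+)", line)
        if m:
            current = int(m.group(1))
            acls.setdefault(current, [])
            continue
        m = RULE_RE.fullmatch(line)
        if m and current is not None:
            acls[current].append(Rule(int(m["id"]), m["action"],
                                      _ip(m["src"]), _ip(m["swild"]),
                                      _ip(m["dst"]), _ip(m["dwild"])))
    for rules in acls.values():
        rules.sort(key=lambda r: r.rule_id)
    return acls


def wildcard_match(addr, base, wild):
    """Wildcard-mask semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)


def acl_action(rules, src, dst):
    """Action of the first rule matching (src, dst), or None when no rule matches."""
    s, d = _ip(src), _ip(dst)
    for r in rules:
        if wildcard_match(s, r.src, r.src_wild) and wildcard_match(d, r.dst, r.dst_wild):
            return r.action
    return None


def policy_decision(acls, classifier_acls, src, dst):
    """Classifier tc1 (operator OR over the listed ACLs) bound to behavior tb1 = deny.
    Returns 'deny' when the packet is classified, else 'forward' (see assumptions above)."""
    for number in classifier_acls:
        if acl_action(acls.get(number, []), src, dst) is not None:
            return "deny"
    return "forward"


def evaluate(config_text, classifier_acls, flows):
    """Run (src, dst) flows through the policy; returns {(src, dst): decision}."""
    acls = parse_acls(config_text)
    return {flow: policy_decision(acls, classifier_acls, *flow) for flow in flows}


if __name__ == "__main__":
    # Constructed hosts: an R&D host, a marketing host, the R&D gateway, an outside address.
    flows = [("10.1.1.10", "10.1.2.20"), ("10.1.2.20", "10.1.1.10"),
             ("10.1.1.10", "10.1.1.1"), ("10.1.1.10", "192.0.2.50")]
    for flow, decision in evaluate(ACL_CONFIG, [3001, 3002], flows).items():
        print(f"{flow[0]:>11} -> {flow[1]:<11} {decision}")
    # Stateless filtering: with only ACL 3001, marketing-to-R&D traffic is forwarded.
    print("3001 only:", evaluate(ACL_CONFIG, [3001], flows)[("10.1.2.20", "10.1.1.10")])
    # Mistyped mask: the deny never matches a real host address, so the policy fails open.
    print("bad mask: ", evaluate(ACL_CONFIG_BAD_MASK, [3001], flows)[("10.1.1.10", "10.1.2.20")])
```

The two extra runs at the bottom are the checks worth repeating against a real device with the display commands above: confirm that both ACLs appear under the classifier, and read each wildcard mask back as `0.0.0.255` rather than `255.255.255.0`, because the wrong form produces a rule that is accepted by the parser but matches almost nothing.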

Configuration Files

  • Router configuration file

    #
     sysname Router
    #
    vlan batch 10 20
    #
    acl number 3001
     rule 5 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    acl number 3002
     rule 5 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    #
    traffic classifier tc1 operator or
     if-match acl 3001
     if-match acl 3002
    #
    traffic behavior tb1
     deny
    #
    traffic policy tp1
     classifier tc1 behavior tb1 precedence 5
    #
    interface Vlanif10
     ip address 10.1.1.1 255.255.255.0
    #
    interface Vlanif20
     ip address 10.1.2.1 255.255.255.0
    #
    interface GigabitEthernet0/1/0
     port link-type trunk
     port trunk allow-pass vlan 10
     traffic-policy tp1 inbound
    #
    interface GigabitEthernet0/1/8
     port link-type trunk
     port trunk allow-pass vlan 20
     traffic-policy tp1 inbound
    #
    return
Copyright © Huawei Technologies Co., Ltd.