eNSP Files
system-view
[Huawei-Router] acl 2222
[Huawei-Router-acl-basic-2222] rule deny source 10.1.1.0 0.0.0.255
[Huawei-Router-acl-basic-2222] rule deny source 10.2.2.0 0.0.0.255
[Huawei-Router-acl-basic-2222] rule permit source 172.16.0.0 0.0.255.255
[Huawei-Router-acl-basic-2222] quit
[Huawei-Router] interface GigabitEthernet1/1/1
[Huawei-Router-GigabitEthernet1/1/1] traffic-filter outbound acl 2222
[Huawei-Router-GigabitEthernet1/1/1] quit
[Huawei-Router] display acl 2222
Advanced Access List Configuration
In this second example, we will focus on Advanced Access List Configuration. With an Advanced Access List, we can block traffic from one specific network to another specific network, and we can allow a specific host to reach a specific server on a specific port. The same steps can be repeated for any similar policy.
For our example, we will configure an Advanced Access List on the right router and apply it in the inbound direction of GigabitEthernet1/1/1.
We will allow R&D to FTP to the Server, but we will prevent Sales from reaching the Server over FTP. We will allow Sales to communicate with Marketing, and we will prevent R&D from reaching Marketing.
system-view
[Huawei-Router] acl 3500
[Huawei-Router-acl-adv-3500] rule deny ip source 10.10.5.0 0.0.0.255 destination 172.16.1.0 0.0.0.255 // R&D to Marketing: blocked
[Huawei-Router-acl-adv-3500] rule deny tcp source 10.10.6.0 0.0.0.255 destination 172.16.2.1 0.0.0.0 destination-port eq 21 // Sales to Server FTP: blocked
[Huawei-Router-acl-adv-3500] rule permit tcp source 10.10.5.0 0.0.0.255 destination 172.16.2.1 0.0.0.0 destination-port eq 21 // R&D to Server FTP: allowed
[Huawei-Router-acl-adv-3500] rule permit ip source 10.10.6.0 0.0.0.255 destination 172.16.1.0 0.0.0.255 // Sales to Marketing: allowed
[Huawei-Router-acl-adv-3500] quit
[Huawei-Router] interface GigabitEthernet1/1/1
[Huawei-Router-GigabitEthernet1/1/1] traffic-filter inbound acl 3500
[Huawei-Router-GigabitEthernet1/1/1] quit
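To check that the four rules of acl 3500 really enforce the intent described above before pushing them to the router, here is an added offline checker (example code written for this edit, not part of the original post or of eNSP). The rule list, wildcard-mask logic and sample flows are constructed here, and it assumes traffic-filter's default of permitting packets that match no rule; the last sample flow (Sales to the Server on port 22) shows such a fall-through, which the intent text does not cover.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any IP protocol; else "tcp"/"udp"/"icmp"
    src: str                    # "<network> <wildcard>", 0 bits of the wildcard must match
    dst: str
    dport: Optional[int] = None # destination-port eq <n>

def wildcard_match(addr: str, spec: str) -> bool:
    """Huawei-style wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    net, wild = spec.split()
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a | w) == (n | w)

def evaluate(rules, src, dst, proto, dport=None, default="permit"):
    """First matching rule wins (match-order config). Packets matching no rule
    get the traffic-filter default, assumed here to be permit as on Huawei VRP."""
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if not (wildcard_match(src, r.src) and wildcard_match(dst, r.dst)):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return default

# The four rules of acl 3500 from the post, in configuration order.
ACL_3500 = [
    Rule("deny",   "ip",  "10.10.5.0 0.0.0.255", "172.16.1.0 0.0.0.255"),
    Rule("deny",   "tcp", "10.10.6.0 0.0.0.255", "172.16.2.1 0.0.0.0", 21),
    Rule("permit", "tcp", "10.10.5.0 0.0.0.255", "172.16.2.1 0.0.0.0", 21),
    Rule("permit", "ip",  "10.10.6.0 0.0.0.255", "172.16.1.0 0.0.0.255"),
]

# Constructed sample flows: (name, src, dst, proto, dport).
SAMPLE_FLOWS = [
    ("rd_ftp_to_server",    "10.10.5.7", "172.16.2.1",  "tcp",  21),
    ("sales_ftp_to_server", "10.10.6.7", "172.16.2.1",  "tcp",  21),
    ("sales_http_to_mkt",   "10.10.6.7", "172.16.1.20", "tcp",  80),
    ("rd_ping_to_mkt",      "10.10.5.7", "172.16.1.20", "icmp", None),
    ("sales_ssh_to_server", "10.10.6.7", "172.16.2.1",  "tcp",  22),  # no rule covers this
]

def audit(rules=ACL_3500, flows=SAMPLE_FLOWS):
    """Map each flow name to the action the ACL would take on it."""
    return {name: evaluate(rules, s, d, p, port) for name, s, d, p, port in flows}

if __name__ == "__main__":
    for name, action in audit().items():
        print(f"{name:22s} -> {action}")
```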
Create a MAC (Layer 2) ACL; on Huawei VRP these take a number in the 4000 to 4999 range (e.g., 4000)
[Switch] acl number 4000
[Switch-acl-L2-4000] rule 0 permit source-mac 0011-2233-4455 ffff-ffff-ffff // mask ffff-ffff-ffff: match the whole address
[Switch-acl-L2-4000] rule 1 deny source-mac 0022-3344-5566 ffff-ffff-ffff
[Switch-acl-L2-4000] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port default vlan 10 // Example: Assign port to a VLAN
[Switch-GigabitEthernet0/0/1] traffic-filter inbound acl 4000
[Switch-GigabitEthernet0/0/1] quit
[Switch] display acl 4000
[Switch] save