H3C switch typical access control list (ACL) configuration instance

Source: Internet
Author: User


1. Networking requirements

1) Configure a basic ACL to filter packets sent from the host whose source IP address is 10.1.1.2 during the specified time range.
2) Configure an advanced ACL to prohibit mutual access between the R&D Department and the Technical Support Department, and to prevent the R&D Department from accessing the salary query server during working hours (the source omits the exact period).
3) Configure a Layer-2 ACL to filter packets whose source MAC address is 00e0-fc01-0101.

2. Networking diagram (image not reproduced in the text)

3. Configuration steps

1) H3C 3600/5600/5100 series switches: typical ACL configuration

Common configuration

a. Create four VLANs according to the networking diagram and add the corresponding port to each:

    <H3C> system-view
    [H3C] vlan 10
    [H3C-vlan10] port GigabitEthernet 1/0/1
    [H3C-vlan10] vlan 20
    [H3C-vlan20] port GigabitEthernet 1/0/2
    [H3C-vlan20] vlan 30
    [H3C-vlan30] port GigabitEthernet 1/0/3
    [H3C-vlan30] vlan 40
    [H3C-vlan40] port GigabitEthernet 1/0/4
    [H3C-vlan40] quit

b. Configure the VLAN interface addresses:

    [H3C] interface vlan 10
    [H3C-Vlan-interface10] ip address 10.1.1.1 24
    [H3C-Vlan-interface10] quit
    [H3C] interface vlan 20
    [H3C-Vlan-interface20] ip address 10.1.2.1 24
    [H3C-Vlan-interface20] quit
    [H3C] interface vlan 30
    [H3C-Vlan-interface30] ip address 10.1.3.1 24
    [H3C-Vlan-interface30] quit
    [H3C] interface vlan 40
    [H3C-Vlan-interface40] ip address 10.1.4.1 24
    [H3C-Vlan-interface40] quit

c. Define the time range (the source omits the start and end times):

    [H3C] time-range huawei to working-day

Requirement 1 configuration (basic ACL)

a. Enter the view of basic ACL 2000:

    [H3C] acl number 2000

b. Define the rule that filters packets sent from host 10.1.1.2:

    [H3C-acl-basic-2000] rule 1 deny source 10.1.1.2 0 time-range huawei

c. Apply ACL 2000 to the interface:

    [H3C-acl-basic-2000] interface GigabitEthernet1/0/1
    [H3C-GigabitEthernet1/0/1] packet-filter inbound ip-group 2000
    [H3C-GigabitEthernet1/0/1] quit

Requirement 2 configuration (advanced ACL)

a. Enter the view of advanced ACL 3000:

    [H3C] acl number 3000

b. Define the rule that prohibits traffic between the R&D and Technical Support Departments:

    [H3C-acl-adv-3000] rule 1 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

c. Define the rule that prohibits the R&D Department from accessing the salary query server:

    [H3C-acl-adv-3000] rule 2 deny ip source any destination 129.110.1.2 0.0.0.0 time-range huawei
    [H3C-acl-adv-3000] quit

d. Apply ACL 3000 to the interface:

    [H3C] interface GigabitEthernet1/0/2
    [H3C-GigabitEthernet1/0/2] packet-filter inbound ip-group 3000

Requirement 3 configuration (Layer-2 ACL)

a. Enter the view of Layer-2 ACL 4000:

    [H3C] acl number 4000

b. Define the rule that filters packets whose source MAC address is 00e0-fc01-0101:

    [H3C-acl-ethernetframe-4000] rule 1 deny source 00e0-fc01-0101 ffff-ffff-ffff time-range huawei

c. Apply ACL 4000 to the interface:

    [H3C-acl-ethernetframe-4000] interface GigabitEthernet1/0/4
    [H3C-GigabitEthernet1/0/4] packet-filter inbound link-group 4000

2) H3C 5500-SI/3610/5510 series switches: typical ACL configuration

Requirement 2 configuration

a. Enter the view of advanced ACL 3000:

    [H3C] acl number 3000

b. Define the rule that prohibits traffic between the R&D and Technical Support Departments:

    [H3C-acl-adv-3000] rule 1 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

c. Define the rule that prohibits the R&D Department from accessing the salary query server:

    [H3C-acl-adv-3000] rule 2 deny ip source any destination 129.110.1.2 0.0.0.0 time-range huawei
    [H3C-acl-adv-3000] quit

d. Define the traffic classifier:

    [H3C] traffic classifier abc
    [H3C-classifier-abc] if-match acl 3000
    [H3C-classifier-abc] quit

e. Define the traffic behavior, which decides whether packets matching the classifier are dropped:

    [H3C] traffic behavior abc
    [H3C-behavior-abc] filter deny
    [H3C-behavior-abc] quit

f. Define the QoS policy and associate the classifier with the behavior:

    [H3C] qos policy abc
    [H3C-qospolicy-abc] classifier abc behavior abc
    [H3C-qospolicy-abc] quit

g. Apply the QoS policy to the interface:

    [H3C] interface g1/1/2
    [H3C-GigabitEthernet1/1/2] qos apply policy abc inbound

h. Additional notes:

- On these switches the ACL is only used to identify traffic; whether the traffic is permitted or denied is decided by the filter action in the traffic behavior.
- If a port needs both permitted and denied traffic, define a traffic classifier and a traffic behavior for each and associate them in the same QoS policy.
- A QoS policy matches packets against its classifiers in configuration order. Once a packet matches a classifier, the associated behavior is executed and evaluation of the policy ends; the remaining classifiers are not checked.
- After a QoS policy has been applied to a port, the traffic classifier, traffic behavior and QoS policy it uses cannot be modified until the policy is removed from the port.

4. Configuration key points

1) The time-range name can be chosen freely.
2) After an access control rule has been defined, it must be applied to the corresponding interface. When applying it, make sure the inbound direction corresponds to the source and destination directions used in the rule.
3) S5600 series switches only support rules in the inbound direction, so choose the application interface accordingly.
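The matching semantics these rules depend on (the IPv4 wildcard mask, the Layer-2 MAC mask, the periodic time range, first-match evaluation inside an ACL and the packet-filter default of forwarding packets that match no rule) can be checked offline before the configuration is pushed to a switch. The following Python model is an added example, not H3C code or the original author's: it encodes the three ACLs and interface bindings from the configuration above and assumes, because the page omits them, that time-range huawei covers 08:00 to 18:00 on working days. Running it also illustrates key point 2: ACL 3000 only sees traffic arriving inbound on GigabitEthernet1/0/2, so a packet from the Technical Support subnet to the R&D subnet arriving on GigabitEthernet1/0/1 is evaluated against ACL 2000 instead and falls through to the default permit.

```python
"""Offline model of the ACLs configured on this page.

Added example (not H3C code): Comware-style IPv4 wildcard matching, H3C
Layer-2 MAC-mask matching, the periodic 'working-day' time-range,
first-match evaluation inside an ACL and the packet-filter default of
forwarding packets that match no rule.
ASSUMPTION: time-range 'huawei' is 08:00-18:00 Monday to Friday; the
source omits the start and end times.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import Dict, List, Optional


def _ip_int(ip: str) -> int:
    # The CLI accepts a bare "0" as the 0.0.0.0 wildcard (exact host match).
    return int(IPv4Address("0.0.0.0" if ip == "0" else ip))


def ip_wildcard_match(addr: str, rule_ip: str, wildcard: str) -> bool:
    """IPv4 wildcard: a 1 bit means 'do not care', so 0.0.0.255 is a /24."""
    if not addr:
        return False  # packet carries no IP header field to compare
    a, r, w = _ip_int(addr), _ip_int(rule_ip), _ip_int(wildcard)
    return (a & ~w) == (r & ~w)


def mac_mask_match(addr: str, rule_mac: str, mask: str) -> bool:
    """Layer-2 ACL MAC mask uses the opposite convention: a 1 bit is
    compared, so ffff-ffff-ffff means an exact match."""
    if not addr:
        return False
    a, r, m = (int(x.replace("-", ""), 16) for x in (addr, rule_mac, mask))
    return (a & m) == (r & m)


@dataclass(frozen=True)
class TimeRange:
    start: time
    end: time
    weekdays: frozenset  # Monday = 0 ... Sunday = 6

    def active(self, at: datetime) -> bool:
        return at.weekday() in self.weekdays and self.start <= at.time() < self.end


WORKING_DAY = frozenset(range(5))  # Comware 'working-day' keyword: Monday to Friday
TIME_RANGES: Dict[str, TimeRange] = {
    "huawei": TimeRange(time(8, 0), time(18, 0), WORKING_DAY),  # ASSUMED hours
}


@dataclass
class Packet:
    src_ip: str = ""
    dst_ip: str = ""
    src_mac: str = ""


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src_ip: Optional[tuple] = None    # (address, wildcard); None means 'any'
    dst_ip: Optional[tuple] = None
    src_mac: Optional[tuple] = None   # (address, mask)
    time_range: Optional[str] = None

    def matches(self, pkt: Packet, at: datetime) -> bool:
        # A rule bound to an inactive time-range does not take effect at all.
        if self.time_range and not TIME_RANGES[self.time_range].active(at):
            return False
        if self.src_ip and not ip_wildcard_match(pkt.src_ip, *self.src_ip):
            return False
        if self.dst_ip and not ip_wildcard_match(pkt.dst_ip, *self.dst_ip):
            return False
        if self.src_mac and not mac_mask_match(pkt.src_mac, *self.src_mac):
            return False
        return True


def evaluate(acl: List[Rule], pkt: Packet, at: datetime) -> str:
    """First matching rule wins; a packet matching no rule is forwarded."""
    for rule in acl:
        if rule.matches(pkt, at):
            return rule.action
    return "permit"


# The three ACLs exactly as the page configures them.
ACLS: Dict[int, List[Rule]] = {
    2000: [Rule("deny", src_ip=("10.1.1.2", "0"), time_range="huawei")],
    3000: [Rule("deny", src_ip=("10.1.2.0", "0.0.0.255"), dst_ip=("10.1.1.0", "0.0.0.255")),
           Rule("deny", dst_ip=("129.110.1.2", "0.0.0.0"), time_range="huawei")],  # source any
    4000: [Rule("deny", src_mac=("00e0-fc01-0101", "ffff-ffff-ffff"), time_range="huawei")],
}
# packet-filter inbound bindings from the page
INBOUND: Dict[str, int] = {"GigabitEthernet1/0/1": 2000, "GigabitEthernet1/0/2": 3000,
                           "GigabitEthernet1/0/4": 4000}


def filter_inbound(interface: str, when: str, **fields) -> str:
    """Decision of the inbound packet-filter on `interface` for a packet
    described by src_ip/dst_ip/src_mac at ISO timestamp `when`."""
    acl = ACLS.get(INBOUND.get(interface, -1))
    if acl is None:
        return "permit"  # no packet-filter bound to this interface
    return evaluate(acl, Packet(**fields), datetime.fromisoformat(when))


if __name__ == "__main__":
    # Constructed samples: 2024-01-09 is a Tuesday, 2024-01-13 a Saturday.
    for iface, when, pkt in [
        ("GigabitEthernet1/0/1", "2024-01-09T10:00", dict(src_ip="10.1.1.2", dst_ip="10.1.3.9")),
        ("GigabitEthernet1/0/1", "2024-01-13T10:00", dict(src_ip="10.1.1.2", dst_ip="10.1.3.9")),
        ("GigabitEthernet1/0/1", "2024-01-09T10:00", dict(src_ip="10.1.1.7", dst_ip="10.1.2.7")),
        ("GigabitEthernet1/0/2", "2024-01-09T10:00", dict(src_ip="10.1.2.7", dst_ip="129.110.1.2")),
        ("GigabitEthernet1/0/4", "2024-01-09T10:00", dict(src_mac="00e0-fc01-0101")),
    ]:
        print(f"{iface} {when} {pkt} -> {filter_inbound(iface, when, **pkt)}")
```

The model deliberately keeps the two mask conventions separate: a 1 bit in an IPv4 wildcard is ignored, while a 1 bit in a Layer-2 MAC mask is compared, which is why "0" is an exact host match in ACL 2000 but "ffff-ffff-ffff" is the exact match in ACL 4000. Swapping the two is an easy mistake when rules are written by hand.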
