H3C WX3500H series Скачать руководство пользователя

Страница: 22 / 57

ACL configuration example

Network requirements

A company interconnects its departments through the AC. Configure a packet filter to:

•

Permit access from the President's office at any time to the financial database server.

•

Permit access from the Financial department to the database server only during working hours

(from 8:00 to 18:00) on working days.

•

Deny access from any other department to the database server.

Figure 1 Network diagram

Configuration procedure

# Create a periodic time range from 8:00 to 18:00 on working days.

<AC> system-view

[AC] time-range work 08:0 to 18:00 working-day

# Create an IPv4 advanced ACL numbered 3000.

[AC] acl advanced 3000

# Configure a rule to permit access from the President's office to the financial database server.

[AC-acl-ipv4-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination

192.168.0.100 0

# Configure a rule to permit access from the Financial department to the database server during

working hours.

[AC-acl-ipv4-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255 destination

192.168.0.100 0 time-range work

# Configure a rule to deny access to the financial database server.

GE 1/0/1

Financial database server

192.168.0.100

IP network

AP 1

AP 3

President's office

192.168.1.0/24

Marketing department

192.168.3.0/24

AP 2

Financial department

192.168.2.0/24

Содержание WX3500H series

Страница 1: ...H3C Access Controllers ACL and QoS Configuration Guide New H3C Technologies Co Ltd http www h3c com hk Document version 6W101 20171122 ...

Страница 2: ... SecPath SecCenter SecBlade Comware ITCMM and HUASAN are trademarks of New H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the property of their respective owners Notice The information in this document is subject to change without notice Every effort has been made in the preparation of this document to ensure accuracy of the contents but all statements inform...

Страница 3: ... E5208P03 WX1810H CMW710 E5215P01 WX1820H CMW710 E5208P03 WX2500H series WX2510H WX2540H WX2560H WX2510H CMW710 R5215P01 WX2540H CMW710 R5215P01 WX2560H CMW710 R5215P01 WX3000H series WX3010H WX3010H L WX3010H X WX3024H WX3024H L WX3010H CMW710 R5215P01 WX3010HL CMW710 R5215P01 WX3010HX CMW710 R5215P01 WX3024H CMW710 R5215P01 WX3024HL CMW710 R5215P01 WX3500H series WX3508H WX3510H WX3520H WX3540H ...

Страница 4: ...enclose a set of optional syntax choices separated by vertical bars from which you select one or none x y Asterisk marked braces enclose a set of required syntax choices separated by vertical bars from which you select a minimum of one x y Asterisk marked square brackets enclose optional syntax choices separated by vertical bars from which you select one choice multiple choices or none 1 n The arg...

Страница 5: ...sents an access controller a unified wired WLAN module or the access controller engine on a unified wired WLAN switch Represents an access point Wireless terminator unit Wireless terminator Represents a mesh access point Represents omnidirectional signals Represents directional signals Represents a security product such as a firewall UTM multiservice security gateway or load balancing device Repre...

Страница 6: ... com hk Technical_Documents To obtain software version information such as release notes click http www h3c com hk Software_Download Technical support service h3c com http www h3c com hk Documentation feedback You can e mail your comments about product documentation to info h3c com We appreciate your comments ...

Страница 7: ...filtering 11 Configuring SNMP notifications for packet filtering 12 Setting the packet filtering default action 12 Displaying and maintaining ACLs 13 ACL configuration example 14 Network requirements 14 Configuration procedure 14 Verifying the configuration 15 QoS overview 16 Compatibility information 16 Feature and hardware compatibility 16 Command and hardware compatibility 17 QoS service models...

Страница 8: ...the MQC approach 28 Configuring traffic policing for a user profile by using the non MQC approach 29 Displaying and maintaining traffic policing 30 Configuring traffic filtering 31 Configuration procedure 31 Configuration example 31 Network requirements 31 Configuration procedure 32 Configuring priority marking 33 Configuration procedure 33 Configuration example 34 Network requirements 34 Configur...

Страница 9: ...number and other Layer 3 and Layer 4 header fields Layer 2 ACLs 4000 to 4999 IPv4 and IPv6 Layer 2 header fields such as source and destination MAC addresses 802 1p priority and link layer protocol type Numbering and naming ACLs When creating an ACL you must assign it a number or name for identification You can specify an existing ACL by its number or name Each ACL type has a unique range of ACL n...

Страница 10: ...ervice port number range 6 Rule configured earlier Layer 2 ACL 1 More 1s in the source MAC address mask more 1s means a smaller MAC address 2 More 1s in the destination MAC address mask 3 Rule configured earlier A wildcard mask also called an i nverse mask is a 32 bit binary number represented in dotted decimal notation In contrast to a network mask the 0 bits in a wildcard mask represent do care ...

Страница 11: ...ules 5 10 13 and 15 as rules 0 2 4 and 6 Fragments filtering with ACLs Traditional packet filtering matches only first fragments of packets and al lows all subsequent non first fragments to pass through Attackers can fabricate non first fragments to attack networks To avoid the risks the ACL feature is designed as follows Filters all fragments by default including non first fragments Allows for ma...

Страница 12: ...eria and functions Source and destination IP addresses Source and destination ports Transport layer protocol ICMP or ICMPv6 message type message code and message name VPN instance Logging Time range Slow forwarding requires packets to be sent to the control plane for forwarding entry calculation which affects the device forwarding performance Configuration task list Tasks at a glance Required Conf...

Страница 13: ...basic ACL Use the acl basic name acl name command to enter the view of a named IPv4 basic ACL 3 Optional Configure a description for the IPv4 basic ACL description text By default an IPv4 basic ACL does not have a description 4 Optional Set the rule numbering step step step value By default the rule numbering step is 5 and the start rule ID is 0 5 Create or edit a rule rule rule id deny permit fra...

Страница 14: ...permit fragment routing type routing type source source address source prefix source address source prefix any time range time range name By default an IPv6 basic ACL does not contain any rules 6 Optional Add or edit a rule comment rule rule id comment text By default no rule comment is configured Configuring an advanced ACL This section describes procedures for configuring IPv4 and IPv6 advanced ...

Страница 15: ... syn value urg urg value established destination dest address dest wildcard any destination port operator port1 port2 dscp dscp precedence precedence tos tos fragment icmp type icmp type icmp code icmp message source source address source wildcard any source port operator port1 port2 time range time range name By default an IPv4 advanced ACL does not contain any rules 6 Optional Add or edit a rule...

Страница 16: ...eny permit protocol ack ack value fin fin value psh psh value rst rst value syn syn value urg urg value established destination dest address dest prefix dest address dest prefix any destination port operator port1 port2 dscp dscp flow label flow label value fragment icmp6 type icmp6 type icmp6 code icmp6 message routing type routing type hop by hop type hop type source source address source prefix...

Страница 17: ...e range name By default a Layer 2 ACL does not contain any rules 6 Optional Add or edit a rule comment rule rule id comment text By default no rule comment is configured Configuring a WLAN client ACL WLAN client ACLs match packets based on the SSID that the WLAN clients use to access the WLAN You can use WLAN client ACLs to perform access control on WLAN clients To configure a WLAN client ACL Step...

Страница 18: ...LAN AP ACL 3 Optional Configure a description for the WLAN AP ACL description text By default a WLAN AP ACL does not have a description 4 Optional Set the rule numbering step step step value By default the rule numbering step is 5 and the start rule ID is 0 5 Configure or edit a rule rule rule id deny permit mac mac address mac mask serial id serial id By default a WLAN AP ACL does not contain any...

Страница 19: ...regation member port Applying an ACL to an interface for packet filtering The following matrix shows the feature and hardware compatibility Hardware series Model Feature compatibility WX1800H series WX1804H WX1810H WX1820H Yes WX2500H series WX2510H WX2540H WX2560H Yes WX3000H series WX3010H WX3010H L WX3010H X WX3024H WX3024H L No WX3500H series WX3508H WX3510H WX3520H WX3540H Yes WX5500E series ...

Страница 20: ...otification instead of waiting for the next output The notification records the number of matching packets and the matched ACL rules For more information about the information center and SNMP see Network Management and Monitoring Configuration Guide To configure SNMP notifications for packet filtering Step Command Remarks 1 Enter system view system view N A 2 Set the interval for outputting packet...

Страница 21: ... ACL rule to pass Displaying and maintaining ACLs Execute display commands in any view Task Command Display ACL configuration and match statistics display acl ipv6 mac wlan acl number all name acl name Display ACL application information for packet filtering display packet filter interface interface type interface number inbound outbound slot slot number Display detailed ACL packet filtering infor...

Страница 22: ...ge work 08 0 to 18 00 working day Create an IPv4 advanced ACL numbered 3000 AC acl advanced 3000 Configure a rule to permit access from the President s office to the financial database server AC acl ipv4 adv 3000 rule permit ip source 192 168 1 0 0 0 0 255 destination 192 168 0 100 0 Configure a rule to permit access from the Financial department to the database server during working hours AC acl ...

Страница 23: ...0 100 bytes 32 time 1ms TTL 255 Ping statistics for 192 168 0 100 Packets Sent 4 Received 4 Lost 0 0 loss Approximate round trip times in milli seconds Minimum 0ms Maximum 1ms Average 0ms Verify that a wireless client in the Marketing department cannot ping the database server during working hours C ping 192 168 0 100 Pinging 192 168 0 100 with 32 bytes of data Request timed out Request timed out ...

Страница 24: ...echniques Compatibility information Feature and hardware compatibility Hardware series Model QoS compatibility WX1800H series WX1804H WX1810H WX1820H Yes WX2500H series WX2510H WX2540H WX2560H Yes WX3000H series WX3010H WX3010H L WX3010H X WX3024H WX3024H L Yes WX3010H WX3010H X WX3024H No WX3010H L WX3024H L WX3500H series WX3508H WX3510H WX3520H WX3540H Yes WX5500E series WX5510E WX5540E Yes WX5...

Страница 25: ...quest service from the network before it sends data IntServ signals the service request with the RSVP All nodes receiving the request reserve resources as requested and maintain state information for the application flow The IntServ model demands high storage and processing capabilities because it requires all nodes along the transmission path to maintain resource state information for each flow T...

Страница 26: ...efly describes how the QoS module processes traffic 1 Traffic classifier identifies and classifies traffic for subsequent QoS actions 2 The QoS module takes various QoS actions on classified traffic as configured depending on the traffic processing phase and network status For example you can configure the QoS module to perform traffic policing for incoming traffic Figure 3 QoS processing flow WAN...

Страница 27: ...ing traffic and it uses the AND or OR operator If the operator is AND a packet must match all the criteria to match the traffic class If the operator is OR a packet matches the traffic class if it matches any of the criteria in the traffic class A traffic behavior defines a set of QoS actions to take on packets such as priority marking By associating a traffic behavior with a traffic class in a Qo...

Страница 28: ...ng and priority marking By default no action is configured for a traffic behavior Defining a QoS policy To perform actions defined in a behavior for a class of packets associate the behavior with the class in a QoS policy To associate a traffic class with a traffic behavior in a QoS policy Step Command Remarks 1 Enter system view system view N A 2 Create a QoS policy and enter QoS policy view qos ...

Страница 29: ...kets include link maintenance RIP and SSH packets To apply a QoS policy to an interface Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Apply the QoS policy to the interface qos apply policy policy name inbound outbound By default no QoS policy is applied to an interface Applying the QoS policy to a user profile The fo...

Страница 30: ...to apply the QoS policy to the outgoing traffic of the device traffic received by the online users Displaying and maintaining QoS policies Execute display commands in any view Task Command Display traffic class configuration display traffic classifier system defined user defined classifier name slot slot number Display traffic behavior configuration display traffic behavior system defined user def...

Страница 31: ...re information about these priorities see Appendixes Locally assigned priorities only have local significance They are assigned by the device only for scheduling The device supports only local precedence for locally assigned priorities A local precedence value corresponds to an output queue A packet with higher local precedence is assigned to a higher priority output queue to be preferentially sch...

Страница 32: ... priority map lp dot1p Local 802 1p priority map lp dscp Local DSCP priority map To configure a priority map Step Command Remarks 1 Enter system view system view N A 2 Enter priority map view qos map table dot11e lp dot1p lp dscp lp lp dot11e lp dot1p lp dscp N A 3 Configure mappings for the priority map import import value list export export value By default the default priority maps are used For...

Страница 33: ...nter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Set the port priority of the interface qos priority priority value The default setting is 0 Displaying and maintaining priority mapping Execute display commands in any view Task Command Display priority map configuration display qos map table dot11e lp dot1p lp dscp lp lp dot11e lp dot1p lp dscp...

Страница 34: ...thernet 1 0 2 No trusted packet priority type is configured on GigabitEthernet 1 0 1 or GigabitEthernet 1 0 2 AC system view AC interface gigabitethernet 1 0 1 AC GigabitEthernet1 0 1 qos priority 3 AC GigabitEthernet1 0 1 quit AC interface gigabitethernet 1 0 2 AC GigabitEthernet1 0 2 qos priority 1 AC GigabitEthernet1 0 2 quit Internet Device A AC Server GE1 0 1 IP precedence 3 GE1 0 2 IP preced...

Страница 35: ...d is colored green The corresponding tokens are taken away from the bucket Otherwise the packet does not conform to the specification called excess traffic and is colored red Traffic policing uses the single rate two color mechanism This mechanism uses one token bucket bucket C and the following parameters Committed information rate CIR Mean rate at which tokens are put into bucket C It sets the a...

Страница 36: ...view system view N A 2 Create a traffic class and enter traffic class view traffic classifier classifier name operator and or By default no traffic class exists 3 Configure match criteria if match not match criteria By default no match criterion is configured For more information about the if match command see ACL and QoS Command Reference 4 Return to system view quit N A 5 Create a traffic behavi...

Страница 37: ...profile Choose one of the application destinations as needed By default no QoS policy is applied Configuring traffic policing for a user profile by using the non MQC approach The following matrix shows the feature and hardware compatibility Hardware series Model Feature compatibility WX1800H series WX1804H WX1810H WX1820H Yes WX2500H series WX2510H WX2540H WX2560H Yes WX3000H series WX3010H WX3010...

Страница 38: ...p Command Remarks 1 Enter system view system view N A 2 Enter user profile view user profile profile name The configuration made in user profile view takes effect when the users are online 3 Configure a CAR policy for the user profile qos car inbound outbound any cir committed information rate cbs committed burst size By default no CAR policy is configured for a user profile The conforming traffic...

Страница 39: ...figure the traffic filtering action filter deny permit By default no traffic filtering action is configured 7 Return to system view quit N A 8 Create a QoS policy and enter QoS policy view qos policy policy name By default no QoS policy exists 9 Associate the traffic class with the traffic behavior in the QoS policy classifier classifier name behavior behavior name By default a traffic class is no...

Страница 40: ...sifier classifier_1 quit Create a traffic behavior named behavior_1 and configure the traffic filtering action to drop packets AC traffic behavior behavior_1 AC behavior behavior_1 filter deny AC behavior behavior_1 quit Create a QoS policy named policy and associate traffic class classifier_1 with traffic behavior behavior_1 in the QoS policy AC qos policy policy AC qospolicy policy classifier cl...

Страница 41: ...e match criteria if match not match criteria By default no match criterion is configured For more information about the if match command see ACL and QoS Command Reference 4 Return to system view quit N A 5 Create a traffic behavior and enter traffic behavior view traffic behavior behavior name By default no traffic behavior exists 6 Configure a priority marking action Set the DSCP value for packet...

Страница 42: ...dure Create advanced ACL 3000 and configure a rule to match packets with destination IP address 192 168 0 1 AC system view AC acl advanced 3000 AC acl ipv4 adv 3000 rule permit ip destination 192 168 0 1 0 AC acl ipv4 adv 3000 quit Create advanced ACL 3001 and configure a rule to match packets with destination IP address 192 168 0 2 AC acl advanced 3001 AC acl ipv4 adv 3001 rule permit ip destinat...

Страница 43: ...server remark local precedence 4 AC behavior behavior_dbserver quit Create a traffic behavior named behavior_mserver and configure the action of setting the local precedence value to 3 AC traffic behavior behavior_mserver AC behavior behavior_mserver remark local precedence 3 AC behavior behavior_mserver quit Create a traffic behavior named behavior_fserver and configure the action of setting the ...

Страница 44: ...ed Service DSCP Differentiated Services Code Point EBS Excess Burst Size IntServ Integrated Service ISP Internet Service Provider PIR Peak Information Rate QoS Quality of Service ToS Type of Service Appendix B Default priority maps Table 3 Default dot1p lp priority map Input priority value dot1p lp map dot1p lp 0 2 1 0 2 1 3 3 4 4 5 5 6 6 7 7 Table 4 Default dot11e lp priority map dot11e lp 0 2 1 ...

Страница 45: ... 3 32 to 39 4 40 to 47 5 48 to 55 6 56 to 63 7 Table 6 Default lp dot1p lp dot11e and lp dscp priority maps Input priority value lp dot1p map lp dot11e map lp dscp map lp dot1p dot11e DSCP 0 1 1 0 1 2 2 8 2 0 0 16 3 3 3 24 4 4 4 32 5 5 5 40 6 6 6 48 7 7 7 56 Table 7 Default port priority local priority map Port priority Local precedence 0 0 1 1 2 2 3 3 ...

Страница 46: ...63 The remaining 2 bits 6 and 7 are reserved Table 8 IP precedence IP precedence decimal IP precedence binary Description 0 000 Routine 1 001 priority 2 010 immediate 3 011 flash 4 100 flash override 5 101 critical 6 110 internet 7 111 network Table 9 DSCP values DSCP value decimal DSCP value binary Description 46 101110 ef 10 001010 af11 12 001100 af12 M B Z RFC 1122 IP Type of Service ToS RFC 79...

Страница 47: ...is is not needed and QoS must be assured at Layer 2 Figure 10 An Ethernet frame with an 802 1Q tag header As shown in Figure 10 the 4 byte 802 1Q tag header contains the 2 byte tag protocol identifier TPID and the 2 byte tag control information TCI The value of the TPID is 0x8100 Figure 11 shows the format of the 802 1Q tag header The Priority field in the 802 1Q tag header is called 802 1p priori...

Страница 48: ... a MAC layer enhancement to IEEE 802 11 IEEE 802 11e adds a 2 byte QoS control field to the 802 11e MAC frame header The 3 bit QoS control field represents the 802 11e priority in the range of 0 to 7 Figure 12 802 11e frame structure 1 0 0 0 0 0 0 1 0 0 0 0 0 0 0 Priority C F I VLAN ID TPID Tag protocol identifier TCI Tag control information Byte 1 Byte 2 0 Byte 3 Byte 4 7 5 4 3 2 1 0 7 5 4 3 2 1 ...

Страница 49: ... name You can create a maximum of 1024 time ranges each with a maximum of 32 periodic statements and 12 absolute statements The active period of a time range is calculated as follows 1 Combining all periodic statements 2 Combining all absolute statements 3 Taking the intersection of the two statement sets as the active period of the time range Feature and hardware compatibility Hardware series Mod...

Страница 50: ...me1 date1 to time2 date2 from time1 date1 to time2 date2 to time2 date2 No time range exists Displaying and maintaining time ranges Execute the display command in any view Task Command Display time range configuration and status display time range time range name all Time range configuration example Network requirements As shown in Figure 13 configure an ACL on the AC to allow Client 1 to access t...

Страница 51: ...k AC acl ipv4 basic 2001 rule deny source any time range work AC acl ipv4 basic 2001 quit Apply IPv4 basic ACL 2001 to filter outgoing packets on interface GigabitEthernet 1 0 1 AC interface gigabitEthernet 1 0 1 AC GigabitEthernet1 0 1 packet filter 2001 outbound AC GigabitEthernet1 0 1 quit Verifying the configuration Display time range configuration and status on the AC AC display time range al...

Страница 52: ...ms 36 Appendix B Default priority maps 36 Appendix C Packet precedence 38 applying ACL packet filtering to interface 11 QoS policy 20 QoS policy interface PVC 21 QoS policy user profile 21 auto ACL auto match order sort 1 ACL automatic rule numbering renumbering 3 B bandwidth QoS overview 16 QoS policy configuration 19 basic ACL type 1 behavior QoS traffic behavior definition 20 best effort QoS se...

Страница 53: ...SCP values 38 E evaluating QoS traffic 27 QoS traffic with token bucket 27 27 F filtering ACL packet fragments 3 QoS traffic filtering configuration 31 31 forwarding ACL configuration 1 4 14 ACL configuration advanced 6 ACL configuration basic 5 ACL configuration Layer 2 8 ACL configuration WLAN AP 10 ACL configuration WLAN client 9 QoS token bucket 27 fragment ACL fragment filtering 3 H hardware ...

Страница 54: ...ffic policing 27 QoS traffic policing configuration 27 28 network management ACL configuration 1 4 14 QoS overview 16 QoS priority mapping configuration 25 QoS service models 17 QoS techniques 17 time range configuration 41 42 non modular QoS Use non MQC non MQC QoS traffic policing configuration 28 non MQC QoS traffic policing user profile 29 notifying ACL packet filtering SNMP notifications 12 n...

Страница 55: ...guring QoS priority mapping map uncolored 24 configuring QoS priority mapping trusted port packet priority 24 configuring QoS priority marking 33 34 configuring QoS traffic filtering 31 31 configuring QoS traffic policing 28 configuring time range 42 42 copying ACL 10 defining QoS policy 20 defining QoS traffic behavior 20 defining QoS traffic class 19 displaying ACL 13 displaying QoS policies 22 ...

Страница 56: ...ation IPv4 basic 5 ACL configuration IPv6 advanced 7 ACL configuration IPv6 basic 5 ACL configuration Layer 2 8 ACL configuration WLAN AP 10 ACL configuration WLAN client 9 service QoS best effort service model 17 QoS DiffServ service model 17 QoS IntServ service model 17 QoS models 17 QoS overview 16 QoS policy configuration 19 QoS priority marking configuration 33 34 QoS techniques 17 QoS traffi...

Страница 57: ...cing 18 27 QoS traffic policing configuration 27 28 QoS traffic shaping 18 traffic policing QoS display 30 trapping ACL packet filtering SNMP notifications 12 trusted port packet priority QoS 24 type ACL advanced 1 ACL auto match order sort 1 ACL basic 1 ACL config match order sort 1 ACL Layer 2 1 U user QoS policy application user profile 21 QoS priority mapping user priority 23 user profile QoS ...

Результаты поиска

Содержание WX3500H series

Отзывы:

Похожие инструкции для WX3500H series

Бренды по названию

Популярные бренды

H3C WX3500H series, Руководство по настройке пользователя

Результаты поиска

Содержание WX3500H series

Отзывы:

Похожие инструкции для WX3500H series

Бренды по названию

Популярные бренды