DON'T WANT TO MISS A THING?

Certification Exam Passing Tips

Latest exam news and discount info

Curated and up-to-date by our experts

Yes, send me the newsletter

Huawei device configuration controls access based on source MAC address


  •     Spoto
  • |
  •   Posted on: 2019-05-10
  • |
  •   Views: 2826

 

Networking requirements As shown in Figure 1, the router is an enterprise gateway, and internal users access the Internet through routers. It is now required to restrict access to the Internet by certain hosts on the LAN. However, since these hosts can change the IP address, they cannot be effectively prevented by firewall restrictions. The most appropriate method is to limit based on the source MAC address. In this case, you can restrict access to the Internet by some hosts, but you can access the gateway.

Configure the networking diagram


 

 

 

Steps

Router configuration

Sysname router

#

Vlan batch 10

#

Acl number 3001 //Configure the numbered access control list numbered 3001

Rule 1 permit ip destination 10.1.1.0 0.0.0.255 //Configure rule 1, specify the matching destination address as 10.1.1.1/24 (that is, the gateway address)

#

Traffic classification gate operator and

If-match acl 3001 //Configure the flow classification gate, specify matching ACL 3001

Traffic classifier mac1 operator and

If-match source-mac 0015-c50d-0001 //Configure the traffic classifier mac1 and specify the matching source address as 0015-c50d-0001.

Traffic classifier mac2 operator and

If-match source-mac 0015-c50d-0002 //Configure the traffic classifier mac2 and specify the matching source address as 0015-c50d-0002.

Traffic classifier mac3 operator and

If-match source-mac 0015-c50d-0003 //Configure the traffic classifier mac3 and specify the matching source address as 0015-c50d-0003.

#

Traffic behavior p1

Permit // configure the traffic behavior as p1 to allow

Traffic behavior d1

Deny //Configure the traffic behavior as d1 for reject and discard

#

Traffic policy myqos //Configure the traffic policy myqos

Classifier gate behavior p1 //Bind the flow classification gate and the popularity is p1

Classifier mac1 behavior d1 //Bind the traffic classifier mac1 and the popular d1

Classifier mac2 behavior d1 // Bind traffic classifier mac2 and pop d1

Classifier mac3 behavior d1 //Binding traffic classifier mac3 and pop d1

#

Interface Vlanif10

Ip address 10.1.1.1 255.255.255.0

Traffic-policy myqos inbound //Apply the traffic policy myqos in the inbound direction of the interface.

#

Interface Ethernet2/0/0

Port link-type trunk //Configure the link type of the interface as trunk

Port trunk allow-pass vlan 10 //Configure the trunk type interface to join vlan 10

#

Verify the configuration result

# Run the display traffic policy user-defined command to view the configured traffic policy information.

The gateway address can be successfully pinged on the restricted host, but the IP address in the non-LAN cannot be pinged.

 


Configuration considerations

Configure the interface that connects the Switch to the Router as a trunk interface and add it to VLAN 10.

After the traffic policy is applied to the interface, the traffic classifiers are matched with the traffic classifiers. Therefore, you must configure the traffic classifiers and traffic behaviors of the access gateways. 

 

More you may be interested:

Passed CCIE RS Written

 

Where Can I Get the Latest CCIE RS Lab Workbooks?

 

Free SPOTO CCIE RS TEST-Section 1.3 Spanning Tree

Comments:


Start the discussion...


To Leave a Comment or reply to posts please log in