Huawei device configuration controls access based on source MAC address
Spoto | Posted on: 2019-05-10 | Views: 2950
Networking requirements
As shown in Figure 1, the router is an enterprise gateway, and internal users access the Internet through it. It is now required to restrict Internet access for certain hosts on the LAN. Because these hosts can change their IP addresses, IP-based filtering cannot block them reliably, so the most appropriate method is to filter on the source MAC address. With this configuration the restricted hosts cannot reach the Internet but can still reach the gateway.
Figure 1 Networking diagram
Steps
Router configuration
sysname Router
#
vlan batch 10
#
acl number 3001 //Configure the numbered access control list 3001
 rule 1 permit ip destination 10.1.1.0 0.0.0.255 //Configure rule 1 to match destination addresses in 10.1.1.0/24 (the gateway subnet; the gateway address is 10.1.1.1)
#
traffic classifier gate operator and
 if-match acl 3001 //Configure the traffic classifier gate to match ACL 3001
traffic classifier mac1 operator and
 if-match source-mac 0015-c50d-0001 //Configure the traffic classifier mac1 to match source MAC address 0015-c50d-0001
traffic classifier mac2 operator and
 if-match source-mac 0015-c50d-0002 //Configure the traffic classifier mac2 to match source MAC address 0015-c50d-0002
traffic classifier mac3 operator and
 if-match source-mac 0015-c50d-0003 //Configure the traffic classifier mac3 to match source MAC address 0015-c50d-0003
#
traffic behavior p1
 permit //Configure the traffic behavior p1 to permit packets
traffic behavior d1
 deny //Configure the traffic behavior d1 to reject and discard packets
#
traffic policy myqos //Configure the traffic policy myqos
 classifier gate behavior p1 //Bind the traffic classifier gate to the behavior p1
 classifier mac1 behavior d1 //Bind the traffic classifier mac1 to the behavior d1
 classifier mac2 behavior d1 //Bind the traffic classifier mac2 to the behavior d1
 classifier mac3 behavior d1 //Bind the traffic classifier mac3 to the behavior d1
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
 traffic-policy myqos inbound //Apply the traffic policy myqos in the inbound direction of the interface
#
interface Ethernet2/0/0
 port link-type trunk //Configure the link type of the interface as trunk
 port trunk allow-pass vlan 10 //Allow the trunk interface to carry VLAN 10
#
Verify the configuration result
# Run the display traffic policy user-defined command to view the configured traffic policy information.
# From a restricted host, the gateway address can be pinged successfully, but addresses outside the LAN cannot be pinged.
Configuration considerations
Configure the interface that connects the switch to the router as a trunk interface and add it to VLAN 10.
After the traffic policy is applied to the interface, packets are matched against the traffic classifiers in the order in which the classifiers are bound to the policy, and the first matching classifier decides the action. Therefore, the traffic classifier and traffic behavior that permit access to the gateway (gate and p1) must be bound before the MAC-based deny classifiers, or the restricted hosts would lose access to the gateway as well.
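The ordering consideration above, as an added Python model that is not part of the original post and not Huawei code: it replays the page's policy myqos (ACL 3001 permit first, then the three source-MAC denies) over constructed packets, assuming first-match evaluation in binding order, and shows what a restricted host can and cannot reach when the bindings are in the page's order versus reversed.

```python
import ipaddress

# Values from the page's configuration.
GATEWAY_SUBNET = ipaddress.ip_network("10.1.1.0/24")   # acl 3001 rule 1
RESTRICTED_MACS = {"0015-c50d-0001", "0015-c50d-0002", "0015-c50d-0003"}


def match_acl_3001(pkt):
    """Classifier gate: rule 1 permit ip destination 10.1.1.0 0.0.0.255."""
    return ipaddress.ip_address(pkt["dst"]) in GATEWAY_SUBNET


def match_restricted_mac(pkt):
    """Classifiers mac1..mac3: if-match source-mac <restricted MAC>."""
    return pkt["src_mac"] in RESTRICTED_MACS


# (classifier name, matcher, behavior) in binding order, as on the page.
MYQOS = [
    ("gate", match_acl_3001, "permit"),     # classifier gate behavior p1
    ("mac", match_restricted_mac, "deny"),  # classifier mac1..3 behavior d1
]


def apply_policy(policy, pkt):
    """Assumption: first matching classifier decides; unmatched traffic is forwarded."""
    for _name, matcher, behavior in policy:
        if matcher(pkt):
            return behavior
    return "permit"


def reachability(policy, src_mac):
    """Return {destination: action} for a host with the given source MAC."""
    # Constructed sample destinations: the gateway and an Internet address.
    dests = ["10.1.1.1", "203.0.113.10"]
    return {d: apply_policy(policy, {"src_mac": src_mac, "dst": d}) for d in dests}


if __name__ == "__main__":
    print("page order, restricted host:", reachability(MYQOS, "0015-c50d-0001"))
    print("page order, other host:     ", reachability(MYQOS, "0015-c50d-00ff"))
    print("reversed order, restricted: ", reachability(MYQOS[::-1], "0015-c50d-0001"))
```

With the page's binding order a restricted host reaches the gateway but not the Internet; with the deny classifiers bound first the same host loses the gateway too.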