IPv4 advanced ACL configuration examples

Network requirements

A company interconnects its departments through Device A. Configure an ACL to:

- Permit access from the President's office to the financial database server at any time.
- Permit access from the Financial department to the database server only during working hours (8:00 to 18:00) on working days.
- Deny access from any other department to the database server.

Configuration procedure

# Create a periodic time range from 8:00 to 18:00 on working days.

<DeviceA> system-view
[DeviceA] time-range work 8:0 to 18:0 working-day

# Create an IPv4 advanced ACL numbered 3000 and configure three rules in the ACL. One rule permits access from the President's office to the financial database server, one rule permits access from the Financial department to the database server during working hours, and one rule denies access from any other department to the database server.

[DeviceA] acl number 3000
[DeviceA-acl-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.100 0
[DeviceA-acl-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.100 0 time-range work
[DeviceA-acl-adv-3000] rule deny ip source any destination 192.168.0.100 0
[DeviceA-acl-adv-3000] quit

# Enable the IPv4 firewall and apply IPv4 advanced ACL 3000 to filter outgoing packets on interface Ethernet 1/1.

[DeviceA] firewall enable
[DeviceA] interface ethernet 1/1
[DeviceA-Ethernet1/1] firewall packet-filter 3000 outbound
[DeviceA-Ethernet1/1] quit

Verifying the configuration

# Ping the database server from a PC in the Financial department during working hours. (All PCs in this example use Windows XP.)

C:\> ping 192.168.0.100

Pinging 192.168.0.100 with 32 bytes of data:

Reply from 192.168.0.100: bytes=32 time=1ms TTL=255
Reply from 192.168.0.100: bytes=32 time<1ms TTL=255
Reply from 192.168.0.100: bytes=32 time<1ms TTL=255
Reply from 192.168.0.100: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.0.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

The output shows the database server can be pinged.

# Ping the database server from a PC in the Marketing department during working hours.

C:\> ping 192.168.0.100

Pinging 192.168.0.100 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.0.100:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

The output shows the database server cannot be pinged.

# Display configuration and match statistics for IPv4 advanced ACL 3000 on Device A during working hours.

[DeviceA] display acl 3000
Advanced ACL  3000, named -none-, 3 rules,
ACL's step is 5
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.100 0
 rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.100 0 time-range work (4 times matched) (Active)
 rule 10 deny ip destination 192.168.0.100 0 (4 times matched)

The output shows rule 5 is active. Rule 5 and rule 10 have been matched four times as the result of the ping operations.
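To make the rule semantics behind the configuration and the match statistics above visible, here is an added Python model of ACL 3000. It is not device code or a vendor tool: it implements Comware-style wildcard matching (a 1 bit means "do not care"), the periodic time range "work", first-match evaluation with rule IDs assigned in steps of 5, and a per-rule hit counter like the one "display acl" reports. The PC addresses and timestamps are constructed.

```python
from datetime import datetime
from ipaddress import IPv4Address

STEP = 5  # "ACL's step is 5": rule IDs are assigned 0, 5, 10, ...
# ACL 3000 as configured above. On the CLI a wildcard of "0" abbreviates
# 0.0.0.0 (exact host) and "source any" is 0.0.0.0 255.255.255.255.
ACL_3000 = [
    ("permit", "192.168.1.0", "0.0.0.255",       "192.168.0.100", "0.0.0.0", None),
    ("permit", "192.168.2.0", "0.0.0.255",       "192.168.0.100", "0.0.0.0", "work"),
    ("deny",   "0.0.0.0",     "255.255.255.255", "192.168.0.100", "0.0.0.0", None),
]
# Constructed sample times: Tuesday 2024-01-09 10:00 is inside 'work';
# Tuesday 20:00 and Saturday 2024-01-13 are outside it.
OFFICE_HOURS = datetime(2024, 1, 9, 10, 0)
AFTER_HOURS = datetime(2024, 1, 9, 20, 0)
WEEKEND = datetime(2024, 1, 13, 10, 0)

def wildcard_match(addr, base, wildcard):
    """Wildcard-mask compare: a 1 bit in the wildcard means 'do not care'."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)

def time_range_active(name, when):
    """Rules without a time range are always active. Only the page's 'work'
    range is modelled: 8:00 to 18:00 on working days (Monday to Friday)."""
    if name is None:
        return True
    if name == "work":
        return when.weekday() < 5 and 8 <= when.hour < 18
    raise ValueError(f"unknown time range: {name}")

def evaluate(acl, src, dst, when):
    """First active matching rule wins. Returns (action, rule_id);
    (None, None) means no rule matched and the packet-filter default applies."""
    for index, (action, bsrc, wsrc, bdst, wdst, tr) in enumerate(acl):
        if not time_range_active(tr, when):
            continue  # an inactive rule is skipped; later rules still see the packet
        if wildcard_match(src, bsrc, wsrc) and wildcard_match(dst, bdst, wdst):
            return action, index * STEP
    return None, None

def match_counts(acl, packets):
    """Tally hits per rule ID, as 'display acl 3000' reports '(n times matched)'."""
    counts = {i * STEP: 0 for i in range(len(acl))}
    for src, dst, when in packets:
        rule_id = evaluate(acl, src, dst, when)[1]
        if rule_id is not None:
            counts[rule_id] += 1
    return counts
```

Feeding four Financial-department pings and four Marketing pings during office hours reproduces the counts in the display output: rule 5 and rule 10 each matched four times, rule 0 not at all.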