Table of Contents

Related Documents

23-Packet Filtering Quick Start Configuration Guide

Title	Size	Download
23-Packet Filtering Quick Start Configuration Guide	58.84 KB

Packet Filtering Quick Start Configuration Guide

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.

Contents

Configuring packet filtering· 1

Introduction· 1

Network configuration· 1

Procedure· 1

Verify the configuration· 2

Configuration files· 3

Configuring packet filtering

Introduction

The following information uses an example to describe the basic procedure for configuring packet filtering.

Network configuration

As shown in Figure 1, a company interconnects its departments through the device. Configure packet filtering to:

· Permit access from the Admin Dept at any time to the Internet and servers and deny access from the Admin Dept to the R&D Dept.

· Permit access from the R&D Dept to the servers and deny access from the R&D Dept to the Internet and the Admin Dept.

Figure 1 Network diagram

Procedure

1. Configure access to the Admin Dept.

# Create an IPv4 advanced ACL numbered 3000.

<Device> system-view

[Device] acl advanced 3000

# Configure a rule to deny packets from the R&D Dept.

[Device-acl-ipv4-adv-3000] rule deny ip destination 10.1.2.0 0.0.0.255

[Device-acl-ipv4-adv-3000] quit

# Apply IPv4 advanced ACL 3000 to filter incoming packets on GigabitEthernet 1/0/4.

[Device] interface gigabitethernet 1/0/4

[Device-GigabitEthernet1/0/4] packet-filter 3000 inbound

[Device-GigabitEthernet1/0/4] quit

2. Configure access to the R&D Dept.

# Create an IPv4 advanced ACL numbered 3001.

[Device] acl advanced 3001

# Configure a rule to permit packets from the Admin Dept.

[Device-acl-ipv4-adv-3001] rule permit ip destination 10.2.1.0 0.0.0.255

# Configure a rule to deny all other packets.

[Device-acl-ipv4-adv-3001] rule deny ip

# Apply IPv4 advanced ACL 3001 to filter incoming packets on GigabitEthernet 1/0/3.

[Device] interface gigabitethernet 1/0/3

[Device-GigabitEthernet1/0/3] packet-filter 3001 inbound

[Device-GigabitEthernet1/0/3] quit

Verify the configuration

# Display ACL application information for inbound packet filtering.

[Device] display packet-filter interface inbound

Interface: GigabitEthernet1/0/3

Inbound policy:

IPv4 ACL 3001

Interface: GigabitEthernet1/0/4

Inbound policy:

IPv4 ACL 3000

The output shows that GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 are successfully applied with ACLs for packet filtering.

# Verify that a website on the Internet cannot be pinged from a PC in the R&D Dept.

C:\>ping www.google.com

Pinging www.google.com [172.217.194.99] with 32 bytes of data:

Request timed out.

Ping statistics for 173.194.127.242:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>

# Verify that a server can be pinged from a PC in the R&D Dept.

C:\>ping 10.2.1.10

Ping 192.168.1.60 (10.2.1.10): 56 data bytes, press CTRL+C to break

56 bytes from 10.2.1.10: icmp_seq=0 ttl=255 time=12.963 ms

56 bytes from 10.2.1.10: icmp_seq=1 ttl=255 time=4.168 ms

56 bytes from 10.2.1.10: icmp_seq=2 ttl=255 time=7.390 ms

56 bytes from 10.2.1.10: icmp_seq=3 ttl=255 time=3.363 ms

56 bytes from 10.2.1.10: icmp_seq=4 ttl=255 time=2.901 ms

C:\>

# Verify that a website on the Internet can be pinged from a PC in the Admin Dept.

C:\>ping www.google.com

Pinging www.google.com [172.217.194.99] with 32 bytes of data:

Reply from 172.217.194.99: bytes=32 time=30ms TTL=50

Ping statistics for 172.217.194.99:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 30ms, Maximum = 30ms, Average = 30ms

C:\>

Configuration files

interface Ten-GigabitEthernet1/0/3

port link-mode bridge

packet-filter 3001 inbound

interface Ten-GigabitEthernet1/0/4

port link-mode bridge

packet-filter 3000 inbound

acl advanced 3000

rule 0 deny ip destination 10.1.2.0 0.0.0.255

acl advanced 3001

rule 0 permit ip destination 10.2.1.0 0.0.0.255

rule 5 deny ip

H3C Campus Fixed-Port Switches CLI-Based Quick Start Configuration Guide-6W101

Configuring packet filtering

Introduction

Network configuration

Procedure

Verify the configuration

Configuration files

Related documentation

Cloud & AI

InterConnect

Intelligent Computing

Security

SMB Products

Intelligent Terminal Products

Industry Solutions

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Training & Certification

Become a Partner

Partner Resources

Partner Business Management

Company Information

News & Events

Online Exhibition Center

Contact Us