Permitting Access for Specific Subnets by Using Packet Filtering

Contents

Introduction· 1

Prerequisites· 1

Configuration example· 1

Network configuration· 1

Analysis· 2

Procedure· 2

Verifying the configuration· 2

Configuration files· 2

Related documentation· 3

Introduction

The following information provides configuration examples for permitting access for specific subnets by using packet filtering.

Prerequisites

This document is not restricted to specific software or hardware versions. Procedures and information in the examples might be slightly different depending on the software or hardware version of the device.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of ACL.

Configuration example

Network configuration

As shown in Figure 1, the device acts as the gateway for the 192.168.10.0/24, 192.168.20.0/24, and 192.168.20.0/24 subnets. Configure ACLs to meet the following requirements:

·     Allow hosts on the 192.168.10.0/24 subnet to access only servers on the 192.168.20.0/24 subnet.

·     Deny hosts on any other subnet to access servers on the 192.168.20.0/24 and 192.168.30.0/24 subnets.

Figure 1 Network diagram

Analysis

To only allow hosts on a subnet to access hosts on another subnet, configure an ACL on GigabitEthernet 1/0/ 1 to allow the incoming packets with the specified source IP address and destination IP address.

Procedure

# Assign IP addresses to interfaces.

<Device> system-view

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] ip address 192.168.10.1 24

[Device-GigabitEthernet1/0/1] quit

[Device] interface gigabitethernet 1/0/2

[Device-GigabitEthernet1/0/2] ip address 192.168.20.1 24

[Device-GigabitEthernet1/0/2] quit

[Device] interface gigabitethernet 1/0/3

[Device-GigabitEthernet1/0/3] ip address 192.168.30.1 24

[Device-GigabitEthernet1/0/3] quit

# Create IPv4 advanced ACL 3000, configure a rule to permit packets with a source IP address on the 192.168.10.0/24 subnet and a destination IP address on the 192.168.20.0/24 subnet, and configure another rule to deny all other packets.

[Device] acl advanced 3000

[Device-acl-ipv4-adv-3000] rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255

[Device-acl-ipv4-adv-3000] rule deny ip

# Apply ACL 3000 to filter the incoming packets on GigabitEthernet 1/0/1.

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] packet-filter 3000 inbound

Verifying the configuration

# Use the display packet-filter command to display ACL application information for packet filtering.

[Device] display packet-filter interface inbound

Interface: GigabitEthernet1/0/1

 In-bound policy:

  ACL 3000

The output shows that GigabitEthernet 1/0/1 has been successfully applied with an ACL for packet filtering. Ping a server on the 192.168.10.0/24 subnet from a host on the 192.168.20.0/24 subnet. The ping succeeds. Ping a server on any other subnet from a host on the 192.168.10.0/24 subnet. The ping fails.

Configuration files

#

interface GigabitEthernet1/0/1

 port link-mode route

 combo enable copper

 ip address 192.168.10.1 255.255.255.0

 packet-filter 3000 inbound

#

interface GigabitEthernet1/0/2

 port link-mode route

 combo enable copper

 ip address 192.168.20.1 255.255.255.0

#

interface GigabitEthernet1/0/3

 port link-mode route

 combo enable copper

 ip address 192.168.30.1 255.255.255.0

#

acl advanced 3000

 rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255

 rule deny ip

#

Related documentation

·     ACL and QoS Configuration Guide in H3C MSR Router Series Comware 7 Configuration Guides

·     ACL and QoS Command Reference in H3C MSR Router Series Comware 7 Command References