H3C Access Controllers
File Filtering Configuration Examples

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Contents

Introduction· 1

Prerequisites· 1

Example: Configuring file filtering· 1

Network configuration· 1

Restrictions and guidelines· 1

Procedures· 1

Configuring the AC· 1

Configuring the switch· 4

Verifying the configuration· 5

Configuration files· 5

Related documentation· 7

 

Introduction

The following information provides examples for configuring file filtering.

Prerequisites

The following information applies to Comware-based access controllers and access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access controllers and access points.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of file filtering.

Example: Configuring file filtering

Network configuration

As shown in Figure 1, the AC connects to the Internet.

Configure file filtering on the AC so the AC performs the following operations:

·     Blocks files with the pptx or dotx extension.

·     Logs the blocked files.

Figure 1 Network diagram

 

Restrictions and guidelines

Use the actual serial ID of an AP to uniquely identify that AP.

Procedures

Configuring the AC

1.     Configure interfaces on the AC:

# Create VLAN 100 and VLAN-interface 100, and assign an IP address to the VLAN interface. The AP will obtain this IP address to establish CAPWAP tunnels with the AC.

<AC> system-view

[AC] vlan 100

[AC-vlan100] quit

[AC] interface vlan-interface 100

[AC-Vlan-interface100] ip address 192.1.1.1 24

[AC-Vlan-interface100] quit

# Create VLAN 200 and VLAN-interface 200, and assign an IP address to the VLAN interface. The client will access the wireless network in this VLAN.

[AC] vlan 200

[AC-vlan200] quit

[AC] interface vlan-interface 200

[AC-Vlan-interface200] ip address 192.2.1.1 24

[AC-Vlan-interface200] quit

# Set the link type of GigabitEthernet 1/0/1 (the port connected to the switch) to trunk, and allow traffic from VLAN 100 and VLAN 200 to pass through the port.

[AC] interface gigabitethernet 1/0/1

[AC-GigabitEthernet1/0/1] port link-type trunk

[AC-GigabitEthernet1/0/1] port trunk permit vlan 100 200

[AC-GigabitEthernet1/0/1] quit

2.     Configure a wireless service:

# Create service template 1 and enter service template view.

[AC] wlan service-template 1

# Set the SSID to service.

[AC-wlan-st-1] ssid service

# Set the AKM mode to PSK and configure simple character string 12345678 as the PSK.

[AC-wlan-st-1] akm mode psk

[AC-wlan-st-1] preshared-key pass-phrase simple 12345678

# Set the AES-CCMP cipher suite for frame encryption, and enable the RSN IE in beacon and probe responses.

[AC-wlan-st-1] cipher-suite ccmp

[AC-wlan-st-1] security-ie rsn

# Configure the AC to forward client traffic. If the default client traffic forwarding location is the same as the configuration in this step, you can skip this step.

[AC-wlan-st-1] client forwarding-location ac

# Assign the client to VLAN 200 after it comes online.

[AC-wlan-st-1] vlan 200

# Enable the service template.

[AC-wlan-st-1] service-template enable

[AC-wlan-st-1] quit

3.     Configure the AP:

 

IMPORTANT: In a large-scale network, configure AP groups as a best practice.

 

# Create a manual AP named ap1, and specify the AP model.

[AC] wlan ap ap1 model WA6320

# Set the serial ID to 219801A28N819CE0002T.

[AC-wlan-ap-ap1] serial-id 219801A28N819CE0002T

[AC-wlan-ap-ap1] quit

# Create AP group group1 and create an AP grouping rule by AP names to add AP ap1 to AP group group1.

[AC] wlan ap-group group1

[AC-wlan-ap-group-group1] ap ap1

# Bind service template 1 to radio 1 in AP group group1.

[AC-wlan-ap-group-group1] ap-model WA6320

[AC-wlan-ap-group-group1-ap-model-WA6320] radio 1

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] service-template 1

# Enable radio 1.

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] radio enable

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] quit

# Bind service template 1 to radio 2 in AP group group1.

[AC-wlan-ap-group-group1-ap-model-WA6320] radio 2

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] service-template 1

# Enable radio 2.

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] radio enable

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] return

4.     Configure an IP address object group named filefilter and specify subnet 192.2.1.0/24 for the object group.

<AC> system-view

[AC] object-group ip address filefilter

[AC-obj-grp-ip-filefilter] network subnet 192.2.1.0 24

[AC-obj-grp-ip-filefilter] quit

5.     Configure file filtering:

a.     Create a file type group named fg1 and create two file type match patterns to match files with the pptx and dotx extensions, respectively.

[AC] file-filter filetype-group fg1

[AC-file-filter-fgroup-fg1] pattern 1 text pptx

[AC-file-filter-fgroup-fg1] pattern 2 text dotx

[AC-file-filter-fgroup-fg1] quit

b.     Create a file filtering policy named p1 and enter file filtering policy view. Create a file filtering rule named r1 and configure it to drop and log both upload and download HTTP packets that match file type group fg1.

[AC] file-filter policy p1

[AC-file-filter-policy-p1] rule r1

[AC-file-filter-policy-p1-rule-r1] filetype-group fg1

[AC-file-filter-policy-p1-rule-r1] application type http

[AC-file-filter-policy-p1-rule-r1] direction both

[AC-file-filter-policy-p1-rule-r1] action drop logging

[AC-file-filter-policy-p1-rule-r1] quit

[AC-file-filter-policy-p1] quit

6.     Configure a DPI application profile and activate the file filtering policy and rule settings:

# Create a DPI application profile named profile1 and apply file filtering policy p1 to the DPI application profile.

[AC] app-profile profile1

[AC-app-profile-profile1] file-filter apply policy p1

[AC-app-profile-profile1] quit

# Activate the file filtering policy and rule settings.

[AC] inspect activate

7.     Configure a security policy:

# Enter IPv4 security policy view.

[AC] security-policy ip

# Create a security policy rule named inspect1. Configure the rule to permit packets from IP addresses in IP address object group filefilter and apply DPI application profile profile1 to the security policy.

[AC-security-policy-ip] rule name inspect1

[AC-security-policy-ip-14-inspect1] source-ip filefilter

[AC-security-policy-ip-14-inspect1] action pass

[AC-security-policy-ip-14-inspect1] profile profile1

[AC-security-policy-ip-14-inspect1] quit

# Activate rule matching acceleration.

[AC-security-policy-ip] accelerate enhanced enable

[AC-security-policy-ip] quit

Configuring the switch

1.     Configure interfaces on the switch:

# Create VLANs 100 and 200, create VLAN-interface 100 and VLAN-interface 200, and assign IP addresses to VLAN-interface 100 and VLAN-interface 200. The switch will use VLAN 100 to forward the traffic on CAPWAP tunnels between the AC and APs, and use VLAN 200 to forward client traffic.

<Switch> system-view

[Switch] vlan 100

[Switch-vlan100] quit

[Switch] interface vlan-interface 100

[Switch-Vlan-interface100] ip address 192.1.1.2 24

[Switch-Vlan-interface100] quit

[Switch] vlan 200

[Switch-vlan200] quit

[Switch] interface vlan-interface 200

[Switch-Vlan-interface200] ip address 192.2.1.2 24

[Switch-Vlan-interface200] quit

# Configure GigabitEthernet 1/0/1 that connects the switch to the AC as a trunk port.

[Switch] interface gigabitethernet 1/0/1

[Switch-GigabitEthernet1/0/1] port link-type trunk

# Assign the port to VLAN 100 and VLAN 200.

[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200

[Switch-GigabitEthernet1/0/1] quit

# Configure GigabitEthernet 1/0/2 that connects the switch to the AP as an access port, and assign the port to VLAN 100.

[Switch] interface gigabitethernet 1/0/2

[Switch-GigabitEthernet1/0/2] port link-type access

[Switch-GigabitEthernet1/0/2] port access vlan 100

# Enable PoE on the trunk port.

[Switch-GigabitEthernet1/0/2] poe enable

[Switch-GigabitEthernet1/0/2] quit

2.     Configure DHCP:

# Enable DHCP.

[Switch] dhcp enable

# Create a DHCP address pool named vlan100 to assign IP addresses and other configuration parameters to clients on subnet 192.1.1.0/24.

[Switch] dhcp server ip-pool vlan100

[Switch-dhcp-pool-vlan100] network 192.1.1.0 mask 255.255.255.0

# Exclude IP addresses 192.1.1.1 and 192.1.1.2 from dynamic allocation.

[Switch-dhcp-pool-vlan100] forbidden-ip 192.1.1.1 192.1.1.2

# Specify a gateway.

[Switch-dhcp-pool-vlan100] gateway-list 192.1.1.1

[Switch-dhcp-pool-vlan100] quit

# Create a DHCP address pool named vlan200 to assign IP addresses and other configuration parameters to clients on subnet 192.2.1.0/24.

[Switch] dhcp server ip-pool vlan200

[Switch-dhcp-pool-vlan200] network 192.2.1.0 mask 255.255.255.0

# Exclude IP addresses 192.2.1.1 and 192.2.1.2 from dynamic allocation.

[Switch-dhcp-pool-vlan200] forbidden-ip 192.2.1.1 192.2.1.2

# Specify a gateway and a DNS server.

[Switch-dhcp-pool-vlan200] dns-list 192.2.1.1

[Switch-dhcp-pool-vlan200] gateway-list 192.2.1.1

[Switch-dhcp-pool-vlan200] quit

Verifying the configuration

# Verify that the AC blocks and logs files that meet the specified criteria. (Details not shown.)

Configuration files

·     AC:

#

vlan 100

#

vlan 200

#

wlan service-template 1

 ssid service

 vlan 200

 akm mode psk

 preshared-key pass-phrase cipher $c$3$29gn1DalRVhkcyZ1CKwevH+xb6Lxopy3eq/H

 cipher-suite ccmp

 security-ie rsn

 service-template enable

#

interface Vlan-interface100

 ip address 192.1.1.1 255.255.255.0

#

interface Vlan-interface200

 ip address 192.2.1.1 255.255.255.0

#

interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 100 200

#

wlan ap ap1 model WA6320

 serial-id 219801A28N819CE0002T

#

wlan ap-group group1

 vlan 1

 ap ap1

 ap-model WA6320

 radio 1

  radio enable

  service-template 1

 radio 2

  radio enable

  service-template 1

 gigabitethernet 1

#

object-group ip address filefilter

 0 network subnet 192.2.1.0 255.255.2

#

file-filter policy p1

 rule r1

  filetype-group fg1

  application type http

  direction both

  action drop logging

#

file-filter filetype-group fg1

 pattern 1 text pptx

 pattern 2 text dotx

#

app-profile profile1

 file-filter apply policy p1

#

security-policy ip

 rule 1 name inspect1

  action pass

  profile profile1

  source-ip filefilter

·     Switch:

#

 dhcp enable

#

vlan 100

#

vlan 200

#

interface Vlan-interface100

 ip address 192.1.1.2 255.255.255.0

#

interface Vlan-interface200

 ip address 192.2.1.2 255.255.255.0

#

dhcp server ip-pool vlan100

 network 192.1.0.0 mask 255.255.255.0

 forbidden-ip 192.1.1.1 192.2.1.2

gateway-list 192.1.1.1

#

dhcp server ip-pool vlan200

 gateway-list 192.2.1.1

 network 192.2.1.0 mask 255.255.255.0

 forbidden-ip 192.2.1.1 192.2.1.2

dns-list 192.2.1.1

#

interface GigabitEthernet1/0/1

port link-type trunk

 port trunk permit vlan 100 200

#

interface GigabitEthernet1/0/2

port link-type access

 port access vlan 100

 poe enable

Related documentation

·     File Filtering Command Reference in H3C Access Controllers Command References

·     File Filtering Configuration Guide in H3C Access Controllers Configuration Guides

·     Security Policy Command Reference in H3C Access Controllers Command References

·     Security Policy Configuration Guide in H3C Access Controllers Configuration Guides