S12500 Packet Filtering Configuration Examples
Introduction
This document provides packet filtering configuration examples.
Packet filtering uses ACLs to identify traffic based on matching criteria such as source IP address, destination IP address, and port number. When a packet matches an ACL rule, the device performs the predefined action, such as dropping or forwarding.
Prerequisites
The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
This document assumes that you have basic knowledge of H3C packet filtering.
Example: Configuring packet filtering
Network requirements
As shown in Figure 1, the FTP server at 129.1.1.2 in the internal IPv4 network provides FTP services (port 21) to external users.
Configure packet filtering on GigabitEthernet 4/0/1 to allow only the host at 20.3.3.3 to access the internal FTP server and deny all the other incoming FTP traffic.
Software version used
This configuration example was created and verified on S12500-CMW520-R1825P01.
Configuration procedures
# Configure VLAN 10 and VLAN 20.
<Device> system-view
[Device] vlan 10
[Device-vlan10] port Gigabitethernet 4/0/2
[Device-vlan10] quit
[Device] vlan 20
[Device-vlan20] port Gigabitethernet 4/0/1
[Device-vlan20] quit
[Device] interface GigabitEthernet 4/0/1
[Device-GigabitEthernet4/0/1] undo shutdown
[Device-GigabitEthernet4/0/1] quit
[Device] interface GigabitEthernet 4/0/2
[Device-GigabitEthernet4/0/2] undo shutdown
[Device-GigabitEthernet4/0/2] quit
[Device] interface vlan-interface 10
[Device-Vlan-interface10] ip address 129.1.1.1 24
[Device-Vlan-interface10] undo shutdown
[Device-Vlan-interface10] quit
[Device] interface vlan-interface 20
[Device-Vlan-interface20] ip address 20.1.1.1 24
[Device-Vlan-interface20] undo shutdown
[Device-Vlan-interface20] quit
# Create advanced IPv4 ACL 3000 and configure two rules in this order: the first permits TCP packets from host 20.3.3.3 to port 21 of the internal FTP server 129.1.1.2, and the second denies all other packets sent to TCP port 21. Rules are matched in configuration order, so the permit rule must precede the deny rule.
<Device> system-view
[Device] acl number 3000
[Device-acl-adv-3000] rule permit tcp destination-port eq 21 source 20.3.3.3 0 destination 129.1.1.2 0
[Device-acl-adv-3000] rule deny tcp destination-port eq 21
[Device-acl-adv-3000] quit
# Apply ACL 3000 to the inbound direction of GigabitEthernet 4/0/1.
[Device] interface GigabitEthernet 4/0/1
[Device-GigabitEthernet4/0/1] packet-filter 3000 inbound
[Device-GigabitEthernet4/0/1] quit
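To sanity-check the intent of ACL 3000 before applying it to a live interface, here is an added example (not part of the H3C document) that models first-match evaluation of advanced IPv4 ACL rules in Python. The sample packets are constructed, the helper names are hypothetical, and unmatched packets are assumed to take a default permit action, consistent with the requirement that only other FTP traffic is denied.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip" (any)
    src: Tuple[str, str] = ("0.0.0.0", "255.255.255.255")   # (address, wildcard)
    dst: Tuple[str, str] = ("0.0.0.0", "255.255.255.255")
    dport: Optional[int] = None      # destination-port eq N

def _wild_match(addr, rule_addr, wildcard):
    # Wildcard mask: a 0 bit must match, a 1 bit is ignored.
    a, r, w = (int(ipaddress.IPv4Address(x)) for x in (addr, rule_addr, wildcard))
    return (a ^ r) & (~w & 0xFFFFFFFF) == 0

def matches(rule, pkt):
    return (rule.proto in ("ip", pkt["proto"])
            and _wild_match(pkt["src"], *rule.src)
            and _wild_match(pkt["dst"], *rule.dst)
            and (rule.dport is None or rule.dport == pkt["dport"]))

def packet_filter(rules, pkt, default="permit"):
    """First matching rule in configuration order decides; otherwise default applies
    (assumption: unmatched traffic is permitted)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default

# ACL 3000 from the example, in configuration order (rule 0, then rule 5).
ACL_3000 = [
    Rule("permit", "tcp", ("20.3.3.3", "0.0.0.0"), ("129.1.1.2", "0.0.0.0"), 21),
    Rule("deny", "tcp", dport=21),
]

def check(rules):
    """Evaluate constructed sample packets and return the decision for each."""
    samples = {
        "allowed_host_ftp": {"proto": "tcp", "src": "20.3.3.3", "dst": "129.1.1.2", "dport": 21},
        "other_host_ftp": {"proto": "tcp", "src": "20.3.3.9", "dst": "129.1.1.2", "dport": 21},
        "allowed_host_other_dst": {"proto": "tcp", "src": "20.3.3.3", "dst": "129.1.1.3", "dport": 21},
        "other_host_http": {"proto": "tcp", "src": "20.3.3.9", "dst": "129.1.1.2", "dport": 80},
    }
    return {name: packet_filter(rules, pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    print(check(ACL_3000))
    # Reversed order: the broad deny shadows the permit, so even 20.3.3.3 is blocked.
    print(check(list(reversed(ACL_3000))))
```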
Verifying the configuration
# Display packet filtering configuration on GigabitEthernet 4/0/1.
[Device] display packet-filter interface GigabitEthernet 4/0/1
Interface: GigabitEthernet4/0/1
In-bound Policy:
acl 3000, Successful
Out-bound Policy:
Configuration files
#
acl number 3000
rule 0 permit tcp source 20.3.3.3 0 destination 129.1.1.2 0 destination-port eq ftp
rule 5 deny tcp destination-port eq ftp
#
vlan 1
#
vlan 10
#
vlan 20
#
interface Vlan-interface10
ip address 129.1.1.1 255.255.255.0
#
interface Vlan-interface20
ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet4/0/1
port link-mode bridge
port access vlan 20
packet-filter 3000 inbound
#
interface GigabitEthernet4/0/2
port link-mode bridge
port access vlan 10
#
Related documentation
· H3C S12500 Routing Switch Series ACL and QoS Configuration Guide
· H3C S12500 Routing Switch Series ACL and QoS Command Reference