How does an AR limit intranet users to access the network

An AR can be configured with a traffic policy to limit intranet users to access the network.
If an intranet user uses the static IP address, a traffic policy can be configured to deny the intranet user. If a terminal device obtains an IP address using DHCP, the IP address of the terminal device that is limited to access the network needs to be determined.
This prevents the impact on other users' Internet access after the address is released and allocated to other terminals.
The configuration roadmap is as follows:
Create an ACL and configure rules that match the IP or MAC addresses of users who are limited to access the network (ensure that users are connected to the router directly or through a switch). For example:
Create an ACL based on IP addresses.
[Huawei] acl 3000  //Create ACL 3000
[Huawei-acl-adv-3000] rule permit ip source 10.1.1.1 0.0.0.0   //Match terminal 10.1.1.1 of the intranet.
[Huawei-acl-adv-3000] rule permit ip source 10.1.1.2 0.0.0.0  //Match terminal 10.1.1.2 of the intranet.
Create a traffic classifier that matches acl 3000.
[Huawei] traffic classifier c1
[Huawei-classifier-c1] if-match acl 3000
Create a traffic behavior to limit the matched IP address to access the network.
[Huawei] traffic behavior b1
[Huawei-behavior-b1] deny 
Create a traffic policy and bind the traffic classifier and traffic behavior to the traffic policy.
[Huawei] traffic policy test 
[Huawei-trafficpolicy-test] classifier c1 behavior b1
Apply the traffic policy test to the interface.
[Huawei] interface GigabitEthernet 0/0/1
[Huawei-GigabitEthernet0/0/1] traffic-policy test inbound 
Using the same method to match source MAC addresses except for creating an ACL. For example, permit users with the intranet MAC address 1122-1122-1122 to access the network.
[Huawei] acl 4000 //The Layer 2 ACL number must be in the range 4000 to 4999.
[Huawei-acl-L2-4000] rule permit source-mac 1122-1122-1122
Use the preceding profile to perform other configurations.

Scroll to top