Configure S series switches to prevent internal hosts from accessing external websites

You can configure ACLs on S series switches (except S1700 switches) to prevent internal hosts from accessing external websites as follows:
# Create basic ACL 2001 and configure rules to reject the packets from hosts 10.1.1.11 and 10.1.2.12.
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule deny source 10.1.1.11 0 //Prevent host 10.1.1.11 from accessing external networks.
[HUAWEI-acl-basic-2001] rule deny source 10.1.2.12 0 //Prevent host 10.1.2.12 from accessing external networks.
[HUAWEI-acl-basic-2001] quit

# Configure the traffic classifier tc1 to classify packets that match ACL 2001.
[HUAWEI] traffic classifier tc1 //Create a traffic classifier.
[HUAWEI-classifier-tc1] if-match acl 2001 //Associate the traffic classifier with ACL 2001.
[HUAWEI-classifier-tc1] quit

# Configure the traffic behavior tb1 to reject packets.
[HUAWEI] traffic behavior tb1 //Create a traffic behavior.
[HUAWEI-behavior-tb1] deny //Configure the traffic behavior tb1 to reject packets.
[HUAWEI-behavior-tb1] quit

# Define a traffic policy and associate the traffic classifier and traffic behavior with the traffic policy.
[HUAWEI] traffic policy tp1 //Create a traffic policy.
[HUAWEI-trafficpolicy-tp1] classifier tc1 behavior tb1 //Associate the traffic classifier tc1 with the traffic behavior tb1.
[HUAWEI-trafficpolicy-tp1] quit

# Packets from internal hosts are forwarded to the Internet through GE2/0/1. Therefore, apply the traffic policy to the outbound direction of GE2/0/1.
[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] traffic-policy tp1 outbound //Apply the traffic policy to the outbound direction of the interface.
[HUAWEI-GigabitEthernet2/0/1] quit
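To check that the chain above (ACL rule -> classifier -> deny behavior -> policy -> interface binding) is really complete for a given host, the following Python audit script, added here and not part of the Huawei documentation, parses the running configuration and evaluates it with ACL wildcard-mask semantics. SAMPLE_CONFIG is a constructed approximation of what the commands above produce; the section layout it assumes ('#' separators, 'acl number N', 'interface GigabitEthernet2/0/1') is an assumption about VRP's display format.

```python
import re
import ipaddress
# Constructed sample (assumption, not from the page): the running config the commands above produce.
SAMPLE_CONFIG = """\
acl number 2001
 rule 5 deny source 10.1.1.11 0
 rule 10 deny source 10.1.2.12 0
#
traffic classifier tc1
 if-match acl 2001
#
traffic behavior tb1
 deny
#
traffic policy tp1
 classifier tc1 behavior tb1
#
interface GigabitEthernet2/0/1
 traffic-policy tp1 outbound
"""

def parse_sections(config):
    """Map each section header (e.g. 'acl number 2001') to its stripped body lines."""
    sections = {}
    for chunk in config.split("#\n"):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if lines:
            sections[lines[0]] = lines[1:]
    return sections

def wildcard_match(ip, base, wildcard):
    """ACL wildcard semantics: 0 bits must match, 1 bits are ignored; a bare '0' means 0.0.0.0."""
    care = ~int(ipaddress.IPv4Address("0.0.0.0" if wildcard == "0" else wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def denied_by_policy(config, ip, interface, direction="outbound"):
    """True if packets sourced from `ip` are dropped by a traffic policy applied on `interface`."""
    s = parse_sections(config)
    for pol in re.findall(r"traffic-policy (\S+) " + direction, " ".join(s.get("interface " + interface, []))):
        pairs = re.findall(r"classifier (\S+) behavior (\S+)", " ".join(s.get("traffic policy " + pol, [])))
        for cls, beh in pairs:
            if "deny" not in s.get("traffic behavior " + beh, []):
                continue  # behavior is not a drop, so this classifier does not block anything
            for acl in re.findall(r"if-match acl (\S+)", " ".join(s.get("traffic classifier " + cls, []))):
                for rule in s.get("acl number " + acl, s.get("acl " + acl, [])):
                    m = re.match(r"rule(?: \d+)? deny source (\S+) (\S+)", rule)
                    if m and wildcard_match(ip, m.group(1), m.group(2)):
                        return True
    return False
```

Note that the check is scoped to the interface and direction the policy is bound to: a host that can reach the Internet through another interface, or inbound traffic on GE2/0/1, is not covered by this policy.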
