How does an AR limit intranet users' access to the network?


An AR can be configured with a traffic policy to restrict intranet users' access to the network.
If an intranet user has a static IP address, a traffic policy can be configured to deny that user's traffic. If the terminal obtains its IP address through DHCP, first determine and fix the IP address of the terminal to be restricted; otherwise, once the address is released and assigned to another terminal, the policy would block that terminal's Internet access instead.
The configuration roadmap is as follows:
Create an ACL with rules that match the IP or MAC addresses of the users to be restricted (the users must be connected to the router directly or through a switch). For example:
Create an ACL based on IP addresses.
[Huawei] acl 3000  //Create ACL 3000
[Huawei-acl-adv-3000] rule permit ip source 10.1.1.1 0.0.0.0   //Match terminal 10.1.1.1 of the intranet.
[Huawei-acl-adv-3000] rule permit ip source 10.1.1.2 0.0.0.0  //Match terminal 10.1.1.2 of the intranet.
Create a traffic classifier that matches ACL 3000.
[Huawei] traffic classifier c1
[Huawei-classifier-c1] if-match acl 3000
Create a traffic behavior that denies the traffic matched by the classifier.
[Huawei] traffic behavior b1
[Huawei-behavior-b1] deny 
Create a traffic policy and bind the traffic classifier and traffic behavior to the traffic policy.
[Huawei] traffic policy test 
[Huawei-trafficpolicy-test] classifier c1 behavior b1
Apply the traffic policy test in the inbound direction of the interface.
[Huawei] interface GigabitEthernet 0/0/1
[Huawei-GigabitEthernet0/0/1] traffic-policy test inbound 
Matching source MAC addresses works the same way; only the ACL is created differently. For example, to match the intranet user with MAC address 1122-1122-1122, create a Layer 2 ACL (the rule action permit means the ACL matches that traffic; the traffic behavior deny then drops it):
[Huawei] acl 4000  //The Layer 2 ACL number must be in the range 4000 to 4999.
[Huawei-acl-L2-4000] rule permit source-mac 1122-1122-1122
The remaining steps (traffic classifier, traffic behavior, traffic policy, and applying the policy to the interface) are the same as in the IP-based example above.

Other related questions:
Does an AR record the websites accessed by intranet users?
An AR router does not record the websites accessed by intranet users.

How to set a specified time range on an AR to limit users' access to the network?
Method 1: Configure an ACL with a time range and reference it in a traffic policy.
Create a time range, for example, 8:00 to 18:00 from Monday to Friday.
[Huawei] time-range workday 8:00 to 18:00 working-day
Create an ACL based on the time range.
[Huawei] acl 3000  //Create ACL 3000; its rule is valid only during the time range workday.
[Huawei-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 time-range workday  //Match network segment 10.1.1.0/24 on the intranet; the rule is valid only during workday.
Then create a traffic classifier, traffic behavior, and traffic policy, and apply the traffic policy, as in the previous answer.
Method 2: Restrict NAT to the specified time range, so that outside it the users cannot access the network.
Create a time range, for example, 8:00 to 18:00 from Monday to Friday.
[Huawei] time-range workday 8:00 to 18:00 working-day
Create an ACL based on the time range.
[Huawei] acl 3000  //Create ACL 3000; only the second rule is bound to the time range.
[Huawei-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255  //Match network segment 10.1.1.0/24 on the intranet at any time.
[Huawei-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 time-range workday  //Match network segment 10.1.2.0/24 on the intranet only during workday.
[Huawei] interface GigabitEthernet 0/0/2
[Huawei-GigabitEthernet0/0/2] nat outbound 3000  //Devices on network segment 10.1.2.0/24 can access the network only from 8:00 to 18:00, Monday to Friday, while devices on network segment 10.1.1.0/24 can access the network at any time.
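The deny policy in the first answer and both time-range methods above rely on the same two ACL semantics: a wildcard mask in which a 1 bit means "do not care" (0.0.0.0 matches one host, 0.0.0.255 a /24), and a rule bound to a time range that matches only while the range is active. The following Python model is an added example, not Huawei code, that lets an administrator check offline which hosts a policy would deny, or which hosts NAT would translate, at a given time before committing the configuration. The ACL contents are copied from the answers above; the sample timestamps, the exclusive end time of the range, and the class and function names are constructed assumptions.

```python
"""Added example (not Huawei's code): an offline model of the ACL matching used in
the answers above, so an administrator can check which intranet hosts a traffic
policy denies, or which hosts NAT translates, at a given time before applying the
configuration. Wildcard-mask and time-range semantics are modelled as assumptions
from the commands on the page, not taken from VRP source."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional


@dataclass(frozen=True)
class TimeRange:
    """Models `time-range <name> <start> to <end> working-day`."""
    name: str
    start: time
    end: time
    weekdays: frozenset  # Monday = 0 ... Sunday = 6

    def active(self, at: datetime) -> bool:
        # Assumption: the end time is exclusive (18:00 itself is outside the range).
        return at.weekday() in self.weekdays and self.start <= at.time() < self.end


@dataclass(frozen=True)
class Rule:
    """Models `rule permit ip source <address> <wildcard> [time-range <name>]`."""
    source: str
    wildcard: str
    time_range: Optional[TimeRange] = None


def _to_int(dotted: str) -> int:
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or not all(0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def wildcard_match(addr: str, source: str, wildcard: str) -> bool:
    """Huawei wildcard semantics: a 1 bit in the wildcard means 'do not care'.
    0.0.0.0 therefore matches exactly one host and 0.0.0.255 matches a /24."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(source) & care)


def acl_matches(rules: List[Rule], src_ip: str, at: datetime) -> bool:
    """True if any rule of the ACL matches src_ip at time `at`.
    A rule bound to a time range only counts while that range is active."""
    for rule in rules:
        if rule.time_range is not None and not rule.time_range.active(at):
            continue
        if wildcard_match(src_ip, rule.source, rule.wildcard):
            return True
    return False


WORKDAY = TimeRange("workday", time(8, 0), time(18, 0), frozenset(range(5)))

# First answer: ACL 3000 lists the hosts to restrict; behavior b1 is `deny`.
RESTRICT_ACL = [Rule("10.1.1.1", "0.0.0.0"), Rule("10.1.1.2", "0.0.0.0")]

# Time-range answer, method 1: a deny policy that is active only during workday.
RESTRICT_WORKDAY_ACL = [Rule("10.1.1.0", "0.0.0.255", WORKDAY)]

# Time-range answer, method 2: ACL 3000 referenced by `nat outbound 3000`.
NAT_ACL = [Rule("10.1.1.0", "0.0.0.255"), Rule("10.1.2.0", "0.0.0.255", WORKDAY)]

# Constructed sample times: a Tuesday inside and outside office hours, and a Saturday.
TUE_10 = datetime(2024, 1, 16, 10, 0)
TUE_20 = datetime(2024, 1, 16, 20, 0)
SAT_10 = datetime(2024, 1, 20, 10, 0)


def traffic_policy_denies(rules: List[Rule], src_ip: str, at: datetime) -> bool:
    """Classifier matches the ACL and the behavior is deny: matched traffic is dropped."""
    return acl_matches(rules, src_ip, at)


def nat_outbound_allows(src_ip: str, at: datetime) -> bool:
    """With Easy IP only sources matching the ACL are translated; a source that does
    not match keeps its private address and therefore cannot reach the Internet."""
    return acl_matches(NAT_ACL, src_ip, at)


if __name__ == "__main__":
    for at in (TUE_10, TUE_20, SAT_10):
        for host in ("10.1.1.1", "10.1.1.3", "10.1.2.7"):
            print(at.strftime("%a %H:%M"), host,
                  "policy-denied" if traffic_policy_denies(RESTRICT_ACL, host, at) else "policy-ok",
                  "nat-allowed" if nat_outbound_allows(host, at) else "nat-blocked")
```

Running the block prints, for each sample time and host, whether the first answer's deny policy drops the host and whether method 2's NAT translates it; the table makes the DHCP caveat visible too, because a restriction keyed on 10.1.1.1 follows the address, not the terminal.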

Do AR routers support limiting intranet users' Internet access?
Yes. AR routers support limiting intranet users' Internet access; configure a traffic policy to implement it.

Configure NAT on the AR to permit Internet access and allow external users to access internal servers
Huawei AR routers support outbound NAT and the NAT server function, which allow intranet users to access the Internet and external users to access internal servers. The networking diagram (not reproduced on this page) is as follows: Eth2/0/0 on the router connects to the internal network, with intranet IP address 192.168.20.1/24. GE3/0/0 on the router connects to the external network, with extranet IP address 202.169.10.1/24. The internal server has internal IP address 192.168.20.2/24 and external IP address 202.169.10.5. The internal host with IP address 192.168.20.3/24 wants to access the internal server.
The configuration details are as follows:
1. Configure IP addresses for the interfaces on the router.
[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] ip address 192.168.20.1 24
[Huawei-Vlanif100] quit
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] port link-type access
[Huawei-Ethernet2/0/0] port default vlan 100
[Huawei-Ethernet2/0/0] quit
[Huawei] interface gigabitethernet 3/0/0
[Huawei-GigabitEthernet3/0/0] ip address 202.169.10.1 24
[Huawei-GigabitEthernet3/0/0] quit
2. Configure a default route with next-hop address 202.169.10.2 on the router.
[Huawei] ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
3. Configure outbound NAT in Easy IP mode so that internal users can access external networks.
[Huawei] acl 2000
[Huawei-acl-basic-2000] rule 5 permit source 192.168.20.0 0.0.0.255
[Huawei-acl-basic-2000] quit
[Huawei] interface gigabitethernet 3/0/0
[Huawei-GigabitEthernet3/0/0] nat outbound 2000
4. Configure the NAT server so that external users can access the internal server.
[Huawei] interface gigabitethernet 3/0/0
[Huawei-GigabitEthernet3/0/0] nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080  //External requests to 202.169.10.5 on TCP port 80 (www) are mapped to 192.168.20.2 port 8080.
[Huawei-GigabitEthernet3/0/0] quit
Note: The NAT server command takes effect on Layer 3 interfaces, excluding Loopback and NULL interfaces.
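Steps 3 and 4 above define two distinct translation behaviours: outbound Easy IP, which translates only sources that match ACL 2000 to the address of GE3/0/0, and a static NAT server entry, which publishes exactly one (protocol, global address, port) combination to the Internet. The Python model below is an added example, not Huawei code, written so that an administrator can check before deployment which internal hosts get translated and which services are actually exposed. The addresses, ACL, and NAT server entry are taken from the configuration above; the port allocation scheme, the session table, the sample packets, and the class and function names are constructed assumptions.

```python
"""Added example (not Huawei's code): an offline model of the outbound Easy IP NAT
and NAT server entries configured above, so an administrator can check before
deployment which internal hosts are translated on the way out and which
(protocol, global address, port) combinations are published to the Internet.
Port allocation and session handling are simplified assumptions."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Values taken from the configuration above.
WAN_IP = "202.169.10.1"  # GE3/0/0; Easy IP uses this interface address as the source
ACL_2000 = [ipaddress.ip_network("192.168.20.0/24")]  # rule 5 permit source 192.168.20.0 0.0.0.255
# nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080
NAT_SERVER: Dict[Tuple[str, str, int], Tuple[str, int]] = {
    ("tcp", "202.169.10.5", 80): ("192.168.20.2", 8080),
}

Packet = Tuple[str, str, int, str, int]  # (proto, src_ip, src_port, dst_ip, dst_port)


class EasyIpNat:
    """Outbound source NAT gated by an ACL, as `nat outbound 2000` on the WAN interface."""

    def __init__(self, wan_ip: str, acl: List[ipaddress.IPv4Network], first_port: int = 10240):
        self.wan_ip = wan_ip
        self.acl = acl
        self.next_port = first_port  # constructed starting port; not a VRP value
        self.sessions: Dict[Tuple[str, str, int], int] = {}  # (proto, src_ip, src_port) -> public port

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the translated packet, or None when the source does not match the ACL
        (the packet is then not translated and, with a private source, gets no reply)."""
        proto, src_ip, src_port, dst_ip, dst_port = pkt
        if not any(ipaddress.ip_address(src_ip) in net for net in self.acl):
            return None
        key = (proto, src_ip, src_port)
        if key not in self.sessions:  # an existing session keeps its public port
            self.sessions[key] = self.next_port
            self.next_port += 1
        return (proto, self.wan_ip, self.sessions[key], dst_ip, dst_port)


def nat_server_inbound(proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Static NAT server lookup: only a published (proto, global ip, port) reaches an
    internal host; any other inbound connection to the global address is dropped."""
    return NAT_SERVER.get((proto, dst_ip, dst_port))


def exposed_services() -> List[str]:
    """Inventory of what the NAT server entries expose, for review before deployment."""
    return sorted(f"{proto}/{gip}:{gport} -> {iip}:{iport}"
                  for (proto, gip, gport), (iip, iport) in NAT_SERVER.items())


if __name__ == "__main__":
    nat = EasyIpNat(WAN_IP, ACL_2000)
    # Constructed packets: an intranet host, a host outside the ACL, two inbound probes.
    print(nat.outbound(("tcp", "192.168.20.3", 51000, "203.0.113.10", 443)))
    print(nat.outbound(("tcp", "192.168.21.5", 51000, "203.0.113.10", 443)))
    print(nat_server_inbound("tcp", "202.169.10.5", 80))
    print(nat_server_inbound("tcp", "202.169.10.5", 22))
    print(exposed_services())
```

The model shows the security-relevant property of step 4: the global address 202.169.10.5 answers only on TCP port 80, and a connection to any other port or protocol has no mapping, so the internal server's other services stay unreachable from outside unless a further nat server entry is added.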
