How to set a time range on an AR to restrict users' access to the network


Method 1: You can configure an ACL with the time range specified and configure a traffic policy.
Create a time range, for example, 8:00 to 18:00 from Monday to Friday.
[Huawei]time-range workday 8:00 to 18:00 working-day
Create an ACL based on the time range.
[Huawei]acl 3000 //Create advanced ACL 3000; the rule below references the time range workday.
[Huawei-acl-adv-3000]rule permit ip source 10.1.1.0 0.0.0.255 time-range workday //Match network segment 10.1.1.0/24 on the intranet, and set the validity time to workday.
Then create a traffic classifier, traffic behavior, and traffic policy, and apply the traffic policy.

Method 2: You can also restrict NAT to the specified time range to limit users' access to the network.
Create a time range, for example, 8:00 to 18:00 from Monday to Friday.
[Huawei]time-range workday 8:00 to 18:00 working-day
Create an ACL based on the time range.
[Huawei]acl 3000 //Create advanced ACL 3000; only the second rule below references the time range workday.
[Huawei-acl-adv-3000]rule permit ip source 10.1.1.0 0.0.0.255
[Huawei-acl-adv-3000]rule permit ip source 10.1.2.0 0.0.0.255 time-range workday //Match network segment 10.1.2.0/24 on the intranet, and set the validity time to workday.
[Huawei]interface GigabitEthernet 0/0/2
[Huawei-GigabitEthernet0/0/2]nat outbound 3000 //Devices on network segment 10.1.2.0/24 can access the network only from 8:00 to 18:00, Monday to Friday, while devices on network segment 10.1.1.0/24 can access the network at any time.
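
The following Python example is added here and is not part of the original Huawei page: it parses the Method 2 time range and ACL rules and reports whether a given source address matches the NAT ACL at a given time. It assumes rules are evaluated in the order listed and that the end minute of the range is inclusive; the function names are hypothetical.

```python
import ipaddress
import re
from datetime import datetime

# Method 2 commands from this page with the CLI prompts removed.
CONFIG = """\
time-range workday 8:00 to 18:00 working-day
acl 3000
 rule permit ip source 10.1.1.0 0.0.0.255
 rule permit ip source 10.1.2.0 0.0.0.255 time-range workday
"""

# Day keywords mapped to Python weekday numbers (Monday is 0).
DAYS = {"working-day": {0, 1, 2, 3, 4}, "off-day": {5, 6}, "daily": set(range(7))}
TR_RE = re.compile(r"time-range (\S+) (\d+):(\d+) to (\d+):(\d+) (\S+)$")
RULE_RE = re.compile(r"rule (permit|deny) ip source (\S+) (\S+)(?: time-range (\S+))?$")


def ip_int(text):
    return int(ipaddress.IPv4Address(text))


def parse(config):
    """Return ({range name: (start_min, end_min, weekdays)}, [rule tuples])."""
    ranges, rules = {}, []
    for line in map(str.strip, config.splitlines()):
        if m := TR_RE.match(line):
            name, h1, m1, h2, m2, days = m.groups()
            ranges[name] = (int(h1) * 60 + int(m1), int(h2) * 60 + int(m2), DAYS[days])
        elif m := RULE_RE.match(line):
            action, addr, wildcard, tr = m.groups()
            rules.append((action, ip_int(addr), ip_int(wildcard), tr))
    return ranges, rules


def rule_active(ranges, name, when):
    if name is None:                      # no time-range keyword: always active
        return True
    start, end, days = ranges[name]
    minute = when.hour * 60 + when.minute
    return when.weekday() in days and start <= minute <= end  # assumed inclusive end


def nat_permitted(config, src, when):
    """First active rule whose wildcard match covers src decides; no match means no NAT."""
    ranges, rules = parse(config)
    for action, addr, wildcard, tr in rules:
        if rule_active(ranges, tr, when) and (ip_int(src) ^ addr) & ~wildcard & 0xFFFFFFFF == 0:
            return action == "permit"
    return False


if __name__ == "__main__":
    print(nat_permitted(CONFIG, "10.1.2.5", datetime(2024, 1, 6, 10, 0)))  # Saturday 10:00
```

The device evaluates a time range against its own system clock, so verify the router's clock and time zone when auditing a time-based rule.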

Other related questions:
How to configure rate limiting based on the time range on an AR
You can use an ACL to match data flows for which rate limiting is performed and set a time range. 1. Use a traffic policy for rate limiting. 2. Configure rate limiting on an interface.

How does an AR restrict intranet users' access to the network
An AR can be configured with a traffic policy to restrict intranet users' access to the network.
If an intranet user uses a static IP address, a traffic policy can be configured to deny that user. If a terminal device obtains its IP address using DHCP, the IP address of the terminal device whose network access is to be restricted needs to be determined.
This avoids affecting other users' Internet access after the address is released and allocated to other terminals.
The configuration roadmap is as follows:
Create an ACL and configure rules that match the IP or MAC addresses of the users whose network access is to be restricted (ensure that the users are connected to the router directly or through a switch). For example:
Create an ACL based on IP addresses.
[Huawei] acl 3000  //Create ACL 3000
[Huawei-acl-adv-3000] rule permit ip source 10.1.1.1 0.0.0.0   //Match terminal 10.1.1.1 of the intranet.
[Huawei-acl-adv-3000] rule permit ip source 10.1.1.2 0.0.0.0  //Match terminal 10.1.1.2 of the intranet.
Create a traffic classifier that matches acl 3000.
[Huawei] traffic classifier c1
[Huawei-classifier-c1] if-match acl 3000
Create a traffic behavior that denies network access to the matched IP addresses.
[Huawei] traffic behavior b1
[Huawei-behavior-b1] deny 
Create a traffic policy and bind the traffic classifier and traffic behavior to the traffic policy.
[Huawei] traffic policy test 
[Huawei-trafficpolicy-test] classifier c1 behavior b1
Apply the traffic policy test to the interface.
[Huawei] interface GigabitEthernet 0/0/1
[Huawei-GigabitEthernet0/0/1] traffic-policy test inbound 
Use the same method to match source MAC addresses; only the ACL creation differs. For example, permit users with the intranet MAC address 1122-1122-1122 to access the network.
[Huawei] acl 4000 //The Layer 2 ACL number must be in the range 4000 to 4999.
[Huawei-acl-L2-4000] rule permit source-mac 1122-1122-1122
Perform the remaining configuration as in the preceding example.

How to limit a specified source or destination address's access to the network
You can configure an ACL to match the source or destination address. If the host with the source IP address of 10.1.1.1 is required to access only the host on network segment 10.1.1.18/26, the configuration is as follows: For details on how to configure traffic classifiers, traffic behaviors (with the action set to permit), and traffic policies, see MQC Configuration in AR CLI-based Configuration Guide - QoS.

How to configure an ACL time range on a WLAN device
If some services or functions need to be started at intervals or a specific period of time, run the time-range command on a WLAN device. When configuring ACL rules, you can use the name of a time range to reference this time range. You can associate a time range with ACL rules in either of the following ways:
Mode 1 - Periodic time range: defines a time range by week. The associated ACL rules take effect at an interval of one week. For example, if the time range of ACL rules is 8:00-12:00 on Monday, the ACL rules take effect at 8:00-12:00 on every Monday.
Format: time-range time-name start-time to end-time { days } &<1-7>
Mode 2 - Absolute time range: defines a time range from YYYY/MM/DD hh:mm to YYYY/MM/DD hh:mm. The associated ACL rules take effect only in this period.
Format: time-range time-name from time1 date1 [ to time2 date2 ]
Create time range working-time (8:00-18:00 from Monday to Friday) and configure a rule in ACL work-acl. The rule rejects the packets from network segment 192.168.1.0/24 within the period of the working time.
[HUAWEI] time-range working-time 8:00 to 18:00 working-day
[HUAWEI] acl name work-acl basic
[HUAWEI-acl-basic-work-acl] rule deny source 192.168.1.0 0.0.0.255 time-range working-time

Configure ACL validity time range on S series switch
An S series switch, except S1700, supports two types of validity time of ACL rules:
1. Periodic time range: defines a time range based on weeks. The associated ACL rules take effect at an interval of one week. For example, if the time range of ACL rules is 8:00-12:00 on Monday, the ACL rules take effect at 8:00-12:00 on every Monday.
Format: time-range time-name start-time to end-time { days } &<1-7>
2. Absolute time range: defines a time range from YYYY/MM/DD hh:mm to YYYY/MM/DD hh:mm. The associated ACL rules take effect only in this period.
Format: time-range time-name from time1 date1 [ to time2 date2 ]
Create a time range working-time (8:00-18:00 from Monday to Friday) and configure a rule in ACL work-acl. The rule rejects the packets from network segment 192.168.1.0/24 within the period working-time.
[HUAWEI] time-range working-time 8:00 to 18:00 working-day
[HUAWEI] acl name work-acl basic
[HUAWEI-acl-basic-work-acl] rule deny source 192.168.1.0 0.0.0.255 time-range working-time
