How to configure access control on the AR

AR series routers can implement access control through ACL filtering. Traffic filtering can be used on an interface to filter packets based on ACLs, but only WAN interfaces support this configuration. You can also configure a traffic policy to implement access control. Unidirectional access is implemented based on firewall zones but not ACLs.
Model 1:
Configure Eth2/0/0 to allow packets with the source IP address 192.168.0.2/32 to pass through based on an ACL.
<Huawei> system-view
[Huawei] acl 3000
[Huawei-acl-adv-3000] rule 5 permit ip source 192.168.0.2 0
[Huawei-acl-adv-3000] quit
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] traffic-filter inbound acl 3000
Model 2: The ACL is created in the same way as in Model 1. The difference is that a traffic policy is used.
<Huawei> system-view
[Huawei] traffic classifier c1
[Huawei-classifier-c1] if-match acl 3000
[Huawei-classifier-c1] quit
[Huawei] traffic behavior b1
[Huawei-behavior-b1] permit
[Huawei-behavior-b1] quit
[Huawei] traffic policy p1
[Huawei-trafficpolicy-p1] classifier c1 behavior b1
[Huawei-trafficpolicy-p1] quit
# Apply the traffic policy p1 to Eth2/0/0 in the inbound direction.
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] traffic-policy p1 inbound
[Huawei-Ethernet2/0/0] quit

Other related questions:
How is access control configured on an AR
You can configure a traffic policy on an AR to implement access control. For example, to prevent users on a network segment from accessing the Internet, perform the following operations:
#
acl number 2015  //Configure an ACL to define the network segment.
 rule 5 permit source 192.168.10.0 0.0.0.255
#
traffic classifier c1 operator or  //Configure a traffic classifier and reference the ACL.
 if-match acl 2015
#
traffic behavior b1  //Configure a traffic behavior and define the deny action.
 deny
#
traffic policy p1  //Configure a traffic policy and bind the traffic classifier and traffic behavior to the traffic policy.
 classifier c1 behavior b1
#
interface Ethernet5/0/0
 traffic-policy p1 inbound  //Apply the traffic policy to an interface.
#
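The source/wildcard matching that the ACL rules on this page rely on (`192.168.0.2 0`, `192.168.10.0 0.0.0.255`), as an added example that is not part of the original page or the vendor's documentation. It assumes rules are evaluated in ascending rule-ID order; the function names and rule 10 of the sample ACL are constructed for illustration.

```python
import ipaddress
import re

# Accepts "rule <id> permit|deny [ip] source <address> <wildcard>" as written on this page.
RULE_RE = re.compile(r"rule\s+(\d+)\s+(permit|deny)\s+(?:ip\s+)?source\s+(\S+)\s+(\S+)")

# Constructed sample ACL: rules 5 and 15 reuse sources from the page, rule 10 is invented
# here to show that the first matching rule (lowest ID) decides the result.
SAMPLE_ACL = """
rule 5 permit source 192.168.0.2 0
rule 10 deny source 192.168.0.0 0.0.0.255
rule 15 permit source 192.168.10.0 0.0.0.255
"""

def parse_rule(line):
    """Turn one rule line into (rule_id, action, address_int, wildcard_int)."""
    m = RULE_RE.search(line)
    if not m:
        raise ValueError(f"unsupported rule line: {line!r}")
    rule_id, action, addr, wild = m.groups()
    wild = "0.0.0.0" if wild == "0" else wild  # "0" is shorthand for an exact host match
    return (int(rule_id), action,
            int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild)))

def parse_acl(text):
    """Parse every non-empty line and order the rules by rule ID (assumed match order)."""
    return sorted(parse_rule(l) for l in text.splitlines() if l.strip())

def evaluate(rules, src_ip):
    """Return (rule_id, action) of the first rule matching src_ip, or None."""
    src = int(ipaddress.IPv4Address(src_ip))
    for rule_id, action, addr, wild in rules:
        # Wildcard bit 0 = "must be equal", bit 1 = "ignore": the inverse of a netmask.
        if ((src ^ addr) & ~wild & 0xFFFFFFFF) == 0:
            return rule_id, action
    # No rule matched. What the device then does depends on the feature that
    # references the ACL, so the caller decides instead of this function guessing.
    return None

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for ip in ("192.168.0.2", "192.168.0.77", "192.168.10.200", "10.1.1.1"):
        print(ip, "->", evaluate(acl, ip))
```

Running a planned ACL through a check like this before applying it to an interface shows which rule each test address hits and which addresses fall through every rule.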

How to configure access control on an AR router
1. Control login to the device through HTTP.
Users can log in to the device through the web platform. The device cannot limit source addresses of users, which causes security risks. To ensure device security and prevent unauthorized users from using the web platform to log in to the device, an ACL can be used to allow specified users to log in to the device through HTTP.
a. Configure ACL 2000 to allow the device at 192.168.6.10 and devices on network segment 192.168.5.0 to log in to the device through HTTP.
b. Reference the ACL.
After the preceding configuration is completed, only the device at 192.168.6.10 and devices on network segment 192.168.5.0 are allowed to log in to the device through the web platform. After the configuration, limited users can open the web platform page, but cannot access the web platform after entering the user name and password.

2. Configure a security policy to limit users' login through Telnet.
The route is reachable between the PC and the device, and users want to configure and manage remote devices easily. To meet the requirement, configure AAA authentication for Telnet users on the server and configure an ACL-based security policy. This ensures that only the users that meet the security policy can log in to the device.
a. Set the server port number and enable the server function.
<Huawei> system-view
[Huawei] sysname Telnet Server
[Telnet Server] telnet server enable
[Telnet Server] telnet server port 1025
b. Configure the parameters of the VTY user interface.
# Configure the maximum number of VTY user interfaces.
[Telnet Server] user-interface maximum-vty 8
# Configure the host address allowed by the device.
[Telnet Server] acl 2001
[Telnet Server-acl-basic-2001] rule permit source 10.1.1.1 0
[Telnet Server-acl-basic-2001] quit
[Telnet Server] user-interface vty 0 7
[Telnet Server-ui-vty0-7] acl 2001 inbound
# Configure terminal attributes of the VTY user interface.
# Configure the user authentication mode for the VTY user interface.
[Telnet Server-ui-vty0-7] authentication-mode aaa
[Telnet Server-ui-vty0-7] quit
c. Configure information about login users.
# Set the authentication mode for login users.
[Telnet Server] aaa
[Telnet Server-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789
[Telnet Server-aaa] local-user admin1234 service-type telnet
[Telnet Server-aaa] local-user admin1234 privilege level 3
[Telnet Server-aaa] quit
d. Log in to the client.
Access the Windows command line prompt interface of the administrator’s PC, and run commands to log in to the device through Telnet.
C:\Documents and Settings\Administrator> telnet 10.137.217.177 1025
Press Enter, and enter the configured user name and password in the login window. If authentication succeeds, the command line prompt is displayed in the user view, indicating that you have successfully logged in to the device.
Login authentication
Username:admin1234
Password:
After the configuration, limited users cannot log in to the device.

How to configure access control for AR routers on web pages
AR routers support Classic and EasyOperation web systems. You can configure access control in the two web systems as follows:
Classic web system:
1. Log in to the web system and choose System Management > System Configuration > Service Management to access the Service Management page.
2. In the Service Management area, click Enabled in the Value-added security service line, and click Apply. The deep security defense function is enabled.
3. Choose System Management > System Configuration > Service Management to access the Service Management page.
4. In the Application interface line, select the interface to which online behavior management is to be applied.
5. Click Apply.
EasyOperation web system:
1. Choose Configuration > Network Behavior Management > Website Access Control to access the Website Access Control page.
2. Set User group name by selecting a user group from the drop-down list box or creating a user group.
3. Set other parameters based on the site requirements.
4. Click OK.

How to control Internet access on an AR router
The AR router provides the URL filter function, which enables the AR router to control URLs and forbid or allow users to access specific web page resources so as to regulate Internet access behavior. For details about the configuration procedure, see Configuration Guide (via Command Line) > Security > Deep Security Defense Configuration > URL Filtering Configuration in the product documentation.
