How to restrict user access using an ACL on the AR


An advanced ACL and ACL-based traffic classification can be used on the AR to limit access of users on different network segments.

Other related questions:
How to restrict the period during which users access the Internet
You can define ACL rules with a time range specified. For example, to limit users' access to 2.2.2.0/24 from 00:00 to 08:00, perform the following configuration:
system-view
[Huawei] time-range wb 00:00 to 08:00 daily
[Huawei] acl number 3000
[Huawei-acl-adv-3000] rule deny ip destination 2.2.2.0 0.0.0.255 time-range wb
[Huawei-acl-adv-3000] rule permit ip
For details on how to configure traffic classifiers, traffic behaviors (with the action set to permit), and traffic policies, see MQC Configuration in the AR QoS Configuration Guide.

Configure ACLs on S series switches to restrict communications between users
For details about the configuration on S series switches (except S1700 switches), click Typical Configuration Examples and choose Typical Security Configuration > Typical ACL Configuration > Example for Using ACLs to Restrict Mutual Access Between Network Segments.

How can I restrict the NMSs that can manage S series switches
You can use the following methods to restrict the NMSs that can manage S series switches (except the S1700):
1. For switches running any SNMP version, run the snmp-agent acl command to configure an SNMP access control list (ACL). Only an NMS that matches the ACL can manage the switches over SNMP.
2. To restrict the NMSs that can manage switches running SNMPv1 or SNMPv2c based on community names, run the snmp-agent community { read | write } { community-name | cipher community-name } acl acl-number command with an ACL specified. After the command is executed, only an NMS that uses the specified SNMP community name and matches this ACL can manage the switches.
3. To restrict the NMSs that can manage switches running SNMPv3 based on user groups or users, run the snmp-agent group v3 group-name { authentication | privacy | noauthentication } acl acl-number or snmp-agent usm-user v3 user-name acl acl-number command with an ACL specified to configure an SNMPv3 user group or user. After the command is executed, only an NMS that uses the specified SNMPv3 user group or user and matches the ACL can manage the switches.
Note: If the login user name that the NMS uses to send a request packet is not configured on the switch, the switch discards the request packet and records an error log; in this case the switch does not check the request packet against the ACL. If the login user name is configured on the switch, the switch checks the request packet against the ACL, and if the packet does not match the ACL, a log indicating a negative ACL match is recorded.
For example, run the following commands to restrict the NMSs that can manage the switch based on an SNMP community name:
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule 5 permit source 10.1.1.2 0.0.0.0
[HUAWEI-acl-basic-2001] rule 6 deny source 10.1.1.1 0.0.0.0
[HUAWEI-acl-basic-2001] quit
[HUAWEI] snmp-agent community write huawei_user acl 2001
For example, run the following command to restrict the NMSs that can manage the switch based on an SNMPv3 user group:
[HUAWEI] snmp-agent group v3 huawei_group privacy acl 2001
For example, run the following command to restrict the NMSs that can manage the switch based on an SNMPv3 user:
[HUAWEI] snmp-agent usm-user v3 huawei_user acl 2001
For typical SNMP configuration examples, click S1720&S2700&S3700&S5700&S6700&S7700&S9700 Typical Configuration Examples and choose Typical Network Management and Monitoring Configuration > Typical SNMP Configuration. Choose the material that matches your device model; the Sx700 series is used here as an example.
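The following is a runnable model of the matching rules described in the two answers above (the time-range ACL 3000 and the SNMP ACL 2001 together with its Note), added here as an illustration and not Huawei's own code; rule order, wildcard masks, addresses and the time window are taken from the page, while treating a packet that matches no rule as denied is an assumption of this model.

```python
from datetime import time
from ipaddress import IPv4Address

# Constructed model of the ACL semantics this page describes (illustration, not VRP code):
# rules are evaluated in order and the first match decides; a wildcard-mask bit set to 1
# means "ignore this bit", so "2.2.2.0 0.0.0.255" covers 2.2.2.0/24.

def wildcard_match(addr: str, spec: str) -> bool:
    base, wild = spec.split()
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wild))
    return (a ^ b) & (0xFFFFFFFF ^ w) == 0

def in_time_range(now: time, window: tuple) -> bool:
    start, end = window                      # e.g. 00:00 to 08:00 daily
    return start <= now < end

def acl_decision(rules, pkt, now=None, default="deny"):
    """First matching rule wins; 'default' is an assumed action when no rule matches."""
    for rule in rules:
        if "source" in rule and not wildcard_match(pkt["src"], rule["source"]):
            continue
        if "destination" in rule and not wildcard_match(pkt["dst"], rule["destination"]):
            continue
        if "time_range" in rule and (now is None or not in_time_range(now, rule["time_range"])):
            continue
        return rule["action"]
    return default

# acl number 3000 from the page: deny traffic to 2.2.2.0/24 from 00:00 to 08:00, permit the rest
ACL_3000 = [
    {"action": "deny", "destination": "2.2.2.0 0.0.0.255", "time_range": (time(0, 0), time(8, 0))},
    {"action": "permit"},
]

# acl 2001 from the page: permit the NMS at 10.1.1.2, deny the host at 10.1.1.1
ACL_2001 = [
    {"action": "permit", "source": "10.1.1.2 0.0.0.0"},
    {"action": "deny", "source": "10.1.1.1 0.0.0.0"},
]

def snmp_request_allowed(configured_users, user, src, acl, log):
    """Models the Note above: unknown user -> discard, no ACL check; known user -> ACL check."""
    if user not in configured_users:
        log.append(f"error: SNMP user {user!r} not configured, request from {src} discarded")
        return False
    if acl_decision(acl, {"src": src}, default="deny") != "permit":
        log.append(f"acl: request from {src} (user {user!r}) does not match ACL, denied")
        return False
    return True
```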

How to control mutual access between network segments
On AR routers, you can configure advanced ACL and ACL-based traffic classifiers to control mutual access between users on different network segments.

How to restrict users' Internet access to a specified period of time on the USG2000 and USG5000
In the NAT policy, run the policy time-range time-name command to configure the validity period of the policy. Users can then access the Internet only within the specified period of time.
