Configure S series switches to prevent internal hosts from accessing external websites


You can configure ACLs on S series switches (except S1700 switches) to prevent internal hosts from accessing external websites as follows:
# Create basic ACL 2001 and configure rules to reject the packets from hosts 10.1.1.11 and 10.1.2.12.
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule deny source 10.1.1.11 0 //Prevent host 10.1.1.11 from accessing external networks.
[HUAWEI-acl-basic-2001] rule deny source 10.1.2.12 0 //Prevent host 10.1.2.12 from accessing external networks.
[HUAWEI-acl-basic-2001] quit

# Configure the traffic classifier tc1 to classify packets that match ACL 2001.
[HUAWEI] traffic classifier tc1 //Create a traffic classifier.
[HUAWEI-classifier-tc1] if-match acl 2001 //Associate the traffic classifier with ACL 2001.
[HUAWEI-classifier-tc1] quit

# Configure the traffic behavior tb1 to reject packets.
[HUAWEI] traffic behavior tb1 //Create a traffic behavior.
[HUAWEI-behavior-tb1] deny //Configure the traffic behavior tb1 to reject packets.
[HUAWEI-behavior-tb1] quit

# Define a traffic policy and associate the traffic classifier and traffic behavior with the traffic policy.
[HUAWEI] traffic policy tp1 //Create a traffic policy.
[HUAWEI-trafficpolicy-tp1] classifier tc1 behavior tb1 //Associate the traffic classifier tc1 with the traffic behavior tb1.
[HUAWEI-trafficpolicy-tp1] quit

# Packets from internal hosts are forwarded to the Internet through GE2/0/1. Therefore, apply the traffic policy to the outbound direction of GE2/0/1.
[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] traffic-policy tp1 outbound //Apply the traffic policy to the outbound direction of the interface.
[HUAWEI-GigabitEthernet2/0/1] quit
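To check what the configuration above actually blocks before applying it, the following added example (not Huawei code, and not from this page) models the basic-ACL rule syntax, VRP wildcard-mask matching and the classifier/behavior decision made on GE2/0/1 outbound; the ACL_2001 text and the rule regex are constructed for the example, and only `if-match acl` with a deny behavior is modelled.

```python
import ipaddress
import re
from typing import List, Optional, Tuple
# Constructed input: the two rules of ACL 2001 from the configuration above,
# with the page's trailing //comments kept to show that they are stripped.
ACL_2001 = """
rule deny source 10.1.1.11 0 //Prevent host 10.1.1.11 from accessing external networks.
rule deny source 10.1.2.12 0 //Prevent host 10.1.2.12 from accessing external networks.
"""

RULE_RE = re.compile(r"^rule(?:\s+\d+)?\s+(permit|deny)\s+source\s+(\S+)\s+(\S+)$")

def _addr(text: str) -> int:
    """Dotted quad to int; VRP accepts a bare '0' as shorthand for wildcard 0.0.0.0."""
    return int(ipaddress.IPv4Address("0.0.0.0" if text == "0" else text))

def parse_basic_acl(config: str) -> List[Tuple[str, int, int]]:
    """Parse basic-ACL 'rule [id] {permit|deny} source <addr> <wildcard>' lines
    into (action, addr, wildcard) tuples, addresses as 32-bit integers."""
    rules = []
    for raw in config.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop trailing // comments
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported basic ACL line: {line!r}")
        action, addr, wildcard = m.groups()
        rules.append((action, _addr(addr), _addr(wildcard)))
    return rules

def wildcard_match(src: int, rule_addr: int, wildcard: int) -> bool:
    """VRP wildcard semantics: a 1 bit means 'do not care'. Wildcard 0 matches
    exactly one host; 0.0.0.255 matches a whole /24."""
    care_bits = 0xFFFFFFFF ^ wildcard
    return (src & care_bits) == (rule_addr & care_bits)

def acl_lookup(rules, src_ip: str) -> Optional[str]:
    """Action of the first rule matching the source, in listed order; None if none."""
    src = _addr(src_ip)
    for action, addr, wildcard in rules:
        if wildcard_match(src, addr, wildcard):
            return action
    return None

def policy_decision(rules, src_ip: str) -> str:
    """Model tp1 on GE2/0/1 outbound: classifier tc1 is 'if-match acl 2001' and
    behavior tb1 is deny, so only packets some ACL rule matches are dropped;
    everything else is forwarded normally."""
    return "drop" if acl_lookup(rules, src_ip) is not None else "forward"
```

Feeding the real ACL section of a running configuration into `parse_basic_acl` and a list of internal host addresses into `policy_decision` gives a quick table of who is blocked and who is not, which is the check worth doing before widening a wildcard beyond a single host.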

Other related questions:
Can an AR prevent users from accessing websites
AR150&160&200&1200 and AR2200 (AR2201 and AR2202) series routers do not support deep security defense, so URL filtering is not available on them. Where it is supported, URL filtering applies only to HTTP URLs.

Configure ACLs on S series switches to restrict communications between users
For details about the configuration on S series switches (except S1700 switches), click Typical Configuration Examples and choose Typical Security Configuration > Typical ACL Configuration > Example for Using ACLs to Restrict Mutual Access Between Network Segments.

Configure NAT on the AR router to allow internal hosts to access internal servers using an external IP address
All models of Huawei AR routers in V200R003C01 and later versions allow both internal and external users to access internal servers by configuring static NAT. In the following example, GE1/0/0 on the router connects to the internal network and has IP address 192.168.1.1/24; GE2/0/0 connects to the external network and has IP address 11.11.11.1/8. The internal server has the internal IP address 192.168.1.2/24 and the external IP address 11.11.11.6. The internal host at 192.168.1.3/24 wants to access the internal server. The configuration on the AR router is as follows:

1. Assign IP addresses to the router interfaces.
[Huawei] interface GigabitEthernet1/0/0
[Huawei-GigabitEthernet1/0/0] ip address 192.168.1.1 24
[Huawei-GigabitEthernet1/0/0] quit
[Huawei] interface GigabitEthernet2/0/0
[Huawei-GigabitEthernet2/0/0] ip address 11.11.11.1 8
[Huawei-GigabitEthernet2/0/0] quit

2. Configure a default route so that internal users can reach the external network.
[Huawei] ip route-static 0.0.0.0 0.0.0.0 11.11.11.2

3. Allow internal users to access the internal server. The internal host uses 11.11.11.6 to reach the server. NAT is performed on GE1/0/0, and the one-to-one mapping for the internal server is applied only to requests initiated from the internal network; the ACL that selects this traffic matches a destination address, so it must be an advanced ACL (3000 to 3999).
[Huawei] acl number 3000
[Huawei-acl-adv-3000] rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 11.11.11.6 0
[Huawei-acl-adv-3000] quit
[Huawei] interface GigabitEthernet1/0/0
[Huawei-GigabitEthernet1/0/0] nat static global 11.11.11.6 inside 192.168.1.2 netmask 255.255.255.255
[Huawei-GigabitEthernet1/0/0] nat outbound 3000
[Huawei-GigabitEthernet1/0/0] quit

4. Allow external users to access the internal server, so that external users also use 11.11.11.6 to reach it.
[Huawei] interface GigabitEthernet2/0/0
[Huawei-GigabitEthernet2/0/0] nat static global 11.11.11.6 inside 192.168.1.2 netmask 255.255.255.255
[Huawei-GigabitEthernet2/0/0] quit
