Configure ACLs on S series switches to restrict communications between VLANs


For details about the configuration on S series switches (except S1700 switches), click Typical Configuration Examples and choose Typical Security Configuration > Typical ACL Configuration > Example for Using ACLs to Restrict Mutual Access Between Network Segments.

Other related questions:
Configure ACLs on S series switches to restrict communications between users
For details about the configuration on S series switches (except S1700 switches), click Typical Configuration Examples and choose Typical Security Configuration > Typical ACL Configuration > Example for Using ACLs to Restrict Mutual Access Between Network Segments.

Can ACLs on S series switches restrict time range
Yes. An ACL rule on an S series switch can reference a time range, so the rule only takes effect while that time range is active. For example, you can use a Layer 2 ACL to restrict the period during which PPPoE dial-up is allowed on a switch: run the time-range command in the system view to define the period, and then reference the time range in a Layer 2 ACL rule. Outside the defined period the rule is inactive and is skipped during matching.
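The following configuration is an added example that is not part of the original page or of Huawei's own documentation. It applies the approach described above: PPPoE frames (discovery stage EtherType 0x8863 and session stage EtherType 0x8864) are permitted only while the time range is active and dropped at all other times. The time-range name, ACL number, interface name and working hours are assumptions chosen for illustration; because traffic-filter permits packets that match no rule, the explicit deny rules are what enforce the restriction outside the window.

```text
# Define the period during which dial-up is allowed (assumed: working days, 08:00-18:00).
[HUAWEI] time-range dialup-hours 08:00 to 18:00 working-day

# Layer 2 ACL (4000-4999). Rules are matched in ascending rule-ID order.
[HUAWEI] acl number 4000
# Permit PPPoE discovery and session frames while the time range is active.
[HUAWEI-acl-L2-4000] rule 5 permit l2-protocol 0x8863 time-range dialup-hours
[HUAWEI-acl-L2-4000] rule 10 permit l2-protocol 0x8864 time-range dialup-hours
# Outside the time range rules 5 and 10 are inactive, so these rules drop the frames.
[HUAWEI-acl-L2-4000] rule 15 deny l2-protocol 0x8863
[HUAWEI-acl-L2-4000] rule 20 deny l2-protocol 0x8864
[HUAWEI-acl-L2-4000] quit

# Apply the ACL to inbound traffic on the user-facing interface (assumed interface name).
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] traffic-filter inbound acl 4000
[HUAWEI-GigabitEthernet0/0/1] quit

# Verification (command names from general VRP usage, not from the page):
[HUAWEI] display time-range dialup-hours
[HUAWEI] display acl 4000
[HUAWEI] display traffic-filter applied-record
```

The display time-range output shows whether the range is currently Active or Inactive; the switch clock must be correct (for example, synchronized via NTP) for a time-based ACL to behave as intended, so check display clock before relying on this kind of rule.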

ACL configuration on S series switch
An ACL filters packets based on rules. A switch with an ACL configured matches packets against the rules to identify packets of a certain type, and then forwards or discards those packets according to the policy of the service module to which the ACL is applied (for example, traffic-filter, a traffic policy, or login control). S series switches support the following ACL types, identified by number range: basic ACL (2000-2999), advanced ACL (3000-3999), Layer 2 ACL (4000-4999), user-defined ACL (5000-5999), user ACL (6000-9999), basic ACL6 (2000-2999), and advanced ACL6 (3000-3999). Note that IPv4 and IPv6 basic/advanced ACLs share the same number ranges but are separate ACLs. For more information about the ACL feature supported by S series switches, except S1700, click S1720&S2700&S3700&S5700&S6700&S7700&S9700 Common Operation Guide or S1720&S2700&S3700&S5700&S6700&S7700&S9700 Typical Configuration Examples.
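The following configuration is an added example that is not part of the original page or of Huawei's own documentation. It illustrates the inter-VLAN (inter-segment) restriction referred to in the first two questions on this page and the advanced ACL type listed above: an advanced ACL (3000-3999) denies IP traffic between the two user segments while leaving every other destination reachable, and is applied inbound in the VLAN view so that it covers all member ports. The VLAN IDs, VLANIF addresses and the ACL number are assumptions chosen for illustration.

```text
# Two user VLANs routed on the switch (assumed IDs and addresses).
[HUAWEI] vlan batch 10 20
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] ip address 192.168.10.1 24
[HUAWEI-Vlanif10] quit
[HUAWEI] interface vlanif 20
[HUAWEI-Vlanif20] ip address 192.168.20.1 24
[HUAWEI-Vlanif20] quit

# Advanced ACL (3000-3999): match on source and destination IP. Masks are wildcard masks.
[HUAWEI] acl number 3000
[HUAWEI-acl-adv-3000] rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[HUAWEI-acl-adv-3000] rule 10 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[HUAWEI-acl-adv-3000] quit

# Apply the ACL inbound on both VLANs. Packets matching no rule are permitted,
# so hosts in either VLAN still reach the gateway, servers and the Internet.
[HUAWEI] vlan 10
[HUAWEI-vlan10] traffic-filter inbound acl 3000
[HUAWEI-vlan10] quit
[HUAWEI] vlan 20
[HUAWEI-vlan20] traffic-filter inbound acl 3000
[HUAWEI-vlan20] quit

# Verification (command names from general VRP usage, not from the page):
[HUAWEI] display acl 3000
[HUAWEI] display traffic-filter applied-record
```

Because the filter is applied inbound on both VLANs, each direction is blocked at its source VLAN and a host cannot bypass the rule by spoofing a reply. If only one rule were configured, TCP connections would still fail, but unidirectional traffic such as UDP or ICMP probes from the unfiltered side would get through, so keep both deny rules.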

How to configure the restrict VLAN function on S series switches
You can configure a restrict VLAN on an interface of a switch so that a user who fails authentication can still access a limited set of network resources (for example, to update the virus library). A user who fails authentication is added to the restrict VLAN and can access only the resources in that VLAN. Note that the restrict VLAN applies only when the authentication server rejects the user (for example, because the user enters an incorrect password); it does not apply when authentication times out or the network is disconnected. Configure a restrict VLAN on S series switches (except the S1700) as follows:

- Perform the following operations in the system view:
[HUAWEI] vlan batch 20
[HUAWEI] undo authentication unified-mode //Skip this step on switches running versions earlier than V200R005C00.
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet1/0/1] port hybrid untagged vlan 20 //The restrict VLAN takes effect only for hybrid or access interfaces added to the restrict VLAN in untagged mode.
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] dot1x enable interface gigabitethernet 1/0/1
[HUAWEI] dot1x port-method port interface gigabitethernet 1/0/1
[HUAWEI] authentication restrict-vlan 20 interface gigabitethernet 1/0/1

- Perform the following operations in the interface view:
[HUAWEI] vlan batch 20
[HUAWEI] undo authentication unified-mode //Skip this step on switches running versions earlier than V200R005C00.
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet1/0/1] port hybrid untagged vlan 20 //The restrict VLAN takes effect only for hybrid or access interfaces added to the restrict VLAN in untagged mode.
[HUAWEI-GigabitEthernet1/0/1] dot1x enable
[HUAWEI-GigabitEthernet1/0/1] dot1x port-method port
[HUAWEI-GigabitEthernet1/0/1] authentication restrict-vlan 20
