Configure an ACL on the SSH server

Run the ssh [ ipv6 ] server acl { acl-number | acl-name } command in the system view to apply an ACL to the SSH server; the ACL controls which SSH clients are permitted to log in, based on their source address.

# Configure ACL 2000 on the SSH server to allow only the client with source IP address 10.10.10.10 to log in to the server.

system-view

[~HUAWEI] acl 2000

[*HUAWEI-acl4-basic-2000] rule permit source 10.10.10.10 0

[*HUAWEI-acl4-basic-2000] quit

[*HUAWEI] ssh server acl 2000

[*HUAWEI] commit

# Configure an ACL named huawei on the SSH server.

system-view

[~HUAWEI] acl name huawei

[*HUAWEI-acl4-advance-huawei] rule permit tcp

[*HUAWEI-acl4-advance-huawei] quit

[*HUAWEI] ssh server acl huawei

[*HUAWEI] commit
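As an added example that is not part of Huawei's documentation, the following Python script models how an ACL applied with ssh server acl decides whether a client may log in: Huawei wildcard masks (a 1 bit means "don't care", and 0 is shorthand for the host wildcard 0.0.0.0) and first-match rule order. It assumes, as labelled in the code, that a client matching no rule is rejected and that an ACL with no rules restricts nothing; running the two ACLs from this page through it shows that ACL 2000 admits only 10.10.10.10, whereas rule permit tcp in the named ACL carries no source and therefore admits every client.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not Huawei's code: models how an ACL applied with
# "ssh server acl" filters SSH clients by source address. Assumptions:
# rules are evaluated in order and the first match wins; a client that
# matches no rule is rejected; an ACL with no rules imposes no restriction.

ANY_WILDCARD = "255.255.255.255"   # Huawei wildcard: 1 bits are "don't care"

@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    source: str = "0.0.0.0"
    wildcard: str = ANY_WILDCARD   # no source keyword given: any client matches

def parse_rule(line):
    """Parse the rule syntax used on this page, e.g.
    'rule permit source 10.10.10.10 0', 'rule 5 deny source 192.168.1.0 0.0.0.255',
    'rule permit tcp' (advanced ACL without a source: matches every client)."""
    tok = line.split()
    i = 1 if tok[0] == "rule" else 0
    if tok[i].isdigit():           # optional rule number
        i += 1
    action = tok[i]
    if action not in ("permit", "deny"):
        raise ValueError(f"unsupported rule: {line}")
    src, wc = "0.0.0.0", ANY_WILDCARD
    if "source" in tok:
        j = tok.index("source")
        if tok[j + 1] != "any":
            src = tok[j + 1]
            wc = tok[j + 2] if j + 2 < len(tok) else "0"
            if wc == "0":          # "0" is shorthand for the host wildcard 0.0.0.0
                wc = "0.0.0.0"
    return Rule(action, src, wc)

def rule_matches(rule, client_ip):
    care = ~int(ipaddress.IPv4Address(rule.wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(client_ip)) & care) == \
           (int(ipaddress.IPv4Address(rule.source)) & care)

def ssh_login_decision(rules, client_ip):
    if not rules:
        return "permit"            # assumption: an empty ACL restricts nothing
    for rule in rules:
        if rule_matches(rule, client_ip):
            return rule.action
    return "deny"                  # assumption: unmatched clients are rejected

if __name__ == "__main__":
    acl_2000 = [parse_rule("rule permit source 10.10.10.10 0")]
    acl_huawei = [parse_rule("rule permit tcp")]
    for ip in ("10.10.10.10", "10.10.10.11"):
        print("acl 2000  ", ip, ssh_login_decision(acl_2000, ip))
        print("acl huawei", ip, ssh_login_decision(acl_huawei, ip))
```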

Other related questions:
Configuring Telnet and SSH on the USG6000
Configure Telnet and SSH on the USG6000 as follows:
1. Set the administrator IP addresses that can access the device remotely. An administrator cannot use an IP address that is not specified in the ACL to access the device remotely through Telnet or SSH.
2. Configure a connection number limit on the VTY administrator interface. Limiting the number of concurrent remote login sessions on the device avoids consuming too many system resources, facilitates centralized operation and maintenance, and ensures normal operation when a fault occurs.
3. Configure login through Telnet or SSH.

Number of concurrent server BMC connections
The WebUI of server iBMC or iMana supports a maximum of four concurrent logins. The CLI supports a maximum of five concurrent logins.

Configuring SSH on the USG2000&5000
Configure SSH on the USG2000&5000 as follows. Configuration roadmap: USG_A serves as the client, and USG_B as the SSH server.
1. Create an SSH user on USG_B.
2. Generate a local key pair on USG_B.
3. Enable the STelnet/SFTP service on USG_B.
4. Log in to USG_B from the client USG_A.

Reflective ACL configuration on S series switch
On an S series switch, except S1700: A reflective ACL is a type of dynamic ACL. It controls user access according to the upper-layer session information in IP packets, preventing hosts on the public network from connecting to the private network unless users on the private network connect to the public network first. In this way, the reflective ACL protects the private network of an enterprise against attacks from unauthorized external users. For example, GE2/0/1 on a switch connects to the Internet. The reflective ACL is configured on GE2/0/1 in the outbound direction to prevent the server on the Internet from accessing hosts on the internal network unless the internal hosts access the server first. The configurations are as follows:

[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule permit udp
[HUAWEI-acl-adv-3000] quit
[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] traffic-reflect outbound acl 3000 timeout 600 //Configure the reflective ACL on GE2/0/1 to match UDP packets and set the aging time.
[HUAWEI-GigabitEthernet2/0/1] quit
[HUAWEI] traffic-reflect timeout 900 //Set the global aging time for reflective ACLs.

Run the display traffic-reflect command in the system view to view the reflective ACL information.

ACL configuration on S series switch
An ACL filters packets based on rules. A switch with an ACL configured matches packets against the rules to select packets of a certain type, and then forwards or discards those packets according to the policy of the service module to which the ACL is applied. S series switches support basic ACLs (2000-2999), advanced ACLs (3000-3999), Layer 2 ACLs (4000-4999), user-defined ACLs (5000-5999), user ACLs (6000-9999), basic ACL6s (2000-2999), and advanced ACL6s (3000-3999). For more information about the ACL feature supported by S series switches, except S1700, see the S1720&S2700&S3700&S5700&S6700&S7700&S9700 Common Operation Guide or the S1720&S2700&S3700&S5700&S6700&S7700&S9700 Typical Configuration Examples.
