How do I restrict unauthorized multicast sources through configuration


To enable routers to filter multicast data packets based on the sources or source groups so that unauthorized multicast sources are restricted, run the source-policy { acl-number | acl-name acl-name } command in the protocol independent multicast (PIM) view.

Other related questions:
How does the AR router restrict unauthorized multicast sources
Run the source-policy { acl-number | acl-name acl-name } command in the PIM view to enable the AR router to filter multicast data packets based on sources or source groups so that unauthorized multicast sources are restricted.

How do I control access through specific source or destination addresses

You can configure access control lists (ACLs) to match source or destination addresses. For example, under the following configuration, the host at 10.1.1.1 can only access hosts on the 10.1.1.18/26 network segment.

[Huawei] acl 3000
[Huawei-acl-adv-3000] rule permit ip source 10.1.1.1 0 destination 10.1.1.18 0.0.0.63
[Huawei-acl-adv-3000] rule deny ip source 10.1.1.1 0

For configurations of other traffic classifiers, behaviors (actions set to permit), and policies, see Traffic Policy Configuration in the AR Configuration Guide - QoS.


How do I configure call sources on the U1980
Different calling numbers are displayed in outgoing calls for numbers belonging to different call sources.

1. Add trunk incoming calls to call source 1.

[%eSpace U1930(config)]#show trunkgroup //Query the trunkgroup value corresponding to the trunk.
TKCGroup Info
GroupNo Office Protocol Direction   Restrict BasicOutgoing WithCUS CLIIndex DomainType
------- ------ -------- ----------- -------- ------------- ------- -------- ----------
72      3      AT0      BiDirection NO       ---           NO      ---      COMMON
96      4      AT0      BiDirection NO       ---           NO      ---      COMMON
6098    254    PRA      BiDirection NO       ---           NO      ---      COMMON
52      2      ISUP     BiDirection NO       ---           NO      ---      COMMON
7       0      SIP      BiDirection YES      INTER/LOCAL   NO      ---      CO
[%eSpace U1930(config)]#config add callsource no 1 //Add call source 1.
==== Command executed success ! ====
[%eSpace U1930(config)]#config modify trunkgroup no 52 callsourceno 1 //Add the trunk to call source 1.
==== Command executed success ! ====

2. Configure a trunk bearer.

conf add tgld callsourceno 1 officeno 0 protocol pra prefix 6763 clipredeal yes cliindex 3
config add predeal index 3 changetype delete changepos 0 changelen 4

In the preceding trunk bearer configuration commands, the prefix parameter applies to the called numbers after number change. After the configuration, different calling numbers are displayed in outgoing calls for numbers belonging to different call sources.

Restricting the administrator to access the USG2000&5000&6000 through a fixed source address
Configure the USG2000&5000&6000 to restrict the administrator to access through a fixed source address as follows:

Set the VTY authentication mode to AAA on the USG to allow login of only a certain IP address:

system-view
[USG6600] acl 3000
[USG6600-acl-adv-3000] rule permit ip source 192.168.1.2 0 //192.168.1.2 allowed only.
[USG6600-acl-adv-3000] quit
[USG6600] user-interface vty 0 4
[USG6600-ui-vty0-4] authentication-mode aaa
[USG6600-ui-vty0-4] acl 3000 inbound //The ACL here is deny by default.
[USG6600-ui-vty0-4] quit

After the preceding configurations, only addresses for which the action is permit in ACL 3000 or specific source addresses can telnet to the firewall.
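The wildcard matching behind the two ACL 3000 examples above (the source/destination ACL and the USG VTY ACL), as an added Python example that is not Huawei code. It assumes rules are checked in configured order with the first match winning; the function names and the addresses tested are constructed for illustration.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit where the wildcard bit is 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def evaluate(rules, src, dst=None, default="no-match"):
    """Return the action of the first rule matching the packet, else default.

    Assumption: rules are checked in the order configured, first match wins.
    A destination of None in a rule means "any destination".
    """
    for action, (s_base, s_wild), dest in rules:
        if not wildcard_match(src, s_base, s_wild):
            continue
        if dest is not None and (dst is None or not wildcard_match(dst, *dest)):
            continue
        return action
    return default

# ACL 3000 from the source/destination example.
# "0" after an address on the CLI is shorthand for wildcard 0.0.0.0 (exact host).
ACL_HOST = [
    ("permit", ("10.1.1.1", "0.0.0.0"), ("10.1.1.18", "0.0.0.63")),
    ("deny",   ("10.1.1.1", "0.0.0.0"), None),
]

# ACL 3000 from the USG VTY example: a single permit rule.
ACL_VTY = [("permit", ("192.168.1.2", "0.0.0.0"), None)]

if __name__ == "__main__":
    # Constructed destinations on both sides of the 0.0.0.63 wildcard boundary.
    for dst in ("10.1.1.40", "10.1.1.63", "10.1.1.64"):
        print("10.1.1.1 ->", dst, evaluate(ACL_HOST, "10.1.1.1", dst))
    # A source the ACL never mentions matches no rule at all.
    print("10.1.1.2 ->", evaluate(ACL_HOST, "10.1.1.2", "10.1.1.40"))
    # On the VTY the page notes unmatched sources are denied by default.
    for src in ("192.168.1.2", "192.168.1.3"):
        print("vty from", src, evaluate(ACL_VTY, src, default="deny"))
```

The wildcard 0.0.0.63 leaves the low six bits free, so 10.1.1.0 through 10.1.1.63 match the permit rule and 10.1.1.64 falls through to the explicit deny.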

How to configure the restrict VLAN function on S series switches
You can configure a restrict VLAN on an interface of a switch, so that a user can still access some network resources (for example, update the virus library) when the user fails authentication. The user who fails authentication is added to the restrict VLAN to access resources in the restrict VLAN. Note that a user fails authentication because the authentication server rejects the user for some reasons, for example, the user enters an incorrect password, but not because the authentication times out or the network is disconnected.

Configure a restrict VLAN on S series switches (except the S1700) as follows:

- Perform the following operations in the system view:

[HUAWEI] vlan batch 20
[HUAWEI] undo authentication unified-mode //Skip this step on switches running versions earlier than V200R005C00.
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet1/0/1] port hybrid untagged vlan 20 //The restrict VLAN takes effect only for hybrid or access interfaces added to the restrict VLAN in untagged mode.
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] dot1x enable interface gigabitethernet 1/0/1
[HUAWEI] dot1x port-method port interface gigabitethernet 1/0/1
[HUAWEI] authentication restrict-vlan 20 interface gigabitethernet 1/0/1

- Perform the following operations in the interface view:

[HUAWEI] vlan batch 20
[HUAWEI] undo authentication unified-mode //Skip this step on switches running versions earlier than V200R005C00.
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet1/0/1] port hybrid untagged vlan 20 //The restrict VLAN takes effect only for hybrid or access interfaces added to the restrict VLAN in untagged mode.
[HUAWEI-GigabitEthernet1/0/1] dot1x enable
[HUAWEI-GigabitEthernet1/0/1] dot1x port-method port
[HUAWEI-GigabitEthernet1/0/1] authentication restrict-vlan 20
