Deny Hosts in a Subnet to Access a Specific Device
Scenario Description
As shown in the following figure, the departments of a company connect to each other through the 100Base-TX ports of Switch A. The financial department uses 129.110.1.2 as the IP address of the wage query server. ACL Management manages Switch A through 129.110.1.1.
Deploy an ACL on Ethernet2/1/1 to deny users in the R&D department access to the wage query server from 08:00 to 18:00 on working days.

Configuration example networking
Operation Procedure
- Add the device to the system platform.
On the system platform homepage, click Add Device in the My Shortcut tree. Type 129.110.1.1 (IP address of Switch A) in the Host Name/IP text box.
- Add ACL resource.
a. Select the Service tab, select ACL Management and click ACL Resource in the navigation tree, click Add and then click Common ACL Resource to enter the ACL Resource page.
b. Select Advanced for ACL Type, type the ACL identifier 3006 and enter the ACL resource name Deny Host Worktime, then click OK.
- Add ACL rule set.
a. In the ACL Resource page, click the 3006 identifier link.
b. Click Add. Enter the basic information and select Configure ACL Rules with Time Range, click Next.
c. Click Add. Set the name to workTime and click Add.
d. Set the type to Cyclic, set the period to Workday, set the start time to 08:00, set the end time to 18:00, and then click OK.
e. Click OK to add a time range. Click Next.
f. Click Add to enter the Add Rule page. Set the action to deny, set the time range to workTime, select All in the Source Address area, select IP Address/Mask in the Destination Address area and type 129.110.1.2/32, accept the defaults for the other items, and finally click OK.
g. Click Finish.
- Access ACL Devices.
a. Select the Service tab, select ACL Management and click ACL Devices in the navigation tree to show the ACL device list. Click the ACL Config link of Switch A to enter the ACL configuration page of Switch A.
- Add ACL definition.
a. Select the ACL Definitions tab and click Add. Select 3006 and the rule set you have just added, and then click Next.
b. Click Deploy. Set the task name to setRule7, set the deployment order to Serial, set the error handling mechanism to Stop all deployments when error occurs, set the execution time to Immediately, and then click OK.
- Add ACL use.
a. Select the ACL Uses tab and click Add. Set the service type to Packet Filter, and then click Next.
b. Set the filter direction to inbound, select Ethernet2/1/1, and then click Next.
c. Select 3006 and click OK.
d. Set the task name to addApp7, set the deployment order to Serial, set the error handling mechanism to Stop all deployments when error occurs, set the execution time to Immediately, and then click OK.
Precautions
- You can save frequently used rules and definitions as templates for further use.
- IP address masks are used in ACL Management, and inverse masks are used on devices.
- When adding a device in the system platform, make sure that the Telnet and SNMP settings are the same as those on the device.
- After the deployment, you can view the result in the task list. Only a status of Succeeded indicates that the deployment was successful.
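The following Python sketch is an added example, not part of the original procedure or of the product. It converts the address/mask form entered in ACL Management (129.110.1.2/32) to the address plus inverse mask form used on devices, and models when rule 3006 denies a packet, so the expected behavior can be checked against test traffic after deployment. It assumes that Workday means Monday to Friday, that the 18:00 end time is exclusive, and that a packet matching no rule is permitted; the function names are hypothetical.

```python
import ipaddress
from datetime import datetime, time


def inverse_mask(cidr: str) -> str:
    """Convert address/prefix notation to 'address inverse-mask' notation."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{net.network_address} {net.hostmask}"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Match as a device does: bits set to 1 in the inverse mask are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def in_work_time(ts: datetime) -> bool:
    """Cyclic range workTime: 08:00 to 18:00 on workdays.

    Assumption: Workday is Monday to Friday and the end time is exclusive.
    """
    return ts.weekday() < 5 and time(8, 0) <= ts.time() < time(18, 0)


def acl_3006_action(dst: str, ts: datetime) -> str:
    """Model rule 3006: deny any source to 129.110.1.2/32 during workTime."""
    base, wildcard = inverse_mask("129.110.1.2/32").split()
    if in_work_time(ts) and wildcard_match(dst, base, wildcard):
        return "deny"
    # Assumption: a packet that matches no active rule is permitted.
    return "permit"


if __name__ == "__main__":
    print(inverse_mask("129.110.1.2/32"))
    # Constructed sample timestamps: 2024-03-04 is a Monday, 2024-03-09 a Saturday.
    for dst, ts in [
        ("129.110.1.2", datetime(2024, 3, 4, 9, 30)),
        ("129.110.1.2", datetime(2024, 3, 4, 18, 30)),
        ("129.110.1.2", datetime(2024, 3, 9, 9, 30)),
        ("129.110.1.1", datetime(2024, 3, 4, 9, 30)),
    ]:
        print(dst, ts.isoformat(), acl_3006_action(dst, ts))
```

Because the rule is bound to the time range, the wage query server is reachable through Ethernet2/1/1 outside 08:00 to 18:00 and on non-working days.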