The EAD Security Policy Component allows you to select several security policies, each corresponding to an ACL number. Security policy A corresponds to ACL 3000, which includes three rule sets. When you issue the policy A deployment command, the EAD Security Policy Component calls ACL Management to perform the deployment and specifies the device to which each ACL resource is deployed.
Configuration example networking
Scenario Analysis
If a Shanghai user fails the security policy check, the user is isolated and the only resource it can still reach is the updates server at 61.168.1.1.
If a Beijing user fails the security policy check, the user is isolated and the only resource it can still reach is the updates server at 61.168.1.2.
If a Hangzhou user fails the security policy check, the user is isolated and the only resource it can still reach is the updates server at 61.168.1.3.
Operation Procedure
Add device to the system platform.
In the system homepage, click Add Device in the My Shortcut tree. Type 61.168.1.7 (IP address of the device in Shanghai), 61.168.1.8 (IP address of the device in Beijing) and 61.168.1.9 (IP address of the device in Hangzhou).
Add ACL resource.
a. Click the Service tab, click ACL Resource in the navigation tree, and then click Add > Common ACL Resource to enter the ACL Resource page.
b. Select Advanced for ACL Type, type the ACL identifier 3000 and enter the ACL resource name Deny Host, then click OK.
Add ACL rule set.
a. In the ACL Resource page, click the 3000 identifier link.
b. Click Add. Set to rulesh, enter the other basic information, and then click Next.
c. Click Add to enter the Add Rule page. Set the action to permit, set the time range to Undefined, select IP Address/Mask in the Destination Address area and type 61.168.1.1/32, accept the defaults for the other items, and finally click OK.
d. Click Add to enter the Add Rule page. Set the action to deny, set the time range to Undefined, select ALL in the Destination Address area, accept the defaults for the other items, and finally click OK.
e. Repeat Step 2, Step 3 and Step 4. Set to rulebj, and the destination IP address to 61.168.1.2/32.
f. Repeat Step 2, Step 3 and Step 4. Set to rulehz, and the destination IP address to 61.168.1.3/32.
Access ACL Devices.
a. Select the Service tab, select ACL Management and click ACL Device in the navigation tree to enter the ACL Device List. Click the ACL Config link of the device in Shanghai to enter the ACL configuration page of the device.
Add ACL definition.
a. Select the ACL Definitions tab and click Add. Select 3000 and rule set rulesh you have just added, and then click Next.
b. Click Deploy. Set the task name to setRule6, set the deployment order to Serial, set the error handling mechanism to Stop all deployments when error occurs, set the execution time to Immediately, and then click OK.
Repeat Step 4 and select the device in Beijing.
Repeat Step 5 and select rule rulebj.
Repeat Step 4 and select the device in Hangzhou.
Repeat Step 5 and select rule rulehz.
Precautions
IP address masks are used in ACL Management while inverse masks are used on devices.
After the deployment, you can view the result in the task list. Only Succeeded indicates the deployment is successful.
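The following Python sketch is an added example, not part of the original procedure or of the product. It models the three rule sets above, converts each destination from the address/mask form typed in ACL Management to the inverse-mask form used on devices, and checks that each rule set leaves only its own updates server reachable. It assumes rules are matched in the order they were added (first match wins); the function names and the extra probe addresses are constructed for illustration.

```python
import ipaddress

# Rule sets from the procedure above: (action, destination as address/mask).
# "any" stands for the ALL selection in the Destination Address area.
RULE_SETS = {
    "rulesh": [("permit", "61.168.1.1/32"), ("deny", "any")],
    "rulebj": [("permit", "61.168.1.2/32"), ("deny", "any")],
    "rulehz": [("permit", "61.168.1.3/32"), ("deny", "any")],
}
EXPECTED = {"rulesh": "61.168.1.1", "rulebj": "61.168.1.2", "rulehz": "61.168.1.3"}

def to_inverse_mask(dest):
    """Return (address, inverse mask) for a destination given as address/mask."""
    if dest == "any":
        return ("0.0.0.0", "255.255.255.255")
    net = ipaddress.ip_network(dest, strict=True)
    return (str(net.network_address), str(net.hostmask))

def matches(dest, ip):
    return dest == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(dest)

def evaluate(rules, ip):
    """Assumption: first matching rule decides; otherwise report 'no-match'."""
    for action, dest in rules:
        if matches(dest, ip):
            return action
    return "no-match"

def reachable(rules, candidates):
    return [ip for ip in candidates if evaluate(rules, ip) == "permit"]

def audit(rule_sets, expected):
    """Flag rule sets that do not isolate to exactly their own updates server."""
    # Probe all updates servers plus two constructed non-server addresses.
    probes = sorted(expected.values()) + ["61.168.1.7", "10.0.0.1"]
    problems = []
    for name, rules in rule_sets.items():
        if rules[-1] != ("deny", "any"):
            problems.append(f"{name}: last rule is not deny ALL")
        if reachable(rules, probes) != [expected[name]]:
            problems.append(f"{name}: reachable set is not exactly {expected[name]}")
    return problems

if __name__ == "__main__":
    for name, rules in RULE_SETS.items():
        for action, dest in rules:
            print(name, action, *to_inverse_mask(dest))
    print(audit(RULE_SETS, EXPECTED) or "all rule sets isolate as intended")
```

Running the audit against a rule set where the deny rule was added before the permit rule reports both problems, which is the ordering mistake to look for before clicking Deploy.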