
How to implement inter-VLAN access control with traffic policies, at a glance!

author: ICT Technology Community

01 Using a traffic policy to implement Layer 3 isolation between VLANs

1.1 Networking requirements

As shown in Figure 1, a company divides guests, employees, and servers into VLAN 10, VLAN 20, and VLAN 30 for communication security. The company wants to:

  • Employees, server hosts, and guests can all access the Internet.
  • Guests can only access the Internet and cannot communicate with users in any other VLAN.
  • Employee A can access all the resources in the server area, but other employees can only access port 21 (FTP service) of server A.

Figure 1 Configuring Layer 3 isolation between VLANs through a traffic policy

1.2 Configuration ideas

Configure a traffic policy to control mutual access between VLANs as follows:

  1. Configure VLANs and add interfaces to VLANs to isolate employees, servers, and guests.
  2. Configure VLANIF interfaces and their IP addresses to enable Layer 3 communication between employees, servers, and guests.
  3. Configure upstream routes so that employees, servers, and guests can access the Internet through the switch.
  4. Configure and apply a traffic policy so that employee A can access all resources in the server area, other employees can only access port 21 of server A, only employees are allowed to access the server area, and guests can only access the Internet.

1.3 Procedure

[1] Configure VLANs and add each interface to the VLAN to isolate employees, servers, and guests at Layer 2

# Create VLAN 10 on Switch_1, add GE1/0/1 to VLAN 10 in untagged mode and add GE1/0/2 to VLAN 10 in tagged mode. The configurations of Switch_2 and Switch_3 are similar to that of Switch_1 and are not repeated here (see the configuration files at the end of the article).

<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 10
[Switch_1] interface gigabitethernet 1/0/1
[Switch_1-GigabitEthernet1/0/1] port link-type access
[Switch_1-GigabitEthernet1/0/1] port default vlan 10
[Switch_1-GigabitEthernet1/0/1] quit
[Switch_1] interface gigabitethernet 1/0/2
[Switch_1-GigabitEthernet1/0/2] port link-type trunk
[Switch_1-GigabitEthernet1/0/2] port trunk allow-pass vlan 10
[Switch_1-GigabitEthernet1/0/2] quit           

# Create VLAN 10, VLAN 20, VLAN 30, and VLAN 100 on Switch_4, and add interfaces GE1/0/1 to GE1/0/4 to VLAN 10, VLAN 20, VLAN 30, and VLAN 100 respectively in tagged mode.

<HUAWEI> system-view
[HUAWEI] sysname Switch_4
[Switch_4] vlan batch 10 20 30 100
[Switch_4] interface gigabitethernet 1/0/1
[Switch_4-GigabitEthernet1/0/1] port link-type trunk
[Switch_4-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch_4-GigabitEthernet1/0/1] quit
[Switch_4] interface gigabitethernet 1/0/2
[Switch_4-GigabitEthernet1/0/2] port link-type trunk
[Switch_4-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[Switch_4-GigabitEthernet1/0/2] quit
[Switch_4] interface gigabitethernet 1/0/3
[Switch_4-GigabitEthernet1/0/3] port link-type trunk
[Switch_4-GigabitEthernet1/0/3] port trunk allow-pass vlan 30
[Switch_4-GigabitEthernet1/0/3] quit
[Switch_4] interface gigabitethernet 1/0/4
[Switch_4-GigabitEthernet1/0/4] port link-type trunk
[Switch_4-GigabitEthernet1/0/4] port trunk allow-pass vlan 100
[Switch_4-GigabitEthernet1/0/4] quit           

[2] Configure the VLANIF interface and its IP address to enable Layer 3 communication between employees, servers, and guests

# Create VLANIF 10, VLANIF 20, VLANIF 30, and VLANIF 100 on Switch_4 and assign them the IP addresses 10.1.1.1/24, 10.1.2.1/24, 10.1.3.1/24, and 10.1.100.1/24 respectively.

[Switch_4] interface vlanif 10
[Switch_4-Vlanif10] ip address 10.1.1.1 24
[Switch_4-Vlanif10] quit
[Switch_4] interface vlanif 20
[Switch_4-Vlanif20] ip address 10.1.2.1 24
[Switch_4-Vlanif20] quit
[Switch_4] interface vlanif 30
[Switch_4-Vlanif30] ip address 10.1.3.1 24
[Switch_4-Vlanif30] quit
[Switch_4] interface vlanif 100
[Switch_4-Vlanif100] ip address 10.1.100.1 24
[Switch_4-Vlanif100] quit           

[3] Configure upstream routes so that employees, servers, and guests can access the Internet through the switch.

# Configure basic OSPF functions on Switch_4 to advertise the user network segments and the network segment between Switch_4 and the Router.

[Switch_4] ospf
[Switch_4-ospf-1] area 0
[Switch_4-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[Switch_4-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[Switch_4-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[Switch_4-ospf-1-area-0.0.0.0] network 10.1.100.0 0.0.0.255
[Switch_4-ospf-1-area-0.0.0.0] quit
[Switch_4-ospf-1] quit           

The following configuration must also be performed on the Router:

Add the interface connected to the switch to VLAN 100 in tagged mode, and configure VLANIF 100 with an IP address on the same network segment as 10.1.100.1.

Configure basic OSPF functions and advertise the network segment between the switch and the Router.

[4] Configure and apply flow policies to control access between employees, guests, and servers

A. Define each flow with an ACL

# Configure ACL 3000 on Switch_4 to prevent guests from accessing the employee area and the server area. The wildcard 0.0.0.255 covers the whole /24, so the rules are written against the network addresses 10.1.2.0 and 10.1.3.0, as they appear in the configuration file.

[Switch_4] acl 3000
[Switch_4-acl-adv-3000] rule deny ip destination 10.1.2.0 0.0.0.255
[Switch_4-acl-adv-3000] rule deny ip destination 10.1.3.0 0.0.0.255
[Switch_4-acl-adv-3000] quit

# Configure ACL 3001 on Switch_4 so that employee A can access all resources in the server area and other employees can only access port 21 of server A. The final deny rule blocks all other traffic from employees to the server area.

[Switch_4] acl 3001
[Switch_4-acl-adv-3001] rule permit ip source 10.1.2.2 0 destination 10.1.3.0 0.0.0.255
[Switch_4-acl-adv-3001] rule permit tcp destination 10.1.3.2 0 destination-port eq 21
[Switch_4-acl-adv-3001] rule deny ip destination 10.1.3.0 0.0.0.255
[Switch_4-acl-adv-3001] quit

B. Configure traffic classifiers to distinguish the flows

# Create traffic classifiers c_custom and c_staff on Switch_4 and configure them to match ACL 3000 and ACL 3001 respectively.

[Switch_4] traffic classifier c_custom
[Switch_4-classifier-c_custom] if-match acl 3000
[Switch_4-classifier-c_custom] quit
[Switch_4] traffic classifier c_staff
[Switch_4-classifier-c_staff] if-match acl 3001
[Switch_4-classifier-c_staff] quit           

C. Configure a traffic behavior and specify the action

# Create traffic behavior b1 on Switch_4 and configure the permit action.

[Switch_4] traffic behavior b1
[Switch_4-behavior-b1] permit
[Switch_4-behavior-b1] quit           

D. Configure traffic policies and bind the traffic classifiers to the traffic behavior

# Create traffic policies p_custom and p_staff on Switch_4, and bind the traffic classifiers c_custom and c_staff to the traffic behavior b1 respectively.

[Switch_4] traffic policy p_custom
[Switch_4-trafficpolicy-p_custom] classifier c_custom behavior b1
[Switch_4-trafficpolicy-p_custom] quit
[Switch_4] traffic policy p_staff
[Switch_4-trafficpolicy-p_staff] classifier c_staff behavior b1
[Switch_4-trafficpolicy-p_staff] quit           

E. Apply the traffic policies to implement access control between employees, guests, and servers

# On Switch_4, apply the traffic policies p_custom and p_staff to VLAN 10 and VLAN 20 respectively in the inbound direction.

[Switch_4] vlan 10
[Switch_4-vlan10] traffic-policy p_custom inbound
[Switch_4-vlan10] quit
[Switch_4] vlan 20
[Switch_4-vlan20] traffic-policy p_staff inbound
[Switch_4-vlan20] quit           

[5] Verify the configuration result

Set the IP address of Guest A to 10.1.1.2/24 and its default gateway to the IP address 10.1.1.1 of VLANIF 10. Set the IP address of Employee A to 10.1.2.2/24 and its default gateway to the IP address 10.1.2.1 of VLANIF 20. Set the IP address of Employee B to 10.1.2.3/24 and its default gateway to the IP address 10.1.2.1 of VLANIF 20. Set the IP address of Server A to 10.1.3.2/24 and its default gateway to the IP address 10.1.3.1 of VLANIF 30.

After the configuration is complete:

  • Guest A cannot ping Employee A or Server A, and Employee A and Server A cannot ping Guest A.
  • Employee A can ping Server A and can use the FTP service and the other services of Server A.
  • Employee B cannot ping Server A and can only use the FTP service of Server A.
  • Guest A, Employee A, Employee B, and Server A can all ping the IP address 10.1.100.2/24 of the Router interface connected to Switch_4, and they can all access the Internet.
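To check that ACL 3000 and ACL 3001 express the intent listed above before they are deployed, here is an added Python model of how the two ACLs are evaluated (first match in rule order, wildcard masks, and no match meaning the traffic classifier does not catch the packet at all); it is not part of the original article or of any Huawei tool. It assumes the ingress VLAN can be inferred from the source subnet, and it also shows why writing 10.1.2.1 or 10.1.2.0 with wildcard 0.0.0.255 is equivalent, since the wildcard covers the host octet.

```python
import ipaddress

# Constructed model of the two advanced ACLs on this page (added example, not
# the switch's own code). Rules are tuples of (action, protocol, source,
# destination, destination port); addresses carry a wildcard mask, where a
# 1 bit means "don't care", as in the Huawei "rule" commands above.
ACL_3000 = [  # applied inbound on VLAN 10 (guests)
    ("deny", "ip", None, ("10.1.2.0", "0.0.0.255"), None),
    ("deny", "ip", None, ("10.1.3.0", "0.0.0.255"), None),
]
ACL_3001 = [  # applied inbound on VLAN 20 (employees)
    ("permit", "ip", ("10.1.2.2", "0.0.0.0"), ("10.1.3.0", "0.0.0.255"), None),
    ("permit", "tcp", None, ("10.1.3.2", "0.0.0.0"), 21),
    ("deny", "ip", None, ("10.1.3.0", "0.0.0.255"), None),
]

def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit the wildcard mask does not cover."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w) & 0xFFFFFFFF == 0

def evaluate(acl, proto, src, dst, dport=None):
    """First matching rule wins. A packet that matches no rule is not caught
    by the traffic classifier at all and is forwarded normally ("permit")."""
    for action, rproto, rsrc, rdst, rport in acl:
        if rproto != "ip" and rproto != proto:   # "ip" rules cover every protocol
            continue
        if rsrc and not wildcard_match(src, *rsrc):
            continue
        if rdst and not wildcard_match(dst, *rdst):
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "permit"

def decide(proto, src, dst, dport=None):
    """Assumption: the ingress VLAN is inferred from the source subnet
    (10.1.1.0/24 is VLAN 10, 10.1.2.0/24 is VLAN 20); other VLANs carry no policy."""
    if wildcard_match(src, "10.1.1.0", "0.0.0.255"):
        return evaluate(ACL_3000, proto, src, dst, dport)
    if wildcard_match(src, "10.1.2.0", "0.0.0.255"):
        return evaluate(ACL_3001, proto, src, dst, dport)
    return "permit"
```

Running the checks makes the asymmetry explicit: Employee A's echo request is permitted on VLAN 20, but Guest A's reply is dropped by ACL 3000 on VLAN 10, which is why neither side can ping the other. The port-21 rule covers only the FTP control connection; FTP data transfers use separate connections that this rule does not permit.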

1.4 Configuration Files

Switch_1 configuration file

#
sysname Switch_1
#
vlan batch 10
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 10
#
return           

Switch_2 configuration file

#
sysname Switch_2
#
vlan batch 20
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 20
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 20
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk allow-pass vlan 20
#
return           

Switch_3 configuration file

#
sysname Switch_3
#
vlan batch 30
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 30
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 30
#
return           

Switch_4 configuration file

#
sysname Switch_4
#
vlan batch 10 20 30 100
#
acl number 3000
 rule 5 deny ip destination 10.1.2.0 0.0.0.255
 rule 10 deny ip destination 10.1.3.0 0.0.0.255
acl number 3001
 rule 5 permit tcp destination 10.1.3.2 0 destination-port eq ftp 
 rule 10 permit ip source 10.1.2.2 0 destination 10.1.3.0 0.0.0.255
 rule 15 deny ip destination 10.1.3.0 0.0.0.255
#
traffic classifier c_custom operator or precedence 5
 if-match acl 3000
traffic classifier c_staff operator or precedence 10
 if-match acl 3001
#
traffic behavior b1
 permit
#
traffic policy p_custom match-order config
 classifier c_custom behavior b1
traffic policy p_staff match-order config
 classifier c_staff behavior b1
#
vlan 10
 traffic-policy p_custom inbound
vlan 20
 traffic-policy p_staff inbound
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
 ip address 10.1.2.1 255.255.255.0
#
interface Vlanif30
 ip address 10.1.3.1 255.255.255.0
#
interface Vlanif100
 ip address 10.1.100.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk allow-pass vlan 30
#
interface GigabitEthernet1/0/4
 port link-type trunk
 port trunk allow-pass vlan 100
#
ospf 1
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255
  network 10.1.2.0 0.0.0.255
  network 10.1.3.0 0.0.0.255
  network 10.1.100.0 0.0.0.255
#
return