To enhance security, you can configure access control for web users, specifying which clients are allowed to log in to the device through the web system. This configuration applies to the Huawei S5700, S2700, S3700, and S6700 switches.
Context
You can configure an HTTPS access control list to allow only specified web users to log in to the device, which enhances security. To prevent idle users from occupying web channel resources for a long time, you can run commands to force these users to go offline.
NOTE:
ACL/ACL6 rules:
· If the ACL/ACL6 rule is permit, clients matching the rule are permitted to set up HTTPS connections with the local device.
· If the ACL/ACL6 rule is deny, clients matching the rule are forbidden to set up HTTPS connections with the local device.
· If an ACL/ACL6 rule is configured but packets from a client do not match the rule, the client is not allowed to set up HTTPS connections with the local device.
· If no ACL/ACL6 rule is configured, any clients are permitted to set up HTTPS connections with the local device.
Procedure
- Run the system-view command to enter the system view.
- Configure an ACL/ACL6 on the HTTPS server.
Configure an HTTPS IPv4 ACL as follows:
a. Run the acl [ number ] acl-number command to enter the ACL view.
HTTPS IPv4 supports basic and advanced ACLs. If a basic ACL is configured, the value of acl-number ranges from 2000 to 2999. If an advanced ACL is configured, the value of acl-number ranges from 3000 to 3999.
b. Configure an ACL.
The commands for configuring basic and advanced ACLs are different.
§ Command for configuring a basic ACL:
rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | fragment | logging | time-range time-name | vpn-instance vpn-instance-name ] * (The S2750, S5700LI, and S5700S-LI do not support vpn-instance vpn-instance-name.)
§ Command for configuring an advanced ACL:
rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | fragment | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *
c. Run the quit command to return to the system view.
d. Run the http acl acl-number command to configure an HTTPS IPv4 ACL.
By default, no ACL is configured on the HTTPS IPv4 server, that is, all web clients can set up HTTPS IPv4 connections with the server.
Configure an HTTPS IPv6 ACL6 as follows:
e. Run the acl ipv6 [ number ] acl6-number command to enter the ACL6 view.
HTTPS IPv6 supports basic and advanced ACL6s. If a basic ACL6 is configured, the value of acl6-number ranges from 2000 to 2999. If an advanced ACL6 is configured, the value of acl6-number ranges from 3000 to 3999.
f. Configure an ACL6.
The commands for configuring basic and advanced ACL6s are different.
§ Command for configuring a basic ACL6:
rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] * (The S2750, S5700LI, and S5700S-LI do not support vpn-instance vpn-instance-name.)
§ Command for configuring an advanced ACL6:
rule [ rule-id ] { deny | permit } { tcp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *
g. Run the quit command to return to the system view.
h. Run the http ipv6 acl acl6-number command to configure an HTTPS IPv6 ACL6.
By default, no ACL6 is configured on the HTTPS IPv6 server, that is, all web clients can set up HTTPS IPv6 connections with the server.
- (Optional) Run the free http user-id user-id command to force a web user offline.
Currently, the device supports a maximum of five concurrent online web users. The value of user-id ranges from 89 to 93. If a user occupies web channel resources but performs no operation for a long time, other users may fail to log in. To prevent this situation, run this command to force idle web users offline and release the occupied channel resources.