R3721-F3210-F3171-HP High-End Firewalls Access Control Configuration Guide-6PW101
ACL configuration example
NOTE: IPv4 ACL application usually works with NAT. For IPv4 ACL configuration examples, see NAT Configuration Guide.
Network requirements
A company interconnects its departments through Firewall. Configure an ACL to:
• Permit access from the President's office at any time to the financial database server.
• Permit access from the Financial department to the database server only during working hours (from 8:00 to 18:00) on working days.
• Deny access from any other department to the database server.
Figure 16 Network diagram
Configuration procedure
# Create a periodic time range from 8:00 to 18:00 on working days.
<Firewall> system-view
[Firewall] time-range work 8:0 to 18:0 working-day
# Create an IPv6 advanced ACL numbered 3000 and configure three rules in the ACL: one rule permits access from the President's office to the financial database server, one rule permits access from the Financial department to the database server during working hours, and one rule denies access from any other department to the database server. Rules are matched in the order they are configured (the default match order), so the deny rule is configured last; the rule that references time range work is only active while that time range is active.
[Firewall] acl ipv6 number 3000
[Firewall-acl6-adv-3000] rule permit ipv6 source 1001:: 16 destination 1000::100 128
[Firewall-acl6-adv-3000] rule permit ipv6 source 1002:: 16 destination 1000::100 128 time-range work
[Firewall-acl6-adv-3000] rule deny ipv6 source any destination 1000::100 128
[Firewall-acl6-adv-3000] quit
# Enable IPv6 firewall, and apply IPv6 ACL 3000 to filter outgoing packets on interface GigabitEthernet 0/1.
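The following Python model is an added example, not part of the HP guide, that reproduces the semantics of ACL 3000 and its periodic time range offline: rules are tried in configured order, the first match decides, a rule whose time range is inactive is skipped, and packets that match no rule fall through to a default action (the firewall's default action for unmatched packets is configurable; this model takes it as a parameter and assumes permit). It also shows what happens when the deny rule is mistakenly configured first. The class and function names, the sample packets, and the timestamps are constructed for the example.

```python
"""Offline model of IPv6 ACL 3000 from the guide (added example, not HP code)."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional


@dataclass(frozen=True)
class TimeRange:
    """Periodic time range: active on the given weekdays between start and end.

    Modelled as the half-open interval [start, end); weekdays use Monday=0 .. Sunday=6.
    """
    name: str
    start: time
    end: time
    weekdays: frozenset

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end


# "time-range work 8:0 to 18:0 working-day": working-day is Monday through Friday.
WORK = TimeRange("work", time(8, 0), time(18, 0), frozenset(range(5)))


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    source: IPv6Network              # "any" is modelled as ::/0
    destination: IPv6Network
    time_range: Optional[TimeRange] = None

    def matches(self, src: IPv6Address, dst: IPv6Address, when: datetime) -> bool:
        # A rule bound to an inactive time range does not match anything.
        if self.time_range is not None and not self.time_range.active(when):
            return False
        return src in self.source and dst in self.destination


# The three rules of ACL 3000, in the order the guide configures them.
ACL_3000: List[Rule] = [
    Rule("permit", IPv6Network("1001::/16"), IPv6Network("1000::100/128")),
    Rule("permit", IPv6Network("1002::/16"), IPv6Network("1000::100/128"), WORK),
    Rule("deny", IPv6Network("::/0"), IPv6Network("1000::100/128")),
]


def evaluate(rules: List[Rule], src: str, dst: str, when: datetime,
             default: str = "permit") -> str:
    """Return the action for one packet: first matching rule wins.

    `default` models the packet filter's action for packets matching no rule
    (assumed permit here; pass "deny" to model a default-deny filter).
    """
    s, d = IPv6Address(src), IPv6Address(dst)
    for rule in rules:
        if rule.matches(s, d, when):
            return rule.action
    return default


def misordered() -> List[Rule]:
    """The same rules with the catch-all deny placed first: it shadows both permits."""
    return [ACL_3000[2], ACL_3000[0], ACL_3000[1]]


if __name__ == "__main__":
    # Constructed sample packets: Sunday 2024-01-07 03:00 and Monday 2024-01-08.
    sunday_night = datetime(2024, 1, 7, 3, 0)
    monday_10 = datetime(2024, 1, 8, 10, 0)
    monday_19 = datetime(2024, 1, 8, 19, 0)
    for label, src, when in [
        ("President, Sunday 03:00", "1001::1", sunday_night),
        ("Financial, Monday 10:00", "1002::1", monday_10),
        ("Financial, Monday 19:00", "1002::1", monday_19),
        ("Marketing, Monday 10:00", "1003::1", monday_10),
    ]:
        print(f"{label}: {evaluate(ACL_3000, src, '1000::100', when)}")
    print(f"President with deny first: {evaluate(misordered(), '1001::1', '1000::100', monday_10)}")
```

Running it is a cheap way to confirm the three requirements before applying the ACL outbound on GigabitEthernet 0/1: the President's office is permitted at any hour, the Financial department only inside the working-hours time range, everyone else is denied, and traffic to any destination other than 1000::100 is not covered by the ACL at all. Because the firewall evaluates time ranges against its own clock, the working-hours rule is only as reliable as the device's time source.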
[Figure 16, text recovered from the network diagram: the President's office (1001::/16), the Financial department (1002::/16), and the Marketing department (1003::/16) connect to the Firewall, which has interfaces GE0/1, GE0/2, GE0/3, and GE0/4; the financial database server is 1000::100/16. The interface-to-segment mapping is not recoverable from the extracted text.]