H3C S7500 Series Ethernet Switches Release 3135 DHCP Configuration Examples

QACL Configuration Examples
H3C S7500 Series Ethernet Switches Release 3135 Chapter 2 QACL Configuration Examples
2.1.1 Time-Based ACL and Traffic Accounting Configuration Example
I. Network requirements
In the R&D department, the IP address of PC 1 is 192.168.2.1 and that of PC 2 is
192.168.2.2. The gateway IP address is set to 192.168.2.100 (the IP address of
VLAN-interface 2) for both PC 1 and PC 2. Configure time-based ACLs and traffic
accounting to satisfy the following requirements:
- Through advanced ACL configuration, filter the virus packets from the Internet.
- Through user-defined ACL configuration, filter the ARP packets that PC 1 sends
with the gateway IP address as the source IP address within the time range from
8:00 to 18:00 every day.
- Through traffic accounting configuration, account for the HTTP packets that PC 2
sends to the Internet within the time range from 8:00 to 18:00 every day.
II. Network diagram
[Network diagram: PC 1 (192.168.2.1/24) and PC 2 (192.168.2.2/24) in the R&D department (VLAN 2); Switch with ports GE2/0/1, GE2/0/2 and GE2/0/10; Internet]
Figure 2-2 Network diagram for time-based ACL and traffic accounting configuration
III. Configuration procedure
# Define a time range trname to cover the time range from 8:00 to 18:00 every day.
<H3C> system-view
[H3C] time-range trname 8:00 to 18:00 daily
# Create advanced ACL 3000 to filter the virus packets from the Internet. You can also
configure other rules in the ACL as required.
[H3C] acl number 3000
[H3C-acl-adv-3000] rule 1 deny icmp
[H3C-acl-adv-3000] rule 2 deny udp destination-port eq 69
[H3C-acl-adv-3000] rule 3 deny tcp destination-port eq 4444
[H3C-acl-adv-3000] rule 4 deny tcp destination-port eq 135
[H3C-acl-adv-3000] rule 5 deny udp destination-port eq 135
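The following added example (not part of the H3C manual) evaluates the five ACL 3000 rules shown above against constructed sample packets, to confirm what the filter drops and that HTTP, which the traffic accounting requirement depends on, still passes. It assumes the lowest matching rule ID wins and that packets matching no rule are forwarded; the helper names and packet tuples are hypothetical.

```python
import re

# ACL 3000 rules as entered in the configuration procedure above.
ACL_3000 = """\
rule 1 deny icmp
rule 2 deny udp destination-port eq 69
rule 3 deny tcp destination-port eq 4444
rule 4 deny tcp destination-port eq 135
rule 5 deny udp destination-port eq 135
"""

RULE_RE = re.compile(r"rule (\d+) (permit|deny) (\w+)"
                     r"(?: destination-port eq (\d+))?$")

def parse_acl(text):
    """Parse the rule subset used on this page, sorted by rule ID."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        rule_id, action, proto, dport = m.groups()
        rules.append((int(rule_id), action, proto, int(dport) if dport else None))
    return sorted(rules, key=lambda r: r[0])

def evaluate(rules, proto, dport=None):
    """Return (action, rule_id); rule_id is None when no rule matches.

    Assumed semantics: lowest matching rule ID wins, unmatched packets pass.
    """
    for rule_id, action, rule_proto, rule_dport in rules:
        if rule_proto == proto and rule_dport in (None, dport):
            return action, rule_id
    return "permit", None

# Constructed sample packets: (description, protocol, destination port).
SAMPLES = [
    ("ICMP echo request", "icmp", None),
    ("TFTP request", "udp", 69),
    ("RPC endpoint mapper", "tcp", 135),
    ("HTTP", "tcp", 80),
    ("DNS query", "udp", 53),
]

if __name__ == "__main__":
    rules = parse_acl(ACL_3000)
    for name, proto, dport in SAMPLES:
        action, rule_id = evaluate(rules, proto, dport)
        print(f"{name:20} {proto}/{dport}: {action} (rule {rule_id})")
```

Rule 1 matches every ICMP packet, so the interface this ACL is applied to also stops passing ping and ICMP error messages.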