Checking Whether Access Rights Control Is Configured for the Web Client

Procedure

  1. Check whether an ACL is configured on the HTTP server.
    1. Run the display current-configuration filter http acl command in any view to check whether http acl acl-number is configured in the system. If it is, record the ACL number.
    2. Run the display acl acl-number command in any view to check whether the IP address of the web client is denied in the ACL.

      If the IP address of the web client is denied in the ACL, run the undo rule rule-id command in the ACL view to delete the deny rule and use the corresponding command to modify the ACL to allow the IP address of the web client.

  2. Check whether traffic-filter is configured to deny access from the web client to the switch.
    1. Run the display current-configuration filter traffic-filter inbound acl command in any view to check whether traffic-filter inbound acl acl-number is configured.

      If traffic-filter inbound acl acl-number is configured, record the ACL number.

    2. Run the display acl acl-number command in any view to check whether the IP address of the web client is denied in the ACL.

      If the IP address of the web client is denied in the ACL, run the undo rule rule-id command in the ACL view to delete the deny rule and use the corresponding command to modify the ACL to allow the IP address of the web client.

      As shown in the following command output, GE0/0/8 on the switch is directly connected to the PC and denies access from the PC.
      [HUAWEI] display current-configuration filter traffic-filter inbound acl //Check the configuration of traffic-filter inbound acl acl-number.
      #
      GigabitEthernet0/0/8
       traffic-filter inbound acl 3000
      #
      
      [HUAWEI] display acl 3000
      Advanced ACL 3000, 1 rule
      Acl's step is 5
       rule 5 permit ip source 10.1.1.2 0 //Assume that the IP address of the PC is 10.1.1.2. The ACL rule matches all packets with the source IP address 10.1.1.2.
      
      [HUAWEI] undo acl 3000 //Run the undo rule rule-id command to delete the ACL rule and use the corresponding command to modify the ACL to allow the IP address of the web client. Alternatively, run the undo acl 3000 command to directly delete the ACL.
      

  3. Check whether traffic-policy is configured to deny access from the web client to the switch.
    1. Run the display traffic-policy applied-record command in any view to check information about the applied traffic policy.

      [HUAWEI] display traffic-policy applied-record
      -------------------------------------------------
        Policy Name:   http 
        Policy Index:  0
           Classifier:http     Behavior:http  //The traffic classifier http and traffic behavior http are associated with the traffic policy http.
      -------------------------------------------------
       *interface GigabitEthernet0/0/8
          traffic-policy http inbound  //The traffic policy http is applied to the inbound direction of GE0/0/8.
            slot 0   :  success
      -------------------------------------------------
        Policy total applied times: 1.

    2. Run the display traffic behavior user-defined behavior-name command in any view to check whether the traffic behavior associated with the traffic policy contains a deny action.

      [HUAWEI] display traffic behavior user-defined http
        User Defined Behavior Information:
          Behavior: http 
            Deny     //The traffic behavior http contains a deny action.

    3. Run the display traffic classifier user-defined classifier-name command in any view to check the number of the ACL associated with the traffic classifier in the traffic policy.

      [HUAWEI] display traffic classifier user-defined http
        User Defined Classifier Information:
         Classifier: http
          Precedence: 5
          Operator: OR
          Rule(s) : if-match acl 3000  //The ACL associated with the traffic classifier http is ACL 3000.

    4. Run the display acl acl-number command in any view to check the ACL content.

      [HUAWEI] display acl 3000
      Advanced ACL 3000, 1 rule
      Acl's step is 5
       rule 5 permit ip source 10.1.1.2 0 //Assume that the IP address of the PC is 10.1.1.2. The ACL rule matches all packets with the source IP address 10.1.1.2.
      

    If the traffic policy denies access from the web client to the switch, run the undo rule rule-id command in the ACL view to delete the deny rule and use the corresponding command to modify the ACL to allow the IP address of the web client. Alternatively, unbind the traffic policy.
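
The check in step 3 can be scripted against saved command output. The following is an added example, not part of the original procedure or any Huawei tool: it parses display acl and display traffic behavior output and reports whether a given web client address is dropped by the traffic policy. The function names and the sample text are constructed for illustration, and the script assumes that rules are evaluated in the order displayed and that a matching permit rule combined with a Deny behavior drops the packet, as in the example above.

```python
import ipaddress
import re

# Constructed sample input in the shape of the output shown above.
ACL_OUTPUT = """\
Advanced ACL 3000, 1 rule
Acl's step is 5
 rule 5 permit ip source 10.1.1.2 0 //PC address
"""
BEHAVIOR_OUTPUT = """\
  User Defined Behavior Information:
    Behavior: http
      Deny     //deny action
"""
RULE_RE = re.compile(r"^\s*rule\s+(\d+)\s+(permit|deny)\b(.*)$")
SRC_RE = re.compile(r"\bsource\s+(any|\S+)(?:\s+(\S+))?")


def _to_int(addr):
    # A host wildcard is printed as a bare "0"; treat it as 0.0.0.0.
    return 0 if addr == "0" else int(ipaddress.IPv4Address(addr))


def first_match(acl_text, client_ip):
    """Return (rule_id, action) of the first rule matching client_ip, else None."""
    client = int(ipaddress.IPv4Address(client_ip))
    for line in acl_text.splitlines():
        m = RULE_RE.match(line.split("//")[0])  # drop the // annotations
        if not m:
            continue
        rule_id, action = int(m.group(1)), m.group(2)
        src = SRC_RE.search(m.group(3))
        if src is None or src.group(1) == "any":
            return rule_id, action  # no source condition: every client matches
        base, wildcard = _to_int(src.group(1)), _to_int(src.group(2) or "0")
        # Wildcard bits set to 1 are ignored; all other bits must be equal.
        if ((client ^ base) & ~wildcard & 0xFFFFFFFF) == 0:
            return rule_id, action
    return None


def policy_blocks(acl_text, behavior_text, client_ip):
    """True if a deny rule matches, or a permit rule matches under a Deny behavior."""
    hit = first_match(acl_text, client_ip)
    if hit is None:
        return False
    lines = (l.split("//")[0].strip() for l in behavior_text.splitlines())
    return hit[1] == "deny" or "Deny" in lines
```

The rule ID returned by first_match is the one to pass to undo rule rule-id in the ACL view.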
