1.1 ACL Configuration Commands
1.1.1 acl
Syntax
acl number acl-number [ match-order { config | auto } ]
undo acl { number acl-number | all }
View
System view
Parameter
number acl-number: Specifies an access control list (ACL) number, which ranges from 2000 to 3999.
- An ACL number ranging from 2000 to 2999 identifies a basic ACL.
- An ACL number ranging from 3000 to 3999 identifies an advanced ACL. Note that ACL 3998 and ACL 3999 cannot be configured because they are reserved for cluster management.
match-order: Specifies the matching order for the rules of an ACL.
- config: ACL rules are matched in the order they are created.
- auto: ACL rules are matched in the order determined by the system (that is, in depth-first order).
all: Specifies all ACLs.
Description
Use the acl command to create an ACL and enter ACL view.
Use the undo acl command to remove a specified ACL or all ACLs.
After entering the corresponding ACL view, you can use the rule command to add entries to the ACL.
An ACL supports the following match orders:
- Configured order: ACL rules are matched according to the configured order.
- Automatic ordering: ACL rules are matched according to the “depth-first” order.
The “depth-first” order is described as follows:
I. Depth-first match for a basic IPv4 ACL
The following shows how your device performs depth-first match in a basic IPv4 ACL:
1) Sort rules by source IP address wildcard first, and compare packets against the rule configured with more zeros in the source IP address wildcard prior to other rules.
2) If two rules have the same number of zeros in their source IP address wildcards, compare packets against the rule configured first prior to the others.
For example, the rule with the source IP address wildcard 0.0.0.255 is compared prior to the rule with the source IP address wildcard 0.0.255.255.
II. Depth-first match for an advanced IPv4 ACL
The following shows how your device performs depth-first match in an advanced IPv4 ACL:
1) Sort rules by source IP address wildcard first, and compare packets against the rule configured with more zeros in the source IP address wildcard prior to other rules.
2) If two rules have the same number of zeros in their source IP address wildcards, also look at the destination IP address wildcards of the rules. Then, compare packets against the rule configured with more zeros in the destination IP address wildcard prior to the other.
3) If the numbers of zeros in the destination IP address wildcards are the same, compare packets against the rule configured first prior to the other.
For example, the rule with the source IP address wildcard 0.0.0.255 is compared prior to the rule with the source IP address wildcard 0.0.255.255.
You can use the match-order keyword to specify whether the configured order or the “depth-first” order (rules with smaller ranges are matched first) is used to match rules. If no match order is specified, the configured match order is adopted.
You cannot modify the match order of an ACL once you have specified it, unless you delete all the entries of the ACL.
The ACL match order feature takes effect only when the ACL is referenced by software for data filtering and traffic classification.
Related command: rule.
Example
# Create a basic ACL numbered 2000.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] acl number 2000
[H3C-acl-basic-2000]
1.1.2 description
Syntax
description text
undo description
View
Basic ACL view, advanced ACL view
Parameter
text: ACL description to be assigned to an ACL. This argument is a string comprising up to 127 characters.
Description
Use the description command to assign a description to an ACL.
Use the undo description command to remove the description assigned to an ACL.
Example
# Assign a description to ACL 3000.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] acl number 3000
[H3C-acl-adv-3000] description This acl is used in eth 0
# Remove the description assigned to ACL 3000.
[H3C-acl-adv-3000] undo description
1.1.3 display acl
Syntax
display acl { all | acl-number }
View
Any view
Parameter
acl-number: ACL number, ranging from 2000 to 3999.
all: Specifies all ACLs.
Description
Use the display acl command to display the information about an ACL or all ACLs, including the following items:
- ACL type, ACL number, and the number of rules
- ACL description. The description of an ACL is not displayed if you do not assign a description to the ACL.
- Step length of ACL rule numbers
- The content of each ACL rule
Example
# Display the information about ACL 2000.
<H3C> display acl 2000
Basic ACL 2000, 1 rule
Acl's step is 1
rule 0 deny source 1.1.1.1 0 (0 times matched)
Table 1-1 Description on the fields of the display acl command
| Field | Description |
| --- | --- |
| Basic acl 2000 | The displayed information is about the basic ACL 2000. |
| 1 rule | The ACL contains one rule. |
| Acl's step is 5 | The rules in this ACL are numbered in steps of 5. |
| 0 times matched | No match for this rule. Only ACL matches performed by software are counted. |
1.1.4 display time-range
Syntax
display time-range { all | time-name }
View
Any view
Parameter
time-name: Name of a time range, a string that starts with [a-z, A-Z] and contains up to 32 characters.
all: Specifies all time ranges.
Description
Use the display time-range command to view the configuration and status of a time range. A time range is labeled as active (if the current system time is within it) or inactive (if the current system time is not within it).
The output information includes the following items:
- Current system time
- Name and status of the time range
- Detailed information about the time range
Related command: time-range.
Example
# Display all the time ranges.
<H3C> display time-range all
Current time is 14:36:36 Apr/2/2003 Thursday
Time-range : hhy ( Active )
12:00 to 18:00 working-day
Time-range : hhy1 ( Inactive )
from 08:30 2/5/2003 to 18:00 2/19/2003
Table 1-2 Description on the fields of the display time-range command
| Field | Description |
| --- | --- |
| Current time is 14:36:36 Apr/3/2003 Thursday | Current system time |
| Time-range : hhy | Name of the time range |
| Active | The time range is currently active (Inactive means the time range is inactive) |
| 12:00 to 18:00 working-day | The periodic time range is from 12:00 to 18:00 on each working day. |
| from 08:30 2/5/2005 to 18:00 2-19-2005 | The absolute time range is from 08:30 2/5/2005 to 18:00 2-19-2005. |
1.1.5 rule (for basic ACLs)
Syntax
rule [ rule-id ] { permit | deny } [ fragment | source { sour-addr sour-wildcard | any } | time-range time-name ]*
undo rule rule-id [ fragment | source | time-range ]*
View
Basic ACL view
Parameter
rule-id: ACL rule number, ranging from 0 to 65534.
deny: Denies the matched packets.
permit: Permits the matched packets.
fragment: Specifies that the ACL rule applies only to the packets that are not the first fragments.
source { sour-addr sour-wildcard | any }: Specifies the source address information in the rule. sour-addr specifies the source IP address of the packet, expressed in dotted decimal notation. sour-wildcard specifies the wildcard mask corresponding to the source subnet mask, expressed in dotted decimal notation; the wildcard is the bitwise inverse of the subnet mask, so you need to input 0.0.255.255 for the subnet mask 255.255.0.0. You can set sour-wildcard to 0 to represent a host IP address. any represents any IP address.
time-range time-name: Specifies a time range for the ACL rule to take effect.
Description
Use the rule command to define an ACL rule.
Use the undo rule command to remove an ACL rule or the specified settings of an ACL rule.
To remove an ACL rule, you need to specify the number of the ACL rule. You can obtain the number of an ACL rule by executing the display acl command.
Note the following when you define an ACL rule with the rule number specified:
- If the ACL is created with the config keyword specified and the rule identified by the rule-id argument exists, the settings specified in the rule command overwrite their counterparts in the existing rule (other settings of the rule remain unchanged). If the ACL is created with the auto keyword specified, the rules of the ACL cannot be edited; in this case, the system prompts an error when you execute the rule command.
- If the specified rule number identifies an existing ACL rule, the existing rule is edited.
- If the specified rule number identifies no ACL rule, a new ACL rule is created.
If you define an ACL rule without specifying the rule number, a new ACL rule is created and the switch allocates a rule number for it automatically.
Example
# Configure ACL 2000 to prohibit the user
with source address 1.1.1.1 from logging into the switch. For detailed information
about login user control, refer to the “Login” module in this
manual.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] acl number 2000
[H3C-acl-basic-2000] rule deny source 1.1.1.1 0
[H3C-acl-basic-2000] display acl 2000
Basic ACL 2000, 1 rule
Acl's step is 1
rule 0 deny source 1.1.1.1 0 (0 times matched)
1.1.6 rule (for advanced ACLs)
Syntax
rule [ rule-id ] { permit | deny } rule-string
undo rule rule-id [ destination | destination-port | dscp | fragment | icmp-type | precedence | source | source-port | time-range | tos ]
View
Advanced ACL view
Parameter
rule-id: ACL rule number, ranging from 0 to 65534.
deny: Denies the matched packets.
permit: Permits the matched packets.
rule-string: Rule information, which can be a combination of the parameters listed in Table 1-3. Among the parameters, you need to configure the protocol argument before configuring other arguments.
Table 1-3 Rule information
| Parameter | Type | Function | Description |
| --- | --- | --- | --- |
| protocol | Protocol type | Specifies the type of the protocol carried by IP. | This argument can be an integer ranging from 1 to 255 (when you use a number to identify a protocol) or one of the following: GRE, ICMP, IGMP, IP, IPinIP, OSPF, TCP, or UDP. |
| source { sour-addr sour-wildcard \| any } | Source address information | Specifies the source address information for the ACL rule. | sour-addr sour-wildcard specifies the source address, in dotted decimal notation. sour-wildcard can be 0, which represents a host address. The any keyword represents any source address. |
| destination { dest-addr dest-wildcard \| any } | Destination address information | Specifies the destination address information for the ACL rule. | dest-addr dest-wildcard specifies the destination address, in dotted decimal notation. dest-wildcard can be 0, which represents a host address. The any keyword represents any destination address. |
| precedence precedence | Packet priority | IP priority | The precedence argument ranges from 0 to 7. |
| tos tos | Packet priority | ToS priority | The tos argument ranges from 0 to 15. |
| dscp dscp | Packet priority | DSCP priority | The dscp argument ranges from 0 to 63. |
| fragment | Fragment information | Specifies that the ACL rule applies only to the packets that are not the first fragments. | — |
| time-range time-name | Time range information | Specifies a time range for the ACL rule to take effect. | — |
To define DSCP priority, you can directly input a value ranging from 0 to 63, or input a keyword listed in Table 1-4.
Table 1-4 Description of DSCP values
| Keyword | DSCP value in decimal | DSCP value in binary |
| --- | --- | --- |
| ef | 46 | 101110 |
| af11 | 10 | 001010 |
| af12 | 12 | 001100 |
| af13 | 14 | 001110 |
| af21 | 18 | 010010 |
| af22 | 20 | 010100 |
| af23 | 22 | 010110 |
| af31 | 26 | 011010 |
| af32 | 28 | 011100 |
| af33 | 30 | 011110 |
| af41 | 34 | 100010 |
| af42 | 36 | 100100 |
| af43 | 38 | 100110 |
| cs1 | 8 | 001000 |
| cs2 | 16 | 010000 |
| cs3 | 24 | 011000 |
| cs4 | 32 | 100000 |
| cs5 | 40 | 101000 |
| cs6 | 48 | 110000 |
| cs7 | 56 | 111000 |
| be (default) | 0 | 000000 |
To define IP precedence, you can directly input a value ranging from 0 to 7, or input a keyword listed in Table 1-5.
Table 1-5 Description of IP precedence values
| Keyword | IP Precedence value in decimal | IP Precedence value in binary |
| --- | --- | --- |
| routine | 0 | 000 |
| priority | 1 | 001 |
| immediate | 2 | 010 |
| flash | 3 | 011 |
| flash-override | 4 | 100 |
| critical | 5 | 101 |
| internet | 6 | 110 |
| network | 7 | 111 |
To define ToS priority, you can directly input a value ranging from 0 to 15, or input a keyword listed in Table 1-6.
Table 1-6 Description of ToS values
| Keyword | ToS value in decimal | ToS value in binary |
| --- | --- | --- |
| normal | 0 | 0000 |
| min-monetary-cost | 1 | 0001 |
| max-reliability | 2 | 0010 |
| max-throughput | 4 | 0100 |
| min-delay | 8 | 1000 |
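An added example, not from the manual, showing why rules written with precedence, tos and dscp can select the same packets: all three values are read from the one IP ToS byte. The bit layout assumed here (precedence in the top three bits, the four ToS bits directly below them, DSCP as the top six bits) is the standard IP header layout rather than something the manual states; the function names are this example's own, and the keyword tables are copied from Tables 1-4 to 1-6.

```python
# Added example, not from the manual. Bit layout of the IP ToS byte assumed here
# (standard IP header layout): precedence = bits 7..5, ToS bits = bits 4..1,
# DSCP = bits 7..2, so one byte feeds all three "Packet priority" fields of Table 1-3.
DSCP_KEYWORDS = {"be": 0, "cs1": 8, "af11": 10, "af12": 12, "af13": 14, "cs2": 16, "af21": 18,
                 "af22": 20, "af23": 22, "cs3": 24, "af31": 26, "af32": 28, "af33": 30, "cs4": 32,
                 "af41": 34, "af42": 36, "af43": 38, "cs5": 40, "ef": 46, "cs6": 48, "cs7": 56}
PRECEDENCE_KEYWORDS = ["routine", "priority", "immediate", "flash", "flash-override",
                       "critical", "internet", "network"]          # Table 1-5, index = value
TOS_KEYWORDS = {"normal": 0, "min-monetary-cost": 1, "max-reliability": 2,
                "max-throughput": 4, "min-delay": 8}                 # Table 1-6


def fields_from_tos_byte(tos_byte: int) -> dict:
    """Split one ToS byte into the three values an advanced ACL rule can test."""
    if not 0 <= tos_byte <= 255:
        raise ValueError("ToS byte out of range")
    return {"precedence": tos_byte >> 5, "tos": (tos_byte >> 1) & 0xF, "dscp": tos_byte >> 2}


def tos_byte_from_dscp(dscp) -> int:
    """dscp is a keyword from Table 1-4 or a number 0..63; the low two bits are left zero."""
    value = DSCP_KEYWORDS[dscp] if isinstance(dscp, str) else int(dscp)
    if not 0 <= value <= 63:
        raise ValueError("DSCP out of range")
    return value << 2


def precedence_keyword(tos_byte: int) -> str:
    """The Table 1-5 keyword a `precedence` rule would need in order to match this byte."""
    return PRECEDENCE_KEYWORDS[fields_from_tos_byte(tos_byte)["precedence"]]


def overlapping(rule_a: dict, rule_b: dict) -> bool:
    """True if some ToS byte satisfies the priority fields of both rules. Each rule is a
    dict with any of 'precedence', 'tos', 'dscp' (numeric values), e.g. {'dscp': 46}."""
    for byte in range(256):
        f = fields_from_tos_byte(byte)
        if all(f[k] == v for k, v in rule_a.items()) and all(f[k] == v for k, v in rule_b.items()):
            return True
    return False


if __name__ == "__main__":
    # Constructed check: a rule on `dscp ef` and a rule on `precedence critical` overlap.
    print(overlapping({"dscp": DSCP_KEYWORDS["ef"]},
                      {"precedence": PRECEDENCE_KEYWORDS.index("critical")}))
```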
If you specify TCP or UDP as the protocol type, you can also specify the parameters listed in Table 1-7.
Table 1-7 TCP/UDP-related rule information
| Parameter | Type | Function | Description |
| --- | --- | --- | --- |
| source-port operator port1 [ port2 ] | Source port | Specifies the source port information for TCP/UDP packets. | The operator argument can be lt (less than), gt (greater than), eq (equal to), neq (not equal to), or range (within the range). The port2 argument is required only when the operator argument is range. port1, port2: optional parameters. TCP/UDP port number, which can be a port name or a number ranging from 0 to 65535. |
| destination-port operator port1 [ port2 ] | Destination port | Specifies the destination port information for TCP/UDP packets. | The operator, port1 and port2 arguments are as described for source-port. |
| established | The identifier for the establishment of a TCP connection. | Specifies that the rule is applicable only to the first SYN segment for establishing a TCP connection. | This keyword is for TCP only. |
When using port names to specify TCP/UDP ports, you can use the names listed in Table 1-8.
Table 1-8 TCP/UDP port values
| Protocol type | Value |
| --- | --- |
| TCP | CHARgen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), www (80) |
| UDP | biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (139), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), xdmcp (177) |
If you specify ICMP as the protocol type, you can define the parameters listed in Table 1-9.
Table 1-9 ICMP-related rule information
| Parameter | Type | Function | Description |
| --- | --- | --- | --- |
| icmp-type icmp-type icmp-code | ICMP packet type and message code | Specifies the ICMP packet type and message code for the rule. | icmp-type: ICMP message type, an integer ranging from 0 to 255. icmp-code: ICMP message code, an integer ranging from 0 to 255. |
Table 1-10 lists common ICMP message types.
Table 1-10 ICMP message types
| Name | ICMP TYPE | ICMP CODE |
| --- | --- | --- |
| echo | Type=8 | Code=0 |
| echo-reply | Type=0 | Code=0 |
| fragmentneed-DFset | Type=3 | Code=4 |
| host-redirect | Type=5 | Code=1 |
| host-tos-redirect | Type=5 | Code=3 |
| host-unreachable | Type=3 | Code=1 |
| information-reply | Type=16 | Code=0 |
| information-request | Type=15 | Code=0 |
| net-redirect | Type=5 | Code=0 |
| net-tos-redirect | Type=5 | Code=2 |
| net-unreachable | Type=3 | Code=0 |
| parameter-problem | Type=12 | Code=0 |
| port-unreachable | Type=3 | Code=3 |
| protocol-unreachable | Type=3 | Code=2 |
| reassembly-timeout | Type=11 | Code=1 |
| source-quench | Type=4 | Code=0 |
| source-route-failed | Type=3 | Code=5 |
| timestamp-reply | Type=14 | Code=0 |
| timestamp-request | Type=13 | Code=0 |
| ttl-exceeded | Type=11 | Code=0 |
Description
Use the rule command to define an ACL rule.
Use the undo rule command to remove an ACL rule or the specified settings of an ACL rule.
To remove an ACL rule, you need to specify the number of the ACL rule. You can obtain the number of an ACL rule by executing the display acl command.
Note the following when you define an ACL rule with the rule number specified:
- If the ACL is created with the config keyword specified and the rule identified by the rule-id argument exists, the settings specified in the rule command overwrite their counterparts in the existing rule (other settings of the rule remain unchanged). If the ACL is created with the auto keyword specified, the rules of the ACL cannot be edited; in this case, the system prompts an error when you execute the rule command.
- If the specified rule number identifies an existing ACL rule, the existing rule is edited.
- If the specified rule number identifies no ACL rule, a new ACL rule is created.
If you define an ACL rule without specifying the rule number, a new ACL rule is created and the switch allocates a rule number for it automatically.
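An added example (not H3C code) that parses the rule-string form described above and evaluates constructed packets against a rule list in configured order, including the port operators of Table 1-7 and port names from Table 1-8. parse_rule, packet_matches, first_match and the packet dictionaries are this example's own; only the subset of keywords needed here is supported, and the first rule in the sample list is the manual's ACL 3000 example rule.

```python
import ipaddress
from typing import Dict, List, Optional

# Added example, not H3C code: parse_rule/packet_matches/first_match are this
# example's own and support only the keywords needed to illustrate the text.
PROTO_NUMBERS = {"icmp": 1, "igmp": 2, "ipinip": 4, "tcp": 6, "udp": 17, "gre": 47, "ospf": 89}
PORT_NAMES = {"telnet": 23, "www": 80, "smtp": 25, "ftp": 21, "dns": 53}  # subset of Table 1-8

def wildcard_match(ip: str, addr: str, wild: str) -> bool:
    """Zero wildcard bits must equal the rule address; one bits are ignored."""
    x, a, w = (int(ipaddress.IPv4Address(s)) for s in (ip, addr, wild))
    return (x ^ a) & ~w == 0

def port_match(port: int, op: str, p1: int, p2: Optional[int] = None) -> bool:
    """Port operators from Table 1-7; range is inclusive and needs port2."""
    return {"lt": port < p1, "gt": port > p1, "eq": port == p1, "neq": port != p1,
            "range": p2 is not None and p1 <= port <= p2}[op]

def _port(token: str) -> int:
    return int(PORT_NAMES.get(token.lower(), token))

def parse_rule(rule_string: str) -> Dict:
    """Parse e.g. 'deny tcp destination 202.38.160.0 0.0.0.255 destination-port eq 23'.
    Protocol 'ip' means any IP protocol and is stored as None."""
    tok = rule_string.split()
    proto = tok[1].lower()
    rule: Dict = {"action": tok[0], "protocol": None if proto == "ip" else PROTO_NUMBERS[proto]}
    i = 2
    while i < len(tok):
        key = tok[i]
        if key in ("source", "destination"):
            if tok[i + 1] == "any":
                rule[key], i = ("0.0.0.0", "255.255.255.255"), i + 2
            else:
                rule[key], i = (tok[i + 1], tok[i + 2]), i + 3
        elif key in ("source-port", "destination-port"):
            op = tok[i + 1]
            p2 = _port(tok[i + 3]) if op == "range" else None
            rule[key], i = (op, _port(tok[i + 2]), p2), i + (4 if op == "range" else 3)
        else:
            raise ValueError(f"keyword not supported by this example: {key}")
    return rule

def packet_matches(rule: Dict, pkt: Dict) -> bool:
    """pkt is a constructed dict with keys proto, src, dst, sport, dport."""
    if rule["protocol"] is not None and pkt["proto"] != rule["protocol"]:
        return False
    for key, field in (("source", "src"), ("destination", "dst")):
        if key in rule and not wildcard_match(pkt[field], *rule[key]):
            return False
    for key, field in (("source-port", "sport"), ("destination-port", "dport")):
        if key in rule and not port_match(pkt[field], *rule[key]):
            return False
    return True

def first_match(rule_strings: List[str], pkt: Dict) -> Optional[str]:
    """Configured match order: the first rule that matches decides; None = no match."""
    for rs in rule_strings:
        rule = parse_rule(rs)
        if packet_matches(rule, pkt):
            return rule["action"]
    return None

# Constructed rule list; the first entry is the manual's ACL 3000 example rule.
ACL_3000 = ["deny tcp destination 202.38.160.0 0.0.0.255 destination-port eq telnet",
            "permit ip"]
```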
Example
# Configure ACL 3000 to prohibit users logged into this device from telnetting to a Telnet server on subnet 202.38.160.0. For detailed information about login user control, refer to the “Login” module in this manual.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] acl number 3000
[H3C-acl-adv-3000] rule deny tcp destination 202.38.160.0 0.0.0.255 destination-port eq 23
[H3C-acl-adv-3000] display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 1
rule 0 deny tcp destination 202.38.160.0 0.0.0.255 destination-port eq telnet (0 times matched)
1.1.7 rule comment
Syntax
rule rule-id comment text
undo rule rule-id comment
View
Advanced ACL view
Parameter
comment text: Specifies a comment for an ACL rule. The text argument is a string comprising up to 127 characters.
Description
Use the rule comment command to specify a comment for an ACL rule.
Use the undo rule comment command to remove the comment of an ACL rule.
Make sure the ACL rule identified by the rule-id argument exists before executing the rule comment command.
Example
# Specify the comment of rule 0 of ACL 3000 to be test.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] acl number 3000
[H3C-acl-adv-3000] rule 0 comment test
1.1.8 time-range
Syntax
time-range time-name { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date }
undo time-range { name time-name [ start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date ] | all }
View
System view
Parameter
time-name: Name of a time range, used as the identifier of the time range.
start-time: Start time of a periodic time range, in the form of hh:mm.
end-time: End time of a periodic time range, in the form of hh:mm.
days-of-the-week: Day of the week when the periodic time range is active. You can provide this argument in one of the following forms.
- Numeral (0 to 6)
- Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, and Sunday
- Working days (Monday through Friday)
- Off days (Saturday and Sunday)
- Daily, namely every day of the week
from start-time start-date: Specifies the start date of an absolute time range, in the form of hh:mm MM/DD/YYYY or hh:mm YYYY/MM/DD. The start-time start-date and end-time end-date arguments jointly define the period in which the absolute time range takes effect. If the start date is not specified, the time range starts from the earliest time that the system can represent.
to end-time end-date: Specifies the end date of an absolute time range, in the form of hh:mm MM/DD/YYYY or hh:mm YYYY/MM/DD. The start-time start-date and end-time end-date arguments jointly define the period in which the absolute time range takes effect. If the end date is not specified, the time range ends at 2100/12/31 23:59.
all: Removes all the time ranges.
Description
Use the time-range command to define a time range.
Use the undo time-range command to remove a time range.
A time range defined with the time-range command can include absolute time sections and periodic time sections. start-time and end-time days-of-the-week jointly define a periodic time section, while start-time start-date and end-time end-date jointly define an absolute time section.
If only a periodic time section is defined in a time range, the time range is active only within the defined periodic time section.
If only an absolute time section is defined in a time range, the time range is active only within the defined absolute time section.
If both a periodic time section and an absolute time section are defined in a time range, the time range is active only when the periodic time section and the absolute time section are both matched. Assume that a time range defines an absolute time section from 00:00 January 1, 2004 to 23:59 December 31, 2004, and a periodic time section from 12:00 to 14:00 every Wednesday. This time range is active only from 12:00 to 14:00 every Wednesday in 2004.
If you include any argument in the undo time-range command, the system deletes only the content defined by that argument from the time range.
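The active/inactive logic described above, as an added example that is not part of the manual: a TimeRange class holding periodic and absolute sections, whose is_active() requires both kinds to match when both are present, checked against the Wednesday-in-2004 case from the description and the hhy range from the display time-range output. The class and helper names are this example's own; it assumes that the numeral form of days-of-the-week counts 0 as Sunday, which the text does not state.

```python
from datetime import datetime
from typing import List, Optional, Set, Tuple

# Added example, not H3C code. Assumption (not stated in the text): the numeral
# form of days-of-the-week counts 0 as Sunday; Python's weekday() counts 0 as Monday.
DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_GROUPS = {"working-day": {0, 1, 2, 3, 4}, "off-day": {5, 6}, "daily": set(range(7))}
EARLIEST = datetime.min                      # start when `from` is omitted
LATEST = datetime(2100, 12, 31, 23, 59)      # end when `to` is omitted (from the text)


def parse_days(word: str) -> Set[int]:
    """Numeral 0..6, a day name, or working-day / off-day / daily -> Python weekdays."""
    w = word.lower()
    if w in DAY_GROUPS:
        return DAY_GROUPS[w]
    if w in DAY_NAMES:
        return {DAY_NAMES.index(w)}
    return {(int(w) - 1) % 7}                # 0 = Sunday (assumed) -> weekday 6


def parse_abs(stamp: str) -> datetime:
    """'08:30 2/5/2003' (hh:mm MM/DD/YYYY) or '08:30 2003/2/5' (hh:mm YYYY/MM/DD)."""
    for fmt in ("%H:%M %m/%d/%Y", "%H:%M %Y/%m/%d"):
        try:
            return datetime.strptime(stamp, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {stamp}")


def _minutes(hhmm: str) -> int:
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


class TimeRange:
    def __init__(self, name: str):
        self.name = name
        self.periodic: List[Tuple[int, int, Set[int]]] = []   # (start min, end min, weekdays)
        self.absolute: List[Tuple[datetime, datetime]] = []

    def add_periodic(self, start: str, end: str, days: str) -> "TimeRange":
        self.periodic.append((_minutes(start), _minutes(end), parse_days(days)))
        return self

    def add_absolute(self, start: Optional[str] = None, end: Optional[str] = None) -> "TimeRange":
        self.absolute.append((parse_abs(start) if start else EARLIEST,
                              parse_abs(end) if end else LATEST))
        return self

    def is_active(self, now: datetime) -> bool:
        """Active when (no periodic section, or one matches) and (no absolute section, or one matches)."""
        minute = now.hour * 60 + now.minute
        periodic_ok = not self.periodic or any(
            s <= minute <= e and now.weekday() in days for s, e, days in self.periodic)
        absolute_ok = not self.absolute or any(a <= now <= b for a, b in self.absolute)
        return periodic_ok and absolute_ok


# Constructed sample from the description: 12:00-14:00 every Wednesday, only during 2004.
WED_2004 = TimeRange("wed2004").add_periodic("12:00", "14:00", "wednesday").add_absolute(
    "00:00 1/1/2004", "23:59 12/31/2004")
```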
Example
# Configure an absolute time range named test, which takes effect from 00:00, January 1, 2003.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] time-range test from 0:0 1/1/2003
# Configure a periodic time range named test, which takes effect from 8:00 to 18:00 Monday through Friday.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] time-range test 8:00 to 18:00 working-day
# Configure a periodic time range named test, which takes effect from 14:00 to 18:00 on off days.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] time-range test 14:00 to 18:00 off-day