Access control list (ACL) is used mainly to
identify traffic. A series of matching rules are required for a network device
to identify the packets to be filtered. Packets are identified first before
they are permitted or denied according to previously defined policy.
ACL classifies packets according to a
series of matching rules. Packets can be classified by source address,
destination address and port number, and so on.
Matching rules defined in ACL can also be used
in some other cases requiring traffic classification, such as QoS traffic
classification.
ACLs fall into the following categories depending on their applications:
- Basic ACL, where rules are defined on the basis of the Layer 3 source IP address.
- Advanced ACL, where rules are defined on the basis of Layer 3 and Layer 4 information, such as source IP address, destination IP address, and the types and features of the protocols carried by IP.
- Layer 2 ACL, where rules are defined on the basis of Layer 2 information, such as source MAC address, destination MAC address, VLAN priority, and Layer 2 protocol type.
- User-defined ACL. An ACL of this type matches packets by comparing specific strings retrieved from the packets with specified strings.
I. Implemented by hardware
ACL can be delivered to hardware directly
for packets to be filtered and classified. In this case, the matching order of
ACL rules is determined by hardware instead of the customized one.
An ACL operates in this mode when it is
used for implementing QoS or is used to filter the packets to be forwarded.
II. Implemented by upper layer modules
ACL can also be used to filter or classify
the packets processed by the software running on switch. In this case, ACL
rules can be matched in the order the rules are defined or in the order
determined by the system (that is, in depth-first order).
The matching order of the existing rules of
an ACL cannot be modified. To enable the rules to be matched in a new order, you
can remove all the rules and define them again in the desired order.
An ACL operates in this mode when it is
used to control logon users.
An ACL may contain a number of rules, and
each rule specifies a different packet range. This brings about the issue of
match order when packets are matched.
An ACL supports the following match orders:
- Configured order: ACL rules are matched according to the configured order.
- Automatic ordering: ACL rules are matched according to "depth-first" order.
"Depth-first" order is described as follows:
- The "depth-first" ordering of rules in IP ACLs (basic and advanced ACLs) is implemented based on the lengths of the source IP address masks and the destination IP address masks. The rule with the longest masks is matched first, then the rule with the second longest masks, and so on. In the ordering, the lengths of the source IP address masks are compared first; if the source IP address masks have the same length, the lengths of the destination IP address masks are compared. For example, the rule whose source IP address mask is 255.255.255.0 precedes the rule whose source IP address mask is 255.255.0.0 in the match order.
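The two match orders described above, as an added example (this is not code from the manual or from H3C): rules are stored with the manual's "address wildcard" notation, the wildcard is converted back to a subnet-mask length so that the depth-first sort can compare mask lengths, and a first-match evaluation shows that the same packet can be permitted under one order and denied under the other. The first-match evaluation, the use of 0.0.0.0 255.255.255.255 for "any", and the bare wildcard "0" meaning a host address (0.0.0.0) are assumptions made here.

```python
"""Added example, not from the H3C manual: a model of the "config" and
"auto" (depth-first) match orders described above for IP ACL rules.
Assumptions made here (none are stated by the page): rules are evaluated
first-match; "any" is written as 0.0.0.0 with wildcard 255.255.255.255;
the manual's shorthand wildcard "0" means 0.0.0.0 (a host address)."""
from dataclasses import dataclass
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")


def _wild(wildcard: str) -> int:
    # the manual lets a bare "0" stand for the host wildcard 0.0.0.0
    return 0 if wildcard == "0" else int(IPv4Address(wildcard))


def mask_length(wildcard: str) -> int:
    """Length of the subnet mask whose complement is this wildcard:
    0.0.0.255 -> 24 (mask 255.255.255.0), 0.0.255.255 -> 16, 0 -> 32."""
    return 32 - bin(_wild(wildcard)).count("1")


def addr_matches(pkt_addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard bits set to 1 are ignored; every other bit must agree."""
    care = 0xFFFFFFFF ^ _wild(wildcard)
    return (int(IPv4Address(pkt_addr)) ^ int(IPv4Address(rule_addr))) & care == 0


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                        # "permit" or "deny"
    source: tuple                      # (address, wildcard)
    destination: tuple = ANY           # basic ACLs only look at the source

    def matches(self, src: str, dst: str) -> bool:
        return (addr_matches(src, *self.source)
                and addr_matches(dst, *self.destination))


def depth_first(rules):
    """Auto ordering: longest source mask first, ties broken by the longest
    destination mask.  sorted() is stable, so rules whose masks tie keep
    their configured order."""
    return sorted(rules,
                  key=lambda r: (mask_length(r.source[1]),
                                 mask_length(r.destination[1])),
                  reverse=True)


def evaluate(rules, src: str, dst: str):
    """First rule that matches decides; None when no rule matches."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.action
    return None


if __name__ == "__main__":
    # Constructed rules: a /16 deny configured before a /24 permit inside it.
    configured = [Rule(0, "deny", ("10.0.0.0", "0.0.255.255")),
                  Rule(1, "permit", ("10.0.1.0", "0.0.0.255"))]
    for order, rules in (("config", configured), ("auto", depth_first(configured))):
        print(order, [r.rule_id for r in rules],
              evaluate(rules, "10.0.1.5", "192.0.2.1"))
```

The constructed pair of rules is the case to watch for when an ACL is created with match-order auto: the broader /16 deny is configured first, but depth-first ordering moves the narrower /24 permit in front of it, so a host in 10.0.1.0/24 is permitted rather than denied.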
A time range-based ACL enables you to
implement ACL control over packets by differentiating the time ranges.
A time range can be specified in each rule
in an ACL. If the time range specified in a rule is not configured, the system
will give a prompt message and allow such a rule to be successfully created.
However, the rule does not take effect immediately. It takes effect only when
the specified time range is configured and the system time is within the time
range. If you remove the time range of an ACL rule, the ACL rule becomes
invalid the next time the ACL rule timer refreshes.
The following table lists the ACLs
supported by S3100-SI series switches.
Table 1-1 ACLs supported by the S3100-SI series switches
| ACL | ACL number range |
| Basic ACLs identified by numbers | 2000 to 2999 |
| Advanced ACLs identified by numbers | 3000 to 3999 |
The ACLs defined on S3100-SI series switches cannot be delivered to hardware; they can only be used by the upper layer modules.
A time section can be periodic or absolute.
A periodic time section is defined by specifying days of a week, while an
absolute time section is defined by specifying the start time and the end time.
An absolute time
range on an H3C S3100-SI switch can be within the range 1970/1/1 00:00 to
2100/12/31 24:00.
Table 1-2 Configure time range
| Operation | Command | Description |
| Enter system view | system-view | — |
| Configure a time range | time-range time-name { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date } | Required |
Note that:
If only a periodic time section is defined in a time range, the time range is active only when the system time is within the defined periodic time section. If multiple periodic time sections are defined in a time range, the time range is active only when the system time is within one of the periodic time sections.
If only an absolute time section is defined in a time range, the time range is active only when the system time is within the defined absolute time section. If multiple absolute time sections are defined in a time range, the time range is active only when the system time is within one of the absolute time sections.
If both a periodic time section and an absolute time section are defined in a time range, the time range is active only when the periodic time section and the absolute time section are both matched. Assume that a time range contains an absolute time section ranging from 00:00 January 1, 2004 to 23:59 December 31, 2004, and a periodic time section ranging from 12:00 to 14:00 on every Wednesday. This time range is active only when the system time is within the range from 12:00 to 14:00 on every Wednesday in 2004.
If the start time is not specified, the time section starts on the earliest date available in the system and ends on the specified end date. If the end date is not specified, the time section starts from the specified start date and ends at 2100/12/31 23:59.
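The activity rules stated in the notes above, as an added example that is not code from the manual or from H3C: a time range is active when some periodic section matches (if any are defined) and some absolute section matches (if any are defined), with the earliest system date and 2100/12/31 23:59 filling in an unspecified start or end. The representation of the sections, the Python weekday numbering, and the treatment of both bounds as inclusive are assumptions made here.

```python
"""Added example, not from the H3C manual: evaluates the "Note that" rules
above, i.e. when a time range with periodic and/or absolute sections is
active.  Representation assumed here: a periodic section is
(weekdays, "HH:MM", "HH:MM") with Python weekday numbers (Monday = 0);
an absolute section is (start, end) given as "YYYY-MM-DD HH:MM:SS" strings
or datetimes, where None stands for an unspecified start or end.  Both
kinds of bound are taken as inclusive."""
from datetime import datetime, time

EARLIEST = datetime(1970, 1, 1, 0, 0)       # earliest date the manual allows
LATEST = datetime(2100, 12, 31, 23, 59)     # end used when no end date is given
WORKING_DAY = {0, 1, 2, 3, 4}               # Monday through Friday


def _dt(value):
    """Accept a datetime, an ISO-style string, or None (unspecified)."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def _hhmm(text: str) -> time:
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))


def periodic_active(section, now: datetime) -> bool:
    days, start, end = section
    return now.weekday() in days and _hhmm(start) <= now.time() <= _hhmm(end)


def absolute_active(section, now: datetime) -> bool:
    start, end = (_dt(v) for v in section)
    return (start or EARLIEST) <= now <= (end or LATEST)


def time_range_active(periodic, absolute, now) -> bool:
    """Active only when one of the periodic sections matches (if any are
    defined) AND one of the absolute sections matches (if any are defined)."""
    if not periodic and not absolute:
        raise ValueError("a time range needs at least one section")
    now = _dt(now)
    periodic_ok = any(periodic_active(s, now) for s in periodic) if periodic else True
    absolute_ok = any(absolute_active(s, now) for s in absolute) if absolute else True
    return periodic_ok and absolute_ok


# The manual's own illustration: all of 2004, restricted to Wednesday 12:00-14:00.
YEAR_2004 = [("2004-01-01 00:00:00", "2004-12-31 23:59:00")]
WEDNESDAY_LUNCH = [({2}, "12:00", "14:00")]

if __name__ == "__main__":
    for when in ("2004-06-02 13:00:00",      # a Wednesday in 2004
                 "2004-06-03 13:00:00",      # a Thursday in 2004
                 "2005-06-01 13:00:00"):     # a Wednesday, but in 2005
        print(when, time_range_active(WEDNESDAY_LUNCH, YEAR_2004, when))
```

The same function reproduces the two display outputs further down: the periodic range "8:00 to 18:00 working-day" is inactive at 13:27:32 on Saturday 4/16/2005, and the absolute range from 15:00 1/28/2000 to 15:00 1/28/2004 is inactive at any time in 2005.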
# Define a periodic time range that will be active from 8:00 to 18:00 on Monday through Friday.
<H3C> system-view
[H3C] time-range test 8:00 to 18:00 working-day
[H3C] display time-range test
Current time is 13:27:32 4/16/2005 Saturday
Time-range : test ( Inactive )
08:00 to 18:00 working-day
# Define an absolute time range from 15:00 1/28/2000 to 15:00 1/28/2004.
<H3C> system-view
[H3C] time-range test from 15:00 1/28/2000 to 15:00 1/28/2004
[H3C] display time-range test
Current time is 13:30:32 4/16/2005 Saturday
Time-range : test ( Inactive )
From 15:00 Jan/28/2000 to 15:00 Jan/28/2004
A basic ACL defines
rules only based on the L3 source IP addresses to analyze and process data
packets.
The value range for basic ACL numbers is
2,000 to 2,999.
Before configuring an ACL rule containing time range arguments, you need to define the corresponding time ranges. For the configuration of time ranges, refer to 1.2 Time Range Configuration.
The source IP address information to be used in the rule has been determined.
Table 1-3 Define a basic ACL rule
| Operation | Command | Description |
| Enter system view | system-view | — |
| Enter basic ACL view | acl number acl-number [ match-order { config | auto } ] | By default, the match order is config |
| Define a rule | rule [ rule-id ] { permit | deny } [ fragment | source { sour-addr sour-wildcard | any } | time-range time-name ] | Required |
| Define the description information of the ACL | description text | Optional |
In the case that you specify the rule ID when defining a rule:
- If the ACL is created with the config keyword specified and the rule identified by the rule-id argument exists, the settings specified in the rule command overwrite the counterparts of the existing rule (other settings of the rule remain unchanged). If the ACL is created with the auto keyword specified, the rules of the ACL cannot be edited. In this case, the system prompts errors when you execute the rule command.
- If the rule corresponding to the specified rule ID does not exist, you will create and define a new rule.
- The content of a modified or created rule must not be identical with the content of any existing rule; otherwise the rule modification or creation will fail, and the system will prompt that the rule already exists.
If you do not specify a rule ID, you will create and define a new rule, and the system will assign an ID for the rule automatically.
# Configure ACL 2000 to prohibit the user with source address 1.1.1.1 from logging into the switch. For detailed information about login user control, refer to the “Login” module in this manual.
<H3C> system-view
[H3C] acl number 2000
[H3C-acl-basic-2000] rule deny source 1.1.1.1 0
[H3C-acl-basic-2000] display acl 2000
Basic ACL 2000, 1 rule
Acl's step is 1
rule 0 deny source 1.1.1.1 0 (0 times matched)
Advanced ACLs define classification rules
according to the source and destination IP addresses of packets, the type of
protocol over IP, and protocol-specific features such as TCP/UDP source and
destination ports, TCP flag bit, ICMP protocol type, code, and so on.
The value range for advanced ACL numbers is
3,000 to 3,999. Note that ACL 3998 and ACL 3999 cannot be configured because
they are reserved for the cluster management.
Advanced ACLs support analysis and processing of three packet priority levels: type of service (ToS) priority, IP precedence, and Differentiated Services Code Point (DSCP) priority.
Using advanced ACLs, you can define
classification rules that are more accurate, more abundant, and more flexible
than those defined with basic ACLs.
Before configuring an ACL rule containing time range arguments, you need to define the corresponding time ranges. For the configuration of time ranges, refer to section 1.2 Time Range Configuration.
The source and destination IP addresses, the type of the protocols carried by IP, and the protocol-specific features to be used in the rule have been determined.
Table 1-4 Define an advanced ACL rule
| Operation | Command | Description |
| Enter system view | system-view | — |
| Create or enter advanced ACL view | acl number acl-number [ match-order { config | auto } ] | By default, the match order is config. |
| Define a rule | rule [ rule-id ] { permit | deny } rule-string | Required |
| Define the comment string of the ACL rule | rule rule-id comment text | Optional |
| Define the description information of the ACL | description text | Optional |
rule-string: rule information, which can be a combination of the parameters described in Table 1-5. You must configure the protocol argument in the rule information before you can configure other arguments.
Table 1-5 Rule information
| Parameter | Type | Function | Description |
| protocol | Protocol type | Type of protocol over IP | When expressed in numerals, the value range is 1 to 255. When expressed with a name, the value can be GRE, ICMP, IGMP, IP, IPinIP, OSPF, TCP, and UDP. |
| source { sour-addr sour-wildcard | any } | Source address information | Specifies the source address information in the rule | sour-addr sour-wildcard is used to specify the source address of the packet, expressed in dotted decimal notation. sour-wildcard can be 0, which represents a host address. any represents any source address. |
| destination { dest-addr dest-wildcard | any } | Destination address information | Specifies the destination address information in the rule | dest-addr dest-wildcard is used to specify the destination address of the packet, expressed in dotted decimal notation. dest-wildcard can be 0, which represents a host address. any represents any destination address. |
| precedence precedence | Packet precedence | Packet priority | Value range: 0 to 7 |
| tos tos | Packet precedence | ToS priority | Value range: 0 to 15 |
| dscp dscp | Packet precedence | DSCP priority | Value range: 0 to 63 |
| fragment | Fragment information | Specifies that the rule is effective for non-initial fragment packets | — |
| time-range time-name | Time range information | Specifies the time range in which the rule is active | — |
sour-wildcard/dest-wildcard is a wildcard mask, that is, the bitwise complement of the source/destination subnet mask. For example, you input 0.0.255.255 to specify the subnet mask 255.255.0.0. The arguments can be set to 0 to represent a host IP address.
To define DSCP priority, you can directly
input a value ranging from 0 to 63, or input a keyword listed in Table 1-6.
Table 1-6 Description of DSCP values
| Keyword | DSCP value in decimal | DSCP value in binary |
| ef | 46 | 101110 |
| af11 | 10 | 001010 |
| af12 | 12 | 001100 |
| af13 | 14 | 001110 |
| af21 | 18 | 010010 |
| af22 | 20 | 010100 |
| af23 | 22 | 010110 |
| af31 | 26 | 011010 |
| af32 | 28 | 011100 |
| af33 | 30 | 011110 |
| af41 | 34 | 100010 |
| af42 | 36 | 100100 |
| af43 | 38 | 100110 |
| cs1 | 8 | 001000 |
| cs2 | 16 | 010000 |
| cs3 | 24 | 011000 |
| cs4 | 32 | 100000 |
| cs5 | 40 | 101000 |
| cs6 | 48 | 110000 |
| cs7 | 56 | 111000 |
| be (default) | 0 | 000000 |
To define IP
precedence, you can directly input a value ranging from 0 to 7, or input a
keyword listed in Table
1-7.
Table 1-7 Description of IP precedence values
| Keyword | IP Precedence value in decimal | IP Precedence value in binary |
| routine | 0 | 000 |
| priority | 1 | 001 |
| immediate | 2 | 010 |
| flash | 3 | 011 |
| flash-override | 4 | 100 |
| critical | 5 | 101 |
| internet | 6 | 110 |
| network | 7 | 111 |
To define ToS priority, you can directly
input a value ranging from 0 to 15, or input a keyword listed in Table 1-8.
Table 1-8 Description of ToS values
| Keyword | ToS value in decimal | ToS value in binary |
| normal | 0 | 0000 |
| min-monetary-cost | 1 | 0001 |
| max-reliability | 2 | 0010 |
| max-throughput | 4 | 0100 |
| min-delay | 8 | 1000 |
If the protocol type is TCP or UDP, you can
also define the following information:
Table 1-9 TCP/UDP-specific rule information
| Parameter | Type | Function | Description |
| source-port operator port1 [ port2 ] | Source port(s) | Defines the source port information of UDP/TCP packets | The value of operator can be lt (less than), gt (greater than), eq (equal to), neq (not equal to) or range (within the specified range). Only the range operator requires two port numbers as operands; the other operators require only one port number as the operand. port1 and port2: TCP/UDP port number(s), expressed with name(s) or numerals; when expressed with numerals, the value range is 0 to 65,535 |
| destination-port operator port1 [ port2 ] | Destination port(s) | Defines the destination port information of UDP/TCP packets | Same as above |
| established | “TCP connection established” flag | Specifies that the rule is applicable only to the first SYN segment for establishing a TCP connection | TCP-specific argument |
When using port name to specify TCP/UDP
ports, you can define the following information.
Table 1-10 TCP/UDP port values
| Protocol type | Value |
| TCP | CHARgen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), www (80) |
| UDP | biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (139), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), xdmcp (177) |
If the protocol
type is ICMP, you can also define the following information:
Table 1-11 ICMP-specific rule information
| Parameter | Type | Function | Description |
| icmp-type icmp-type icmp-code | Type and message code information of ICMP packets | Specifies the type and message code information of ICMP packets in the rule | icmp-type: ICMP message type, ranging 0 to 255. icmp-code: ICMP message code, ranging 0 to 255 |
If the protocol
type is ICMP, you can also directly input the ICMP message name after the icmp-type
argument. The following table describes some common ICMP messages.
Table 1-12 ICMP messages
| Name | ICMP TYPE | ICMP CODE |
| echo | Type=8 | Code=0 |
| echo-reply | Type=0 | Code=0 |
| fragmentneed-DFset | Type=3 | Code=4 |
| host-redirect | Type=5 | Code=1 |
| host-tos-redirect | Type=5 | Code=3 |
| host-unreachable | Type=3 | Code=1 |
| information-reply | Type=16 | Code=0 |
| information-request | Type=15 | Code=0 |
| net-redirect | Type=5 | Code=0 |
| net-tos-redirect | Type=5 | Code=2 |
| net-unreachable | Type=3 | Code=0 |
| parameter-problem | Type=12 | Code=0 |
| port-unreachable | Type=3 | Code=3 |
| protocol-unreachable | Type=3 | Code=2 |
| reassembly-timeout | Type=11 | Code=1 |
| source-quench | Type=4 | Code=0 |
| source-route-failed | Type=3 | Code=5 |
| timestamp-reply | Type=14 | Code=0 |
| timestamp-request | Type=13 | Code=0 |
| ttl-exceeded | Type=11 | Code=0 |
In the case that you specify the rule ID when defining a rule:
- If the ACL is created with the config keyword specified and the rule identified by the rule-id argument exists, the settings specified in the rule command overwrite the counterparts of the existing rule (other settings of the rule remain unchanged). If the ACL is created with the auto keyword specified, the rules of the ACL cannot be edited. In this case, the system prompts errors when you execute the rule command.
- If the rule corresponding to the specified rule ID does not exist, you will create and define a new rule.
- The content of a modified or created rule must not be identical with the content of any existing rule; otherwise the rule modification or creation will fail, and the system will prompt that the rule already exists.
If you do not specify a rule ID, you will create and define a new rule, and the system will assign an ID for the rule automatically.
# Configure ACL 3000 to prohibit users logged into this device from telnetting to a Telnet server on subnet 202.38.160.0. For detailed information about login user control, refer to the “Login” module in this manual.
<H3C> system-view
[H3C] acl number 3000
[H3C-acl-adv-3000] rule deny tcp destination 202.38.160.0 0.0.0.255 destination-port eq 23
[H3C-acl-adv-3000] display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 1
rule 0 deny tcp destination 202.38.160.0 0.0.0.255 destination-port eq telnet (0 times matched)
After the above configuration, you can use the display command in any view to view the ACL running information, so as to verify the configurations you made.
Table 1-13 Display ACLs and time ranges
| Operation | Command | Description |
| Display a configured ACL or all the ACLs | display acl { all | acl-number } | You can use the display command in any view. |
| Display a time range or all the time ranges | display time-range { all | time-name } |