As the network scale and network traffic
are increasingly growing, security control and bandwidth assignment play a more
and more important role in network management. Filtering data packets can
prevent a network from being accessed by unauthorized users efficiently while
controlling network traffic and saving network resources. Access control lists
(ACL) are often used to filter packets with configured matching rules.
Upon receiving a packet, the switch compares
the packet with the rules of the ACL applied on the current port to permit or
discard the packet.
The rules of an ACL can be referenced by
other functions that need traffic classification, such as QoS.
ACLs classify packets using a series of
conditions known as rules. The conditions can be based on source addresses,
destination addresses and port numbers carried in the packets.
According to their application purposes,
ACLs fall into the following four types.
l
Basic ACL. Rules are created based on source IP
addresses only.
l
Advanced ACL. Rules are created based on the Layer
3 and Layer 4 information such as the source and destination IP addresses, type
of the protocols carried by IP, protocol-specific features, and so on.
l
Layer 2 ACL. Rules are created based on the
Layer 2 information such as source and destination MAC addresses, VLAN priorities,
type of Layer 2 protocol, and so on.
l
User-defined ACL. An ACL of this type matches
packets by comparing the strings retrieved from the packets with specified
strings. It defines the byte it begins to perform “and” operation
with the mask on the basis of packet headers.
S3100 Series Ethernet
switches match IPv6 packets by user-defined ACLs. In the following sections,
user-defined ACLs are referred to as IPv6 ACLs. For details about IPv6 ACL,
refer to section 1.2.5 Configuring an IPv6 ACL.
An ACL can contain multiple rules, each of which
matches specific type of packets. So the order in which the rules of an ACL are
matched needs to be determined.
The rules in an ACL can be matched in one
of the following two ways:
l
config: where rules in an ACL are matched in the order defined by the user.
l
auto: where rules
in an ACL are matched in the order determined by the system, namely the “depth-first” rule.
For depth-first rule, there are two cases:
I. Depth-first match order for rules
of a basic ACL
1)
Range of source IP address: The smaller the
source IP address range (that is, the more the number of zeros in the wildcard
mask), the higher the match priority.
2)
Fragment keyword: A rule with the fragment keyword
is prior to others.
3)
If the above two conditions are identical, the earlier
configured rule applies.
II. Depth-first match order for rules
of an advanced ACL
1)
Protocol range: A rule which has specified the types
of the protocols carried by IP is prior to others.
2)
Range of source IP address: The smaller the
source IP address range (that is, the more the number of zeros in the wildcard
mask), the higher the match priority.
3)
Range of destination IP address. The smaller the
destination IP address range (that is, the more the number of zeros in the wildcard
mask), the higher the match priority.
4)
Range of Layer 4 port number, that is, TCP/UDP
port number. The smaller the range, the higher the match priority.
5)
Number of parameters: the more the parameters,
the higher the match priority.
If rule A and rule B are still the same
after comparison in the above order, the weighting principles will be used in
deciding their priority order. Each parameter is given a fixed weighting value.
This weighting value and the value of the parameter itself will jointly decide
the final matching order. Involved parameters with weighting values from high to
low are icmp-type, established, dscp, tos, precedence,
fragment. Comparison rules are listed below.
l
The smaller the weighting value left, which is a
fixed weighting value minus the weighting value of every parameter of the rule,
the higher the match priority.
l
If the types of parameter are the same for
multiple rules, then the sum of parameters’ weighting values of a rule
determines its priority. The smaller the sum, the higher the match priority.
The match order of an IPv6 ACL can only be config.
I. Being applied to the hardware
directly
In the switch, an ACL can be directly
applied to hardware for packet filtering and traffic classification. In this
case, the rules in an ACL are matched in the order determined by the hardware
instead of that defined in the ACL. For H3C S3100 series Ethernet switches, the
earlier the rule applies, the higher the match priority.
ACLs are directly applied to hardware when
they are used for:
l
Implementing QoS
l
Filtering the packets to be forwarded
II. Being referenced by upper-level
software
ACLs can also be used to filter and
classify the packets to be processed by software. In this case, the rules in an
ACL can be matched in one of the following two ways:
l
config, where rules in an ACL are matched in the order defined by the user.
l
auto, where the
rules in an ACL are matched in the order determined by the system, namely the “depth-first” order.
When applying an ACL in this way, you can
specify the order in which the rules in the ACL are matched. The match order
cannot be modified once it is determined, unless you delete all the rules in
the ACL and define the match order.
An ACL can be referenced by upper-layer software:
l
Referenced by routing policies
l
Used to control Telnet, SNMP and Web login users
l
When an ACL is directly applied to hardware for
packet filtering, the switch will permit packets if the packets do not match
the ACL.
l
When an ACL is referenced by upper-layer
software to control Telnet, SNMP and Web login users, the switch will deny
packets if the packets do not match the ACL.
S3100 Series Ethernet
switches support the following types of ACLs.
l
Basic ACLs
l
Advanced ACLs
l
Layer 2 ACLs
l
IPv6 ACLs
Note that ACLs defined on S3100 Series
Ethernet switches can be applied to hardware directly or referenced by
upper-layer software for packet filtering.
Time ranges can be used to filter packets. You
can specify a time range for each rule in an ACL. A time range-based ACL takes
effect only in specified time ranges. Only after a time range is configured and
the system time is within the time range, can an ACL rule take effect.
Two types of time ranges are available:
l
Periodic time range, which recurs periodically
on the day or days of the week.
l
Absolute time range, which takes effect only in
a period of time and does not recur.
An absolute time
range on an H3C S3100 Series Ethernet Switches can be within the range 1970/1/1
00:00 to 2100/12/31 24:00.
Table 1-1 Configure a time range
|
Operation
|
Command
|
Description
|
|
Enter system view
|
system-view
|
—
|
|
Create a time range
|
time-range time-name { start-time to end-time
days-of-the-week [ from start-time start-date ] [ to
end-time end-date ] | from start-time start-date [ to
end-time end-date ] | to end-time end-date }
|
Required
|
Note that:
l
If only a periodic time section is defined in a
time range, the time range is active only when the system time is within the
defined periodic time section. If multiple periodic time sections are defined
in a time range, the time range is active only when the system time is within
one of the periodic time sections.
l
If only an absolute time section is defined in a
time range, the time range is active only when the system time is within the
defined absolute time section. If multiple absolute
time sections are defined in a time range, the time range is active only when
the system time is within one of the absolute time sections.
l
If both a periodic time section and an absolute
time section are defined in a time range, the time range is active only when
the periodic time range and the absolute time range are both matched. Assume
that a time range contains an absolute time section ranging from 00:00 January
1, 2004 to 23:59 December 31, 2004, and a periodic time section ranging from
12:00 to 14:00 on every Wednesday. This time range is active only when the
system time is within the range from 12:00 to 14:00 on every Wednesday in 2004.
l
If the start time is not specified, the time section
starts from 1970/1/1 00:00 and ends on the specified end date. If the end date
is not specified, the time section starts from the specified start date to 2100/12/31
23:59.
# Define a periodic time range that spans
from 8:00 to 18:00 on Monday through Friday.
<Sysname> system-view
[Sysname] time-range test 8:00 to
18:00 working-day
[Sysname] display time-range test
Current time is 13:27:32 Apr/16/2005
Saturday
Time-range : test ( Inactive )
08:00 to 18:00 working-day
# Define an absolute time range spans from
15:00 1/28/2006 to 15:00 1/28/2008.
<Sysname> system-view
[Sysname] time-range test from 15:00
1/28/2006 to 15:00 1/28/2008
[Sysname] display time-range test
Current time is 13:30:32 Apr/16/2005
Saturday
Time-range : test ( Inactive )
From 15:00 Jan/28/2000 to 15:00
Jan/28/2004
A basic ACL filters
packets based on their source IP addresses.
A basic ACL can be numbered from 2000 to
2999.
I. Configuration prerequisites
l
To configure a time range-based basic ACL rule,
you need to create the corresponding time range first. For information about
time range configuration, refer to section 1.2.1 Configuring Time Range.
l
The source IP addresses based on which the ACL
filters packets are determined.
Table 1-2 Define a basic ACL rule
|
Operation
|
Command
|
Description
|
|
Enter
system view
|
system-view
|
—
|
|
Create an
ACL and enter basic ACL view
|
acl
number acl-number [ match-order { auto
| config } ]
|
Required
config by default
|
|
Define an ACL
rule
|
rule [ rule-id ] { deny | permit } [ rule-string
]
|
Required
For
information about rule-string, refer to ACL Command.
|
|
Configure a
description string to the ACL
|
description text
|
Optional
Not
configured by default
|
Note that:
l
With the config match order specified for
the basic ACL, you can modify any existent rule. The unmodified part of the
rule remains. With the auto match order specified for the basic ACL, you
cannot modify any existent rule; otherwise the system prompts error
information.
l
If you do not specify the rule-id
argument when creating an ACL rule, the rule will be numbered automatically. If
the ACL has no rules, the rule is numbered 0; otherwise, the number of the rule
will be the greatest rule number plus one. If the current greatest rule number
is 65534, however, the system will display an error message and you need to
specify a number for the rule.
l
The content of a modified or created rule cannot
be identical with the content of any existing rule; otherwise the rule
modification or creation will fail, and the system prompts that the rule
already exists.
l
With the auto match order specified, the
newly created rules will be inserted in the existent ones by depth-first
principle, but the numbers of the existent rules are unaltered.
# Configure ACL 2000 to deny packets whose
source IP addresses are 192.168.0.1.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule deny source
192.168.0.1 0
# Display the configuration information of
ACL 2000.
[Sysname-acl-basic-2000] display acl
2000
Basic ACL 2000, 1 rule
Acl's step is 1
rule 0 deny source 192.168.0.1 0
An advanced ACL can filter packets by their
source and destination IP addresses, the protocols carried by IP, and protocol-specific
features such as TCP/UDP source and destination ports, ICMP message type and
message code.
An advanced ACL can be numbered from 3000
to 3999. Note that ACL 3998 and ACL 3999 cannot be
configured because they are reserved for cluster management.
Advanced ACLs support analysis and
processing of three packet priority levels: type of service (ToS) priority, IP
priority and differentiated services codepoint (DSCP) priority.
Using advanced ACLs, you can define
classification rules that are more accurate, more abundant, and more flexible
than those defined for basic ACLs.
I. Configuration prerequisites
l
To configure a time range-based advanced ACL
rule, you need to create the corresponding time ranges first. For information
about of time range configuration, refer to section 1.2.1 Configuring Time Range.
l
The settings to be specified in the rule, such
as source and destination IP addresses, the protocols carried by IP, and
protocol-specific features, are determined.
Table 1-3 Define an advanced ACL rule
|
Operation
|
Command
|
Description
|
|
Enter system view
|
system-view
|
—
|
|
Create an advanced ACL and enter advanced
ACL view
|
acl number
acl-number [ match-order { auto | config } ]
|
Required
config by
default
|
|
Define an ACL rule
|
rule [ rule-id
] { permit | deny } protocol [ rule-string ]
|
Required
For information about protocol and
rule-string, refer to ACL Commands.
|
|
Assign a description string to the ACL
rule
|
rule rule-id
comment text
|
Optional
No description by default
|
|
Assign a
description string to the ACL
|
description text
|
Optional
No
description by default
|
Note
that:
l
With the config match order specified for
the advanced ACL, you can modify any existent rule. The unmodified part of the
rule remains. With the auto match order specified for the ACL, you
cannot modify any existent rule; otherwise the system prompts error information.
l
If you do not specify the rule-id
argument when creating an ACL rule, the rule will be numbered automatically. If
the ACL has no rules, the rule is numbered 0; otherwise, the number of the rule
will be the greatest rule number plus one. If the current greatest rule number
is 65534, however, the system will display an error message and you need to
specify a number for the rule.
l
The content of a modified or created rule cannot
be identical with the content of any existing rules; otherwise the rule modification
or creation will fail, and the system prompts that the rule already exists.
l
If the ACL is created with the auto
keyword specified, the newly created rules will be inserted in the existent
ones by depth-first principle, but the numbers of the existent rules are
unaltered.
# Configure ACL 3000 to permit the TCP packets
sourced from the network 129.9.0.0/16 and destined for the network 202.38.160.0/24
and with the destination port number being 80.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule permit tcp
source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255
destination-port eq 80
# Display the configuration information of
ACL 3000.
[Sysname-acl-adv-3000] display acl
3000
Advanced ACL 3000, 1 rule
Acl's step is 1
rule 0 permit
tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255
destination-port eq www
1.2.4 Configuring Layer 2 ACL
Layer 2 ACLs filter
packets according to their Layer 2 information, such as the source and
destination MAC addresses, VLAN priority, and Layer 2 protocol types.
A Layer 2 ACL can be numbered from 4000 to
4999.
I. Configuration prerequisites
l
To configure a time range-based Layer 2 ACL
rule, you need to create the corresponding time ranges first. For information
about time range configuration, refer to section 1.2.1 Configuring Time Range
l
The settings to be specified in the rule, such
as source and destination MAC addresses, VLAN priorities, and Layer 2 protocol
types, are determined.
Table 1-4 Define a Layer 2 ACL rule
|
Operation
|
Command
|
Description
|
|
Enter system view
|
system-view
|
—
|
|
Create a Layer 2 ACL and enter Layer 2
ACL view
|
acl number
acl-number
|
Required
|
|
Define an ACL rule
|
rule [ rule-id
] { permit | deny } rule-string
|
Required
For information about rule-string,
refer to ACL Commands.
|
|
Assign a description string to the ACL
rule
|
rule rule-id
comment text
|
Optional
No description by default
|
|
Assign a description string to the ACL
|
description text
|
Optional
No description by default
|
Note that:
l
You can modify any existent rule of the Layer 2
ACL and the unmodified part of the ACL remains.
l
If you do not specify the rule-id
argument when creating an ACL rule, the rule will be numbered automatically. If
the ACL has no rules, the rule is numbered 0; otherwise, the number of the rule
will be the greatest rule number plus one. If the current greatest rule number
is 65534, however, the system will display an error message and you need to
specify a number for the rule.
l
The content of a modified or created rule cannot
be identical with the content of any existing rules; otherwise the rule
modification or creation will fail, and the system prompts that the rule
already exists.
# Configure ACL 4000 to deny packets sourced
from the MAC address 000d-88f5-97ed, destined for the MAC address
0011-4301-991e, and with their 802.1p priority being 3.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] rule
deny cos 3 source 000d-88f5-97ed ffff-ffff-ffff dest 0011-4301-991e
ffff-ffff-ffff
# Display the configuration information of
ACL 4000.
[Sysname-acl-ethernetframe-4000] display
acl 4000
Ethernet frame ACL 4000, 1 rule
Acl's step is 1
rule 0 deny cos excellent-effort
source 000d-88f5-97ed ffff-ffff-ffff dest 0011-4301-991e ffff-ffff-ffff
You can match IPv6 packets by IPv6 ACLs to
process IPv6 data flows as required. S3100 Series Ethernet switches support
matching the following fields:
l
dscp: Matches the
traffic class field in IPv6 packets.
l
ip-protocol: Matches
the next header field in IPv6 packets.
l
src-ip: Matches
the source address field in IPv6 packets.
l
dest-ip: Matches
the destination address field in IPv6 packets.
l
src-port: Matches
the TCP/UDP source port field in IPv6 packets.
l
dest-port: Matches
the TCP/UDP destination port field in IPv6 packets.
l
icmpv6-type: Matches
the ICMPv6 type field in IPv6 packets.
l
icmpv6-code: Matches
the ICMPv6 code field in IPv6 packets.
For information
about the IPv6 packet format, refer to IPv6 Management Operation.
Before applying an IPv6 ACL, be sure to
configure an IPv6 ACL template to specify the fields to be matched. Also make
sure that the contents of the IPv6 ACL are a subset of the contents of the
template. Otherwise, you cannot apply the IPv6 ACL to the hardware.
I. Configuration prerequisites
l
To configure time range-based IPv6 ACL rules,
you need to create the corresponding time ranges first. For information about
time range configuration, refer to section 1.2.1 Configuring Time Range.
l
The settings to be specified in the rule are
determined.
II. Configuration procedure
Table 1-5
Define an IPv6 ACL rule
|
Operation
|
Command
|
Description
|
|
Enter system view
|
system-view
|
—
|
|
Configure an IPv6 ACL template
|
ipv6-acl-template { dscp | ip-protocol | src-ip | dest-ip |
src-port | dest-port | icmpv6-type | icmpv6-code } *
|
Required
By default, no IPv6 ACL template is
configured.
To specify the src-port, dest-port,
icmpv6-type or icmpv6-code keyword in the command, you need to
specify the ip-protocol keyword at first.
|
|
Create an IPv6 ACL and enter IPv6 ACL
view
|
acl number
acl-number
|
Required
|
|
Define an ACL rule
|
rule [ rule-id
] { permit | deny } [ dscp rule-string rule-mask
] [ ip-protocol rule-string rule-mask ] [
src-ip ipv6-address prefix-length ] [ dest-ip ipv6-address
prefix-length ] [ [ src-port rule-string rule-mask
| dest-port rule-string rule-mask ]
* | [ icmpv6-type rule-string rule-mask
| icmpv6-code rule-string rule-mask ] * ]
[ time-range time-name ]
|
Required
To specify the src-port or dest-port
keyword in the command, you need to specify the ip-protocol rule-string
rule-mask combination as TCP or UDP, that is, 0x06 or 0x11. To specify
the icmpv6-type or icmpv6-code keyword, you need to specify the
ip-protocol rule-string rule-mask combination as ICMPv6, that
is, 0x3a.
|
|
Assign a description string to the ACL
rule
|
rule rule-id
comment text
|
Optional
No description by default
|
|
Assign a description string to the ACL
|
description text
|
Optional
No description by default
|
Note that:
l
You can modify any existent rule of an IPv6 ACL.
If you modify only the action to be taken or the time range, the unmodified
part of the rule remains the same. If you modify the contents of a user-defined
string, the new string overwrites the original one.
l
If you do not specify the rule-id
argument when creating an ACL rule, the rule will be numbered automatically. If
the ACL has no rules, the rule is numbered 0; otherwise, the number of the rule
will be the greatest rule number plus one. If the current greatest rule number
is 65534, however, the system will display an error message and you need to
specify a number for the rule.
l
The content of a modified or created rule cannot
be identical with the content of any existing rule of the ACL; otherwise the
rule modification or creation will fail, and the system prompts that the rule
already exists.
l
IPv6 ACLs do not match IPv6 packets with extension
headers.
l
Do not use IPv6 ACLs with VLAN mapping and
trusted port priority together.
III. Configuration example
# Configure an rule for IPv6 ACL 5000,
denying packets from 3001::1/64 to 3002::1/64.
<Sysname> system-view
[Sysname] acl number 5000
[Sysname-acl-user-5000] rule deny
src-ip 3001::1 64 dest-ip 3002::1 64
# Display the configuration information of
ACL 5000.
[Sysname-acl-user-5000] display acl 5000
User defined ACL 5000, 1 rule
Acl's step is 1
rule 0 deny src-ip 3001::1 64
dest-ip 3002::1 64
1.3 ACL Assignment
On an S3100 Ethernet switch, you can assign
ACLs to the hardware for packet filtering.
As for ACL assignment, the following four
ways are available.
l
Assigning ACLs globally, for filtering the
inbound packets on all the ports.
l
Assigning ACLs to a VLAN, for filtering the
inbound packets on all the ports and belonging to a VLAN.
l
Assigning ACLs to a port group, for filtering
the inbound packets on all the ports in a port group. For information about
port group, refer to Port Basic Configuration.
l
Assigning ACLs to a port, for filtering the
inbound packets on a port.
You can assign ACLs in the above-mentioned
ways as required.
Caution:
In terms of priority, the ACLs assigned globally, ACLs assigned to a
VLAN and ACLs assigned to a port group (or a port) rank in descending order. If
a packet matches multiple rules in these ACLs and is permitted by some rules
but denied by the others, the device permits or denies the packet based on the
rule in the ACL with the highest priority.
Before applying ACL rules to a VLAN, you need
to define the related ACLs. For information about defining an ACL, refer to
section 1.2.2 Configuring Basic ACL, section 1.2.3 Configuring Advanced ACL, section 1.2.4 Configuring Layer 2 ACL, and section 1.2.5
Configuring an IPv6 ACL.
II. Configure procedure
Table 1-6 Assign
an ACL globally
|
Operation
|
Command
|
Description
|
|
Enter system view
|
system-view
|
—
|
|
Assign an ACL globally
|
packet-filter inbound acl-rule
|
Required
For description on the acl-rule
argument, refer to ACL Command.
|
III. Configuration example
# Apply ACL 2000 globally to filter the
inbound packets on all the ports.
<Sysname> system-view
[Sysname] packet-filter inbound
ip-group 2000
I. Configuration prerequisites
Before applying ACL rules to a VLAN, you need
to define the related ACLs. For information about defining an ACL, refer to
section 1.2.2 Configuring Basic ACL, section 1.2.3 Configuring Advanced ACL, section 1.2.4 Configuring Layer 2 ACL, and section 1.2.5
Configuring an IPv6 ACL.
II. Configuration procedure
Table 1-7
Assign an ACL to a VLAN
|
Operation
|
Command
|
Description
|
|
Enter system view
|
system-view
|
—
|
|
Apply an ACL to a VLAN
|
packet-filter vlan vlan-id inbound acl-rule
|
Required
For description on the acl-rule
argument, refer to ACL Command.
|
Caution:
An ACL assigned to
a VLAN takes effect only for the packets tagged with 802.1Q header. For more
information about 802.1Q header, refer to the VLAN part.
III. Configuration example
# Apply ACL 2000 to VLAN 10 to filter the
inbound packets of VLAN 10 on all the ports.
<Sysname> system-view
[Sysname] packet-filter vlan 10
inbound ip-group 2000
I. Configuration prerequisites
Before applying ACL rules to a VLAN, you need
to define the related ACLs. For information about defining an ACL, refer to
section 1.2.2 Configuring Basic ACL, section 1.2.3 Configuring Advanced ACL, section 1.2.4 Configuring Layer 2 ACL, and section 1.2.5
Configuring an IPv6 ACL.
II. Configuration procedure
Table 1-8
Assign an ACL to a port group
|
Operation
|
Command
|
Description
|
|
Enter system view
|
system-view
|
—
|
|
Enter port group view
|
port-group group-id
|
