09-ACL and QoS

HomeSupportResource CenterH3C Access Controllers Configuration Guides(E5208P03 E5215P01 R5215P01)-6W10209-ACL and QoS
01-ACL configuration
Title Size Download
01-ACL configuration 226.52 KB

Configuring ACLs

Overview

An access control list (ACL) is a set of rules for identifying traffic based on criteria such as source IP address, destination IP address, and port number. The rules are also called permit or deny statements.

ACLs are primarily used for packet filtering. "Configuring packet filtering with ACLs" provides an example. You can use ACLs in QoS, security, routing, and other modules for identifying traffic. The packet drop or forwarding decisions depend on the modules that use ACLs.

ACL types

Type

ACL number

IP version

Match criteria

WLAN client ACL

100 to 199

IPv4 and IPv6

SSID.

WLAN AP ACL

200 to 299

IPv4 and IPv6

AP MAC address and AP serial ID.

Basic ACLs

2000 to 2999

IPv4

Source IPv4 address.

IPv6

Source IPv6 address.

Advanced ACLs

3000 to 3999

IPv4

Source IPv4 address, destination IPv4 address, packet priority, protocol number, and other Layer 3 and Layer 4 header fields.

IPv6

Source IPv6 address, destination IPv6 address, packet priority, protocol number, and other Layer 3 and Layer 4 header fields.

Layer 2 ACLs

4000 to 4999

IPv4 and IPv6

Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type.

 

Numbering and naming ACLs

When creating an ACL, you must assign it a number or name for identification. You can specify an existing ACL by its number or name. Each ACL type has a unique range of ACL numbers.

For an IPv4 basic or advanced ACL, its ACL number or name must be unique in IPv4. For an IPv6 basic or advanced ACL, its ACL number and name must be unique in IPv6. For a Layer 2, WLAN client, or WLAN AP ACL, its number or name must be globally unique.

Match order

The rules in an ACL are sorted in a specific order. When a packet matches a rule, the device stops the match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting rules, the matching result and action to take depend on the rule order.

The following ACL match orders are available:

·     config—Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a rule with a higher ID. If you use this method, check the rules and their order carefully.

 

 

NOTE:

The match order of WLAN client ACLs and WLAN AP ACLs can only be config.

 

·     auto—Sorts ACL rules in depth-first order. Depth-first ordering makes sure any subset of a rule is always matched before the rule. Table 1 lists the sequence of tie breakers that depth-first ordering uses to sort rules for each type of ACL.

Table 1 Sort ACL rules in depth-first order

ACL type

Sequence of tie breakers

IPv4 basic ACL

1.     VPN instance.

2.     More 0s in the source IPv4 address wildcard (more 0s means a narrower IPv4 address range).

3.     Rule configured earlier.

IPv4 advanced ACL

1.     VPN instance.

2.     Specific protocol number.

3.     More 0s in the source IPv4 address wildcard mask.

4.     More 0s in the destination IPv4 address wildcard.

5.     Narrower TCP/UDP service port number range.

6.     Rule configured earlier.

IPv6 basic ACL

1.     VPN instance.

2.     Longer prefix for the source IPv6 address (a longer prefix means a narrower IPv6 address range).

3.     Rule configured earlier.

IPv6 advanced ACL

1.     VPN instance.

2.     Specific protocol number.

3.     Longer prefix for the source IPv6 address.

4.     Longer prefix for the destination IPv6 address.

5.     Narrower TCP/UDP service port number range.

6.     Rule configured earlier.

Layer 2 ACL

1.     More 1s in the source MAC address mask (more 1s means a smaller MAC address).

2.     More 1s in the destination MAC address mask.

3.     Rule configured earlier.

 

A wildcard mask, also called an inverse mask, is a 32-bit binary number represented in dotted decimal notation. In contrast to a network mask, the 0 bits in a wildcard mask represent "do care" bits, and the 1 bits represent "don't care" bits. If the "do care" bits in an IP address are identical to the "do care" bits in an IP address criterion, the IP address matches the criterion. All "don't care" bits are ignored. The 0s and 1s in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a valid wildcard mask.

Rule numbering

ACL rules can be manually numbered or automatically numbered. This section describes how automatic ACL rule numbering works.

Rule numbering step

If you do not assign an ID to the rule you are creating, the system automatically assigns it a rule ID. The rule numbering step sets the increment by which the system automatically numbers rules. For example, the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are automatically numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between two rules.

By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility of inserting rules in an ACL. This feature is important for a config-order ACL, where ACL rules are matched in ascending order of rule ID.

Automatic rule numbering and renumbering

The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step to the current highest rule ID, starting with 0.

For example, if the step is 5, and there are five rules numbered 0, 5, 9, 10, and 12, the newly defined rule is numbered 15. If the ACL does not contain a rule, the first rule is numbered 0.

Whenever the step changes, the rules are renumbered, starting from 0. For example, changing the step from 5 to 2 renumbers rules 5, 10, 13, and 15 as rules 0, 2, 4, and 6.

Fragments filtering with ACLs

Traditional packet filtering matches only first fragments of packets, and allows all subsequent non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks.

To avoid the risks, the ACL feature is designed as follows:

·     Filters all fragments by default, including non-first fragments.

·     Allows for matching criteria modification for efficiency. For example, you can configure the ACL to filter only non-first fragments.

Compatibility information

Feature and hardware compatibility

Hardware series

Model

ACL compatibility

WX1800H series

WX1804H

WX1810H

WX1820H

Yes

WX2500H series

WX2510H

WX2540H

WX2560H

Yes

WX3000H series

WX3010H

WX3010H-L

WX3010H-X

WX3024H

WX3024H-L

Yes:

·     WX3010H

·     WX3010H-X

·     WX3024H

No:

·     WX3010H-L

·     WX3024H-L

WX3500H series

WX3508H

WX3510H

WX3520H

WX3540H

Yes

WX5500E series

WX5510E

WX5540E

Yes

WX5500H series

WX5540H

WX5560H

WX5580H

Yes

Access controller modules

EWPXM1MAC0F

EWPXM1WCME0

EWPXM2WCMD0F

LSQM1WCMX20

LSQM1WCMX40

LSUM1WCME0

LSUM1WCMX20RT

LSUM1WCMX40RT

Yes

 

Command and hardware compatibility

The WX1800H series, WX2500H series, and WX3000H series access controllers do not support the slot keyword or the slot-number argument.

Configuration restrictions and guidelines

Matching packets are forwarded through slow forwarding if an ACL rule contains match criteria or has functions enabled in addition to the following match criteria and functions:

·     Source and destination IP addresses.

·     Source and destination ports.

·     Transport layer protocol.

·     ICMP or ICMPv6 message type, message code, and message name.

·     VPN instance.

·     Logging.

·     Time range.

Slow forwarding requires packets to be sent to the control plane for forwarding entry calculation, which affects the device forwarding performance.

Configuration task list

Tasks at a glance

(Required.) Configure ACLs according to the characteristics of the packets to be matched:

·     Configuring a basic ACL

¡     Configuring an IPv4 basic ACL

¡     Configuring an IPv6 basic ACL

·     Configuring an advanced ACL

¡     Configuring an IPv4 advanced ACL

¡     Configuring an IPv6 advanced ACL

·     Configuring a Layer 2 ACL

·     Configuring a WLAN client ACL

·     Configuring a WLAN AP ACL

(Optional.) Copying an ACL

(Optional.) Configuring packet filtering with ACLs

 

Configuring a basic ACL

This section describes procedures for configuring IPv4 and IPv6 basic ACLs.

Configuring an IPv4 basic ACL

IPv4 basic ACLs match packets based only on source IP addresses.

To configure an IPv4 basic ACL:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an IPv4 basic ACL and enter its view.

acl basic { acl-number | name acl-name } [ match-order { auto | config } ]

By default, no ACL exists.

The value range for a numbered IPv4 basic ACL is 2000 to 2999.

Use the acl basic acl-number command to enter the view of a numbered IPv4 basic ACL.

Use the acl basic name acl-name command to enter the view of a named IPv4 basic ACL.

3.     (Optional.) Configure a description for the IPv4 basic ACL.

description text

By default, an IPv4 basic ACL does not have a description.

4.     (Optional.) Set the rule numbering step.

step step-value

By default, the rule numbering step is 5 and the start rule ID is 0.

5.     Create or edit a rule.

rule [ rule-id ] { deny | permit } [ fragment | source { source-address source-wildcard | any } | time-range time-range-name ] *

By default, an IPv4 basic ACL does not contain any rules.

6.     (Optional.) Add or edit a rule comment.

rule rule-id comment text

By default, no rule comment is configured.

 

Configuring an IPv6 basic ACL

IPv6 basic ACLs match packets based only on source IP addresses.

To configure an IPv6 basic ACL:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an IPv6 basic ACL view and enter its view.

acl ipv6 basic { acl-number | name acl-name } [ match-order { auto | config } ]

By default, no ACL exists.

The value range for a numbered IPv6 basic ACL is 2000 to 2999.

Use the acl ipv6 basic acl-number command to enter the view of a numbered IPv6 basic ACL.

Use the acl ipv6 basic name acl-name command to enter the view of a named IPv6 basic ACL.

3.     (Optional.) Configure a description for the IPv6 basic ACL.

description text

By default, an IPv6 basic ACL does not have a description.

4.     (Optional.) Set the rule numbering step.

step step-value

By default, the rule numbering step is 5 and the start rule ID is 0.

5.     Create or edit a rule.

rule [ rule-id ] { deny | permit } [ fragment | routing [ type routing-type ] | source { source-address source-prefix | source-address/source-prefix | any } | time-range time-range-name ] *

By default, an IPv6 basic ACL does not contain any rules.

6.     (Optional.) Add or edit a rule comment.

rule rule-id comment text

By default, no rule comment is configured.

 

Configuring an advanced ACL

This section describes procedures for configuring IPv4 and IPv6 advanced ACLs.

Configuring an IPv4 advanced ACL

IPv4 advanced ACLs match packets based on the following criteria:

·     Source IP addresses.

·     Destination IP addresses.

·     Packet priorities.

·     Protocol numbers.

·     Other protocol header information, such as TCP/UDP source and destination port numbers, TCP flags, ICMP message types, and ICMP message codes.

Compared to IPv4 basic ACLs, IPv4 advanced ACLs allow more flexible and accurate filtering.

To configure an IPv4 advanced ACL:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an IPv4 advanced ACL and enter its view.

acl advanced { acl-number | name acl-name } [ match-order { auto | config } ]

By default, no ACL exists.

The value range for a numbered IPv4 advanced ACL is 3000 to 3999.

Use the acl advanced acl-number command to enter the view of a numbered IPv4 advanced ACL.

Use the acl advanced name acl-name command to enter the view of a named IPv4 advanced ACL.

3.     (Optional.) Configure a description for the IPv4 advanced ACL.

description text

By default, an IPv4 advanced ACL does not have a description.

4.     (Optional.) Set the rule numbering step.

step step-value

By default, the rule numbering step is 5 and the start rule ID is 0.

5.     Create or edit a rule.

rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | destination { dest-address dest-wildcard | any } | destination-port operator port1 [ port2 ] | { dscp dscp | { precedence precedence | tos tos } * } | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | source { source-address source-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name ] *

By default, an IPv4 advanced ACL does not contain any rules.

6.     (Optional.) Add or edit a rule comment.

rule rule-id comment text

By default, no rule comment is configured.

 

Configuring an IPv6 advanced ACL

IPv6 advanced ACLs match packets based on the following criteria:

·     Source IPv6 addresses.

·     Destination IPv6 addresses.

·     Packet priorities.

·     Protocol numbers.

·     Other protocol header fields such as the TCP/UDP source port number, TCP/UDP destination port number, ICMPv6 message type, and ICMPv6 message code.

Compared to IPv6 basic ACLs, IPv6 advanced ACLs allow more flexible and accurate filtering.

To configure an IPv6 advanced ACL:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an IPv6 advanced ACL and enter its view.

acl ipv6 advanced { acl-number | name acl-name } [ match-order { auto | config } ]

By default, no ACL exists.

The value range for a numbered IPv6 advanced ACL is 3000 to 3999.

Use the acl ipv6 advanced acl-number command to enter the view of a numbered IPv6 advanced ACL.

Use the acl ipv6 advanced name acl-name command to enter the view of a named IPv6 advanced ACL.

3.     (Optional.) Configure a description for the IPv6 advanced ACL.

description text

By default, an IPv6 advanced ACL does not have a description.

4.     (Optional.) Set the rule numbering step.

step step-value

By default, the rule numbering step is 5 and the start rule ID is 0.

5.     Create or edit a rule.

rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | destination { dest-address dest-prefix | dest-address/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | flow-label flow-label-value | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | routing [ type routing-type ] | hop-by-hop [ type hop-type ] | source { source-address source-prefix | source-address/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name ] *

By default, IPv6 advanced ACL does not contain any rules.

6.     (Optional.) Add or edit a rule comment.

rule rule-id comment text

By default, no rule comment is configured.

 

Configuring a Layer 2 ACL

Layer 2 ACLs, also called "Ethernet frame header ACLs," match packets based on Layer 2 Ethernet header fields, such as:

·     Source MAC address.

·     Destination MAC address.

·     802.1p priority (VLAN priority).

·     Link layer protocol type.

To configure a Layer 2 ACL:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a Layer 2 ACL and enter its view.

acl mac { acl-number | name acl-name } [ match-order { auto | config } ]

By default, no ACL exists.

The value range for a numbered Layer 2 ACL is 4000 to 4999.

Use the acl mac acl-number command to enter the view of a numbered Layer 2 ACL.

Use the acl mac name acl-name command to enter the view of a named Layer 2 ACL.

3.     (Optional.) Configure a description for the Layer 2 ACL.

description text

By default, a Layer 2 ACL does not have a description.

4.     (Optional.) Set the rule numbering step.

step step-value

By default, the rule numbering step is 5 and the start rule ID is 0.

5.     Create or edit a rule.

rule [ rule-id ] { deny | permit } [ cos vlan-pri | dest-mac dest-address dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac source-address source-mask | time-range time-range-name ] *

By default, a Layer 2 ACL does not contain any rules.

6.     (Optional.) Add or edit a rule comment.

rule rule-id comment text

By default, no rule comment is configured.

 

Configuring a WLAN client ACL

WLAN client ACLs match packets based on the SSID that the WLAN clients use to access the WLAN. You can use WLAN client ACLs to perform access control on WLAN clients.

To configure a WLAN client ACL:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a WLAN client ACL and enter its view.

acl wlan client { acl-number | name acl-name }

By default, no ACL exists.

The value range for a numbered WLAN client ACL is 100 to 199.

Use the acl wlan client acl-number command to enter the view of a numbered WLAN client ACL.

Use the acl wlan client name acl-name command to enter the view of a named WLAN client ACL.

3.     (Optional.) Configure a description for the WLAN client ACL.

description text

By default, a WLAN client ACL does not have a description.

4.     (Optional.) Set the rule numbering step.

step step-value

By default, the rule numbering step is 5 and the start rule ID is 0.

5.     Configure or edit a rule.

rule [ rule-id ] { deny | permit } [ ssid ssid-name ]

By default, a WLAN client ACL does not contain any rules.

6.     (Optional.) Add or edit a rule comment.

rule rule-id comment text

By default, no rule comment is configured.

 

Configuring a WLAN AP ACL

WLAN AP ACLs match packets from WLAN APs based on the MAC address or serial ID.

To configure a WLAN AP ACL:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a WLAN AP ACL and enter its view.

acl wlan ap { acl-number | name acl-name }

By default, no ACL exists.

The value range for a numbered WLAN AP ACL is 200 to 299.

Use the acl wlan ap acl-number command to enter the view of a numbered WLAN AP ACL.

Use the acl wlan ap name acl-name command to enter the view of a named WLAN AP ACL.

3.     (Optional.) Configure a description for the WLAN AP ACL.

description text

By default, a WLAN AP ACL does not have a description.

4.     (Optional.) Set the rule numbering step.

step step-value

By default, the rule numbering step is 5 and the start rule ID is 0.

5.     Configure or edit a rule.

rule [ rule-id ] { deny | permit } [ mac mac-address mac-mask ] [ serial-id serial-id ]

By default, a WLAN AP ACL does not contain any rules.

6.     (Optional.) Add or edit a rule comment.

rule rule-id comment text

By default, no rule comment is configured.

 

Copying an ACL

You can create an ACL by copying an existing ACL (source ACL). The new ACL (destination ACL) has the same properties and content as the source ACL, but uses a different number or name than the source ACL.

To successfully copy an ACL, make sure:

·     The destination ACL number is from the same type as the source ACL number.

·     The source ACL already exists, but the destination ACL does not.

To copy an ACL:

 

Step

Command

1.     Enter system view.

system-view

2.     Copy an existing ACL to create a new ACL.

acl [ ipv6 | mac ] copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }

 

Configuring packet filtering with ACLs

This section describes procedures for applying an ACL to filter incoming or outgoing IPv4 or IPv6 packets on the specified interface.

This feature does not take effect on an interface that is an aggregation member port.

Applying an ACL to an interface for packet filtering

The following matrix shows the feature and hardware compatibility:

 

Hardware series

Model

Feature compatibility

WX1800H series

WX1804H

WX1810H

WX1820H

Yes

WX2500H series

WX2510H

WX2540H

WX2560H

Yes

WX3000H series

WX3010H

WX3010H-L

WX3010H-X

WX3024H

WX3024H-L

No

WX3500H series

WX3508H

WX3510H

WX3520H

WX3540H

Yes

WX5500E series

WX5510E

WX5540E

Yes

WX5500H series

WX5540H

WX5560H

WX5580H

Yes

Access controller modules

EWPXM1MAC0F

EWPXM1WCME0

EWPXM2WCMD0F

LSQM1WCMX20

LSQM1WCMX40

LSUM1WCME0

LSUM1WCMX20RT

LSUM1WCMX40RT

Yes

 

To apply an ACL to an interface for packet filtering:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter interface view.

interface interface-type interface-number

N/A

3.     Apply an ACL to the interface to filter packets.

packet-filter [ ipv6 | mac ] { acl-number | name acl-name } { inbound | outbound }

By default, an interface does not filter packets.

You can apply up to 32 ACLs to the same direction of an interface.

 

Configuring SNMP notifications for packet filtering

You can configure the ACL module to generate SNMP notifications for packet filtering and output them to the information center or SNMP module at the output interval. If an ACL is matched for the first time, the device immediately outputs a notification instead of waiting for the next output. The notification records the number of matching packets and the matched ACL rules.

For more information about the information center and SNMP, see Network Management and Monitoring Configuration Guide.

To configure SNMP notifications for packet filtering:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Set the interval for outputting packet filtering notifications.

acl trap interval interval

The default setting is 0 minutes. By default, the device does not generate SNMP notifications for packet filtering.

 

Setting the packet filtering default action

The following matrix shows the feature and hardware compatibility:

 

Hardware series

Model

Feature compatibility

WX1800H series

WX1804H

WX1810H

WX1820H

Yes

WX2500H series

WX2510H

WX2540H

WX2560H

Yes

WX3000H series

WX3010H

WX3010H-L

WX3010H-X

WX3024H

WX3024H-L

No

WX3500H series

WX3508H

WX3510H

WX3520H

WX3540H

Yes

WX5500E series

WX5510E

WX5540E

Yes

WX5500H series

WX5540H

WX5560H

WX5580H

Yes

Access controller modules

EWPXM1MAC0F

EWPXM1WCME0

EWPXM2WCMD0F

LSQM1WCMX20

LSQM1WCMX40

LSUM1WCME0

LSUM1WCMX20RT

LSUM1WCMX40RT

Yes

 

To set the packet filtering default action:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Set the packet filtering default action to deny.

packet-filter default deny

By default, the packet filter permits packets that do not match any ACL rule to pass.

 

Displaying and maintaining ACLs

Execute display commands in any view.

 

Task

Command

Display ACL configuration and match statistics.

display acl [ ipv6 | mac | wlan ] { acl-number | all | name acl-name }

Display ACL application information for packet filtering.

display packet-filter interface [ interface-type interface-number ] [ inbound | outbound ] [ slot slot-number ]

Display detailed ACL packet filtering information.

display packet-filter verbose interface interface-type interface-number { inbound | outbound } [ [ ipv6 | mac ] { acl-number | name acl-name } ] [ slot slot-number ]

 

 

NOTE:

Support for the display packet-filter and display packet-filter verbose commands depends on the device model. For more information, see ACL and QoS Command Reference.

 

ACL configuration example

Network requirements

A company interconnects its departments through the AC. Configure a packet filter to:

·     Permit access from the President's office at any time to the financial database server.

·     Permit access from the Financial department to the database server only during working hours (from 8:00 to 18:00) on working days.

·     Deny access from any other department to the database server.

Figure 1 Network diagram

 

Configuration procedure

# Create a periodic time range from 8:00 to 18:00 on working days.

<AC> system-view

[AC] time-range work 08:0 to 18:00 working-day

# Create an IPv4 advanced ACL numbered 3000.

[AC] acl advanced 3000

# Configure a rule to permit access from the President's office to the financial database server.

[AC-acl-ipv4-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.100 0

# Configure a rule to permit access from the Financial department to the database server during working hours.

[AC-acl-ipv4-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.100 0 time-range work

# Configure a rule to deny access to the financial database server.

[AC-acl-ipv4-adv-3000] rule deny ip source any destination 192.168.0.100 0

[AC-acl-ipv4-adv-3000] quit

# Apply IPv4 advanced ACL 3000 to filter outgoing packets on interface GigabitEthernet 1/0/1.

[AC] interface gigabitethernet 1/0/1

[AC-GigabitEthernet1/0/1] packet-filter 3000 outbound

[AC-GigabitEthernet1/0/1] quit

Verifying the configuration

# Verify that a wireless client in the Financial department can ping the database server during working hours. (All clients in this example use Windows XP).

C:\> ping 192.168.0.100

 

Pinging 192.168.0.100 with 32 bytes of data:

 

Reply from 192.168.0.100: bytes=32 time=1ms TTL=255

Reply from 192.168.0.100: bytes=32 time<1ms TTL=255

Reply from 192.168.0.100: bytes=32 time<1ms TTL=255

Reply from 192.168.0.100: bytes=32 time<1ms TTL=255

 

Ping statistics for 192.168.0.100:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 1ms, Average = 0ms

# Verify that a wireless client in the Marketing department cannot ping the database server during working hours.

C:\> ping 192.168.0.100

 

Pinging 192.168.0.100 with 32 bytes of data:

 

Request timed out.

Request timed out.

Request timed out.

Request timed out.

 

Ping statistics for 192.168.0.100:

    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

# Display configuration and match statistics for IPv4 advanced ACL 3000 on the AC during working hours.

[AC] display acl 3000

Advanced IPv4 ACL 3000, 3 rules,

ACL's step is 5

 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.100 0

 rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.100 0 time-range work

 rule 10 deny ip destination 192.168.0.100 0

The output shows that rule 5 is active.