H3C S3600 Series Ethernet Switches Operation Manual-Release 1510(V1.04)

25-ACL Operation

Chapter 1  ACL Configuration

1.1  ACL Overview

An access control list (ACL) is mainly used for traffic classification. To filter data packets, a network device needs to be configured with a series of ACLs to identify the packets to be filtered. A network device can permit/deny specific packets in a predefined way only after the traffic is classified.

ACLs classify packets using a series of conditions known as rules. The conditions can be based on source addresses, destination addresses and port numbers carried in the packets.

The rules of an ACL can be referenced by other functions that need traffic classification, such as QoS.

According to their application purposes, ACLs fall into the following four types.

• Basic ACL. Rules are created based on Layer 3 source IP addresses only.

• Advanced ACL. Rules are created based on the Layer 3 and Layer 4 information such as the source and destination IP addresses, the type of the protocols carried by IP, protocol-specific features, and so on.

• Layer 2 ACL. Rules are created based on the Layer 2 information such as source and destination MAC addresses, VLAN priorities, Layer 2 protocols, and so on.

• User-defined ACL. An ACL of this type matches packets by comparing specific strings retrieved from the packets with specified strings.

1.1.1  Ways to Apply ACL on a Switch

I. Applied to the hardware directly

In the switch, an ACL can be directly applied to the hardware for packet filtering and traffic classification. In this case, the rules in an ACL are matched in the order determined by the hardware instead of that defined in the ACL.

ACLs are directly applied to hardware when they are used for:

• Implementing QoS

• Filtering the packets to be forwarded

II. Referenced by upper-level modules

ACLs can also be used to filter and classify the packets to be processed by software. In this case, the rules in an ACL can be matched in one of the following two ways:

• config, where rules in an ACL are matched in the order defined by the user.

• auto, where the rules in an ACL are matched in the order determined by the system, namely the “depth-first” order.

When applying ACLs in this way, you can specify the order in which the rules in the ACL are matched. The matching order cannot be modified once it is determined unless you delete all the rules in the ACL.

An ACL is referenced by an upper-layer module when it is

• Referenced by route policies

• Used to control login users

1.1.2  ACL Matching Order

An ACL can contain multiple rules, each of which matches a specific type of packet. The order in which the rules of an ACL are matched therefore needs to be determined.

The order in which the rules of an ACL are matched can be:

• The order in which the rules are created.

• The order determined by the system. In this case, the rules are matched according to the “depth-first” rule.

With the depth-first rule adopted, the rules of an ACL are matched according to:

1) Protocol range. The range for IP is 1 to 255 and those of other protocols are their protocol numbers. The smaller the protocol range, the higher the priority.

2) Range of source IP address. The smaller the source IP address range (that is, the longer the mask), the higher the priority.

3) Range of destination IP address. The smaller the destination IP address range (that is, the longer the mask), the higher the priority.

4) Range of Layer 4 port number, that is, of TCP/UDP port number. The smaller the range, the higher the priority.

If two rules are identical in all four ACEs (access control elements) above, and also carry the same number of other ACEs that count towards their priority, their priority order is decided by the following weighting principles.

• Each ACE is given a fixed weighting value. This weighting value and the value of the ACE itself jointly decide the final matching order.

• The weighting values of ACEs rank in the following descending order: DSCP, ToS, ICMP, established, precedence, fragment.

• A fixed weighting value is deducted from the weighting value of each ACE of the rule. The smaller the weighting value left, the higher the priority.

• If the number and type of ACEs are the same for multiple rules, the sum of the ACE values of a rule determines its priority. The smaller the sum, the higher the priority.
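The following Python script is an added illustration (not switch code) of why the matching order matters: it models the first four depth-first criteria above (protocol range, source mask, destination mask, port range), evaluates a constructed packet against two rules in config order and in auto order, and shows that the same packet is permitted in one order and denied in the other. The ACE weighting principles are not modelled because the manual gives no numeric weights, and the rule-id tie-breaker is an assumption of this example only.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # address + wildcard meaning "any"


def ip_to_int(addr: str) -> int:
    """Dotted decimal -> 32-bit integer; the CLI shorthand wildcard "0" is accepted."""
    if addr == "0":
        addr = "0.0.0.0"
    octets = [int(o) for o in addr.split(".")]
    assert len(octets) == 4 and all(0 <= o <= 255 for o in octets), addr
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def prefix_len(wildcard: str) -> int:
    """Mask length implied by a wildcard: 0.0.255.255 -> 16, 0 -> 32, 255.255.255.255 -> 0."""
    return 32 - bin(ip_to_int(wildcard)).count("1")


def addr_in_range(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard bits set to 1 are don't-care; all remaining bits must be equal."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(rule_addr) & care)


@dataclass
class Rule:
    rule_id: int
    action: str                                  # "permit" or "deny"
    protocol: str                                # "ip", "tcp", "udp" or "icmp"
    src: Tuple[str, str] = ANY                   # (sour-addr, sour-wildcard)
    dst: Tuple[str, str] = ANY                   # (dest-addr, dest-wildcard)
    dst_port: Optional[Tuple[int, int]] = None   # inclusive range; None = any port

    def protocol_range(self) -> int:
        # "ip" stands for protocol numbers 1 to 255; any other protocol is one number.
        return 255 if self.protocol == "ip" else 1

    def port_range(self) -> int:
        if self.dst_port is None:
            return 65536
        return self.dst_port[1] - self.dst_port[0] + 1


def depth_first_key(rule: Rule):
    """Sort key for the depth-first order: smaller protocol range, longer source mask,
    longer destination mask, smaller port range, in that order of precedence.
    The rule id is only a deterministic tie-breaker (assumption of this example;
    the switch applies its ACE weighting principles instead)."""
    return (rule.protocol_range(),
            -prefix_len(rule.src[1]),
            -prefix_len(rule.dst[1]),
            rule.port_range(),
            rule.rule_id)


def rule_matches(rule: Rule, pkt: Dict) -> bool:
    if rule.protocol != "ip" and rule.protocol != pkt["proto"]:
        return False
    if not addr_in_range(pkt["src"], *rule.src):
        return False
    if not addr_in_range(pkt["dst"], *rule.dst):
        return False
    if rule.dst_port is not None:
        lo, hi = rule.dst_port
        if not (lo <= pkt.get("dport", -1) <= hi):
            return False
    return True


def first_match(rules: List[Rule], pkt: Dict, match_order: str) -> Optional[Tuple[str, int]]:
    """Return (action, rule-id) of the first matching rule, or None if nothing matches.
    "config": rules are tried in creation order.  "auto": depth-first order."""
    ordered = list(rules) if match_order == "config" else sorted(rules, key=depth_first_key)
    for rule in ordered:
        if rule_matches(rule, pkt):
            return rule.action, rule.rule_id
    return None


# Constructed sample: a broad permit created first, a narrow deny created second.
RULES = [
    Rule(0, "permit", "ip", src=("129.9.0.0", "0.0.255.255")),
    Rule(1, "deny", "tcp", src=("129.9.1.1", "0"),
         dst=("202.38.160.0", "0.0.0.255"), dst_port=(80, 80)),
]
PACKET = {"proto": "tcp", "src": "129.9.1.1", "dst": "202.38.160.5", "dport": 80}

if __name__ == "__main__":
    print("config order:", first_match(RULES, PACKET, "config"))   # ('permit', 0)
    print("auto order:  ", first_match(RULES, PACKET, "auto"))     # ('deny', 1)
```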

1.1.3  Time Range-based ACL

A time range-based ACL takes effect only in specified time ranges.

You can specify a time range for each rule in an ACL. An ACL rule cannot take effect if you do not configure the time range for it. It takes effect only when the time range is configured and the system time is within the time range. If you remove the time range of an ACL rule, the ACL rule becomes invalid after the ACL rule timer refreshes.

1.1.4  Types of ACLs Supported by the Ethernet Switch

The following types of ACLs are supported by the Ethernet switch:

• Basic ACL

• Advanced ACL

• Layer 2 ACL

• User-defined ACL

1.2  Time Range Configuration

A time section can be periodic or absolute. A periodic time section is defined by specifying days of a week, while an absolute time section is defined by specifying the start time and the end time.

 

Note:

An absolute time range on an H3C S3600 switch can be within the range 1970/1/1 00:00 to 2100/12/31 24:00.

 

1.2.1  Configuration Procedure

Table 1-1 Configure a time range (operation: command)

• Enter system view: system-view

• Create a time range (required): time-range time-name { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date }

 

Note that:

If only a periodic time section is defined in a time range, the time range is active only when the system time is within the defined periodic time section. If multiple periodic time sections are defined in a time range, the time range is active only when the system time is within one of the periodic time sections.

If only an absolute time section is defined in a time range, the time range is active only when the system time is within the defined absolute time section. If multiple absolute time sections are defined in a time range, the time range is active only when the system time is within one of the absolute time sections.

If both a periodic time section and an absolute time section are defined in a time range, the time range is active only when the periodic time section and the absolute time section are both matched. Assume that a time range contains an absolute time section ranging from 00:00 January 1, 2004 to 23:59 December 31, 2004, and a periodic time section ranging from 12:00 to 14:00 on every Wednesday. This time range is active only when the system time is within the range from 12:00 to 14:00 on a Wednesday in 2004.

If the start time is not specified, the time section starts on the earliest date available in the system and ends on the specified end date. If the end date is not specified, the time section starts from the specified start date to 2100/12/31 23:59.
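The activation rules above, worked through in Python as an added example (not H3C code): a parser for the time-range syntax of Table 1-1 and an evaluator in which sections of one kind are ORed while a periodic and an absolute section must both match. The keywords working-day, daily and sat come from this chapter; the other single-day names (mon, tue, wed, ...) and the treatment of a range with no sections as inactive are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import FrozenSet, List

EARLIEST = datetime(1970, 1, 1, 0, 0)      # start used when no start date is given
LATEST = datetime(2100, 12, 31, 23, 59)    # end used when no end date is given

# days-of-the-week keywords. "working-day", "daily" and "sat" appear in the manual;
# the remaining single-day names are an assumption of this example. Monday = 0.
DAYS = {
    "mon": {0}, "tue": {1}, "wed": {2}, "thu": {3}, "fri": {4}, "sat": {5}, "sun": {6},
    "working-day": {0, 1, 2, 3, 4},
    "daily": {0, 1, 2, 3, 4, 5, 6},
}


@dataclass
class Periodic:
    start: time
    end: time
    days: FrozenSet[int]

    def contains(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= now.time() <= self.end


@dataclass
class Absolute:
    start: datetime = EARLIEST
    end: datetime = LATEST

    def contains(self, now: datetime) -> bool:
        return self.start <= now <= self.end


@dataclass
class TimeRange:
    name: str
    periodic: List[Periodic] = field(default_factory=list)
    absolute: List[Absolute] = field(default_factory=list)

    def is_active(self, now: datetime) -> bool:
        """Sections of one kind are ORed; a periodic and an absolute section must both match.
        A range with no section at all is treated as inactive (assumption of this example)."""
        if not self.periodic and not self.absolute:
            return False
        periodic_ok = not self.periodic or any(p.contains(now) for p in self.periodic)
        absolute_ok = not self.absolute or any(a.contains(now) for a in self.absolute)
        return periodic_ok and absolute_ok


def _hhmm(text: str) -> time:
    hour, minute = (int(x) for x in text.split(":"))
    return time(hour, minute)


def _stamp(hhmm: str, mdy: str) -> datetime:
    """'15:00' + '1/28/2000' -> datetime, the M/D/YYYY form shown in the manual."""
    month, day, year = (int(x) for x in mdy.split("/"))
    t = _hhmm(hhmm)
    return datetime(year, month, day, t.hour, t.minute)


def add_section(tr: TimeRange, spec: str) -> TimeRange:
    """Apply one `time-range <name> <spec>` command (Table 1-1 syntax) to tr."""
    tokens = spec.split()
    i = 0
    if tokens[0] not in ("from", "to"):          # start-time to end-time days-of-the-week
        start, keyword, end, days = tokens[:4]
        assert keyword == "to", spec
        tr.periodic.append(Periodic(_hhmm(start), _hhmm(end), frozenset(DAYS[days])))
        i = 4
    if i < len(tokens):                           # [ from start-time start-date ] [ to end-time end-date ]
        start, end = EARLIEST, LATEST
        if tokens[i] == "from":
            start = _stamp(tokens[i + 1], tokens[i + 2])
            i += 3
        if i < len(tokens) and tokens[i] == "to":
            end = _stamp(tokens[i + 1], tokens[i + 2])
            i += 3
        tr.absolute.append(Absolute(start, end))
    assert i == len(tokens), spec
    return tr


if __name__ == "__main__":
    # The manual's own illustration: Wednesdays 12:00 to 14:00, but only during 2004.
    tr = add_section(TimeRange("wed2004"), "12:00 to 14:00 wed")
    add_section(tr, "from 00:00 1/1/2004 to 23:59 12/31/2004")
    print(tr.is_active(datetime(2004, 6, 16, 13, 0)))   # True  (a Wednesday in 2004)
    print(tr.is_active(datetime(2005, 6, 15, 13, 0)))   # False (a Wednesday, but in 2005)
```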

1.2.2  Configuration Example

# Define a periodic time range that will be active from 8:00 to 18:00 on Monday through Friday.

<H3C> system-view

[H3C] time-range test 8:00 to 18:00 working-day

[H3C] display time-range test

Current time is 13:27:32 4/16/2005 Saturday

 

Time-range : test ( Inactive )

 08:00 to 18:00 working-day

# Define an absolute time range from 15:00 1/28/2000 to 15:00 1/28/2004.

<H3C> system-view

[H3C] time-range test from 15:00 1/28/2000 to 15:00 1/28/2004

[H3C] display time-range test

Current time is 13:30:32 4/16/2005 Saturday

 

Time-range : test ( Inactive )

 From 15:00 Jan/28/2000 to 15:00 Jan/28/2004

1.3  Basic ACL Configuration

A basic ACL filters packets based on their Layer 3 source IP addresses.

A basic ACL can be numbered from 2000 to 2999.

1.3.1  Configuration Preparation

To configure a time range-based basic ACL rule, you need to create the corresponding time range first. For information about time range configuration, refer to section 1.2 “Time Range Configuration”.

Determine the source IP addresses on which the ACL is to filter packets.

1.3.2  Configuration Procedure

Table 1-2 Define a basic ACL rule (operation: command)

• Enter system view: system-view

• Create an ACL or enter basic ACL view (by default, the matching order is config): acl number acl-number [ match-order { config | auto } ]

• Define an ACL rule (required): rule [ rule-id ] { permit | deny } [ fragment | source { sour-addr sour-wildcard | any } | time-range time-name ]*

• Assign a description string to the ACL (optional): description text

 

When you define an ACL rule using the rule command with the rule-id argument provided:

• If the ACL is created with the config keyword specified and the rule identified by the rule-id argument exists, the settings specified in the rule command overwrite the counterparts of the existing rule (other settings of the rule remain unchanged). If the ACL is created with the auto keyword specified, the rules of the ACL cannot be edited. In this case, the system prompts errors when you execute the rule command.

• If the ACL rule identified by the rule-id argument does not exist, you will create a new rule.

• The content of a modified or created rule cannot be identical with the content of any existing rules; otherwise the rule modification or creation will fail, and the system prompts that the rule already exists.

If you do not specify the rule-id argument when creating an ACL rule, the rule will be numbered automatically.

1.3.3  Configuration Example

# Configure ACL 2000 to deny packets whose source IP addresses are 1.1.1.1.

<H3C> system-view

[H3C] acl number 2000

[H3C-acl-basic-2000] rule deny source 1.1.1.1 0

[H3C-acl-basic-2000] display acl 2000

Basic ACL  2000, 1 rule

Acl's step is 1

rule 0 deny source 1.1.1.1 0

1.4  Advanced ACL Configuration

An advanced ACL can filter packets by their source and destination IP addresses and by the protocols carried by IP. The rules in an advanced ACL can also be based on protocol-specific features such as TCP/UDP source and destination ports, ICMP protocol type, ICMP code, and so on.

An advanced ACL can be numbered from 3000 to 3999. Note that ACL 3998 and ACL 3999 cannot be configured because they are reserved for cluster management.

Advanced ACLs support analysis and processing of three packet priority levels: type of service (ToS) priority, IP priority and differentiated services codepoint priority (DSCP).

Using advanced ACLs, you can define classification rules that are more accurate, richer, and more flexible than those defined for basic ACLs.

1.4.1  Configuration Preparation

To configure a time range-based advanced ACL rule, you need to create the corresponding time ranges first. For information about time range configuration, refer to section 1.2 “Time Range Configuration”.

Determine the settings to be specified in the rule, such as source and destination IP addresses, the protocols carried by IP, and protocol-specific features.

1.4.2  Configuration Procedure

Table 1-3 Define an advanced ACL rule (operation: command)

• Enter system view: system-view

• Create an advanced ACL or enter advanced ACL view (by default, the match order is config): acl number acl-number [ match-order { config | auto } ]

• Define an ACL rule (required): rule [ rule-id ] { permit | deny } rule-string

• Assign a description string to the ACL rule (optional): rule rule-id comment text

• Assign a description string to the ACL (optional): description text

 

The rule-string argument of the rule command listed in Table 1-3 can be a combination of the argument/keywords described in Table 1-4. Note that the rule-string argument must begin with the protocol argument.

Table 1-4 Description of the arguments/keywords used in the rule-string argument (argument/keyword, type: function and description)

• protocol (protocol type): Type of the protocols carried by IP. When expressed in numerals, this argument ranges from 1 to 255. When expressed with a name, the value can be GRE, ICMP, IGMP, IP, IPinIP, OSPF, TCP, and UDP.

• source { sour-addr sour-wildcard | any } (source address): Specifies the source address information for the ACL rule. The sour-addr sour-wildcard arguments specify the source address of the packets, expressed in dotted decimal notation. You can specify the IP address of a host as the source address by providing 0 for the sour-wildcard argument. any represents any source address.

• destination { dest-addr dest-wildcard | any } (destination address): Specifies the destination address information for the ACL rule. The dest-addr dest-wildcard arguments specify the destination address of the packets, expressed in dotted decimal notation. You can specify the IP address of a host as the destination address by providing 0 for the dest-wildcard argument. any represents any destination address.

• precedence precedence (packet priority): IP precedence. The precedence argument ranges from 0 to 7.

• tos tos (packet priority): ToS. The tos argument ranges from 0 to 15.

• dscp dscp (packet priority): DSCP. The dscp argument ranges from 0 to 63.

• fragment (fragment information): Specifies that the rule is effective for the packets that are not the first fragments.

• time-range time-name (time range information): Specifies the time range in which the rule is active.

 

If you specify the dscp keyword, you can directly input a value ranging from 0 to 63 or input one of the keywords listed in Table 1-5 as the DSCP.

Table 1-5 DSCP values and the corresponding keywords

Keyword | DSCP value in decimal | DSCP value in binary
ef | 46 | 101110
af11 | 10 | 001010
af12 | 12 | 001100
af13 | 14 | 001110
af21 | 18 | 010010
af22 | 20 | 010100
af23 | 22 | 010110
af31 | 26 | 011010
af32 | 28 | 011100
af33 | 30 | 011110
af41 | 34 | 100010
af42 | 36 | 100100
af43 | 38 | 100110
cs1 | 8 | 001000
cs2 | 16 | 010000
cs3 | 24 | 011000
cs4 | 32 | 100000
cs5 | 40 | 101000
cs6 | 48 | 110000
cs7 | 56 | 111000
be (default) | 0 | 000000

 

If you specify the precedence keyword, you can directly input a value ranging from 0 to 7 or input one of the keywords listed in Table 1-6 as the IP precedence.

Table 1-6 IP precedence values and the corresponding keywords

Keyword | IP precedence in decimal | IP precedence in binary
routine | 0 | 000
priority | 1 | 001
immediate | 2 | 010
flash | 3 | 011
flash-override | 4 | 100
critical | 5 | 101
internet | 6 | 110
network | 7 | 111

 

If you specify the tos keyword, you can directly input a value ranging from 0 to 15 or input one of the keywords listed in Table 1-7 as the ToS value.

Table 1-7 ToS values and the corresponding keywords

Keyword | ToS in decimal | ToS in binary
normal | 0 | 0000
min-monetary-cost | 1 | 0001
max-reliability | 2 | 0010
max-throughput | 4 | 0100
min-delay | 8 | 1000

 

If the protocol type is TCP or UDP, you can also define the information listed in Table 1-8.

Table 1-8 TCP/UDP-specific ACL rule information (parameter, type: function and description)

• source-port operator port1 [ port2 ] (source port): Defines the source port information of UDP/TCP packets.

• destination-port operator port1 [ port2 ] (destination port): Defines the destination port information of UDP/TCP packets.

For both port parameters: the value of operator can be lt (less than), gt (greater than), eq (equal to), neq (not equal to) or range (within the range of). Only the “range” operator requires two port numbers as operands; the other operators require only one port number as the operand. port1 and port2 are TCP/UDP port numbers, expressed as port names or port numbers. When expressed as numbers, the value range is 0 to 65535.

• established (TCP connection flag): Specifies that the rule is applicable only to the first SYN segment for establishing a TCP connection. TCP-specific argument.

 

When specifying TCP/UDP ports by name, you can use the port names listed in Table 1-9 (the corresponding port number is given in parentheses).

Table 1-9 TCP/UDP port values

Protocol type | Value
TCP | chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), www (80)
UDP | biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (139), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), xdmcp (177)

 

Note:

When advanced ACLs are applied to ports of the H3C S3600 series Ethernet switches, only the rules configured with the operator argument specified as eq are valid.

 

If the protocol type is ICMP, you can also define the information listed in Table 1-10.

Table 1-10 ICMP-specific ACL rule information (parameter, type: function and description)

• icmp-type icmp-type icmp-code (type and message code information of ICMP packets): Specifies the type and message code information of ICMP packets in the rule. icmp-type: ICMP message type, ranging from 0 to 255. icmp-code: ICMP message code, ranging from 0 to 255.

 

If the protocol type is ICMP, you can also just input the ICMP message name after the icmp-type keyword. Table 1-11 lists some common ICMP messages.

Table 1-11 ICMP messages

Name | ICMP type | ICMP code
echo | 8 | 0
echo-reply | 0 | 0
fragmentneed-DFset | 3 | 4
host-redirect | 5 | 1
host-tos-redirect | 5 | 3
host-unreachable | 3 | 1
information-reply | 16 | 0
information-request | 15 | 0
net-redirect | 5 | 0
net-tos-redirect | 5 | 2
net-unreachable | 3 | 0
parameter-problem | 12 | 0
port-unreachable | 3 | 3
protocol-unreachable | 3 | 2
reassembly-timeout | 11 | 1
source-quench | 4 | 0
source-route-failed | 3 | 5
timestamp-reply | 14 | 0
timestamp-request | 13 | 0
ttl-exceeded | 11 | 0

 

When you define an ACL rule using the rule command with the rule-id argument provided:

• If the ACL is created with the config keyword specified and the rule identified by the rule-id argument exists, the settings specified in the rule command overwrite the counterparts of the existing rule (other settings of the rule remain unchanged). If the ACL is created with the auto keyword specified, the rules of the ACL cannot be edited. In this case, the system prompts errors when you execute the rule command.

• If the ACL rule identified by the rule-id argument does not exist, you will create a new rule.

• The content of a modified or created rule cannot be identical with the content of any existing rules; otherwise the rule modification or creation will fail, and the system prompts that the rule already exists.

If you do not specify the rule-id argument when creating an ACL rule, the rule will be numbered automatically.

1.4.3  Configuration Example

# Configure ACL 3000 to permit the TCP packets sourced from the network 129.9.0.0 and destined for the network 202.38.160.0 and with the destination port number being 80.

<H3C> system-view

[H3C] acl number 3000

[H3C-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80

[H3C-acl-adv-3000] display acl 3000

Advanced ACL  3000, 1 rule

Acl's step is 1

 rule 0 permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www

1.5  Layer 2 ACL Configuration

Layer 2 ACLs filter packets according to their Layer 2 information, such as the source and destination MAC addresses, VLAN priority, and Layer 2 protocol types.

A Layer 2 ACL can be numbered from 4000 to 4999.

1.5.1  Configuration Preparation

To configure a time range-based Layer 2 ACL rule, you need to create the corresponding time ranges first. For information about time range configuration, refer to section 1.2 “Time Range Configuration”.

Determine the settings to be specified in the rule, such as source and destination MAC addresses, VLAN priorities, and Layer 2 protocol types.

1.5.2  Configuration Procedure

Table 1-12 Define a Layer 2 ACL rule (operation: command)

• Enter system view: system-view

• Create a Layer 2 ACL or enter Layer 2 ACL view (required): acl number acl-number

• Define an ACL rule (required): rule [ rule-id ] { permit | deny } rule-string

• Assign a description string to the ACL rule (optional): rule rule-id comment text

• Assign a description string to the ACL (optional): description text

 

The rule-string argument of the rule command can be a combination of the arguments/keywords described in Table 1-13.

Table 1-13 Layer 2 ACL rule information (parameter, type: function and description)

• format-type (link layer encapsulation type): Specifies the link layer encapsulation type for the ACL rule. This argument can be 802.3/802.2, 802.3, ether_ii, or snap.

• lsap lsap-code lsap-wildcard (lsap field): Specifies the lsap field for the ACL rule. lsap-code: Encapsulation format of data frames, a 16-bit hexadecimal number. lsap-wildcard: Mask of the lsap value, a 16-bit hexadecimal number used to specify the mask bits.

• source { source-addr source-mask | vlan-id }* (source MAC address information): Specifies the source MAC address range for the ACL rule. source-addr: Source MAC address, in the format of H-H-H. source-mask: Mask of the source MAC address, in the format of H-H-H. vlan-id: Source VLAN ID, in the range of 1 to 4094.

• dest dest-addr dest-mask (destination MAC address information): Specifies the destination MAC address range for the ACL rule. dest-addr: Destination MAC address, in the format of H-H-H. dest-mask: Mask of the destination MAC address, in the format of H-H-H.

• cos cos (priority): Specifies the 802.1p priority for the rule. cos: VLAN priority, in the range of 0 to 7.

• time-range time-name (time range information): Specifies the time range in which the ACL rule is active. time-name: Name of the time range in which the rule is active, a string comprising 1 to 32 characters.

• type protocol-type protocol-mask (protocol type of Ethernet frames): Specifies the protocol type of Ethernet frames for the ACL rule. protocol-type: Protocol type. protocol-mask: Protocol type mask.

 

Note:

• An H3C S3600 Ethernet switch does not support the format-type argument for a Layer 2 ACL.

• A rule with the lsap keyword specified can be applied to a port but does not take effect.

 

If you specify the cos keyword, you can directly input a value ranging from 0 to 7 or input one of the keywords listed in Table 1-14 as the CoS value.

Table 1-14 CoS values and the corresponding keywords

Keyword | CoS in decimal | CoS in binary
best-effort | 0 | 000
background | 1 | 001
spare | 2 | 010
excellent-effort | 3 | 011
controlled-load | 4 | 100
video | 5 | 101
voice | 6 | 110
network-management | 7 | 111

 

When you define an ACL rule using the rule command with the rule-id argument provided:

• If the ACL rule identified by the rule-id argument already exists, the settings specified in the rule command overwrite the corresponding settings of the existing rule; settings not specified in the command remain unchanged.

• If the ACL rule identified by the rule-id argument does not exist, you will create a new rule.

• The content of a modified or created rule cannot be identical with the content of any existing rules; otherwise the rule modification or creation will fail, and the system prompts that the rule already exists.

If you do not specify the rule-id argument when creating an ACL rule, the rule will be numbered automatically.

1.5.3  Configuration Example

# Configure ACL 4000 to deny packets sourced from the MAC address 000d-88f5-97ed, destined for the MAC address 0011-4301-991e, and with their 802.1p priority being 3.

<H3C> system-view

[H3C] acl number 4000

[H3C-acl-ethernetframe-4000] rule deny cos 3 source 000d-88f5-97ed ffff-ffff-ffff dest 0011-4301-991e ffff-ffff-ffff

[H3C-acl-ethernetframe-4000] display acl 4000

Ethernet frame ACL  4000, 1 rule

Acl's step is 1

 rule 0 deny cos excellent-effort source 000d-88f5-97ed ffff-ffff-ffff dest 0011-4301-991e ffff-ffff-ffff

1.6  User-Defined ACL Configuration

A user-defined ACL filters packets by comparing specific bytes in packet headers with specified strings.

A user-defined ACL can be numbered from 5000 to 5999.

1.6.1  Configuration Preparation

To configure a time range-based user-defined ACL rule, you need to define the corresponding time ranges first. For information about time range configuration, refer to section 1.2 “Time Range Configuration”.

1.6.2  Configuration Procedure

Table 1-15 Define a user-defined ACL rule (operation: command)

• Enter system view: system-view

• Create a user-defined ACL or enter user-defined ACL view (required): acl number acl-number

• Define an ACL rule (required): rule [ rule-id ] { permit | deny } [ rule-string rule-mask offset ] &<1-8> [ time-range name ]

• Assign a description string to the ACL (optional): description text

• Assign a description string to the ACL rule (optional): rule rule-id comment text

 

Note:

The bytes in packet headers to be compared with the specified string are determined by the offset from the beginning of the packet header. You specify the offset through the offset argument when executing the rule command. Note the following when you specify the offset.

• Each packet that is processed by a switch internally carries a VLAN tag. A VLAN tag is four bytes in size.

• A switch with the VLAN VPN function enabled inserts a VLAN tag into each packet it processes, whether or not the packet already carries a VLAN tag. Each packet therefore carries two VLAN tags after being processed by such a switch.

 

When you define an ACL rule using the rule command with the rule-id argument provided:

• If the ACL rule identified by the rule-id argument already exists, the settings specified in the rule command overwrite the corresponding settings of the existing rule; settings not specified in the command remain unchanged.

• If the ACL rule identified by the rule-id argument does not exist, you will create a new rule.

• The content of a modified or created rule cannot be identical with the content of any existing rules; otherwise the rule modification or creation will fail, and the system prompts that the rule already exists.

If you do not specify the rule-id argument when creating an ACL rule, the rule will be numbered automatically.

1.6.3  Configuration Example

# Configure ACL 5001 to deny all TCP packets. The ACL is active from 18:00 to 23:00 on each Saturday (the VLAN VPN function is not enabled).

<H3C> system-view

[H3C] time-range t1 18:00 to 23:00 sat

[H3C] acl number 5001

[H3C-acl-user-5001] rule 25 deny 06 ff 27 time-range t1

[H3C-acl-user-5001] display acl 5001

User defined ACL  5001, 1 rules

Acl's step is 1

rule 25 deny 06 ff 27 time-range t1 (Inactive)
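Why the rule string above reads 06 ff 27: the offset counts from the start of the frame as the switch holds it internally, so the IPv4 protocol field sits at 14 (Ethernet header) + 4 (one VLAN tag) + 9 (protocol field within the IPv4 header) = 27, and 06 is the protocol number of TCP. The following Python script is an added illustration (not switch code) that parses a rule string in the Table 1-15 syntax and matches it against constructed single-tagged and double-tagged frames, showing that a VLAN VPN switch (two tags) shifts the field to offset 31.

```python
import struct
from typing import List, Tuple

ETHER_HDR = 14        # destination MAC + source MAC + EtherType
VLAN_TAG = 4          # one 802.1Q tag, inserted between source MAC and EtherType
IP_PROTO_OFFSET = 9   # protocol field inside the IPv4 header

Triplet = Tuple[bytes, bytes, int]   # (rule-string, rule-mask, offset)


def build_frame(ip_proto: int, vlan_tags: int) -> bytes:
    """Constructed sample frame as the switch sees it internally: Ethernet header,
    vlan_tags 802.1Q tags (1 normally, 2 with VLAN VPN) and a minimal IPv4 header."""
    dst_mac = bytes.fromhex("000d88f597ed")
    src_mac = bytes.fromhex("00114301991e")
    tags = b"".join(struct.pack("!HH", 0x8100, 100) for _ in range(vlan_tags))
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, ip_proto, 0,
                       bytes([10, 1, 1, 1]), bytes([10, 1, 1, 2]))
    return dst_mac + src_mac + tags + struct.pack("!H", 0x0800) + ipv4


def field_offset(vlan_tags: int, offset_in_ip: int) -> int:
    """offset argument needed to reach an IPv4 header field on a frame with vlan_tags tags."""
    return ETHER_HDR + VLAN_TAG * vlan_tags + offset_in_ip


def parse_rule_string(spec: str) -> List[Triplet]:
    """Parse '[ rule-string rule-mask offset ] &<1-8>' as typed in the rule command;
    a trailing 'time-range name' is accepted and ignored here."""
    tokens = spec.split()
    if "time-range" in tokens:
        tokens = tokens[:tokens.index("time-range")]
    assert tokens and len(tokens) % 3 == 0 and len(tokens) // 3 <= 8, spec
    triplets = []
    for i in range(0, len(tokens), 3):
        value = bytes.fromhex(tokens[i])
        mask = bytes.fromhex(tokens[i + 1])
        offset = int(tokens[i + 2])
        assert len(value) == len(mask), spec
        triplets.append((value, mask, offset))
    return triplets


def rule_matches(frame: bytes, triplets: List[Triplet]) -> bool:
    """Every triplet must match: frame bytes at offset, ANDed with the mask, equal the string."""
    for value, mask, offset in triplets:
        window = frame[offset:offset + len(value)]
        if len(window) < len(value):
            return False
        if any((w & m) != (v & m) for w, v, m in zip(window, value, mask)):
            return False
    return True


if __name__ == "__main__":
    tcp_rule = parse_rule_string("06 ff 27 time-range t1")      # the manual's TCP rule
    print(rule_matches(build_frame(6, 1), tcp_rule))            # True: one tag, protocol 6 at byte 27
    print(rule_matches(build_frame(17, 1), tcp_rule))           # False: UDP
    print(rule_matches(build_frame(6, 2), tcp_rule))            # False: VLAN VPN shifts the field to 31
    print(field_offset(2, IP_PROTO_OFFSET))                     # 31
```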

1.7  Applying ACLs on Ports

By applying ACLs on ports, you can filter outbound or inbound packets on the corresponding ports.

1.7.1  Configuration Preparation

You need to define an ACL before applying it on a port. For information about defining an ACL, refer to section 1.3 “Basic ACL Configuration”, section 1.4 “Advanced ACL Configuration”, section 1.5 “Layer 2 ACL Configuration”, and section 1.6 “User-Defined ACL Configuration”.

1.7.2  Configuration Procedure

Table 1-16 Apply an ACL on a port (operation: command)

• Enter system view: system-view

• Enter Ethernet port view: interface interface-type interface-number

• Apply an ACL on the port (required): packet-filter { inbound | outbound } acl-rule

 

You can apply ACLs on a port in different ways, as listed in Table 1-17.

Table 1-17 Ways to apply ACLs on a port

Combination mode | The acl-rule argument
Apply all the rules of an ACL that is of IP type | ip-group acl-number
Apply a rule of an ACL that is of IP type | ip-group acl-number rule rule-id
Apply all the rules of an ACL that is of link type | link-group acl-number
Apply a rule of an ACL that is of link type | link-group acl-number rule rule-id
Apply all the rules of a user-defined ACL | user-group acl-number
Apply a rule of a user-defined ACL | user-group acl-number rule rule-id
Apply a rule of an ACL that is of IP type and a rule of an ACL that is of link type | ip-group acl-number rule rule-id link-group acl-number rule rule-id

 

1.7.3  Configuration Example

# Apply ACL 2100 on GigabitEthernet1/1/1 to filter inbound packets.

<H3C> system-view

[H3C] interface gigabitethernet 1/1/1

[H3C-GigabitEthernet1/1/1] packet-filter inbound ip-group 2100

1.8  Displaying ACL Configuration

After the above configuration, you can execute the display commands in any view to view the ACL running information, so as to verify the configuration.

Table 1-18 Display ACL configuration (operation: command; these commands can be executed in any view)

• Display a configured ACL or all the ACLs: display acl { all | acl-number }

• Display a time range or all the time ranges: display time-range { all | time-name }

• Display the information about packet filtering: display packet-filter { interface interface-type interface-number | unitid unit-id }

 

1.9  ACL Configuration Example

1.9.1  Basic ACL Configuration Example

I. Network requirements

Apply an ACL on GigabitEthernet1/1/1 to filter packets sourced from 10.1.1.1 from 8:00 to 18:00 every day.

II. Network diagram

Figure 1-1 Network diagram for basic ACL configuration

III. Configuration procedure

 

Note:

Only the commands related to the ACL configuration are listed below.

 

1) Define the time range.

# Define a periodic time range that is active from 8:00 to 18:00 every day.

<H3C> system-view

[H3C] time-range test 8:00 to 18:00 daily

2) Define an ACL for packets with the source IP address of 10.1.1.1.

# Create ACL 2000 or enter ACL 2000 view.

[H3C] acl number 2000

# Define an access rule to deny packets with their source IP addresses being 10.1.1.1, applying the time range to the ACL.

[H3C-acl-basic-2000] rule 1 deny source 10.1.1.1 0 time-range test

[H3C-acl-basic-2000] quit

3) Apply the ACL on the port.

# Apply ACL 2000 on the port.

[H3C] interface gigabitethernet1/1/1

[H3C-GigabitEthernet1/1/1] packet-filter inbound ip-group 2000

1.9.2  Advanced ACL Configuration Example

I. Network requirements

The networks of different departments of an enterprise are interconnected through a switch. The IP address of the wage query server is 192.168.1.2. The network of the R&D department is connected to GigabitEthernet1/1/1 of the switch. Apply an ACL to deny requests sourced from the R&D department and destined for the wage server during the working hours (8:00 to 18:00).

II. Network diagram

Figure 1-2 Network diagram for advanced ACL configuration

III. Configuration procedure

 

Note:

Only the commands related to the ACL configuration are listed below.

 

1) Define the time range.

# Define a periodic time range that is active from 8:00 to 18:00 on each working day.

<H3C> system-view

[H3C] time-range test 8:00 to 18:00 working-day

2) Define an ACL for filtering requests destined for the wage server.

# Create ACL 3000 or enter ACL 3000 view.

[H3C] acl number 3000

# Define an ACL rule for requests destined for the wage server.

[H3C-acl-adv-3000] rule 1 deny ip destination 192.168.1.2 255.255.255.0 time-range test

[H3C-acl-adv-3000] quit

3) Apply the ACL on the port.

# Apply ACL 3000 on the port.

[H3C] interface gigabitethernet1/1/1

[H3C-GigabitEthernet1/1/1] packet-filter inbound ip-group 3000

1.9.3  Layer 2 ACL Configuration Example

I. Network requirements

Apply an ACL on GigabitEthernet1/1/1 to filter packets with their source MAC addresses being 000f-e20f-0101 and destination MAC addresses being 000f-e20f-0303 from 8:00 to 18:00 every day.

II. Network diagram

Figure 1-3 Network diagram for Layer 2 ACL configuration

III. Configuration procedure

 

Note:

Only the commands related to the ACL configuration are listed below.

 

1) Define the time range.

# Define a periodic time range that is active from 8:00 to 18:00 every day.

<H3C> system-view

[H3C] time-range test 8:00 to 18:00 daily

2) Define an ACL rule for packets with the source MAC address of 000f-e20f-0101 and destination MAC address of 000f-e20f-0303.

# Create ACL 4000 or enter ACL 4000 view.

[H3C] acl number 4000

# Define an ACL rule to deny packets with the source MAC address of 000f-e20f-0101 and destination MAC address of 000f-e20f-0303, specifying the time range named test for the ACL rule.

[H3C-acl-ethernetframe-4000] rule 1 deny source 000f-e20f-0101 ffff-ffff-ffff dest 000f-e20f-0303 ffff-ffff-ffff time-range test

[H3C-acl-ethernetframe-4000] quit

3) Apply the ACL on GigabitEthernet1/1/1.

# Apply the ACL on GigabitEthernet1/1/1.

[H3C] interface GigabitEthernet1/1/1

[H3C-GigabitEthernet1/1/1] packet-filter inbound link-group 4000

1.9.4  User-Defined ACL Configuration Example

I. Network requirements

Apply an ACL on Ethernet1/0/1 to deny all TCP packets within the time range from 8:00 to 18:00 every day.

II. Network diagram

Figure 1-4 Network diagram for user-defined ACL configuration

III. Configuration procedure

 

Note:

Only the commands related to the ACL configuration are listed below.

 

1) Define the time range.

# Define a periodic time range that is active from 8:00 to 18:00 every day.

[H3C] time-range aaa 8:00 to 18:00 daily

2) Create an ACL rule to filter TCP packets.

# Create ACL 5000 or enter ACL 5000 view.

[H3C] acl number 5000

# Define a rule for TCP packets (the VLAN VPN function is not enabled).

[H3C-acl-user-5000] rule 1 deny 06 ff 27 time-range aaa

3) Apply the ACL on Ethernet1/0/1.

# Apply the ACL 5000 on Ethernet1/0/1.

[H3C] interface Ethernet1/0/1

[H3C-Ethernet1/0/1] packet-filter inbound user-group 5000

 
