H3C S3610[5510] Series Ethernet Switches Operation Manual-Release 0001-(V1.02)

18-ACL Operation

Table of Contents

Chapter 1 ACL Overview
1.1 ACL Overview
1.2 Time-Based ACL
1.3 IPv4 ACL
1.3.1 IPv4 ACL Classification
1.3.2 IPv4 ACL Match Order
1.3.3 IPv4 ACL Creation
1.3.4 IP Fragments Filtering with IPv4 ACL
1.4 IPv6 ACL
1.4.1 IPv6 ACL Classification
1.4.2 IPv6 ACL Match Order
1.4.3 IPv6 ACL Creation

Chapter 2 IPv4 ACL Configuration
2.1 Creating a Time Range
2.1.1 Configuration Procedure
2.1.2 Configuration Example
2.2 Configuring a Basic IPv4 ACL
2.2.1 Configuration Prerequisites
2.2.2 Configuration Procedure
2.2.3 Configuration Example
2.3 Configuring an Advanced IPv4 ACL
2.3.1 Configuration Prerequisites
2.3.2 Configuration Procedure
2.3.3 Configuration Example
2.4 Configuring an Ethernet Frame Header ACL
2.4.1 Configuration Prerequisites
2.4.2 Configuration Procedure
2.4.3 Configuration Example
2.5 Configuring a User-Defined IPv4 ACL
2.5.1 Configuration Prerequisites
2.5.2 Configuration Procedure
2.5.3 Configuration Example
2.6 Displaying and Maintaining IPv4 ACLs
2.7 IPv4 ACL Configuration Example
2.7.1 Network Requirements
2.7.2 Network Diagram
2.7.3 Configuration Procedure

Chapter 3 IPv6 ACL Configuration
3.1 Creating a Time Range
3.2 Configuring a Basic IPv6 ACL
3.2.1 Configuration Prerequisites
3.2.2 Configuration Procedure
3.2.3 Configuration Example
3.3 Configuring an Advanced IPv6 ACL
3.3.1 Configuration Prerequisites
3.3.2 Configuration Procedure
3.3.3 Configuration Example
3.4 Displaying and Maintaining IPv6 ACLs
3.5 IPv6 ACL Configuration Example
3.5.1 Network Requirements
3.5.2 Configuration Procedure

Chapter 4 Flow Template Configuration
4.1 Flow Template Overview
4.2 Configuring a Flow Template
4.3 Displaying Flow Templates
4.4 Flow Template Configuration Example



Chapter 1  ACL Overview

1.1  ACL Overview

An access control list (ACL) is used primarily to identify traffic flows. To filter packets, a series of match rules is configured on the network device to identify the packets to be filtered. Once those packets are identified, the device permits or denies them according to the predefined policy.

ACLs classify packets based on a series of match conditions, which can be the source addresses, destination addresses and port numbers carried in the packets.

The packet match rules defined by ACLs can be referenced by other functions that need to differentiate traffic flows, such as the definition of traffic classification rules in QoS.

 

In this manual, IPv4 ACLs refers to ACLs that filter IPv4 packets, and IPv6 ACLs to ACLs that filter IPv6 packets.

 

1.2  Time-Based ACL

A time-based ACL enables you to apply ACL control to packets only during specified time ranges.

A time range can be specified in each rule in an ACL. If the time range specified in a rule is not configured, the system will give a prompt message and allow such a rule to be successfully created. However, the rule does not take effect immediately. It takes effect only when the specified time range is configured and the system time is within the time range.

1.3  IPv4 ACL

1.3.1  IPv4 ACL Classification

IPv4 ACLs are numbered ACLs. Depending on the header fields used for filtering, they fall into the following four types:

• Basic ACL (numbered 2000 to 2999), based on source IP address.

• Advanced ACL (numbered 3000 to 3999), based on source IP address, destination IP address, protocol carried on IP, and other Layer 3 or Layer 4 protocol header information.

• Ethernet frame header ACL (numbered 4000 to 4999), based on Layer 2 protocol header fields such as source MAC address, destination MAC address, 802.1p priority, and link layer protocol type.

• User-defined ACL (numbered 5000 to 5999), based on customized information in protocol headers. Starting from a byte specified by its offset from the packet header, a user-defined ACL ANDs the packet bytes with a mask and compares the result with the user-defined string to find the matching packets for processing.

1.3.2  IPv4 ACL Match Order

Each ACL is a sequential collection of rules defined with different matching criteria. The order in which a packet is matched against the rules may affect how the packet is handled.

At present, the following two match orders are available:

• config: packets are compared against ACL rules in the order in which the rules are configured.

• auto: depth-first match is performed. The term depth-first match has different meanings for different types of ACLs.

I. Depth-first match for a basic IPv4 ACL

The following shows how your device performs depth-first match in a basic IPv4 ACL:

1)         Sort rules by source IP address wildcard first and compare packets against the rule configured with more zeros in the source IP address wildcard prior to other rules.

2)         If two rules are present with the same number of zeros in their source IP address wildcards, compare packets against the rule configured first prior to the other.

For example, the rule with the source IP address wildcard 0.0.0.255 is compared prior to the rule with the source IP address wildcard 0.0.255.255.

II. Depth-first match for an advanced IPv4 ACL

The following shows how your device performs depth-first match in an advanced IPv4 ACL:

1)         Sort rules by source IP address wildcard first and compare packets against the rule configured with more zeros in the source IP address wildcard prior to other rules.

2)         If two rules are present with the same number of zeros in their source IP address wildcards, look at the destination IP address wildcards in the rules in addition. Then, compare packets against the rule configured with more zeros in the destination IP address wildcard prior to the other.

3)         If the numbers of zeros in the destination IP address wildcards are the same, compare packets against the rule configured first prior to the other.

For example, if the numbers of zeros in the source IP address wildcards are the same, the rule with the destination IP address wildcard 0.0.0.255 is compared prior to the rule with the destination IP address wildcard 0.0.255.255.

III. Depth-first match for an Ethernet frame header IPv4 ACL

The following shows how your device performs depth-first match in an Ethernet frame header ACL:

1)         Sort rules by source MAC address mask first and compare packets against the rule configured with more ones in the source MAC address mask prior to other rules.

2)         If two rules are present with the same number of ones in their source MAC address masks, look at the destination MAC address masks. Then, compare packets against the rule configured with more ones in the destination MAC address mask prior to the other.

3)         If the numbers of ones in the destination MAC address masks are the same, the one configured first is compared prior to the other.

For example, the rule with source MAC address mask FFFF-FFFF-0000 is compared prior to the rule with source MAC address mask FFFF-0000-0000.

 

Note:

The match order for a user-defined IPv4 ACL can only be config.

 

The comparison of a packet against an ACL stops once a match is found. The packet is then processed as per the rule.

1.3.3  IPv4 ACL Creation

An IPv4 ACL consists of a set of rules. Before you can configure ACL rules, you must first create an IPv4 ACL.

When creating an IPv4 ACL:

• You must specify an ACL number (numeric type), and

• You can optionally specify the match order of the IPv4 ACL.

After an IPv4 ACL is created, the IPv4 ACL view is displayed.

1.3.4  IP Fragments Filtering with IPv4 ACL

Traditional packet filtering matches only the first fragment of an IP packet rather than every fragment; all subsequent non-first fragments are handled the same way as the first one. This is a security risk, because an attacker can fabricate non-first fragments to attack your network.

ACL rules configured with the fragment keyword apply to non-tail fragments only; they do not apply to non-fragmented packets or tail fragments. Rules configured without the keyword apply to both fragmented and non-fragmented packets.

1.4  IPv6 ACL

1.4.1  IPv6 ACL Classification

IPv6 ACLs are numbered ACLs. Depending on the header fields used for filtering, they fall into the following two types:

• Basic IPv6 ACL (numbered 2000 to 2999), based on source IPv6 address.

• Advanced IPv6 ACL (numbered 3000 to 3999), based on source IPv6 address, destination IPv6 address, protocol carried on IP, and other Layer 3 or Layer 4 protocol header fields.

1.4.2  IPv6 ACL Match Order

Similar to IPv4 ACLs, IPv6 ACLs are sequential collections of rules defined with different matching parameters. The order in which a packet is matched against the rules in an IPv6 ACL may affect how the packet is handled.

As with IPv4 ACLs, the following two match orders are available for IPv6 ACLs:

• config: packets are compared against the rules in the order in which the rules are configured.

• auto: depth-first match is performed.

In the depth-first mechanism of IPv6 ACLs, packets are matched against the rule that specifies the narrower address range first. Address ranges are compared by prefix length: the longer the prefix, the narrower the address range.

Consider two IPv6 prefixes, 2050:6070::/96 and 2050:6070::/64. In the auto match approach, packets are matched against the rule with the address 2050:6070::/96 first, because that address specifies a narrower address range than 2050:6070::/64. If two rules with the same prefix length are defined in an IPv6 ACL, the one configured first is compared prior to the other.

The comparison of a packet against an ACL stops once a match is found. The packet is then processed as per the rule.
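The depth-first ordering of sections 1.3.2 and 1.4.2 and the first-match-wins lookup, modelled in Python together with the rule-ID assignment and duplicate-rule checks described in Chapter 2. This is an added example, not code from the manual or the switch software; it assumes source and destination specs written as "address wildcard" (IPv4) or "prefix/len" (IPv6), and it models only address-based ordering (the MAC-mask ordering of Ethernet frame header ACLs follows the same more-specific-first principle but is not included).

```python
"""Model of H3C-style ACL matching: config vs. auto (depth-first) match order,
first-match-wins lookup and step-based rule-ID assignment.
Added example; not code from the manual or the switch software."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    src: str           # IPv4 "address wildcard", IPv6 "prefix/len", or "any"
    dst: str = "any"   # same forms; basic ACLs leave it as "any"


def _wildcard(wildcard: str) -> int:
    """Integer value of an IPv4 wildcard; the CLI shorthand "0" means 0.0.0.0."""
    return int(ipaddress.IPv4Address("0.0.0.0" if wildcard == "0" else wildcard))


def _specificity(spec: str) -> int:
    """How narrow an address spec is; larger is compared earlier under auto order.
    IPv4: zero bits in the wildcard (a 0 bit must match); IPv6: prefix length."""
    if spec == "any":
        return 0
    if "/" in spec:
        return ipaddress.IPv6Network(spec, strict=False).prefixlen
    return 32 - bin(_wildcard(spec.split()[1])).count("1")


def _matches(spec: str, addr: str) -> bool:
    """Does a packet address fall inside the rule's address spec?"""
    if spec == "any":
        return True
    if "/" in spec:
        return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(spec, strict=False)
    base, wildcard = spec.split()
    care = 0xFFFFFFFF ^ _wildcard(wildcard)          # bits that must match
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


class Acl:
    def __init__(self, number: int, match_order: str = "config", step: int = 5):
        if match_order not in ("config", "auto"):
            raise ValueError("match order must be config or auto")
        self.number, self.match_order, self.step = number, match_order, step
        self.rules: Dict[int, Rule] = {}   # rule-id -> rule, in configuration order

    def next_rule_id(self) -> int:
        """Smallest multiple of step above the current highest ID (0 for an empty ACL);
        the manual's case: step 5 and highest ID 28 give 30."""
        if not self.rules:
            return 0
        return (max(self.rules) // self.step + 1) * self.step

    def add_rule(self, rule: Rule, rule_id: Optional[int] = None) -> int:
        """Identical rules are rejected and rules of an auto-ordered ACL cannot be
        modified, as the configuration notes state."""
        if rule in self.rules.values():
            raise ValueError("the rule already exists")
        if rule_id is None:
            rule_id = self.next_rule_id()
        elif rule_id in self.rules and self.match_order == "auto":
            raise ValueError("rules of an auto-ordered ACL cannot be modified")
        self.rules[rule_id] = rule
        return rule_id

    def ordered(self) -> List[Tuple[int, Rule]]:
        """Rules in the order a packet is compared against them; IDs never change."""
        items = list(self.rules.items())
        if self.match_order == "config":
            return items
        # auto: narrower source first, then narrower destination. Python's sort is
        # stable, so rules that tie on both keep their configuration order.
        return sorted(items, key=lambda kv: (-_specificity(kv[1].src), -_specificity(kv[1].dst)))

    def lookup(self, src: str, dst: str) -> Optional[Tuple[int, Rule]]:
        """First match wins; None means no rule matched the packet."""
        for rule_id, rule in self.ordered():
            if _matches(rule.src, src) and _matches(rule.dst, dst):
                return rule_id, rule
        return None


if __name__ == "__main__":
    # The same two rules, configured in the same order, under both match orders.
    for order in ("config", "auto"):
        acl = Acl(2000, match_order=order)
        acl.add_rule(Rule("permit", "10.1.0.0 0.0.255.255"))   # rule 0; 16 zero bits
        acl.add_rule(Rule("deny", "10.1.1.0 0.0.0.255"))       # rule 5; 24 zero bits
        print(order, [rid for rid, _ in acl.ordered()], acl.lookup("10.1.1.7", "10.2.2.2"))
    # The manual's IPv6 case: under auto the /96 rule is compared before the /64 rule.
    acl6 = Acl(2000, match_order="auto")
    acl6.add_rule(Rule("permit", "2050:6070::/64"))
    acl6.add_rule(Rule("deny", "2050:6070::/96"))
    print([rid for rid, _ in acl6.ordered()])
```

The same packet from 10.1.1.7 is permitted under config order (rule 0 is checked first) and denied under auto order (the narrower rule 5 is checked first), which is why the manual lets you choose the match order only before rules exist.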

1.4.3  IPv6 ACL Creation

An IPv6 ACL consists of a set of rules. Before you can configure IPv6 ACL rules, you must first create an IPv6 ACL.

When creating an IPv6 ACL:

• You must specify an IPv6 ACL number (numeric type), and

• You can optionally specify the match order of the IPv6 ACL.

After an IPv6 ACL is created, the IPv6 ACL view is displayed.

 


Chapter 2  IPv4 ACL Configuration

2.1  Creating a Time Range

Three types of time ranges are available:

• Periodic time range, which recurs periodically on the day or days of the week.

• Absolute time range, which takes effect only in a period of time and does not recur.

• Compound time range, which recurs on the day or days of the week only within a specified period of time.

 

Note:

The absolute time range available on H3C S3610 and S5510 Series Ethernet Switches is 1970/1/1 00:00 to 2100/12/31 24:00.

 

2.1.1  Configuration Procedure

Follow these steps to create a time range:

1) Enter system view
   Command: system-view

2) Create a time range
   Command: time-range time-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }
   Remarks: Required

 

Note that:

• A periodic time range is created using the time-range time-name start-time to end-time days command. A time range thus created recurs periodically on the day or days of the week.

• An absolute time range is created using the time-range time-name { from time1 date1 [ to time2 date2 ] | to time2 date2 } command. Unlike a periodic time range, a time range thus created does not recur. For example, to create an absolute time range that is active between January 1, 2004 00:00 and December 31, 2004 23:59, you may use the time-range test from 00:00 01/01/2004 to 23:59 12/31/2004 command.

• A compound time range is created using the time-range time-name start-time to end-time days { from time1 date1 [ to time2 date2 ] | to time2 date2 } command. A time range thus created recurs on the day or days of the week only within the specified period. For example, to create a time range that is active from 12:00 to 14:00 on Wednesdays between January 1, 2004 00:00 and December 31, 2004 23:59, you may use the time-range test 12:00 to 14:00 wednesday from 00:00 01/01/2004 to 23:59 12/31/2004 command.

• You may create multiple time ranges with the same name. They are regarded as one time range whose active period is the result of ORing the periodic ones, ORing the absolute ones, and ANDing the periodic and absolute results.

• If the start time is not specified, the time range starts at the earliest time available on the system and ends at the end date. If the end date is not specified, the time range lasts from the date of configuration until the latest time available on the system.

• Up to 256 time ranges can be defined.

2.1.2  Configuration Example

# Create a periodic time range that is active from 8:00 to 18:00 every working day.

<Sysname> system-view

[Sysname] time-range test1 8:00 to 18:00 working-day

[Sysname] display time-range test1

Current time is 13:27:32 4/16/2005 Saturday

 

Time-range : test1 ( Inactive )

 08:00 to 18:00 working-day

# Create an absolute time range from 15:00, Jan 28, 2000 to 15:00, Jan 28, 2004.

<Sysname> system-view

[Sysname] time-range test2 from 15:00 2000/1/28 to 15:00 2004/1/28

[Sysname] display time-range test2

Current time is 13:27:32 4/16/2005 Saturday

 

Time-range : test2 ( Inactive )

 from 15:00 1/28/2000 to 15:00 1/28/2004
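The combination rule of section 2.1.1 (periodic statements ORed, absolute statements ORed, the two results ANDed, with unspecified start or end dates falling back to the system bounds) worked through in Python, reproducing the Inactive state that the two display time-range outputs above show for the Saturday current time. This is an added example, not code from the manual or the switch; it assumes half-open intervals (a range active "8:00 to 18:00" ends at 18:00:00), and the day keywords other than working-day and the weekday names are assumptions.

```python
"""Active-period computation for a named time range, following section 2.1.1:
periodic entries are ORed, absolute entries are ORed, and the two results are
ANDed. Added example; not code from the manual or the switch. Assumptions:
intervals are half-open [start, end), and the system bounds are 1970/1/1 00:00
and 2100/12/31 24:00 as the manual states."""
from datetime import datetime
from typing import List, Optional, Set, Tuple, Union

SYSTEM_MIN = datetime(1970, 1, 1)
SYSTEM_MAX = datetime(2101, 1, 1)          # 2100/12/31 24:00

# Day keywords mapped to datetime.weekday() numbers (Monday = 0). The manual uses
# working-day and wednesday; the rest of this keyword set is assumed.
DAY_KEYWORDS: dict = {
    "working-day": {0, 1, 2, 3, 4}, "daily": set(range(7)),
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}


def _minute(hhmm: str) -> int:
    """'HH:MM' to minutes since midnight; '24:00' is allowed as an end time."""
    hours, minutes = (int(x) for x in hhmm.split(":"))
    if not (0 <= hours <= 24 and 0 <= minutes < 60) or (hours == 24 and minutes):
        raise ValueError(f"bad time {hhmm!r}")
    return hours * 60 + minutes


def _when(value: Union[str, datetime]) -> datetime:
    """Accept a datetime or a CLI-style 'HH:MM YYYY/MM/DD' string (seconds optional)."""
    if isinstance(value, datetime):
        return value
    for fmt in ("%H:%M %Y/%m/%d", "%H:%M:%S %Y/%m/%d"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError(f"bad date/time {value!r}")


class TimeRange:
    """Every time-range statement configured under one name."""

    def __init__(self, name: str):
        self.name = name
        self.periodic: List[Tuple[int, int, Set[int]]] = []     # (start_min, end_min, weekdays)
        self.absolute: List[Tuple[datetime, datetime]] = []

    def add_periodic(self, start: str, end: str, days: str) -> None:
        """time-range name start-time to end-time days"""
        s, e = _minute(start), _minute(end)
        if e <= s:
            raise ValueError("end time must be later than start time")
        self.periodic.append((s, e, DAY_KEYWORDS[days.lower()]))

    def add_absolute(self, start: Optional[str] = None, end: Optional[str] = None) -> None:
        """time-range name from time1 date1 [ to time2 date2 ] | to time2 date2.
        A missing start means the earliest system time, a missing end the latest."""
        if start is None and end is None:
            raise ValueError("at least one of start and end is required")
        s = _when(start) if start else SYSTEM_MIN
        e = _when(end) if end else SYSTEM_MAX
        if not SYSTEM_MIN <= s < e <= SYSTEM_MAX:
            raise ValueError("period must lie within 1970/1/1 00:00 .. 2100/12/31 24:00")
        self.absolute.append((s, e))

    def add_compound(self, start: str, end: str, days: str,
                     abs_start: Optional[str] = None, abs_end: Optional[str] = None) -> None:
        """time-range name start-time to end-time days from ... to ...: the periodic
        part is limited to the absolute period through the AND in is_active."""
        self.add_periodic(start, end, days)
        self.add_absolute(abs_start, abs_end)

    def is_active(self, now: Union[str, datetime]) -> bool:
        """OR over periodic entries AND OR over absolute entries (an empty group counts as true)."""
        t = _when(now)
        minute = t.hour * 60 + t.minute
        periodic_ok = not self.periodic or any(
            t.weekday() in days and s <= minute < e for s, e, days in self.periodic)
        absolute_ok = not self.absolute or any(s <= t < e for s, e in self.absolute)
        return periodic_ok and absolute_ok


if __name__ == "__main__":
    now = "13:27:32 2005/4/16"                       # the manual's "Current time", a Saturday
    test1, test2 = TimeRange("test1"), TimeRange("test2")
    test1.add_periodic("8:00", "18:00", "working-day")
    test2.add_absolute("15:00 2000/1/28", "15:00 2004/1/28")
    for tr in (test1, test2):
        print(f"Time-range : {tr.name} ( {'Active' if tr.is_active(now) else 'Inactive'} )")
```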

2.2  Configuring a Basic IPv4 ACL

Basic IPv4 ACLs filter packets based on source IP address. They are numbered in the range 2000 to 2999.

2.2.1  Configuration Prerequisites

If you want a rule to reference a time range, define the time range with the time-range command first.

2.2.2  Configuration Procedure

Follow these steps to configure a basic IPv4 ACL:

1) Enter system view
   Command: system-view

2) Create and enter basic IPv4 ACL view
   Command: acl number acl-number [ match-order { config | auto } ]
   Remarks: Required. The default match order is config.

3) Create or modify a rule
   Command: rule [ rule-id ] { permit | deny } [ rule-string ]
   Remarks: Required. To create multiple rules, repeat this step.

4) Set a rule numbering step
   Command: step step-value
   Remarks: Optional. The default step is 5.

5) Create an ACL description
   Command: description text
   Remarks: Optional

6) Create a rule description
   Command: rule rule-id comment text
   Remarks: Optional

 

When configuring a rule, note that:

• You cannot create or modify a rule whose permit/deny statement is exactly the same as that of another rule. In addition, if the ACL match order is auto rather than config, you cannot modify ACL rules.

• When defining ACL rules, you do not have to assign them IDs. The system can assign rule IDs automatically, starting from 0 and increasing by the rule numbering step. An automatically assigned rule ID is greater than the current highest rule ID: for example, if the step is 5 and the current highest rule ID is 28, the next rule is numbered 30.

• A newly defined rule cannot be identical to any existing rule; otherwise it is not created and the system prompts that the rule already exists.

• Rules in an ACL created with the auto keyword are sorted according to the depth-first principle regardless of the order in which they are created. The ID of each rule does not change.

 

Caution:

• You can modify the match order of an IPv4 ACL with the acl number acl-number match-order { config | auto } command, but only when the ACL does not contain any rules.

• The rule specified in the rule comment command must already exist.

 

2.2.3  Configuration Example

# Create IPv4 ACL 2000 to deny packets with source address 1.1.1.1.

<Sysname> system-view

[Sysname] acl number 2000

[Sysname-acl-basic-2000] rule deny source 1.1.1.1 0

# Verify the configuration.

[Sysname-acl-basic-2000] display acl 2000

Basic ACL  2000, 1 rule,

ACL's step is 5

 rule 0 deny source 1.1.1.1 0 (0 times matched)

2.3  Configuring an Advanced IPv4 ACL

Advanced IPv4 ACLs filter packets based on source IP address, destination IP address, protocol carried on IP, and other protocol header fields, such as the TCP/UDP source port, TCP/UDP destination port, ICMP message type, and ICMP message code.

In addition, advanced ACLs allow you to filter packets based on three priority criteria: type of service (ToS), IP precedence, and differentiated services codepoint (DSCP) priority.

Advanced IPv4 ACLs are numbered in the range 3000 to 3999. Compared with basic ACLs, they allow more flexible and accurate filtering.

 

Note:

• When you configure both IP precedence and ToS for a rule, both are valid.

• When you configure both IP precedence/ToS and DSCP for a rule, only DSCP is valid.

 

2.3.1  Configuration Prerequisites

If you want a rule to reference a time range, define the time range with the time-range command first.

2.3.2  Configuration Procedure

Follow these steps to configure an advanced IPv4 ACL:

1) Enter system view
   Command: system-view

2) Create and enter advanced IPv4 ACL view
   Command: acl number acl-number [ match-order { config | auto } ]
   Remarks: Required. The default match order is config.

3) Create or modify a rule
   Command: rule [ rule-id ] { permit | deny } protocol [ rule-string ]
   Remarks: Required. To create multiple rules, repeat this step.

4) Set a rule numbering step
   Command: step step-value
   Remarks: Optional. The default step is 5.

5) Create an ACL description
   Command: description text
   Remarks: Optional

6) Create a rule description
   Command: rule rule-id comment text
   Remarks: Optional

 

When configuring a rule, note that:

• You cannot create or modify a rule whose permit/deny statement is exactly the same as that of another rule. In addition, if the ACL match order is auto rather than config, you cannot modify ACL rules.

• When defining ACL rules, you do not have to assign them IDs. The system can assign rule IDs automatically, starting from 0 and increasing by the rule numbering step. An automatically assigned rule ID is greater than the current highest rule ID: for example, if the step is 5 and the current highest rule ID is 28, the next rule is numbered 30.

• A newly defined rule cannot be identical to any existing rule; otherwise it is not created and the system prompts that the rule already exists.

• Rules in an ACL created with the auto keyword are sorted according to the depth-first principle regardless of the order in which they are created. The ID of each rule does not change.

 

Caution:

• You can modify the match order of an IPv4 ACL with the acl number acl-number match-order { config | auto } command, but only when the ACL does not contain any rules.

• The rule specified in the rule comment command must already exist.

 

2.3.3  Configuration Example

# Create IPv4 ACL 3000, permitting TCP packets with destination port 80 sent from network 129.9.0.0 (wildcard 0.0.255.255) to network 202.38.160.0 (wildcard 0.0.0.255).

<Sysname> system-view

[Sysname] acl number 3000

[Sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80

# Verify the configuration.

[Sysname-acl-adv-3000] display acl 3000

Advanced ACL  3000, 1 rule,

ACL's step is 5

 rule 0 permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www (0 times matched)

2.4  Configuring an Ethernet Frame Header ACL

Ethernet frame header ACLs filter packets based on Layer 2 protocol header fields such as source MAC address, destination MAC address, 802.1p priority (VLAN priority), and link layer protocol type. They are numbered in the range 4000 to 4999.

2.4.1  Configuration Prerequisites

If you want a rule to reference a time range, define the time range with the time-range command first.

2.4.2  Configuration Procedure

Follow these steps to configure an Ethernet frame header ACL:

1) Enter system view
   Command: system-view

2) Create and enter Ethernet frame header ACL view
   Command: acl number acl-number [ match-order { config | auto } ]
   Remarks: Required. The default match order is config.

3) Create or modify a rule
   Command: rule [ rule-id ] { permit | deny } [ rule-string ]
   Remarks: Required. To create multiple rules, repeat this step.

4) Set a rule numbering step
   Command: step step-value
   Remarks: Optional. The default step is 5.

5) Create an ACL description
   Command: description text
   Remarks: Optional

6) Create a rule description
   Command: rule rule-id comment text
   Remarks: Optional

 

When configuring a rule, note that:

• You cannot create or modify a rule whose permit/deny statement is exactly the same as that of another rule. In addition, if the ACL match order is auto rather than config, you cannot modify ACL rules.

• When defining ACL rules, you do not have to assign them IDs. The system can assign rule IDs automatically, starting from 0 and increasing by the rule numbering step. An automatically assigned rule ID is greater than the current highest rule ID: for example, if the step is 5 and the current highest rule ID is 28, the next rule is numbered 30.

• A newly defined rule cannot be identical to any existing rule; otherwise it is not created and the system prompts that the rule already exists.

• Rules in an ACL created with the auto keyword are sorted according to the depth-first principle regardless of the order in which they are created. The ID of each rule does not change.

 

Caution:

• You can modify the match order of an IPv4 ACL with the acl number acl-number match-order { config | auto } command, but only when the ACL does not contain any rules.

• The rule specified in the rule comment command must already exist.

 

2.4.3  Configuration Example

# Create IPv4 ACL 4000 to deny frames with the 802.1p priority of 3.

<Sysname> system-view

[Sysname] acl number 4000

[Sysname-acl-ethernetframe-4000] rule deny cos 3

# Verify the configuration.

[Sysname-acl-ethernetframe-4000] display acl 4000

Ethernet frame ACL  4000, 1 rule,

ACL's step is 5

 rule 0 deny cos excellent-effort (0 times matched)

2.5  Configuring a User-Defined IPv4 ACL

User-defined IPv4 ACLs allow you to customize rules based on the contents of protocol headers such as the IP header. When defining a user-defined ACL rule, you specify the byte offset from the beginning of a packet header at which the match operation starts, together with a mask. When comparing a packet against the rule, the system ANDs the mask with the corresponding bytes of the packet and compares the result with the rule string.

User-defined ACLs are numbered in the range 5000 to 5999.

2.5.1  Configuration Prerequisites

If you want a rule to reference a time range, define the time range with the time-range command first.

2.5.2  Configuration Procedure

Follow these steps to configure a user-defined IPv4 ACL:

1) Enter system view
   Command: system-view

2) Create and enter user-defined IPv4 ACL view
   Command: acl number acl-number
   Remarks: Required

3) Create a rule
   Command: rule [ rule-id ] { permit | deny } [ { { start | ipv4 | ipv6 | l2 | l4 } rule-string rule-mask offset }&<1-8> ] [ time-range time-name ]
   Remarks: Required. To create multiple rules, repeat this step.

4) Create an ACL description
   Command: description text
   Remarks: Optional

5) Create a rule description
   Command: rule rule-id comment text
   Remarks: Optional

 

Note these points when defining rules:

• If the ACL rule identified by the rule-id argument already exists, the settings specified in the rule command overwrite the corresponding settings of the existing rule; settings not specified in the command remain unchanged.

• If the ACL rule identified by the rule-id argument does not exist, a new rule is created.

• If you do not specify a rule ID, a new rule is created and the system assigns it the smallest multiple of step-value that is greater than the largest ID of the existing rules. For example, if step-value is 5 and the largest existing rule ID is 28, the new rule is assigned ID 30.

• For user-defined IPv4 ACLs, the match order can only be config.

• The rule specified in the rule comment command must already exist.

 

2.5.3  Configuration Example

# Configure IPv4 ACL 5500 to match ARP packets (Ethernet type 0x0806 at byte offset 12 of the Layer 2 header) within time range t1.

<Sysname> system-view

[Sysname] acl number 5500

[Sysname-acl-user-5500] rule 0 permit l2 0806 ffff 12 time-range t1

# Verify the configuration.

[Sysname-acl-user-5500] display acl 5500

User defined ACL  5500, 1 rule,

ACL's step is 5

 rule 0 permit l2 0806 ffff 12 time-range t1 (Active)
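How a user-defined ACL rule such as rule 0 permit l2 0806 ffff 12 above is evaluated against a frame: the packet bytes at the offset are ANDed with rule-mask and compared with rule-string, and every match group of a rule must match. This is an added example, not the switch's code; the positions the base keywords are measured from (start and l2 at the frame start, ipv4 after a 14-byte untagged Ethernet header, l4 after the IPv4 header), the two sample frames and the HTTP and SYN rules are assumptions constructed for the example.

```python
"""Evaluation of user-defined IPv4 ACL rules: each match group names a base
header, a rule-string, a rule-mask and a byte offset; the packet bytes at that
position are ANDed with the mask and compared with the (masked) rule-string.
Added example; not the switch's code. The base offsets below are assumptions."""
from typing import List, Tuple

ETH_HDR_LEN = 14   # untagged Ethernet II header; VLAN tags are not modelled here

# One match group as written in the rule command: (base, rule-string, rule-mask, offset)
MatchGroup = Tuple[str, str, str, int]


def _base_offset(base: str, frame: bytes) -> int:
    """Assumed position each base keyword is measured from."""
    if base in ("start", "l2"):
        return 0                                   # beginning of the frame
    if base == "ipv4":
        return ETH_HDR_LEN                          # first byte of the IPv4 header
    if base == "l4":
        if len(frame) <= ETH_HDR_LEN:
            raise ValueError("frame has no IPv4 header")
        ihl = frame[ETH_HDR_LEN] & 0x0F             # IPv4 header length in 32-bit words
        return ETH_HDR_LEN + ihl * 4                # first byte of the Layer 4 header
    raise ValueError(f"unsupported base keyword {base!r}")


def match_group(frame: bytes, base: str, rule_string: str, rule_mask: str, offset: int) -> bool:
    """(frame bytes AND mask) == (rule-string AND mask) at base + offset."""
    value, mask = bytes.fromhex(rule_string), bytes.fromhex(rule_mask)
    if len(value) != len(mask):
        raise ValueError("rule-string and rule-mask must be the same length")
    start = _base_offset(base, frame) + offset
    chunk = frame[start:start + len(mask)]
    if len(chunk) < len(mask):
        return False                                # field lies beyond the end of the packet
    masked_packet = bytes(b & m for b, m in zip(chunk, mask))
    masked_rule = bytes(v & m for v, m in zip(value, mask))
    return masked_packet == masked_rule


def match_rule(frame: bytes, groups: List[MatchGroup]) -> bool:
    """A rule holds 1 to 8 groups (the &<1-8> in the command syntax); all must match."""
    if not 1 <= len(groups) <= 8:
        raise ValueError("a rule takes between 1 and 8 match groups")
    return all(match_group(frame, *group) for group in groups)


# Constructed sample frames (not captures): an ARP request and an IPv4 TCP SYN to port 80.
ARP_FRAME = bytes.fromhex(
    "ffffffffffff" "001122334455" "0806"             # dst MAC, src MAC, EtherType ARP
    "0001" "0800" "06" "04" "0001"                   # hw type, proto type, lengths, opcode
    "001122334455" "0a000001" "000000000000" "0a000002")
TCP_FRAME = bytes.fromhex(
    "00aabbccddee" "001122334455" "0800"             # EtherType IPv4
    "4500" "0028" "0000" "4000" "40" "06" "0000"     # IHL 5, proto 6 (TCP), checksum omitted
    "0a000001" "0a000002"
    "0c38" "0050" "00000001" "00000000" "5002" "ffff" "0000" "0000")   # dport 80, SYN set

# The manual's rule: EtherType 0x0806 at offset 12 of the Layer 2 header.
ARP_RULE: List[MatchGroup] = [("l2", "0806", "ffff", 12)]
# Assumed rule: IPv4 protocol byte TCP and Layer 4 destination port 80.
HTTP_RULE: List[MatchGroup] = [("ipv4", "06", "ff", 9), ("l4", "0050", "ffff", 2)]
# Assumed rule: only the SYN bit of the TCP flags byte is compared, thanks to the mask.
SYN_RULE: List[MatchGroup] = [("l4", "02", "02", 13)]

if __name__ == "__main__":
    for name, frame in (("ARP", ARP_FRAME), ("TCP", TCP_FRAME)):
        print(name, match_rule(frame, ARP_RULE), match_rule(frame, HTTP_RULE), match_rule(frame, SYN_RULE))
```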

2.6  Displaying and Maintaining IPv4 ACLs

Display information about a specified or all IPv4 ACLs
   Command: display acl { all | acl-number }
   Remarks: Available in any view

Display the configuration and state of a specified or all time ranges
   Command: display time-range { all | time-name }
   Remarks: Available in any view

Clear the statistics about the specified or all IPv4 ACLs except for user-defined IPv4 ACLs
   Command: reset acl counter { all | acl-number }
   Remarks: Available in user view

 

2.7  IPv4 ACL Configuration Example

2.7.1  Network Requirements

The networks of different departments of an enterprise are interconnected through a switch. The IP address of the wage query server is 192.168.1.2. The network of the R&D department is connected to Ethernet1/0/1 of the switch. Apply an ACL to deny requests sourced from the R&D department and destined for the wage server during the working hours (8:00 to 18:00).

2.7.2  Network Diagram

Figure 2-1 Network diagram for ACL configuration

2.7.3  Configuration Procedure

1)         Create a time range for office hours

# Create a periodic time range spanning 8:00 to 18:00 in working days.

<Sysname> system-view

[Sysname] time-range trname 8:00 to 18:00 working-day

2)         Define an ACL to control accesses to the salary server

# Create and enter the view of advanced IPv4 ACL 3000.

[Sysname] acl number 3000

# Create a rule to control access of the President's Office to the salary server.

[Sysname-acl-adv-3000] rule 0 deny ip source any destination 192.168.1.2 0.0.0.0 time-range trname

# Create a rule to control access of other departments to the salary server.

[Sysname-acl-adv-3000] rule 2 deny ip source any destination 129.110.1.2 0.0.0.0 time-range trname

[Sysname-acl-adv-3000] quit

3)         Apply the ACL

# Apply IPv4 ACL 3000 to the inbound direction of interface Ethernet 1/0/1.

[Sysname] traffic classifier test

[Sysname-classifier-test] if-match acl 3000

[Sysname-classifier-test] quit

[Sysname] traffic behavior test

[Sysname-behavior-test] filter deny

[Sysname-behavior-test] quit

[Sysname] qos policy test

[Sysname-qospolicy-test] classifier test behavior test

[Sysname-qospolicy-test] quit

[Sysname] interface Ethernet 1/0/1

[Sysname-Ethernet1/0/1] qos apply policy test inbound

 


Chapter 3  IPv6 ACL Configuration

3.1  Creating a Time Range

Refer to section 2.1  Creating a Time Range.

3.2  Configuring a Basic IPv6 ACL

Basic IPv6 ACLs filter packets based on source IPv6 address. They are numbered in the range 2000 to 2999.

3.2.1  Configuration Prerequisites

If you want a rule to reference a time range, define the time range with the time-range command first.

3.2.2  Configuration Procedure

Follow these steps to configure a basic IPv6 ACL:

1) Enter system view
   Command: system-view

2) Create and enter basic IPv6 ACL view
   Command: acl ipv6 number acl6-number [ match-order { config | auto } ]
   Remarks: Required. The default match order is config.

3) Create a rule
   Command: rule [ rule-id ] { permit | deny } [ rule-string ]
   Remarks: Required. To create multiple rules, repeat this step.

4) Set a rule numbering step
   Command: step step-value
   Remarks: Optional. The default step is 5.

5) Create an ACL description
   Command: description text
   Remarks: Optional

6) Create a rule description
   Command: rule rule-id comment text
   Remarks: Optional

 

When configuring a rule, note that:

• You cannot create or modify a rule whose permit/deny statement is exactly the same as that of another rule. In addition, if the ACL match order is auto rather than config, you cannot modify ACL rules.

• When defining ACL rules, you do not have to assign them IDs. The system can assign rule IDs automatically, starting from 0 and increasing by the rule numbering step. An automatically assigned rule ID is greater than the current highest rule ID: for example, if the step is 5 and the current highest rule ID is 28, the next rule is numbered 30.

• A newly defined rule cannot be identical to any existing rule; otherwise it is not created and the system prompts that the rule already exists.

• Rules in an ACL created with the auto keyword are sorted according to the depth-first principle regardless of the order in which they are created. The ID of each rule does not change.

 

Caution:

• You can modify the match order of an IPv6 ACL with the acl ipv6 number acl6-number match-order { config | auto } command, but only when the ACL does not contain any rules.

• The rule specified in the rule comment command must already exist.

 

3.2.3  Configuration Example

# Create IPv6 ACL 2000 to permit IPv6 packets with source address 2030:5060::9050/64 to pass while denying IPv6 packets with source address fe80:5060::8050/96.

<Sysname> system-view

[Sysname] acl ipv6 number 2000

[Sysname-acl6-basic-2000] rule permit source 2030:5060::9050/64

[Sysname-acl6-basic-2000] rule deny source fe80:5060::8050/96

# Verify the configuration.

[Sysname-acl6-basic-2000] display acl ipv6 2000

 Basic IPv6 ACL  2000, 2 rules,

 ACL's step is 5

 rule 0 permit source 2030:5060::9050/64 (0 times matched)

 rule 5 deny source FE80:5060::8050/96 (0 times matched)

3.3  Configuring an Advanced IPv6 ACL

Advanced IPv6 ACLs filter packets based on the source IPv6 address, destination IPv6 address, protocol carried on IP, and other protocol header fields such as the TCP/UDP source port, TCP/UDP destination port, ICMP message type, and ICMP message code.

Advanced IPv6 ACLs are numbered in the range 3000 to 3999. Compared with basic IPv6 ACLs, they allow more flexible and accurate filtering.

3.3.1  Configuration Prerequisites

If you want a rule to reference a time range, define the time range with the time-range command first.

3.3.2  Configuration Procedure

Follow these steps to configure an advanced IPv6 ACL:

1) Enter system view
   Command: system-view

2) Create and enter advanced IPv6 ACL view
   Command: acl ipv6 number acl6-number [ match-order { config | auto } ]
   Remarks: Required. The default match order is config.

3) Create a rule
   Command: rule [ rule-id ] { permit | deny } protocol [ rule-string ]
   Remarks: Required. To create multiple rules, repeat this step.

4) Set a rule numbering step
   Command: step step-value
   Remarks: Optional. The default step is 5.

5) Create an ACL description
   Command: description text
   Remarks: Optional

6) Create a rule description
   Command: rule rule-id comment text
   Remarks: Optional

 

When configuring a rule, note that:

• You cannot create or modify a rule whose permit/deny statement is exactly the same as that of another rule. In addition, if the ACL match order is auto rather than config, you cannot modify ACL rules.

• When defining ACL rules, you do not have to assign them IDs. The system can assign rule IDs automatically, starting from 0 and increasing by the rule numbering step. An automatically assigned rule ID is greater than the current highest rule ID: for example, if the step is 5 and the current highest rule ID is 28, the next rule is numbered 30.

• A newly defined rule cannot be identical to any existing rule; otherwise it is not created and the system prompts that the rule already exists.

• Rules in an ACL created with the auto keyword are sorted according to the depth-first principle regardless of the order in which they are created. The ID of each rule does not change.

 

Caution:

• The protocol number you specify is used only to match the Next Header field of the IPv6 header, not the real Layer 4 protocol number.

• You can modify the match order of an IPv6 ACL with the acl ipv6 number acl6-number match-order { config | auto } command, but only when the ACL does not contain any rules.

• The rule specified in the rule comment command must already exist.

 

3.3.3  Configuration Example

# Create IPv6 ACL 3000 to permit the TCP packets with the source address 2030:5060::9050/64 to pass.

<Sysname> system-view

[Sysname] acl ipv6 number 3000

[Sysname-acl6-adv-3000] rule permit tcp source 2030:5060::9050/64

# Verify the configuration.

[Sysname-acl6-adv-3000] display acl ipv6 3000

 Advanced IPv6 ACL  3000, 1 rule,

 Acl's step is 5

 rule 0 permit tcp source 2030:5060::9050/64 (0 times matched)

3.4  Displaying and Maintaining IPv6 ACLs

• Display information about a specified or all IPv6 ACLs
  Command: display acl ipv6 { all | acl6-number }
  Remarks: Available in any view

• Clear the statistics about a specified or all IPv6 ACLs except for simple IPv6 ACLs
  Command: reset acl ipv6 counter { all | acl6-number }
  Remarks: Available in user view

 

3.5  IPv6 ACL Configuration Example

3.5.1  Network Requirements

Perform packet filtering in the inbound direction of interface Ethernet 1/0/2 to deny all IPv6 packets but those with source addresses in the range 4050::9000 to 4050::90FF.

3.5.2  Configuration Procedure

1) Create IPv6 ACL 2000.

<Sysname> system-view

[Sysname] acl ipv6 number 2000

[Sysname-acl6-basic-2000] rule permit source 4050::9000/120

[Sysname-acl6-basic-2000] rule deny source any

[Sysname-acl6-basic-2000] quit

2) Apply the ACL to the inbound direction of interface Ethernet 1/0/2.

# Define the traffic class and behavior that permit packets with source addresses in the range 4050::9000 to 4050::90FF.

[Sysname] traffic classifier c_permit

[Sysname-classifier-c_permit] if-match acl ipv6 2000

[Sysname-classifier-c_permit] quit

[Sysname] traffic behavior b_permit

[Sysname-behavior-b_permit] filter permit

[Sysname-behavior-b_permit] quit

# Define the traffic class and behavior that deny all other packets.

[Sysname] traffic classifier c_deny

[Sysname-classifier-c_deny] if-match acl ipv6 2001

[Sysname-classifier-c_deny] quit

[Sysname] traffic behavior b_deny

[Sysname-behavior-b_deny] filter deny

[Sysname-behavior-b_deny] quit

# Configure and apply a QoS policy.

[Sysname] qos policy test

[Sysname-qospolicy-test] classifier c_permit behavior b_permit

[Sysname-qospolicy-test] classifier c_deny behavior b_deny

[Sysname-qospolicy-test] quit

[Sysname] interface Ethernet 1/0/2

[Sysname-Ethernet1/0/2] qos apply policy test inbound
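The rule numbering, duplicate rejection and match-order behaviour described in the notes of 3.3.2, and the /120 prefix that 3.5.2 uses to cover 4050::9000 through 4050::90FF, can be checked against the following Python model. It is an added example, not H3C code or switch output. It assumes that config order evaluates rules by ascending rule ID, that auto order evaluates the longest source prefix first, and, as the caution in 3.3.2 states, that the protocol keyword is compared with the IPv6 Next Header field only. The helper names (net, Rule, IPv6Acl, acl_2000, acl_3000, numbering_demo, auto_order_demo, duplicate_rejected) belong to the example.

```python
"""Model of IPv6 ACL rule numbering, ordering and matching (sections 3.3.2 and 3.5).
Added illustration, not H3C code; the switch's real behaviour is in the command reference.
Assumptions: config order = ascending rule ID; auto order = longest source prefix first;
the protocol keyword is compared with the IPv6 Next Header field only."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# IANA protocol numbers for the keywords used on this page (constructed lookup table)
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmpv6": 58}


def net(prefix: str) -> ipaddress.IPv6Network:
    # strict=False mirrors the CLI accepting 2030:5060::9050/64 (host bits set)
    # and treating it as the /64 network that contains that address
    return ipaddress.IPv6Network(prefix, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str                                   # "permit" or "deny"
    protocol: Optional[int] = None                # None: any protocol (basic ACL, or the ipv6 keyword)
    source: ipaddress.IPv6Network = net("::/0")   # "source any" by default

    def matches(self, next_header: int, src: str) -> bool:
        # only the Next Header value is compared, so a packet whose first header is an
        # extension header (e.g. 0 = Hop-by-Hop) does not match a tcp/udp rule
        if self.protocol is not None and next_header != self.protocol:
            return False
        return ipaddress.IPv6Address(src) in self.source


class IPv6Acl:
    def __init__(self, number: int, match_order: str = "config", step: int = 5):
        self.number = number
        self.match_order = match_order
        self.step = step
        self.rules = {}                           # rule ID -> Rule

    def add_rule(self, rule: Rule, rule_id: Optional[int] = None) -> int:
        """Add a rule, assigning the next free ID when none is given; returns the ID used."""
        if rule in self.rules.values():
            raise ValueError("The rule already exists")
        if rule_id is None:
            # next multiple of the step above the current highest ID (28 -> 30 with step 5)
            highest = max(self.rules, default=-self.step)
            rule_id = (highest // self.step + 1) * self.step
        elif rule_id in self.rules and self.match_order == "auto":
            raise ValueError("Rules cannot be modified when the match order is auto")
        self.rules[rule_id] = rule
        return rule_id

    def ordered_rules(self):
        if self.match_order == "auto":
            # depth first: the most specific source prefix is tested first; IDs are unchanged
            return sorted(self.rules.items(), key=lambda kv: (-kv[1].source.prefixlen, kv[0]))
        return sorted(self.rules.items())         # config order: ascending rule ID

    def lookup(self, next_header: int, src: str) -> Tuple[Optional[int], Optional[str]]:
        """Return (rule ID, action) of the first matching rule, or (None, None)."""
        for rule_id, rule in self.ordered_rules():
            if rule.matches(next_header, src):
                return rule_id, rule.action
        return None, None


def acl_2000() -> IPv6Acl:
    """The basic ACL of 3.5.2: permit 4050::9000/120 (4050::9000 to 4050::90FF), deny any."""
    acl = IPv6Acl(2000)
    acl.add_rule(Rule("permit", source=net("4050::9000/120")))
    acl.add_rule(Rule("deny"))
    return acl


def acl_3000() -> IPv6Acl:
    """The advanced ACL of 3.3.3: permit TCP from 2030:5060::9050/64."""
    acl = IPv6Acl(3000)
    acl.add_rule(Rule("permit", PROTO_NUMBERS["tcp"], net("2030:5060::9050/64")))
    return acl


def numbering_demo() -> list:
    """Explicit ID 28, then two automatically numbered rules: [28, 30, 35]."""
    acl = IPv6Acl(3001)
    ids = [acl.add_rule(Rule("deny", PROTO_NUMBERS["udp"]), rule_id=28)]
    ids.append(acl.add_rule(Rule("permit", PROTO_NUMBERS["tcp"])))
    ids.append(acl.add_rule(Rule("permit", PROTO_NUMBERS["icmpv6"])))
    return ids


def auto_order_demo() -> Tuple[Optional[int], Optional[str]]:
    """With match-order auto the /120 permit (ID 5) is evaluated before deny any (ID 0)."""
    acl = IPv6Acl(2001, match_order="auto")
    acl.add_rule(Rule("deny"))                                    # ID 0
    acl.add_rule(Rule("permit", source=net("4050::9000/120")))   # ID 5
    return acl.lookup(PROTO_NUMBERS["tcp"], "4050::9001")


def duplicate_rejected() -> bool:
    """Adding a rule identical to an existing one is refused."""
    try:
        acl_2000().add_rule(Rule("deny"))                         # same statement as rule 5
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(acl_2000().lookup(6, "4050::90ff"), acl_2000().lookup(6, "4050::9100"))
    print(acl_3000().lookup(6, "2030:5060::1"), acl_3000().lookup(0, "2030:5060::1"))
    print(numbering_demo(), auto_order_demo(), duplicate_rejected())
```

In the model, acl_3000().lookup(0, "2030:5060::1") returns no match: a packet whose Next Header is an extension header does not match the tcp rule even when TCP follows the extension header, so traffic carrying extension headers has to be covered by an explicit rule rather than by a protocol-specific one.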

 


Chapter 4  Flow Template Configuration

4.1  Flow Template Overview

Flow templates limit the information that ACL rules applied on a port can match on. For an ACL rule to be applied successfully on a port, the fields in the rule must be a subset of the fields defined in the flow template applied on the port. For example, if the flow template applied on a port defines the source IP address, destination IP address, source TCP port, and destination TCP port, only ACL rules that contain no information items other than these can be applied correctly on the port for packet filtering, QoS, and other purposes.

The switch supports both the default flow template and user-defined flow templates. User-defined flow templates are of two types: basic and extended. If you do not reference any flow template on a port, the default one is used.

A flow template is configured globally and applied on a port.

 

Caution:

The use of flow templates is restricted to hardware-based ACL.

 

4.2  Configuring a Flow Template

Follow these steps to create a flow template and apply it to an interface:

1) Enter system view
   Command: system-view
   Remarks: ––

2) Create a flow template (optional; use either command)
   • Basic flow template: flow-template flow-template-name basic { customer-cos | customer-vlan-id | dip | dipv6 | dmac | dport | dscp | ethernet-protocol | fragments | icmp-code | icmp-type | icmpv6-code | icmpv6-type | ip-precedence | ip-protocol | ipv6-dscp | ipv6-fragment | ipv6-protocol | service-cos | service-vlan-id | sip | sipv6 | smac | sport | tcp-flag | tos }*
   • Extended flow template: flow-template flow-template-name extend { [ start ] offset-max-value length-max-value | ipv4 offset-max-value length-max-value | ipv6 offset-max-value length-max-value | l2 offset-max-value length-max-value | l4 offset-max-value length-max-value }*

3) Enter Ethernet port view or port group view (perform either of the two operations)
   • Ethernet port view: interface interface-type interface-number
   • Port group view: port-group { manual port-group-name | aggregation agg-id }
   Remarks: Configuration performed in port view applies to the current port only. Configuration performed in port group view applies to all the ports in the port group.

4) Apply the flow template to the port or port group
   Command: flow-template flow-template-name
   Remarks: Optional. If you do not apply a flow template, the default flow template is used.

 

Note:

• User-defined ACLs are used in conjunction with an extended user-defined flow template. When a port applies an extended flow template, you cannot apply policies that include basic or advanced ACLs on that port.

• Before applying a user-defined flow template on a port, make sure the template is already configured. A port can be configured with only one flow template.

• Before you apply a flow template on a port, make sure the following functions are disabled on the port: 802.1x, cluster (NDP, NTDP, HABP, and Cluster), DHCP Snooping, port isolation, MAC+IP+port binding, selective Q-in-Q, and voice VLAN. Do not enable these functions after applying a flow template on the port, either.

 

4.3  Displaying Flow Templates

• Display the configuration information of a specified or all user-defined flow templates
  Command: display flow-template user-defined [ flow-template-name ]
  Remarks: Available in any view

• Display information about the flow templates applied to interfaces
  Command: display flow-template interface [ interface-type interface-number ]

 

4.4  Flow Template Configuration Example

I. Network requirements

Create flow templates and apply them to interfaces.

II. Configuration procedure

# Create basic flow template aaa.

<Sysname> system-view

[Sysname] flow-template aaa basic customer-cos smac customer-vlan-id

# Reference flow template aaa on interface Ethernet 1/0/1.

[Sysname] interface Ethernet 1/0/1

[Sysname-Ethernet1/0/1] flow-template aaa

[Sysname-Ethernet1/0/1] quit

# Create user-defined ACL 5000, and configure the extended flow template bbb to match ARP packets.

[Sysname] acl number 5000

[Sysname-acl-user-5000] rule deny l2 0806 ffff 12

[Sysname-acl-user-5000] quit

[Sysname] flow-template bbb extend l2 12 2

# Reference flow template bbb on interface Ethernet 1/0/2.

[Sysname] interface Ethernet 1/0/2

[Sysname-Ethernet1/0/2] flow-template bbb

[Sysname-Ethernet1/0/2] quit

# Display information about all user-defined flow templates.

[Sysname] display flow-template user-defined

user-defined flow template: extend

 name:bbb, index:1, total reference counts:0

 fields: l2 12 2

 

user-defined flow template: basic

 name:aaa, index:2, total reference counts:0

 fields: smac customer-vlan-id customer-cos

# Display information about the user-defined flow templates referenced to interfaces.

[Sysname] display flow-template interface

Interface: Ethernet1/0/1

user-defined flow template: basic

 name:aaa, index:1, total reference counts:1

 fields: smac customer-vlan-id customer-cos

 

Interface: Ethernet1/0/2

user-defined flow template: extend

 name:bbb, index:2, total reference counts:1

 fields: l2 12 2

# Delete flow template aaa. As it is being referenced by interface Ethernet 1/0/1, remove it from the interface first.

[Sysname] interface Ethernet 1/0/1

[Sysname-Ethernet1/0/1] undo flow-template

[Sysname-Ethernet1/0/1] quit

[Sysname] undo flow-template name aaa
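The subset check described in 4.1, and the user-defined rule and extended template of this example (rule deny l2 0806 ffff 12 under flow-template bbb extend l2 12 2), modelled in Python. This is an added example, not H3C code or switch output. It assumes that a basic template admits a rule whose match fields are a subset of the template's fields, that an extended template admits a user-defined rule in the same layer whose offset and length do not exceed offset-max-value and length-max-value, and that a user-defined rule compares the masked frame bytes at the given offset with the masked rule value. The sample frames, the hypothetical template ccc and the helper names (UserDefinedRule, parse_user_rule, BasicFlowTemplate, ExtendedFlowTemplate, ethernet_frame, template_aaa_demo, template_bbb_demo) are constructed for the example.

```python
"""Flow template admission and user-defined ACL matching (sections 4.1 and 4.4).
Added illustration, not H3C code. Assumptions: basic template = field subset check;
extended template = same layer, offset <= offset-max-value, length <= length-max-value;
user-defined rule = (frame bytes & mask) == (rule value & mask) at the given offset."""
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class UserDefinedRule:
    action: str      # "permit" or "deny"
    layer: str       # "l2", "ipv4", "ipv6", "l4" or "start"
    value: bytes     # pattern, e.g. 0x0806 for ARP
    mask: bytes      # which bits of the pattern are significant
    offset: int      # byte offset from the start of the layer

    @property
    def length(self) -> int:
        return len(self.value)

    def matches(self, layer_bytes: bytes) -> bool:
        window = layer_bytes[self.offset:self.offset + self.length]
        if len(window) < self.length:
            return False                 # frame too short to contain the field
        return all((w & m) == (v & m) for w, v, m in zip(window, self.value, self.mask))


def parse_user_rule(cli: str) -> UserDefinedRule:
    """Parse the CLI form used in 4.4: 'rule deny l2 0806 ffff 12'."""
    parts = cli.split()
    if len(parts) != 6 or parts[0] != "rule":
        raise ValueError("expected: rule {permit|deny} layer value mask offset")
    action, layer, value, mask, offset = parts[1:]
    value_b, mask_b = bytes.fromhex(value), bytes.fromhex(mask)
    if len(value_b) != len(mask_b):
        raise ValueError("value and mask must have the same length")
    return UserDefinedRule(action, layer, value_b, mask_b, int(offset))


@dataclass(frozen=True)
class BasicFlowTemplate:
    name: str
    fields: FrozenSet[str]

    def accepts(self, rule_fields) -> bool:
        # every field the ACL rule matches on must be defined in the template
        return frozenset(rule_fields) <= self.fields


@dataclass(frozen=True)
class ExtendedFlowTemplate:
    name: str
    layer: str
    offset_max: int
    length_max: int

    def accepts(self, rule: UserDefinedRule) -> bool:
        return (rule.layer == self.layer
                and rule.offset <= self.offset_max
                and rule.length <= self.length_max)


def ethernet_frame(ethertype: int, payload: bytes = b"") -> bytes:
    """Constructed untagged Ethernet II frame: dst(6) src(6) type(2) payload."""
    dst = bytes.fromhex("ffffffffffff")           # constructed sample addresses
    src = bytes.fromhex("0a1b2c3d4e5f")
    return dst + src + ethertype.to_bytes(2, "big") + payload


def template_aaa_demo() -> Tuple[bool, bool]:
    """Basic template aaa (customer-cos smac customer-vlan-id) admits a rule on
    smac + customer-vlan-id but not one on sip + dport."""
    aaa = BasicFlowTemplate("aaa", frozenset({"customer-cos", "smac", "customer-vlan-id"}))
    return aaa.accepts({"smac", "customer-vlan-id"}), aaa.accepts({"sip", "dport"})


def template_bbb_demo() -> Tuple[bool, bool, bool, bool]:
    """Rule 'deny l2 0806 ffff 12' under extended template bbb (l2 12 2):
    (admitted by bbb, matches an ARP frame, matches an IPv4 frame,
    admitted by a hypothetical narrower template l2 12 1)."""
    rule = parse_user_rule("rule deny l2 0806 ffff 12")
    bbb = ExtendedFlowTemplate("bbb", "l2", 12, 2)
    narrower = ExtendedFlowTemplate("ccc", "l2", 12, 1)   # hypothetical template
    return (bbb.accepts(rule),
            rule.matches(ethernet_frame(0x0806)),           # ARP EtherType
            rule.matches(ethernet_frame(0x0800)),           # IPv4 EtherType
            narrower.accepts(rule))


if __name__ == "__main__":
    print(template_aaa_demo(), template_bbb_demo())
```

template_bbb_demo() shows why the template bounds matter: the same rule is admitted by bbb (offset 12, length 2) but refused by a template that only allows one byte at that offset, which is the situation the note in 4.2 warns about when a rule carries more information than the applied template defines.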

 
