H3C S3600 Series EPON OLT Switches Operation Manual-Release 3103-6W100

22-ACL Configuration

Table of Contents

1 ACL Overview
    Introduction to IPv4 ACL
        IPv4 ACL Classification
        IPv4 ACL Naming
        IPv4 ACL Match Order
        IPv4 ACL Step
        Effective Period of an IPv4 ACL
        IP Fragments Filtering with IPv4 ACL
    Introduction to IPv6 ACL
        IPv6 ACL Classification
        IPv6 ACL Naming
        IPv6 ACL Match Order
        IPv6 ACL Step
        Effective Period of an IPv6 ACL
2 IPv4 ACL Configuration
    Creating a Time Range
        Configuration Procedure
        Configuration Example
    Configuring a Basic IPv4 ACL
        Configuration Prerequisites
        Configuration Procedure
        Configuration Example
    Configuring an Advanced IPv4 ACL
        Configuration Prerequisites
        Configuration Procedure
        Configuration Example
    Configuring an Ethernet Frame Header ACL
        Configuration Prerequisites
        Configuration Procedure
        Configuration Example
    Copying an IPv4 ACL
        Configuration Prerequisites
        Configuration Procedure
    Displaying and Maintaining IPv4 ACLs
    IPv4 ACL Configuration Example
        Network Requirements
        Configuration Procedure
3 IPv6 ACL Configuration
    Creating a Time Range
    Configuring a Basic IPv6 ACL
        Configuration Prerequisites
        Configuration Procedure
        Configuration Example
    Configuring an Advanced IPv6 ACL
        Configuration Prerequisites
        Configuration Procedure
        Configuration Example
    Copying an IPv6 ACL
        Configuration Prerequisites
        Configuration Procedure
    Displaying and Maintaining IPv6 ACLs
    IPv6 ACL Configuration Example
        Network Requirements
        Configuration Procedure

 


ACL Overview

An access control list (ACL) is a set of rules (that is, a set of permit or deny statements) for identifying traffic based on matching criteria such as source address, destination address, and port number. The selected traffic is then permitted or rejected according to predefined security policies.

ACLs are widely used in technologies where traffic identification is desired, such as packet filtering and QoS.

 

Unless otherwise stated, ACLs refer to both IPv4 ACLs and IPv6 ACLs throughout this document.

 

When configuring ACLs, go to these sections for information you are interested in:

- Introduction to IPv4 ACL
- Introduction to IPv6 ACL

Introduction to IPv4 ACL

This section covers these topics:

- IPv4 ACL Classification
- IPv4 ACL Naming
- IPv4 ACL Match Order
- IPv4 ACL Step
- Effective Period of an IPv4 ACL
- IP Fragments Filtering with IPv4 ACL

IPv4 ACL Classification

IPv4 ACLs, identified by ACL numbers, fall into three categories, as shown in Table 1-1.

Table 1-1 IPv4 ACL categories

Category | ACL number | Matching criteria
Basic IPv4 ACL | 2000 to 2999 | Source IP address
Advanced IPv4 ACL | 3000 to 3999 | Source IP address, destination IP address, protocol carried over IP, and other Layer 3 or Layer 4 protocol header information
Ethernet frame header ACL | 4000 to 4999 | Layer 2 protocol header fields such as source MAC address, destination MAC address, 802.1p priority, and link layer protocol type

 

IPv4 ACL Naming

When creating an IPv4 ACL, you can specify a unique name for it. Afterwards, you can identify the ACL by its name.

An IPv4 ACL can have only one name. Whether to specify a name for an ACL is up to you. After creating an ACL, you cannot specify a name for it, nor can you change or remove its name.

 

The name of an IPv4 ACL must be unique among IPv4 ACLs. However, an IPv4 ACL and an IPv6 ACL can share the same name.

 

IPv4 ACL Match Order

An ACL may consist of multiple rules, each specifying different matching criteria. These criteria may overlap or conflict. The match order determines the order in which a packet is compared against the rules.

Two match orders are available for IPv4 ACLs:

- config: Packets are compared against ACL rules in the order the rules are configured.
- auto: Packets are compared against ACL rules in the depth-first match order.

The term depth-first match has different meanings for different types of ACLs:

Depth-first match for a basic IPv4 ACL

The following shows how your device performs depth-first match in a basic IPv4 ACL:

1) Sort rules by source IP address wildcard and compare packets against the rule configured with more zeros in the source IP address wildcard.
2) If two rules are present with the same number of zeros in their source IP address wildcards, compare packets against the rule configured first.

Depth-first match for an advanced IPv4 ACL

The following shows how your device performs depth-first match in an advanced IPv4 ACL:

1) Sort rules by the protocol carried over IP. A rule with no limit to the protocol type (that is, configured with the ip keyword) has the lowest precedence. Rules each of which has a single specified protocol type are of the same precedence level.
2) If the protocol types have the same precedence, look at the source IP address wildcards. Then, compare packets against the rule configured with more zeros in the source IP address wildcard.
3) If the numbers of zeros in the source IP address wildcards are the same, look at the destination IP address wildcards. Then, compare packets against the rule configured with more zeros in the destination IP address wildcard.
4) If the numbers of zeros in the destination IP address wildcards are the same, look at the Layer 4 port number ranges, namely the TCP/UDP port number ranges. Then compare packets against the rule configured with the smaller port number range.
5) If the port number ranges are the same, compare packets against the rule configured first.

Depth-first match for an Ethernet frame header ACL

The following shows how your device performs depth-first match in an Ethernet frame header ACL:

1) Sort rules by source MAC address mask first and compare packets against the rule configured with more ones in the source MAC address mask.
2) If two rules are present with the same number of ones in their source MAC address masks, look at the destination MAC address masks. Then, compare packets against the rule configured with more ones in the destination MAC address mask.
3) If the numbers of ones in the destination MAC address masks are the same, compare packets against the one configured first.

The comparison of a packet against ACL rules stops immediately after a match is found. The packet is then processed as per the rule.

IPv4 ACL Step

Meaning of the step

The step defines the difference between two neighboring numbers that are automatically assigned to ACL rules by the device. For example, with a step of 5, rules are automatically numbered 0, 5, 10, 15, and so on. By default, the step is 5.

Whenever the step changes, the rules are renumbered, starting from 0. For example, if four rules are numbered 5, 10, 15, and 20 respectively, changing the step from 5 to 2 will cause the rules to be renumbered 0, 2, 4, and 6.

Benefits of using the step

With the step and rule numbering/renumbering mechanism, you do not need to assign numbers to rules when defining them. The system will assign a newly defined rule a number that is the smallest multiple of the step bigger than the current biggest number. For example, with a step of five, if the biggest number is currently 28, the newly defined rule will get a number of 30. If the ACL has no rule defined already, the first defined rule will get a number of 0.

Another benefit of using the step is that it allows you to insert new rules between existing ones as needed. For example, after creating four rules numbered 0, 5, 10, and 15 in an ACL with a step of five, you can insert a rule numbered 1.
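The depth-first ordering described under IPv4 ACL Match Order and the step numbering rules above can be exercised together in a small model. The following Python is an added illustration written for this section, not code from the H3C manual or the switch; the Rule fields, the Acl class and the packet dictionary are this example's own assumptions, and the any keyword is modeled as address 0.0.0.0 with wildcard 255.255.255.255.

```python
"""Model of an H3C-style IPv4 ACL: rule numbering by step, plus the config and
auto (depth-first) match orders. Added illustration, not H3C code; Rule, Acl
and the packet dict are this example's own assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # how 'source any' / 'destination any' is modeled


@dataclass
class Rule:
    rule_id: int                  # number assigned by the device; reflects config order
    action: str                   # "permit" or "deny"
    protocol: str = "ip"          # "ip" = no protocol restriction (lowest precedence)
    src: Tuple[str, str] = ANY    # (address, wildcard); a basic ACL uses only this
    dst: Tuple[str, str] = ANY
    dport: Optional[Tuple[int, int]] = None   # inclusive destination port range


def zero_bits(wildcard: str) -> int:
    """Zero bits in a wildcard mask: more zeros means a more specific rule."""
    return 32 - bin(int(IPv4Address(wildcard))).count("1")


def depth_first_key(rule: Rule):
    """Sort key for match-order auto; ascending order = examined first. A basic
    ACL leaves protocol, dst and dport at their defaults, so the key reduces to
    'more source wildcard zeros first, then the rule configured first'."""
    return (1 if rule.protocol == "ip" else 0,                          # ip keyword last
            -zero_bits(rule.src[1]),                                    # more source zeros first
            -zero_bits(rule.dst[1]),                                    # more destination zeros first
            65536 if rule.dport is None else rule.dport[1] - rule.dport[0] + 1,  # smaller range first
            rule.rule_id)                                               # configured first


def addr_matches(addr: str, spec: Tuple[str, str]) -> bool:
    base, wildcard = spec
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF   # bits the rule compares
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


def rule_matches(rule: Rule, pkt: Dict) -> bool:
    if rule.protocol != "ip" and rule.protocol != pkt["proto"]:
        return False
    if not (addr_matches(pkt["src"], rule.src) and addr_matches(pkt["dst"], rule.dst)):
        return False
    if rule.dport is None:
        return True
    return pkt.get("dport") is not None and rule.dport[0] <= pkt["dport"] <= rule.dport[1]


class Acl:
    def __init__(self, number: int, match_order: str = "config", step: int = 5):
        self.number, self.match_order, self.step = number, match_order, step
        self.rules: List[Rule] = []

    def next_rule_id(self) -> int:
        """Smallest multiple of the step greater than the biggest existing ID,
        or 0 for an empty ACL (step 5 and biggest 28 give 30)."""
        if not self.rules:
            return 0
        return (max(r.rule_id for r in self.rules) // self.step + 1) * self.step

    def add_rule(self, action: str, rule_id: Optional[int] = None, **fields) -> Rule:
        """Create a rule; an explicit rule_id inserts it between existing ones."""
        rid = self.next_rule_id() if rule_id is None else rule_id
        if any(r.rule_id == rid for r in self.rules):
            raise ValueError(f"rule {rid} exists; modification is not modeled here")
        rule = Rule(rid, action, **fields)
        self.rules.append(rule)
        return rule

    def set_step(self, step: int) -> None:
        """Changing the step renumbers all rules from 0, keeping their ID order."""
        self.step = step
        for i, r in enumerate(sorted(self.rules, key=lambda r: r.rule_id)):
            r.rule_id = i * step

    def ordered_rules(self) -> List[Rule]:
        """Rules in the order the device compares a packet against them."""
        key = depth_first_key if self.match_order == "auto" else (lambda r: r.rule_id)
        return sorted(self.rules, key=key)

    def first_match(self, pkt: Dict) -> Optional[Rule]:
        """Comparison stops at the first matching rule."""
        return next((r for r in self.ordered_rules() if rule_matches(r, pkt)), None)


def build_demo_acl(match_order: str) -> Acl:
    """Constructed sample: a catch-all permit configured before two specific denies."""
    acl = Acl(3000, match_order)
    acl.add_rule("permit")                                            # rule 0: permit ip any any
    acl.add_rule("deny", protocol="tcp", src=("129.9.0.0", "0.0.255.255"),
                 dst=("202.38.160.0", "0.0.0.255"), dport=(80, 80))   # rule 5
    acl.add_rule("deny", protocol="udp", src=("129.9.0.0", "0.0.255.255"))  # rule 10
    return acl


# Constructed packet: TCP from 129.9.1.1 to 202.38.160.10 port 80. Under match-order
# config it hits rule 0 (permit); under auto the more specific rule 5 (deny) is tried first.
PKT = {"proto": "tcp", "src": "129.9.1.1", "dst": "202.38.160.10", "dport": 80}
```

The same catch-all-first configuration permits the packet under config order and denies it under auto order, which is why the match order matters when reviewing an ACL that mixes broad and narrow rules.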

Effective Period of an IPv4 ACL

You can control when a rule can take effect by referencing a time range in the rule.

A referenced time range can be one that has not been created yet. The rule, however, can take effect only after the time range is defined and becomes active.

IP Fragments Filtering with IPv4 ACL

Traditional packet filtering matches only the first fragment of a packet; all subsequent (non-first) fragments are handled the same way as the first fragment. Because attackers may fabricate non-first fragments to attack your network, this creates security risks. To address them, the device implements the following packet filtering function:

In an IPv4 ACL rule, the fragment keyword specifies that the rule applies to non-first fragment packets only, and not to non-fragment packets or first fragment packets. ACL rules without this keyword apply to both non-fragment packets and fragment packets.

Introduction to IPv6 ACL

This section covers these topics:

- IPv6 ACL Classification
- IPv6 ACL Naming
- IPv6 ACL Match Order
- IPv6 ACL Step
- Effective Period of an IPv6 ACL

IPv6 ACL Classification

IPv6 ACLs, identified by ACL numbers, fall into two categories, as shown in Table 1-2.

Table 1-2 IPv6 ACL categories

Category | ACL number | Matching criteria
Basic IPv6 ACL | 2000 to 2999 | Source IPv6 address
Advanced IPv6 ACL | 3000 to 3999 | Source IPv6 address, destination IPv6 address, protocol carried over IPv6, and other Layer 3 or Layer 4 protocol header information

 

IPv6 ACL Naming

When creating an IPv6 ACL, you can specify a unique name for it. Afterwards, you can identify the IPv6 ACL by its name.

An IPv6 ACL can have only one name. Whether to specify a name for an ACL is up to you. After creating an ACL, you cannot specify a name for it, nor can you change or remove its name.

 

The name of an IPv6 ACL must be unique among IPv6 ACLs. However, an IPv6 ACL and an IPv4 ACL can share the same name.

 

IPv6 ACL Match Order

Similar to an IPv4 ACL, an IPv6 ACL consists of multiple rules, each specifying different matching criteria. These criteria may overlap or conflict. The match order determines the order in which a packet is compared against the rules.

Two match orders are available for IPv6 ACLs:

- config: Packets are compared against ACL rules in the order the rules are configured.
- auto: Packets are compared against ACL rules in the depth-first match order.

The term depth-first match has different meanings for different types of ACLs:

Depth-first match for a basic IPv6 ACL

The following shows how your device performs depth-first match in a basic IPv6 ACL:

1) Sort rules by source IPv6 address prefix first and compare packets against the rule configured with a longer prefix for the source IPv6 address.
2) In case of a tie, compare packets against the rule configured first.

Depth-first match for an advanced IPv6 ACL

The following shows how your device performs depth-first match in an advanced IPv6 ACL:

1) Look at the protocol type field in the rules first. A rule with no limit to the protocol type (that is, configured with the ipv6 keyword) has the lowest precedence. Rules each of which has a single specified protocol type are of the same precedence level. Compare packets against the rule with the highest precedence.
2) In case of a tie, look at the source IPv6 address prefixes. Then, compare packets against the rule configured with a longer prefix for the source IPv6 address.
3) If the prefix lengths for the source IPv6 addresses are the same, look at the destination IPv6 address prefixes. Then, compare packets against the rule configured with a longer prefix for the destination IPv6 address.
4) If the prefix lengths for the destination IPv6 addresses are the same, look at the Layer 4 port number ranges, namely the TCP/UDP port number ranges. Then compare packets against the rule configured with the smaller port number range.
5) If the port number ranges are the same, compare packets against the rule configured first.

The comparison of a packet against an ACL stops immediately after a match is found. The packet is then processed as per the rule.

IPv6 ACL Step

Refer to IPv4 ACL Step.

Effective Period of an IPv6 ACL

Refer to Effective Period of an IPv4 ACL.

 


IPv4 ACL Configuration

When configuring an IPv4 ACL, go to these sections for information you are interested in:

- Creating a Time Range
- Configuring a Basic IPv4 ACL
- Configuring an Advanced IPv4 ACL
- Configuring an Ethernet Frame Header ACL
- Copying an IPv4 ACL
- Displaying and Maintaining IPv4 ACLs
- IPv4 ACL Configuration Example

Creating a Time Range

Two types of time ranges are available:

- Periodic time range, which recurs periodically on the day or days of the week.
- Absolute time range, which takes effect only in a period of time and does not recur.

Configuration Procedure

Follow these steps to create a time range:

To do: Enter system view
Command: system-view
Remarks: ––

To do: Create a time range
Command: time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }
Remarks: Required

To do: Display the configuration and status of one or all time ranges
Command: display time-range { time-range-name | all }
Remarks: Optional. Available in any view.

 

You may create a maximum of 256 time ranges.

A time range can be one of the following:

- Periodic time range created using the time-range time-range-name start-time to end-time days command. A time range thus created recurs periodically on the day or days of the week. A periodic time range is active only when the system time falls within it.
- Absolute time range created using the time-range time-range-name { from time1 date1 [ to time2 date2 ] | to time2 date2 } command. Unlike a periodic time range, a time range thus created does not recur. For example, to create an absolute time range that is active between January 1, 2004 00:00 and December 31, 2004 23:59, you may use the time-range test from 00:00 01/01/2004 to 23:59 12/31/2004 command.
- Compound time range created using the time-range time-range-name start-time to end-time days { from time1 date1 [ to time2 date2 ] | to time2 date2 } command. A time range thus created recurs on the day or days of the week only within the specified period. For example, to create a time range that is active from 12:00 to 14:00 on Wednesdays between January 1, 2004 00:00 and December 31, 2004 23:59, you may use the time-range test 12:00 to 14:00 wednesday from 00:00 01/01/2004 to 23:59 12/31/2004 command.

You may create individual time ranges identified with the same name. They are regarded as one time range whose active period is the result of ORing periodic ones, ORing absolute ones, and ANDing periodic and absolute ones.

If you do not specify the start time and date, the time range starts from the earliest time that the system supports, namely 00:00 01/01/1970. If you do not specify the end time and date, the time range ends at the latest time that the system supports, namely 24:00 12/31/2100.
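To see how statements sharing a name combine, and how the default start and end apply, here is an added Python model of time-range activity (written for this section; it is not the switch's code). It reads the combination rule as: active when any periodic part is active AND any absolute part is active, a compound statement contributing one part of each kind; only the working-day keyword and weekday names appearing in this section are modeled, and boundaries are assumed inclusive at minute granularity.

```python
"""Model of H3C time-range activity: periodic, absolute and compound statements,
and how statements sharing a name combine. Added illustration, not the switch's
code; it assumes minute granularity and inclusive boundaries."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import List, Optional, Set, Tuple

DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
EARLIEST = datetime(1970, 1, 1, 0, 0)   # default start: 00:00 01/01/1970
LATEST = datetime(2101, 1, 1, 0, 0)     # default end: 24:00 12/31/2100


def parse_days(token: str) -> Set[int]:
    """Map a days keyword to Python weekday numbers (Monday = 0)."""
    if token == "working-day":          # Monday to Friday
        return {0, 1, 2, 3, 4}
    if token in DAY_NAMES:
        return {DAY_NAMES.index(token)}
    raise ValueError(f"days keyword not modeled here: {token}")


def parse_clock(s: str) -> time:
    hour, minute = (int(x) for x in s.split(":"))
    return time(hour, minute)


def parse_stamp(clock: str, date: str) -> datetime:
    """'23:59 12/31/2004' -> datetime; '24:00' is read as the end of that day."""
    month, day, year = (int(x) for x in date.split("/"))
    if clock == "24:00":
        return datetime(year, month, day) + timedelta(days=1)
    t = parse_clock(clock)
    return datetime(year, month, day, t.hour, t.minute)


def parse_display_time(s: str) -> datetime:
    """Parse the clock and date as printed by display time-range: '13:27:32 4/16/2005'."""
    clock, date = s.split()
    hh, mm, ss = (int(x) for x in clock.split(":"))
    month, day, year = (int(x) for x in date.split("/"))
    return datetime(year, month, day, hh, mm, ss)


@dataclass
class Statement:
    periodic: Optional[Tuple[time, time, Set[int]]] = None  # (start, end, weekdays)
    absolute: Optional[Tuple[datetime, datetime]] = None   # (from, to)


def parse_statement(args: str) -> Statement:
    """Parse what follows 'time-range NAME' on the command line:
    [ start-time to end-time days ] [ from time1 date1 ] [ to time2 date2 ]."""
    tokens = args.split()
    stmt, i = Statement(), 0
    if tokens and tokens[0] not in ("from", "to"):          # periodic part present
        if len(tokens) < 4 or tokens[1] != "to":
            raise ValueError(f"bad periodic part: {args}")
        stmt.periodic = (parse_clock(tokens[0]), parse_clock(tokens[2]), parse_days(tokens[3]))
        i = 4
    start, end, has_absolute = EARLIEST, LATEST, False      # defaults when from/to are omitted
    while i < len(tokens):                                   # absolute part, if any
        if tokens[i] == "from":
            start = parse_stamp(tokens[i + 1], tokens[i + 2])
        elif tokens[i] == "to":
            end = parse_stamp(tokens[i + 1], tokens[i + 2])
        else:
            raise ValueError(f"unexpected token {tokens[i]!r} in: {args}")
        has_absolute, i = True, i + 3
    if has_absolute:
        stmt.absolute = (start, end)
    return stmt


def periodic_active(p: Tuple[time, time, Set[int]], now: datetime) -> bool:
    start, end, days = p
    return now.weekday() in days and start <= now.time() <= end


def time_range_active(statements: List[Statement], now: datetime) -> bool:
    """All statements with one name form one time range: periodic parts are ORed,
    absolute parts are ORed, and the two groups are ANDed (a group with no
    statements imposes no restriction). A compound statement contributes both."""
    periodic = [s.periodic for s in statements if s.periodic]
    absolute = [s.absolute for s in statements if s.absolute]
    periodic_ok = not periodic or any(periodic_active(p, now) for p in periodic)
    absolute_ok = not absolute or any(a[0] <= now <= a[1] for a in absolute)
    return periodic_ok and absolute_ok


# Constructed samples built from this section's own command lines.
TEST = [parse_statement("8:00 to 18:00 working-day")]
COMPOUND = [parse_statement("12:00 to 14:00 wednesday from 00:00 01/01/2004 to 23:59 12/31/2004")]
```

Evaluated at the system time shown in the configuration example that follows (13:27:32 on Saturday 4/16/2005), TEST is inactive, matching the Inactive status in the display output.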

Configuration Example

# Create a time range that is active from 8:00 to 18:00 every working day.
<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 working-day

# Verify the configuration.
[Sysname] display time-range test
Current time is 13:27:32 4/16/2005 Saturday
Time-range : test ( Inactive )
08:00 to 18:00 working-day

Configuring a Basic IPv4 ACL

Basic IPv4 ACLs match packets based on only source IP address. They are numbered from 2000 to 2999.

Configuration Prerequisites

If you want to reference a time range in a rule, define it with the time-range command first.

Configuration Procedure

Follow these steps to configure a basic IPv4 ACL:

To do: Enter system view
Command: system-view
Remarks: ––

To do: Create a basic IPv4 ACL and enter its view
Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
Remarks: Required. The default match order is config. If you specify a name for an IPv4 ACL when creating the ACL, you can use the acl name acl-name command to enter the view of the ACL later.

To do: Create or modify a rule
Command: rule [ rule-id ] { deny | permit } [ fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-range-name ] *
Remarks: Required. To create or modify multiple rules, repeat this step. Currently, the logging keyword is not supported on the S3600 series Ethernet PON OLT switches.

To do: Set the rule numbering step
Command: step step-value
Remarks: Optional. 5 by default.

To do: Configure a description for the basic IPv4 ACL
Command: description text
Remarks: Optional. By default, a basic IPv4 ACL has no ACL description.

To do: Configure a rule description
Command: rule rule-id comment text
Remarks: Optional. By default, an IPv4 ACL rule has no rule description.

 

Note that:

- After applying a QoS policy that references a basic IPv4 ACL for traffic classification, you cannot modify the rules of the ACL any more.
- You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same.
- You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.
- When the ACL match order is auto, a newly created rule will be inserted among the existing rules in the depth-first match order. Note that the IDs of the rules still remain the same.
- You can modify the match order of an ACL with the acl number acl-number [ name acl-name ] match-order { auto | config } command, but only when the ACL does not contain any rules.
- The rule specified in the rule comment command must already exist.

 

Configuration Example

# Configure IPv4 ACL 2000 to deny packets with source address 1.1.1.1.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule deny source 1.1.1.1 0

# Verify the configuration.
[Sysname-acl-basic-2000] display acl 2000
Basic ACL  2000, named -none-, 1 rule,
ACL's step is 5
 rule 0 deny source 1.1.1.1 0 (5 times matched)

Configuring an Advanced IPv4 ACL

Advanced IPv4 ACLs match packets based on source IP address, destination IP address, protocol carried over IP, and other protocol header fields, such as the TCP/UDP source port number, TCP/UDP destination port number, TCP flag, ICMP message type, and ICMP message code.

In addition, advanced IPv4 ACLs allow you to filter packets based on three priority criteria: type of service (ToS), IP precedence, and differentiated services codepoint (DSCP) priority.

Advanced IPv4 ACLs are numbered in the range 3000 to 3999. Compared with basic IPv4 ACLs, they allow more flexible and accurate filtering.

Configuration Prerequisites

If you want to reference a time range in a rule, define it with the time-range command first.

Configuration Procedure

Follow these steps to configure an advanced IPv4 ACL:

To do: Enter system view
Command: system-view
Remarks: ––

To do: Create an advanced IPv4 ACL and enter its view
Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
Remarks: Required. The default match order is config. If you specify a name for an IPv4 ACL when creating the ACL, you can use the acl name acl-name command to enter the view of the ACL later.

To do: Create or modify a rule
Command: rule [ rule-id ] { deny | permit } protocol [ { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type icmp-code | icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos ] *
Remarks: Required. To create or modify multiple rules, repeat this step. Currently, the logging keyword is not supported on the S3600 series Ethernet PON OLT switches.

To do: Set the rule numbering step
Command: step step-value
Remarks: Optional. 5 by default.

To do: Configure a description for the advanced IPv4 ACL
Command: description text
Remarks: Optional. By default, an advanced IPv4 ACL has no ACL description.

To do: Configure a rule description
Command: rule rule-id comment text
Remarks: Optional. By default, an IPv4 ACL rule has no rule description.

 

Note that:

- For an advanced IPv4 ACL to be referenced by a QoS policy for traffic classification, you cannot configure the neq and reflective keywords.
- After applying a QoS policy that references an advanced IPv4 ACL for traffic classification, you cannot modify the rules of the ACL any more.
- You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same.
- You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.
- When the ACL match order is auto, a newly created rule will be inserted among the existing rules in the depth-first match order. Note that the IDs of the rules still remain the same.
- You can modify the match order of an ACL with the acl number acl-number [ name acl-name ] match-order { auto | config } command, but only when the ACL does not contain any rules.
- The rule specified in the rule comment command must already exist.

 

Configuration Example

# Configure IPv4 ACL 3000 to permit TCP packets with the destination port number of 80 from 129.9.0.0 to 202.38.160.0.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80

# Verify the configuration.
[Sysname-acl-adv-3000] display acl 3000
Advanced ACL  3000, named -none-, 1 rule,
ACL's step is 5
 rule 0 permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www (5 times matched)

Configuring an Ethernet Frame Header ACL

Ethernet frame header ACLs match packets based on Layer 2 protocol header fields such as source MAC address, destination MAC address, 802.1p priority (VLAN priority), and link layer protocol type. They are numbered in the range 4000 to 4999.

Configuration Prerequisites

If you want to reference a time range in a rule, define it with the time-range command first.

Configuration Procedure

Follow these steps to configure an Ethernet frame header ACL:

To do: Enter system view
Command: system-view
Remarks: ––

To do: Create an Ethernet frame header ACL and enter its view
Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
Remarks: Required. The default match order is config. If you specify a name for an IPv4 ACL when creating the ACL, you can use the acl name acl-name command to enter the view of the ACL later.

To do: Create or modify a rule
Command: rule [ rule-id ] { deny | permit } [ cos vlan-pri | dest-mac dest-addr dest-mask | lsap lsap-code lsap-wildcard | source-mac sour-addr source-mask | time-range time-range-name | type type-code type-wildcard ] *
Remarks: Required. To create or modify multiple rules, repeat this step. The lsap and type keywords cannot appear in a rule at the same time.

To do: Set the rule numbering step
Command: step step-value
Remarks: Optional. 5 by default.

To do: Configure a description for the Ethernet frame header ACL
Command: description text
Remarks: Optional. By default, an Ethernet frame header ACL has no ACL description.

To do: Configure a rule description
Command: rule rule-id comment text
Remarks: Optional. By default, an Ethernet frame header ACL rule has no rule description.

 

Note that:

- For an Ethernet frame header ACL to be referenced by a QoS policy for traffic classification, you cannot configure the lsap keyword.
- After applying a QoS policy that references an Ethernet frame header ACL for traffic classification, you cannot modify the rules of the ACL any more.
- You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same.
- You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.
- When the ACL match order is auto, a newly created rule will be inserted among the existing rules in the depth-first match order. Note that the IDs of the rules still remain the same.
- You can modify the match order of an ACL with the acl number acl-number [ name acl-name ] match-order { auto | config } command, but only when the ACL does not contain any rules.
- The rule specified in the rule comment command must already exist.

 

Configuration Example

# Configure ACL 4000 to deny frames with the 802.1p priority of 3.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] rule deny cos 3

# Verify the configuration.
[Sysname-acl-ethernetframe-4000] display acl 4000
Ethernet frame ACL  4000, named -none-, 1 rule,
ACL's step is 5
rule 0 deny cos excellent-effort(5 times matched)

Copying an IPv4 ACL

This feature allows you to copy an existing IPv4 ACL to generate a new one, which is of the same type and has the same match order, rules, rule numbering step and descriptions as the source IPv4 ACL.

Configuration Prerequisites

Make sure that the source IPv4 ACL exists while the destination IPv4 ACL does not.

Configuration Procedure

Follow these steps to copy an IPv4 ACL:

To do: Enter system view
Command: system-view
Remarks: ––

To do: Copy an existing IPv4 ACL to generate a new one of the same type
Command: acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }
Remarks: Required

 

- The source IPv4 ACL and the destination IPv4 ACL must be of the same type.
- The destination ACL does not take the name of the source IPv4 ACL.

 

Displaying and Maintaining IPv4 ACLs

To do: Display information about one or all IPv4 ACLs
Command: display acl { acl-number | all | name acl-name }
Remarks: Available in any view

To do: Display the usage of ACL resources
Command: display acl resource
Remarks: Available in any view

To do: Display the configuration and status of one or all time ranges
Command: display time-range { time-range-name | all }
Remarks: Available in any view

To do: Clear statistics on one or all IPv4 ACLs
Command: reset acl counter { acl-number | all | name acl-name }
Remarks: Available in user view

 

IPv4 ACL Configuration Example

For QoS policy configuration details and the relevant commands, refer to QoS Configuration.

 

Network Requirements

As shown in Figure 2-1, an S3600 series Ethernet PON OLT switch connects two ONU devices through two interfaces (Onu 1/0/1:1 and Onu 1/0/1:2), and the ONU devices are both for connecting the hosts of end users.

Configure an ACL to forbid users from accessing the server (192.168.4.1) through ONU 1. Users of ONU 2 can access the server at any time.

Figure 2-1 Network diagram for ACL configuration

 

Configuration Procedure

1) Configure an ACL for restricting access to the server

# Create an ACL and add a rule for restricting access to the server.
<Switch> system-view
[Switch] acl number 3000
[Switch-acl-adv-3000] rule deny ip source any destination 192.168.4.1 0.0.0.0
[Switch-acl-adv-3000] quit

2) Apply the QoS policy

# Create class c_1 and configure it to deal with packets matching ACL 3000.
[Switch] traffic classifier c_1
[Switch-classifier-c_1] if-match acl 3000
[Switch-classifier-c_1] quit

# Create a traffic behavior and configure the traffic filtering action as deny.
[Switch] traffic behavior b_1
[Switch-behavior-b_1] filter deny
[Switch-behavior-b_1] quit

# Create QoS policy p_1 and configure it to use behavior b_1 for class c_1.
[Switch] qos policy p_1
[Switch-qospolicy-p_1] classifier c_1 behavior b_1
[Switch-qospolicy-p_1] quit

# Apply QoS policy p_1 to interface Onu 1/0/1:1.
[Switch] interface Onu 1/0/1:1
[Switch-Onu1/0/1:1] qos apply policy p_1 inbound

 

If it is required to forbid a certain host from accessing the server, you need to configure an Ethernet frame header ACL, using the MAC address of the host as the source MAC address for matching, configure a QoS policy to deny packets matching the ACL, and apply the QoS policy to the interface of the ONU device connecting the host.

 


IPv6 ACL Configuration

When configuring IPv6 ACLs, go to these sections for information you are interested in:

- Creating a Time Range
- Configuring a Basic IPv6 ACL
- Configuring an Advanced IPv6 ACL
- Copying an IPv6 ACL
- Displaying and Maintaining IPv6 ACLs
- IPv6 ACL Configuration Example

Creating a Time Range

Refer to Creating a Time Range.

Configuring a Basic IPv6 ACL

Basic IPv6 ACLs match packets based on only source IPv6 address. They are numbered in the range 2000 to 2999.

Configuration Prerequisites

If you want to reference a time range in a rule, define it with the time-range command first.

Configuration Procedure

Follow these steps to configure an IPv6 ACL:

To do: Enter system view
Command: system-view
Remarks: ––

To do: Create a basic IPv6 ACL and enter its view
Command: acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
Remarks: Required. The default match order is config. If you specify a name for an IPv6 ACL when creating the ACL, you can use the acl ipv6 name acl6-name command to enter the view of the ACL later.

To do: Create or modify a rule
Command: rule [ rule-id ] { deny | permit } [ fragment | logging | source { ipv6-address prefix-length | ipv6-address/prefix-length | any } | time-range time-range-name ] *
Remarks: Required. To create or modify multiple rules, repeat this step. Currently, the logging keyword is not supported on the S3600 series Ethernet PON OLT switches.

To do: Set the rule numbering step
Command: step step-value
Remarks: Optional. 5 by default.

To do: Configure a description for the basic IPv6 ACL
Command: description text
Remarks: Optional. By default, a basic IPv6 ACL has no ACL description.

To do: Configure a rule description
Command: rule rule-id comment text
Remarks: Optional. By default, an IPv6 ACL rule has no rule description.

 

Note that:

- For a basic IPv6 ACL to be referenced by a QoS policy for traffic classification, you cannot configure the fragment keyword.
- After applying a QoS policy that references a basic IPv6 ACL for traffic classification, you cannot modify the rules of the ACL any more.
- You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same.
- You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.
- When the ACL match order is auto, a newly created rule will be inserted among the existing rules in the depth-first match order. Note that the IDs of the rules still remain the same.
- You can modify the match order of an IPv6 ACL with the acl ipv6 number acl6-number [ name acl6-name ] match-order { auto | config } command, but only when the ACL does not contain any rules.
- The rule specified in the rule comment command must already exist.

 

Configuration Example

# Configure IPv6 ACL 2000 to permit IPv6 packets with the source address of 2030:5060::9050/64 and deny IPv6 packets with the source address of fe80:5060::8050/96.

<Sysname> system-view

[Sysname] acl ipv6 number 2000

[Sysname-acl6-basic-2000] rule permit source 2030:5060::9050/64

[Sysname-acl6-basic-2000] rule deny source fe80:5060::8050/96

# Verify the configuration.

[Sysname-acl6-basic-2000] display acl ipv6 2000

 Basic IPv6 ACL  2000, named -none-, 2 rules,

 ACL's step is 5

 rule 0 permit source 2030:5060::9050/64 (4 times matched)

 rule 5 deny source FE80:5060::8050/96 (5 times matched)

Configuring an Advanced IPv6 ACL

Advanced IPv6 ACLs match packets based on the source IPv6 address, destination IPv6 address, protocol carried over IPv6, and other protocol header fields such as the TCP/UDP source port number, TCP/UDP destination port number, ICMP message type, and ICMP message code.

Advanced IPv6 ACLs are numbered in the range 3000 to 3999. Compared with basic IPv6 ACLs, they allow more flexible and accurate filtering.

Configuration Prerequisites

If you want to reference a time range in a rule, define it with the time-range command first.

Configuration Procedure

Follow these steps to configure an advanced IPv6 ACL:

To do: Enter system view
Command: system-view

To do: Create an advanced IPv6 ACL and enter its view
Command: acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
Remarks: Required. The default match order is config. If you specify a name for an IPv6 ACL when creating the ACL, you can use the acl ipv6 name acl6-name command to enter the view of the ACL later.

To do: Create or modify a rule
Command: rule [ rule-id ] { deny | permit } protocol [ { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | destination { dest dest-prefix | dest/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmpv6-type { icmpv6-type icmpv6-code | icmpv6-message } | logging | source { source source-prefix | source/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name ] *
Remarks: Required. To create or modify multiple rules, repeat this step. Currently, the logging keyword is not supported on the S3600 series Ethernet PON OLT switches.

To do: Set the rule numbering step
Command: step step-value
Remarks: Optional. 5 by default.

To do: Configure a description for the advanced IPv6 ACL
Command: description text
Remarks: Optional. By default, an advanced IPv6 ACL has no ACL description.

To do: Configure a rule description
Command: rule rule-id comment text
Remarks: Optional. By default, an IPv6 ACL rule has no rule description.

Note that:

• For an advanced IPv6 ACL to be referenced by a QoS policy for traffic classification, you cannot configure the neq, fragment, and reflective keywords.
• After applying a QoS policy that references an advanced IPv6 ACL for traffic classification, you cannot modify the rules of the ACL any more.
• You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same.
• You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.
• When the ACL match order is auto, a newly created rule will be inserted among the existing rules in the depth-first match order. Note that the IDs of the rules still remain the same.
• You can modify the match order of an IPv6 ACL with the acl ipv6 number acl6-number [ name acl6-name ] match-order { auto | config } command, but only when the ACL does not contain any rules.
• The rule specified in the rule comment command must already exist.

Configuration Example

# Configure IPv6 ACL 3000 to permit TCP packets with the source address of 2030:5060::9050/64.

<Sysname> system-view

[Sysname] acl ipv6 number 3000

[Sysname-acl6-adv-3000] rule permit tcp source 2030:5060::9050/64

# Verify the configuration.

[Sysname-acl6-adv-3000] display acl ipv6 3000

 Advanced IPv6 ACL  3000, named -none-, 1 rule,

 ACL's step is 5

 rule 0 permit tcp source 2030:5060::9050/64 (5 times matched)

Copying an IPv6 ACL

This feature allows you to copy an existing IPv6 ACL to generate a new one, which is of the same type and has the same match order, rules, rule numbering step, and descriptions as the source IPv6 ACL.

Configuration Prerequisites

Make sure that the source IPv6 ACL exists while the destination IPv6 ACL does not.

Configuration Procedure

Follow these steps to copy an IPv6 ACL:

To do: Enter system view
Command: system-view

To do: Copy an existing IPv6 ACL to generate a new one of the same type
Command: acl ipv6 copy { source-acl6-number | name source-acl6-name } to { dest-acl6-number | name dest-acl6-name }
Remarks: Required.

Note that:

• The source IPv6 ACL and the destination IPv6 ACL must be of the same type.
• The destination ACL does not take the name of the source IPv6 ACL.

Displaying and Maintaining IPv6 ACLs

To do: Display information about one or all IPv6 ACLs
Command: display acl ipv6 { acl6-number | all | name acl6-name }
Remarks: Available in any view.

To do: Display the usage of ACL resources
Command: display acl resource
Remarks: Available in any view.

To do: Display the configuration and status of one or all time ranges
Command: display time-range { time-range-name | all }
Remarks: Available in any view.

To do: Clear statistics on one or all basic and advanced IPv6 ACLs
Command: reset acl ipv6 counter { acl6-number | all | name acl6-name }
Remarks: Available in user view.

IPv6 ACL Configuration Example

Network Requirements

Configure interface Onu 1/0/1:1 to deny IPv6 packets with the source IPv6 address being in the range from 4050::9000 to 4050::90FF and to permit all other packets.

Configuration Procedure

# Configure an IPv6 ACL to match IPv6 packets with the source address being in the range from 4050::9000 to 4050::90FF.

<Sysname> system-view

[Sysname] acl ipv6 number 2000

[Sysname-acl6-basic-2000] rule permit source 4050::9000/120

[Sysname-acl6-basic-2000] quit

# Create class c1 and configure it to deal with packets matching ACL 2000.

[Sysname] traffic classifier c1

[Sysname-classifier-c1] if-match acl ipv6 2000

[Sysname-classifier-c1] quit

# Create traffic behavior b1 and configure the traffic filtering action as deny.

[Sysname] traffic behavior b1

[Sysname-behavior-b1] filter deny

[Sysname-behavior-b1] quit

# Create QoS policy p1 and configure it to use behavior b1 for class c1.

[Sysname] qos policy p1

[Sysname-qospolicy-p1] classifier c1 behavior b1

[Sysname-qospolicy-p1] quit

# Apply QoS policy p1 to interface Onu 1/0/1:1.

[Sysname] interface Onu1/0/1:1

[Sysname-Onu1/0/1:1] qos apply policy p1 inbound
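The following Python model is an added illustration, not part of the H3C manual, covering both the basic IPv6 ACL example (ACL 2000 with rules 0 and 5) and the QoS filtering example above: rule IDs assigned in steps of 5, first-match lookup in config order, the hit counter shown by display acl ipv6, and the effect of filter deny on the class matched by the ACL. The names Rule, BasicAcl6 and qos_filter_deny are hypothetical, and the longest-prefix-first reading of the auto (depth-first) order is an assumption of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    action: str        # "permit" or "deny"
    source: str        # source prefix such as "4050::9000/120", or "any"
    rule_id: int
    matched: int = 0   # hit counter shown as "(n times matched)" by display acl ipv6

    def network(self) -> Optional[ipaddress.IPv6Network]:
        return None if self.source == "any" else ipaddress.IPv6Network(self.source, strict=False)

    def covers(self, addr: ipaddress.IPv6Address) -> bool:
        return self.network() is None or addr in self.network()

class BasicAcl6:
    def __init__(self, number: int, match_order: str = "config", step: int = 5):
        self.number, self.match_order, self.step = number, match_order, step
        self.rules: List[Rule] = []

    def add_rule(self, action: str, source: str, rule_id: Optional[int] = None) -> Rule:
        if any(r.action == action and r.source == source for r in self.rules):
            raise ValueError("a rule with the same permit/deny statement already exists")
        if rule_id is None:  # no ID given: smallest multiple of the step above the largest ID
            largest = max((r.rule_id for r in self.rules), default=-1)
            rule_id = 0 if largest < 0 else (largest // self.step + 1) * self.step
        self.rules.append(Rule(action, source, rule_id))
        return self.rules[-1]

    def ordered_rules(self) -> List[Rule]:
        if self.match_order == "config":
            return list(self.rules)  # tried in configuration order, first match wins
        # "auto" (depth-first) is modelled here, as an assumption, as longest source prefix
        # first with rule ID as tie-break; the rule IDs themselves are not changed.
        return sorted(self.rules, key=lambda r: (-(r.network().prefixlen if r.network() is not None else -1), r.rule_id))

    def lookup(self, src: str) -> Optional[str]:
        addr = ipaddress.IPv6Address(src)
        for rule in self.ordered_rules():
            if rule.covers(addr):
                rule.matched += 1
                return rule.action
        return None  # no rule matched

def qos_filter_deny(acl: BasicAcl6, src: str) -> str:
    # Class "if-match acl ipv6 <n>" with behavior "filter deny": packets the ACL permits
    # are class members and are dropped; all other packets are forwarded.
    return "drop" if acl.lookup(src) == "permit" else "forward"
```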


H3C reserves the right to modify its collaterals without any prior notice. For the latest information of the collaterals, please consult H3C sales or call 400 hotline.