H3C S3600 Operation Manual-Release 1602(V1.02)

25-ACL Operation

When configuring ACL, go to these sections for information you are interested in:

- ACL Overview
- ACL Configuration Task List
- Displaying and Maintaining ACL Configuration
- Examples for Upper-layer Software Referencing ACLs
- Examples for Applying ACLs to Hardware

 

- The feature of applying ACL rules to a VLAN is newly added, which is described in Applying ACL Rules to Ports in a VLAN.
- The feature of configuring VLAN information for Layer 2 ACLs is newly added, which is described in Configuring Layer 2 ACL.

 

ACL Overview

As the network scale and network traffic are increasingly growing, security control and bandwidth assignment play a more and more important role in network management. Filtering data packets can prevent a network from being accessed by unauthorized users efficiently while controlling network traffic and saving network resources. Access Control Lists (ACLs) are often used to filter packets with configured matching rules.

Upon receiving a packet, the switch compares the packet with the rules of the ACL applied on the current port to permit or discard the packet.

The rules of an ACL can be referenced by other functions that need traffic classification, such as QoS.

ACLs classify packets using a series of conditions known as rules. The conditions can be based on source addresses, destination addresses and port numbers carried in the packets.

According to their application purposes, ACLs fall into the following four types.

- Basic ACL. Rules are created based on source IP addresses only.
- Advanced ACL. Rules are created based on Layer 3 and Layer 4 information such as the source and destination IP addresses, the type of protocol carried by IP, protocol-specific features, and so on.
- Layer 2 ACL. Rules are created based on Layer 2 information such as source and destination MAC addresses, VLAN priorities, the type of Layer 2 protocol, and so on.
- User-defined ACL. An ACL of this type matches packets by comparing strings retrieved from the packets with specified strings. A rule specifies the offset in the packet header at which the switch starts the AND operation between the packet bytes and the mask; the result is then compared with the specified string.

ACL Matching Order

An ACL can contain multiple rules, each of which matches a specific type of packet. The order in which the rules of an ACL are matched therefore needs to be determined.

The rules in an ACL can be matched in one of the following two ways:

- config: rules in an ACL are matched in the order defined by the user.
- auto: rules in an ACL are matched in the order determined by the system, namely the “depth-first” rule (Layer 2 ACLs and user-defined ACLs do not support this feature).

The depth-first rule is applied differently for basic ACLs and advanced ACLs:

Depth-first match order for rules of a basic ACL

1) Range of source IP address: the smaller the source IP address range (that is, the more zeros in the wildcard mask), the higher the match priority.
2) Fragment keyword: a rule with the fragment keyword takes priority over others.
3) If the above two conditions are identical, the earlier configured rule applies.

Depth-first match order for rules of an advanced ACL

1) Protocol range: a rule that specifies the type of protocol carried by IP takes priority over others.
2) Range of source IP address: the smaller the source IP address range (that is, the more zeros in the wildcard mask), the higher the match priority.
3) Range of destination IP address: the smaller the destination IP address range (that is, the more zeros in the wildcard mask), the higher the match priority.
4) Range of Layer 4 port number, that is, TCP/UDP port number: the smaller the range, the higher the match priority.
5) Number of parameters: the more parameters a rule has, the higher the match priority.

If rule A and rule B are still the same after comparison in the above order, the weighting principles will be used in deciding their priority order. Each parameter is given a fixed weighting value. This weighting value and the value of the parameter itself will jointly decide the final matching order. Involved parameters with weighting values from high to low are icmp-type, established, dscp, tos, precedence, fragment. Comparison rules are listed below.

- The smaller the remaining weighting value, which is a fixed weighting value minus the weighting value of every parameter of the rule, the higher the match priority.
- If the parameter types are the same for multiple rules, the sum of the parameters’ weighting values of each rule determines its priority. The smaller the sum, the higher the match priority.

Ways to Apply an ACL on a Switch

Being applied to the hardware directly

In the switch, an ACL can be applied directly to hardware for packet filtering and traffic classification. In this case, the rules in an ACL are matched in the order determined by the hardware rather than the order defined in the ACL. On S3600 series Ethernet switches, the later a rule is applied, the higher its match priority.

ACLs are directly applied to hardware when they are used for:

- Implementing QoS
- Filtering the packets to be forwarded

Being referenced by upper-level software

ACLs can also be used to filter and classify the packets to be processed by software. In this case, the rules in an ACL can be matched in one of the following two ways:

- config, where rules in an ACL are matched in the order defined by the user.
- auto, where the rules in an ACL are matched in the order determined by the system, namely the “depth-first” order (Layer 2 ACLs and user-defined ACLs do not support this feature).

When applying an ACL in this way, you can specify the order in which the rules in the ACL are matched. The match order cannot be modified once it is determined, unless you delete all the rules in the ACL and define the match order.

An ACL can be referenced by upper-layer software:

- Referenced by routing policies
- Used to control Telnet, SNMP and Web login users

 

- When an ACL is directly applied to hardware for packet filtering, the switch permits packets that do not match the ACL.
- When an ACL is referenced by upper-layer software to control Telnet, SNMP and Web login users, the switch denies packets that do not match the ACL.
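To make the ordering rules concrete, here is an added Python model (not code from the H3C manual) of an advanced ACL under the three orders this section describes: config, depth-first auto, and direct hardware application where the later-applied rule wins, together with the default verdict for unmatched packets. The rule set and packets are constructed for the example; the weighting tie-break is left out because the manual gives the parameter order but not the weight values.

```python
# Added example (not from the H3C manual): a model of how an advanced ACL's
# rules are ordered under "config", "auto" (depth-first) and direct hardware
# application, and of the default verdict for packets that match no rule.
# Rule and packet values below are constructed for the example. The weighting
# tie-break (icmp-type, established, dscp, ...) is not modelled because the
# manual gives the parameter order but not the weight values.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # "any" address: every wildcard bit set


def wildcard_zero_bits(wildcard: str) -> int:
    """Zero bits in a wildcard mask; more zeros mean a narrower address range."""
    return 32 - bin(int(IPv4Address(wildcard))).count("1")


def addr_in_range(addr: str, network: str, wildcard: str) -> bool:
    """True when addr equals network on every bit the wildcard leaves as 0."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(network)) & care


@dataclass
class AdvRule:
    action: str                                   # "permit" or "deny"
    protocol: str = "ip"                          # "ip" = any IP protocol
    source: Tuple[str, str] = ANY                 # (network, wildcard)
    destination: Tuple[str, str] = ANY
    dest_port: Optional[Tuple[int, int]] = None   # inclusive TCP/UDP range
    extras: Tuple[str, ...] = ()                  # e.g. ("fragment",)

    def param_count(self) -> int:
        return ((self.protocol != "ip") + (self.source != ANY)
                + (self.destination != ANY) + (self.dest_port is not None)
                + len(self.extras))

    def matches(self, pkt: Dict) -> bool:
        if self.protocol != "ip" and self.protocol != pkt["proto"]:
            return False
        if not addr_in_range(pkt["src"], *self.source):
            return False
        if not addr_in_range(pkt["dst"], *self.destination):
            return False
        if self.dest_port is not None:
            lo, hi = self.dest_port
            if not lo <= pkt.get("dport", -1) <= hi:
                return False
        return True


def depth_first_order(rules: List[AdvRule]) -> List[AdvRule]:
    """Manual's depth-first criteria in priority order; ties keep config order."""
    def key(item):
        idx, r = item
        port_span = 65536 if r.dest_port is None else r.dest_port[1] - r.dest_port[0] + 1
        return (r.protocol == "ip",                       # protocol specified first
                -wildcard_zero_bits(r.source[1]),         # narrower source first
                -wildcard_zero_bits(r.destination[1]),    # narrower destination first
                port_span,                                # smaller port range first
                -r.param_count(),                         # more parameters first
                idx)                                      # earlier configured first
    return [r for _, r in sorted(enumerate(rules), key=key)]


def verdict(rules: List[AdvRule], pkt: Dict, order: str, default: str) -> str:
    """First matching rule decides; `default` applies when nothing matches.
    order: "config" (user order), "auto" (depth-first) or "hardware"
    (S3600 hardware: the later-applied rule has the higher priority).
    default: "permit" for hardware packet filtering, "deny" for login control."""
    if order == "config":
        ordered = rules
    elif order == "auto":
        ordered = depth_first_order(rules)
    elif order == "hardware":
        ordered = list(reversed(rules))
    else:
        raise ValueError(order)
    for r in ordered:
        if r.matches(pkt):
            return r.action
    return default


# Constructed scenario: a broad permit configured before a narrow deny.
RULES = [
    AdvRule("permit", "ip", source=("129.9.0.0", "0.0.255.255")),
    AdvRule("deny", "tcp", source=("129.9.1.0", "0.0.0.255"),
            destination=("202.38.160.0", "0.0.0.255"), dest_port=(80, 80)),
]
WEB_PKT = {"proto": "tcp", "src": "129.9.1.7", "dst": "202.38.160.5", "dport": 80}
OTHER_PKT = {"proto": "udp", "src": "10.0.0.9", "dst": "202.38.160.5", "dport": 53}

if __name__ == "__main__":
    for order in ("config", "auto", "hardware"):
        print(order, verdict(RULES, WEB_PKT, order, "permit"))
```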

 

Types of ACLs Supported by S3600 Series Ethernet Switches

The following types of ACLs are supported by S3600 series Ethernet switches:

- Basic ACL
- Advanced ACL
- Layer 2 ACL
- User-defined ACL

In addition, ACLs defined on S3600 series Ethernet switches can be applied to hardware directly or referenced by upper-layer software for packet filtering.

ACL Configuration Task List

Complete the following tasks to configure ACL:

- Configuring Time Range: Optional
- Configuring Basic ACL: Required
- Configuring Advanced ACL: Required
- Configuring Layer 2 ACL: Required
- Configuring User-defined ACL: Required
- Applying ACL Rules on Ports: Required
- Applying ACL Rules to Ports in a VLAN: Required

 

Configuring Time Range

Time ranges can be used to filter packets. You can specify a time range for each rule in an ACL. A time range-based ACL takes effect only in specified time ranges. Only after a time range is configured and the system time is within the time range, can an ACL rule take effect.

Two types of time ranges are available:

- Periodic time range, which recurs periodically on the day or days of the week.
- Absolute time range, which takes effect only in a period of time and does not recur.

 

An absolute time range on an H3C S3600 series Ethernet switch can be within the range 1970/1/1 00:00 to 2100/12/31 24:00.

 

Configuration procedure

Follow these steps to configure a time range:

1. Enter system view
   Command: system-view
2. Create a time range
   Command: time-range time-name { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date }
   Remarks: Required

 

Note that:

- If only a periodic time section is defined in a time range, the time range is active only when the system time is within the defined periodic time section. If multiple periodic time sections are defined in a time range, the time range is active only when the system time is within one of the periodic time sections.
- If only an absolute time section is defined in a time range, the time range is active only when the system time is within the defined absolute time section. If multiple absolute time sections are defined in a time range, the time range is active only when the system time is within one of the absolute time sections.
- If both a periodic time section and an absolute time section are defined in a time range, the time range is active only when the periodic time range and the absolute time range are both matched. Assume that a time range contains an absolute time section ranging from 00:00 January 1, 2004 to 23:59 December 31, 2004, and a periodic time section ranging from 12:00 to 14:00 on every Wednesday. This time range is active only when the system time is within the range from 12:00 to 14:00 on every Wednesday in 2004.
- If the start time is not specified, the time section starts at 1970/1/1 00:00 and ends on the specified end date. If the end date is not specified, the time section starts on the specified start date and ends at 2100/12/31 23:59.

Configuration example

# Define a periodic time range that spans from 8:00 to 18:00 on Monday through Friday.

<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 working-day
[Sysname] display time-range test
Current time is 13:27:32 Apr/16/2005 Saturday

Time-range : test ( Inactive )
 08:00 to 18:00 working-day

# Define an absolute time range that spans from 15:00 1/28/2006 to 15:00 1/28/2008.

<Sysname> system-view
[Sysname] time-range test from 15:00 1/28/2006 to 15:00 1/28/2008
[Sysname] display time-range test
Current time is 13:30:32 Apr/16/2005 Saturday

Time-range : test ( Inactive )
 From 15:00 Jan/28/2006 to 15:00 Jan/28/2008
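As an added example (not from the manual), the following Python code evaluates a time range under the rules stated in the notes above: periodic sections OR-ed, absolute sections OR-ed, both kinds AND-ed, with omitted bounds falling back to 1970/1/1 00:00 and 2100/12/31 23:59. The three ranges it builds are the ones this section describes; the mapping of working-day to Monday through Friday is taken from the manual's own example, and the "Current time" of the display output above is used to confirm the Inactive status.

```python
# Added example (not from the H3C manual): an evaluator for the time-range
# semantics described in the notes. Periodic sections are OR-ed together,
# absolute sections are OR-ed together, and a range holding both kinds is
# active only when a periodic section AND an absolute section both match.
# Omitted bounds fall back to 1970/1/1 00:00 and 2100/12/31 23:59.
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Set

DEFAULT_START = datetime(1970, 1, 1, 0, 0)
DEFAULT_END = datetime(2100, 12, 31, 23, 59)

# Day keywords seen on this page (Monday = 0 ... Sunday = 6); "working-day"
# is Monday through Friday as in the manual's own example.
DAY_KEYWORDS = {
    "daily": {0, 1, 2, 3, 4, 5, 6},
    "working-day": {0, 1, 2, 3, 4},
}


def hhmm(text: str) -> time:
    """Parse '8:00' / '18:00' as typed on the switch CLI."""
    hour, minute = text.split(":")
    return time(int(hour), int(minute))


@dataclass
class Periodic:
    start: time
    end: time
    days: Set[int]

    @classmethod
    def from_cli(cls, start: str, end: str, days: str) -> "Periodic":
        return cls(hhmm(start), hhmm(end), DAY_KEYWORDS[days])

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= now.time() <= self.end


@dataclass
class Absolute:
    start: Optional[datetime] = None   # None: "from" omitted
    end: Optional[datetime] = None     # None: "to" omitted

    def active(self, now: datetime) -> bool:
        return (self.start or DEFAULT_START) <= now <= (self.end or DEFAULT_END)


@dataclass
class TimeRange:
    name: str
    periodic: List[Periodic] = field(default_factory=list)
    absolute: List[Absolute] = field(default_factory=list)

    def is_active(self, now: datetime) -> bool:
        periodic_ok = not self.periodic or any(p.active(now) for p in self.periodic)
        absolute_ok = not self.absolute or any(a.active(now) for a in self.absolute)
        return periodic_ok and absolute_ok

    def status(self, now: datetime) -> str:
        """Mirror the Active/Inactive label printed by display time-range."""
        return "Active" if self.is_active(now) else "Inactive"


def example_ranges() -> dict:
    """Ranges taken from the manual's text, built for this example."""
    return {
        # time-range test 8:00 to 18:00 working-day
        "test": TimeRange("test", periodic=[Periodic.from_cli("8:00", "18:00", "working-day")]),
        # absolute year 2004 plus periodic Wednesday 12:00-14:00 (the note's example)
        "wed2004": TimeRange("wed2004",
                             periodic=[Periodic(time(12, 0), time(14, 0), {2})],
                             absolute=[Absolute(datetime(2004, 1, 1, 0, 0),
                                                datetime(2004, 12, 31, 23, 59))]),
        # "from 15:00 1/28/2006" with no "to": ends at the 2100/12/31 default
        "open": TimeRange("open", absolute=[Absolute(start=datetime(2006, 1, 28, 15, 0))]),
    }


def status_at(name: str, *ymdhm: int) -> str:
    """Status of one example range at a given year, month, day, hour, minute."""
    return example_ranges()[name].status(datetime(*ymdhm))


if __name__ == "__main__":
    # "Current time is 13:27:32 Apr/16/2005 Saturday" from the display output
    print("test:", status_at("test", 2005, 4, 16, 13, 27))   # Inactive (Saturday)
```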

Configuring Basic ACL

A basic ACL filters packets based on their source IP addresses.

A basic ACL can be numbered from 2000 to 2999.

Configuration prerequisites

- To configure a time range-based basic ACL rule, you need to create the corresponding time range first. For information about time range configuration, refer to Configuring Time Range.
- Determine the source IP addresses based on which the ACL is to filter packets.

Configuration procedure

Follow these steps to define a basic ACL rule:

1. Enter system view
   Command: system-view
2. Create an ACL and enter basic ACL view
   Command: acl number acl-number [ match-order { auto | config } ]
   Remarks: Required; config by default
3. Define an ACL rule
   Command: rule [ rule-id ] { deny | permit } [ rule-string ]
   Remarks: Required. For information about rule-string, refer to ACL Commands.
4. Configure a description string for the ACL
   Command: description text
   Remarks: Optional; not configured by default

 

Note that:

- With the config match order specified for the basic ACL, you can modify any existing rule; the unmodified part of the rule remains. With the auto match order specified for the basic ACL, you cannot modify any existing rule; otherwise the system prompts an error.
- If you do not specify the rule-id argument when creating an ACL rule, the rule is numbered automatically. If the ACL has no rules, the rule is numbered 0; otherwise, the rule number is the greatest existing rule number plus one. If the current greatest rule number is 65534, however, the system displays an error message and you need to specify a number for the rule.
- The content of a modified or created rule cannot be identical to the content of any existing rule; otherwise the rule modification or creation fails, and the system prompts that the rule already exists.
- With the auto match order specified, newly created rules are inserted among the existing ones according to the depth-first principle, but the numbers of the existing rules are unaltered.

Configuration example

# Configure ACL 2000 to deny packets whose source IP addresses are 192.168.0.1.

<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule deny source 192.168.0.1 0

# Display the configuration information of ACL 2000.

[Sysname-acl-basic-2000] display acl 2000
Basic ACL  2000, 1 rule
Acl's step is 1
rule 0 deny source 192.168.0.1 0

Configuring Advanced ACL

An advanced ACL can filter packets by their source and destination IP addresses, the protocols carried by IP, and protocol-specific features such as TCP/UDP source and destination ports, ICMP message type and message code.

An advanced ACL can be numbered from 3000 to 3999. Note that ACL 3998 and ACL 3999 cannot be configured because they are reserved for cluster management.

Advanced ACLs support analysis and processing of three packet priority levels: type of service (ToS) priority, IP priority and differentiated services codepoint (DSCP).

Using advanced ACLs, you can define classification rules that are more accurate, more abundant, and more flexible than those defined for basic ACLs.

Configuration prerequisites

- To configure a time range-based advanced ACL rule, you need to create the corresponding time ranges first. For information about time range configuration, refer to Configuring Time Range.
- Determine the settings to be specified in the rule, such as source and destination IP addresses, the protocols carried by IP, and protocol-specific features.

Configuration procedure

Follow these steps to define an advanced ACL rule:

1. Enter system view
   Command: system-view
2. Create an advanced ACL and enter advanced ACL view
   Command: acl number acl-number [ match-order { auto | config } ]
   Remarks: Required; config by default
3. Define an ACL rule
   Command: rule [ rule-id ] { permit | deny } protocol [ rule-string ]
   Remarks: Required. For information about protocol and rule-string, refer to ACL Commands.
4. Assign a description string to the ACL rule
   Command: rule rule-id comment text
   Remarks: Optional; no description by default
5. Assign a description string to the ACL
   Command: description text
   Remarks: Optional; no description by default

 

Note that:

- With the config match order specified for the advanced ACL, you can modify any existing rule; the unmodified part of the rule remains. With the auto match order specified for the ACL, you cannot modify any existing rule; otherwise the system prompts an error.
- If you do not specify the rule-id argument when creating an ACL rule, the rule is numbered automatically. If the ACL has no rules, the rule is numbered 0; otherwise, the rule number is the greatest existing rule number plus one. If the current greatest rule number is 65534, however, the system displays an error message and you need to specify a number for the rule.
- The content of a modified or created rule cannot be identical to the content of any existing rule; otherwise the rule modification or creation fails, and the system prompts that the rule already exists.
- If the ACL is created with the auto keyword specified, newly created rules are inserted among the existing ones according to the depth-first principle, but the numbers of the existing rules are unaltered.

Configuration example

# Configure ACL 3000 to permit the TCP packets sourced from the network 129.9.0.0/16 and destined for the network 202.38.160.0/24 and with the destination port number being 80.

<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80

# Display the configuration information of ACL 3000.

[Sysname-acl-adv-3000] display acl 3000
Advanced ACL  3000, 1 rule
Acl's step is 1
rule 0 permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www

Configuring Layer 2 ACL

Layer 2 ACLs filter packets according to their Layer 2 information, such as the source and destination MAC addresses, VLAN priority, and Layer 2 protocol types.

A Layer 2 ACL can be numbered from 4000 to 4999.

Configuration prerequisites

- To configure a time range-based Layer 2 ACL rule, you need to create the corresponding time ranges first. For information about time range configuration, refer to Configuring Time Range.
- Determine the settings to be specified in the rule, such as source and destination MAC addresses, VLAN priorities, and Layer 2 protocol types.

Configuration procedure

Follow these steps to define a Layer 2 ACL rule:

1. Enter system view
   Command: system-view
2. Create a Layer 2 ACL and enter Layer 2 ACL view
   Command: acl number acl-number
   Remarks: Required
3. Define an ACL rule
   Command: rule [ rule-id ] { permit | deny } rule-string
   Remarks: Required. For information about rule-string, refer to ACL Commands.
4. Assign a description string to the ACL rule
   Command: rule rule-id comment text
   Remarks: Optional; no description by default
5. Assign a description string to the ACL
   Command: description text
   Remarks: Optional; no description by default

 

Note that:

- You can modify any existing rule of a Layer 2 ACL; the unmodified part of the rule remains.
- If you do not specify the rule-id argument when creating an ACL rule, the rule is numbered automatically. If the ACL has no rules, the rule is numbered 0; otherwise, the rule number is the greatest existing rule number plus one. If the current greatest rule number is 65534, however, the system displays an error message and you need to specify a number for the rule.
- The content of a modified or created rule cannot be identical to the content of any existing rule; otherwise the rule modification or creation fails, and the system prompts that the rule already exists.

Configuration example

# Configure ACL 4000 to deny packets sourced from the MAC address 000d-88f5-97ed, destined for the MAC address 0011-4301-991e, and with their 802.1p priority being 3.

<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] rule deny cos 3 source 000d-88f5-97ed ffff-ffff-ffff dest 0011-4301-991e ffff-ffff-ffff

# Display the configuration information of ACL 4000.

[Sysname-acl-ethernetframe-4000] display acl 4000
Ethernet frame ACL  4000, 1 rule
Acl's step is 1
rule 0 deny cos excellent-effort source 000d-88f5-97ed ffff-ffff-ffff dest 0011-4301-991e ffff-ffff-ffff

Configuring User-defined ACL

A user-defined ACL filters packets by comparing specific bytes in packet headers with specified strings.

A user-defined ACL can be numbered from 5000 to 5999.

Configuration prerequisites

To configure a time range-based user-defined ACL rule, you need to define the corresponding time ranges first. For information about time range configuration, refer to Configuring Time Range.

Configuration procedure

Follow these steps to define a user-defined ACL rule:

1. Enter system view
   Command: system-view
2. Create a user-defined ACL and enter user-defined ACL view
   Command: acl number acl-number
   Remarks: Required
3. Define an ACL rule
   Command: rule [ rule-id ] { permit | deny } [ rule-string rule-mask offset ] &<1-8> [ time-range time-name ]
   Remarks: Required. For information about rule-string, refer to ACL Commands.
4. Define a comment for the ACL rule
   Command: rule rule-id comment text
   Remarks: Optional; no description by default
5. Define a description for the ACL
   Command: description text
   Remarks: Optional; no description by default

 

When configuring a rule that matches specific fields of packets, take the following two items into account:

- If VLAN-VPN is not enabled, each packet in the switch carries one VLAN tag, which is 4 bytes long.
- If VLAN-VPN is enabled on a port, each packet in the switch carries two VLAN tags, which are 8 bytes long in total.

 

Note that:

- You can modify any existing rule of a user-defined ACL. If you modify only the time range and/or action, the unmodified parts of the rule remain the same. If you modify the rule-string rule-mask offset combinations, however, the new combinations replace all of the original ones.
- If you do not specify the rule-id argument when creating an ACL rule, the rule is numbered automatically. If the ACL has no rules, the rule is numbered 0; otherwise, the rule number is the greatest existing rule number plus one. If the current greatest rule number is 65534, however, the system displays an error message and you need to specify a number for the rule.
- The content of a modified or created rule cannot be identical to the content of any existing rule; otherwise the rule modification or creation fails, and the system prompts that the rule already exists.

Configuration example

# Configure ACL 5000 to deny all TCP packets, provided that VLAN-VPN is not enabled on any port. In the ACL rule, 06 is the TCP protocol number, ff is the mask of the rule, and 27 is the protocol field offset of an internally processed IP packet.

<Sysname> system-view
[Sysname] acl number 5000
[Sysname-acl-user-5000] rule deny 06 ff 27

# Display the configuration information of ACL 5000.

[Sysname-acl-user-5000] display acl 5000
User defined ACL  5000, 1 rule
Acl's step is 1
rule 0 deny 06 ff 27

Applying ACL Rules on Ports

By applying ACL rules on ports, you can filter packets on the corresponding ports.

Configuration prerequisites

You need to define an ACL before applying it on a port. For information about defining an ACL, refer to Configuring Basic ACL, Configuring Advanced ACL, Configuring Layer 2 ACL, and Configuring User-defined ACL.

Configuration procedure

Follow these steps to apply ACL rules on a port:

1. Enter system view
   Command: system-view
2. Enter Ethernet port view
   Command: interface interface-type interface-number
3. Apply ACL rules on the port
   Command: packet-filter { inbound | outbound } acl-rule
   Remarks: Required. For information about acl-rule, refer to ACL Commands.

 

Configuration example

# Apply ACL 2000 on Ethernet 1/0/1 to filter inbound packets.

<Sysname> system-view
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] packet-filter inbound ip-group 2000

Applying ACL Rules to Ports in a VLAN

By applying ACL rules to ports in a VLAN, you can add filtering of packets on all the ports in the VLAN.

 

The ACL rules are only applied to ports that are in the VLAN at the time the packet-filter vlan command is executed. In other words:

- A port joining the VLAN later will not use the ACL rules for packet filtering.
- A port leaving the VLAN later will keep using the ACL rules for packet filtering.

 

Configuration prerequisites

Before applying ACL rules to ports in a VLAN, you need to define the related ACLs. For information about defining an ACL, refer to Configuring Basic ACL, Configuring Advanced ACL, Configuring Layer 2 ACL, and Configuring User-defined ACL.

Configuration procedure

Follow these steps to apply ACL rules to ports in a VLAN:

1. Enter system view
   Command: system-view
2. Apply ACL rules to a VLAN
   Command: packet-filter vlan vlan-id { inbound | outbound } acl-rule
   Remarks: Required. For information about acl-rule, refer to ACL Commands.

 

Configuration example

# Apply ACL 2000 to all ports of VLAN 1 in the inbound direction to filter packets.

<Sysname> system-view
[Sysname] packet-filter vlan 1 inbound ip-group 2000

Displaying and Maintaining ACL Configuration

- Display a configured ACL or all the ACLs
  Command: display acl { all | acl-number }
- Display a time range or all the time ranges
  Command: display time-range { all | time-name }
- Display information about packet filtering
  Command: display packet-filter { interface interface-type interface-number | unitid unit-id }
- Display information about ACL resources
  Command: display drv qacl_resource

These display commands are available in any view.

 

Examples for Upper-layer Software Referencing ACLs

Example for Controlling Telnet Login Users by Source IP

Network requirements

Apply an ACL to permit users with the source IP address of 10.110.100.52 to telnet to the switch.

Network diagram

Figure 1-1 Network diagram for controlling Telnet login users by source IP

 

Configuration procedure

# Define ACL 2000.

<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] quit

# Reference ACL 2000 on the VTY user interface to control Telnet login users.

[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] acl 2000 inbound

Example for Controlling Web Login Users by Source IP

Network requirements

Apply an ACL to permit Web users with the source IP address of 10.110.100.46 to log in to the switch through HTTP.

Network diagram

Figure 1-2 Network diagram for controlling Web login users by source IP

 

Configuration procedure

# Define ACL 2001.

<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule 1 permit source 10.110.100.46 0
[Sysname-acl-basic-2001] quit

# Reference ACL 2001 to control users logging in to the Web server.

[Sysname] ip http acl 2001

Examples for Applying ACLs to Hardware

Basic ACL Configuration Example

Network requirements

PC 1 and PC 2 connect to the switch through Ethernet 1/0/1. PC 1’s IP address is 10.1.1.1. Apply an ACL on Ethernet 1/0/1 to deny packets with the source IP address of 10.1.1.1 from 8:00 to 18:00 every day.

Network diagram

Figure 1-3 Network diagram for basic ACL configuration

 

Configuration procedure

# Define a periodic time range that is active from 8:00 to 18:00 every day.

<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 daily

# Define ACL 2000 to filter packets with the source IP address of 10.1.1.1.

[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 1 deny source 10.1.1.1 0 time-range test
[Sysname-acl-basic-2000] quit

# Apply ACL 2000 on Ethernet 1/0/1.

[Sysname] interface Ethernet1/0/1
[Sysname-Ethernet1/0/1] packet-filter inbound ip-group 2000

Advanced ACL Configuration Example

Network requirements

Different departments of an enterprise are interconnected through a switch. The IP address of the wage query server is 192.168.1.2. The R&D department is connected to Ethernet 1/0/1 of the switch. Apply an ACL to deny requests from the R&D department and destined for the wage server during the working hours (8:00 to 18:00).

Network diagram

Figure 1-4 Network diagram for advanced ACL configuration

 

Configuration procedure

# Define a periodic time range that is active from 8:00 to 18:00 on working days.

<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 working-day

# Define ACL 3000 to filter packets destined for the wage query server.

[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 1 deny ip destination 192.168.1.2 0 time-range test
[Sysname-acl-adv-3000] quit

# Apply ACL 3000 on Ethernet 1/0/1.

[Sysname] interface Ethernet1/0/1
[Sysname-Ethernet1/0/1] packet-filter inbound ip-group 3000

Layer 2 ACL Configuration Example

Network requirements

PC 1 and PC 2 connect to the switch through Ethernet 1/0/1. PC 1’s MAC address is 0011-0011-0011. Apply an ACL to filter packets with the source MAC address of 0011-0011-0011 and the destination MAC address of 0011-0011-0012 from 8:00 to 18:00 every day.

Network diagram

Figure 1-5 Network diagram for Layer 2 ACL

 

Configuration procedure

# Define a periodic time range that is active from 8:00 to 18:00 every day.

<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 daily

# Define ACL 4000 to filter packets with the source MAC address of 0011-0011-0011 and the destination MAC address of 0011-0011-0012.

[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] rule 1 deny source 0011-0011-0011 ffff-ffff-ffff dest 0011-0011-0012 ffff-ffff-ffff time-range test
[Sysname-acl-ethernetframe-4000] quit

# Apply ACL 4000 on Ethernet 1/0/1.

[Sysname] interface Ethernet1/0/1
[Sysname-Ethernet1/0/1] packet-filter inbound link-group 4000

User-defined ACL Configuration Example

Network requirements

As shown in Figure 1-6, PC 1 and PC 2 are connected to the switch through Ethernet 1/0/1 and Ethernet 1/0/2 respectively. They belong to VLAN 1 and access the Internet through the same gateway, which has an IP address of 192.168.0.1 (the IP address of VLAN-interface 1).

Configure a user-defined ACL to deny all ARP packets from PC 1 that use the gateway IP address as the source address from 8:00 to 18:00 every day.

Network diagram

Figure 1-6 Network diagram for user-defined ACL

 

Configuration procedure

# Define a periodic time range that is active from 8:00 to 18:00 every day.

<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 daily

# Define ACL 5000 to deny any ARP packet whose source IP address is 192.168.0.1 from 8:00 to 18:00 every day (provided that VLAN-VPN is not enabled on any port). In the ACL rule, 0806 is the ARP protocol number, ffff is the mask of the rule, 16 is the protocol type field offset of the internally processed Ethernet frame, c0a80001 is the hexadecimal form of 192.168.0.1, and 32 is the source IP address field offset of the internally processed ARP packet.

[Sysname] acl number 5000
[Sysname-acl-user-5000] rule 1 deny 0806 ffff 16 c0a80001 ffffffff 32 time-range test

# Apply ACL 5000 on Ethernet 1/0/1.

[Sysname] interface Ethernet1/0/1
[Sysname-Ethernet1/0/1] packet-filter inbound user-group 5000
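As an added example (not code from the manual), this Python model reproduces the user-defined ACL matching behind the ACL 5000 rules in Configuring User-defined ACL and in this example: each rule-string/rule-mask/offset triple is AND-ed against the internally processed frame, whose offsets assume one VLAN tag. It also shows how the offsets move when VLAN-VPN adds a second tag. The frames, MAC and IP addresses are constructed for the example.

```python
# Added example (not from the H3C manual): a model of user-defined ACL matching.
# Each "rule-string rule-mask offset" triple is AND-ed against the frame as the
# switch processes it internally, i.e. carrying one 4-byte VLAN tag (VLAN-VPN
# off) or two tags (VLAN-VPN on), so a rule written for one tag needs its
# offsets shifted by 4 on a VLAN-VPN port. All frames below are constructed.
import struct
from ipaddress import IPv4Address
from typing import List, Tuple

TCP_RULE = "06 ff 27"                                    # manual's ACL 5000 rule
ARP_FROM_GW_RULE = "0806 ffff 16 c0a80001 ffffffff 32"  # manual's ARP example


def parse_rule(rule: str) -> List[Tuple[bytes, bytes, int]]:
    """Split 'string mask offset [string mask offset ...]' into byte triples."""
    toks = rule.split()
    if not toks or len(toks) % 3:
        raise ValueError("rule must be groups of: rule-string rule-mask offset")
    triples = []
    for i in range(0, len(toks), 3):
        value, mask, offset = bytes.fromhex(toks[i]), bytes.fromhex(toks[i + 1]), int(toks[i + 2])
        if len(value) != len(mask):
            raise ValueError("rule-string and rule-mask must be the same length")
        triples.append((value, mask, offset))
    return triples


def rule_matches(rule: str, frame: bytes) -> bool:
    """True when, for every triple, (frame AND mask) equals (string AND mask)."""
    for value, mask, offset in parse_rule(rule):
        window = frame[offset:offset + len(value)]
        if len(window) < len(value):          # frame too short: cannot match
            return False
        if any((w & m) != (v & m) for w, v, m in zip(window, value, mask)):
            return False
    return True


def shift_offsets(rule: str, extra_tag_bytes: int = 4) -> str:
    """Rewrite a single-tag rule for frames that carry a second VLAN tag."""
    toks = rule.split()
    for i in range(2, len(toks), 3):
        toks[i] = str(int(toks[i]) + extra_tag_bytes)
    return " ".join(toks)


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace("-", ""))   # H3C form 0011-0011-0011


def frame(dst: str, src: str, vlan_ids: List[int], ethertype: int, payload: bytes) -> bytes:
    """Ethernet frame with one 802.1Q tag per VLAN id, as held inside the switch."""
    hdr = mac(dst) + mac(src)
    for vid in vlan_ids:
        hdr += struct.pack("!HH", 0x8100, vid)   # TPID + TCI (priority 0)
    return hdr + struct.pack("!H", ethertype) + payload


def ipv4_header(protocol: int, src: str, dst: str) -> bytes:
    """Minimal 20-byte IPv4 header; the protocol field sits at byte 9."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, protocol, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """ARP over Ethernet/IPv4; the sender IP sits at byte 14 of the ARP body."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, mac(sender_mac),
                       IPv4Address(sender_ip).packed, b"\x00" * 6,
                       IPv4Address(target_ip).packed)


# Constructed sample traffic from PC 1 on a VLAN 1 port (gateway 192.168.0.1).
TCP_ONE_TAG = frame("0011-0011-0012", "0011-0011-0011", [1], 0x0800,
                    ipv4_header(6, "192.168.0.10", "192.168.0.1"))
UDP_ONE_TAG = frame("0011-0011-0012", "0011-0011-0011", [1], 0x0800,
                    ipv4_header(17, "192.168.0.10", "192.168.0.1"))
TCP_TWO_TAGS = frame("0011-0011-0012", "0011-0011-0011", [100, 1], 0x0800,
                     ipv4_header(6, "192.168.0.10", "192.168.0.1"))
ARP_CLAIMING_GW = frame("ffff-ffff-ffff", "0011-0011-0011", [1], 0x0806,
                        arp_request("0011-0011-0011", "192.168.0.1", "192.168.0.10"))
ARP_NORMAL = frame("ffff-ffff-ffff", "0011-0011-0011", [1], 0x0806,
                   arp_request("0011-0011-0011", "192.168.0.10", "192.168.0.1"))

if __name__ == "__main__":
    print(TCP_RULE, "->", rule_matches(TCP_RULE, TCP_ONE_TAG))
    print(shift_offsets(TCP_RULE), "(VLAN-VPN) ->",
          rule_matches(shift_offsets(TCP_RULE), TCP_TWO_TAGS))
```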

Example for Applying an ACL to a VLAN

Network requirements

PC 1, PC 2 and PC 3 belong to VLAN 10 and connect to the switch through Ethernet 1/0/1, Ethernet 1/0/2 and Ethernet 1/0/3 respectively. The IP address of the database server is 192.168.1.2. Apply an ACL to deny packets from PCs in VLAN 10 to the database server from 8:00 to 18:00 on working days.

Network diagram

Figure 1-7 Network diagram for applying an ACL to a VLAN

 

Configuration procedure

# Define a periodic time range that is active from 8:00 to 18:00 on working days.

<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 working-day

# Define an ACL to deny packets destined for the database server.

[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 1 deny ip destination 192.168.1.2 0 time-range test
[Sysname-acl-adv-3000] quit

# Apply ACL 3000 to VLAN 10.

[Sysname] packet-filter vlan 10 inbound ip-group 3000

 
