Login
- Table of Contents
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 01-ACL Configuration | 209.99 KB |
Rule comments and rule range remarks
Implementing time-based ACL rules
Configuring an IPv4 advanced ACL
Configuring an IPv6 advanced ACL
Configuring an Ethernet frame header ACL
Copying a WLAN, WLAN-AP, IPv4 basic, IPv4 advanced, or Ethernet frame header ACL
Copying an IPv6 basic or IPv6 advanced ACL
Displaying and maintaining ACLs
IPv4 ACL configuration examples
IPv6 ACL configuration example
Configuring ACLs
An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number.
Overview
ACLs are primarily used for packet filtering. You can use ACLs in QoS, firewall, routing, and other feature modules for identifying traffic. The packet drop or forwarding decisions varies with the modules that use ACLs.
ACL categories
|
Category |
ACL number |
IP version |
Match criteria |
|
WLAN ACLs |
100 to 199 |
IPv4 |
WLAN's SSID |
|
WLAN-AP ACLs |
200 to 299 |
IPv4 |
MAC address and serial ID of a WLAN AP |
|
Basic ACLs |
2000 to 2999 |
IPv4 |
Source IPv4 address |
|
IPv6 |
Source IPv6 address |
||
|
Advanced ACLs |
3000 to 3999 |
IPv4 |
Source IPv4 address, destination IPv4 address, packet priority, protocol number, and other Layer 3 and Layer 4 header fields |
|
IPv6 |
Source IPv6 address, destination IPv6 address, packet priority, protocol number, and other Layer 3 and Layer 4 header fields |
||
|
Ethernet frame header ACLs |
4000 to 4999 |
IPv4 and IPv6 |
Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type |
Numbering and naming ACLs
Each ACL category has a unique range of ACL numbers. When creating an ACL, you must assign it a number. In addition, you can assign the ACL a name for ease of identification. After creating an ACL with a name, you cannot rename it or delete its name.
You cannot assign a name to a WLAN or WLAN-AP ACL.
For an IPv4 basic or advanced ACLs, its ACL number and name must be unique in IPv4, and for an IPv6 basic or advanced ACL, its ACL number and name must be unique in IPv6.
Match order
The rules in an ACL are sorted in a specific order. When a packet matches a rule, the device stops the match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting rules, the matching result and action to take depend on the rule order.
The following ACL match orders are available:
· config—Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a rule with a higher ID. If you use this approach, carefully check the rules and their order.
The match order of WLAN and WLAN-AP ACLs can only be config.
· auto—Sorts ACL rules in depth-first order. Depth-first ordering makes sure any subset of a rule is always matched before the rule. Table 1 lists the sequence of tie breakers that depth-first ordering uses to sort rules for each type of ACL.
Table 1 Sorting ACL rules in depth-first order
|
ACL category |
Sequence of tie breakers |
|
IPv4 basic ACL |
1. More 0s in the source IP address wildcard (more 0s means a narrower IP address range) 2. Rule configured earlier |
|
IPv4 advanced ACL |
1. Specific protocol number 2. More 0s in the source IP address wildcard mask 3. More 0s in the destination IP address wildcard 4. Narrower TCP/UDP service port number range 5. Rule configured earlier |
|
IPv6 basic ACL |
1. Longer prefix for the source IP address (a longer prefix means a narrower IP address range) 2. Rule configured earlier |
|
IPv6 advanced ACL |
1. Specific protocol number 2. Longer prefix for the source IPv6 address 3. Longer prefix for the destination IPv6 address 4. Narrower TCP/UDP service port number range 5. Rule configured earlier |
|
Ethernet frame header ACL |
1. More 1s in the source MAC address mask (more 1s means a smaller MAC address) 2. More 1s in the destination MAC address mask 3. Rule configured earlier |
A wildcard mask, also called an inverse mask, is a 32-bit binary and represented in dotted decimal notation. In contrast to a network mask, the 0 bits in a wildcard mask represent "do care" bits, and the 1 bits represent "don't care" bits. If the "do care" bits in an IP address are identical to the "do care" bits in an IP address criterion, the IP address matches the criterion. All "don't care" bits are ignored. The 0s and 1s in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a valid wildcard mask.
Rule comments and rule range remarks
Add a comment about an ACL rule to make it easy to understand. The rule comment appears below the rule statement.
In addition, add a rule range remark to indicate the start or end of a range of rules created for the same purpose.
Rule numbering
ACL rules can be manually numbered or automatically numbered. This section describes how automatic ACL rule numbering works.
Rule numbering step
If you do not assign an ID to the rule you are creating, the system automatically assigns it a rule ID. The rule numbering step sets the increment the system uses to automatically number rules. For example, the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are automatically numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between two rules.
By introducing a gap between rules rather than contiguously numbering them, you have the flexibility of inserting rules in an ACL. This feature is important for a config order ACL, where ACL rules are matched in ascending order of rule ID.
Automatic rule numbering and renumbering
The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step to the current highest rule ID, starting with 0.
For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10, and 12, the newly defined rule is numbered 15. If the ACL does not contain any rule, the first rule is numbered 0.
Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2, 4, 6, and 8.
Implementing time-based ACL rules
You can implement ACL rules based on the time of day by applying a time range to them. A time-based ACL rule only takes effect in any time periods specified by the time range.
The following basic types of time range are available:
· Periodic time range—Recurs periodically on a day or days of the week.
· Absolute time range—Represents only a period of time and does not recur.
You can specify a time range in ACL rules before or after you create it. However, the rules using the time range take effect only after you define the time range.
Configuration task list
|
Task |
Remarks |
|
Optional. Applicable to IPv4 and IPv6. |
|
|
Required. Configure at least one task. WLAN ACL and WLAN-AP ACL are applicable to IPv4. Basic ACL, advanced ACL, and Ethernet frame header ACL are applicable to IPv4 and IPv6. |
|
|
Optional. Applicable to IPv4 and IPv6. |
Configuring a time range
You can create a maximum of 256 time ranges, each having a maximum of 32 periodic statements and 12 absolute statements. If a time range has multiple statements, its active period is calculated as follows:
1. Combining all periodic statements.
2. Combining all absolute statements.
3. Taking the intersection of the two statement sets as the active period of the time range.
To configure a time range:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure a time range. |
time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 } |
By default, no time range exists. Repeat this command with the same time range name to create multiple statements for a time range. |
Configuring a WLAN ACL
WLAN ACLs match packets from WLAN clients based on SSIDs of WLANs.
To configure a WLAN ACL:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Create a WLAN ACL and enter its view. |
acl number acl-number |
By default, no ACL exists. WLAN ACLs are numbered in the range of 100 to 199. |
|
3. Configure a description for the WLAN ACL. |
description text |
Optional. By default, a WLAN ACL has no ACL description. |
|
4. Set the rule numbering step. |
step step-value |
Optional. The default setting is 5. |
|
5. Create or edit a rule. |
rule [ rule-id ] { deny | permit } [ ssid ssid-name ] |
By default, a WLAN ACL does not contain any rule. |
|
6. Add or edit a rule comment. |
rule rule-id comment text |
Optional. By default, no rule comments are configured. |
|
7. Add or edit a rule range remark. |
rule [ rule-id ] remark text |
Optional. By default, no rule range remarks are configured. |
Configuring a WLAN-AP ACL
WLAN-AP ACLs match APs based on MAC addresses or serial IDs of APs.
To configure a WLAN-AP ACL:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Create a WLAN-AP ACL and enter its view. |
acl number acl-number |
By default, no ACL exists. WLAN-AP ACLs are numbered in the range of 200 to 299. |
|
3. Configure a description for the WLAN-AP ACL. |
description text |
Optional. By default, a WLAN-AP ACL has no ACL description. |
|
4. Set the rule numbering step. |
step step-value |
Optional. The default setting is 5. |
|
5. Create or edit a rule. |
rule [ rule-id ] { deny | permit } [ mac mac-address mac-mask ] [ serial-id serial-id ] |
By default, a WLAN-AP ACL does not contain any rule. |
|
6. Add or edit a rule comment. |
rule rule-id comment text |
Optional. By default, no rule comments are configured. |
Configuring a basic ACL
Configuring an IPv4 basic ACL
IPv4 basic ACLs match packets based only on source IP addresses.
To configure an IPv4 basic ACL:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Create an IPv4 basic ACL and enter its view. |
acl number acl-number [ name acl-name ] [ match-order { auto | config } ] |
By default, no ACL exists. IPv4 basic ACLs are numbered in the range of 2000 to 2999. You can use the acl name acl-name command to enter the view of a named ACL. |
|
3. Configure a description for the IPv4 basic ACL. |
description text |
Optional. By default, an IPv4 basic ACL has no ACL description. |
|
4. Set the rule numbering step. |
step step-value |
Optional. The default setting is 5. |
|
5. Create or edit a rule. |
rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | time-range time-range-name ] * |
By default, an IPv4 basic ACL does not contain any rule. |
|
6. Add or edit a rule comment. |
rule rule-id comment text |
Optional. By default, no rule comments are configured. |
|
7. Add or edit a rule range remark. |
rule [ rule-id ] remark text |
Optional. By default, no rule range remarks are configured. |
Configuring an IPv6 basic ACL
IPv6 basic ACLs match packets based only on source IP addresses.
To configure an IPv6 basic ACL:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Create an IPv6 basic ACL view and enter its view. |
acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ] |
By default, no ACL exists. IPv6 basic ACLs are numbered in the range of 2000 to 2999. You can use the acl ipv6 name acl6-name command to enter the view of a named ACL. |
|
3. Configure a description for the IPv6 basic ACL. |
description text |
Optional. By default, an IPv6 basic ACL has no ACL description. |
|
4. Set the rule numbering step. |
step step-value |
Optional. The default setting is 5. |
|
5. Create or edit a rule. |
rule [ rule-id ] { deny | permit } [ routing [ type routing-type ] | source { source-address source-prefix | source-address/source-prefix | any } | time-range time-range-name ] * |
By default, an IPv6 basic ACL does not contain any rule. |
|
6. Add or edit a rule comment. |
rule rule-id comment text |
Optional. By default, no rule comments are configured. |
|
7. Add or edit a rule range remark. |
rule [ rule-id ] remark text |
Optional. By default, no rule range remarks are configured. |
Configuring an advanced ACL
Configuring an IPv4 advanced ACL
IPv4 advanced ACLs match packets based on source IP addresses, destination IP addresses, packet priorities, protocol number, and other protocol header information, such as TCP/UDP source and destination port numbers, TCP flags, ICMP message types, and ICMP message codes.
Compared to IPv4 basic ACLs, IPv4 advanced ACLs allow more flexible and accurate filtering.
To configure an IPv4 advanced ACL:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Create an IPv4 advanced ACL and enter its view. |
acl number acl-number [ name acl-name ] [ match-order { auto | config } ] |
By default, no ACL exists. IPv4 advanced ACLs are numbered in the range of 3000 to 3999. You can use the acl name acl-name command to enter the view of a named ACL. |
|
3. Configure a description for the IPv4 advanced ACL. |
description text |
Optional. By default, an IPv4 advanced ACL has no ACL description. |
|
4. Set the rule numbering step. |
step step-value |
Optional. The default setting is 5. |
|
5. Create or edit a rule. |
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | destination { dest-address dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | icmp-type { icmp-type [ icmp-code ] | icmp-message } | precedence precedence | reflective | source { source-address source-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos ] * |
By default, an IPv4 advanced ACL does not contain any rule. |
|
6. Add or edit a rule comment. |
rule rule-id comment text |
Optional. By default, no rule comments are configured. |
|
7. Add or edit a rule range remark. |
rule [ rule-id ] remark text |
Optional. By default, no rule range remarks are configured. |
Configuring an IPv6 advanced ACL
IPv6 advanced ACLs match packets based on the source IPv6 addresses, destination IPv6 addresses, packet priorities, protocol number, and other protocol header fields such as the TCP/UDP source port number, TCP/UDP destination port number, ICMPv6 message type, and ICMPv6 message code.
Compared to IPv6 basic ACLs, IPv6 advanced ACLs allow more flexible and accurate filtering.
To configure an IPv6 advanced ACL:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Create an IPv6 advanced ACL and enter its view. |
acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ] |
By default, no ACL exists. IPv6 advanced ACLs are numbered in the range of 3000 to 3999. You can use the acl ipv6 name acl6-name command to enter the view of a named ACL. |
|
3. Configure a description for the IPv6 advanced ACL. |
description text |
Optional. By default, an IPv6 advanced ACL has no ACL description. |
|
4. Set the rule numbering step. |
step step-value |
Optional. The default setting is 5. |
|
5. Create or edit a rule. |
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | destination { dest-address dest-prefix | dest-address/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | flow-label flow-label-value | icmp6-type { icmp6-type icmp6-code | icmp6-message } | routing [ type routing-type ] | source { source-address source-prefix | source-address/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name] * |
By default IPv6 advanced ACL does not contain any rule. Support for the flow-label flow-label-value option depends on the device model. For more information, see About the H3C Access Controllers Command References. |
|
6. Add or edit a rule comment. |
rule rule-id comment text |
Optional. By default, no rule comments are configured. |
|
7. Add or edit a rule range remark. |
rule [ rule-id ] remark text |
Optional. By default, no rule range remarks are configured. |
Configuring an Ethernet frame header ACL
Ethernet frame header ACLs, also called "Layer 2 ACLs," match packets based on Layer 2 protocol header fields, such as source MAC address, destination MAC address, 802.1p priority (VLAN priority), and link layer protocol type.
To configure an Ethernet frame header ACL:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Create an Ethernet frame header ACL and enter its view. |
acl number acl-number [ name acl-name ] [ match-order { auto | config } ] |
By default, no ACL exists. Ethernet frame header ACLs are numbered in the range of 4000 to 4999. You can use the acl name acl-name command to enter the view of a named Ethernet frame header ACL. |
|
3. Configure a description for the Ethernet frame header ACL. |
description text |
Optional. By default, an Ethernet frame header ACL has no ACL description. |
|
4. Set the rule numbering step. |
step step-value |
Optional. The default setting is 5. |
|
5. Create or edit a rule. |
rule [ rule-id ] { deny | permit } [ cos vlan-pri | dest-mac dest-address dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac source-address source-mask | time-range time-range-name ] * |
By default, an Ethernet frame header ACL does not contain any rule. The AC does not support the SNAP frame format. As a result, the lasp keyword configuration does not take effect. |
|
6. Add or edit a rule comment. |
rule rule-id comment text |
Optional. By default, no rule comments are configured. |
|
7. Add or edit a rule range remark. |
rule [ rule-id ] remark text |
Optional. By default, no rule range remarks are configured. |
Copying an ACL
You can create an ACL by copying an existing ACL (source ACL). The new ACL (destination ACL) has the same properties and content as the source ACL, but not the same ACL number and name.
To successfully copy an ACL, make sure:
· The destination ACL number is from the same category as the source ACL number.
· The source ACL already exists, but the destination ACL does not.
Copying a WLAN, WLAN-AP, IPv4 basic, IPv4 advanced, or Ethernet frame header ACL
|
Step |
Command |
|
1. Enter system view. |
system-view |
|
2. Copy an existing WLAN, WLAN-AP, IPv4 basic, IPv4 advanced, or Ethernet frame header ACL to create a new ACL. |
acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name } |
Copying an IPv6 basic or IPv6 advanced ACL
|
Step |
Command |
|
1. Enter system view. |
system-view |
|
2. Copy an existing IPv6 basic or IPv6 advanced ACL to create a new ACL. |
acl ipv6 copy { source-acl6-number | name source-acl6-name } to { dest-acl6-number | name dest-acl6-name } |
Displaying and maintaining ACLs
|
Task |
Command |
Remarks |
|
Display configuration and match statistics for WLAN, WLAN-AP, IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs. |
display acl { acl-number | all | name acl-name } [ | { begin | exclude | include } regular-expression ] |
Available in any view. |
|
Display configuration and match statistics for IPv6 basic and IPv6 advanced ACLs. |
display acl ipv6 { acl6-number | all | name acl6-name } [ | { begin | exclude | include } regular-expression ] |
Available in any view. |
|
Display the configuration and status of one or all time ranges. |
display time-range { time-range-name | all } [ | { begin | exclude | include } regular-expression ] |
Available in any view. |
ACL configuration examples
ACs have either 10 GE or GE interfaces. Table 2 identifies the Ethernet interfaces on different types of ACs.
If the AC is an AC module installed on a switch, make sure the internal Ethernet interface that connects the switch to the AC module has correct settings, including in particular VLAN settings.
Table 2 AC Ethernet interfaces
|
Hardware |
AC Ethernet interfaces |
|
AC modules (installed in a switch) |
|
|
LSQM1WCMD0 LSRM1WCM3A1 LSUM3WCMD0 LSUM1WCME0 |
The internal Ethernet interface that connects the AC module to the switch. |
|
Wireless switches |
|
|
WX3024E WX3010E |
The internal Ethernet interface that connects the AC engine to the switching engine. |
|
ACs |
|
|
WX6103 |
The internal Ethernet interface that connects the MPU to the switching module. |
|
WX5002V2 WX5004 WX3510E WX3540E WX5510E |
Any Ethernet interface on the AC. |
|
WX2540E WAC360 WAC361 |
Any LAN or WAN interfaces on the AC. |
|
WX5540E |
The internal Ethernet interface that connects the AC engine to the switching engine. |
IPv4 ACL configuration examples
Network requirements
A company interconnects its wireless users and servers through an access controller (AC). The wireless users connect to the wireless interface WLAN-ESS 1 of the AC to access the network. Configure an ACL to deny wireless users to access the salary server from 8:00 to 18:00 on working days.
Figure 1 Network diagram
Configuration procedure
1. Create a periodic time range from 8:00 to 18:00 on working days.
<AC> system-view
[AC] time-range trname 8:00 to 18:00 working-day
2. Define an ACL to control access to the salary server:
# Create an advanced IPv4 ACL numbered 3000 and enter its view.
[AC] acl number 3000
# Create a rule to permit packets to the salary server in the time range.
[AC-acl-adv-3000] rule 0 permit ip source any destination 192.168.1.2 0.0.0.0 time-range trname
[AC-acl-adv-3000] quit
# Apply IPv4 ACL 3000 to filter incoming packets on interface WLAN-ESS 1.
[AC] traffic classifier test
[AC-classifier-test] if-match acl 3000
[AC-classifier-test] quit
[AC] traffic behavior test
[AC-behavior-test] filter deny
[AC-behavior-test] quit
[AC] qos policy test
[AC-qospolicy-test] classifier test behavior test
[AC-qospolicy-test] quit
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] qos apply policy test inbound
IPv6 ACL configuration example
Network requirements
Perform IPv6 packet filtering in the inbound direction of interface WLAN-ESS 1 on AC to deny all IPv6 packets but those with source addresses in the range 4050::9000 to 4050::90FF.
Figure 2 Network diagram
Configuration procedure
# Create IPv6 ACL 2000, and create a rule for the ACL.
<AC> system-view
[AC] acl ipv6 number 2000
[AC-acl6-basic-2000] rule permit source 4050::9000 120
[AC-acl6-basic-2000] quit
# Configure a traffic classifier.
[AC] traffic classifier ipv6-2000
[AC-classifier-ipv6-2000] if-match acl ipv6 2000
[AC-classifier-ipv6-2000] quit
# Configure a traffic behavior.
[AC] traffic behavior deny
[AC-behavior-deny] filter deny
[AC] quit
# Configure a QoS policy.
[AC] qos policy deny2000
[AC-qospolicy-deny2000] classifier ipv6-2000 behavior deny
[AC-qospolicy-deny2000] quit
# Apply the policy to filter incoming packets on interface WLAN-ESS 1.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] qos apply policy deny2000 inbound
