Contents
Comments and remarks for rules
Configuration restrictions and guidelines
Configuring an IPv4 advanced ACL
Configuring an IPv6 advanced ACL
Configuring a user-defined ACL
Configuring the QoS and ACL resource sharing mode
Configuring the QoS and ACL resource hardware mode
Configuring packet filtering with ACLs
Applying an ACL to an interface for packet filtering
Applying an ACL to filter packets globally
Applying an ACL to a list of VLAN interfaces for packet filtering
Configuring the applicable scope of packet filtering on a VLAN interface
Configuring logging and SNMP notifications for packet filtering
Setting the packet filtering default action
Displaying and maintaining ACLs
Interface-based packet filtering configuration example
Configuring ACLs
Overview
An access control list (ACL) is a set of rules for identifying traffic based on criteria such as source IP address, destination IP address, and port number. The rules are also called permit or deny statements.
ACLs are primarily used for packet filtering. "Configuring packet filtering with ACLs" provides an example. You can use ACLs in QoS, security, routing, and other modules for identifying traffic. The packet drop or forwarding decisions depend on the modules that use ACLs.
ACL types
| Type | ACL number | IP version | Match criteria |
|---|---|---|---|
| Basic ACLs | 2000 to 2999 | IPv4 | Source IPv4 address. |
| Basic ACLs | 2000 to 2999 | IPv6 | Source IPv6 address. |
| Advanced ACLs | 3000 to 3999 | IPv4 | Source IPv4 address, destination IPv4 address, packet priority, protocol number, and other Layer 3 and Layer 4 header fields. |
| Advanced ACLs | 3000 to 3999 | IPv6 | Source IPv6 address, destination IPv6 address, packet priority, protocol number, and other Layer 3 and Layer 4 header fields. |
| Layer 2 ACLs | 4000 to 4999 | IPv4 and IPv6 | Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type. |
| User-defined ACLs | 5000 to 5999 | IPv4 and IPv6 | User specified matching patterns in protocol headers. |
Numbering and naming ACLs
When creating an ACL, you must assign it a number or name for identification. You can specify an existing ACL by its number or name. Each ACL type has a unique range of ACL numbers.
For an IPv4 basic or advanced ACL, its ACL number or name must be unique in IPv4. For an IPv6 basic or advanced ACL, its ACL number and name must be unique in IPv6. For a Layer 2 or user-defined ACL, its number or name must be globally unique.
Match order
The rules in an ACL are sorted in a specific order. When a packet matches a rule, the device stops the match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting rules, the matching result and action to take depend on the rule order.
The following ACL match orders are available:
· config—Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a rule with a higher ID. If you use this method, check the rules and their order carefully.
NOTE: The match order of user-defined ACLs can only be config.
· auto—Sorts ACL rules in depth-first order. Depth-first ordering makes sure any subset of a rule is always matched before the rule. Table 1 lists the sequence of tie breakers that depth-first ordering uses to sort rules for each type of ACL.
Table 1 Sort ACL rules in depth-first order
| ACL type | Sequence of tie breakers |
|---|---|
| IPv4 basic ACL | 1. VPN instance. 2. More 0s in the source IPv4 address wildcard (more 0s means a narrower IPv4 address range). 3. Rule configured earlier. |
| IPv4 advanced ACL | 1. VPN instance. 2. Specific protocol number. 3. More 0s in the source IPv4 address wildcard mask. 4. More 0s in the destination IPv4 address wildcard. 5. Narrower TCP/UDP service port number range. 6. Rule configured earlier. |
| IPv6 basic ACL | 1. VPN instance. 2. Longer prefix for the source IPv6 address (a longer prefix means a narrower IPv6 address range). 3. Rule configured earlier. |
| IPv6 advanced ACL | 1. VPN instance. 2. Specific protocol number. 3. Longer prefix for the source IPv6 address. 4. Longer prefix for the destination IPv6 address. 5. Narrower TCP/UDP service port number range. 6. Rule configured earlier. |
| Layer 2 ACL | 1. More 1s in the source MAC address mask (more 1s means a narrower MAC address range). 2. More 1s in the destination MAC address mask. 3. Rule configured earlier. |
A wildcard mask, also called an inverse mask, is a 32-bit binary number represented in dotted decimal notation. In contrast to a network mask, the 0 bits in a wildcard mask represent "do care" bits, and the 1 bits represent "don't care" bits. If the "do care" bits in an IP address are identical to the "do care" bits in an IP address criterion, the IP address matches the criterion. All "don't care" bits are ignored. The 0s and 1s in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a valid wildcard mask.
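The following Python is an added example, not code from the configuration guide: it models the wildcard-mask comparison described above (including a noncontiguous mask such as 0.255.0.255) and the depth-first ordering that match-order auto applies to IPv4 basic ACL rules per Table 1. The rule representation and the assumption that rules specifying a VPN instance sort first are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from itertools import count
from typing import List, Optional

# Constructed example (not from the configuration guide): wildcard-mask
# matching and depth-first ordering of IPv4 basic ACL rules.

_configured = count()  # models configuration time: lower = configured earlier


@dataclass
class BasicRule:
    """One IPv4 basic ACL rule. source=None models 'source any'."""
    action: str                          # "permit" or "deny"
    source: Optional[str] = None         # e.g. "10.1.1.0"
    wildcard: str = "0.0.0.0"            # inverse mask; 0 bits are 'do care'
    vpn_instance: Optional[str] = None
    order: int = field(default_factory=lambda: next(_configured))


def _u32(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def matches(rule: BasicRule, address: str) -> bool:
    """True if the address matches the rule's source criterion: every 'do care'
    bit (0 in the wildcard) must be identical; 'don't care' bits are ignored.
    The wildcard may be noncontiguous, e.g. 0.255.0.255."""
    if rule.source is None:
        return True
    care = ~_u32(rule.wildcard) & 0xFFFFFFFF
    return (_u32(address) & care) == (_u32(rule.source) & care)


def care_bits(rule: BasicRule) -> int:
    """Number of 0 bits in the wildcard; more 0s means a narrower range."""
    if rule.source is None:
        return 0
    return 32 - bin(_u32(rule.wildcard)).count("1")


def depth_first(rules: List[BasicRule]) -> List[BasicRule]:
    """Order rules by the Table 1 tie breakers for IPv4 basic ACLs:
    1. VPN instance (assumption here: rules that specify one sort first),
    2. more 0s in the source wildcard, 3. rule configured earlier."""
    return sorted(rules, key=lambda r: (r.vpn_instance is None, -care_bits(r), r.order))


def first_match(rules: List[BasicRule], address: str) -> Optional[str]:
    """Action of the first rule matched in depth-first order (None: no rule)."""
    for rule in depth_first(rules):
        if matches(rule, address):
            return rule.action
    return None


if __name__ == "__main__":
    # Constructed ACL: in config order the 'permit any' rule would shadow the
    # two narrower rules; depth-first order tries the narrowest rule first.
    acl = [
        BasicRule("permit"),                          # permit any, configured first
        BasicRule("deny", "10.1.1.0", "0.0.0.255"),   # a /24 block
        BasicRule("permit", "10.1.1.7", "0.0.0.0"),   # a single host inside it
    ]
    for host in ("10.1.1.7", "10.1.1.8", "192.0.2.1"):
        print(host, first_match(acl, host))
```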
Comments and remarks for rules
An ACL can have multiple rules. To identify rules, you can add a comment for each rule one by one, or add the same remark for multiple rules.
· For rules requiring different identification, you can add a comment for a particular rule or add a different comment for each rule.
· For a range of rules requiring the same identification, you can insert a remark before the start rule and a remark after the end rule. This configuration mode eliminates the need for configuring a comment for each rule one by one and improves configuration efficiency.
Rule numbering
ACL rules can be manually numbered or automatically numbered. This section describes how automatic ACL rule numbering works.
Rule numbering step
If you do not assign an ID to the rule you are creating, the system automatically assigns it a rule ID. The rule numbering step sets the increment by which the system automatically numbers rules. For example, the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are automatically numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between two rules.
By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility of inserting rules in an ACL. This feature is important for a config-order ACL, where ACL rules are matched in ascending order of rule ID.
Automatic rule numbering and renumbering
The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step to the current highest rule ID, starting with 0.
For example, if the step is 5, and there are five rules numbered 0, 5, 9, 10, and 12, the newly defined rule is numbered 15. If the ACL does not contain a rule, the first rule is numbered 0.
Whenever the step changes, the rules are renumbered, starting from 0. For example, changing the step from 5 to 2 renumbers rules 5, 10, 13, and 15 as rules 0, 2, 4, and 6.
For an ACL of the match order auto, rules are sorted in depth-first order, and are renumbered based on the match order. For example, rules are in the match order of 0, 10, and 5. Changing the numbering step to 2 renumbers rules 0, 10, and 5 (not 0, 5, and 10) as rules 0, 2, 4.
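The following Python is an added example, not code from the configuration guide: it reproduces the automatic numbering and renumbering rules above (step 5 with rules 0, 5, 9, 10 and 12 yields 15; changing the step from 5 to 2 renumbers in match order). The class name and the depth_first_key parameter, which stands in for the Table 1 comparison for match-order auto, are assumptions of this example.

```python
from typing import Any, Callable, Dict, List, Optional

# Constructed example (not from the configuration guide): rule ID bookkeeping
# for one ACL, covering automatic numbering with a step and the renumbering
# that happens whenever the step changes.


class AclRuleNumbering:
    """Tracks rule IDs only; rule bodies are opaque objects.

    For match-order auto the device orders rules by the Table 1 tie breakers.
    That comparison is supplied here as depth_first_key (assumption: a key
    function whose smaller values are matched first).
    """

    def __init__(self, step: int = 5, match_order: str = "config",
                 depth_first_key: Optional[Callable[[Any], Any]] = None):
        if step < 1:
            raise ValueError("step must be a positive integer")
        if match_order not in ("config", "auto"):
            raise ValueError("match_order must be 'config' or 'auto'")
        if match_order == "auto" and depth_first_key is None:
            raise ValueError("match-order auto needs a depth_first_key")
        self.step = step
        self.match_order = match_order
        self.depth_first_key = depth_first_key
        self.rules: Dict[int, Any] = {}   # insertion order = configuration order

    def next_rule_id(self) -> int:
        """Nearest multiple of the step above the current highest ID; 0 if empty."""
        if not self.rules:
            return 0
        return (max(self.rules) // self.step + 1) * self.step

    def add_rule(self, body: Any, rule_id: Optional[int] = None) -> int:
        """Create a rule (auto-numbered when rule_id is None) or edit an existing one."""
        if rule_id is None:
            rule_id = self.next_rule_id()
        self.rules[rule_id] = body        # an existing ID keeps its position
        return rule_id

    def match_sequence(self) -> List[int]:
        """Rule IDs in the order the device tries them."""
        if self.match_order == "config":
            return sorted(self.rules)     # ascending rule ID
        # sorted() is stable, so equal keys fall back to configuration order
        # ('rule configured earlier'), which the dict insertion order preserves.
        return sorted(self.rules, key=lambda rid: self.depth_first_key(self.rules[rid]))

    def set_step(self, new_step: int) -> Dict[int, int]:
        """Change the step and renumber every rule from 0 in match order.
        Returns the old-ID -> new-ID mapping."""
        if new_step < 1:
            raise ValueError("step must be a positive integer")
        mapping = {old: i * new_step for i, old in enumerate(self.match_sequence())}
        self.rules = {mapping[old]: body for old, body in self.rules.items()}
        self.step = new_step
        return mapping


if __name__ == "__main__":
    acl = AclRuleNumbering(step=5)
    for rid in (0, 5, 9, 10, 12):
        acl.add_rule(f"rule {rid}", rule_id=rid)
    print("auto-assigned ID:", acl.add_rule("new rule"))     # 15
    print("renumbered:", acl.set_step(2))
```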
Fragment filtering with ACLs
Traditional packet filtering matches only first fragments of packets, and allows all subsequent non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks.
To avoid risks, the ACL feature is designed as follows:
· Filters all fragments by default, including non-first fragments.
· Allows for matching criteria modification for efficiency. For example, you can configure the ACL to filter only non-first fragments.
Configuration restrictions and guidelines
Follow these restrictions and guidelines when you configure an ACL:
· If you create a numbered ACL, you can enter the view of the ACL by using any of the following commands:
    - acl [ ipv6 ] name acl-name (only for basic and advanced ACLs).
    - acl [ ipv6 ] number acl-number.
    - acl { [ ipv6 ] { advanced | basic } | mac | user-defined } acl-number.
· If you create a named ACL by using the acl { [ ipv6 ] { advanced | basic } | mac | user-defined } name acl-name command, you can enter the view of the ACL by using either of the following commands:
    - acl [ ipv6 ] name acl-name (only for basic and advanced ACLs).
    - acl { [ ipv6 ] { advanced | basic } | mac | user-defined } name acl-name.
Configuration task list
Tasks at a glance:
· (Required.) Configure ACLs according to the characteristics of the packets to be matched:
    - Configuring an IPv4 basic ACL
    - Configuring an IPv6 basic ACL
    - Configuring an IPv4 advanced ACL
· (Optional.) Copying an ACL
· (Optional.) Configuring the QoS and ACL resource sharing mode
· (Optional.) Configuring the QoS and ACL resource hardware mode
· (Optional.) Configuring packet filtering with ACLs
Configuring a basic ACL
This section describes procedures for configuring IPv4 and IPv6 basic ACLs.
About basic ACLs
Basic ACLs match packets based only on source IP addresses.
Basic ACLs can be used in the following scenarios:
· To improve security when the device acts as an FTP or TFTP server, you can use basic ACLs to allow only matching clients to access the server. For more information, see FTP and TFTP configuration in Fundamentals Configuration Guide.
· In a multicast scenario, you can use basic ACLs in a multicast source policy to receive or forward only matching multicast packets. For more information about multicast source policy, see PIM configuration and IPv6 PIM configuration in IP Multicast Configuration Guide.
· To filter routes in a routing policy, you can use basic ACLs to receive or send matching routes. For more information about routing policy, see Layer 3—IP Routing Configuration Guide.
· To take different QoS actions on different traffic types, you can use basic ACLs to classify traffic. For more information about traffic classes, see "Configuring QoS."
Configuring an IPv4 basic ACL
IPv4 basic ACLs match packets based only on source IP addresses.
To configure an IPv4 basic ACL:
1. Enter system view.
   Command: system-view
2. Create an IPv4 basic ACL and enter its view.
   Command (either form):
   · acl basic { acl-number | name acl-name } [ match-order { auto | config } ]
   · acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
   Remarks: By default, no ACLs exist. The value range for a numbered IPv4 basic ACL is 2000 to 2999. Use the acl number acl-number or acl basic acl-number command to create a numbered IPv4 basic ACL. Use the acl name acl-name or acl basic name acl-name command to enter the view of a named IPv4 basic ACL. The acl name acl-name command can be used to enter the view of only an IPv4 basic or advanced ACL. Use the acl number acl-number or acl basic acl-number command to enter the view of a numbered IPv4 basic ACL.
3. (Optional.) Configure a description for the IPv4 basic ACL.
   Command: description text
   Remarks: By default, an IPv4 basic ACL does not have a description.
4. (Optional.) Set the rule numbering step.
   Command: step step-value
   Remarks: The default setting is 5.
5. Create or edit a rule.
   Command: rule [ rule-id ] { deny | permit } [ counting | fragment | [ flow-logging | logging ] | source { source-address source-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
   Remarks: By default, no IPv4 basic ACL rules exist. The flow-logging and logging keywords take effect only when the module (for example, packet filtering) that uses the ACL supports logging. The vpn-instance vpn-instance-name option is not supported in the outbound direction.
6. (Optional.) Add or edit a rule comment.
   Command: rule rule-id comment text
   Remarks: By default, no rule comment is configured.
7. (Optional.) Add a rule remark.
   Command: rule [ rule-id ] remark text
   Remarks: By default, no rule remark is configured.
Configuring an IPv6 basic ACL
IPv6 basic ACLs match packets based only on source IP addresses.
To configure an IPv6 basic ACL:
1. Enter system view.
   Command: system-view
2. Create an IPv6 basic ACL and enter its view.
   Command (either form):
   · acl ipv6 basic { acl-number | name acl-name } [ match-order { auto | config } ]
   · acl ipv6 number acl-number [ name acl-name ] [ match-order { auto | config } ]
   Remarks: By default, no ACLs exist. The value range for a numbered IPv6 basic ACL is 2000 to 2999. Use the acl ipv6 number acl-number or acl ipv6 basic acl-number command to create a numbered IPv6 basic ACL. Use the acl ipv6 name acl-name or acl ipv6 basic name acl-name command to enter the view of a named IPv6 basic ACL. The acl ipv6 name acl-name command can be used to enter the view of only an IPv6 basic or advanced ACL. Use the acl ipv6 number acl-number or acl ipv6 basic acl-number command to enter the view of a numbered IPv6 basic ACL.
3. (Optional.) Configure a description for the IPv6 basic ACL.
   Command: description text
   Remarks: By default, an IPv6 basic ACL does not have a description.
4. (Optional.) Set the rule numbering step.
   Command: step step-value
   Remarks: The default setting is 5.
5. Create or edit a rule.
   Command: rule [ rule-id ] { deny | permit } [ counting | [ flow-logging | logging ] | routing | source { source-address source-prefix | source-address/source-prefix | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
   Remarks: By default, no IPv6 basic ACL rules exist. The flow-logging and logging keywords take effect only when the module (for example, packet filtering) that uses the ACL supports logging. If an IPv6 basic ACL is used for outbound QoS traffic classification or outbound packet filtering, do not specify the routing keyword. The vpn-instance vpn-instance-name option is not supported in the outbound direction.
6. (Optional.) Add or edit a rule comment.
   Command: rule rule-id comment text
   Remarks: By default, no rule comment is configured.
7. (Optional.) Add a rule remark.
   Command: rule [ rule-id ] remark text
   Remarks: By default, no rule remark is configured.
Configuring an advanced ACL
This section describes procedures for configuring IPv4 and IPv6 advanced ACLs.
About advanced ACLs
Advanced ACLs can be used in the following scenarios:
· When the device acts as an FTP or TFTP server, you can use advanced ACLs to allow only matching clients to access the server. For more information, see FTP and TFTP configuration in Fundamentals Configuration Guide.
· In a multicast scenario, you can use advanced ACLs in a multicast source policy to receive or forward only matching multicast packets. For more information about multicast source policy, see PIM configuration and IPv6 PIM configuration in IP Multicast Configuration Guide.
· To filter routes in a routing policy, you can use advanced ACLs to receive or send matching routes. For more information about routing policy, see Layer 3—IP Routing Configuration Guide.
· To take different QoS actions on different traffic types, you can use advanced ACLs to classify traffic. For more information about traffic classification see "Configuring QoS."
Configuring an IPv4 advanced ACL
IPv4 advanced ACLs match packets based on the following criteria:
· Source IP addresses.
· Destination IP addresses.
· Packet priorities.
· Protocol numbers.
· Other protocol header information, such as TCP/UDP source and destination port numbers, TCP flags, ICMP message types, and ICMP message codes.
Compared to IPv4 basic ACLs, IPv4 advanced ACLs allow more flexible and accurate filtering.
To configure an IPv4 advanced ACL:
1. Enter system view.
   Command: system-view
2. Create an IPv4 advanced ACL and enter its view.
   Command (either form):
   · acl advanced { acl-number | name acl-name } [ match-order { auto | config } ]
   · acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
   Remarks: By default, no ACLs exist. The value range for a numbered IPv4 advanced ACL is 3000 to 3999. Use the acl number acl-number or acl advanced acl-number command to create a numbered IPv4 advanced ACL. Use the acl name acl-name or acl advanced name acl-name command to enter the view of a named IPv4 advanced ACL. The acl name acl-name command can be used to enter the view of only an IPv4 basic or advanced ACL. Use the acl number acl-number or acl advanced acl-number command to enter the view of a numbered IPv4 advanced ACL.
3. (Optional.) Configure a description for the IPv4 advanced ACL.
   Command: description text
   Remarks: By default, an IPv4 advanced ACL does not have a description.
4. (Optional.) Set the rule numbering step.
   Command: step step-value
   Remarks: The default setting is 5.
5. Create or edit a rule.
   Command (choose the form needed):
   · Create or edit a rule for matching non-VXLAN packets.
   · Create or edit a rule for matching VXLAN packets.
   Remarks: By default, no IPv4 advanced ACL rules exist. The flow-logging and logging keywords take effect only when the module (for example, packet filtering) that uses the ACL supports logging. If an IPv4 advanced ACL is used for outbound QoS traffic classification or outbound packet filtering, do not specify the qos-local-id local-id-value option. The vpn-instance vpn-instance-name option is not supported in the outbound direction. The inner header information of VXLAN packets can be matched only in the inbound direction. When the rule [ rule-id ] { deny | permit } command is used in a VXLAN network, an edge device matches the outer header information only if no inner header information is matched on other interface modules. A core device supports only matching the outer header information.
6. (Optional.) Add or edit a rule comment.
   Command: rule rule-id comment text
   Remarks: By default, no rule comment is configured.
7. (Optional.) Add a rule remark.
   Command: rule [ rule-id ] remark text
   Remarks: By default, no rule remark is configured.
Configuring an IPv6 advanced ACL
IPv6 advanced ACLs match packets based on the following criteria:
· Source IPv6 addresses.
· Destination IPv6 addresses.
· Packet priorities.
· Protocol numbers.
· Other protocol header fields such as the TCP/UDP source port number, TCP/UDP destination port number, ICMPv6 message type, and ICMPv6 message code.
Compared to IPv6 basic ACLs, IPv6 advanced ACLs allow more flexible and accurate filtering.
The following modules do not support applying an ACL rule that matches both the 5-tuple and port number (with the eq operator) of IPv6 packets. To solve this problem, you can match the port number of IPv6 packets with the range operator.
· EC interface modules
· SA interface modules: LSQM2GP24SA0, LSQM2GP24TSSA0, LSQM2GP48SA0, LSQM2GT48SA0, LSQM4GV48SA0, LSQM1TGS16GPSA0
· SC interface modules: LSQM2GP24TSSC0, LSQM2GP44TSSC0, LSQM2GT24PTSSC0, LSQM2GT24TSSC0, LSQM2GT48SC0, LSQM3GP44TSSC0, LSQM4GV48SC0
To configure an IPv6 advanced ACL:
1. Enter system view.
   Command: system-view
2. Create an IPv6 advanced ACL and enter its view.
   Command (either form):
   · acl ipv6 advanced { acl-number | name acl-name } [ match-order { auto | config } ]
   · acl ipv6 number acl-number [ name acl-name ] [ match-order { auto | config } ]
   Remarks: By default, no ACLs exist. The value range for a numbered IPv6 advanced ACL is 3000 to 3999. Use the acl ipv6 number acl-number or acl ipv6 advanced acl-number command to create a numbered IPv6 advanced ACL. Use the acl ipv6 name acl-name or acl ipv6 advanced name acl-name command to enter the view of a named IPv6 advanced ACL. The acl ipv6 name acl-name command can be used to enter the view of only an IPv6 basic or advanced ACL. Use the acl ipv6 number acl-number or acl ipv6 advanced acl-number command to enter the view of a numbered IPv6 advanced ACL.
3. (Optional.) Configure a description for the IPv6 advanced ACL.
   Command: description text
   Remarks: By default, an IPv6 advanced ACL does not have a description.
4. (Optional.) Set the rule numbering step.
   Command: step step-value
   Remarks: The default setting is 5.
5. Create or edit a rule.
   Command (choose the options to configure as needed):
   · Create or edit a rule for matching non-encapsulated packets.
   · Create or edit a rule for matching IPv4 VXLAN packets.
   · Create or edit a rule for matching IPv6 VXLAN packets.
   Remarks: By default, no IPv6 advanced ACL rules exist. The flow-logging and logging keywords take effect only when the module (for example, packet filtering) that uses the ACL supports logging. If an IPv6 advanced ACL is used for outbound QoS traffic classification or outbound packet filtering, do not specify the qos-local-id local-id-value, routing, or hop-by-hop parameter. The vpn-instance vpn-instance-name option is not supported in the outbound direction. The following outer header information is not supported for matching IPv4 VXLAN packets:
   · Outer source IP address.
   · Outer destination IP address.
   · Outer source port number.
   · Outer destination port number.
   Both outer and inner packet information is supported for matching IPv6 VXLAN packets.
6. (Optional.) Add or edit a rule comment.
   Command: rule rule-id comment text
   Remarks: By default, no rule comment is configured.
7. (Optional.) Add a rule remark.
   Command: rule [ rule-id ] remark text
   Remarks: By default, no rule remark is configured.
Configuring a Layer 2 ACL
Layer 2 ACLs can be used in the following scenarios:
· To improve security when the device acts as a Telnet server, you can use basic ACLs to allow only matching clients to access the server. For more information, see login management in Fundamentals Configuration Guide.
· To take different QoS actions on different traffic types, you can use basic ACLs to classify traffic. For more information about traffic classes, see "Configuring QoS."
Layer 2 ACLs, also called Ethernet frame header ACLs, match packets based on Layer 2 Ethernet header fields, such as:
· Source MAC address.
· Destination MAC address.
· 802.1p priority (VLAN priority).
· Link layer protocol type.
To configure a Layer 2 ACL:
1. Enter system view.
   Command: system-view
2. Create a Layer 2 ACL and enter its view.
   Command (either form):
   · acl mac { acl-number | name acl-name } [ match-order { auto | config } ]
   · acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
   Remarks: By default, no ACLs exist. The value range for a numbered Layer 2 ACL is 4000 to 4999. Use the acl number acl-number or acl mac acl-number command to create a numbered Layer 2 ACL. Use the acl number acl-number or acl mac acl-number command to enter the view of a numbered Layer 2 ACL. Use the acl mac name acl-name command to enter the view of a named Layer 2 ACL.
3. (Optional.) Configure a description for the Layer 2 ACL.
   Command: description text
   Remarks: By default, a Layer 2 ACL does not have a description.
4. (Optional.) Set the rule numbering step.
   Command: step step-value
   Remarks: The default setting is 5.
5. Create or edit a rule.
   Command (choose the form needed):
   · Create or edit a rule for matching non-VXLAN packets.
   · Create or edit a rule for matching VXLAN packets.
   Remarks: By default, no Layer 2 ACL rules exist. When the rule [ rule-id ] { deny | permit } command is used in a VXLAN network, an edge device matches the outer header information only if no inner header information is matched on other interface modules. A core device supports only matching the outer header information. Both outer and inner packet information is supported for matching VXLAN packets.
6. (Optional.) Add or edit a rule comment.
   Command: rule rule-id comment text
   Remarks: By default, no rule comment is configured.
7. (Optional.) Add a rule remark.
   Command: rule [ rule-id ] remark text
   Remarks: By default, no rule remark is configured.
Configuring a user-defined ACL
User-defined ACLs allow you to customize rules based on information in protocol headers. A rule specifies a number of bytes at an offset (relative to the specified header); those bytes are ANDed with a match pattern mask and the result is compared against the match pattern.
To configure a user-defined ACL:
1. Enter system view.
   Command: system-view
2. Create a user-defined ACL and enter its view.
   Command (either form):
   · acl user-defined { acl-number | name acl-name }
   · acl number acl-number [ name acl-name ]
   Remarks: By default, no ACLs exist. The value range for a numbered user-defined ACL is 5000 to 5999. Use the acl number acl-number or acl user-defined acl-number command to create a numbered user-defined ACL. Use the acl number acl-number or acl user-defined acl-number command to enter the view of a numbered user-defined ACL. Use the acl user-defined name acl-name command to enter the view of a named user-defined ACL.
3. (Optional.) Configure a description for the user-defined ACL.
   Command: description text
   Remarks: By default, a user-defined ACL does not have a description.
4. Create or edit a rule.
   Command (execute at least one of the following):
   · rule [ rule-id ] { deny | permit } [ { l2 rule-string rule-mask offset }&<1-8> ] [ counting | time-range time-range-name ] *
   · rule [ rule-id ] { deny | permit } [ ipv6-protocol ] protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | destination { dest-address dest-wildcard | any | microsegment microsegment-id [ mask-length mask-length ] } | destination-port { operator port1 [ port2 ] } | { { precedence precedence | tos tos } * | { precedence precedence | ecn ecn } * | { dscp dscp | ecn ecn } * } | source { source-address source-wildcard | any | microsegment microsegment-id [ mask-length mask-length ] } | source-port { operator port1 [ port2 ] } | vpn-instance vpn-instance-name ] * [ { l2 rule-string rule-mask offset }&<1-8> ] [ counting | time-range time-range-name ] *
   · rule [ rule-id ] { deny | permit } dual-stack { tcp | udp } [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | destination { any | microsegment microsegment-id [ mask-length mask-length ] } | destination-port { operator port1 [ port2 ] } | source { any | microsegment microsegment-id [ mask-length mask-length ] } | source-port { operator port1 [ port2 ] } | vpn-instance vpn-instance-name ] * [ counting | time-range time-range-name ] *
   Remarks: By default, no user-defined ACL rules exist. Only the LSQM1SRP4Y06A0 MPU supports the l4 keyword. The Layer 4 header offsetting does not support matching packets with an IP header followed by a TCP, UDP, GRE, or IPv6 extension header.
5. (Optional.) Add or edit a rule comment.
   Command: rule rule-id comment text
   Remarks: By default, no rule comment is configured.
6. (Optional.) Add a rule remark.
   Command: rule [ rule-id ] remark text
   Remarks: By default, no rule remark is configured.
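The following Python is an added example, not code from the configuration guide: it performs the comparison a user-defined ACL rule describes (bytes at an offset ANDed with rule-mask, compared with rule-string) and evaluates a constructed rule against constructed frames. Assumptions of the example: offsets are taken from the start of the Ethernet header (as for the l2 keyword), all patterns of a rule must match, and the frame builder and class names are invented for the demonstration.

```python
import struct
from typing import List, Tuple

# Constructed example (not from the configuration guide): the byte-pattern
# comparison behind a user-defined ACL rule. Offsets are relative to the
# Layer 2 header (l2 keyword); all patterns in a rule must match (assumption).

Pattern = Tuple[bytes, bytes, int]   # (rule-string, rule-mask, offset)


def pattern_matches(frame: bytes, rule_string: bytes, rule_mask: bytes, offset: int) -> bool:
    """(frame[offset:offset+n] & rule_mask) == (rule_string & rule_mask)."""
    if len(rule_string) != len(rule_mask):
        raise ValueError("rule-string and rule-mask must have the same length")
    window = frame[offset:offset + len(rule_mask)]
    if len(window) < len(rule_mask):
        return False                   # frame too short to contain the field
    return all((w & m) == (s & m) for w, s, m in zip(window, rule_string, rule_mask))


class UserDefinedRule:
    """One rule of a user-defined ACL: an action plus 1 to 8 patterns."""

    def __init__(self, action: str, patterns: List[Pattern]):
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if not 1 <= len(patterns) <= 8:    # &<1-8> in the command syntax
            raise ValueError("a rule carries 1 to 8 patterns")
        self.action = action
        self.patterns = patterns

    def matches(self, frame: bytes) -> bool:
        return all(pattern_matches(frame, s, m, o) for s, m, o in self.patterns)


def build_frame(ip_protocol: int, dst_port: int) -> bytes:
    """Constructed untagged Ethernet + IPv4 header + 20-byte transport header."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, ip_protocol, 0,
                     bytes([10, 1, 1, 7]), bytes([10, 1, 2, 9]))
    l4 = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return eth + ip + l4


# Constructed rule: deny IPv4 TCP segments to destination port 23 (Telnet),
# as three patterns: EtherType at frame offset 12, IP protocol at 23,
# TCP destination port at 36 (14-byte Ethernet + 20-byte IPv4 header + 2).
TELNET_DENY = UserDefinedRule("deny", [
    (b"\x08\x00", b"\xff\xff", 12),
    (b"\x06", b"\xff", 23),
    (b"\x00\x17", b"\xff\xff", 36),
])


def filter_action(frame: bytes, rules: List[UserDefinedRule], default: str = "permit") -> str:
    """Action of the first matching rule; the default applies when none matches."""
    for rule in rules:
        if rule.matches(frame):
            return rule.action
    return default


if __name__ == "__main__":
    for proto, port in ((6, 23), (6, 22), (17, 23)):
        print(proto, port, filter_action(build_frame(proto, port), [TELNET_DENY]))
```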
Copying an ACL
You can create an ACL by copying an existing ACL (source ACL). The new ACL (destination ACL) has the same properties and content as the source ACL, but uses a different number or name than the source ACL.
To successfully copy an ACL, make sure:
· The destination ACL number is of the same type as the source ACL number.
· The source ACL already exists, but the destination ACL does not.
To copy an ACL:
1. Enter system view.
   Command: system-view
2. Copy an existing ACL to create a new ACL.
   Command: acl [ ipv6 | mac | user-defined ] copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }
Configuring the QoS and ACL resource sharing mode
About this task
The sharing mode (specified by the share-mode keyword when a QoS policy is applied to an interface) allows multiple interfaces in the same port group to share one QoS and ACL resource if they are applied with the same QoS policy. In non-sharing mode, each interface occupies one QoS and ACL resource even if multiple interfaces are applied with the same QoS policy.
To identify which interfaces are in the same port group, use the display qos-acl resource command. Interfaces listed in the same Interfaces: field belong to the same port group.
Only the preemption sharing mode is supported. In this mode, for all interfaces applied with the same QoS policy to take effect in sharing mode, you must specify the share-mode keyword.
Restrictions and guidelines
If you do not perform this task, only one QoS policy can be applied to the same direction of interfaces in sharing mode. For more information about QoS policies and the sharing mode, see ACL and QoS Command Reference.
Only the preemption mode is supported in the current software version. In this mode, for all QoS policies applied to interfaces to take effect in sharing mode, you must specify the share-mode keyword when applying each QoS policy.
The preemption sharing mode takes effect only on QoS policies applied after it is specified. For this sharing mode to take effect on QoS policies applied before it is applied, perform one of the following tasks:
· Save the running configuration by using the save command and reboot the device.
· Remove the QoS policies applied before specifying the preemption sharing mode, and reapply them after specifying this sharing mode.
Procedure
1. Enter system view.
   Command: system-view
2. Configure the QoS and ACL resource sharing mode.
   Command: qos-acl resource share-mode inbound share-mode
   Remarks: By default, no QoS and ACL resource sharing mode is configured.
Configuring the QoS and ACL resource hardware mode
Different chips produce different packet matching results for QoS and ACL resources. Perform this task to enhance matching capabilities of QoS and ACL resources.
The inbound-portrange-enhanced mode takes effect only on ACLs applied after it is configured. For the mode to take effect on existing ACLs, perform one of the following tasks:
· Save the running configuration and reboot the device after configuring the mode.
· Remove applied ACLs before configuring the mode and reapply them after configuring the mode.
The inbound-portrange-enhanced mode enables the device to split a range of port numbers by using masks to save QoS and ACL resources.
Only the following interface modules support this feature:
· FD interface modules.
· FE interface modules.
· SG interface modules.
· 25-GE ports on the LSQM1SRP4Y06A0 interface module.
To configure the QoS and ACL resource hardware mode:
1. Enter system view.
   Command: system-view
2. Configure the QoS and ACL resource hardware mode.
   Command: qos-acl resource hardware-mode hardware-mode-value
   Remarks: By default, no QoS and ACL resource hardware mode is configured.
Configuring packet filtering with ACLs
This section describes procedures for using an ACL to filter packets. For example, you can apply an ACL to an interface to filter incoming or outgoing packets.
Applying an ACL to an interface for packet filtering
To the same direction of an interface, you can apply a maximum of four ACLs: one IPv4 ACL, one IPv6 ACL, one Layer 2 ACL, and one user-defined ACL.
The switch does not support applying an ACL to an OLT port for packet filtering. For more information about OLT ports, see OLT configuration in EPON Configuration Guide.
You cannot apply an ACL to the outbound direction of a Layer 2 aggregate interface, Layer 3 aggregate interface, or Layer 3 aggregate subinterface.
To apply an ACL to an interface for packet filtering:
1. Enter system view.
   Command: system-view
2. Enter interface view.
   Command: interface interface-type interface-number
3. Apply an ACL to the interface to filter packets.
   Command: packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } { inbound | outbound } [ hardware-count ]
   Remarks: By default, an interface does not filter packets.
Applying an ACL to filter packets globally
If an ACL fails to be applied globally for packet filtering, packet filtering fails on all cards.
You can apply a maximum of four ACLs to the same direction globally: one IPv4 ACL, one IPv6 ACL, one Layer 2 ACL, and one user-defined ACL.
To apply an ACL to filter packets globally:
1. Enter system view.
   Command: system-view
2. Apply an ACL globally to filter packets on all interfaces.
   Command: packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } global { inbound | outbound } [ hardware-count ]
   Remarks: By default, global packet filtering is not configured.
Applying an ACL to a list of VLAN interfaces for packet filtering
You can apply a maximum of four ACLs to the same direction of VLAN interfaces: one IPv4 ACL (basic or advanced), one IPv6 ACL (basic or advanced), one Layer 2 ACL, and one user-defined ACL.
You can use the packet-filter command in VLAN interface view or use the packet-filter vlan-interface command in system view to configure packet filtering in one direction of a VLAN interface. You cannot configure both of them in the same direction of a VLAN interface.
An ACL applied to VLAN interfaces takes effect only on Layer 3 packets.
If you modify a rule in an ACL applied to VLAN interfaces, the ACL might deny or permit packets mistakenly.
Repeating this command with one ACL for the same direction adds new VLAN interfaces to the list of VLAN interfaces:
· If you specify the hardware-count keyword the first time you configure this command, you must specify this keyword when repeating this command.
· If you do not specify the hardware-count keyword the first time you configure this command, do not specify this keyword when repeating this command.
To apply an ACL to a list of VLAN interfaces for packet filtering:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Apply an ACL to a list of VLAN interfaces to filter packets. |
packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } vlan-interface vlan-interface-list { inbound | outbound } [ hardware-count ] |
By default, the system does not filter packets on a VLAN interface. |
Configuring the applicable scope of packet filtering on a VLAN interface
You can configure the packet filtering on a VLAN interface to filter the following packets:
· Packets forwarded at Layer 3 by the VLAN interface.
· All packets, including packets forwarded at Layer 3 by the VLAN interface and packets forwarded at Layer 2 by the physical ports associated with the VLAN interface.
To configure the applicable scope of packet filtering on a VLAN interface:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Create a VLAN interface and enter its view. |
interface vlan-interface vlan-interface-id |
If the VLAN interface already exists, you directly enter its view. By default, no VLAN interface exists. |
3. Specify the applicable scope of packet filtering on the VLAN interface. |
packet-filter filter { route | all } |
By default, the packet filtering filters packets forwarded at Layer 3. |
Configuring logging and SNMP notifications for packet filtering
You can configure the ACL module to generate log entries or SNMP notifications for packet filtering and output them to the information center or SNMP module at the output interval. The log entry or notification records the number of matching packets and the matched ACL rules. If an ACL is matched for the first time, the device immediately outputs a log entry or notification to record the matching packet.
For more information about the information center and SNMP, see Network Management and Monitoring Configuration Guide.
To configure logging and SNMP notifications for packet filtering:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Set the interval for outputting packet filtering logs or notifications. |
acl { logging | trap } interval interval |
The default setting is 0 minutes, which means the device does not generate log entries or SNMP notifications for packet filtering. |
Setting the packet filtering default action
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Set the packet filtering default action to deny. |
packet-filter default deny |
By default, the packet filter permits packets that do not match any rule of any applied ACL. Set the default action to deny to make packet filtering fail closed; otherwise, an ACL intended as an allowlist must end with an explicit deny rule. |
Displaying and maintaining ACLs
Execute display commands in any view and reset commands in user view.
Task |
Command |
Display ACL configuration and match statistics. |
display acl [ ipv6 | mac | user-defined ] { acl-number | all | name acl-name } |
Display ACL application information for packet filtering (in standalone mode). |
display packet-filter { global | interface [ interface-type interface-number ] | vlan-interface } [ inbound | outbound ] [ slot slot-number ] |
Display ACL application information for packet filtering (in IRF mode). |
display packet-filter { global | interface [ interface-type interface-number ] | vlan-interface } [ inbound | outbound ] [ chassis chassis-number slot slot-number ] |
Display match statistics and default action statistics for packet filtering ACLs. |
display packet-filter statistics { global | interface interface-type interface-number | vlan-interface } { inbound | outbound } [ [ ipv6 | mac | user-defined ] { acl-number | name acl-name } ] [ brief ] |
Display the accumulated statistics for packet filtering ACLs. |
display packet-filter statistics sum { inbound | outbound } [ ipv6 | mac | user-defined ] { acl-number | name acl-name } [ brief ] |
Display detailed ACL packet filtering information (in standalone mode). |
display packet-filter verbose { global | interface interface-type interface-number | vlan-interface } { inbound | outbound } [ [ ipv6 | mac | user-defined ] { acl-number | name acl-name } ] [ slot slot-number ] |
Display detailed ACL packet filtering information (in IRF mode). |
display packet-filter verbose { global | interface interface-type interface-number | vlan-interface } { inbound | outbound } [ [ ipv6 | mac | user-defined ] { acl-number | name acl-name } ] [ chassis chassis-number slot slot-number ] |
Display QoS and ACL resource usage (in standalone mode). |
display qos-acl resource [ advanced-mode ] [ slot slot-number ] |
Display QoS and ACL resource usage (in IRF mode). |
display qos-acl resource [ advanced-mode ] [ chassis chassis-number slot slot-number ] |
Clear ACL statistics. |
reset acl [ ipv6 | mac | user-defined ] counter { acl-number | all | name acl-name } |
Clear match statistics, accumulated match statistics, and default action statistics for packet filtering ACLs. |
reset packet-filter statistics { global | interface [ interface-type interface-number ] | vlan-interface } { inbound | outbound } [ [ ipv6 | mac | user-defined ] { acl-number | name acl-name } ] |
ACL configuration examples
Interface-based packet filtering configuration example
Network requirements
A company interconnects its departments through the device. Configure packet filtering to:
· Permit access from the President's office to the financial database server at any time.
· Permit access from the Finance department to the financial database server only during working hours (from 8:00 to 18:00) on working days.
· Deny access from any other department to the financial database server.
Figure 1 Network diagram
Configuration procedure
# Create a periodic time range from 8:00 to 18:00 on working days.
<Device> system-view
[Device] time-range work 08:00 to 18:00 working-day
# Create an IPv4 advanced ACL numbered 3000.
[Device] acl advanced 3000
# Configure a rule to permit access from the President's office to the financial database server.
[Device-acl-ipv4-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.100 0
# Configure a rule to permit access from the Finance department to the financial database server during working hours.
[Device-acl-ipv4-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.100 0 time-range work
# Configure a rule to deny access from any other source to the financial database server. This explicit deny is required because the packet filter permits packets that match no rule by default.
[Device-acl-ipv4-adv-3000] rule deny ip source any destination 192.168.0.100 0
[Device-acl-ipv4-adv-3000] quit
# Apply IPv4 advanced ACL 3000 to filter outgoing packets on interface GigabitEthernet 1/0/1.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] packet-filter 3000 outbound
[Device-GigabitEthernet1/0/1] quit
Verifying the configuration
# Verify that a PC in the Finance department can ping the financial database server during working hours. (All PCs in this example use Windows XP).
C:\> ping 192.168.0.100
Pinging 192.168.0.100 with 32 bytes of data:
Reply from 192.168.0.100: bytes=32 time=1ms TTL=255
Reply from 192.168.0.100: bytes=32 time<1ms TTL=255
Reply from 192.168.0.100: bytes=32 time<1ms TTL=255
Reply from 192.168.0.100: bytes=32 time<1ms TTL=255
Ping statistics for 192.168.0.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
# Verify that a PC in the Marketing department cannot ping the financial database server during working hours.
C:\> ping 192.168.0.100
Pinging 192.168.0.100 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.0.100:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
# Display configuration and match statistics for IPv4 advanced ACL 3000 on the device during working hours.
[Device] display acl 3000
Advanced IPv4 ACL 3000, 3 rules,
ACL's step is 5
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.100 0
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.100 0 time-range work (Active)
rule 10 deny ip destination 192.168.0.100 0
The output shows that rule 5 is active, which means its time range work is currently in effect. Outside working hours, rule 5 is inactive and Finance traffic to the server falls through to rule 10 and is denied.
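The filtering behaviour of this example, modelled as an added Python illustration (this is not the switch's code). It parses the display acl 3000 output above and evaluates sample packets against the rules, assuming the semantics the page describes: rules are tried in rule-ID order and the first match wins, a rule whose time range is not in effect is skipped (so Finance traffic outside working hours falls through to rule 10), and a packet that matches no rule gets the packet filter's default action (permit unless packet-filter default deny is configured). The TIME_RANGES table, the Marketing address 192.168.3.10, the non-server host 192.168.4.5 and all function names are constructed for the illustration.

```python
"""Evaluate sample packets against the IPv4 advanced ACL 3000 of the example.

Added illustration, not switch code. Assumes: first match in rule-ID order,
inactive time-range rules are skipped, unmatched packets get the default
action ('permit' unless 'packet-filter default deny' is configured).
"""
import ipaddress
import re
from datetime import datetime, time

# Constructed sample input: the 'display acl 3000' output from the example.
DISPLAY_ACL_3000 = """\
Advanced IPv4 ACL 3000, 3 rules,
ACL's step is 5
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.100 0
 rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.100 0 time-range work (Active)
 rule 10 deny ip destination 192.168.0.100 0
"""

# Constructed model of 'time-range work 08:00 to 18:00 working-day':
# (start, end, weekdays) with Monday == 0.
TIME_RANGES = {"work": (time(8, 0), time(18, 0), {0, 1, 2, 3, 4})}

RULE_RE = re.compile(
    r"\brule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"(?:\s+source\s+(?P<src>\S+)\s+(?P<swc>\S+))?"
    r"(?:\s+destination\s+(?P<dst>\S+)\s+(?P<dwc>\S+))?"
    r"(?:\s+time-range\s+(?P<tr>\S+))?"
)


def parse_acl(display_output):
    """Parse 'display acl' rule lines into dicts, ordered by rule ID."""
    rules = []
    for line in display_output.splitlines():
        # The CLI drops 'source any' / 'destination any'; a missing criterion matches all.
        line = line.replace(" source any", "").replace(" destination any", "")
        m = RULE_RE.search(line)
        if m:
            rule = m.groupdict()
            rule["id"] = int(rule["id"])
            rules.append(rule)
    return sorted(rules, key=lambda r: r["id"])


def _to_int(addr):
    # The CLI abbreviates the wildcard 0.0.0.0 as '0'.
    return int(ipaddress.IPv4Address(addr)) if "." in addr else int(addr)


def wildcard_match(address, network, wildcard):
    """Wildcard-mask match: a 1 bit in the wildcard means 'do not care'.
    A missing criterion (None) matches any address."""
    if network is None:
        return True
    care = ~_to_int(wildcard)
    return (_to_int(address) & care) == (_to_int(network) & care)


def time_range_active(name, when):
    """A rule without a time range is always active."""
    if name is None:
        return True
    start, end, days = TIME_RANGES[name]
    return when.weekday() in days and start <= when.time() < end


def evaluate(rules, src, dst, when, default="permit"):
    """Return (action, rule_id); rule_id is None when the default action applies.
    `when` is a datetime or an ISO 8601 string such as '2024-01-08T10:00'."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    for rule in rules:
        if not time_range_active(rule["tr"], when):
            continue  # inactive rule: the packet falls through to later rules
        if wildcard_match(src, rule["src"], rule["swc"]) and \
           wildcard_match(dst, rule["dst"], rule["dwc"]):
            return rule["action"], rule["id"]
    return default, None


if __name__ == "__main__":
    rules = parse_acl(DISPLAY_ACL_3000)
    server = "192.168.0.100"
    print(evaluate(rules, "192.168.1.10", server, "2024-01-06T10:00"))  # President, Saturday
    print(evaluate(rules, "192.168.2.10", server, "2024-01-08T10:00"))  # Finance, Monday 10:00
    print(evaluate(rules, "192.168.2.10", server, "2024-01-06T10:00"))  # Finance, Saturday
    print(evaluate(rules, "192.168.3.10", server, "2024-01-08T10:00"))  # Marketing
    # No rule covers other destinations, so the default action decides.
    print(evaluate(rules, "192.168.3.10", "192.168.4.5", "2024-01-08T10:00"))
    print(evaluate(rules, "192.168.3.10", "192.168.4.5", "2024-01-08T10:00", default="deny"))
```

The last two calls show why the explicit deny in rule 10 matters: traffic to any host other than the server matches no rule and is decided solely by the packet filtering default action, which is permit unless packet-filter default deny has been configured.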