CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

The documents describe the configuration of the various services supported by the CX11x&CX31x&CX91x series switch modules. The description covers configuration examples and function configurations.
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring ACL

This section describes the procedures for configuring ACL.

Configuring a Basic ACL

A basic ACL classifies IPv4 packets based on information such as source IP addresses.

(Optional) Configuring the Validity Time Range of a Rule

Context

Some services or functions are restricted to a specified period of time; for example, Quality of Service (QoS) may be started only during peak hours. You can create a time range and reference it in an ACL applied to these services or functions so that the ACL takes effect only in the time range. The services or functions that reference the ACL are then also active only in the specified time range.

Deleting an ACL validity time range may invalidate the ACLs that reference it. Therefore, use this command with caution.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    time-range time-name { start-time to end-time { days } &<1-7> | from time1 date1 [ to time2 date2 ] }

    A time range is created.

    By default, no time range is set.

    NOTE:
    If multiple time ranges are configured with the same time-name value, the system takes the union of the periodic time ranges and the union of the absolute time ranges, and then takes the intersection of the two unions as the final time range. For example, if the name test is used to configure the following time ranges:
    • Time range 1: 01.01.2010 00:00 to 31.12.2010 23:59 (absolute time range)
    • Time range 2: 8:00 to 18:00 from Monday to Friday (periodic time range)
    • Time range 3: 14:00 to 18:00 on Saturday and Sunday (periodic time range)
    The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in 2010.

    You are advised to configure the Network Time Protocol (NTP) to ensure that devices on the network use the same system time. For the NTP configuration, see Configuring Basic NTP Functions in the CX11x&CX31x&CX91x Series Switch Modules Configuration Guide - Network Management.

  3. Run:

    commit

    The configuration is committed.
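    The union-then-intersection rule in the NOTE above is easy to misread, so here is an added example (not Huawei's code and not from this guide) that models it in Python and replays the page's three entries under the name test. Assumptions, labelled in the comments: range boundaries are inclusive, a periodic entry does not cross midnight, and a time range that has entries of only one kind (only periodic or only absolute) is restricted by that kind alone.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

# Weekday names as used in the page's example; numbering follows datetime.weekday() (Mon = 0)
WEEKDAYS = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}


@dataclass
class Periodic:
    """start-time to end-time on a set of weekdays (the command's periodic form)."""
    start: time
    end: time
    days: frozenset


@dataclass
class Absolute:
    """from time1 date1 to time2 date2 (the command's absolute form)."""
    start: datetime
    end: datetime


@dataclass
class TimeRange:
    """All entries configured under one time-name (hypothetical model, not Huawei's)."""
    name: str
    periodic: list = field(default_factory=list)
    absolute: list = field(default_factory=list)

    def add_periodic(self, start: str, end: str, days: list) -> None:
        fmt = "%H:%M"
        self.periodic.append(Periodic(datetime.strptime(start, fmt).time(),
                                      datetime.strptime(end, fmt).time(),
                                      frozenset(WEEKDAYS[d] for d in days)))

    def add_absolute(self, start: str, end: str) -> None:
        fmt = "%Y-%m-%d %H:%M"
        self.absolute.append(Absolute(datetime.strptime(start, fmt),
                                      datetime.strptime(end, fmt)))

    def is_active(self, at: datetime) -> bool:
        # Union of the periodic entries, union of the absolute entries, then their intersection.
        # Assumption: boundaries are inclusive and a periodic entry does not cross midnight.
        in_periodic = any(at.weekday() in p.days and p.start <= at.time() <= p.end
                          for p in self.periodic)
        in_absolute = any(a.start <= at <= a.end for a in self.absolute)
        # Assumption: a kind with no entries imposes no restriction; otherwise a name with
        # only periodic entries could never be active.
        if self.periodic and not in_periodic:
            return False
        if self.absolute and not in_absolute:
            return False
        return True


def active_at(tr: TimeRange, when: str) -> bool:
    """Convenience wrapper: evaluate a time range at 'YYYY-MM-DD HH:MM'."""
    return tr.is_active(datetime.strptime(when, "%Y-%m-%d %H:%M"))


def page_example() -> TimeRange:
    """The three entries the guide configures under the name test."""
    tr = TimeRange("test")
    tr.add_absolute("2010-01-01 00:00", "2010-12-31 23:59")          # time range 1
    tr.add_periodic("8:00", "18:00", ["Mon", "Tue", "Wed", "Thu", "Fri"])  # time range 2
    tr.add_periodic("14:00", "18:00", ["Sat", "Sun"])                # time range 3
    return tr


if __name__ == "__main__":
    tr = page_example()
    for when in ("2010-06-16 10:00", "2010-06-19 10:00", "2010-06-19 15:00", "2011-06-15 10:00"):
        print(when, "active" if active_at(tr, when) else "inactive")
```

    The 2011 probe is the case to remember when troubleshooting: the periodic entries still match a Wednesday morning, but the absolute entry has expired, so the intersection is empty and every ACL rule that references test silently stops matching.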

Creating a Basic ACL

Context

Before configuring a basic ACL, you need to create a basic ACL.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    acl { [ number ] acl-number | name acl-name { [ number ] acl-number | basic } }

    A basic ACL is created and the basic ACL view is displayed.

    acl-number specifies the number of a basic ACL. The value ranges from 2000 to 2999.

    By default, no ACL is created.

  3. (Optional) Run:

    step step

    The ACL step is configured.

    By default, the step between ACL rule IDs is 5.

  4. (Optional) Run:

    description text

    The ACL description is configured.

    By default, no description is configured for an ACL.

  5. Run:

    commit

    The configuration is committed.

Configuring a Basic ACL Rule

Context

A basic ACL classifies packets by matching packet information with its rules. After a basic ACL is created, configure rules in the basic ACL.

NOTE:

When the device receives a packet, it matches the packet with ACL rules one by one based on the configuration order. Once the packet matches a rule in an ACL rule group, the device stops the matching process and performs the action specified in the matching rule on the packet.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    acl { [ number ] acl-number | name acl-name { [ number ] acl-number | basic } }

    A basic ACL is created and the basic ACL view is displayed.

    acl-number specifies the number of a basic ACL. The value ranges from 2000 to 2999.

    By default, no ACL is created.

  3. Run:

    rule [ rule-id ] { deny | permit } [ fragment-type fragment | source { source-ip-address { source-wildcard | src-netmask } | any } | time-range time-name | vpn-instance vpn-instance-name ] *

    Rules for the basic ACL are configured.

    NOTE:

    When you configure a basic ACL:

    • If a source address is specified for packets (that is, the source parameter is specified in step 3), the device filters IP packets from this source address or filters the ARP packets carrying this source address.

    • If all source IP addresses are specified (any in Step 3), the system will not check packets' source IP addresses.

    • When you specify the time-range parameter to reference a time range in the ACL, if the specified time-name does not exist, the ACL cannot be bound to that time range.

  4. (Optional) Run:

    rule rule-id description description

    The description of a basic ACL rule is configured.

    By default, no description is configured for an ACL rule.

    You are not allowed to configure the description for a rule that has not been created.

  5. Run:

    commit

    The configuration is committed.

Applying the ACL to the Switch Module

Context

An ACL is a set of rules that differentiates packets and determines whether each packet is permitted or denied. The device then processes the permitted packets and discards the denied packets.

Procedure

  • Apply the ACL.

    ACLs can be applied to many features. For example, to process different types of traffic, you can use basic ACLs, basic ACL6s, advanced ACLs, advanced ACL6s, Layer 2 ACLs, or user-defined ACLs to perform traffic policing or traffic classification on the traffic that matches the ACL rules.

    NOTE:
    • ACLs can be applied to different services, and the devices running these services process the classified packets according to service requirements. For details about the services that reference ACLs, see the configuration guide.

Checking the Configuration

Procedure

  • Run the display acl { acl-number | name acl-name | all } command to view the configuration about a specific ACL or all ACLs.
  • Run the display time-range { all | time-name } command to view information about the time range.

Configuring an Advanced ACL

Advanced ACLs classify IPv4 packets based on information such as source and destination IP addresses, source and destination port numbers, packet priorities, and time ranges.

(Optional) Configuring the Validity Time Range of a Rule

Context

Some services or functions are restricted to a specified period of time; for example, Quality of Service (QoS) may be started only during peak hours. You can create a time range and reference it in an ACL applied to these services or functions so that the ACL takes effect only in the time range. The services or functions that reference the ACL are then also active only in the specified time range.

Deleting an ACL validity time range may invalidate the ACLs that reference it. Therefore, use this command with caution.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    time-range time-name { start-time to end-time { days } &<1-7> | from time1 date1 [ to time2 date2 ] }

    A time range is created.

    By default, no time range is set.

    NOTE:
    If multiple time ranges are configured with the same time-name value, the system takes the union of the periodic time ranges and the union of the absolute time ranges, and then takes the intersection of the two unions as the final time range. For example, if the name test is used to configure the following time ranges:
    • Time range 1: 01.01.2010 00:00 to 31.12.2010 23:59 (absolute time range)
    • Time range 2: 8:00 to 18:00 from Monday to Friday (periodic time range)
    • Time range 3: 14:00 to 18:00 on Saturday and Sunday (periodic time range)
    The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in 2010.

    You are advised to configure the Network Time Protocol (NTP) to ensure that devices on the network use the same system time. For the NTP configuration, see Configuring Basic NTP Functions in the CX11x&CX31x&CX91x Series Switch Modules Configuration Guide - Network Management.

  3. Run:

    commit

    The configuration is committed.

Creating an Advanced ACL

Context

Before configuring an advanced ACL, you need to create an advanced ACL.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    acl { [ number ] acl-number | name acl-name [ [ number ] acl-number | advance ] }

    An advanced ACL is created and the advanced ACL view is displayed.

    acl-number specifies the number of an advanced ACL. The value ranges from 3000 to 3999.

    By default, no ACL is created.

  3. (Optional) Run:

    step step

    The ACL step is configured.

    By default, the step between ACL rule IDs is 5.

  4. (Optional) Run:

    description text

    The ACL description is configured.

    By default, no description is configured for an ACL.

  5. Run:

    commit

    The configuration is committed.

Configuring an Advanced ACL Rule

Context

An advanced ACL classifies packets by matching packet information with its rules. After an advanced ACL is created, configure rules in the advanced ACL.

NOTE:

When the device receives a packet, it matches the packet with ACL rules one by one based on the configuration order. Once the packet matches a rule in an ACL rule group, the device stops the matching process and performs the action specified in the matching rule on the packet.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    acl { [ number ] acl-number | name acl-name [ [ number ] acl-number | advance ] }

    An advanced ACL is created and the advanced ACL view is displayed.

    acl-number specifies the number of an advanced ACL. The value ranges from 3000 to 3999.

    By default, no ACL is created.

  3. Configure an advanced ACL rule based on the protocol type.

    • When the UDP protocol is used, run:

      rule [ rule-id ] { deny | permit } protocol [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ip-address { destination-wildcard | des-netmask } | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | fragment-type fragment | source { source-ip-address { source-wildcard | src-netmask } | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | vpn-instance vpn-instance-name | ttl-expired ] *

    • When the TCP protocol is used, run:

      rule [ rule-id ] { deny | permit } protocol [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ip-address { destination-wildcard | des-netmask } | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | fragment-type fragment | source { source-ip-address { source-wildcard | src-netmask } | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag tcp-flag | time-range time-name | vpn-instance vpn-instance-name | ttl-expired ] *

    • When the ICMP protocol is used, run:

      rule [ rule-id ] { deny | permit } protocol [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ip-address { destination-wildcard | des-netmask } | any } | fragment-type fragment | icmp-type { icmp-name | icmp-type [ icmp-code ] } | source { source-ip-address { source-wildcard | src-netmask } | any } | time-range time-name | vpn-instance vpn-instance-name | ttl-expired ] *

    • When other protocols are used, run:

      rule [ rule-id ] { deny | permit } protocol [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ip-address { destination-wildcard | des-netmask } | any } | fragment-type fragment | source { source-ip-address { source-wildcard | src-netmask } | any } | time-range time-name | vpn-instance vpn-instance-name | ttl-expired ] *

    NOTE:

    When you configure an advanced ACL rule,

    • If any is specified for the destination and source IP addresses in Step 3, the system does not check the packets' destination and source IP addresses.

    • When you specify the time-range parameter to reference a time range in the ACL, if the specified time-name does not exist, the ACL cannot be bound to that time range.

  4. (Optional) Run:

    rule rule-id description description

    The description of an advanced ACL rule is configured.

    By default, no description is configured for an ACL rule.

    You are not allowed to configure the description for a rule that has not been created.

  5. Run:

    commit

    The configuration is committed.
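    The first-match behaviour described in the NOTE under Configuring a Basic ACL Rule, the wildcard form of the source and destination parameters, and the port operators of the advanced rule syntax in step 3 above are all easier to reason about when they can be exercised against sample packets. The Python model below is an added example written for this page; it is not Huawei's implementation. Its assumptions are marked in the comments: rules are tried in ascending rule-id order (taken as the "configuration order"), a rule without a rule-id receives the next multiple of the step above the highest existing ID, and the packets are constructed dictionaries rather than real traffic.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

# Hypothetical model of basic/advanced ACL matching; not Huawei's implementation.


def ip_matches(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 1 bit in the wildcard means that bit is not compared."""
    w = int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) | w) == (int(IPv4Address(base)) | w)


def port_matches(cond: Optional[tuple], port: Optional[int]) -> bool:
    """cond mirrors { eq port | gt port | lt port | range port-start port-end }; None = any."""
    if cond is None:
        return True
    if port is None:
        return False
    op = cond[0]
    if op == "eq":
        return port == cond[1]
    if op == "gt":
        return port > cond[1]
    if op == "lt":
        return port < cond[1]
    if op == "range":
        return cond[1] <= port <= cond[2]
    raise ValueError(f"unknown port operator {op!r}")


@dataclass
class Rule:
    rule_id: int
    action: str                                  # "permit" or "deny"
    protocol: Optional[str] = None               # None or "ip": any protocol (basic ACLs have none)
    source: Optional[Tuple[str, str]] = None     # (address, wildcard); None = any
    destination: Optional[Tuple[str, str]] = None
    source_port: Optional[tuple] = None
    destination_port: Optional[tuple] = None

    def matches(self, pkt: dict) -> bool:
        if self.protocol not in (None, "ip") and pkt.get("proto") != self.protocol:
            return False
        if self.source and not ip_matches(pkt["src"], *self.source):
            return False
        if self.destination and not ip_matches(pkt["dst"], *self.destination):
            return False
        return (port_matches(self.source_port, pkt.get("sport"))
                and port_matches(self.destination_port, pkt.get("dport")))


class Acl:
    def __init__(self, number: int, step: int = 5):   # step 5 is the guide's default
        self.number, self.step, self.rules = number, step, []

    def rule(self, action: str, rule_id: Optional[int] = None, **fields) -> int:
        if rule_id is None:  # assumption: omitted rule-id -> next multiple of step above the highest
            rule_id = (max((r.rule_id for r in self.rules), default=0) // self.step + 1) * self.step
        self.rules.append(Rule(rule_id, action, **fields))
        return rule_id

    def classify(self, pkt: dict) -> str:
        # Ascending rule-id order is taken as the "configuration order"; first match ends the search
        for r in sorted(self.rules, key=lambda r: r.rule_id):
            if r.matches(pkt):
                return r.action
        return "no-match"   # the referencing service decides what an unmatched packet gets


def basic_acl_2001() -> Acl:
    """acl 2001: permit sources in 10.1.1.0/24 (wildcard 0.0.0.255), deny any other source."""
    acl = Acl(2001)
    acl.rule("permit", source=("10.1.1.0", "0.0.0.255"))
    acl.rule("deny")                            # rule deny source any
    return acl


def advanced_acl_3001() -> Acl:
    """acl 3001: deny telnet to one host, permit high TCP ports into the subnet, deny the rest."""
    acl = Acl(3001)
    acl.rule("deny", protocol="tcp", destination=("192.168.1.10", "0.0.0.0"),
             destination_port=("eq", 23))
    acl.rule("permit", protocol="tcp", destination=("192.168.1.0", "0.0.0.255"),
             destination_port=("range", 1024, 65535))
    acl.rule("deny", protocol="ip")
    return acl
```

    The order matters: if the permit rule for the subnet were given rule-id 1 (lower than the telnet deny), a TCP packet to 192.168.1.10 port 23 would match the permit first and the deny would never be reached, which is why the guide recommends leaving gaps (the step) between rule IDs so that rules can be inserted in the right place later.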

Applying the ACL to the Switch Module

Context

An ACL is a set of rules that differentiates packets and determines whether each packet is permitted or denied. The device then processes the permitted packets and discards the denied packets.

Procedure

  • Apply the ACL.

    ACLs can be applied to many features. For example, to process different types of traffic, you can use basic ACLs, basic ACL6s, advanced ACLs, advanced ACL6s, Layer 2 ACLs, or user-defined ACLs to perform traffic policing or traffic classification on the traffic that matches the ACL rules.

    NOTE:
    • ACLs can be applied to different services, and the devices running these services process the classified packets according to service requirements. For details about the services that reference ACLs, see the configuration guide.

Checking the Configuration

Procedure

  • Run the display acl { acl-number | name acl-name | all } command to view the configuration about a specific ACL or all ACLs.
  • Run the display time-range { all | time-name } command to view information about the time range.

Configuring a Layer 2 ACL

A Layer 2 ACL classifies data packets according to the link layer information, including the source MAC address, VLAN ID, Layer 2 protocol type, and destination MAC address.

(Optional) Configuring the Validity Time Range of a Rule

Context

Some services or functions are restricted to a specified period of time; for example, Quality of Service (QoS) may be started only during peak hours. You can create a time range and reference it in an ACL applied to these services or functions so that the ACL takes effect only in the time range. The services or functions that reference the ACL are then also active only in the specified time range.

Deleting an ACL validity time range may invalidate the ACLs that reference it. Therefore, use this command with caution.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    time-range time-name { start-time to end-time { days } &<1-7> | from time1 date1 [ to time2 date2 ] }

    A time range is created.

    By default, no time range is set.

    NOTE:
    If multiple time ranges are configured with the same time-name value, the system takes the union of the periodic time ranges and the union of the absolute time ranges, and then takes the intersection of the two unions as the final time range. For example, if the name test is used to configure the following time ranges:
    • Time range 1: 01.01.2010 00:00 to 31.12.2010 23:59 (absolute time range)
    • Time range 2: 8:00 to 18:00 from Monday to Friday (periodic time range)
    • Time range 3: 14:00 to 18:00 on Saturday and Sunday (periodic time range)
    The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in 2010.

    You are advised to configure the Network Time Protocol (NTP) to ensure that devices on the network use the same system time. For the NTP configuration, see Configuring Basic NTP Functions in the CX11x&CX31x&CX91x Series Switch Modules Configuration Guide - Network Management.

  3. Run:

    commit

    The configuration is committed.

Creating a Layer 2 ACL

Context

Before configuring a Layer 2 ACL, you need to create a Layer 2 ACL.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    acl { [ number ] acl-number | name acl-name { [ number ] acl-number | link } }

    A Layer 2 ACL is created and the Layer 2 ACL view is displayed.

    acl-number specifies the number of a Layer 2 ACL. The value ranges from 4000 to 4999.

    By default, no ACL is created.

  3. (Optional) Run:

    step step

    The ACL step is configured.

    By default, the step between ACL rule IDs is 5.

  4. (Optional) Run:

    description text

    The ACL description is configured.

    By default, no description is configured for an ACL.

  5. Run:

    commit

    The configuration is committed.

Configuring a Layer 2 ACL Rule

Context

Layer 2 ACLs classify packets by matching packet information with their rules. After a Layer 2 ACL is created, configure rules in the ACL.

NOTE:

When the device receives a packet, it matches the packet with ACL rules one by one based on the configuration order. Once the packet matches a rule in an ACL rule group, the device stops the matching process and performs the action specified in the matching rule on the packet.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    acl { [ number ] acl-number | name acl-name { [ number ] acl-number | link } }

    A Layer 2 ACL is created and the Layer 2 ACL view is displayed.

    acl-number specifies the number of a Layer 2 ACL. The value ranges from 4000 to 4999.

    By default, no ACL is created.

  3. Run:

    rule [ rule-id ] { deny | permit } [ type type [ type-mask ] | source-mac source-mac [ source-mac-mask ] | destination-mac dest-mac [ dest-mac-mask ] | [ ether-ii | 802.3 | snap ] | vlan vlan-id [ vlan-mask ] | 8021p 8021p | inner-vlan inner-vlan-id [ inner-vlan-mask ] | inner-8021p inner-8021p | double-tag | time-range time-name ] *

    A Layer 2 ACL rule is configured.

    NOTE:
    When you configure a Layer 2 ACL rule,
    • If ether-ii | 802.3 | snap is specified, only packets with a specified encapsulation type are filtered.
    • If ether-ii | 802.3 | snap is not specified, all the packets are filtered.
    • When you specify the time-range parameter to reference a time range in the ACL, if the specified time-name does not exist, the ACL cannot be bound to that time range.

  4. (Optional) Run:

    rule rule-id description description

    The description of a Layer 2 ACL rule is configured.

    By default, no description is configured for an ACL rule.

    You are not allowed to configure the description for a rule that has not been created.

  5. Run:

    commit

    The configuration is committed.

Applying the ACL to the Switch Module

Context

An ACL is a set of rules that differentiates packets and determines whether each packet is permitted or denied. The device then processes the permitted packets and discards the denied packets.

Procedure

  • Apply the ACL.

    ACLs can be applied to many features. For example, to process different types of traffic, you can use basic ACLs, basic ACL6s, advanced ACLs, advanced ACL6s, Layer 2 ACLs, or user-defined ACLs to perform traffic policing or traffic classification on the traffic that matches the ACL rules.

    NOTE:
    • ACLs can be applied to different services, and the devices running these services process the classified packets according to service requirements. For details about the services that reference ACLs, see the configuration guide.

Checking the Configuration

Procedure

  • Run the display acl { acl-number | name acl-name | all } command to view the configuration about a specific ACL or all ACLs.
  • Run the display time-range { all | time-name } command to view information about the time range.

Configuring a User-defined ACL

You can configure a user-defined ACL to classify data packets based on user-defined rules.

(Optional) Configuring the Validity Time Range of a Rule

Context

Some services or functions are restricted to a specified period of time; for example, Quality of Service (QoS) may be started only during peak hours. You can create a time range and reference it in an ACL applied to these services or functions so that the ACL takes effect only in the time range. The services or functions that reference the ACL are then also active only in the specified time range.

Deleting an ACL validity time range may invalidate the ACLs that reference it. Therefore, use this command with caution.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    time-range time-name { start-time to end-time { days } &<1-7> | from time1 date1 [ to time2 date2 ] }

    A time range is created.

    By default, no time range is set.

    NOTE:
    If multiple time ranges are configured with the same time-name value, the system takes the union of the periodic time ranges and the union of the absolute time ranges, and then takes the intersection of the two unions as the final time range. For example, if the name test is used to configure the following time ranges:
    • Time range 1: 01.01.2010 00:00 to 31.12.2010 23:59 (absolute time range)
    • Time range 2: 8:00 to 18:00 from Monday to Friday (periodic time range)
    • Time range 3: 14:00 to 18:00 on Saturday and Sunday (periodic time range)
    The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in 2010.

    You are advised to configure the Network Time Protocol (NTP) to ensure that devices on the network use the same system time. For the NTP configuration, see Configuring Basic NTP Functions in the CX11x&CX31x&CX91x Series Switch Modules Configuration Guide - Network Management.

  3. Run:

    commit

    The configuration is committed.

Creating a User-defined ACL

Context

Before configuring a user-defined ACL, create a user-defined ACL.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    acl { [ number ] acl-number | name acl-name { [ number ] acl-number | user } }

    A user-defined ACL is created and the user-defined ACL view is displayed.

    acl-number specifies the number of a user-defined ACL. The value ranges from 5000 to 5999.

    By default, no ACL is created.

  3. (Optional) Run:

    step step

    The ACL step is configured.

    By default, the step between ACL rule IDs is 5.

  4. (Optional) Run:

    description text

    The ACL description is configured.

    By default, no description is configured for an ACL.

  5. Run:

    commit

    The configuration is committed.

Configuring a User-defined ACL Rule

Context

User-defined ACLs classify packets by matching packet information with their rules. After a user-defined ACL is created, configure rules in the ACL.

NOTE:

When the device receives a packet, it matches the packet with ACL rules one by one based on the configuration order. Once the packet matches a rule in an ACL rule group, the device stops the matching process and performs the action specified in the matching rule on the packet.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    acl { [ number ] acl-number | name acl-name { [ number ] acl-number | user } }

    A user-defined ACL is created and the user-defined ACL view is displayed.

    acl-number specifies the number of a user-defined ACL. The value ranges from 5000 to 5999.

    By default, no ACL is created.

  3. Run:

    rule [ rule-id ] { deny | permit } [ [ l2-head | ipv4-head | l4-head ] { rule-string rule-mask offset } &<1-4> ] [ time-range time-name ]

    A user-defined ACL rule is configured.

    NOTE:
    When you configure a user-defined ACL rule,
    • If the offset position is not specified, the Ethernet frame header (l2-head) is the default offset position.
    • When you specify the time-range parameter to reference a time range in the ACL, if the specified time-name does not exist, the ACL cannot be bound to that time range.

  4. (Optional) Run:

    rule rule-id description description

    The description of a user-defined ACL rule is configured.

    By default, no description is configured for an ACL rule.

    You are not allowed to configure the description for a rule that has not been created.

  5. Run:

    commit

    The configuration is committed.
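    A user-defined rule matches raw bytes at an offset from one of three header bases, which is a different mechanism from the field-based rules of the other ACL types. The following Python model is an added example for this page, not Huawei's implementation, and it encodes these assumptions in its comments: l2-head is byte 0 of the frame, ipv4-head is the first byte of the IPv4 header in an untagged Ethernet II frame, l4-head is the first byte after the IPv4 header, a condition matches when (frame bytes AND rule-mask) equals (rule-string AND rule-mask), and all of a rule's one to four conditions must hold. The sample frame is constructed in the code.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical model of user-defined ACL matching; not Huawei's implementation.
# A condition is (header, rule-string, rule-mask, offset), mirroring the command syntax.
Condition = Tuple[Optional[str], str, str, int]


def header_offsets(frame: bytes) -> dict:
    """Byte position of each offset base (assumption: l2-head = 0, ipv4-head = first IPv4
    header byte of an untagged Ethernet II frame, l4-head = first byte after the IPv4 header)."""
    offsets = {"l2-head": 0}
    if len(frame) >= 15 and struct.unpack("!H", frame[12:14])[0] == 0x0800:
        offsets["ipv4-head"] = 14
        offsets["l4-head"] = 14 + (frame[14] & 0x0F) * 4
    return offsets


def condition_matches(frame: bytes, cond: Condition) -> bool:
    """(frame bytes & rule-mask) == (rule-string & rule-mask) at header base + offset."""
    header, rule_string, rule_mask, offset = cond
    value, mask = bytes.fromhex(rule_string), bytes.fromhex(rule_mask)
    if len(value) != len(mask):
        raise ValueError("rule-string and rule-mask must be the same length")
    offsets = header_offsets(frame)
    if header not in offsets:               # e.g. ipv4-head asked of a non-IPv4 frame
        return False
    start = offsets[header] + offset
    window = frame[start:start + len(value)]
    if len(window) < len(value):            # frame too short to hold the field: no match
        return False
    return all((w & m) == (v & m) for w, v, m in zip(window, value, mask))


@dataclass
class Rule:
    rule_id: int
    action: str
    conditions: List[Condition]


class UserDefinedAcl:
    def __init__(self, number: int, step: int = 5):
        self.number, self.step, self.rules = number, step, []

    def rule(self, action: str, conditions: List[Condition], rule_id: Optional[int] = None) -> int:
        if not 1 <= len(conditions) <= 4:   # the command accepts &<1-4> conditions
            raise ValueError("a rule takes between 1 and 4 conditions")
        # The guide makes l2-head the default when no header is given; None stands for "omitted"
        conditions = [("l2-head",) + c[1:] if c[0] is None else c for c in conditions]
        if rule_id is None:                  # assumption: next multiple of step above the highest ID
            rule_id = (max((r.rule_id for r in self.rules), default=0) // self.step + 1) * self.step
        self.rules.append(Rule(rule_id, action, conditions))
        return rule_id

    def classify(self, frame: bytes) -> str:
        # First match in rule-id order wins; all conditions of a rule must hold (assumption)
        for r in sorted(self.rules, key=lambda r: r.rule_id):
            if all(condition_matches(frame, c) for c in r.conditions):
                return r.action
        return "no-match"


def build_frame(ip_proto: int, dport: int) -> bytes:
    """Constructed sample: Ethernet II + IPv4 (IHL 5) + an 8-byte UDP-shaped L4 header."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", 0x0800)
    payload = b"constructed"
    l4 = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, ip_proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 53]))
    return eth + ip + l4


def acl_5001() -> UserDefinedAcl:
    """Deny UDP to port 53 (protocol byte 0x11 at ipv4-head+9, dport at l4-head+2);
    permit any other IPv4 frame (EtherType 0x0800 at l2-head+12, header omitted)."""
    acl = UserDefinedAcl(5001)
    acl.rule("deny", [("ipv4-head", "11", "ff", 9), ("l4-head", "0035", "ffff", 2)])
    acl.rule("permit", [(None, "0800", "ffff", 12)])
    return acl
```

    Two practical points the model makes visible: a rule anchored on ipv4-head or l4-head cannot match a frame that has no IPv4 header at all, and an offset that runs past the end of a short frame simply fails to match rather than matching garbage, so a "deny" built from byte offsets should always be checked against the frames it is not meant to catch as well as the ones it is.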

Applying the ACL to the Switch Module

Context

An ACL is a set of rules that differentiates packets and determines whether each packet is permitted or denied. The device then processes the permitted packets and discards the denied packets.

Procedure

  • Apply the ACL.

    ACLs can be applied to many features. For example, to process different types of traffic, you can use basic ACLs, basic ACL6s, advanced ACLs, advanced ACL6s, Layer 2 ACLs, or user-defined ACLs to perform traffic policing or traffic classification on the traffic that matches the ACL rules.

    NOTE:
    • ACLs can be applied to different services, and the devices running these services process the classified packets according to service requirements. For details about the services that reference ACLs, see the configuration guide.

Checking the Configuration

Procedure

  • Run the display acl { acl-number | name acl-name | all } command to view the configuration about a specific ACL or all ACLs.
  • Run the display time-range { all | time-name } command to view information about the time range.

Configuring a Basic ACL6

Basic ACL6s classify data packets based on the source IPv6 address.

(Optional) Configuring the Validity Time Range of a Rule

Context

Some services or functions are restricted to a specified period of time; for example, Quality of Service (QoS) may be started only during peak hours. You can create a time range and reference it in an ACL applied to these services or functions so that the ACL takes effect only in the time range. The services or functions that reference the ACL are then also active only in the specified time range.

Deleting an ACL validity time range may invalidate the ACLs that reference it. Therefore, use this command with caution.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    time-range time-name { start-time to end-time { days } &<1-7> | from time1 date1 [ to time2 date2 ] }

    A time range is created.

    By default, no time range is set.

    NOTE:
    If multiple time ranges are configured with the same time-name value, the system takes the union of the periodic time ranges and the union of the absolute time ranges, and then takes the intersection of the two unions as the final time range. For example, if the name test is used to configure the following time ranges:
    • Time range 1: 01.01.2010 00:00 to 31.12.2010 23:59 (absolute time range)
    • Time range 2: 8:00 to 18:00 from Monday to Friday (periodic time range)
    • Time range 3: 14:00 to 18:00 on Saturday and Sunday (periodic time range)
    The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in 2010.

    You are advised to configure the Network Time Protocol (NTP) to ensure that devices on the network use the same system time. For the NTP configuration, see Configuring Basic NTP Functions in the CX11x&CX31x&CX91x Series Switch Modules Configuration Guide - Network Management.

  3. Run:

    commit

    The configuration is committed.

Creating a Basic ACL6

Context

A basic ACL6 classifies IPv6 packets based on source IPv6 addresses, fragment flags, and time ranges.

Before configuring a basic ACL6, create a basic ACL6.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    acl ipv6 { [ number ] acl6-number | name acl6-name basic }

    A basic ACL6 is created and the basic ACL6 view is displayed.

    acl6-number specifies the number of a basic ACL6. The value ranges from 2000 to 2999.

    By default, no ACL6 is created.

  3. (Optional) Run:

    step step

    The ACL6 step is configured.

    By default, the step between ACL6 rule IDs is 5.

  4. (Optional) Run:

    description text

    The ACL6 description is configured.

    By default, no description is configured for an ACL6.

  5. Run:

    commit

    The configuration is committed.

Configuring a Basic ACL6 Rule

Context

A basic ACL6 classifies packets by matching packet information with its rules. After a basic ACL6 is created, configure rules in the ACL6.

NOTE:

When the device receives a packet, it matches the packet with ACL rules one by one based on the configuration order. Once the packet matches a rule in an ACL rule group, the device stops the matching process and performs the action specified in the matching rule on the packet.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    acl ipv6 { [ number ] acl6-number | name acl6-name basic }

    A basic ACL6 is created and the basic ACL6 view is displayed.

    acl6-number specifies the number of a basic ACL6. The value ranges from 2000 to 2999.

    By default, no ACL6 is created.

  3. Run:

    rule [ rule-id ] { deny | permit } [ fragment | source { source-ipv6-address { prefix-length | source-wildcard } | source-ipv6-address/prefix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *

    Rules for the basic ACL6 are configured.

    NOTE:

    When you configure a basic ACL6:

    • If all source IPv6 addresses are specified (any in Step 3), the system will not check packets' source IPv6 addresses.

    • When you specify the time-range parameter to reference a time range in the ACL6, if the specified time-name does not exist, the ACL6 does not take effect.

  4. (Optional) Run:

    rule rule-id description description

    The description of a basic ACL6 rule is configured.

    By default, no description is configured for an ACL rule.

    You are not allowed to configure the description for a rule that has not been created.

  5. Run:

    commit

    The configuration is committed.

Applying the ACL to the Switch Module

Context

An ACL is a set of rules that differentiates packets and determines whether each packet is permitted or denied. The device then processes the permitted packets and discards the denied packets.

Procedure

  • Apply the ACL.

    ACLs can be applied to many features. For example, to process different types of traffic, you can use basic ACLs, basic ACL6s, advanced ACLs, advanced ACL6s, Layer 2 ACLs, or user-defined ACLs to perform traffic policing or traffic classification on the traffic that matches the ACL rules.

    NOTE:
    • ACLs can be applied to different services, and the devices running these services process the classified packets according to service requirements. For details about the services that reference ACLs, see the configuration guide.

Checking the Configuration

Procedure

  • Run the display acl ipv6 { acl6-number | name acl6-name | all } command to view the configuration about a specific ACL6 or all ACL6s.
  • Run the display time-range { all | time-name } command to display information about the time range.

Configuring an Advanced ACL6

Advanced ACL6s classify data packets based on the source IPv6 address, destination IPv6 address, source port number, destination port number, and protocol type.

(Optional) Configuring the Validity Time Range of a Rule

Context

Some services or functions are restricted to a specified period of time; for example, Quality of Service (QoS) is started only during peak hours. You can create a time range and reference it in an ACL applied to these services or functions so that the ACL takes effect only within the time range. The services or functions that reference the ACL are then also active only within the specified time range.

Deleting a validity time range may invalidate the ACLs that reference it. Therefore, use this command with caution.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    time-range time-name { start-time to end-time { days } &<1-7> | from time1 date1 [ to time2 date2 ] }

    A time range is created.

    By default, no time range is set.

    NOTE:
    If multiple time ranges are configured using the same time-name value, the system takes the union of the periodic time ranges and the union of the absolute time ranges, and then takes the intersection of the two unions as the final time range. For example, the name test is used to configure the following time ranges:
    • Time range 1: 01.01.2010 00:00 to 31.12.2010 23:59 (absolute time range)
    • Time range 2: 8:00 to 18:00 from Monday to Friday (periodic time range)
    • Time range 3: 14:00 to 18:00 on Saturday and Sunday (periodic time range)
    The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in 2010.

    You are advised to configure the Network Time Protocol (NTP) to ensure that devices on the network use the same system time. For the NTP configuration, see Configuring Basic NTP Functions in the CX11x&CX31x&CX91x Series Switch Modules Configuration Guide - Network Management.

  3. Run:

    commit

    The configuration is committed.
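The merge rule in the note above, worked through as an added example rather than the switch's own code: a Python model of periodic and absolute entries sharing one time-name, evaluated as (union of periodic) AND (union of absolute). The weekday numbering, the entry representation and the assumption that a kind with no entries imposes no limit are the model's own.

```python
from datetime import datetime, time

# Constructed model (added example, not the switch's code) of the time-range
# merge rule described in the note: entries sharing one time-name combine as
#   (union of periodic ranges) AND (union of absolute ranges).
MON, TUE, WED, THU, FRI, SAT, SUN = range(7)   # datetime.weekday() numbering


def periodic(start, end, days):
    """'start-time to end-time days': a time-of-day window on the given weekdays."""
    return ("periodic", lambda t: t.weekday() in days and start <= t.time() <= end)


def absolute(start, end):
    """'from time1 date1 to time2 date2': one contiguous wall-clock interval."""
    return ("absolute", lambda t: start <= t <= end)


def time_range_active(entries, now):
    """True when `now` falls inside the merged time range.

    Assumption of this model: when no entry of a kind exists, that kind
    imposes no limit (a purely periodic time-name is not restricted by date).
    """
    periodic_hits = [hit for kind, hit in entries if kind == "periodic"]
    absolute_hits = [hit for kind, hit in entries if kind == "absolute"]
    in_periodic = not periodic_hits or any(h(now) for h in periodic_hits)
    in_absolute = not absolute_hits or any(h(now) for h in absolute_hits)
    return in_periodic and in_absolute


# The three entries the note configures under the name "test".
TEST = [
    absolute(datetime(2010, 1, 1, 0, 0), datetime(2010, 12, 31, 23, 59)),
    periodic(time(8, 0), time(18, 0), {MON, TUE, WED, THU, FRI}),
    periodic(time(14, 0), time(18, 0), {SAT, SUN}),
]


def acl_effective(when):
    """Whether an ACL that references time-range 'test' applies at `when`."""
    return time_range_active(TEST, when)
```

Because the device evaluates the range against its own clock, a skewed clock shifts every window at once, which is the reason the text recommends NTP.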

Creating an Advanced ACL6

Context

An advanced ACL6 can classify IPv6 packets based on the following attributes: source IPv6 address, destination IPv6 address, protocol type supported by IPv6, and protocol-specific features such as the source and destination TCP port numbers, ICMPv6 protocol type, and ICMPv6 Code.

Before configuring an advanced ACL6, you need to create an advanced ACL6.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    acl ipv6 { [ number ] acl6-number | name acl6-name [ advance ] }

    An advanced ACL6 is created and the advanced ACL6 view is displayed.

    acl6-number specifies the number of an advanced ACL6. The value ranges from 3000 to 3999.

    By default, no ACL6 is created.

  3. (Optional) Run:

    step step

    The ACL6 step is configured.

    By default, the step between ACL6 rule IDs is 5.

  4. (Optional) Run:

    description text

    The ACL6 description is configured.

    By default, no description is configured for an ACL6.

  5. Run:

    commit

    The configuration is committed.

Configuring an Advanced ACL6 Rule

Context

ACL6s classify packets by matching packet information against their rules. After an advanced ACL6 is created, configure rules in the advanced ACL6.

NOTE:

When the device receives a packet, it matches the packet with ACL rules one by one based on the configuration order. Once the packet matches a rule in an ACL rule group, the device stops the matching process and performs the action specified in the matching rule on the packet.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    acl ipv6 { [ number ] acl6-number | name acl6-name [ advance ] }

    An advanced ACL6 is created and the advanced ACL6 view is displayed.

    acl6-number specifies the number of an advanced ACL6. The value ranges from 3000 to 3999.

    By default, no ACL6 is created.

  3. Configure the rules of the advanced ACL6 as required, using the command that corresponds to the protocol type carried over IPv6.

    • If the value of protocol is UDP, run the following command to create ACL6 rules:

      rule [ rule-id ] { deny | permit } protocol [ dscp dscp | destination { destination-ipv6-address { prefix-length | destination-wildcard } | destination-ipv6-address/prefix-length | any } | destination-port { eq port | gt port | lt port | neq port | range port-start port-end } | fragment | source { source-ipv6-address { prefix-length | source-wildcard } | source-ipv6-address/prefix-length | any } | source-port { eq port | gt port | lt port | neq port | range port-start port-end } | time-range time-name | vpn-instance vpn-instance-name ] *

    • If the value of protocol is TCP, run the following command to create ACL6 rules:

      rule [ rule-id ] { deny | permit } protocol [ dscp dscp | destination { destination-ipv6-address { prefix-length | destination-wildcard } | destination-ipv6-address/prefix-length | any } | destination-port { eq port | gt port | lt port | neq port | range port-start port-end } | fragment | source { source-ipv6-address { prefix-length | source-wildcard } | source-ipv6-address/prefix-length | any } | source-port { eq port | gt port | lt port | neq port | range port-start port-end } | time-range time-name | vpn-instance vpn-instance-name ] *

    • If the value of protocol is ICMPv6, run the following command to create ACL6 rules:

      rule [ rule-id ] { deny | permit } protocol [ dscp dscp | destination { destination-ipv6-address { prefix-length | destination-wildcard } | destination-ipv6-address/prefix-length | any } | fragment | icmp6-type { icmp6-type-name | icmp6-type [ icmp6-code ] } | source { source-ipv6-address { prefix-length | source-wildcard } | source-ipv6-address/prefix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *

    • If the value of protocol is a protocol other than TCP, UDP, and ICMPv6, run the following command to create an ACL6 rule:

      rule [ rule-id ] { deny | permit } protocol [ dscp dscp | destination { destination-ipv6-address { prefix-length | destination-wildcard } | destination-ipv6-address/prefix-length | any } | fragment | source { source-ipv6-address { prefix-length | source-wildcard } | source-ipv6-address/prefix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *

    NOTE:

    When you configure an advanced ACL6:

    • If all destination IPv6 addresses and source IPv6 addresses are specified (any in Step 3), the system will not check packets' destination IPv6 addresses and source IPv6 addresses.

    • When you specify the time-range parameter to reference a time range in the ACL, and the specified time-name does not exist, the ACL cannot be bound to the specified time range.

  4. (Optional) Run:

    rule rule-id description description

    The description of an advanced ACL6 rule is configured.

    By default, no description is configured for an ACL rule.

    You are not allowed to configure the description for a rule that has not been created.

  5. Run:

    commit

    The configuration is committed.
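To show how the first-match rule in the note above plays out across the rule forms in Step 3, an added example that is not the switch's own code models an advanced ACL6 in Python: rule-id assignment by step, prefix matching via the standard ipaddress module, and the eq/gt/lt/neq/range port operators. The "any" protocol keyword, the auto-ID formula and the (None, None) result for an unmatched packet are this model's own assumptions.

```python
import ipaddress

# Constructed model of an advanced ACL6 (added example, not the switch's code).
# Rules are tried in ascending rule-id order and the first match decides, as
# the note above states; an unmatched packet falls through to (None, None).

def port_matches(cond, port):
    """Evaluate the eq/gt/lt/neq/range port operators from the rule syntax."""
    if cond is None:                       # no port clause in the rule
        return True
    if port is None:                       # rule wants a port, packet has none
        return False
    op, *args = cond
    if op == "range":
        return args[0] <= port <= args[1]
    return {"eq": port == args[0], "gt": port > args[0],
            "lt": port < args[0], "neq": port != args[0]}[op]

class AdvancedAcl6:
    def __init__(self, step=5):
        self.step = step                   # default step between rule IDs is 5
        self.rules = []                    # (rule_id, action, protocol, src, dst, dport)

    def rule(self, action, protocol, rule_id=None, source=None,
             destination=None, destination_port=None):
        """Mimic 'rule [ rule-id ] { deny | permit } protocol ...'.
        Assumption: with no rule-id, the next multiple of step above the
        largest existing ID is used (so the first rule gets ID 5).
        """
        if rule_id is None:
            top = max((r[0] for r in self.rules), default=0)
            rule_id = (top // self.step + 1) * self.step
        src = ipaddress.IPv6Network(source, strict=False) if source else None  # None == any
        dst = ipaddress.IPv6Network(destination, strict=False) if destination else None
        self.rules.append((rule_id, action, protocol, src, dst, destination_port))
        self.rules.sort(key=lambda r: r[0])
        return rule_id

    def match(self, protocol, src, dst, dst_port=None):
        """Return (action, rule_id) of the first matching rule, or (None, None)."""
        s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
        for rule_id, action, proto, r_src, r_dst, r_port in self.rules:
            if (proto in ("any", protocol)
                    and (r_src is None or s in r_src)
                    and (r_dst is None or d in r_dst)
                    and port_matches(r_port, dst_port)):
                return action, rule_id
        return None, None
```

Ordering is the whole point: a broad deny placed at a lower ID than a specific permit shadows it, so check the IDs with display acl ipv6 before relying on the rule set.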

Applying the ACL to the Switch Module

Context

An ACL is a set of rules that classifies packets and determines whether each packet is permitted or denied. The device then processes the permitted packets and discards the denied packets.

Procedure

  • Apply the ACL.

    ACLs can be applied to many features. For example, to process different types of traffic, you can use basic ACLs, basic ACL6s, advanced ACLs, advanced ACL6s, Layer 2 ACLs, or user-defined ACLs to perform traffic policing or traffic classification on the traffic that matches the ACL rules.

    NOTE:
    • ACLs can be applied to different services, and devices running these services process the classified packets according to service requirements. For details about the services that reference ACLs, see the configuration guide.

Checking the Configuration

Procedure

  • Run the display acl ipv6 { acl6-number | name acl6-name | all } command to view the configuration about a specific ACL6 or all ACL6s.
  • Run the display time-range { all | time-name } command to display information about the time range.
Updated: 2019-08-09

Document ID: EDOC1000041694
