Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Configuring ACL

This section describes the procedures for configuring ACL.

Configuring a Basic ACL

A basic ACL classifies IPv4 packets based on information such as source IP addresses.

(Optional) Configuring the Validity Time Range of a Rule

Context

Some services or functions are restricted to a specified period of time; for example, Quality of Service (QoS) may be enabled only during peak hours. You can create a time range and reference it in an ACL applied to such a service or function so that the ACL takes effect only within that time range. The service or function that references the ACL is then also active only within the specified time range.

Deleting a time range that ACLs reference may invalidate those ACLs. Therefore, delete time ranges with caution.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    time-range time-name { start-time to end-time { days } &<1-7> | from time1 date1 [ to time2 date2 ] }

    A time range is created.

    To configure multiple time ranges with the same name on the AP, run the preceding command with the same value of time-name repeatedly.

    NOTE:
    If multiple time ranges are configured using the same time-name value, the system takes the union of the periodic time ranges and the union of the absolute time ranges, and then takes the intersection of the two unions as the final time range. For example, suppose the name test is used to configure the following time ranges:
    • Time range 1: 01.01.2010 00:00 to 31.12.2010 23:59 (absolute time range)
    • Time range 2: 8:00 to 18:00 from Monday to Friday (periodic time range)
    • Time range 3: 14:00 to 18:00 on Saturday and Sunday (periodic time range)
    The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in 2010.

    You are advised to configure the Network Time Protocol (NTP) to ensure that devices on the network use the same system time. For the NTP configuration, see Configuring Basic NTP Functions.
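As an added worked example (not code from the guide), the following Python script models the union-then-intersection rule stated in the note above and reproduces the `test` time range. The class and function names are the example's own, and it assumes that a name with no entries of one kind (periodic or absolute) imposes no restriction of that kind.

```python
from datetime import datetime, time

# Constructed model (not the device's own implementation) of how the guide
# says entries sharing one time-name combine: the periodic entries are
# unioned, the absolute entries are unioned, and the final range is the
# intersection of the two unions. Assumption: a name with no entries of one
# kind imposes no restriction of that kind.

DAY_INDEX = {"monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
             "friday": 4, "saturday": 5, "sunday": 6}


class TimeRange:
    """All `time-range NAME ...` entries configured under one name."""

    def __init__(self, name: str):
        self.name = name
        self.periodic = []   # (start_time, end_time, set_of_weekday_indexes)
        self.absolute = []   # (start_datetime, end_datetime)

    def add_periodic(self, start: time, end: time, days):
        """Models `time-range NAME start-time to end-time days`, with days
        given as weekday names."""
        if end <= start:
            raise ValueError("end-time must be later than start-time")
        self.periodic.append((start, end, {DAY_INDEX[d.lower()] for d in days}))

    def add_absolute(self, start: datetime, end: datetime):
        """Models `time-range NAME from time1 date1 to time2 date2`."""
        if end <= start:
            raise ValueError("the absolute range must end after it starts")
        self.absolute.append((start, end))

    def active(self, at: datetime) -> bool:
        """True when `at` falls in the combined range, i.e. when a rule that
        references this time-name is in effect."""
        in_periodic = not self.periodic or any(
            at.weekday() in days and start <= at.time() <= end
            for start, end, days in self.periodic)
        in_absolute = not self.absolute or any(
            start <= at <= end for start, end in self.absolute)
        return in_periodic and in_absolute


def build_guide_example() -> TimeRange:
    """The three entries the guide configures under the name `test`."""
    tr = TimeRange("test")
    tr.add_absolute(datetime(2010, 1, 1, 0, 0), datetime(2010, 12, 31, 23, 59))
    tr.add_periodic(time(8, 0), time(18, 0),
                    ["monday", "tuesday", "wednesday", "thursday", "friday"])
    tr.add_periodic(time(14, 0), time(18, 0), ["saturday", "sunday"])
    return tr


if __name__ == "__main__":
    tr = build_guide_example()
    for when in (datetime(2010, 3, 1, 9, 0),    # Monday, working hours
                 datetime(2010, 3, 6, 9, 0),    # Saturday morning
                 datetime(2010, 3, 6, 15, 0),   # Saturday afternoon
                 datetime(2011, 3, 7, 9, 0)):   # Monday, but outside 2010
        print(when, "active" if tr.active(when) else "inactive")
```

The last case shows why the NTP advice matters: a wrong system clock silently moves a rule in or out of its window.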

Creating a Basic ACL

Context

Basic ACLs classify IPv4 packets based on the source IP address and fragment flag in the packet, and on time ranges.

Before configuring a basic ACL, you need to create a basic ACL.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    acl [ number ] acl-number [ match-order { auto | config } ]

    A numbered basic ACL is created and the basic ACL view is displayed.

    Or run:
    acl name acl-name { basic | acl-number } [ match-order { auto | config } ]

    A named basic ACL is created and the basic ACL view is displayed.

    acl-number specifies the number of a basic ACL. The value ranges from 2000 to 2999.

    By default, no ACL is created.

  3. (Optional) Run:

    step step

    The ACL step is configured.

    By default, the step between ACL rule IDs is 5.

  4. (Optional) Run:

    description text

    The ACL description is configured.

    By default, no description is configured for an ACL.

Configuring a Basic ACL Rule

Context

A basic ACL classifies packets by matching packet information with its rules. After a basic ACL is created, configure rules in the basic ACL.

Adding new rules to an ACL will not affect the existing rules. If the new rule conflicts with an existing rule, the new rule takes effect. To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result may be incorrect. If different rules are ANDed or ORed, configure a correct matching order to prevent incorrect configurations.

NOTE:

When the device receives a packet, it matches the packet with ACL rules one by one based on the matching order. Once the packet matches a rule, the device stops the matching process and performs the action specified in the matching rule on the packet.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    acl [ number ] acl-number [ match-order { auto | config } ]

    A numbered basic ACL is created and the basic ACL view is displayed.

    Or run:
    acl name acl-name { basic | acl-number } [ match-order { auto | config } ]

    A named basic ACL is created and the basic ACL view is displayed.

    acl-number specifies the number of a basic ACL. The value ranges from 2000 to 2999.

    By default, no ACL is created.

  3. Run:

    rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | fragment | time-range time-name ] *

    A basic ACL rule is configured. To configure multiple rules, repeat this step.

    NOTE:

    After the first rule is configured in an ACL, the device uses the step value as the ID of this rule if the rule-id parameter is not specified. If rule-id is not specified for a later rule, the device assigns the next multiple of the step that is greater than the largest existing rule ID. For example, if an ACL includes rule 5 and rule 7, and the step is 5, the system assigns 10 to a new rule configured without rule-id.

    When you specify the time-range parameter to reference a time range in the ACL, if the specified time-name does not exist, the ACL does not take effect.

  4. (Optional) Run:

    rule rule-id description description

    The description of a basic ACL rule is configured.

    A description can be configured only for an existing rule, identified by its rule ID. You cannot configure a description for a rule that has not been created.

Applying the ACL to the AP

Context

An ACL is a set of rules that differentiate packets and determine whether each packet is permitted or denied. The device then processes the permitted packets and discards the denied packets.

Procedure

  • Apply the ACL.

    ACLs can be applied to many features. For example, to process different types of traffic, you can use basic, advanced, or Layer 2 ACLs to perform traffic policing or traffic classification on the traffic that matches the ACL rules.

    NOTE:

    ACLs can be applied to different services, and the devices running these services process the classified packets according to service requirements. For details about the services that reference ACLs, see the configuration guide.

Checking the Configuration

Procedure

  • Run the display acl { acl-number | name acl-name | all } command to view the configuration about a specific ACL or all ACLs.
  • Run the display time-range { all | time-name } command to view information about the time range.

Configuring an Advanced ACL

Advanced ACLs classify IPv4 packets based on information such as source and destination IP addresses, source and destination port numbers, packet priorities, and time ranges.

(Optional) Configuring the Validity Time Range of a Rule

Context

Some services or functions are restricted to a specified period of time; for example, Quality of Service (QoS) may be enabled only during peak hours. You can create a time range and reference it in an ACL applied to such a service or function so that the ACL takes effect only within that time range. The service or function that references the ACL is then also active only within the specified time range.

Deleting a time range that ACLs reference may invalidate those ACLs. Therefore, delete time ranges with caution.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    time-range time-name { start-time to end-time { days } &<1-7> | from time1 date1 [ to time2 date2 ] }

    A time range is created.

    To configure multiple time ranges with the same name on the AP, run the preceding command with the same value of time-name repeatedly.

    NOTE:
    If multiple time ranges are configured using the same time-name value, the system takes the union of the periodic time ranges and the union of the absolute time ranges, and then takes the intersection of the two unions as the final time range. For example, suppose the name test is used to configure the following time ranges:
    • Time range 1: 01.01.2010 00:00 to 31.12.2010 23:59 (absolute time range)
    • Time range 2: 8:00 to 18:00 from Monday to Friday (periodic time range)
    • Time range 3: 14:00 to 18:00 on Saturday and Sunday (periodic time range)
    The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in 2010.

    You are advised to configure the Network Time Protocol (NTP) to ensure that devices on the network use the same system time. For the NTP configuration, see Configuring Basic NTP Functions.

Creating an Advanced ACL

Context

Advanced ACLs classify IPv4 packets based on the source IP address, destination IP address, IP precedence, Type of Service (ToS), DiffServ Code Point (DSCP) priority, IP protocol type, Internet Control Message Protocol (ICMP) type, TCP source/destination port number, and User Datagram Protocol (UDP) source/destination port.

Before configuring an advanced ACL, you need to create an advanced ACL.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    acl [ number ] acl-number [ match-order { auto | config } ]

    A numbered advanced ACL is created and the advanced ACL view is displayed.

    Or run:
    acl name acl-name { advance | acl-number } [ match-order { auto | config } ]

    A named advanced ACL is created and the advanced ACL view is displayed.

    acl-number specifies the number of an advanced ACL. The value ranges from 3000 to 3999.

    By default, no ACL is created.

  3. (Optional) Run:

    step step

    The ACL step is configured.

    By default, the step between ACL rule IDs is 5.

  4. (Optional) Run:

    description text

    The ACL description is configured.

    By default, no description is configured for an ACL.

Configuring an Advanced ACL Rule

Context

An advanced ACL classifies packets by matching packet information with its rules. After an advanced ACL is created, configure rules in the advanced ACL.

Adding new rules to an ACL will not affect the existing rules. If the new rule conflicts with an existing rule, the new rule takes effect. To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result may be incorrect. If different rules are ANDed or ORed, configure a correct matching order to prevent incorrect configurations.

NOTE:

When the device receives a packet, it matches the packet with ACL rules one by one based on the matching order. Once the packet matches a rule, the device stops the matching process and performs the action specified in the matching rule on the packet.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    acl [ number ] acl-number [ match-order { auto | config } ]

    A numbered advanced ACL is created and the advanced ACL view is displayed.

    Or run:
    acl name acl-name { advance | acl-number } [ match-order { auto | config } ]

    A named advanced ACL is created and the advanced ACL view is displayed.

    acl-number specifies the number of an advanced ACL. The value ranges from 3000 to 3999.

    By default, no ACL is created.

  3. Configure an advanced ACL rule based on the IP protocol version or the protocol type over IP.

    • Configure an advanced ACL rule based on the IP protocol version. When IPv4 is used, run:

      rule [ rule-id ] { deny | permit } ip [ destination { destination-address destination-wildcard | any } | source { source-address source-wildcard | any } | time-range time-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | fragment ] *

    • Configure an advanced ACL rule based on the protocol type over IP.

      • When the ICMP protocol is used, run:

        rule [ rule-id ] { deny | permit } { protocol-number | icmp } [ destination { destination-address destination-wildcard | any } | icmp-type { icmp-name | icmp-type icmp-code } | source { source-address source-wildcard | any } | time-range time-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | fragment ] *

      • When the TCP protocol is used, run:

        rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | fin | psh | rst | syn | urg } * | time-range time-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | fragment ] *

      • When the UDP protocol is used, run:

        rule [ rule-id ] { deny | permit } { protocol-number | udp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | fragment ] *

      • When the protocol is a protocol other than TCP, UDP, or ICMP, run:

        rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | source { source-address source-wildcard | any } | time-range time-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | fragment ] *

    To configure multiple rules, repeat this step.

    NOTE:

    To configure both the precedence precedence and tos tos parameters, set the two parameters consecutively in the command.

    The dscp dscp and precedence precedence parameters cannot be set simultaneously for the same rule.

    The dscp dscp and tos tos parameters cannot be set simultaneously for the same rule.

    After the first rule is configured in an ACL, the device uses the step value as the ID of this rule if the rule-id parameter is not specified. If rule-id is not specified for a later rule, the device assigns the next multiple of the step that is greater than the largest existing rule ID. For example, if an ACL includes rule 5 and rule 7, and the step is 5, the system assigns 10 to a new rule configured without rule-id.

    When you specify the time-range parameter to reference a time range in the ACL, if the specified time-name does not exist, the ACL does not take effect.

  4. (Optional) Run:

    rule rule-id description description

    The description of an advanced ACL rule is configured.
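The rule-ID numbering, wildcard-mask matching and first-match semantics described in the basic and advanced ACL rule procedures above, as an added Python model that is not the device's own code. `Acl`, `Rule` and `wildcard_match` are the example's own names; it models only match-order config (rules tried in ascending rule-ID order), and the addresses and rules are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model (not the device's own implementation) of the rule
# semantics the guide describes for basic (2000-2999) and advanced
# (3000-3999) ACLs: wildcard-mask address matching, automatic rule-ID
# numbering from the step, and first-match evaluation in rule-ID order
# (match-order config). match-order auto is not modelled.

PORT_OPS = {"eq": lambda p, a: p == a,
            "gt": lambda p, a: p > a,
            "lt": lambda p, a: p < a}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei-style wildcard: a 0 bit must match, a 1 bit is ignored,
    so 0.0.0.0 means one host and 0.0.0.255 means a /24."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Rule:
    rule_id: int
    action: str                                   # "permit" or "deny"
    protocol: str = "ip"                          # "ip", "tcp", "udp", "icmp", ...
    source: Optional[Tuple[str, str]] = None      # (address, wildcard); None = any
    destination: Optional[Tuple[str, str]] = None
    dest_port: Optional[tuple] = None             # ("eq", 22) or ("range", 1024, 65535)

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ip" and pkt["proto"] != self.protocol:
            return False
        if self.source and not wildcard_match(pkt["src"], *self.source):
            return False
        if self.destination and not wildcard_match(pkt["dst"], *self.destination):
            return False
        if self.dest_port:
            op, *args = self.dest_port
            if op == "range":
                return args[0] <= pkt["dport"] <= args[1]
            return PORT_OPS[op](pkt["dport"], args[0])
        return True


class Acl:
    def __init__(self, number: int, step: int = 5):
        if not 2000 <= number <= 3999:
            raise ValueError("basic ACLs use 2000-2999, advanced ACLs 3000-3999")
        self.number, self.step, self.rules = number, step, {}

    @property
    def is_basic(self) -> bool:
        return self.number < 3000

    def next_rule_id(self) -> int:
        """First rule gets the step; later rules get the next multiple of the
        step above the largest existing ID (rules 5 and 7, step 5 -> 10)."""
        if not self.rules:
            return self.step
        return (max(self.rules) // self.step + 1) * self.step

    def add_rule(self, action: str, rule_id: Optional[int] = None, **match) -> int:
        if self.is_basic and any(k in match for k in ("protocol", "destination", "dest_port")):
            raise ValueError("a basic ACL matches on the source address only")
        if rule_id is None:
            rule_id = self.next_rule_id()
        # The guide says a conflicting new rule takes effect; a rule configured
        # with an existing ID is therefore modelled as replacing the old one.
        self.rules[rule_id] = Rule(rule_id, action, **match)
        return rule_id

    def evaluate(self, pkt: dict):
        """First match wins: return (action, rule_id), or (None, None) when no
        rule matches, which the referencing service decides how to treat."""
        for rule_id in sorted(self.rules):
            if self.rules[rule_id].matches(pkt):
                return self.rules[rule_id].action, rule_id
        return None, None


def build_example_acl() -> Acl:
    """Constructed advanced ACL: allow SSH from the management subnet to one
    server, deny everything else from that subnet, permit the server LAN."""
    acl = Acl(3000)
    acl.add_rule("permit", protocol="tcp", source=("192.168.10.0", "0.0.0.255"),
                 destination=("10.0.0.1", "0.0.0.0"), dest_port=("eq", 22))   # rule 5
    acl.add_rule("deny", rule_id=7, source=("192.168.10.0", "0.0.0.255"))     # rule 7
    acl.add_rule("permit", source=("10.0.0.0", "0.0.0.255"))                   # rule 10
    return acl


if __name__ == "__main__":
    acl = build_example_acl()
    for pkt in ({"src": "192.168.10.5", "dst": "10.0.0.1", "proto": "tcp", "dport": 22},
                {"src": "192.168.10.5", "dst": "10.0.0.1", "proto": "tcp", "dport": 80},
                {"src": "10.0.0.9", "dst": "8.8.8.8", "proto": "udp", "dport": 53}):
        print(pkt["src"], "->", pkt["dst"], acl.evaluate(pkt))
```

Because evaluation stops at the first match, the order in which IDs are assigned decides the outcome; this is why the guide tells you to delete and re-create a rule rather than expect a later conflicting rule to be reordered.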

Applying the ACL to the AP

Context

An ACL is a set of rules that differentiate packets and determine whether each packet is permitted or denied. The device then processes the permitted packets and discards the denied packets.

Procedure

  • Apply the ACL.

    ACLs can be applied to many features. For example, to process different types of traffic, you can use basic, advanced, or Layer 2 ACLs to perform traffic policing or traffic classification on the traffic that matches the ACL rules.

    NOTE:

    ACLs can be applied to different services, and the devices running these services process the classified packets according to service requirements. For details about the services that reference ACLs, see the configuration guide.

Checking the Configuration

Procedure

  • Run the display acl { acl-number | name acl-name | all } command to view the configuration about a specific ACL or all ACLs.
  • Run the display time-range { all | time-name } command to view information about the time range.

Configuring a Layer 2 ACL

A Layer 2 ACL classifies data packets according to the link layer information, including the source MAC address, VLAN ID, Layer 2 protocol type, and destination MAC address.

(Optional) Configuring the Validity Time Range of a Rule

Context

Some services or functions are restricted to a specified period of time; for example, Quality of Service (QoS) may be enabled only during peak hours. You can create a time range and reference it in an ACL applied to such a service or function so that the ACL takes effect only within that time range. The service or function that references the ACL is then also active only within the specified time range.

Deleting a time range that ACLs reference may invalidate those ACLs. Therefore, delete time ranges with caution.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    time-range time-name { start-time to end-time { days } &<1-7> | from time1 date1 [ to time2 date2 ] }

    A time range is created.

    To configure multiple time ranges with the same name on the AP, run the preceding command with the same value of time-name repeatedly.

    NOTE:
    If multiple time ranges are configured using the same time-name value, the system takes the union of the periodic time ranges and the union of the absolute time ranges, and then takes the intersection of the two unions as the final time range. For example, suppose the name test is used to configure the following time ranges:
    • Time range 1: 01.01.2010 00:00 to 31.12.2010 23:59 (absolute time range)
    • Time range 2: 8:00 to 18:00 from Monday to Friday (periodic time range)
    • Time range 3: 14:00 to 18:00 on Saturday and Sunday (periodic time range)
    The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in 2010.

    You are advised to configure the Network Time Protocol (NTP) to ensure that devices on the network use the same system time. For the NTP configuration, see Configuring Basic NTP Functions.

Creating a Layer 2 ACL

Context

A Layer 2 ACL classifies packets based on the source MAC address, destination MAC address, and Layer 2 protocol type in the packet.

Before configuring a Layer 2 ACL, you need to create a Layer 2 ACL.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    acl [ number ] acl-number [ match-order { auto | config } ]

    A numbered Layer 2 ACL is created and the Layer 2 ACL view is displayed.

    Or run:

    acl name acl-name { link | acl-number } [ match-order { auto | config } ]

    A named Layer 2 ACL is created and the Layer 2 ACL view is displayed.

    acl-number specifies the number of a Layer 2 ACL. The value ranges from 4000 to 4999.

    By default, no ACL is created.

  3. (Optional) Run:

    step step

    The ACL step is configured.

    By default, the step between ACL rule IDs is 5.

  4. (Optional) Run:

    description text

    The ACL description is configured.

    By default, no description is configured for an ACL.

Configuring a Layer 2 ACL Rule

Context

ACLs classify packets by matching packet information with its rules. After an ACL is created, configure rules in the ACL.

Adding new rules to an ACL will not affect the existing rules. If the new rule conflicts with an existing rule, the new rule takes effect. To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result may be incorrect. If different rules are ANDed or ORed, configure a correct matching order to prevent incorrect configurations.

NOTE:

When the device receives a packet, it matches the packet with ACL rules one by one based on the matching order. Once the packet matches a rule, the device stops the matching process and performs the action specified in the matching rule on the packet.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    acl [ number ] acl-number [ match-order { auto | config } ]

    A numbered Layer 2 ACL is created and the Layer 2 ACL view is displayed.

    Or run:

    acl name acl-name { link | acl-number } [ match-order { auto | config } ]

    A named Layer 2 ACL is created and the Layer 2 ACL view is displayed.

    acl-number specifies the number of a Layer 2 ACL. The value ranges from 4000 to 4999.

    By default, no ACL is created.

  3. Run:

    rule [ rule-id ] { permit | deny } [ l2-protocol type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value | time-range time-name ] *

    A Layer 2 ACL rule is configured.

    To configure multiple rules, repeat this step.

    NOTE:

    After the first rule is configured in an ACL, the device uses the step value as the ID of this rule if the rule-id parameter is not specified. If rule-id is not specified for a later rule, the device assigns the next multiple of the step that is greater than the largest existing rule ID. For example, if an ACL includes rule 5 and rule 7, and the step is 5, the system assigns 10 to a new rule configured without rule-id.

    When you specify the time-range parameter to reference a time range in the ACL, if the specified time-name does not exist, the ACL does not take effect.

  4. (Optional) Run:

    rule rule-id description description

    The description of a Layer 2 ACL rule is configured.

    A description can be configured only for an existing rule, identified by its rule ID. You cannot configure a description for a rule that has not been created.

Applying the ACL to the AP

Context

An ACL is a set of rules that differentiate packets and determine whether each packet is permitted or denied. The device then processes the permitted packets and discards the denied packets.

Procedure

  • Apply the ACL.

    ACLs can be applied to many features. For example, to process different types of traffic, you can use basic, advanced, or Layer 2 ACLs to perform traffic policing or traffic classification on the traffic that matches the ACL rules.

    NOTE:

    ACLs can be applied to different services, and the devices running these services process the classified packets according to service requirements. For details about the services that reference ACLs, see the configuration guide.

Checking the Configuration

Procedure

  • Run the display acl { acl-number | name acl-name | all } command to view the configuration about a specific ACL or all ACLs.
  • Run the display time-range { all | time-name } command to view information about the time range.

Configuring a User ACL

User ACLs classify IPv4 packets based on information such as source and destination IP addresses or user groups, source and destination port numbers, packet priorities, and time ranges.

(Optional) Configuring the Validity Time Range of a Rule

Context

Some services or functions are restricted to a specified period of time; for example, Quality of Service (QoS) may be enabled only during peak hours. You can create a time range and reference it in an ACL applied to such a service or function so that the ACL takes effect only within that time range. The service or function that references the ACL is then also active only within the specified time range.

Deleting a time range that ACLs reference may invalidate those ACLs. Therefore, delete time ranges with caution.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    time-range time-name { start-time to end-time { days } &<1-7> | from time1 date1 [ to time2 date2 ] }

    A time range is created.

    To configure multiple time ranges with the same name on the AP, run the preceding command with the same value of time-name repeatedly.

    NOTE:
    If multiple time ranges are configured using the same time-name value, the system takes the union of the periodic time ranges and the union of the absolute time ranges, and then takes the intersection of the two unions as the final time range. For example, suppose the name test is used to configure the following time ranges:
    • Time range 1: 01.01.2010 00:00 to 31.12.2010 23:59 (absolute time range)
    • Time range 2: 8:00 to 18:00 from Monday to Friday (periodic time range)
    • Time range 3: 14:00 to 18:00 on Saturday and Sunday (periodic time range)
    The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in 2010.

    You are advised to configure the Network Time Protocol (NTP) to ensure that devices on the network use the same system time. For the NTP configuration, see Configuring Basic NTP Functions.

(Optional) Configuring a Global Domain Name

Context

ACLs can be configured to control network access rights of users. If an administrator needs to control user access to a certain domain name, the administrator can search for the IP address matching the domain name and control rights of users for access to the IP address. If a domain name matches multiple IP addresses, the maintenance workload of the administrator will be heavy. In this case, you can configure a global domain name and control access rights through the global name in ACLs.

You can only configure global domain names for ACLs 6000 to 6031.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    passthrough-domain name domain-name id domain-id

    A global domain name is configured.

    By default, no global domain name is configured.

    Configured domain names cannot contain one another.

Creating a User ACL

Context

User ACLs classify IPv4 packets based on the source IP address or user group, destination IP address or user group, IP precedence, Type of Service (ToS), DiffServ Code Point (DSCP) priority, IP protocol type, Internet Control Message Protocol (ICMP) type, TCP source/destination port number, and User Datagram Protocol (UDP) source/destination port.

Before configuring a user ACL, you need to create a user ACL. acl-number specifies the number of a user ACL. The value ranges from 6000 to 6999.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    acl [ number ] acl-number [ match-order { auto | config } ]

    A numbered user ACL is created and the user ACL view is displayed.

    Or run:
    acl name acl-name { ucl | acl-number } [ match-order { auto | config } ]

    A named user ACL is created and the user ACL view is displayed.

    acl-number specifies the number of a user ACL. The value ranges from 6000 to 6999.

    By default, no ACL is created.

  3. (Optional) Run:

    step step

    The ACL step is configured.

  4. (Optional) Run:

    description text

    The ACL description is configured.

Configuring a User ACL Rule

Context

A user ACL classifies packets by matching packet information with its rules. After a user ACL is created, configure rules in the user ACL.

Adding new rules to an ACL will not affect the existing rules. If the new rule conflicts with an existing rule, the new rule takes effect. To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result may be incorrect. If different rules are ANDed or ORed, configure a correct matching order to prevent incorrect configurations.

NOTE:

When the device receives a packet, it matches the packet with ACL rules one by one based on the matching order. Once the packet matches a rule, the device stops the matching process and performs the action specified in the matching rule on the packet.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    acl [ number ] acl-number [ match-order { auto | config } ]

    A numbered user ACL is created and the user ACL view is displayed.

    Or run:
    acl name acl-name { ucl | acl-number } [ match-order { auto | config } ]

    A named user ACL is created and the user ACL view is displayed.

    acl-number specifies the number of a user ACL. The value ranges from 6000 to 6999.

    By default, no ACL is created.

  3. Configure a user ACL rule based on the IP protocol version or the protocol type over IP.

    • Configure a user ACL rule based on the IP protocol version. When IPv4 is used, run:

      rule [ rule-id ] { deny | permit } ip [ destination { { destination-address destination-wildcard | any } | user-group { name destination-group-name | any } | passthrough-domain domain-name } | source { { source-address source-wildcard | any } | user-group { name source-group-name | any } } | time-range time-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | fragment ] *

    • Configure a user ACL rule based on the protocol type over IP.

      • When the ICMP protocol is used, run:

        rule [ rule-id ] { deny | permit } { protocol-number | icmp } [ destination { { destination-address destination-wildcard | any } | user-group { name destination-group-name | any } | passthrough-domain domain-name } | icmp-type { icmp-name | icmp-type icmp-code } | source { { source-address source-wildcard | any } | user-group { name source-group-name | any } } | time-range time-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | fragment ] *

      • When the TCP protocol is used, run:

        rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ destination { { destination-address destination-wildcard | any } | user-group { name destination-group-name | any } | passthrough-domain domain-name } | destination-port { eq port | gt port | lt port | range port-start port-end } | source { { source-address source-wildcard | any } | user-group { name source-group-name | any } } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | fin | psh | rst | syn | urg } * | time-range time-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | fragment ] *

      • When the UDP protocol is used, run:

        rule [ rule-id ] { deny | permit } { protocol-number | udp } [ destination { { destination-address destination-wildcard | any } | user-group { name destination-group-name | any } | passthrough-domain domain-name } | destination-port { eq port | gt port | lt port | range port-start port-end } | source { { source-address source-wildcard | any } | user-group { name source-group-name | any } } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | fragment ] *

      • When the protocol is a protocol other than TCP, UDP, or ICMP, run:

        rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ipinip | ospf } [ destination { { destination-address destination-wildcard | any } | user-group { name destination-group-name | any } | passthrough-domain domain-name } | source { { source-address source-wildcard | any } | user-group { name source-group-name | any } } | time-range time-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | fragment ] *

    To configure multiple rules, repeat this step.

    NOTE:

    To configure both the precedence precedence and tos tos parameters, set the two parameters consecutively in the command.

    The dscp dscp and precedence precedence parameters cannot be set simultaneously for the same rule.

    The dscp dscp and tos tos parameters cannot be set simultaneously for the same rule.

    You can specify passthrough-domain domain-name in the command only when the action is set to permit.

    After the first rule is configured in an ACL, the device uses the step value as the ID of this rule if the rule-id parameter is not specified. If rule-id is not specified for a later rule, the device assigns the next multiple of the step that is greater than the largest existing rule ID. For example, if an ACL includes rule 5 and rule 7, and the step is 5, the system assigns 10 to a new rule configured without rule-id.

    When you specify the time-range parameter to reference a time range in the ACL, if the specified time-name does not exist, the ACL does not take effect.

    If the user group information is specified in the rule, you cannot run the acl-id (user group view) command to bind the user group to the ACL. If the user group has been bound to the ACL, the user group information cannot be specified in the rules of user ACLs.

  4. (Optional) Run:

    rule rule-id description description

    The description of a user ACL rule is configured.

Applying the ACL to the AP

Context

An ACL is a set of rules that differentiate packets and determine whether each packet is permitted or denied. The device then processes the permitted packets and discards the denied packets.

Procedure

  • Apply the ACL.

    ACLs can be applied to many features. For example, to process different types of traffic, you can use basic, advanced, or Layer 2 ACLs to perform traffic policing or traffic classification on the traffic that matches the ACL rules.

    NOTE:

    ACLs can be applied to different services, and the devices running these services process the classified packets according to service requirements. For details about the services that reference ACLs, see the configuration guide.

Checking the Configuration

Procedure

  • Run the display acl { acl-number | name acl-name | all } command to view the configuration about a specific ACL or all ACLs.
  • Run the display time-range { all | time-name } command to view information about the time range.

Updated: 2019-01-11

Document ID: EDOC1000176006