Configuration Guide - Security

S1720, S2700, S5700, and S6720 V200R011C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, MPAC, separating the management plane from the service plane, security risks, PKI.
ACL Configuration Guidelines

When configuring ACL rules, follow these guidelines:

  1. The rules in an ACL may overlap. If a packet matches a rule with loose conditions, the later ACL rules are not processed, so the packet never reaches a rule with stricter conditions. Therefore, the rules with strict conditions must be arranged in the front lines and those with loose conditions must be arranged towards the end.

  2. The ACL configuration guidelines vary according to the default ACL actions taken by the service modules (for details, see Default ACL Actions and Mechanisms of Different Service Modules). For example, if a service module with the default action of permit must deny the packets from some IP addresses, deny rules only for these IP addresses need to be configured; a permit rule for any IP address is not required. The converse is true for a service module whose default action is deny. Table 2-14 describes the ACL configuration guidelines.

    NOTE:

    The following rules are for reference. Adhere to the command line syntax when configuring ACL rules.

    • rule permit xxx/rule permit xxxx: allows the specified packets to pass. xxx/xxxx indicates packet attributes, such as source IP address, source MAC address, and time range. The range xxxx includes the range xxx. For example, if xxx is an IP address, xxxx is the network segment where the IP address resides or any (any IP address); if xxx is a time range on Saturday, xxxx is all day long on weekends or from Monday to Sunday.

    • rule deny xxx/rule deny xxxx: blocks the specified packets.

    • rule permit: allows all packets to pass.

    • rule deny: blocks all packets.

    Table 2-14  ACL configuration guidelines

    Default ACL action: permit

    • Permit all packets: No ACL is required.
    • Deny all packets: Configure rule deny.
    • Permit a few packets and deny most packets: Configure rule permit xxx first, and then rule deny xxxx or rule deny.
      NOTE: This guideline applies to packet filtering. When the ACL is applied to traffic policing or traffic statistics collection in a traffic policy, configure only rule permit xxx if you need to police the rate of, or collect statistics on, the specified packets.
    • Deny a few packets and permit most packets: Only rule deny xxx is required; rule permit xxxx or rule permit is not required.
      NOTE: If rule permit is configured and the ACL is applied to a traffic policy whose behavior is deny, all packets are rejected and all services are interrupted.

    Default ACL action: deny

    • Permit all packets: Routing and multicast modules: configure rule permit. Other modules: no ACL is required.
    • Deny all packets: Routing and multicast modules: no ACL is required. Other modules: configure rule deny.
    • Permit a few packets and deny most packets: Only rule permit xxx is required; rule deny xxxx or rule deny is not required.
    • Deny a few packets and permit most packets: Configure rule deny xxx first, and then rule permit xxxx or rule permit.

    Example:

    • Example 1: Apply an ACL to a traffic policy to filter packets from network segment 192.168.1.0/24. Reject the packets from hosts 192.168.1.2 and 192.168.1.3, and allow the packets from other hosts on network segment 192.168.1.0/24 to pass.

      The default ACL action of the traffic policy module is permit, and a few packets are denied and most packets are permitted. Therefore, you only need to configure rule deny xxx.

      #
      acl number 2000
       rule 5 deny source 192.168.1.2 0
       rule 10 deny source 192.168.1.3 0
      #
    • Example 2: Apply an ACL to a traffic policy to filter packets from network segment 192.168.1.0/24. Allow the packets from hosts 192.168.1.2 and 192.168.1.3 to pass, and reject the packets from other hosts on network segment 192.168.1.0/24.

      The default ACL action of the traffic policy module is permit, and a few packets are permitted and most packets are denied. Therefore, you need to configure rule permit xxx first, and then rule deny xxxx.

      #
      acl number 2000
       rule 5 permit source 192.168.1.2 0
       rule 10 permit source 192.168.1.3 0
       rule 15 deny source 192.168.1.0 0.0.0.255
      #
    • Example 3: Apply an ACL to Telnet, to allow only the administrator's host (172.16.105.2) to Telnet to the device and reject other users.

      The default ACL action of the Telnet module is deny, and a few packets are permitted and most packets are denied. Therefore, you only need to configure rule permit xxx.

      #
      acl number 2000
       rule 5 permit source 172.16.105.2 0
      #
      
    • Example 4: Apply an ACL to Telnet, to prevent two hosts (172.16.105.3 and 172.16.105.4) from Telnetting to the device and allow other user hosts to Telnet to the device.

      The default ACL action of the Telnet module is deny, and a few packets are denied and most packets are permitted. Therefore, you need to configure rule deny xxx first, and then rule permit.

      #
      acl number 2000
       rule 5 deny source 172.16.105.3 0
       rule 10 deny source 172.16.105.4 0
       rule 15 permit
      #
      
    • Example 5: Apply an ACL to FTP to prevent users from accessing the FTP server from 00:00-08:00 every Saturday.

      The default ACL action of the FTP module is deny, and a few packets are denied and most packets are permitted. Therefore, you need to configure rule deny xxx first, and then rule permit xxxx.

      #
      time-range t1 00:00 to 08:00 Sat
      time-range t2 00:00 to 23:59 daily
      # 
      acl number 2000  
       rule 5 deny time-range t1
       rule 10 permit time-range t2
      #
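The two guidelines above (first match wins, so strict rules go first; unmatched packets fall through to the service module's default action) can be checked against the examples with a small evaluator. The following Python is an added example and is not Huawei's code or the device's matching engine: the names Rule, evaluate and shadowed_rules are assumptions made here, it models only basic ACL source-IP rules with Huawei-style wildcard masks (0 bits compared, 1 bits ignored) plus the bare rule permit/rule deny, and it ignores time ranges and traffic-behavior actions. shadowed_rules flags rules that can never be hit because an earlier, looser rule already covers every address they match, which is the misordering guideline 1 warns about.

```python
"""Added example: first-match ACL evaluation with a module default action."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                      # "permit" or "deny"
    source: Optional[str] = None     # None models the bare "rule permit" / "rule deny"
    wildcard: str = "0.0.0.0"        # Huawei wildcard: 0 bits are compared, 1 bits are ignored


def _care_mask(wildcard: str) -> int:
    """Bits that a rule actually compares (the inverse of the wildcard)."""
    return ~int(IPv4Address(wildcard)) & ALL_ONES


def _matches(rule: Rule, src: str) -> bool:
    if rule.source is None:
        return True
    care = _care_mask(rule.wildcard)
    return (int(IPv4Address(src)) & care) == (int(IPv4Address(rule.source)) & care)


def evaluate(rules: List[Rule], src: str, default_action: str) -> str:
    """Rules are checked in rule-ID order; the first match decides.
    A packet that matches no rule gets the service module's default action
    (permit for the traffic policy module, deny for Telnet/FTP in the page's examples)."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if _matches(rule, src):
            return rule.action
    return default_action


def _covers(broad: Rule, narrow: Rule) -> bool:
    """True if every source address matched by `narrow` is also matched by `broad`."""
    if broad.source is None:          # bare rule permit/deny matches everything
        return True
    if narrow.source is None:
        return False
    broad_wild = int(IPv4Address(broad.wildcard))
    narrow_wild = int(IPv4Address(narrow.wildcard))
    if narrow_wild & ~broad_wild & ALL_ONES:   # narrow ignores a bit that broad compares
        return False
    care = _care_mask(broad.wildcard)
    return (int(IPv4Address(narrow.source)) & care) == (int(IPv4Address(broad.source)) & care)


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """IDs of rules that can never be hit because an earlier, looser rule covers them."""
    ordered = sorted(rules, key=lambda r: r.rule_id)
    return [later.rule_id
            for i, later in enumerate(ordered)
            if any(_covers(earlier, later) for earlier in ordered[:i])]


# The page's examples, transcribed as Rule objects (constructed for this example).
EXAMPLE1 = [Rule(5, "deny", "192.168.1.2"), Rule(10, "deny", "192.168.1.3")]
EXAMPLE2 = [Rule(5, "permit", "192.168.1.2"), Rule(10, "permit", "192.168.1.3"),
            Rule(15, "deny", "192.168.1.0", "0.0.0.255")]
EXAMPLE3 = [Rule(5, "permit", "172.16.105.2")]
EXAMPLE4 = [Rule(5, "deny", "172.16.105.3"), Rule(10, "deny", "172.16.105.4"), Rule(15, "permit")]
# Example 2 with the loose /24 deny moved to the front: violates guideline 1.
EXAMPLE2_MISORDERED = [Rule(5, "deny", "192.168.1.0", "0.0.0.255"),
                       Rule(10, "permit", "192.168.1.2"), Rule(15, "permit", "192.168.1.3")]

if __name__ == "__main__":
    for name, acl, default in (("Example 1", EXAMPLE1, "permit"), ("Example 2", EXAMPLE2, "permit"),
                               ("Example 2 misordered", EXAMPLE2_MISORDERED, "permit"),
                               ("Example 3", EXAMPLE3, "deny"), ("Example 4", EXAMPLE4, "deny")):
        shadow = shadowed_rules(acl)
        print(f"{name}: shadowed rules = {shadow or 'none'}")
        for src in ("192.168.1.2", "192.168.1.50", "172.16.105.3", "172.16.105.9", "10.0.0.1"):
            print(f"  {src:<14} -> {evaluate(acl, src, default)}")
```

Running the block shows that in the misordered variant the two permit rules are reported as shadowed and 192.168.1.2 is denied, whereas with the page's ordering the host-specific permits are hit before the network-segment deny; it also shows how the same ACL body produces different results for unmatched sources depending on the module's default action.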
      
Updated: 2019-09-23

Document ID: EDOC1000178177