Configuration Guide - Security

S1720, S2700, S5700, and S6720 V200R011C10

This document describes security configurations, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, MPAC, separating the management plane from the service plane, security risks, and PKI.
Configuring a User ACL

Prerequisites

  • The NAC mode has been set to the unified mode using the authentication unified-mode command and the device has been restarted to make the NAC mode take effect.

  • A UCL group that identifies a user category has been created using the ucl-group command.

  • If you need to configure a time-based ACL, create a time range and associate the time range with the ACL rules. For details, see (Optional) Creating a Time Range in Which an ACL Takes Effect.

Context

A user ACL defines rules to filter IPv4 packets based on the source IP addresses or source User Control List (UCL) groups, destination IP addresses or destination UCL groups, IP protocol types, ICMP types, TCP source/destination port numbers, UDP source/destination port numbers, and time ranges.

To filter packets based on UCL groups, configure a user ACL.

NOTE:

Only the S5720EI, S5720HI, S6720S-EI, and S6720EI support user ACLs.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Create a user ACL. You can create a numbered or named ACL.

    • Run the acl [ number ] acl-number [ match-order { auto | config } ] command to create a numbered user ACL (6000-9999) and enter the user ACL view.

    • Run the acl name acl-name { ucl | acl-number } [ match-order { auto | config } ] command to create a named user ACL and enter the user ACL view.

    By default, no ACL exists on the device.

    For details about the numbered and named ACLs, see ACL Classification.

    If the match-order parameter is not specified when you create an ACL, the default match order config is used. For details about ACL match order, see Matching Order.

    The default step of a created ACL is 5. If the default step cannot meet your ACL configuration requirements, you can change the step value. For details about the step, see Step; for configuration of the step, see Adjusting the Step of ACL Rules.

    To delete an ACL that has taken effect, see Deleting an ACL in Configuring a Basic ACL.

  3. (Optional) Run description text

    A description is configured for the ACL.

    By default, an ACL does not have a description.

    The ACL description helps you understand and remember the functions or purpose of an ACL.

  4. Configure user ACL rules.

    You can configure the user ACL rules according to the protocol types of IP packets. The parameters vary according to the protocol types.

    • When the protocol type is ICMP, the command format is:

      rule [ rule-id ] { deny | permit } { protocol-number | icmp } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | icmp-type { icmp-name | icmp-type [ icmp-code ] } | time-range time-name | vpn-instance vpn-instance-name ] *

    • When the protocol type is TCP, the command format is:

      rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *

    • When the protocol type is UDP, the command format is:

      rule [ rule-id ] { deny | permit } { protocol-number | udp } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | vpn-instance vpn-instance-name ] *

    • When the protocol type is GRE, IGMP, IP, IPINIP, or OSPF, the command format is:

      rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | time-range time-name | vpn-instance vpn-instance-name ] *

    In this example, only one permit or deny rule is configured. In actual configuration, you can configure multiple rules and decide the match order of the rules according to service requirements.

    A rule configuration example is provided in Configuring user ACL rules.

  5. (Optional) Run rule rule-id description description

    A description is configured for the ACL rules.

    By default, an ACL rule does not have a description.

    The ACL rule description helps you understand and remember the functions or purpose of an ACL rule.

    You can configure descriptions for only the rules existing on the device. That is, you cannot configure a description for a rule before creating the rule.

Configuration Tips

Configuring user ACL rules
  • Configuring a packet filtering ACL rule based on the source UCL group and destination IP address

    Configure a rule in ACL 6000 to reject all the IP packets sent from the hosts in source UCL group group1 to network segment 192.168.1.0/24.
    <HUAWEI> system-view
    [HUAWEI] ucl-group 1 name group1
    [HUAWEI] acl 6000
    [HUAWEI-acl-ucl-6000] rule deny ip source ucl-group name group1 destination 192.168.1.0 0.0.0.255
  • Configuring a time-based ACL rule

    For details, see Configuring a time-based ACL rule in Configuring a Basic ACL.
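The Python below is an added illustration, not Huawei's code or part of this guide: it models how the rule in the example above is evaluated, with wildcard-mask matching (a 1 bit in the wildcard means "ignore this bit"), source UCL group membership, automatic rule-ID assignment using the default step of 5, and first-match evaluation in config match order. The UCL_GROUPS table and the Rule and UserAcl names are constructed assumptions; the auto match order is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed UCL group membership (group name -> member IPs). On the switch
# this mapping is built from NAC authentication; here it is a static assumption.
UCL_GROUPS = {"group1": {"10.0.0.5", "10.0.0.6"}}

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Huawei wildcard semantics: a 1 bit means 'ignore this bit', a 0 bit must match."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

@dataclass
class Rule:
    action: str                         # "permit" or "deny"
    protocol: str = "ip"                # "ip" matches any IPv4 protocol
    src_ucl: Optional[str] = None       # source ucl-group name
    src_net: Optional[tuple] = None     # (source-address, source-wildcard)
    dst_net: Optional[tuple] = None     # (destination-address, destination-wildcard)
    rule_id: int = 0                    # 0 = not given, let the ACL assign one

class UserAcl:
    def __init__(self, number: int, step: int = 5):
        self.number, self.step, self.rules = number, step, []

    def add_rule(self, rule: Rule) -> int:
        # An omitted rule-id becomes the next multiple of the step above the
        # largest existing id (5, 10, 15, ... with the default step of 5).
        if rule.rule_id == 0:
            largest = max((r.rule_id for r in self.rules), default=0)
            rule.rule_id = (largest // self.step + 1) * self.step
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.rule_id)  # config order = ascending rule id
        return rule.rule_id

    def evaluate(self, src: str, dst: str, proto: str) -> Optional[str]:
        """First matching rule wins (config match order); None if no rule matches."""
        for r in self.rules:
            if r.protocol != "ip" and r.protocol != proto:
                continue
            if r.src_ucl and src not in UCL_GROUPS.get(r.src_ucl, set()):
                continue
            if r.src_net and not wildcard_match(src, *r.src_net):
                continue
            if r.dst_net and not wildcard_match(dst, *r.dst_net):
                continue
            return r.action
        return None
```

Adding the page's rule (deny ip source ucl-group name group1 destination 192.168.1.0 0.0.0.255) to a UserAcl(6000) assigns it rule ID 5, and a packet from 10.0.0.5 to 192.168.1.77 is denied while one to 192.168.2.1 matches no rule.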

Updated: 2019-03-28

Document ID: EDOC1000178177
