S1720, S2700, S5700, and S6720 V200R011C10 Configuration Guide - Security
This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, MPAC, separating the management plane from the service plane, security risks, PKI.
Configuring a Basic ACL
Prerequisites
If you need to configure a time-based ACL, create a time range and associate the time range with the ACL rules. For details, see (Optional) Creating a Time Range in Which an ACL Takes Effect.
Procedure
- Run system-view
The system view is displayed.
- Create a basic ACL. You can create a numbered or named ACL.
Run the acl [ number ] acl-number [ match-order { auto | config } ] command to create a numbered basic ACL (2000-2999) and enter the basic ACL view.
Run the acl name acl-name { basic | acl-number } [ match-order { auto | config } ] command to create a named basic ACL and enter the basic ACL view.
By default, no ACL exists on the device.
For details about the numbered and named ACLs, see ACL Classification.
If the match-order parameter is not specified when you create an ACL, the default match order config is used. For details about ACL match order, see Matching Order.
The default step of a created ACL is 5. If the default step cannot meet your ACL configuration requirements, you can change the step value. For details about the step, see Step; for configuration of the step, see Adjusting the Step of ACL Rules.
To delete an ACL that has taken effect, see Deleting an ACL.
- (Optional) Run description text
A description is configured for the ACL.
By default, an ACL does not have a description.
The ACL description helps you understand and remember the functions or purpose of an ACL.
- Run rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | fragment | logging | time-range time-name | vpn-instance vpn-instance-name ] *
Rules are configured in the basic ACL.
In this example, only one permit or deny rule is configured. In actual configuration, you can configure multiple rules and decide the match order of the rules according to service requirements.
For details about the time range, source IP address and its wildcard mask, and IP fragment information, see Matching Conditions. Configuring rules for a basic ACL provides a rule configuration example.
- (Optional) Run rule rule-id description description
A description is configured for the ACL rules.
By default, an ACL rule does not have a description.
The ACL rule description helps you understand and remember the functions or purpose of an ACL rule.
You can configure descriptions for only the rules existing on the device. That is, you cannot configure a description for a rule before creating the rule.
Configuration Tips
Deleting an ACL
To delete an ACL, run the undo acl { [ number ] acl-number | all } or undo acl name acl-name command in the system view. This command can delete an ACL no matter whether the ACL is applied to a service module; however, if a specified rule in an ACL is used in a simplified traffic policy, the ACL cannot be deleted using this command. Before using this command to delete an ACL, you do not need to delete the service configurations.
Configuring rules for a basic ACL
Configuring a packet filtering rule based on the source IP address (host address)
Configuring a packet filtering rule based on the source IP address segment
To allow the packets from a host to pass and reject the packets from other hosts on the same network segment, configure rules in an ACL. For example, to allow the packets from host 192.168.1.3 to pass and reject the packets from other hosts on network segment 192.168.1.0/24, configure the following rules in ACL 2001 and set the description of ACL 2001 to Permit only 192.168.1.3 through.
<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule permit source 192.168.1.3 0
[HUAWEI-acl-basic-2001] rule deny source 192.168.1.0 0.0.0.255
[HUAWEI-acl-basic-2001] description permit only 192.168.1.3 through
Configuring a time-based ACL rule
Create a time range working-time (for example, 8:00-18:00 on Monday through Friday) and configure a rule in ACL work-acl. The rule rejects the packets from network segment 192.168.1.0/24 within the set working-time.
<HUAWEI> system-view
[HUAWEI] time-range working-time 8:00 to 18:00 working-day
[HUAWEI] acl name work-acl basic
[HUAWEI-acl-basic-work-acl] rule deny source 192.168.1.0 0.0.0.255 time-range working-time
Configuring a packet filtering rule based on the IP fragment information and source IP address segment
To reject the non-initial fragments from a network segment, configure a rule in an ACL. For example, to reject the non-initial fragments from network segment 192.168.1.0/24, configure the following rule in ACL 2001.
<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule deny source 192.168.1.0 0.0.0.255 fragment
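As an added illustration, not taken from this guide and not device code, the following Python model reproduces the semantics that the procedure and the three rule examples above rely on: wildcard masks (0 bit = must match, 1 bit = don't care, with the CLI shorthand 0 meaning 0.0.0.0), automatic rule-ID allocation in multiples of the step (first rule gets ID 5), config versus auto match order, the fragment keyword, and a time range that deactivates a rule outside working hours. The class names, the Packet structure and the datetime-based TimeRange are constructed assumptions; the auto order is modelled as "most fixed source bits first", a simplification of the device's depth-first rule, and an unmatched packet returns None because the default for unmatched traffic belongs to the service module that applies the ACL.

```python
"""Model of Huawei basic ACL matching semantics (constructed example, not
device code): wildcards, rule-ID steps, match order, fragment, time range."""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

WORKING_DAYS: Set[int] = {0, 1, 2, 3, 4}  # Monday..Friday, as in "working-day"


def _ip_int(text: str) -> int:
    """Parse dotted decimal; the CLI shorthand wildcard '0' means 0.0.0.0."""
    return int(ipaddress.IPv4Address("0.0.0.0" if text == "0" else text))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit must match, a 1 bit is a don't-care."""
    care = ~_ip_int(wildcard) & 0xFFFFFFFF
    return _ip_int(addr) & care == _ip_int(base) & care


@dataclass
class TimeRange:
    start: Tuple[int, int]  # (hour, minute), inclusive
    end: Tuple[int, int]    # (hour, minute), exclusive
    days: Set[int]          # datetime.weekday() values

    def active(self, at: datetime) -> bool:
        return at.weekday() in self.days and self.start <= (at.hour, at.minute) < self.end


@dataclass
class Rule:
    rule_id: int
    action: str                        # "permit" or "deny"
    source: Optional[Tuple[str, str]]  # (address, wildcard) or None for "any"
    fragment: bool = False             # match only non-initial fragments
    time_range: Optional[str] = None   # name of a TimeRange, or None

    def specificity(self) -> int:
        """Number of fixed (care) bits in the source wildcard; used by auto order."""
        return 0 if self.source is None else bin(~_ip_int(self.source[1]) & 0xFFFFFFFF).count("1")


@dataclass
class Packet:
    src: str
    non_initial_fragment: bool = False
    at: datetime = field(default_factory=datetime.now)


class BasicACL:
    def __init__(self, name: str, match_order: str = "config", step: int = 5):
        self.name, self.match_order, self.step = name, match_order, step
        self.rules: List[Rule] = []
        self.time_ranges: Dict[str, TimeRange] = {}

    def add_rule(self, action: str, source=None, fragment: bool = False,
                 time_range: Optional[str] = None, rule_id: Optional[int] = None) -> Rule:
        """Without an explicit rule-id, the next multiple of the step above the
        highest existing ID is allocated, so the first rule gets ID 5 by default."""
        if rule_id is None:
            top = max((r.rule_id for r in self.rules), default=0)
            rule_id = (top // self.step + 1) * self.step
        self.rules = [r for r in self.rules if r.rule_id != rule_id]  # re-entering an ID replaces it
        rule = Rule(rule_id, action, source, fragment, time_range)
        self.rules.append(rule)
        return rule

    def _ordered(self) -> List[Rule]:
        if self.match_order == "auto":  # depth-first: most specific source first
            return sorted(self.rules, key=lambda r: (-r.specificity(), r.rule_id))
        return sorted(self.rules, key=lambda r: r.rule_id)  # config order: by rule ID

    def _applies(self, rule: Rule, pkt: Packet) -> bool:
        if rule.time_range and not self.time_ranges[rule.time_range].active(pkt.at):
            return False  # rule is inactive outside its time range
        if rule.fragment and not pkt.non_initial_fragment:
            return False  # 'fragment' rules match only non-initial fragments
        return rule.source is None or wildcard_match(pkt.src, *rule.source)

    def match(self, pkt: Packet) -> Optional[str]:
        """First applicable rule wins. None means no rule matched, so the
        default of the service module applying the ACL decides."""
        for rule in self._ordered():
            if self._applies(rule, pkt):
                return rule.action
        return None
```

Entering the two rules of ACL 2001 in the opposite order (deny the segment first, then permit the host) makes the host rule unreachable under config order, while auto order still evaluates the more specific host rule first; that is the reason the procedure tells you to decide the match order according to service requirements.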