
Configuration Guide - Security

S1720, S2700, S5700, and S6720 V200R011C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, MPAC, separating the management plane from the service plane, security risks, PKI.
Configuring a Basic ACL

Prerequisites

If you need to configure a time-based ACL, create a time range and associate the time range with the ACL rules. For details, see (Optional) Creating a Time Range in Which an ACL Takes Effect.

Context

A basic ACL defines rules to filter IPv4 packets based on information such as source IP addresses, fragment information, and time ranges.

If you only need to filter packets based on source IP addresses, you can configure a basic ACL.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Create a basic ACL. You can create a numbered or named ACL.

    • Run the acl [ number ] acl-number [ match-order { auto | config } ] command to create a numbered basic ACL (2000-2999) and enter the basic ACL view.

    • Run the acl name acl-name { basic | acl-number } [ match-order { auto | config } ] command to create a named basic ACL and enter the basic ACL view.

    By default, no ACL exists on the device.

    For details about the numbered and named ACLs, see ACL Classification.

    If the match-order parameter is not specified when you create an ACL, the default match order config is used. For details about ACL match order, see Matching Order.

    The default step of a created ACL is 5. If the default step cannot meet your ACL configuration requirements, you can change the step value. For details about the step, see Step; for configuration of the step, see Adjusting the Step of ACL Rules.

    To delete an ACL that has taken effect, see Deleting an ACL.

  3. (Optional) Run description text

    A description is configured for the ACL.

    By default, an ACL does not have a description.

    The ACL description helps you understand and remember the functions or purpose of an ACL.

  4. Run rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | fragment | logging | time-range time-name | vpn-instance vpn-instance-name ] *

    Rules are configured in the basic ACL.

    In this example, only one permit or deny rule is configured. In actual configuration, you can configure multiple rules and decide the match order of the rules according to service requirements.

    For details about the time range, source IP address and its wildcard mask, and IP fragment information, see Matching Conditions. Configuring rules for a basic ACL provides a rule configuration example.

  5. (Optional) Run rule rule-id description description

    A description is configured for the ACL rules.

    By default, an ACL rule does not have a description.

    The ACL rule description helps you understand and remember the functions or purpose of an ACL rule.

    You can configure descriptions for only the rules existing on the device. That is, you cannot configure a description for a rule before creating the rule.

Configuration Tips

Deleting an ACL

To delete an ACL, run the undo acl { [ number ] acl-number | all } or undo acl name acl-name command in the system view. This command deletes an ACL whether or not the ACL is applied to a service module, so you do not need to remove the service configurations first; the one exception is an ACL with a rule that is referenced by a simplified traffic policy, which this command cannot delete.

Configuring rules for a basic ACL
  • Configuring a packet filtering rule based on the source IP address (host address)

    To allow the packets from a host to pass, add a rule to an ACL. For example, to allow packets from host 192.168.1.3 to pass, create the following rule in ACL 2001.
    <HUAWEI> system-view
    [HUAWEI] acl 2001
    [HUAWEI-acl-basic-2001] rule permit source 192.168.1.3 0
    
  • Configuring a packet filtering rule based on the source IP address segment

    To allow the packets from a host to pass and reject the packets from other hosts on the same network segment, configure rules in an ACL. For example, to allow the packets from host 192.168.1.3 to pass and reject the packets from other hosts on network segment 192.168.1.0/24, configure the following rules in ACL 2001 and set the description of ACL 2001 to Permit only 192.168.1.3 through.
    <HUAWEI> system-view
    [HUAWEI] acl 2001
    [HUAWEI-acl-basic-2001] rule permit source 192.168.1.3 0
    [HUAWEI-acl-basic-2001] rule deny source 192.168.1.0 0.0.0.255
    [HUAWEI-acl-basic-2001] description permit only 192.168.1.3 through
    
  • Configuring a time-based ACL rule

    Create a time range working-time (for example, 8:00-18:00 on Monday through Friday) and configure a rule in ACL work-acl. The rule rejects the packets from network segment 192.168.1.0/24 within the set working-time.
    <HUAWEI> system-view
    [HUAWEI] time-range working-time 8:00 to 18:00 working-day
    [HUAWEI] acl name work-acl basic
    [HUAWEI-acl-basic-work-acl] rule deny source 192.168.1.0 0.0.0.255 time-range working-time
    
  • Configuring a packet filtering rule based on the IP fragment information and source IP address segment

    To reject the non-initial fragments from a network segment, configure a rule in an ACL. For example, to reject the non-initial fragments from network segment 192.168.1.0/24, configure the following rule in ACL 2001.
    <HUAWEI> system-view
    [HUAWEI] acl 2001
    [HUAWEI-acl-basic-2001] rule deny source 192.168.1.0 0.0.0.255 fragment
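The following Python model is an added example, not Huawei code, that replays the four CLI examples above against constructed packets and also shows why the match order from step 2 matters: a deny for 192.168.1.0/24 entered before the permit for host 192.168.1.3 shadows the host under match-order config, while match-order auto evaluates the more specific source first. The model assumes that rule IDs without an explicit rule-id are allocated as the next multiple of the step above the largest existing ID (5, 10, 15, ... with the default step), that auto order is "most must-match wildcard bits first, then lowest rule-id", that a time range is a whole-hour half-open interval on Monday to Friday, and that an ACL with no matching rule returns None, because what then happens to the packet is decided by the module the ACL is applied to and is not stated on this page.

```python
"""Model of a Huawei-style basic ACL (added example, not device code)."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address
from typing import Optional


def _to_int(addr: str) -> int:
    """Accept a dotted quad or the bare '0' wildcard used in the CLI examples."""
    return int(addr) if addr.isdigit() else int(IPv4Address(addr))


@dataclass
class TimeRange:
    """'time-range NAME 8:00 to 18:00 working-day', simplified to whole hours, [start, end)."""
    start_hour: int
    end_hour: int

    def active(self, when: datetime) -> bool:
        return when.weekday() < 5 and self.start_hour <= when.hour < self.end_hour


@dataclass
class Packet:  # constructed sample packet: only the fields a basic ACL inspects
    src: str
    non_initial_fragment: bool = False
    when: datetime = datetime(2019, 9, 23, 10, 0)  # a Monday, 10:00


@dataclass
class Rule:
    rule_id: int
    action: str                      # 'permit' or 'deny'
    src: Optional[str] = None        # None stands for 'any'
    wildcard: str = "0"              # wildcard bit 0 = must match, 1 = ignore
    fragment: bool = False           # True: match non-initial fragments only
    time_range: Optional[TimeRange] = None

    def matches(self, pkt: Packet) -> bool:
        care = ~_to_int(self.wildcard) & 0xFFFFFFFF
        if self.src is not None and _to_int(pkt.src) & care != _to_int(self.src) & care:
            return False
        if self.fragment and not pkt.non_initial_fragment:
            return False
        return self.time_range is None or self.time_range.active(pkt.when)

    def precision(self) -> int:
        """Number of 'must match' bits; auto (depth-first) order tries larger values first."""
        return 0 if self.src is None else 32 - bin(_to_int(self.wildcard)).count("1")


class BasicAcl:
    def __init__(self, name: str, match_order: str = "config", step: int = 5):
        self.name, self.match_order, self.step = name, match_order, step
        self.rules: list = []

    def rule(self, action, src=None, wildcard="0", fragment=False, time_range=None, rule_id=None) -> int:
        """Add a rule; with no rule-id, allocate the next multiple of the step (assumed policy)."""
        if rule_id is None:
            rule_id = (max((r.rule_id for r in self.rules), default=0) // self.step + 1) * self.step
        self.rules.append(Rule(rule_id, action, src, wildcard, fragment, time_range))
        self.rules.sort(key=lambda r: r.rule_id)
        return rule_id

    def lookup(self, pkt: Packet) -> Optional[str]:
        """Action of the first matching rule, or None when no rule matches (module decides)."""
        order = self.rules
        if self.match_order == "auto":  # most precise source first, then lowest rule-id
            order = sorted(self.rules, key=lambda r: (-r.precision(), r.rule_id))
        return next((r.action for r in order if r.matches(pkt)), None)


def shadowing_demo(match_order: str) -> Optional[str]:
    """/24 deny entered before the host permit: 'config' order shadows the host rule."""
    acl = BasicAcl("2001", match_order)
    acl.rule("deny", "192.168.1.0", "0.0.0.255")
    acl.rule("permit", "192.168.1.3", "0")
    return acl.lookup(Packet("192.168.1.3"))


def page_examples() -> dict:
    """Run the page's CLI examples against constructed packets."""
    acl = BasicAcl("2001")
    ids = [acl.rule("permit", "192.168.1.3", "0"), acl.rule("deny", "192.168.1.0", "0.0.0.255")]
    work = BasicAcl("work-acl")
    work.rule("deny", "192.168.1.0", "0.0.0.255", time_range=TimeRange(8, 18))
    frag = BasicAcl("2001")
    frag.rule("deny", "192.168.1.0", "0.0.0.255", fragment=True)
    return {
        "rule_ids": ids,                                     # [5, 10]
        "host": acl.lookup(Packet("192.168.1.3")),           # permit
        "neighbour": acl.lookup(Packet("192.168.1.4")),      # deny
        "outside": acl.lookup(Packet("10.0.0.1")),           # None: no rule matches
        "work_monday": work.lookup(Packet("192.168.1.9")),   # deny
        "work_saturday": work.lookup(Packet("192.168.1.9", when=datetime(2019, 9, 28, 10, 0))),  # None
        "fragment": frag.lookup(Packet("192.168.1.9", non_initial_fragment=True)),  # deny
        "first_fragment": frag.lookup(Packet("192.168.1.9")),  # None: initial fragments pass the rule
    }
```

Calling page_examples() reproduces the outcomes described beside each CLI example; shadowing_demo("config") returns "deny" and shadowing_demo("auto") returns "permit" for the same two rules, which is the reason the procedure tells you to decide the match order according to service requirements before adding rules.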
Updated: 2019-09-23

Document ID: EDOC1000178177
