
Configuration Guide - Security

S1720, S2700, S5700, and S6720 V200R011C10

This document describes security configuration, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, MPAC, separating the management plane from the service plane, security risks, and PKI.

Configuring a Basic ACL6

Prerequisites

If you need to configure a time-based ACL6, create a time range and associate the time range with the ACL6 rules. For details, see (Optional) Creating a Time Range in Which an ACL6 Takes Effect.

Context

A basic ACL6 defines rules to filter IPv6 packets based on information such as source IPv6 addresses, fragment information, and time ranges.

If you only need to filter packets based on source IPv6 addresses, you can configure a basic ACL6.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Create a basic ACL6. You can create a numbered or named ACL.

    • Run the acl ipv6 [ number ] acl6-number [ match-order { auto | config } ] command to create a numbered basic ACL6 (2000-2999) and enter the basic ACL6 view.

    • Run the acl ipv6 name acl6-name { basic | acl6-number } [ match-order { auto | config } ] command to create a named basic ACL6 and enter the basic ACL6 view.

    By default, no ACL6 exists on the device.

    Numbered and named ACL6s function in the same way as numbered and named ACLs. For details, see ACL Classification.

    If the match-order parameter is not specified when you create an ACL6, the default match order config is used. The match order of ACL6 is the same as that of ACL. For details, see Matching Order.

    To delete an ACL6 that has taken effect, see Deleting ACL6.

  3. Run rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *

    Rules are configured in the basic ACL6.

    In this example, only one permit or deny rule is configured. In actual configuration, you can configure multiple rules and decide the match order of the rules according to service requirements.

    Configuring rules for the basic ACL6 provides a rule configuration example.

  4. (Optional) Run rule rule-id description description

    A description is configured for the ACL rule.

    By default, an ACL rule does not have a description.

    The ACL rule description helps you understand and remember the function or purpose of an ACL rule.

    You can configure descriptions only for rules that already exist on the device. That is, you cannot configure a description for a rule before creating the rule.

Configuration Tips

Deleting ACL6

Run the undo acl ipv6 { all | [ number ] acl6-number } or undo acl ipv6 name acl6-name command in the system view to delete an ACL6. This command deletes an ACL6 regardless of whether the ACL6 is applied to a service module. That is, you do not need to delete the service configurations before using this command to delete an ACL6. However, if a specified rule in an ACL6 is used in a simplified traffic policy, the ACL6 cannot be deleted using this command.

Configuring rules for the basic ACL6
  • Configuring a packet filtering rule based on the source IPv6 address (host address)

    Configure a rule in ACL6 2001 to allow the packets from host fc00:1::1/128 to pass.
    <HUAWEI> system-view
    [HUAWEI] acl ipv6 2001
    [HUAWEI-acl6-basic-2001] rule permit source fc00:1::1 128
    
  • Configuring a packet filtering rule based on the source IPv6 address segment

    Configure a rule in ACL6 2001 to allow the packets from host fc00:1::1/128 to pass and reject the packets from other hosts on network segment fc00:1::/64.
    <HUAWEI> system-view
    [HUAWEI] acl ipv6 2001
    [HUAWEI-acl6-basic-2001] rule permit source fc00:1::1 128
    [HUAWEI-acl6-basic-2001] rule deny source fc00:1:: 64
    
  • Configuring a time-based ACL6 rule

    For details, see Configuring a time-based ACL rule in Configuring a Basic ACL.

  • Configuring a packet filtering rule based on the IP fragment information and source IP address segment

    For details, see Configuring a packet filtering rule based on the IP fragment information and source IP address segment in Configuring a Basic ACL.
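
The permit-host/deny-segment example above only works if the /128 permit is evaluated before the /64 deny. The following Python model of first-match evaluation is an added example, not Huawei code: the rule IDs 5 and 10, the function names, and the simplified auto ordering (longest source prefix first, then rule ID) are assumptions, and the outcome for a packet that matches no rule is not covered on this page.

```python
import ipaddress

def parse_rule(rule_id, line):
    """Parse the 'rule { permit | deny } source ...' subset shown on this page."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "rule" or tok[1] not in ("permit", "deny") or tok[2] != "source":
        raise ValueError(f"unsupported rule: {line!r}")
    if tok[3:] == ["any"]:
        net = ipaddress.IPv6Network("::/0")
    elif len(tok) == 5:                      # source <address> <prefix-length>
        net = ipaddress.IPv6Network(f"{tok[3]}/{tok[4]}", strict=False)
    elif len(tok) == 4 and "/" in tok[3]:    # source <address>/<prefix-length>
        net = ipaddress.IPv6Network(tok[3], strict=False)
    else:
        raise ValueError(f"unsupported rule: {line!r}")
    return rule_id, tok[1], net

def evaluate(rules, src, match_order="config"):
    """Return (action, rule_id) of the first matching rule, or (None, None)."""
    addr = ipaddress.IPv6Address(src)
    if match_order == "config":
        # Assumption: config order means ascending rule ID.
        ordered = sorted(rules, key=lambda r: r[0])
    else:
        # Assumption: simplified model of auto order, most specific prefix first.
        ordered = sorted(rules, key=lambda r: (-r[2].prefixlen, r[0]))
    for rule_id, action, net in ordered:
        if addr in net:
            return action, rule_id
    return None, None  # no rule matched; handling is outside this page

# Constructed rule sets: the page's two rules with assumed IDs, and the same
# rules entered in the wrong order.
PAGE_ORDER = [parse_rule(5, "rule permit source fc00:1::1 128"),
              parse_rule(10, "rule deny source fc00:1:: 64")]
REVERSED = [parse_rule(5, "rule deny source fc00:1:: 64"),
            parse_rule(10, "rule permit source fc00:1::1 128")]

if __name__ == "__main__":
    for name, rules in (("page order", PAGE_ORDER), ("reversed", REVERSED)):
        for src in ("fc00:1::1", "fc00:1::2", "fc00:2::1"):
            print(name, src, evaluate(rules, src))
    print("reversed, auto", evaluate(REVERSED, "fc00:1::1", "auto"))
```

With the rules reversed under config order, the host the ACL6 was meant to permit is denied by the broader /64 rule, which is the ordering mistake to check for when reviewing a basic ACL6.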

Updated: 2019-10-21

Document ID: EDOC1000178177
