No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring an Advanced ACL6

Configuring an Advanced ACL6

Prerequisites

If you need to configure a time-based ACL6, create a time range and associate the time range with the ACL6 rules. For details, see (Optional) Creating a Time Range in Which an ACL6 Takes Effect.

Context

An advanced ACL6 defines rules to filter IPv6 packets based on source IPv6 addresses, destination IPv6 addresses, IPv6 protocol types, TCP source/destination port numbers, UDP source/destination port numbers, fragment information, and time ranges.

Compared with a basic ACL6, an advanced ACL6 is more accurate, flexible, and provides more functions. For example, if you want to filter packets based on source and destination IPv6 addresses, configure an advanced ACL6.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Create an advanced ACL6. You can create a numbered or named ACL.

    • Run the acl ipv6 [ number ] acl6-number [ match-order { auto | config } ] command to create a numbered advanced ACL6 (3000-3999) and enter the advanced ACL6 view.

    • Run the acl ipv6 name acl6-name { advance | acl6-number } [ match-order { auto | config } ] command to create a named advanced ACL6 and enter the advanced ACL6 view.

    By default, no ACL exists on the device.

    The functions of numbered and named ACL6 are the same as the functions of numbered and named ACL. For details, see ACL Classification.

    If the match-order parameter is not specified when you create an ACL6, the default match order config is used. The match order of ACL6 is the same as that of ACL. For details, see Matching Order.

    To delete an ACL that has taken effect, see Deleting an ACL6 in Configuring a Basic ACL6.

  3. Configure rules for the advanced ACL6.

    You can configure advanced ACL6 rules according to the protocols carried by IP. The parameters vary according to the protocol types.

    • When the protocol type is TCP, the command format is:

      rule [ rule-id ] { deny | permit } { tcp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *

    • When the protocol type is UDP, the command format is:

      rule [ rule-id ] { deny | permit } { udp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | vpn-instance vpn-instance-name ] *

    • When the protocol is ICMPv6, the command format is:

      rule [ rule-id ] { deny | permit } { icmpv6 | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | icmp6-type { icmp6-type-name | icmp6-type [ icmp6-code ] } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *

    • When the protocol is others, the command format is:

      rule [ rule-id ] { deny | permit } { protocol-number | gre | ipv6 | ospf } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *

    In this example, only one permit or deny rule is configured. In actual configuration, you can configure multiple rules and decide the match order of the rules according to service requirements.

    Configuring rules for the advanced ACL6 provides a rule configuration example.

  4. (Optional) Run rule rule-id description description

    A description is configured for the ACL rules.

    By default, an ACL rule does not have a description.

    The ACL rule description helps you understand and remember the functions or purpose of an ACL rule.

    You can configure descriptions for only the rules existing on the device. That is, you cannot configure a description for a rule before creating the rule.

Configuration Tips

Configuring rules for the advanced ACL6
  • Configuring a packet filtering rule for ICMPv6 protocol packets based on source IPv6 address (host address) and destination IPv6 address segment

    Configure a rule in ACL6 3001 to allow the ICMPv6 packets from fc00:1::1 and destined for network segment fc00:2::/64 to pass.
    <HUAWEI> system-view
    [HUAWEI] acl ipv6 3001
    [HUAWEI-acl6-adv-3001] rule permit icmpv6 source fc00:1::1 128 destination fc00:2:: 64
  • Configuring a packet filtering rule for TCP protocol packets based on the TCP destination port number, source IPv6 address (host address), and destination IPv6 address segment

    Configure a rule in the advanced ACL6 deny-telnet to forbid Telnet connections between the host fc00:1::3 and hosts on network segment fc00:2::/64.
    <HUAWEI> system-view
    [HUAWEI] acl ipv6 name deny-telnet
    [HUAWEI-acl6-adv-deny-telnet] rule deny tcp destination-port eq telnet source fc00:1::3 128 destination fc00:2:: 64
    Configure a rule in the advanced ACL6 no-web to forbid hosts fc00:1::3 and fc00:1::4 from accessing web pages (HTTP is used to access web pages, and TCP port number is 80).
    <HUAWEI> system-view
    [HUAWEI] acl ipv6 name no-web
    [HUAWEI-acl6-adv-no-web] rule deny tcp destination-port eq 80 source fc00:1::3 128
    [HUAWEI-acl6-adv-no-web] rule deny tcp destination-port eq 80 source fc00:1::4 128
  • Configuring a time-based ACL6 rule

    For details, see Configuring a time-based ACL rule in Configuring a Basic ACL.

  • Configuring a packet filtering rule based on the IP fragment information and source IP address segment

    For details, see Configuring a packet filtering rule based on the IP fragment information and source IP address segment in Configuring a Basic ACL.

Translation
Download
Updated: 2019-09-23

Document ID: EDOC1000178319

Views: 149942

Downloads: 82

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next