Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Step
What Is a Step

A step is an increment between neighboring rule IDs automatically allocated by the system.

If a rule is added to an empty ACL without a manually specified rule ID, the system allocates the step value itself as the ID of that rule. If an ACL already contains rules (whether their IDs were allocated automatically or configured manually) and a new rule is added without an ID, the system allocates the smallest multiple of the step that is greater than the largest existing rule ID. Rule IDs must be integers. For example, an ACL (basic ACL, advanced ACL, Layer 2 ACL, user ACL, or user-defined ACL) contains rule 5 and rule 12, and the default step is 5. When a new rule is added without an ID, the system allocates ID 15 to it (15 is the smallest multiple of 5 that is greater than 12).

NOTE:

Basic ACL6 and advanced ACL6 do not support step configuration, and use a step of 1.

[HUAWEI-acl-basic-2001] display this
#
acl number 2001              //Empty ACL
#
return
[HUAWEI-acl-basic-2001] rule deny source 10.1.1.0 0.0.0.255 //Configure the first rule without specifying an ID.
[HUAWEI-acl-basic-2001] display this
#
acl number 2001
 rule 5 deny source 10.1.1.0 0.0.0.255
#
return
[HUAWEI-acl-basic-2001] rule 12 deny source 10.2.2.0 0.0.0.255 //Configure a rule with ID 12.
[HUAWEI-acl-basic-2001] display this
#
acl number 2001
 rule 5 deny source 10.1.1.0 0.0.0.255
 rule 12 deny source 10.2.2.0 0.0.0.255
#
return
[HUAWEI-acl-basic-2001] rule deny source 10.3.3.0 0.0.0.255 //Configure another rule without specifying an ID.
[HUAWEI-acl-basic-2001] display this
#
acl number 2001
 rule 5 deny source 10.1.1.0 0.0.0.255
 rule 12 deny source 10.2.2.0 0.0.0.255
 rule 15 deny source 10.3.3.0 0.0.0.255
#
return

If the step value of an ACL is changed, the system reallocates IDs to all rules in the ACL. For example, when the step is changed to 2, the system renumbers the rules as 2, 4, 6, and so on. After the step is restored to the default value, the system reallocates IDs using the default step, that is, 5, 10, 15, and so on. Renumbering preserves the relative order of the rules (and therefore the matching result), but any manually chosen IDs are discarded: in the example below, the rule configured as rule 12 becomes rule 10 once the default step is restored. Scripts, change procedures, or undo commands that refer to rules by ID must be revisited after a step change.

[HUAWEI-acl-basic-2001] display acl 2001
Basic ACL 2001, 3 rules
Acl's step is 5
 rule 5 deny source 10.1.1.0 0.0.0.255
 rule 12 deny source 10.2.2.0 0.0.0.255
 rule 15 deny source 10.3.3.0 0.0.0.255
[HUAWEI-acl-basic-2001] step 2   //Set the step to 2.
[HUAWEI-acl-basic-2001] display acl 2001
Basic ACL 2001, 3 rules
Acl's step is 2
 rule 2 deny source 10.1.1.0 0.0.0.255
 rule 4 deny source 10.2.2.0 0.0.0.255
 rule 6 deny source 10.3.3.0 0.0.0.255
[HUAWEI-acl-basic-2001] undo step   //Restore the default step.
[HUAWEI-acl-basic-2001] display acl 2001
Basic ACL 2001, 3 rules
Acl's step is 5
 rule 5 deny source 10.1.1.0 0.0.0.255
 rule 10 deny source 10.2.2.0 0.0.0.255
 rule 15 deny source 10.3.3.0 0.0.0.255

How a Step Functions

Setting a step leaves unused IDs between neighboring rules, which makes it possible to insert a rule between existing rules of an ACL without disturbing them.

For example, an ACL contains rule 5, rule 10, and rule 15, and the network administrator wants to add a rule that denies packets from source IP address 10.1.1.3. The rules are as follows:

rule 5 deny source 10.1.1.1 0  //Reject the packets from source IP address 10.1.1.1.
rule 10 deny source 10.1.1.2 0 //Reject the packets from source IP address 10.1.1.2.
rule 15 permit source 10.1.1.0 0.0.0.255 //Permit the packets from source IP address segment 10.1.1.0/24.

Rules are evaluated in ascending order of rule ID, and the system stops matching a packet as soon as it matches a rule. Packets from source addresses 10.1.1.1 and 10.1.1.2 match rule 5 and rule 10 respectively and are discarded. Packets from source address 10.1.1.3 match only rule 15 and are therefore forwarded. To deny packets from 10.1.1.3, add a new deny rule with an ID smaller than 15, for example rule 11, so that these packets hit rule 11 before reaching rule 15 and are discarded. Any ID from 11 to 14 would work; an ID larger than 15 would never be reached for this address, because rule 15 already matches it. Adding rule 11 does not change the existing rule IDs, which are now 5, 10, 11, and 15.

rule 5 deny source 10.1.1.1 0  //Reject the packets from source IP address 10.1.1.1.
rule 10 deny source 10.1.1.2 0 //Reject the packets from source IP address 10.1.1.2.
rule 11 deny source 10.1.1.3 0 //Reject the packets from source IP address 10.1.1.3.
rule 15 permit source 10.1.1.0 0.0.0.255 //Permit the packets from source IP address segment 10.1.1.0/24.

By contrast, in an ACL whose rules are numbered with a step of 1 (rule 1, rule 2, rule 3, and so on) there is no free ID between neighboring rules. To insert a rule before rule 3, you must first delete rule 3 and every rule after it, add the new rule, and then reconfigure the deleted rules. While this is in progress the ACL is incomplete, so traffic that the deleted rules were meant to block or permit is handled differently until they are restored.

A step greater than 1 avoids this by reserving IDs between rules, so a rule can be inserted in a single operation.
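The following Python simulator is an added worked example; it is not Huawei code and does not replace the CLI output above. It implements the ID allocation rule from "What Is a Step" (smallest multiple of the step greater than the largest existing ID), the renumbering performed by step and undo step, the free-ID check that shows why a step of 1 leaves no room for insertion, and first-match evaluation in rule-ID order, so the effect of inserting rule 11 can be observed on a packet from 10.1.1.3. The class and method names (BasicAcl, add_rule, set_step, free_ids_before, match) are the example's own. It covers only IPv4 basic ACLs with a source and wildcard; configuring an ID that already exists is rejected here rather than modifying the rule, and a packet that matches no rule is reported as no match because the resulting action on a real device depends on where the ACL is applied.

```python
"""Simulator for ACL rule-ID steps (added example; not Huawei code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DEFAULT_STEP = 5  # default step described in the document


def _ip(text: str) -> int:
    """Dotted-quad IPv4 address to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def _wildcard(text: str) -> int:
    """Wildcard mask; '0' is the CLI shorthand for 0.0.0.0 (exact host)."""
    return 0 if text == "0" else _ip(text)


@dataclass
class Rule:
    rule_id: int
    action: str      # "permit" or "deny"
    source: int      # source address as an integer
    wildcard: int    # wildcard bits: 1 means "don't care"
    text: str        # source/wildcard as typed, for display

    def matches(self, src: int) -> bool:
        # Only the bits that are 0 in the wildcard must be equal.
        mask = 0xFFFFFFFF ^ self.wildcard
        return (src & mask) == (self.source & mask)


@dataclass
class BasicAcl:
    number: int
    step: int = DEFAULT_STEP
    rules: List[Rule] = field(default_factory=list)  # kept sorted by rule_id

    def add_rule(self, action: str, source: str, wildcard: str,
                 rule_id: Optional[int] = None) -> int:
        """Add a rule; allocate its ID from the step when none is given."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if rule_id is None:
            if not self.rules:
                rule_id = self.step
            else:
                largest = max(r.rule_id for r in self.rules)
                # smallest multiple of the step strictly greater than largest
                rule_id = (largest // self.step + 1) * self.step
        elif any(r.rule_id == rule_id for r in self.rules):
            # simplification: refuse duplicates instead of modifying the rule
            raise ValueError(f"rule {rule_id} already exists")
        self.rules.append(Rule(rule_id, action, _ip(source),
                               _wildcard(wildcard), f"{source} {wildcard}"))
        self.rules.sort(key=lambda r: r.rule_id)
        return rule_id

    def set_step(self, step: Optional[int]) -> List[int]:
        """'step N', or 'undo step' when None: renumber as step, 2*step, ..."""
        self.step = DEFAULT_STEP if step is None else step
        for i, r in enumerate(self.rules, start=1):
            r.rule_id = i * self.step  # order is preserved, manual IDs are not
        return [r.rule_id for r in self.rules]

    def free_ids_before(self, rule_id: int) -> List[int]:
        """IDs available between the preceding rule and rule_id."""
        lower = max((r.rule_id for r in self.rules if r.rule_id < rule_id),
                    default=0)
        used = {r.rule_id for r in self.rules}
        return [i for i in range(lower + 1, rule_id) if i not in used]

    def match(self, src: str) -> Tuple[Optional[str], Optional[int]]:
        """First match in ascending rule-ID order; (None, None) if no rule hits."""
        s = _ip(src)
        for r in self.rules:
            if r.matches(s):
                return r.action, r.rule_id
        return None, None

    def display(self) -> List[str]:
        return [f"rule {r.rule_id} {r.action} source {r.text}" for r in self.rules]


if __name__ == "__main__":
    acl = BasicAcl(2001)
    acl.add_rule("deny", "10.1.1.0", "0.0.0.255")             # rule 5
    acl.add_rule("deny", "10.2.2.0", "0.0.0.255", rule_id=12)  # rule 12
    acl.add_rule("deny", "10.3.3.0", "0.0.0.255")             # rule 15
    print("\n".join(acl.display()))
    print("step 2      ->", acl.set_step(2))      # [2, 4, 6]
    print("undo step   ->", acl.set_step(None))   # [5, 10, 15]; 12 became 10

    acl = BasicAcl(2002)
    acl.add_rule("deny", "10.1.1.1", "0")
    acl.add_rule("deny", "10.1.1.2", "0")
    acl.add_rule("permit", "10.1.1.0", "0.0.0.255")
    print("10.1.1.3    ->", acl.match("10.1.1.3"))          # ('permit', 15)
    print("free before 15:", acl.free_ids_before(15))      # [11, 12, 13, 14]
    acl.add_rule("deny", "10.1.1.3", "0", rule_id=11)
    print("10.1.1.3    ->", acl.match("10.1.1.3"))          # ('deny', 11)

    tight = BasicAcl(2003, step=1)                          # rules 1, 2, 3
    tight.add_rule("deny", "10.1.1.1", "0")
    tight.add_rule("deny", "10.1.1.2", "0")
    tight.add_rule("permit", "10.1.1.0", "0.0.0.255")
    print("step-1 free before 3:", tight.free_ids_before(3))  # []
```

The free_ids_before check is the one worth keeping in a change procedure: before inserting a deny ahead of a broad permit, confirm that a free ID below the permit exists, and after any step change re-read the IDs with display acl rather than trusting the ones recorded earlier.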

Updated: 2019-04-01

Document ID: EDOC1000178319