
Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Configuring a User-Defined ACL

Prerequisites

If you need to configure a time-based ACL, create a time range and associate the time range with the ACL rules. For details, see (Optional) Creating a Time Range in Which an ACL Takes Effect.

Context

A user-defined ACL defines rules based on packet headers, offsets, character string masks, and user-defined character strings. With such an ACL configured, the system performs an AND operation between the packet bytes located at a specified offset behind the selected packet header and the character string mask, compares the result against the user-defined character string, and filters IPv4 and IPv6 packets accordingly.

Compared with basic, advanced, and Layer 2 ACLs, a user-defined ACL is more precise and flexible and provides more functions. For example, to filter ARP packets based on both the source IP address and the ARP packet type, you can configure a user-defined ACL.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure a user-defined ACL. You can create a numbered or named ACL.

    • Run the acl [ number ] acl-number [ match-order { auto | config } ] command to create a numbered user-defined ACL (5000-5999) and enter the user-defined ACL view.

    • Run the acl name acl-name { user | acl-number } [ match-order { auto | config } ] command to create a named user-defined ACL and enter the user-defined ACL view.

    By default, no ACL exists on the device.

    For details about the numbered and named ACLs, see ACL Classification.

    If the match-order parameter is not specified when you create an ACL, the default match order config is used. For details about ACL match order, see Matching Order.

    The default step of a created ACL is 5. If the default step cannot meet your ACL configuration requirements, you can change the step value. For details about the step, see Step; for configuration of the step, see Adjusting the Step of ACL Rules.

    To delete an ACL that has taken effect, see Deleting an ACL in Configuring a Basic ACL.

  3. (Optional) Run description text

    A description is configured for the ACL.

    By default, an ACL does not have a description.

    The ACL description helps you understand and remember the functions or purpose of an ACL.

  4. Run rule [ rule-id ] { deny | permit } [ [ l2-head | ipv4-head | ipv6-head | l4-head ] { rule-string rule-mask offset } &<1-8> | time-range time-name ] *

    Rules are configured in the user-defined ACL.

    In this example, only one permit or deny rule is configured. In actual configuration, you can configure multiple rules and decide the match order of the rules according to service requirements.

    Configuring a user-defined ACL rule provides a rule configuration example.

  5. (Optional) Run rule rule-id description description

    A description is configured for the ACL rules.

    By default, an ACL rule does not have a description.

    The ACL rule description helps you understand and remember the functions or purpose of an ACL rule.

    You can configure descriptions for only the rules existing on the device. That is, you cannot configure a description for a rule before creating the rule.

Configuration Tips

Configuring a user-defined ACL rule
  • Configuring packet filtering rules based on Layer 2 headers, offsets, character string masks, and user-defined character strings

    To reject the ARP packets from the specified host, configure a rule in a user-defined ACL. For example, to reject the ARP packets from host 192.168.0.2, configure the following rule in ACL 5001.

    In the following rule:
    • 0x00000806 indicates the ARP protocol.
    • 0x0000ffff is the character string mask.
    • 10 indicates the protocol type field offset in the ARP packets (without VLAN ID).
    • c0a80002 is the hexadecimal format of 192.168.0.2.
    • 26 and 30 respectively indicate the offsets of the higher and lower two bytes in the source IP addresses in ARP packets (without VLAN ID). The source IP address in an ARP packet begins at the 28th byte in Layer 2 header and occupies 4 bytes. The Layer 2 header offset defined in a user-defined ACL must be 4n+2 (n is an integer). Therefore, the source IP address is divided into two segments for matching. The lower two bytes among the four bytes behind offset 26 (4 x 6 + 2) and the higher two bytes among the four bytes behind offset 30 (4 x 7 + 2) are matched separately.
    To filter ARP packets that carry a VLAN ID, add 4 to each offset in the rule below.
    Figure 1-10  Source IP address field offset in Layer 2 header of an ARP packet

    <HUAWEI> system-view
    [HUAWEI] acl 5001
    [HUAWEI-acl-user-5001] rule deny l2-head 0x00000806 0x0000ffff 10 0x0000c0a8 0x0000ffff 26 0x00020000 0xffff0000 30

    To reject all TCP packets, configure a rule in the named user-defined ACL deny-tcp.

    In the following rule:
    • 0x00060000 indicates the TCP protocol.
    • 8 indicates the protocol type offset in the IP packets. (The protocol type field in an IP packet begins at the 10th byte in IPv4 header and occupies one byte. The IPv4 header offset defined in a user-defined ACL must be 4n (n is an integer). Therefore, the second higher byte among the four bytes behind offset 8 in the IPv4 header is matched.)
    <HUAWEI> system-view
    [HUAWEI] acl name deny-tcp user
    [HUAWEI-acl-user-deny-tcp] rule 5 deny ipv4-head 0x00060000 0x00ff0000 8
    Figure 1-11  TCP protocol field offset in IPv4 header
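    As an added illustration (not part of the Huawei guide), the following Python models how the two rules above are evaluated: each rule-string/rule-mask/offset triple is ANDed against a 4-byte window behind the chosen header, with the offset alignment the guide states (4n+2 for l2-head, 4n for ipv4-head), and the rules are run over constructed ARP and IPv4 frames, including a VLAN-tagged ARP frame to show the "add 4" adjustment. The frame contents, MAC and IP addresses, and the 14-byte Ethernet header position assumed for ipv4-head are constructed assumptions.

```python
import struct
import ipaddress
ALIGNMENT = {"l2-head": 2, "ipv4-head": 0}   # guide: l2-head offsets are 4n+2, ipv4-head offsets are 4n

def field_matches(frame, header_start, rule_string, rule_mask, offset, header):
    """One rule-string/rule-mask/offset triple: AND the 4 bytes found `offset` bytes
    behind the chosen header with rule_mask and compare the result with rule_string."""
    if offset % 4 != ALIGNMENT[header]:
        raise ValueError(f"{header} offset {offset} must be 4n+{ALIGNMENT[header]}")
    window = frame[header_start + offset:header_start + offset + 4]
    if len(window) < 4:                      # frame too short to hold the field: no match
        return False
    return (struct.unpack("!I", window)[0] & rule_mask) == (rule_string & rule_mask)

def rule_matches(frame, header, fields):
    """All triples of a rule must match. l2-head offsets count from byte 0 of the frame;
    ipv4-head offsets from the IPv4 header, which follows the 14-byte Ethernet header here."""
    start = 0 if header == "l2-head" else 14
    return all(field_matches(frame, start, rs, rm, off, header) for rs, rm, off in fields)

def arp_frame(sender_ip, vlan_id=None):
    """Constructed ARP request; with vlan_id set, a 4-byte 802.1Q tag precedes the EtherType."""
    src_mac = bytes.fromhex("001122334455")                 # constructed MAC address
    tag = struct.pack("!HH", 0x8100, vlan_id) if vlan_id is not None else b""
    eth = bytes(6) + src_mac + tag + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)         # hw type, proto type, hlen, plen, op
    arp += src_mac + ipaddress.IPv4Address(sender_ip).packed          # sender MAC, sender IP
    arp += bytes(6) + ipaddress.IPv4Address("192.168.0.1").packed     # target MAC, target IP
    return eth + arp

def ipv4_frame(protocol):
    """Constructed untagged Ethernet frame carrying a minimal 20-byte IPv4 header."""
    eth = bytes(6) + bytes.fromhex("001122334455") + struct.pack("!H", 0x0800)
    return eth + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, protocol, 0,
                             ipaddress.IPv4Address("10.0.0.1").packed, ipaddress.IPv4Address("10.0.0.2").packed)
# The two rules from the guide as (rule-string, rule-mask, offset) triples.
ARP_FROM_192_168_0_2 = [(0x00000806, 0x0000ffff, 10), (0x0000c0a8, 0x0000ffff, 26), (0x00020000, 0xffff0000, 30)]
TCP_IN_IPV4 = [(0x00060000, 0x00ff0000, 8)]

def run_checks():
    tagged = arp_frame("192.168.0.2", vlan_id=100)
    plus4 = [(rs, rm, off + 4) for rs, rm, off in ARP_FROM_192_168_0_2]   # the guide's "+4" for tagged frames
    return {
        "arp_from_192_168_0_2": rule_matches(arp_frame("192.168.0.2"), "l2-head", ARP_FROM_192_168_0_2),
        "arp_from_192_168_0_3": rule_matches(arp_frame("192.168.0.3"), "l2-head", ARP_FROM_192_168_0_2),
        "tagged_arp_original_offsets": rule_matches(tagged, "l2-head", ARP_FROM_192_168_0_2),
        "tagged_arp_offsets_plus_4": rule_matches(tagged, "l2-head", plus4),
        "tcp_packet": rule_matches(ipv4_frame(6), "ipv4-head", TCP_IN_IPV4),
        "udp_packet": rule_matches(ipv4_frame(17), "ipv4-head", TCP_IN_IPV4),
    }
```

    The tagged frame fails the original rule only because every window is shifted by the 4-byte tag, which is why the guide tells you to add 4 to each offset rather than to change the rule strings.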

  • Configuring a time-based ACL rule

    For details, see Configuring a time-based ACL rule in Configuring a Basic ACL.

Updated: 2019-04-01

Document ID: EDOC1000178319
