Configuration Guide - Security

S9300, S9300E, and S9300X V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Configuring an Advanced ACL

Prerequisites

If you need to configure a time-based ACL, create a time range and associate the time range with the ACL rules. For details, see (Optional) Creating a Time Range in Which an ACL Takes Effect.

Context

An advanced ACL defines rules to filter IPv4 packets based on source IP addresses, destination IP addresses, IP protocol types, TCP source/destination port numbers, UDP source/destination port numbers, fragment information, and time ranges.

Compared with a basic ACL, an advanced ACL is more precise and flexible, and it provides more functions. For example, if you want to filter packets based on both source and destination IP addresses, configure an advanced ACL.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Create an advanced ACL. You can create a numbered or named ACL.

    • Run the acl [ number ] acl-number [ match-order { auto | config } ] command to create a numbered advanced ACL (3000-3999) and enter the advanced ACL view.

    • Run the acl name acl-name { advance | acl-number } [ match-order { auto | config } ] command to create a named advanced ACL and enter the advanced ACL view.

    By default, no ACL exists on the device.

    For details about the numbered and named ACLs, see ACL Classification.

    If the match-order parameter is not specified when you create an ACL, the default match order config is used. For details about ACL match order, see Matching Order.

    The default step of a created ACL is 5. If the default step cannot meet your ACL configuration requirements, you can change the step value. For details about the step, see Step; for configuration of the step, see Adjusting the Step of ACL Rules.

    To delete an ACL that has taken effect, see Deleting an ACL in Configuring a Basic ACL.

  3. (Optional) Run description text

    A description is configured for the ACL.

    By default, an ACL does not have a description.

    The ACL description helps you understand and remember the functions or purpose of an ACL.

  4. Configure rules for the advanced ACL.

    You can configure advanced ACL rules according to the protocols carried by IP. The parameters vary according to the protocol type.

    • When the protocol type is ICMP, the command format is:

      rule [ rule-id ] { deny | permit } { protocol-number | icmp } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | icmp-type { icmp-name | icmp-type [ icmp-code ] } | source { source-address source-wildcard | any } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

    • When the protocol type is TCP, the command format is:

      rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

    • When the protocol type is UDP, the command format is:

      rule [ rule-id ] { deny | permit } { protocol-number | udp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

    • When the protocol type is GRE, IGMP, IP, IPINIP, or OSPF, the command format is:

      rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

    NOTE:

    The LE1D2S04SEC0, LE1D2X32SEC0, and LE1D2H02QEC0 cards, and X series cards do not support ttl-expired.

    In this example, only one permit or deny rule is configured. In actual configuration, you can configure multiple rules and decide the match order of the rules according to service requirements.

    For details about the time ranges, types of protocols carried by IP, source/destination IP addresses and their wildcard masks, TCP/UDP port numbers, TCP flags, and IP fragment information, see Matching Conditions. Configuring rules for an advanced ACL provides a rule configuration example.

  5. (Optional) Run rule rule-id description description

    A description is configured for the ACL rules.

    By default, an ACL rule does not have a description.

    The ACL rule description helps you understand and remember the functions or purpose of an ACL rule.

    You can configure descriptions for only the rules existing on the device. That is, you cannot configure a description for a rule before creating the rule.

Configuration Tips

Configuring rules for an advanced ACL
  • Configuring a packet filtering rule for ICMP protocol packets based on the source IP address (host address) and destination IP address segment

    To allow the ICMP packets from a host that are destined for a network segment to pass, configure a rule in an ACL. For example, to allow the ICMP packets from host 192.168.1.3 that are destined for network segment 192.168.2.0/24 to pass, configure the following rule in ACL 3001.
    <Quidway> system-view
    [Quidway] acl 3001
    [Quidway-acl-adv-3001] rule permit icmp source 192.168.1.3 0 destination 192.168.2.0 0.0.0.255
    
  • Configuring a packet filtering rule for TCP protocol packets based on the TCP destination port number, source IP address (host address), and destination IP address segment

    To prohibit Telnet connections between the specified host and the hosts on a network segment, configure a rule in an advanced ACL. For example, to prohibit Telnet connections between host 192.168.1.3 and hosts on network segment 192.168.2.0/24, configure the following rule in the advanced ACL deny-telnet.
    <Quidway> system-view
    [Quidway] acl name deny-telnet
    [Quidway-acl-adv-deny-telnet] rule deny tcp destination-port eq telnet source 192.168.1.3 0 destination 192.168.2.0 0.0.0.255 
    To prohibit the specified hosts from accessing web pages (HTTP is used to access web pages, and TCP port number is 80), configure rules in an advanced ACL. For example, to prohibit hosts 192.168.1.3 and 192.168.1.4 from accessing web pages, configure the following rules in ACL no-web and set the description for the ACL to Web access restrictions.
    <Quidway> system-view
    [Quidway] acl name no-web
    [Quidway-acl-adv-no-web] description Web access restrictions
    [Quidway-acl-adv-no-web] rule deny tcp destination-port eq 80 source 192.168.1.3 0
    [Quidway-acl-adv-no-web] rule deny tcp destination-port eq 80 source 192.168.1.4 0
    
  • Configuring a packet filtering rule for TCP packets based on the source IP address segment and TCP flags

    To implement unidirectional access control on a network segment, configure rules in an ACL. For example, to implement unidirectional access control on network segment 192.168.2.0/24, configure the following rules in ACL 3002. In the following rules, the hosts on 192.168.2.0/24 can only respond to TCP handshake packets, but cannot send TCP handshake packets. Set the descriptions of the ACL rules to Allow the ACK TCP packets through, Allow the RST TCP packets through, and Do not Allow the other TCP packet through.

    To meet the preceding requirement, configure two permit rules to allow the packets with the ACK or RST field being 1 from 192.168.2.0/24 to pass, and then configure a deny rule to reject other TCP packets from this network segment.
    <Quidway> system-view
    [Quidway] acl 3002
    [Quidway-acl-adv-3002] rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack
    [Quidway-acl-adv-3002] display this   // If you do not specify an ID for a created rule, you can view the rule ID allocated by the system, and configure a description for the rule by specifying the rule ID.
    #
    acl number 3002
     rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack           // The rule ID allocated by the system is 5.
    #
    return
    [Quidway-acl-adv-3002] rule 5 description Allow the ACK TCP packets through
    [Quidway-acl-adv-3002] rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst
    [Quidway-acl-adv-3002] display this
    #
    acl number 3002
     rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack
     rule 5 description Allow the ACK TCP packets through
     rule 10 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst       // The rule ID allocated by the system is 10.
    #
    return
    [Quidway-acl-adv-3002] rule 10 description Allow the RST TCP packets through
    [Quidway-acl-adv-3002] rule deny tcp source 192.168.2.0 0.0.0.255
    [Quidway-acl-adv-3002] display this
    #
    acl number 3002
     rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack
     rule 5 description Allow the ACK TCP packets through
     rule 10 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst
     rule 10 description Allow the RST TCP packets through
     rule 15 deny tcp source 192.168.2.0 0.0.0.255       // The rule ID allocated by the system is 15.
    #
    return
    [Quidway-acl-adv-3002] rule 15 description Do not Allow the other TCP packet through
    
    You can specify the established parameter to allow the packets with the ACK or RST field being 1 from 192.168.2.0/24 to pass and configure a deny rule to reject other TCP packets from this subnet.
    <Quidway> system-view
    [Quidway] acl 3002
    [Quidway-acl-adv-3002] rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag established
    [Quidway-acl-adv-3002] rule 5 description Allow the Established TCP packets through
    [Quidway-acl-adv-3002] rule deny tcp source 192.168.2.0 0.0.0.255
    [Quidway-acl-adv-3002] rule 10 description Do not Allow the other TCP packet through
    [Quidway-acl-adv-3002] display this
    #
    acl number 3002
     rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag established
     rule 5 description Allow the Established TCP packets through
     rule 10 deny tcp source 192.168.2.0 0.0.0.255
     rule 10 description Do not Allow the other TCP packet through
    #
    return
    
  • Configuring a time-based ACL rule

    For details, see Configuring a time-based ACL rule in Configuring a Basic ACL.

  • Configuring a packet filtering rule based on the IP fragment information and source IP address segment

    For details, see Configuring a packet filtering rule based on the IP fragment information and source IP address segment in Configuring a Basic ACL.
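As an added illustration (this is not Huawei's code and is not part of the original document), the following Python evaluator models the advanced ACL semantics described in the procedure and the configuration tips above: wildcard masks, destination-port eq, tcp-flag ack/rst/established, and the 5/10/15 rule-ID allocation in config order. The rule-ID allocation formula and the packet dictionary layout are assumptions made for this example; the CLI shorthand wildcard 0 is written out as 0.0.0.0.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
STEP = 5  # default rule-ID step of a created ACL

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "icmp", "tcp", "udp" or "ip" (ip matches any IPv4 protocol)
    src: tuple = None            # (address, wildcard) as typed on the CLI; None means any
    dst: tuple = None
    dst_port: int = None         # destination-port eq <port>; None means any port
    tcp_flag: set = field(default_factory=set)  # {"ack"}, {"rst"} or {"established"}
    rule_id: int = None          # None: let the device allocate it

def wildcard_match(addr, spec):
    # Wildcard semantics: a 1 bit means "do not care" (0.0.0.255 = whole /24, 0.0.0.0 = exact host)
    if spec is None:
        return True
    base, wild = (int(IPv4Address(x)) for x in spec)
    return (int(IPv4Address(addr)) | wild) == (base | wild)

def flag_match(rule_flags, pkt_flags):
    if "established" in rule_flags:      # established: ACK or RST bit set (ACL 3002 above)
        return bool(pkt_flags & {"ack", "rst"})
    return rule_flags <= pkt_flags       # every listed flag set; empty set matches all

@dataclass
class AdvancedAcl:
    rules: list = field(default_factory=list)

    def add(self, rule):
        # Assumed allocation, consistent with the 5/10/15 shown on the page: next multiple
        # of STEP above the highest existing rule ID. Rules are kept in ascending rule-ID order.
        if rule.rule_id is None:
            highest = max((r.rule_id for r in self.rules), default=0)
            rule.rule_id = (highest // STEP + 1) * STEP
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.rule_id)
        return rule.rule_id

    def evaluate(self, pkt):
        # Config match order: first matching rule wins; None means no rule matched
        for r in self.rules:
            if (r.proto in ("ip", pkt["proto"])
                    and wildcard_match(pkt["src"], r.src) and wildcard_match(pkt["dst"], r.dst)
                    and (r.dst_port is None or pkt.get("dport") == r.dst_port)
                    and flag_match(r.tcp_flag, pkt.get("flags", set()))):
                return r.action
        return None
```

Feeding the three ACL 3002 rules into `AdvancedAcl` shows why a SYN from 192.168.2.0/24 is dropped while an ACK from the same subnet passes, and why a SYN from a subnet no rule mentions falls through with no match.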

Updated: 2019-09-23

Document ID: EDOC1000178410