
CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Configuring and Applying a User ACL

(Optional) Creating a Time Range in Which an ACL Takes Effect

Context

For details, see (Optional) Creating a Time Range in Which an ACL Takes Effect in Configuring and Applying a Basic ACL.

Configuring a User ACL

Context

A user ACL defines rules to filter IPv4 packets based on the source IP addresses, destination IP addresses, IP protocol types, ICMP types, TCP source/destination port numbers, UDP source/destination port numbers, and time ranges.

To configure authentication-free rules for Portal users, configure a user ACL.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Create a user ACL. Only numbered ACLs are supported.

    • Run the acl [ number ] acl-number [ match-order { auto | config } ] command to create a numbered user ACL (6000-6031) and enter the user ACL view.

    By default, no ACL exists on the device.

    For details about the numbered and named ACLs, see ACL Classification.

    If the match-order parameter is not specified when you create an ACL, the default match order config is used. For details about ACL match order, see Matching Order.

    The default step of a created ACL is 5. If the default step cannot meet your ACL configuration requirements, you can change the step value. For details about the step, see Step; for configuration of the step, see Adjusting the Step of ACL Rules.

    To delete an ACL that has taken effect, see Deleting an ACL in Configuring a Basic ACL.

  3. (Optional) Run:

    description text

    A description is configured for the ACL.

    By default, an ACL does not have a description.

    The ACL description helps you understand and remember the functions or purpose of an ACL.

  4. Configure user ACL rules.

    You can configure the user ACL rules according to the protocol types of IP packets. The parameters vary according to the protocol types.

    • When the protocol is ICMP, run:

      rule [ rule-id ] { deny | permit } { protocol-number | icmp } [ destination { destination-address destination-wildcard | any | passthrough-domain domain-string } | icmp-type { icmp-name | icmp-type icmp-code } | source { source-address source-wildcard | any } | time-range time-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | fragment ] *
    • When the protocol is TCP, run:

      rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ destination { destination-address destination-wildcard | any | passthrough-domain domain-string } | destination-port { eq port | gt port | lt port | range port-start port-end } | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | fin | psh | rst | syn | urg } * | time-range time-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | fragment ] *
    • When the protocol is UDP, run:

      rule [ rule-id ] { deny | permit } { protocol-number | udp } [ destination { destination-address destination-wildcard | any | passthrough-domain domain-string } | destination-port { eq port | gt port | lt port | range port-start port-end } | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | fragment ] *
    • When the protocol is GRE, IGMP, IP, IPINIP, or OSPF, run:

      rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any | passthrough-domain domain-string } | source { source-address source-wildcard | any } | time-range time-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | fragment ] *

    In this example, only one permit or deny rule is configured. In actual configuration, you can configure multiple rules and decide the match order of the rules according to service requirements.

    A rule configuration example is provided in Configuring user ACL rules.

  5. (Optional) Run:

    rule rule-id description description

    A description is configured for the ACL rules.

    By default, an ACL rule does not have a description.

    The ACL rule description helps you understand and remember the functions or purpose of an ACL rule.

    You can configure descriptions for only the rules existing on the device. That is, you cannot configure a description for a rule before creating the rule. If an ACL rule for which a description has been configured is deleted, the description is also deleted.

Configuration Tips
Configuring user ACL rules
  • Configuring a packet filtering rule based on the destination IP address

    Configure a rule in ACL 6000 to allow all Portal users to access network segment 10.1.1.1/24 without authentication.

    <Huawei> system-view
    [Huawei] acl 6000
    [Huawei-acl-ucl-6000] rule permit ip destination 10.1.1.1 0.0.0.255
  • Configuring a time-based ACL rule

    For details, see Configuring a time-based ACL rule in Configuring a Basic ACL.
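The following Python simulator is an added example; it is not Huawei device code and does not appear on the page. It models the rule semantics that steps 2 and 4 of the procedure and the configuration tip above depend on: wildcard masks (a 0 bit must match, a 1 bit is ignored, which is why a /24 segment such as 10.1.1.1/24 takes the wildcard 0.0.0.255 and not an inverted 255.255.255.0), automatic rule numbering with the default step of 5, rule replacement when an existing rule ID is re-entered, and the difference between the config and auto match orders. Two assumptions go beyond the page: the auto order is approximated as depth-first by the number of fixed wildcard bits (the device applies further tie-breaks described under Matching Order), and only a subset of the page's rule syntax is parsed. All rules and addresses are constructed sample values.

```python
"""Simulator for the user-ACL rule semantics this page describes.

Added example, not Huawei device code. Assumptions beyond the page: the
'auto' match order is approximated as depth-first by the number of fixed (0)
wildcard bits (the device applies further tie-breaks), and only this subset
of the page's rule syntax is parsed:
  rule [id] {permit|deny} {ip|icmp|tcp|udp} [source A W | any]
       [destination A W | any] [destination-port eq N]
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

STEP = 5  # default step between automatically numbered rules


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit must match, a 1 bit is ignored, so
    10.1.1.1 0.0.0.255 covers 10.1.1.0/24 while 10.1.1.1 255.255.255.0
    matches any address ending in .1 (the inverted-mask mistake)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


@dataclass
class Rule:
    rule_id: int
    action: str                            # "permit" or "deny"
    proto: str                             # "ip" matches every IP protocol
    src: Optional[Tuple[str, str]] = None  # (address, wildcard); None = any
    dst: Optional[Tuple[str, str]] = None
    dport: Optional[int] = None            # destination-port eq N

    def specificity(self) -> int:
        """Fixed (0) bits across the source and destination wildcards."""
        return sum(32 - bin(int(ipaddress.IPv4Address(part[1]))).count("1")
                   for part in (self.src, self.dst) if part is not None)

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        return ((self.proto == "ip" or self.proto == proto)
                and (self.src is None or wildcard_match(src, *self.src))
                and (self.dst is None or wildcard_match(dst, *self.dst))
                and (self.dport is None or self.dport == dport))


class UserAcl:
    """A numbered user ACL (6000-6031) evaluated in config or auto order."""

    def __init__(self, number: int, match_order: str = "config"):
        if not 6000 <= number <= 6031:
            raise ValueError("user ACLs are numbered 6000-6031")
        self.number = number
        self.match_order = match_order
        self.rules: List[Rule] = []

    def add_rule(self, line: str) -> Rule:
        toks = line.split()
        i = 1  # toks[0] is the "rule" keyword
        if toks[i].isdigit():
            rule_id, i = int(toks[i]), i + 1
        else:  # next multiple of STEP above the highest existing rule ID
            top = max((r.rule_id for r in self.rules), default=0)
            rule_id = (top // STEP + 1) * STEP
        rule = Rule(rule_id, toks[i], toks[i + 1])
        i += 2
        while i < len(toks):
            key = toks[i]
            if key in ("source", "destination"):
                is_any = toks[i + 1] == "any"
                value = None if is_any else (toks[i + 1], toks[i + 2])
                setattr(rule, "src" if key == "source" else "dst", value)
                i += 2 if is_any else 3
            elif key == "destination-port" and toks[i + 1] == "eq":
                rule.dport = int(toks[i + 2])
                i += 3
            else:
                raise ValueError(f"unsupported keyword: {key}")
        # re-entering an existing rule ID replaces that rule
        self.rules = [r for r in self.rules if r.rule_id != rule_id] + [rule]
        return rule

    def ordered_rules(self) -> List[Rule]:
        if self.match_order == "auto":  # most specific rule first
            return sorted(self.rules, key=lambda r: (-r.specificity(), r.rule_id))
        return sorted(self.rules, key=lambda r: r.rule_id)  # config: ascending ID

    def evaluate(self, proto: str, src: str, dst: str, dport: Optional[int] = None):
        """Return (action, rule_id) of the first match, else ('no-match', None)."""
        for rule in self.ordered_rules():
            if rule.matches(proto, src, dst, dport):
                return rule.action, rule.rule_id
        return "no-match", None
```

To try it, create `UserAcl(6000)`, add `rule permit ip destination 10.1.1.1 0.0.0.255` (it receives ID 5) and then a more specific `rule deny tcp destination 10.1.1.10 0.0.0.0 destination-port eq 23` (ID 10), and call `evaluate("tcp", "172.16.0.9", "10.1.1.10", 23)`: in the default config order the permit at ID 5 is hit first and the deny never fires, whereas with `match_order = "auto"` the host-specific deny wins. The same check with `wildcard_match` shows that 10.1.1.1 255.255.255.0 does not cover 10.1.1.77 but does cover 192.168.5.1, which is the practical reason to verify wildcards with `display acl` before binding an authentication-free rule.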

Applying a User ACL

Context

After an ACL is configured, it must be applied to a service module so that the ACL rules can be delivered and take effect.

The user ACL can only be applied to the Portal authentication in NAC. After Portal authentication is configured and authentication-free rules are configured for the Portal authentication users, certain users can access the specified network resources without authentication or upon an authentication failure.

Procedure

  1. Apply a user ACL.

    Table 5-18 describes the application of a user ACL.

    Table 5-18  Applying a user ACL

    Service Category: Filtering packets to be forwarded

    Usage Scenario: After a user ACL is bound to the authentication-free rules for Portal authentication users, certain users can access the specified network resources without authentication or upon an authentication failure.

    How ACLs Are Used: NAC: See (Optional) Configuring Authentication-Free Authorization Information.

Verifying a User ACL Configuration

Procedure

  • Run the display acl { acl-number | name acl-name | all } command to check ACL configuration.
  • Run the display time-range { all | time-name } command to view information about the time range.
Updated: 2019-05-20

Document ID: EDOC1100034077
