
CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Configuring and Applying an Advanced ACL

(Optional) Creating a Time Range in Which an ACL Takes Effect

Context

For details, see (Optional) Creating a Time Range in Which an ACL Takes Effect in Configuring and Applying a Basic ACL.

Configuring an Advanced ACL

Pre-configuration Tasks

Context

An advanced ACL defines rules to filter IPv4 packets based on source IP addresses, destination IP addresses, IP protocol types, TCP source/destination port numbers, UDP source/destination port numbers, fragment information, and time ranges.

Compared with a basic ACL, an advanced ACL is more accurate, flexible, and provides more functions. For example, if you want to filter packets based on source and destination IP addresses, configure an advanced ACL.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Create an advanced ACL. You can create a numbered or named ACL.

    • Run the acl [ number ] acl-number [ match-order { auto | config } ] command to create a numbered advanced ACL (3000-3999) and enter the advanced ACL view.

    • Run the acl name acl-name { advance | acl-number } [ match-order { auto | config } ] command to create a named advanced ACL and enter the advanced ACL view.

    By default, no ACL exists on the device.

    For details about the numbered and named ACLs, see ACL Classification.

    If the match-order parameter is not specified when you create an ACL, the default match order config is used. For details about ACL match order, see Matching Order.

    The default step of a created ACL is 5. If the default step cannot meet your ACL configuration requirements, you can change the step value. For details about the step, see Step; for configuration of the step, see Adjusting the Step of ACL Rules.

    To delete an ACL that has taken effect, see Deleting an ACL in Configuring a Basic ACL.

  3. (Optional) Run:

    description text

    A description is configured for the ACL.

    By default, an ACL does not have a description.

    The ACL description helps you understand and remember the functions or purpose of an ACL.

  4. Configure rules for the advanced ACL.

    You can configure advanced ACL rules according to the protocols carried by IP. The parameters vary according to the protocol type.

    • When the ICMP protocol is used, run:

      rule [ rule-id ] { deny | permit } { protocol-number | icmp } [ destination { destination-address destination-wildcard | any } | icmp-type { icmp-name | icmp-type icmp-code } | source { source-address source-wildcard | any } | logging | time-range time-name | vpn-instance vpn-instance-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | [ fragment | none-first-fragment ] | vni vni-id ] *

    • When the TCP protocol is used, run:

      rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end | port-set port-set-name } | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end | port-set port-set-name } | tcp-flag { ack | fin | psh | rst | syn | urg | established } * | logging | time-range time-name | vpn-instance vpn-instance-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | [ fragment | none-first-fragment ] | vni vni-id ] *

    • When the UDP protocol is used, run:

      rule [ rule-id ] { deny | permit } { protocol-number | udp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end | port-set port-set-name } | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end | port-set port-set-name } | logging | time-range time-name | vpn-instance vpn-instance-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | [ fragment | none-first-fragment ] | vni vni-id ] *

    • When GRE, IGMP, IPinIP, or OSPF is used, run:

      rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | source { source-address source-wildcard | any } | logging | time-range time-name | vpn-instance vpn-instance-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | [ fragment | none-first-fragment ] | vni vni-id ] *

    NOTE:

    To configure both the precedence precedence and tos tos parameters, set the two parameters consecutively in the command.

    The dscp dscp and precedence precedence parameters cannot be set simultaneously for the same rule.

    The dscp dscp and tos tos parameters cannot be set simultaneously for the same rule.

    The vni vni-id parameter is valid only in the VXLAN scenario.

    If the rule-id parameter is not specified for the first rule in an ACL, the device uses the step value as the ID of that rule. If the rule-id parameter is not specified for a later rule, the device assigns the next multiple of the step that is greater than the largest existing rule ID. For example, if an ACL includes rule 5 and rule 7 and the step is 5, the system assigns 10 to a new rule without rule-id specified.

    When you specify the time-range parameter to reference a validity time range in the ACL, the ACL does not take effect if the specified time-name does not exist.

  5. (Optional) Run:

    rule rule-id description description

    A description is configured for the ACL rules.

    By default, an ACL rule does not have a description.

    The ACL rule description helps you understand and remember the functions or purpose of an ACL rule.

    You can configure descriptions for only the rules existing on the device. That is, you cannot configure a description for a rule before creating the rule. If an ACL rule for which a description has been configured is deleted, the description is also deleted.

Configuration Tips
Configuring rules for an advanced ACL
  • Configuring a packet filtering rule for ICMP protocol packets based on the source IP address (host address) and destination IP address segment

    To allow the ICMP packets from a host that are destined for a network segment to pass, configure a rule in an ACL. For example, to allow the ICMP packets from host 192.168.1.3 that are destined for network segment 192.168.2.0/24 to pass, configure the following rule in ACL 3001.
    <Huawei> system-view
    [Huawei] acl 3001
    [Huawei-acl-adv-3001] rule permit icmp source 192.168.1.3 0 destination 192.168.2.0 0.0.0.255
    
  • Configuring a packet filtering rule for TCP protocol packets based on the TCP destination port number, source IP address (host address), and destination IP address segment

    To prohibit Telnet connections between the specified host and the hosts on a network segment, configure a rule in an advanced ACL. For example, to prohibit Telnet connections between host 192.168.1.3 and hosts on network segment 192.168.2.0/24, configure the following rule in the advanced ACL deny-telnet.
    <Huawei> system-view
    [Huawei] acl name deny-telnet
    [Huawei-acl-adv-deny-telnet] rule deny tcp destination-port eq telnet source 192.168.1.3 0 destination 192.168.2.0 0.0.0.255
    To prohibit the specified hosts from accessing web pages (HTTP is used to access web pages, and the TCP port number is 80), configure rules in an advanced ACL. For example, to prohibit hosts 192.168.1.3 and 192.168.1.4 from accessing web pages, configure the following rules in ACL no-web and set the description of the ACL to Web access restrictions.
    <Huawei> system-view
    [Huawei] acl name no-web
    [Huawei-acl-adv-no-web] description Web access restrictions
    [Huawei-acl-adv-no-web] rule deny tcp destination-port eq 80 source 192.168.1.3 0
    [Huawei-acl-adv-no-web] rule deny tcp destination-port eq 80 source 192.168.1.4 0
    
  • Configuring a packet filtering rule for TCP packets based on the source IP address segment and TCP flags

    To implement unidirectional access control on a network segment, configure rules in an ACL. For example, to implement unidirectional access control on network segment 192.168.2.0/24, configure the following rules in ACL 3002. In the following rules, the hosts on 192.168.2.0/24 can only respond to TCP handshake packets, but cannot send TCP handshake packets. Set the descriptions of the ACL rules to Allow the ACK TCP packets through, Allow the RST TCP packets through, and Do not Allow the other TCP packet through.

    To meet the preceding requirement, configure two permit rules to allow the packets from 192.168.2.0/24 that have the ACK or RST flag set to pass, and then configure a deny rule to reject the other TCP packets from this network segment.
    <Huawei> system-view
    [Huawei] acl 3002
    [Huawei-acl-adv-3002] rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack
    [Huawei-acl-adv-3002] display this   // If you do not specify an ID for a created rule, you can view the rule ID allocated by the system, and configure a description for the rule by specifying the rule ID.
    #
    acl number 3002
     rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack           // The rule ID allocated by the system is 5.
    #
    return
    [Huawei-acl-adv-3002] rule 5 description Allow the ACK TCP packets through
    [Huawei-acl-adv-3002] rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst
    [Huawei-acl-adv-3002] display this
    #
    acl number 3002
     rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack
     rule 5 description Allow the ACK TCP packets through
     rule 10 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst      // The rule ID allocated by the system is 10.
    #
    return
    [Huawei-acl-adv-3002] rule 10 description Allow the RST TCP packets through
    [Huawei-acl-adv-3002] rule deny tcp source 192.168.2.0 0.0.0.255
    [Huawei-acl-adv-3002] display this
    #
    acl number 3002
     rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack
     rule 5 description Allow the ACK TCP packets through
     rule 10 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst
     rule 10 description Allow the RST TCP packets through
     rule 15 deny tcp source 192.168.2.0 0.0.0.255                    // The rule ID allocated by the system is 15.
    #
    return
    [Huawei-acl-adv-3002] rule 15 description Do not Allow the other TCP packet through
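    To make the rule-numbering and matching behaviour concrete, the following Python model is an added example for this page (it is not Huawei code and not the device's implementation). It reproduces the rule-ID assignment described in step 4 (the first rule gets the step, later rules get the next multiple of the step above the highest existing ID), wildcard matching where 0 means an exact host and 0.0.0.255 a /24 segment, single tcp-flag matching, and first-match evaluation in ascending rule-ID order, then builds the deny-telnet ACL and ACL 3002 from the examples above and evaluates constructed packets against them. The Packet class, the keyword arguments of rule(), and the TELNET constant are assumptions of this example; the auto match order and rules that list several tcp-flag keywords are not modelled, and a packet that matches no rule yields None because what happens then depends on the service module that applies the ACL.

```python
"""Model of a Huawei-style advanced ACL (added example, not Huawei code).

Covers rule-ID assignment from the step, wildcard (inverse-mask) address
matching, single tcp-flag matching and first-match evaluation in ascending
rule-ID order (the default 'config' match order).  The Packet layout and
the rule() keyword arguments are assumptions of this example.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # the 'any' keyword as an (address, wildcard) pair
TELNET = 23                            # well-known port named 'telnet' in the guide's example


def _ip(s: str) -> int:
    # The CLI accepts a bare 0 as the wildcard for a single host.
    return 0 if s == "0" else int(IPv4Address(s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'do not care'; 0 = exact host, 0.0.0.255 = /24."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary with only the header fields the rules inspect."""
    protocol: str                      # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dst_port: Optional[int] = None
    flags: frozenset = frozenset()     # TCP flags that are set, e.g. {"syn", "ack"}


@dataclass
class Rule:
    rule_id: int
    action: str                        # "permit" or "deny"
    protocol: str
    source: tuple = ANY                # (address, wildcard)
    destination: tuple = ANY
    dest_port_eq: Optional[int] = None # destination-port eq <port>
    tcp_flag: Optional[str] = None     # tcp-flag <flag>: matches when that flag is set
    description: str = ""

    def matches(self, p: Packet) -> bool:
        return (p.protocol == self.protocol
                and wildcard_match(p.src, *self.source)
                and wildcard_match(p.dst, *self.destination)
                and (self.dest_port_eq is None or p.dst_port == self.dest_port_eq)
                and (self.tcp_flag is None or self.tcp_flag in p.flags))


@dataclass
class AdvancedAcl:
    name: str
    step: int = 5                      # default step of a newly created ACL
    rules: list = field(default_factory=list)

    def next_rule_id(self) -> int:
        """ID used when rule-id is omitted: the step for the first rule, then the
        next multiple of the step above the highest existing ID (rules 5, 7 -> 10)."""
        if not self.rules:
            return self.step
        highest = max(r.rule_id for r in self.rules)
        return (highest // self.step + 1) * self.step

    def rule(self, action: str, protocol: str, rule_id: Optional[int] = None, **kw) -> Rule:
        """Equivalent of 'rule [rule-id] { deny | permit } <protocol> ...'."""
        if rule_id is None:
            rule_id = self.next_rule_id()
        new = Rule(rule_id, action, protocol, **kw)
        # Re-entering an existing rule-id replaces that rule in this model.
        others = [r for r in self.rules if r.rule_id != rule_id]
        self.rules = sorted(others + [new], key=lambda r: r.rule_id)
        return new

    def evaluate(self, p: Packet) -> Optional[str]:
        """First matching rule wins; None means no rule matched."""
        for r in self.rules:
            if r.matches(p):
                return r.action
        return None


def build_deny_telnet() -> AdvancedAcl:
    """ACL deny-telnet from the guide: no Telnet from 192.168.1.3 to 192.168.2.0/24."""
    acl = AdvancedAcl("deny-telnet")
    acl.rule("deny", "tcp", dest_port_eq=TELNET,
             source=("192.168.1.3", "0"), destination=("192.168.2.0", "0.0.0.255"))
    return acl


def build_acl_3002() -> AdvancedAcl:
    """ACL 3002 from the guide: 192.168.2.0/24 may answer TCP handshakes but not start them."""
    acl = AdvancedAcl("3002")
    seg = ("192.168.2.0", "0.0.0.255")
    acl.rule("permit", "tcp", source=seg, tcp_flag="ack", description="Allow the ACK TCP packets through")
    acl.rule("permit", "tcp", source=seg, tcp_flag="rst", description="Allow the RST TCP packets through")
    acl.rule("deny", "tcp", source=seg, description="Do not Allow the other TCP packet through")
    return acl


if __name__ == "__main__":
    acl = build_acl_3002()
    for r in acl.rules:
        print(f"rule {r.rule_id} {r.action} tcp ... // {r.description}")
    for flags in ({"syn"}, {"syn", "ack"}, {"rst"}):
        pkt = Packet("tcp", "192.168.2.10", "10.0.0.1", 80, frozenset(flags))
        print(sorted(flags), "->", acl.evaluate(pkt))
```

    Running the block walks through the ACL 3002 scenario: a SYN-only segment from 192.168.2.10 matches neither rule 5 nor rule 10 and falls through to rule 15, so it is denied, while a SYN-ACK or an RST from the same host is permitted by rule 5 or rule 10. The rule IDs come out as 5, 10 and 15, exactly as the display this output above shows.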
    
  • Configuring a time-based ACL rule

    For details, see Configuring a time-based ACL rule in Configuring a Basic ACL.

  • Configuring a packet filtering rule based on the IP fragment information and source IP address segment

    For details, see Configuring a packet filtering rule based on the IP fragment information and source IP address segment in Configuring a Basic ACL.

Applying an Advanced ACL

Context

After an ACL is configured, it must be applied to a service module so that the ACL rules can be delivered and take effect.

Usually, an ACL is applied to a traffic policy or simplified traffic policy so that the device can deliver ACL rules globally, or on an interface to filter packets to be forwarded. In addition, an ACL can be applied to the service modules such as FTP and multicast.

Procedure

  1. Apply an advanced ACL

    Table 5-16 describes the application of an advanced ACL.

    Table 5-16  Applying an advanced ACL

    Service category: Filtering packets to be forwarded
    Usage scenario: The device filters received packets globally, or on an interface, and then discards, modifies priorities of, or redirects the filtered packets. For example, you can use an ACL to reduce the service level of bandwidth-consuming services, such as P2P downloading and online video, so that these packets are discarded first when network congestion occurs.
    How ACLs are used:
      • Simplified traffic policy: See ACL-based Simplified Traffic Policy Configuration in Huawei AR Series Access Routers Configuration Guide - QoS.
      • Traffic policy: See MQC Configuration in Huawei AR Series Access Routers Configuration Guide - QoS.
      • Packet filtering firewall: See Configuring the Packet Filtering Firewall in Huawei AR Series Access Routers Configuration Guide - Firewall.
      • Dynamic NAT: See Configuring Dynamic NAT in the Huawei AR Series Access Routers Configuration Guide - IP Services.
      • NAT server: See Configuring an Internal NAT Server in the Huawei AR Series Access Routers Configuration Guide - IP Services.

    Service category: Filtering packets to be sent to the CPU
    Usage scenario: If too many protocol packets are sent to the CPU, the CPU usage increases and CPU performance degrades, so the device restricts the packets sent to the CPU. For example, when a user sends a large number of ARP attack packets to the device, the CPU is busy and services are interrupted. You can apply an ACL to the local attack defense service and add the user to the blacklist so that the CPU discards the packets from this user.
    How ACLs are used:
      • Blacklist: See Configuring a Blacklist in Local Attack Defense Configuration.

    Service category: Login control
    Usage scenario: The device controls the access permission of users: only authorized users can log in to the device, and other users cannot log in without permission. This ensures network security.
    How ACLs are used:
      • Telnet: See Enabling the Telnet Server Function in Huawei AR Series Access Routers Configuration Guide - Basic Configuration.
      • FTP: See Managing Files When the Device Functions as an FTP Server in Huawei AR Series Access Routers Configuration Guide - Basic Configuration.
      • SFTP: See Managing Files When the Device Functions as an SFTP Server in Huawei AR Series Access Routers Configuration Guide - Basic Configuration.

    Service category: Route filtering
    Usage scenario: An ACL can be applied to the multicast protocol to filter multicast groups. For example, the ACL and IGMP snooping functions can be used together to prevent hosts in a VLAN from joining a multicast group.
    How ACLs are used:
      • Multicast: See Filtering IGMP Messages Based on Source IP Addresses, Configuring a Multicast Group Policy, and (Optional) Configuring the Range of Multicast Groups That an Interface Can Join in Huawei AR Series Access Routers Configuration Guide - IP Multicast.

Verifying an Advanced ACL Configuration

Procedure

  • Run the display acl { acl-number | name acl-name | all } command to check ACL configuration.
  • Run the display time-range { all | time-name } command to view information about the time range.
Updated: 2019-08-07

Document ID: EDOC1100034077
