CLI-based Configuration Guide - Security

AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Configuring and Applying a Basic ACL

(Optional) Creating a Time Range in Which an ACL Takes Effect

Context

By default, an ACL takes effect immediately after it is applied to a service module. If you want the ACL rules to take effect only during a certain period, so that you can use a time-based ACL to control services, define a time range and associate it with the ACL rules. With a time-based ACL, an enterprise can prevent employees from accessing the Internet during work hours and restrict the bandwidth of bandwidth-consuming services such as P2P and downloading services during peak hours to avoid network congestion.

You can associate a time range with ACL rules in either of the following modes:

  • Mode 1 - Periodic time range: defines a time range based on weeks. The associated ACL rules take effect at an interval of one week. For example, if the time range of ACL rules is 8:00-12:00 on Monday, the ACL rules take effect at 8:00-12:00 on every Monday.

  • Mode 2 - Absolute time range: defines a time range from YYYY/MM/DD hh:mm to YYYY/MM/DD hh:mm. The associated ACL rules take effect only in this period.

NOTE:

If the system time of a device is not synchronized with the network, the ACL rules cannot take effect in the associated time range. Therefore, it is recommended that you configure the Network Time Protocol (NTP) on the device to synchronize the system time. NTP ensures clock consistency on all devices on a network. For the NTP configuration, see Configuring Basic NTP Functions in the Huawei AR Series IOT Gateway Configuration Guide - Device Management.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run time-range time-name { start-time to end-time { days } &<1-7> | from time1 date1 [ to time2 date2 ] }

    A time range is created.

    By default, no time range is configured on a device.

    You can configure multiple time ranges under the same time-name. The device obtains the intersection of the configured periodic or absolute time ranges.

    To delete a time range, see Deleting a time range.

Follow-up Procedure

After a time range is created, you need to create an ACL and configure the ACL rules to be associated with the time range. For the configuration of a basic ACL, see Configuring a Basic ACL.

Configuration Tips
Deleting a time range

Before deleting a time range, you must delete the ACL rules associated with the time range or delete the ACL to which the ACL rules belong.

For example, ACL 2001 contains rule 5 and is associated with time range time1.
#
time-range time1 from 00:00 2014/1/1 to 23:59 2014/12/31
#
acl number 2001
 rule 5 permit time-range time1
#
Before deleting time1, delete rule 5 or ACL 2001.
  • Delete rule 5, and then time1.

    <Huawei> system-view
    [Huawei] acl 2001
    [Huawei-acl-basic-2001] undo rule 5
    [Huawei-acl-basic-2001] quit
    [Huawei] undo time-range time1
  • Delete ACL 2001, and then time1.

    <Huawei> system-view
    [Huawei] undo acl 2001
    [Huawei] undo time-range time1

(Optional) Configuring the Port Set

Context

When configuring an advanced ACL with TCP or UDP protocol specified, you can bind a port set to the ACL to match the source and destination port numbers of packets. Specifying the source and destination port numbers in an advanced ACL is complex. You can specify the port-set port-set-name parameter in the rule (advanced ACL view) command to bind a port set to the ACL. This method is easier than specifying the eq port, gt port, lt port, or range port-start port-end parameter in the rule (advanced ACL view) command. In addition, you can use this method to specify the same port set for different ACL rules.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ip port-set port-set-name protocol { tcp | udp }

    A port set is created and the port set view is displayed.

    By default, no port set is created.

  3. Run port [ port-rule-id ] { eq port | gt port | lt port | range port-start port-end }

    Port rules are configured for the port set.

    By default, no port rule is configured.

Follow-up Procedure

After a port set is configured, you need to create an advanced ACL and configure the ACL rules associated with the port set. For details about the advanced ACL configuration, see Configuring an Advanced ACL.

Configuring a Basic ACL

Prerequisites

If you need to configure a time-based ACL, create a time range and associate the time range with the ACL rules. For details, see (Optional) Creating a Time Range in Which an ACL Takes Effect.

Context

A basic ACL defines rules to filter IPv4 packets based on information such as source IP addresses, fragment information, and time ranges.

If you only need to filter packets based on source IP addresses, you can configure a basic ACL.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Create a basic ACL. You can create a numbered or named ACL.

    • Run the acl [ number ] acl-number [ match-order { auto | config } ] command to create a numbered basic ACL (2000-2999) and enter the basic ACL view.

    • Run the acl name acl-name { basic | acl-number } [ match-order { auto | config } ] command to create a named basic ACL and enter the basic ACL view.

    By default, no ACL exists on the device.

    For details about the numbered and named ACLs, see ACL Classification.

    If the match-order parameter is not specified when you create an ACL, the default match order config is used. For details about ACL match order, see Matching Order.

    The default step of a created ACL is 5. If the default step cannot meet your ACL configuration requirements, you can change the step value. For details about the step, see Step; for configuration of the step, see Adjusting the Step of ACL Rules.

    To delete an ACL that has taken effect, see Deleting an ACL.

  3. (Optional) Run:

    description text

    A description is configured for the ACL.

    By default, an ACL does not have a description.

    The ACL description helps you understand and remember the functions or purpose of an ACL.

  4. Run:

    rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | vpn-instance vpn-instance-name | [ fragment | none-first-fragment ] | logging | time-range time-name ] *

    Rules are configured in the basic ACL.

    In this example, only one permit or deny rule is configured. In actual configuration, you can configure multiple rules and decide the match order of the rules according to service requirements.

    For details about the time range, source IP address and its wildcard mask, and IP fragment information, see Matching Conditions. Configuring rules for a basic ACL provides a rule configuration example.

  5. (Optional) Run:

    rule rule-id description description

    A description is configured for the ACL rules.

    By default, an ACL rule does not have a description.

    The ACL rule description helps you understand and remember the functions or purpose of an ACL rule.

    You can configure descriptions for only the rules existing on the device. That is, you cannot configure a description for a rule before creating the rule. If an ACL rule for which a description has been configured is deleted, the description is also deleted.

Configuration Tips
Deleting an ACL

To delete an ACL, run the undo acl { [ number ] acl-number | all } or undo acl name acl-name command in the system view.

Configuring rules for a basic ACL
  • Configuring a packet filtering rule based on the source IP address (host address)

    To allow the packets from a host to pass, add a rule to an ACL. For example, to allow packets from host 192.168.1.3 to pass, create the following rule in ACL 2001.
    <Huawei> system-view
    [Huawei] acl 2001
    [Huawei-acl-basic-2001] rule permit source 192.168.1.3 0
    
  • Configuring a packet filtering rule based on the source IP address segment

    To allow the packets from a host to pass and reject the packets from other hosts on the same network segment, configure rules in an ACL. For example, to allow the packets from host 192.168.1.3 to pass and reject the packets from other hosts on network segment 192.168.1.0/24, configure the following rules in ACL 2001 and set the description of ACL 2001 to Permit only 192.168.1.3 through.
    <Huawei> system-view
    [Huawei] acl 2001
    [Huawei-acl-basic-2001] rule permit source 192.168.1.3 0
    [Huawei-acl-basic-2001] rule deny source 192.168.1.0 0.0.0.255
    [Huawei-acl-basic-2001] description Permit only 192.168.1.3 through
    
  • Configuring a time-based ACL rule

    Create a time range working-time (for example, 8:00-18:00 on Monday through Friday) and configure a rule in ACL work-acl. The rule rejects packets from network segment 192.168.1.0/24 within the working-time time range.
    <Huawei> system-view
    [Huawei] time-range working-time 8:00 to 18:00 working-day
    [Huawei] acl name work-acl basic
    [Huawei-acl-basic-work-acl] rule deny source 192.168.1.0 0.0.0.255 time-range working-time
  • Configuring a packet filtering rule based on the IP fragment information and source IP address segment

    To reject the non-initial fragments from a network segment, configure a rule in an ACL. For example, to reject the non-initial fragments from network segment 192.168.1.0/24, configure the following rule in ACL 2001.
    <Huawei> system-view
    [Huawei] acl 2001
    [Huawei-acl-basic-2001] rule deny source 192.168.1.0 0.0.0.255 none-first-fragment
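The rule semantics the examples above rely on (first match in configuration order, source wildcard masks, none-first-fragment, periodic and absolute time ranges), carried out as an added Python model that is not Huawei's code. It generalizes the single rules shown above to any rule list; the time-range intersection follows the guide, the result "no-match" is a placeholder for whatever the service module does when no rule hits, and the sample clock readings are constructed.

```python
# Added model of basic ACL evaluation as described in this guide (not Huawei's code):
# rules are tried in configuration order (match-order config) and the first hit wins.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

WORKING_DAY = {0, 1, 2, 3, 4}  # Monday..Friday, as in the "working-day" keyword
# Constructed sample clock readings: 2019-05-20 is a Monday, 2019-05-25 a Saturday.
MONDAY_10AM = datetime(2019, 5, 20, 10, 0)
SATURDAY_10AM = datetime(2019, 5, 25, 10, 0)

@dataclass
class TimeRange:
    periodic: Optional[Tuple[str, str, set]] = None  # ("HH:MM", "HH:MM", weekdays)
    absolute: Optional[Tuple[datetime, datetime]] = None  # (from, to)

    def active(self, now: datetime) -> bool:
        # Periodic and absolute parts are intersected, as the guide states; HH:MM zero-padded.
        in_periodic = (not self.periodic or (now.weekday() in self.periodic[2]
                       and self.periodic[0] <= now.strftime("%H:%M") < self.periodic[1]))
        in_absolute = not self.absolute or self.absolute[0] <= now <= self.absolute[1]
        return in_periodic and in_absolute

@dataclass
class Rule:
    action: str  # "permit" or "deny"
    source: Optional[Tuple[str, str]] = None  # (address, wildcard); None means any
    none_first_fragment: bool = False
    time_range: Optional[TimeRange] = None

    def matches(self, src: str, non_initial_frag: bool, now: datetime) -> bool:
        if self.source:
            addr, wildcard = (int(IPv4Address(x)) for x in self.source)
            # Wildcard bits set to 1 are "don't care"; bits set to 0 must match exactly.
            if (int(IPv4Address(src)) | wildcard) != (addr | wildcard):
                return False
        if self.none_first_fragment and not non_initial_frag:
            return False
        return not self.time_range or self.time_range.active(now)

def evaluate(rules: List[Rule], src: str, now: datetime, non_initial_frag: bool = False) -> str:
    # "no-match" is a placeholder: the service module decides what happens then.
    for rule in rules:
        if rule.matches(src, non_initial_frag, now):
            return rule.action
    return "no-match"
```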
    

Applying a Basic ACL

Context

After an ACL is configured, it must be applied to a service module so that the ACL rules can be delivered and take effect.

Usually, an ACL is applied to a traffic policy or simplified traffic policy so that the device can deliver ACL rules globally, or on an interface to filter packets to be forwarded. In addition, an ACL can be applied to the service modules such as Telnet, FTP, and routing.

Procedure

  1. Apply a basic ACL

    Table 4-15 describes the application of a basic ACL.

    Table 4-15  Applying a basic ACL

    Service Category: Filtering packets to be forwarded
    Usage Scenario: The device filters received packets globally, or on an interface, and then discards, modifies the priorities of, or redirects the filtered packets. For example, you can use an ACL to reduce the service level of bandwidth-consuming services, such as P2P downloading and online video. When network congestion occurs, these packets are discarded first.
    How ACLs Are Used:
      • Simplified traffic policy: See ACL-based Simplified Traffic Policy Configuration in the Huawei AR Series IOT Gateway Configuration Guide - QoS.
      • Traffic policy: See MQC Configuration in the Huawei AR Series IOT Gateway Configuration Guide - QoS.
      • Packet filtering firewall: See Configuring the Packet Filtering Firewall in the Huawei AR Series IOT Gateway Configuration Guide - Firewall.
      • Dynamic NAT: See Configuring Dynamic NAT in the Huawei AR Series IOT Gateway Configuration Guide - IP Services.
      • NAT server: See Configuring an Internal NAT Server in the Huawei AR Series IOT Gateway Configuration Guide - IP Services.

    Service Category: Filtering packets to be sent to the CPU
    Usage Scenario: If too many protocol packets are sent to the CPU, the CPU usage increases and CPU performance degrades. The device restricts the packets to be sent to the CPU. For example, when a user sends a large number of ARP attack packets to the device, the CPU is busy and services are interrupted. You can apply an ACL to the local attack defense service and add the user to the blacklist so that the CPU discards the packets from this user.
    How ACLs Are Used: Local attack defense (blacklist).

    Service Category: Login control
    Usage Scenario: The device controls the access permission of users. Only authorized users can log in to the device; other users cannot log in without permission. This ensures network security.
    How ACLs Are Used:
      • Telnet: See Enabling the Telnet Server Function in the Huawei AR Series IOT Gateway Configuration Guide - Basic Configuration.
      • FTP: See Managing Files When the Device Functions as an FTP Server in the Huawei AR Series IOT Gateway Configuration Guide - Basic Configuration.
      • SFTP: See Managing Files When the Device Functions as an SFTP Server in the Huawei AR Series IOT Gateway Configuration Guide - Basic Configuration.
      • TFTP: See Managing Files When the Device Functions as a TFTP Client in the Huawei AR Series IOT Gateway Configuration Guide - Basic Configuration.
      • Web login: See (Optional) Configuring Web System Parameters in the Huawei AR Series IOT Gateway Configuration Guide - Basic Configuration.
      • SNMP: See (Optional) Restricting Management Rights of the NMS (SNMPv1 and SNMPv2c) and (Optional) Restricting Management Rights of the NMS (SNMPv3) in the Huawei AR Series IOT Gateway Configuration Guide - Network Management and Monitoring.

    Service Category: Route filtering
    Usage Scenario: ACLs can be applied to various dynamic routing protocols to filter advertised and received routes and multicast groups. For example, you can apply an ACL to a routing policy to prevent the device from sending the routes of a network segment to the neighboring router.
    How ACLs Are Used:
      • BGP: See Controlling the Advertisement of BGP Routes and Controlling the Receiving of BGP Routes in the Huawei AR Series IOT Gateway Configuration Guide - IP Unicast Routing.
      • IS-IS (IPv4): See Configuring IS-IS to Advertise Specified External Routes to an IS-IS Routing Domain and Adding Specified IS-IS Routes to the IP Routing Table in the Huawei AR Series IOT Gateway Configuration Guide - IP Unicast Routing.
      • RIP: See Configuring RIP to Import Routes and Configuring RIP to Filter Received Routes in the Huawei AR Series IOT Gateway Configuration Guide - IP Unicast Routing.
      • Multicast: See Filtering IGMP Messages Based on Source IP Addresses, Configuring a Multicast Group Policy, (Optional) Configuring the Range of Multicast Groups That an Interface Can Join, and (Optional) Configuring an SSM Group Policy in the Huawei AR Series IOT Gateway Configuration Guide - IP Multicast.

Verifying a Basic ACL Configuration

Procedure

  • Run the display acl { acl-number | name acl-name | all } command to check ACL configuration.
  • Run the display time-range { all | time-name } command to view information about the time range.
Updated: 2019-05-20

Document ID: EDOC1100034236
