CLI-based Configuration Guide - Security

AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Step

What Is a Step

A step is the increment between neighboring rule IDs that the system allocates automatically.

If a rule is added to an empty ACL without a manually specified rule ID, the system allocates the step value itself as the ID of this rule. If the ACL already contains rules (whether their IDs were allocated automatically or configured manually) and a new rule is added without an ID, the system allocates the smallest multiple of the step that is greater than the largest existing rule ID. Rule IDs must be positive integers. For example, an ACL (basic ACL, advanced ACL, Layer 2 ACL, or user ACL) contains rule 5 and rule 12, and the step is the default value 5. When a new rule is added without an ID, the system allocates ID 15 to it (15 is the smallest multiple of 5 that is greater than 12).

[Huawei-acl-basic-2001] display this
#                                                                               
acl number 2001              //Empty ACL                                             
#                                                                               
return                            
[Huawei-acl-basic-2001] rule deny source 10.1.1.0 0.0.0.255 //Configure the first rule without specifying an ID.
[Huawei-acl-basic-2001] display this                                                 
#                                                                               
acl number 2001                                                                 
 rule 5 deny source 10.1.1.0 0.0.0.255                                           
#                                                                               
return         
[Huawei-acl-basic-2001] rule 12 deny source 10.2.2.0 0.0.0.255 //Configure a rule with ID 12.
[Huawei-acl-basic-2001] display this                 
#                                                                               
acl number 2001                                                                 
 rule 5 deny source 10.1.1.0 0.0.0.255                                           
 rule 12 deny source 10.2.2.0 0.0.0.255                                          
#                                                                               
return                                   
[Huawei-acl-basic-2001] rule deny source 10.3.3.0 0.0.0.255 //Configure another rule without specifying an ID.
[Huawei-acl-basic-2001] display this             
#                                                                               
acl number 2001                                                                 
 rule 5 deny source 10.1.1.0 0.0.0.255                                           
 rule 12 deny source 10.2.2.0 0.0.0.255                                          
 rule 15 deny source 10.3.3.0 0.0.0.255                                          
#                                                                               
return                         

If the step value of an ACL is changed, the system reallocates IDs to all rules in the ACL, keeping their relative order. For example, when the step is changed to 2, the rules are renumbered 2, 4, 6.... After the step is restored to the default value with undo step, the rules are renumbered with the default step, that is, 5, 10, 15.... The original IDs are not preserved: rule 12 in the example below becomes rule 4 and then rule 10, so any command or change record that refers to a rule by ID must be checked against display acl after a step change.

[Huawei-acl-basic-2001] display acl 2001
Basic ACL 2001, 3 rules                                                         
Acl's step is 5                                                                 
 rule 5 deny source 10.1.1.0 0.0.0.255                          
 rule 12 deny source 10.2.2.0 0.0.0.255                         
 rule 15 deny source 10.3.3.0 0.0.0.255   

[Huawei-acl-basic-2001] step 2   //Set the step to 2
[Huawei-acl-basic-2001] display acl 2001
Basic ACL 2001, 3 rules                                                         
Acl's step is 2 
 rule 2 deny source 10.1.1.0 0.0.0.255                          
 rule 4 deny source 10.2.2.0 0.0.0.255                          
 rule 6 deny source 10.3.3.0 0.0.0.255                          
                                                                 
[Huawei-acl-basic-2001] undo step   //Restore the default step.
[Huawei-acl-basic-2001] display acl 2001
Basic ACL 2001, 3 rules                                                         
Acl's step is 5
 rule 5 deny source 10.1.1.0 0.0.0.255                          
 rule 10 deny source 10.2.2.0 0.0.0.255                         
 rule 15 deny source 10.3.3.0 0.0.0.255                                                                   
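The allocation and renumbering rules above, written out as a small simulator so they can be checked offline. This is an added example, not code from the original page or from Huawei; it models only the behaviour the text describes (smallest multiple of the step above the largest ID, the step itself on an empty ACL, and full renumbering when the step changes) and makes no attempt to model what happens when an existing ID is specified again. The ACL number 2001 and the rule texts are taken from the example above.

```python
"""Simulate how rule IDs are allocated from an ACL step on Huawei VRP.

Added example, not code from the original page or from Huawei. It models only
what the text describes: a rule added without an ID gets the smallest multiple
of the step above the largest existing ID (the step itself on an empty ACL),
and changing the step renumbers every rule as step, 2*step, 3*step, ...
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DEFAULT_STEP = 5


@dataclass
class Acl:
    number: int
    step: int = DEFAULT_STEP
    # (rule_id, rule text), kept sorted by rule_id
    rules: List[Tuple[int, str]] = field(default_factory=list)

    def next_auto_id(self) -> int:
        """Smallest multiple of step strictly greater than the largest rule ID."""
        if not self.rules:
            return self.step
        largest = self.rules[-1][0]
        return (largest // self.step + 1) * self.step

    def add_rule(self, text: str, rule_id: Optional[int] = None) -> int:
        """Add a rule; allocate the ID when none is given. Returns the ID used."""
        if rule_id is None:
            rule_id = self.next_auto_id()
        if rule_id <= 0:
            raise ValueError("rule IDs must be positive integers")
        if any(rid == rule_id for rid, _ in self.rules):
            # Re-specifying an existing ID is not modelled by this simulator.
            raise ValueError(f"rule {rule_id} already exists")
        self.rules.append((rule_id, text))
        self.rules.sort()
        return rule_id

    def set_step(self, step: int = DEFAULT_STEP) -> None:
        """'step N' (or 'undo step' with no argument): change the step and
        renumber every rule, in order, as step, 2*step, 3*step, ..."""
        if step <= 0:
            raise ValueError("step must be a positive integer")
        self.step = step
        self.rules = [(step * (i + 1), text) for i, (_, text) in enumerate(self.rules)]

    def display(self) -> str:
        """Mimic the layout of 'display acl <number>'."""
        lines = [f"Basic ACL {self.number}, {len(self.rules)} rules",
                 f"Acl's step is {self.step}"]
        lines.extend(f" rule {rid} {text}" for rid, text in self.rules)
        return "\n".join(lines)


def page_example() -> List[List[int]]:
    """Replay the sequence from the text; returns the rule IDs after each stage."""
    acl = Acl(2001)
    acl.add_rule("deny source 10.1.1.0 0.0.0.255")              # auto -> 5
    acl.add_rule("deny source 10.2.2.0 0.0.0.255", rule_id=12)  # manual 12
    acl.add_rule("deny source 10.3.3.0 0.0.0.255")              # auto -> 15
    stages = [[rid for rid, _ in acl.rules]]
    acl.set_step(2)                                             # renumber 2, 4, 6
    stages.append([rid for rid, _ in acl.rules])
    acl.set_step()                                              # undo step -> 5, 10, 15
    stages.append([rid for rid, _ in acl.rules])
    return stages


if __name__ == "__main__":
    for ids in page_example():
        print(ids)
```

The practical point the replay makes is that rule 12 does not survive a step change: it becomes rule 4 and then rule 10. Anything that pins a rule by number (an undo rule command in a runbook, a compliance baseline, an audit finding) should be re-derived from display acl after step or undo step rather than reused.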
                                                             

How a Step Functions

Setting a step facilitates rule insertion between existing rules of an ACL.

For example, an ACL contains rule 5, rule 10, and rule 15. The network administrator wants to add a rule that denies the packets from source IP address 10.1.1.3. The rules are as follows:

rule 5 deny source 10.1.1.1 0  //Reject the packets from source IP address 10.1.1.1.
rule 10 deny source 10.1.1.2 0 //Reject the packets from source IP address 10.1.1.2.
rule 15 permit source 10.1.1.0 0.0.0.255 //Permit the packets from source IP address segment 10.1.1.0/24.

A packet is compared with the rules in ascending order of rule ID, and matching stops at the first rule that matches. Therefore, packets from source addresses 10.1.1.1 and 10.1.1.2 match rule 5 and rule 10 and are discarded, while packets from source address 10.1.1.3 match rule 15 and are forwarded. To deny packets from source IP address 10.1.1.3, add a new deny rule that is matched before rule 15; a deny rule with an ID greater than 15 would never be hit, because rule 15 already matches the whole 10.1.1.0/24 segment. Because the step leaves unused IDs between rule 10 and rule 15, you can add rule 11 without changing any existing rule ID, and packets from 10.1.1.3 then match rule 11 and are discarded. The rule IDs are 5, 10, 11, and 15.

rule 5 deny source 10.1.1.1 0  //Reject the packets from source IP address 10.1.1.1.
rule 10 deny source 10.1.1.2 0 //Reject the packets from source IP address 10.1.1.2.
rule 11 deny source 10.1.1.3 0 //Reject the packets from source IP address 10.1.1.3.
rule 15 permit source 10.1.1.0 0.0.0.255 //Permit the packets from source IP address segment 10.1.1.0/24.

If the step is 1 (rule 1, rule 2, rule 3...), there are no unused IDs between consecutive rules. To insert a rule between two existing rules, you must delete the existing rules from the insertion point onward, add the new rule, and then reconfigure the deleted rules.

A step greater than 1 resolves this issue and facilitates rule insertion.

Updated: 2019-05-20

Document ID: EDOC1100034236

Views: 95124

Downloads: 53

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next