NE20E-S2 V800R010C10SPC500 Configuration Guide - IP Services 01
Configuring a Basic ACL

A basic ACL defines rules to filter packets.

Usage Scenario

Figure 3-3 Configuring a basic ACL
NOTE:

Interfaces 1 and 2 in this example are GE 0/1/0 and GE 0/2/0, respectively.



As shown in Figure 3-3, a basic ACL is created on Device A to allow Device A to permit all packets sent from Network A to the Internet and deny all packets sent from Network B and Network C to the Internet.

Configuration Procedures

Figure 3-4 Flowchart for configuring a basic ACL

(Optional) Creating a Validity Period for an ACL Rule

You can create a validity period for an ACL rule to control network traffic in a specified period.

Context

To control certain types of traffic only during a specified period, configure a validity period for an ACL rule; the rule then takes effect only while the time range is active. For example, to ensure reliable transmission of video traffic at prime time at night, limit the volume of traffic from common online users during that period.

After this configuration task is performed, a time range is created. Then you can specify the time range as the validity period when creating an ACL rule.

The validity period of an ACL rule can be either of the following types:

  • Absolute time range: The validity period is fixed.

  • Relative time range: The validity period recurs periodically, for example, every Monday.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run time-range time-name { start-time to end-time days &<1-7> | from time1 date1 [ to time2 date2 ] }

    A validity period is created.

    • You can configure up to 256 time ranges.
    • Up to 32 relative time ranges (periodic time ranges) and 12 absolute time ranges can share one time range name.

  3. Run commit

    The configuration is committed.

Creating a Basic ACL

You can create a basic ACL and configure parameters for the ACL.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run acl { name basic-acl-name { basic | [ basic ] number basic-acl-number } | [ number ] basic-acl-number } [ match-order { config | auto } ]

    A basic ACL is created.

    The basic ACL number ranges from 2000 to 2999.

  3. (Optional) Run step step

    An ACL step is set.

    You can use an ACL step to maintain ACL rules and add new ACL rules conveniently.
    NOTE:
    Assume that a user has created four rules numbered from 1 to 4 in an ACL. The user can reconfigure the ACL step, for example, to 2 by running the step 2 command in the ACL view. The original rule numbers 1, 2, 3, and 4 are renumbered as 2, 4, 6, and 8, respectively. After that, the user can run the rule 3 command to add a rule numbered 3 between the renumbered rules 2 and 4.

  4. (Optional) Run description text

    The ACL description is configured.

    Configuring a description for an ACL is useful in any of the following situations:

    • A large number of ACLs are configured, and their functions are difficult to identify.
    • An ACL is used at a long interval, and its function may be left forgotten.
    • Names of named ACLs cannot fully explain the ACLs' functions.

  5. Run commit

    The configuration is committed.

Configuring a Basic ACL Rule

Basic ACL rules filter packets based on their source IP addresses, their VPN instances, and whether they are first fragments.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run acl { name basic-acl-name { basic | [ basic ] number basic-acl-number } | [ number ] basic-acl-number } [ match-order { config | auto } ]

    The basic ACL view is displayed.

  3. Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

    A rule is configured for the basic ACL.

    • Adding new rules to an ACL will not affect the existing rules.

    • When an existing rule is edited and the edited contents conflict with the original contents, the edited contents take effect.

    NOTE:

    When you configure a basic ACL:

    • If a source IP address is specified by configuring source, the system filters only packets with this specified source IP address.

    • If all source IP addresses are specified by configuring any, the system does not check packets' source IP addresses and considers that all packets have matched the rule and directly takes an action (deny or permit) on the packets.

    • If a validity period is specified by configuring time-range, the time range name specified by time-name must already exist. Otherwise, the rule configuration fails.

  4. (Optional) Run rule description text

    The description for an ACL rule is configured.

    The description of an ACL rule records what the rule is for. Configuring a description for an ACL rule is recommended to prevent misuse of the rule in the following situations:
    • A large number of ACLs are configured, and their functions are difficult to identify.
    • An ACL is used at a long interval, and its function may be left forgotten.

  5. Run commit

    The configuration is committed.
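The rule-numbering note in "Creating a Basic ACL" (renumbering by step) and the matching notes in "Configuring a Basic ACL Rule" (source with a wildcard, any, time-range) can be checked against a small model. The following Python is an added example, not the device's own code or Huawei's; the names BasicAcl, wildcard_match and TimeRange are the example's own, the time-range model covers only periodic ranges on weekdays, and a lookup that matches no rule returns None because what the device does then depends on the service that applies the ACL (the FTP, route-policy and traffic-policy cases later on this page each treat a non-match differently).

```python
"""Added example (not Huawei's own code): a model of a basic ACL with the
behaviours described above: ACL numbers 2000-2999, rule numbering by step
with renumbering, wildcard-mask source matching, config-order first match,
and a rule's time-range validity period."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address
from typing import Dict, Optional, Union


def wildcard_match(addr: str, rule_src: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit in the wildcard must match exactly, a 1 bit
    is ignored. '0' means a single host; '0.0.0.255' covers a /24."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(rule_src)) & care)


@dataclass
class TimeRange:
    """Relative (periodic) range: active between start and end on the given
    weekdays (0 = Monday ... 6 = Sunday); all seven days models 'daily'."""
    start: str          # "HH:MM"
    end: str            # "HH:MM"
    days: frozenset

    def active(self, now: datetime) -> bool:
        hm = now.strftime("%H:%M")
        return now.weekday() in self.days and self.start <= hm < self.end


@dataclass
class Rule:
    action: str                         # "permit" or "deny"
    source: Optional[str] = None        # None models 'source any'
    wildcard: str = "0"
    time_range: Optional[str] = None    # name of a TimeRange, or None


class BasicAcl:
    def __init__(self, number: int, step: int = 5):
        if not 2000 <= number <= 2999:
            raise ValueError("basic ACL number must be in 2000-2999")
        self.number, self.step = number, step
        self.rules: Dict[int, Rule] = {}
        self.time_ranges: Dict[str, TimeRange] = {}

    def time_range(self, name: str, start: str, end: str, days=range(7)) -> None:
        self.time_ranges[name] = TimeRange(start, end, frozenset(days))

    def rule(self, action, source=None, wildcard="0", rule_id=None, time_range=None) -> int:
        """Add a rule; without rule_id the next multiple of the step is used.
        Naming a time-range that does not exist makes the configuration fail."""
        if time_range is not None and time_range not in self.time_ranges:
            raise ValueError(f"time-range {time_range} does not exist")
        if rule_id is None:
            rule_id = (max(self.rules, default=0) // self.step + 1) * self.step
        self.rules[rule_id] = Rule(action, source, wildcard, time_range)
        return rule_id

    def set_step(self, step: int) -> None:
        """'step N': existing rules are renumbered N, 2N, 3N ... in their current
        order, which opens gaps for inserting new rules between them."""
        self.step = step
        ordered = [self.rules[k] for k in sorted(self.rules)]
        self.rules = {i * step: r for i, r in enumerate(ordered, start=1)}

    def rule_ids(self):
        return sorted(self.rules)

    def lookup(self, src_ip: str, now: Union[datetime, str, None] = None) -> Optional[str]:
        """Config-order match: the first matching rule decides. Returns 'permit',
        'deny', or None when no rule matches. A rule whose time-range is inactive
        at 'now' (a datetime or ISO string) is skipped."""
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        now = now or datetime.now()
        for rid in sorted(self.rules):
            r = self.rules[rid]
            if r.time_range and not self.time_ranges[r.time_range].active(now):
                continue
            if r.source is None or wildcard_match(src_ip, r.source, r.wildcard):
                return r.action
        return None
```

Usage: BasicAcl(2001) with rule 1 to rule 4 followed by set_step(2) yields rule numbers 2, 4, 6 and 8, and rule("deny", "10.0.0.1", rule_id=3) then lands between 2 and 4, as in the note above; lookup("10.1.1.1", "2006-03-15T14:19:16") on a rule bound to a 10:00 to 12:00 daily time-range returns None because the range is inactive at that time, matching the "( Inactive )" state shown by display time-range later on this page.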

Applying a Basic ACL

Basic ACLs can be used in device management, routing policies, multicast packet filtering, and QoS services.

Context

Table 3-3 describes the typical applications of basic ACLs.

Table 3-3 Typical applications of basic ACLs

Typical application: Device management
  Usage scenario: When a device functions as an FTP or TFTP server, configure a basic ACL on the device to allow only the clients that match specific ACL rules to access the server.
  Operation: For details on how to configure rights to access an FTP or TFTP server, see
    • Configuring FTP Access Control
    • Configuring TFTP Access Authority

  Usage scenario: Configure a basic ACL to restrict the incoming or outgoing calls on VTY user interfaces.
  Operation: For details on how to configure the restriction on incoming and outgoing calls on VTY user interfaces, see Setting Restrictions for Incoming and Outgoing Calls on VTY User Interfaces.

  Usage scenario: Specify an NMS and the manageable MIB objects for SNMP-based communication between the NMS and the managed device to improve communication security.
  Operation: For details on how to configure the NMS's right to access devices, see
    • Controlling the NM Station's Access to the Device (SNMPv1)
    • Controlling the NM Station's Access to the Device (SNMPv2)
    • Controlling the NM Station's Access to the Device (SNMPv3)

Typical application: Multicast packet filtering
  Usage scenario: To filter multicast packets, configure a basic ACL to receive or forward only the multicast packets that match the ACL rules.
  Operation: For details on how to filter multicast packets, see
    • Setting a Multicast Source Address Range
    • Setting a Legal C-RP Address Range
    • Setting a Legal BSR Address Range
    • Setting an SSM Group Address Range

Typical application: Routing policies
  Usage scenario: To control the reception and advertisement of routing information on a device, configure a basic ACL on the device to allow the device to receive or advertise only the routes that match the ACL rules.
  Operation: For details on how to control the reception and advertisement of routing information on a device, see
    • Applying Filters to the Received Routes
    • Controlling BGP to Receive Routes
    • Applying Filters to the Advertised Routes
    • Controlling BGP to Advertise Routes

Typical application: QoS services
  Usage scenario: To process different types of traffic, configure a basic ACL to perform traffic policing, traffic shaping, or traffic classification on traffic that matches the ACL rules.
  Operation: For details on how to process different types of traffic, see Configuring the Traffic Policing Policy, Configuring Traffic Shaping, and Configuring Traffic Behaviors.

Typical Cases of Applying a Basic ACL

  • Cases of applying a basic ACL in device management

    For example, a user configures a device as follows:
    • Configuring a basic ACL for FTP login
      acl number 2001 
       rule 5 deny source 192.168.2.100 0 
       rule 10 permit
      ftp acl 2001

      Matching result: Users with the IP address 192.168.2.100 are prohibited from logging in to the device using FTP.

    • Configuring a basic ACL for Telnet login
      acl number 2001 
       rule 5 permit source 192.168.2.100 0 
       rule 10 deny 
      user-interface vty 0 4 
       acl 2001 inbound

      Matching result: Only users with the IP address 192.168.2.100 are allowed to log in to the device using Telnet.

    • Configuring a basic ACL for SNMP login
      acl number 2001 
       rule 5 deny source 192.168.2.100 0 
       rule 10 permit
      snmp-agent community read cipher public acl 2001

      Matching result: Users with the IP address 192.168.2.100 are prohibited from logging in to the device using SNMP.

  • Case of applying a basic ACL in multicast packet filtering

    For example, a user configures a device as follows:
    acl number 2001
     rule 5 permit source 10.10.1.2 0
     rule 10 deny source 10.10.1.1 0
    pim
     source-policy 2001

    Matching result: The device permits multicast packets with the source address 10.10.1.2 and discards those with the source address 10.10.1.1.

  • Cases of applying a basic ACL in routing policies

    For example, a user configures a device as follows:
    • A routing policy of a routing protocol is used to filter routes.

      ip route-static 1.1.1.0 255.255.255.0 NULL0
      ip route-static 192.168.2.0 255.255.255.0 NULL0
      ip route-static 192.168.2.100 255.255.255.255 NULL0
      bgp 1
       peer 10.1.1.1 as-number 1
       ipv4-family unicast
        undo synchronization
        import-route static route-policy test
      peer 10.1.1.1 enable
      route-policy test permit node 0
       if-match acl 2001
      acl number 2001
       rule 5 permit source 192.168.2.100 0
       rule 10 deny source 1.1.1.0 0.0.0.255
      

      Matching result: Routes from the network segments 1.1.1.0 and 192.168.2.0 are filtered out, whereas the route 192.168.2.100 is permitted.

      NOTE:
      • Routes from the network segment 1.1.1.0 are filtered out, because the action defined in the ACL rule that the routes match is deny.
      • Routes from the network segment 192.168.2.0 do not match any specified ACL rules. By default, the device matches the routes with the last ACL rule. The action defined in the last ACL rule is deny, and therefore the routes are filtered out.
      • The route 192.168.2.100 is permitted, because the action defined in the ACL rule that the route matches is permit and the action defined in the routing policy is also permit.
      route-policy test permit node 0 
       if-match acl 2001 
       apply cost 100 
      route-policy test permit node 1 
       apply cost 200
      acl number 2001 
       rule 5 permit source 192.168.2.100 0 
      

      Matching result: The cost of the route 192.168.2.100 is changed to 100, whereas the costs of other routes are changed to 200.

      NOTE:
      In the preceding route-policy, permit is specified for node 0, the route 192.168.2.100/32 passes the check by the if-match clause, and the device takes the action (apply cost 100) specified in the apply clause. As a result, the cost of the route is changed to 100. The other routes do not pass the check by the if-match clause, and the device takes the action (apply cost 200) specified in node 1 in the route-policy. As a result, the costs of these routes are changed to 200.
      route-policy test deny node 0 
       if-match acl 2001 
       apply cost 100 
      route-policy test permit node 1 
       apply cost 200
      acl number 2001 
       rule 5 permit source 192.168.2.100 0 
      
      Matching result: The cost of the route 192.168.2.100/32 is not changed to 100.
      NOTE:
      In the preceding route-policy, deny is specified for node 0, the route 192.168.2.100/32 passes the check by the if-match clause, and the device does not take the action (apply cost 100) specified in the apply clause. As a result, the cost of the route is not changed to 100. The other routes do not pass the check by the if-match clause, and the device takes the action (apply cost 200) specified in node 1 in the route-policy. As a result, the costs of these routes are changed to 200.
    • A filtering policy of a routing protocol is used to filter routes.

      ip route-static 1.1.1.0 255.255.255.0 NULL0
      ip route-static 192.168.2.0 255.255.255.0 NULL0  
      ip route-static 192.168.2.100 255.255.255.255 NULL0 
      bgp 1
       peer 10.1.1.2 as-number 1 
       ipv4-family unicast 
        undo synchronization 
        filter-policy 2001 export 
        import-route static  
      peer 10.1.1.2 enable 
      acl number 2001
       rule 5 permit source 192.168.2.100 0 
       rule 10 deny source 1.1.1.0 0.0.0.255 
      

      Matching result: Routes from the network segments 1.1.1.0 and 192.168.2.0 are filtered out, whereas the route 192.168.2.100 is permitted.

      NOTE:
      • Routes from the network segment 1.1.1.0 are filtered out, because the action defined in the ACL rule that the routes match is deny.
      • Routes from the network segment 192.168.2.0 do not match any specified ACL rules. By default, the device matches the routes with the last ACL rule. The action defined in the last ACL rule is deny, and therefore the routes are filtered out.
      • The route 192.168.2.100 is permitted, because the action defined in the ACL rule that the route matches is permit and the action defined in the filtering policy is export.
  • Cases of applying a basic ACL in QoS services

    For example, a user configures a device as follows:
    • Configuring a basic ACL in firewall traffic behavior (packet filtering)
      acl number 2001
       rule 5 permit source 5.0.0.0 0.255.255.255
       rule 10 deny source 6.0.0.0 0.255.255.255
      traffic classifier acl 
       if-match acl 2001
      traffic behavior test
       deny
      traffic policy test
       classifier acl behavior test
      interface GigabitEthernet0/1/1
       traffic-policy test inbound
      GE 0/1/1 receives the following packets:
      • Packet 1 with the source IP address 5.0.0.1/24
      • Packet 2 with the source IP address 6.0.0.1/24
      • Packet 3 with the source IP address 7.0.0.1/24

      Matching result: Packets 1 and 2 are discarded but packet 3 is permitted.

    • Configuring a basic ACL in common traffic behavior
      acl number 2001
       rule 5 permit source 5.0.0.0 0.255.255.255
       rule 10 deny source 6.0.0.0 0.255.255.255
      traffic classifier acl 
       if-match acl 2001
      traffic behavior test
       remark ip-precedence 7
      traffic policy test
       classifier acl behavior test
      interface GigabitEthernet0/1/1
       traffic-policy test inbound
      GE 0/1/1 receives the following packets:
      • Packet 1 with the source IP address 5.0.0.1/24 and IP precedence 0
      • Packet 2 with the source IP address 6.0.0.1/24 and IP precedence 0
      • Packet 3 with the source IP address 7.0.0.1/24 and IP precedence 0

      Matching result: Packet 1 is permitted, and its IP precedence is re-marked 7; packet 3 is permitted, and its IP precedence remains 0; packet 2 is discarded.
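The routing-policy cases (route-policy nodes with if-match acl and apply cost, and filter-policy export) and the QoS cases (traffic classifier if-match acl with a deny or remark behavior) all hinge on the same question: did the address hit a permit rule, a deny rule, or no rule at all. The following Python is an added example, not Huawei's code, that reproduces the matching results stated above. It represents each ACL rule as (action, network), so "source 192.168.2.100 0" becomes 192.168.2.100/32 and "source 1.1.1.0 0.0.0.255" becomes 1.1.1.0/24 (contiguous wildcards only); the names acl_lookup, apply_route_policy, filter_policy_export and apply_traffic_policy are the example's own. The one behaviour it assumes beyond the text is that a route matching a deny node is dropped rather than passed on, which is the standard route-policy deny-node behaviour; the page itself only states that the cost of that route is not changed to 100.

```python
"""Added example (not Huawei's code): an 'if-match acl' lookup driving a
route-policy, a filter-policy export and a traffic policy, reproducing the
routing-policy and QoS cases above."""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, IPv4Network]        # ("permit" | "deny", network)
# Route-policy node: (mode, acl or None for an unconditional node, new cost or None)
Node = Tuple[str, Optional[List[Rule]], Optional[int]]


def acl_lookup(rules: List[Rule], addr: str) -> Optional[str]:
    """Config-order first match; None when no rule matches."""
    ip = ip_address(addr)
    for action, net in rules:
        if ip in net:
            return action
    return None


def apply_route_policy(nodes: List[Node], prefix: str, cost: int) -> Optional[int]:
    """Return the route's cost after the policy, or None if the route is rejected.
    'if-match acl' passes only when the prefix address hits a permit rule; a
    deny-rule hit or no hit fails the node and the next node is tried."""
    addr = str(ip_network(prefix).network_address)
    for mode, acl, new_cost in nodes:
        if acl is not None and acl_lookup(acl, addr) != "permit":
            continue
        if mode == "deny":
            return None               # matched a deny node: route dropped (assumed standard behaviour)
        return cost if new_cost is None else new_cost
    return None                       # no node matched: route rejected


def filter_policy_export(acl: List[Rule], prefix: str) -> bool:
    """'filter-policy <acl> export': advertise only prefixes hitting a permit rule."""
    return acl_lookup(acl, str(ip_network(prefix).network_address)) == "permit"


def apply_traffic_policy(acl: List[Rule], behavior: Dict, pkt: Dict) -> Optional[Dict]:
    """Traffic classifier 'if-match acl' plus a behavior. A permit-rule hit applies
    the behavior, a deny-rule hit discards the packet, no hit forwards it untouched.
    Returns the (possibly re-marked) packet, or None when it is discarded."""
    hit = acl_lookup(acl, pkt["src"])
    if hit == "deny" or (hit == "permit" and behavior.get("deny")):
        return None
    out = dict(pkt)
    if hit == "permit" and "remark_ip_precedence" in behavior:
        out["ip_precedence"] = behavior["remark_ip_precedence"]
    return out


# acl number 2001 of the routing-policy cases:
#   rule 5 permit source 192.168.2.100 0 / rule 10 deny source 1.1.1.0 0.0.0.255
ACL_ROUTES: List[Rule] = [("permit", ip_network("192.168.2.100/32")),
                          ("deny", ip_network("1.1.1.0/24"))]
# acl number 2001 of the QoS cases:
#   rule 5 permit source 5.0.0.0 0.255.255.255 / rule 10 deny source 6.0.0.0 0.255.255.255
ACL_QOS: List[Rule] = [("permit", ip_network("5.0.0.0/8")),
                       ("deny", ip_network("6.0.0.0/8"))]
# route-policy test permit node 0 (if-match acl 2001, apply cost 100), permit node 1 (apply cost 200)
POLICY_COST: List[Node] = [("permit", ACL_ROUTES, 100), ("permit", None, 200)]
# the same policy with 'deny' on node 0
POLICY_DENY0: List[Node] = [("deny", ACL_ROUTES, 100), ("permit", None, 200)]
# constructed sample packets for GE 0/1/1, as listed in the QoS cases
PACKETS = [{"src": "5.0.0.1", "ip_precedence": 0},
           {"src": "6.0.0.1", "ip_precedence": 0},
           {"src": "7.0.0.1", "ip_precedence": 0}]

if __name__ == "__main__":
    for p in ("1.1.1.0/24", "192.168.2.0/24", "192.168.2.100/32"):
        print(p, apply_route_policy(POLICY_COST, p, 0), apply_route_policy(POLICY_DENY0, p, 0))
    for pkt in PACKETS:
        print(pkt["src"], apply_traffic_policy(ACL_QOS, {"deny": True}, pkt),
              apply_traffic_policy(ACL_QOS, {"remark_ip_precedence": 7}, pkt))
```

The route 192.168.2.0/24 illustrates the non-match case from the notes above: its network address 192.168.2.0 hits neither rule, so if-match acl fails and the route falls through to whatever node or default follows, which is a rejection when no further node exists.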

Verifying the Configuration of a Basic ACL

After configuring a basic ACL, verify the configuration.

Prerequisites

A basic ACL has been configured.

Procedure

  • Run the display acl { acl-number | name acl-name | all } command to check basic ACL configurations.
  • Run the display time-range { time-name | all } command to check the configuration of a specified or all validity periods.

Example

Run the display acl command. The command output shows the ACL number, ACL rule number, ACL step, and rule contents.

<HUAWEI> display acl 2000
Basic ACL 2000, 1 rule
ACL's step is 5
 rule 5 deny source 10.1.1.1 0 (3 times matched)

Run the display time-range command. The command output shows the validity period configurations.

<HUAWEI> display time-range time1
Current time is 2006-3-15 14:19:16 Wednesday

Time-range : time1 ( Inactive )
 10:00 to 12:00 daily
Updated: 2019-01-02

Document ID: EDOC1100055376