NE20E-S2 V800R010C10SPC500 Configuration Guide - IP Services 01

Configuring an Advanced ACL6

An advanced ACL6 defines rules to filter packets.

Usage Scenario

Figure 11-5 Configuring an advanced ACL6

As shown in Figure 11-5, an advanced ACL6 is created on Device D so that Device D permits all ICMPv6 packets sent from Network B to Network C and denies all ICMPv6 packets sent from Network A to Network C.

Configuration Procedures

Figure 11-6 Flowchart for configuring an advanced ACL6

(Optional) Creating a Validity Period in Which an ACL6 Rule Takes Effect

You can create a validity period for an ACL6 rule to control network traffic in a specified period.

Context

To control certain types of traffic in a specified period, you can configure the validity period of an ACL6 rule to determine the time traffic passes through. For example, to ensure reliable transmission of video traffic at prime time at night, you need to limit the volume of traffic for common online users.

After this configuration task is performed, a time range is created. Then, you can specify the time range as the validity period when creating an ACL6 rule.

The validity period of an ACL6 rule can be either of the following types:

  • Absolute time range: The validity period is fixed.

  • Relative time range: The validity period is a periodic period, for example, each Monday.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run time-range time-name { start-time to end-time days &<1-7> | from time1 date1 [ to time2 date2 ] }

    A validity period is created.

    • You can configure up to 256 time ranges.
    • Up to 32 relative time ranges (periodic time ranges) and 12 absolute time ranges can share one time range name.

  3. Run commit

    The configuration is committed.

Creating an Advanced ACL6

You can create an advanced ACL6 and configure parameters for the ACL6.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run acl ipv6 { name advance-acl6-name [ advance ] | [ number ] advance-acl6-number } [ match-order { config | auto } ]

    An advanced ACL6 is created.

    The advanced ACL6 number ranges from 3000 to 3999.

  3. (Optional) Run step step

    An ACL6 step is set.

    You can use an ACL6 step to maintain ACL6 rules and add new ACL6 rules conveniently.
    NOTE:
    Assume that a user has created four rules numbered from 1 to 4 in an ACL6. The user can reconfigure the ACL6 step, for example, to 2 by running the step 2 command in the ACL6 view. The original rule numbers 1, 2, 3, and 4 are renumbered as 2, 4, 6, and 8, respectively. After that, the user can run the rule 3 xxxx command to add a rule numbered 3 between the renumbered rules 2 and 4.

  4. (Optional) Run description text

    The ACL6 description is configured.

    The description command configures a description for an ACL6 in any of the following situations:

    • A large number of ACL6s are configured, and their functions are difficult to identify.
  • An ACL6 is used at a long interval, and its function may have been forgotten.
    • Names of named ACL6s cannot fully explain the ACL6s' functions.

  5. Run commit

    The configuration is committed.

(Optional) Configuring an ACL IPv6 Address Pool

This section describes how to configure an ACL IPv6 address pool to filter packets based on the source IPv6 addresses of BGP peers.

Context

In typical ACL6 usage scenarios such as QoS or security services, to filter traffic based on the source IPv6 addresses of BGP peers, run the acl ipv6-pool command to create an ACL IPv6 address pool and run the apply bgp-peer command to associate the IPv6 addresses of BGP peers with the pool. Then reference the ACL IPv6 address pool in the QoS or security service so that packets are filtered based on the source IPv6 addresses of BGP peers.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run acl ipv6-pool pool-name

    An ACL IPv6 address pool is created, and the ACL IPv6 address pool view is displayed.

  3. Run apply bgp-peer [ public-vpn | all-private-vpn | vpn-instance vpn-instance-name ]

    The IPv6 addresses of BGP peers are associated with the ACL IPv6 address pool.

    NOTE:

    This command is applicable only to QoS or device security services.

  4. Run commit

    The configuration is committed.

Configuring an Advanced ACL6 Rule

Advanced ACL6 rules are defined based on the source IPv6 address, destination IPv6 address, protocol type carried over IPv6, source port, and destination port to filter packets.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run acl ipv6 { name advance-acl6-name [ advance ] | [ number ] advance-acl6-number } [ match-order { config | auto } ]

    The advanced ACL6 view is displayed.

  3. Run one of the following commands, depending on the protocol, to create an advanced ACL6 rule:

    • When protocol is specified as UDP, run:

      rule [ rule-id ] [ name rule-name ] { permit | deny } { protocol | udp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port operator port | fragment | source { { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-pool source-pool-name } | source-port operator port | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

    • When protocol is specified as TCP, run:

      rule [ rule-id ] [ name rule-name ] { permit | deny } { protocol | tcp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port operator port | fragment | source { { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-pool source-pool-name } | source-port operator port | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

    • When protocol is specified as ICMPv6, run:

      rule [ rule-id ] [ name rule-name ] { permit | deny } { protocol | icmpv6 } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | icmp6-type { icmp6-type-name | icmp6-type [ to icmp6-type-end ] [ icmp6-code ] } | source { { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-pool source-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

    • When protocol is specified as a protocol other than TCP, UDP, and ICMPv6, run:

      rule [ rule-id ] [ name rule-name ] { permit | deny } { protocol | gre | ipv6 | ipv6-ah | ipv6-esp | ospf } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | source { { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-pool source-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

    Adding new rules to an ACL6 will not affect the existing rules.

    When an existing rule is edited and the edited contents conflict with the original contents, the edited contents take effect.

    NOTE:

    When you configure an advanced ACL6:

    • If a destination IPv6 address is specified by configuring destination, a destination port number is specified by configuring destination-port, a source IPv6 address is specified by configuring source, and a source port number is specified by configuring source-port, the system filters only packets with the specified destination IPv6 address, destination port number, source IPv6 address, and source port number.

    • If all destination IPv6 addresses, destination port numbers, source IPv6 addresses, and source port numbers are specified by configuring any, the system does not check packets' destination IPv6 addresses, destination port numbers, source IPv6 addresses, and source port numbers, and considers that all packets have matched the rule and directly takes an action (deny or permit) on the packets.

    • If a validity period is specified by configuring time-range, the time range name specified by time-name must already exist. Otherwise, the configuration does not take effect.

  4. (Optional) Run rule description text

    The description for an ACL6 rule is configured.

    The description of an ACL6 rule can state the function of the rule. Configuring a description for an ACL6 rule is recommended to prevent misuse of the rule in the following situations:
    • A large number of ACL6 rules are configured, and their functions are difficult to identify.
    • A rule is used at a long interval, and its function may have been forgotten.

  5. Run commit

    The configuration is committed.
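The scenario in Figure 11-5, worked through as a CLI session on Device D. This is an added example and not configuration from the original guide; the device name, the ACL6 number 3001, the time range name night-window and the documentation prefixes assigned to Networks A, B and C (2001:DB8:A::/48, 2001:DB8:B::/48, 2001:DB8:C::/48) are all assumed. Lines beginning with # are annotations, not VRP commands.

```text
# --- (Optional) validity period: a relative time range for a nightly window ---
<DeviceD> system-view
[~DeviceD] time-range night-window 20:00 to 23:00 daily
# --- Create the advanced ACL6 (3001 lies in the 3000-3999 range) ---
# match-order config: rules are matched in the order they were configured.
[*DeviceD] acl ipv6 number 3001 match-order config
# step 5 leaves gaps (5, 10, 15 ...) so rules can be inserted later without renumbering.
[*DeviceD-acl6-adv-3001] step 5
[*DeviceD-acl6-adv-3001] description ICMPv6 filtering toward Network C
# Scenario rules: Network B may send ICMPv6 to Network C, Network A may not.
[*DeviceD-acl6-adv-3001] rule 5 permit icmpv6 source 2001:DB8:B::/48 destination 2001:DB8:C::/48
[*DeviceD-acl6-adv-3001] rule 10 deny icmpv6 source 2001:DB8:A::/48 destination 2001:DB8:C::/48
# A TCP rule that takes effect only inside the time range created above. The time
# range must already exist; otherwise the time-range keyword does not take effect.
[*DeviceD-acl6-adv-3001] rule 15 permit tcp source 2001:DB8:A::/48 destination 2001:DB8:C::/48 destination-port eq 443 time-range night-window
# Packets that match no rule are not dropped by the ACL6 itself; the service that
# references the ACL6 decides how they are handled, so state the filtering intent explicitly.
[*DeviceD-acl6-adv-3001] commit
[~DeviceD-acl6-adv-3001] quit
# --- Verify the committed configuration ---
[~DeviceD] display acl ipv6 3001
[~DeviceD] display time-range night-window
```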

Applying an Advanced ACL6

Advanced ACL6s can be used in device management, QoS services, multicast packet filtering, and routing policies.

Context

Table 11-4 describes the typical applications of advanced ACL6s.

Table 11-4 Typical applications of advanced ACL6s

Typical Application: Multicast packet filtering
Usage Scenario: To filter multicast packets, configure an advanced ACL6 to receive or forward only the multicast packets that match the ACL6 rules.
Operation: For details on how to filter multicast packets, see
  • Setting a Multicast Source Address Range
  • Setting a Legal C-RP Address Range
  • Setting a Legal BSR Address Range
  • Setting an SSM Group Address Range

Typical Application: Routing policies
Usage Scenario: To control the reception and advertisement of routing information on a device, configure an advanced ACL6 on the device to allow the device to receive or advertise only the routes that match the ACL6 rules.
Operation: For details on how to control the reception and advertisement of routing information on a device, see
  • Configuring OSPFv3 to Filter Received Routes
  • Configuring OSPFv3 to Filter the Routes to Be Advertised
  • Filtering IPv6 IS-IS Routes
  • Configuring IPv6 IS-IS to Import External Routes
  • Configuring a Policy for Advertising BGP4+ Routes
  • Configuring a Policy for Receiving BGP4+ Routes

Typical Application: QoS services
Usage Scenario: To process different types of traffic, configure an advanced ACL6 to perform traffic policing, traffic shaping, or traffic classification on traffic that matches the ACL6 rules.
Operation: For details on how to process different types of traffic, see Configuring the Traffic Policing Policy, Configuring Traffic Shaping, and Configuring Traffic Behaviors.

Verifying the Configuration of an Advanced ACL6

After configuring an advanced ACL6, verify the configuration.

Prerequisites

An advanced ACL6 has been configured.

Procedure

  • Run the display acl ipv6 { acl6-number | name acl6-name | all } command to check advanced ACL6 configurations.
  • Run the display time-range { time-name | all } command to check the configuration of a specified or all validity periods.

Example

Run the display acl ipv6 command. The command output shows the ACL6 number, ACL6 rule number, and rule contents.

<HUAWEI> display acl ipv6 3000
Advanced IPv6 ACL 3000, 3 rules
IPv6 ACL's step is 5
 rule 1 permit icmp (0 times matched)
 rule 5 permit ipv6 source 2001:DB8:100::/48 destination 2001:DB8:200::/48 (2 times matched)
 rule 10 permit tcp source 2001:DB8:1::/64 (1 times matched)

Run the display time-range command. The command output shows validity period configurations.

<HUAWEI> display time-range time1
Current time is 2006-3-15 14:19:16 Wednesday

Time-range : time1 ( Inactive )
 10:00 to 12:00 daily
Updated: 2019-01-02

Document ID: EDOC1100055376