
NE20E-S2 V800R010C10SPC500 Configuration Guide - IP Services 01

Configuring an Advanced ACL

An advanced ACL defines rules to filter packets.

Usage Scenario

Figure 3-5 Configuring an advanced ACL

As shown in Figure 3-5, an advanced ACL is created on Device D so that Device D permits all ICMP packets sent from Network B to Network C and denies all ICMP packets sent from Network A to Network C.

Configuration Procedures

Figure 3-6 Flowchart for configuring an advanced ACL

(Optional) Creating a Validity Period for an ACL Rule

You can create a validity period for an ACL rule to control network traffic in a specified period.

Context

To control certain types of traffic in a specified period, configure a validity period for an ACL rule; the rule then takes effect only at the times you specify. For example, to ensure reliable transmission of video traffic during evening prime time, limit the traffic volume of common online users during that period.

After this configuration task is performed, a time range is created. Then you can specify the time range as the validity period when creating an ACL rule.

The validity period of an ACL rule can be either of the following types:

  • Absolute time range: The validity period is fixed.

  • Relative time range: The validity period recurs periodically, for example, every Monday.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run time-range time-name { start-time to end-time days &<1-7> | from time1 date1 [ to time2 date2 ] }

    A validity period is created.

    • You can configure up to 256 time ranges.
    • Up to 32 relative time ranges (periodic time ranges) and 12 absolute time ranges can share one time range name.

  3. Run commit

    The configuration is committed.
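
The validity-period check these steps configure, as an added Python model (not Huawei's code) of how a time range decides whether it is active; it reproduces the Inactive status shown in the display time-range example at the end of this page. Assumed, because the page does not state them: working-day means Monday to Friday, absolute dates are written YYYY/MM/DD, and a range is active from its start time up to but excluding its end time.

```python
from datetime import datetime, time

# Day keywords accepted after the period (assumption: working-day = Mon-Fri,
# off-day = Sat-Sun; Python's Monday = 0).
DAY_SETS = {
    "daily": set(range(7)), "working-day": set(range(5)), "off-day": {5, 6},
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}

def parse_entry(spec):
    """Return ('periodic', start, end, days) or ('absolute', t1, t2).
    Periodic: 'start-time to end-time days' (e.g. '10:00 to 12:00 daily').
    Absolute: 'from time1 date1 [to time2 date2]'; YYYY/MM/DD is an assumed date format."""
    tok = spec.split()
    if tok[0] == "from":
        t1 = datetime.strptime(f"{tok[2]} {tok[1]}", "%Y/%m/%d %H:%M")
        if len(tok) == 3:
            return ("absolute", t1, datetime.max)   # open-ended when 'to' is omitted
        t2 = datetime.strptime(f"{tok[5]} {tok[4]}", "%Y/%m/%d %H:%M")
        return ("absolute", t1, t2)
    if len(tok) < 4 or tok[1] != "to":
        raise ValueError(f"unrecognised time-range entry: {spec!r}")
    days = set()
    for d in tok[3:]:
        days |= DAY_SETS[d]
    return ("periodic", time.fromisoformat(tok[0]), time.fromisoformat(tok[2]), days)

def is_active(entries, now):
    """A time range name may carry several entries. It is active when 'now' falls inside
    at least one periodic entry (if any exist) and inside at least one absolute entry
    (if any exist); start is inclusive and end exclusive (both are assumptions)."""
    if isinstance(now, str):                      # accept '2006-03-15 14:19' as well
        now = datetime.fromisoformat(now)
    parsed = [parse_entry(e) for e in entries]
    periodic = [p for p in parsed if p[0] == "periodic"]
    absolute = [p for p in parsed if p[0] == "absolute"]
    periodic_ok = not periodic or any(
        now.weekday() in days and start <= now.time() < end
        for _, start, end, days in periodic)
    absolute_ok = not absolute or any(t1 <= now < t2 for _, t1, t2 in absolute)
    return periodic_ok and absolute_ok

def status(entries, now):
    """Same wording as the page's 'display time-range' output."""
    return "Active" if is_active(entries, now) else "Inactive"

# The page's display example: current time 2006-3-15 14:19:16 (a Wednesday), time1 Inactive.
NOW = datetime(2006, 3, 15, 14, 19, 16)
TIME1 = ["10:00 to 12:00 daily"]
NO_HTTP = ["08:00 to 16:00 working-day"]    # the time range from the page's QoS case

if __name__ == "__main__":
    print("time1:", status(TIME1, NOW))      # Inactive
    print("no-http:", status(NO_HTTP, NOW))  # Active
```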

Creating an Advanced ACL

You can create an advanced ACL and configure parameters for the ACL.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run acl { name advance-acl-name { advance | [ advance ] number advance-acl-number } | [ number ] advance-acl-number } [ match-order { config | auto } ]

    An advanced ACL is created.

    The advanced ACL number ranges from 3000 to 3999.

  3. (Optional) Run step step

    An ACL step is set.

    You can use an ACL step to maintain ACL rules and add new ACL rules conveniently.
    NOTE:
    Assume that a user has created four rules numbered from 1 to 4 in an ACL. The user can reconfigure the ACL step, for example, to 2 by running the step 2 command in the ACL view. The original rule numbers 1, 2, 3, and 4 are renumbered as 2, 4, 6, and 8, respectively. After that, the user can run the rule 3 command to add a rule numbered 3 between the renumbered rules 2 and 4.

  4. (Optional) Run description text

    The ACL description is configured.

    The description command configures a description for an ACL in any of the following situations:

    • A large number of ACLs are configured, and their functions are difficult to identify.
    • An ACL is used at a long interval, and its function may be left forgotten.
    • Names of named ACLs cannot fully explain the ACLs' functions.

  5. Run commit

    The configuration is committed.

(Optional) Configuring an ACL IP Address Pool

An ACL IP address pool is applicable to the scenario in which multiple IP addresses need to be matched and reduces the configuration workload.

Context

In typical ACL usage scenarios, for example, in the policy-based routing scenario, both the source and destination IP addresses need to be matched. To implement policy-based routing using ACL rules that match both the source and destination IP addresses carried in packets, you must specify all possible combinations of source and destination IP addresses when configuring the ACL rules. On a large-scale network there are more than 10,000 such combinations, and it is impractical to manually configure an ACL rule for each of them.

To reduce the configuration workload, configure an ACL IP address pool. After an ACL IP address pool is configured, you only need to configure an ACL rule with a specified IP address pool name (pool-name) to match multiple IP addresses carried in packets.
NOTE:

In scenarios in which ACL rules are used to match both source and destination IP addresses carried in packets, run the acl ip-pool command to create an ACL source IP address pool (which includes all needed IP addresses) and an ACL destination IP address pool (which includes all needed destination IP addresses), respectively.

If you need to filter packets based on the source IP addresses of BGP peers, run the apply bgp-peer command to associate the IP addresses of BGP peers with the ACL/ACL IPv6 address pools to which these addresses belong. Then reference the ACL/ACL6 address pool in a QoS or device security service to filter packets based on the source IP addresses of BGP peers.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run acl ip-pool pool-name

    An ACL IP address pool is created and the IP address pool view is displayed.

  3. The address association of BGP peers and manual IP address configuration are mutually exclusive. Run one of the following commands:

    • Run the ip address ip-address { mask | mask-length } command to add IP addresses to the ACL IP address pool.

      If the ip address command is run more than once, all configurations take effect.

    • Run the apply bgp-peer [ public-vpn | all-private-vpn | vpn-instance vpn-instance-name ] command to associate IP addresses of BGP peers with the ACL IP address pool.

      NOTE:

      This command is applicable only to QoS or device security services.

  4. Run commit

    The configuration is committed.

(Optional) Configuring an ACL Port Pool

When multiple port numbers need to be matched to ACL rules, you can configure an ACL port pool to reduce the configuration workload.

Context

In typical ACL usage scenarios, such as a QoS traffic policy, a user may need to match multiple port numbers. To implement policy-based routing using advanced ACL rules that match multiple source and destination port numbers, the user needs to specify all possible combinations of source and destination port numbers when configuring ACL rules. On large-scale networks, tens of millions of ACL rules may need to be manually configured to match the port numbers, which is not viable.

To reduce the configuration workload, configure an ACL port pool. After an ACL port pool is configured, you only need to configure an ACL rule with a specified port pool name (pool-name) to match multiple port numbers.
NOTE:

When an ACL rule needs to match multiple source and destination port numbers, you need to run this command twice to create an ACL source port pool and an ACL destination port pool separately.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run acl port-pool pool-name

    An ACL port pool is created, and the ACL port pool view is displayed.

  3. Run one of the following commands: eq begin-port-number, neq begin-port-number, gt begin-port-number, lt end-port-number, or range begin-port-number end-port-number

    Port numbers are added to the ACL port pool.

  4. Run commit

    The configuration is committed.

Configuring an Advanced ACL Rule

Advanced ACL rules are defined based on packets' source IP address, destination IP address, protocol type carried over IP, source port, and destination port to filter packets.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run acl { name advance-acl-name { advance | [ advance ] number advance-acl-number } | [ number ] advance-acl-number } [ match-order { config | auto } ]

    The advanced ACL view is displayed.

  3. Run any of the following commands to create an ACL rule:

    • Create an advanced ACL rule when protocol is UDP.

      rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | udp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | { destination-port operator port-number | destination-port-pool destination-port-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | { source-port operator port-number | source-port-pool source-port-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *

    • Create an advanced ACL rule when protocol is TCP.

      rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | tcp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | { destination-port operator port-number | destination-port-pool destination-port-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | { source-port operator port-number | source-port-pool source-port-pool-name } | { tcp-flag | syn-flag } { tcp-flag [ mask mask-value ] | established | { ack [ fin | psh | rst | syn | urg ] * } | { fin [ ack | psh | rst | syn | urg ] * } | { psh [ fin | ack | rst | syn | urg ] * } | { rst [ fin | psh | ack | syn | urg ] * } | { syn [ fin | psh | rst | syn | urg ] * } | { urg [ fin | psh | rst | syn | urg ] * } } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *

    • Create an advanced ACL rule when protocol is ICMP.

      rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | icmp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | icmp-type { icmp-name | icmp-type [ to icmp-type-end ] [ icmp-code ] } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *

    • Create an advanced ACL rule when protocol is any protocol except TCP, UDP, and ICMP.

      rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | gre | ip | ipinip | igmp | ospf } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *

    Adding new rules to an ACL will not affect the existing rules.

    When an existing rule is edited and the edited contents conflict with the original contents, the edited contents take effect.

    NOTE:

    When you configure an advanced ACL:

    • If no VPN instance is specified (that is, vpn-instance is not configured in Step 3), the traffic belongs to the public network.

    • If a destination IP address is specified by configuring destination, a destination port number is specified by configuring destination-port, a source IP address is specified by configuring source, and a source port number is specified by configuring source-port, the system filters only packets with the specified destination IP address, destination port number, source IP address, and source port number.

    • If any is configured for the destination IP address, destination port number, source IP address, and source port number, the system does not check these fields in packets; every packet matches the rule, and the specified action (deny or permit) is taken directly.

    • If a validity period is specified by configuring time-range, the time range name specified by time-name must already exist. Otherwise, the rule configuration fails.

  4. (Optional) Run rule description text

    The description for an ACL rule is configured.

    The description of an ACL rule can contain the functions of the ACL rule. Configuring a description for an ACL rule is recommended to prevent misuse of the rule in the following situations:
    • A large number of ACLs are configured, and their functions are difficult to identify.
    • An ACL is used at a long interval, and its function may be left forgotten.

  5. Run commit

    The configuration is committed.

Applying an Advanced ACL

Advanced ACLs can be used in routing policies, multicast packet filtering, and QoS services.

Context

Table 3-4 describes the typical applications of advanced ACLs.

Table 3-4 Typical applications of advanced ACLs

  • Device management

    Usage scenario: Configure an advanced ACL to restrict the incoming or outgoing calls on VTY user interfaces.

    Operation: For details on how to configure the restriction on incoming and outgoing calls on VTY user interfaces, see Setting Restrictions for Incoming and Outgoing Calls on VTY User Interfaces.

  • Multicast packet filtering

    Usage scenario: To filter multicast packets, configure an advanced ACL to receive or forward only the multicast packets that match the ACL rules.

    Operation: For details on how to filter multicast packets, see the following sections:
      • Setting a Multicast Source Address Range
      • Setting a Legal C-RP Address Range
      • Setting a Legal BSR Address Range
      • Setting an SSM Group Address Range

  • Routing policies

    Usage scenario: To control the reception and advertisement of routing information on a device, configure an advanced ACL on the router so that the router receives or advertises only the routes that match the ACL rules.

    Operation: For details on how to control the reception and advertisement of routing information on a device, see the following sections:
      • Applying Filters to the Received Routes
      • Controlling BGP to Receive Routes
      • Applying Filters to the Advertised Routes
      • Controlling BGP to Advertise Routes

  • QoS services

    Usage scenario: To process different types of traffic, configure an advanced ACL to perform traffic policing, traffic shaping, or traffic classification on traffic that matches the ACL rules.

    Operation: For details on how to process different types of traffic, see Configuring the Traffic Policing Policy, Configuring Traffic Shaping, and Configuring Traffic Behaviors.

Typical Cases of Applying an Advanced ACL

  • Cases of applying an advanced ACL in device management

    For example, a user configures a device as follows:
    acl number 3001 
     rule 5 permit ip source 192.168.2.100 0 
     rule 10 deny ip source any
    user-interface vty 0 4 
     acl 3001 inbound
    Matching result: Only users with the IP address 192.168.2.100 are allowed to log in to the device using Telnet.
  • Case of applying an advanced ACL in multicast packet filtering

    For example, a user configures a device as follows:
    acl number 3001
     rule 5 permit ip source 10.10.1.2 0
     rule 10 deny ip source 10.10.1.1 0
    pim
     source-policy 3001

    Matching result: The device permits multicast packets with the source address 10.10.1.2 and discards those with the source address 10.10.1.1.

  • Cases of applying an advanced ACL in routing policies

    For example, a user configures a device as follows:
    • A routing policy of a routing protocol is used to filter routes.

      ip route-static 1.1.1.0 255.255.255.0 NULL0
      ip route-static 192.168.2.0 255.255.255.0 NULL0
      ip route-static 192.168.2.100 255.255.255.255 NULL0
      bgp 1
       peer 10.1.1.1 as-number 1
       ipv4-family unicast
        undo synchronization
        import-route static route-policy test
      peer 10.1.1.1 enable
      route-policy test permit node 0
       if-match acl advanced-acl
      acl name advanced-acl
       rule 5 permit ip source 192.168.2.100 0
       rule 10 deny ip source 1.1.1.0 0.0.0.255
      

      Matching result: Routes from the network segments 1.1.1.0 and 192.168.2.0 are filtered out, whereas the route 192.168.2.100 is permitted.

      NOTE:
      • Routes from the network segment 1.1.1.0 are filtered out, because the action defined in the ACL rule that the routes match is deny.
      • Routes from the network segment 192.168.2.0 do not match any specified ACL rules. By default, the device matches the routes with the last ACL rule. The action defined in the last ACL rule is deny, and therefore the routes are filtered out.
      • The route 192.168.2.100 is permitted, because the action defined in the ACL rule that the route matches is permit and the action defined in the routing policy is also permit.

      route-policy test permit node 0
       if-match acl advanced-acl
       apply cost 100
      route-policy test permit node 1
       apply cost 200
      acl name advanced-acl
       rule 5 permit ip source 192.168.2.100 0

      Matching result: The cost of the route 192.168.2.100 is changed to 100, whereas the costs of other routes are changed to 200.

      NOTE:
      In the preceding route-policy, permit is specified for node 0, the route 192.168.2.100/32 passes the check by the if-match clause, and the device takes the action (apply cost 100) specified in the apply clause. As a result, the cost of the route is changed to 100. The other routes do not pass the check by the if-match clause, and the device takes the action (apply cost 200) specified in node 1 in the route-policy. As a result, the costs of these routes are changed to 200.

      route-policy test deny node 0
       if-match acl advanced-acl
       apply cost 100
      route-policy test permit node 1
       apply cost 200
      acl name advanced-acl
       rule 5 permit ip source 192.168.2.100 0

      Matching result: The cost of the route 192.168.2.100/32 is not changed to 100.

      NOTE:
      In the preceding route-policy, deny is specified for node 0, the route 192.168.2.100/32 passes the check by the if-match clause, and the device does not take the action (apply cost 100) specified in the apply clause. As a result, the cost of the route is not changed to 100. The other routes do not pass the check by the if-match clause, and the device takes the action (apply cost 200) specified in node 1 in the route-policy. As a result, the costs of these routes are changed to 200.
    • A filtering policy of a routing protocol is used to filter routes.

      ip route-static 1.1.1.0 255.255.255.0 NULL0
      ip route-static 192.168.2.0 255.255.255.0 NULL0  
      ip route-static 192.168.2.100 255.255.255.255 NULL0 
      bgp 1
       peer 10.1.1.2 as-number 1 
       ipv4-family unicast 
        undo synchronization 
        filter-policy advanced-acl export 
        import-route static  
      peer 10.1.1.2 enable 
      acl name advanced-acl
       rule 5 permit ip source 192.168.2.100 0 
       rule 10 deny ip source 1.1.1.0 0.0.0.255 
      

      Matching result: Routes from the network segments 1.1.1.0 and 192.168.2.0 are filtered out, whereas the route 192.168.2.100 is permitted.

      NOTE:
      • Routes from the network segment 1.1.1.0 are filtered out, because the action defined in the ACL rule that the routes match is deny.
      • Routes from the network segment 192.168.2.0 do not match any specified ACL rules. By default, the device matches the routes with the last ACL rule. The action defined in the last ACL rule is deny, and therefore the routes are filtered out.
      • The route 192.168.2.100 is permitted, because the action defined in the ACL rule that the route matches is permit and the action defined in the filtering policy is export.
  • Cases of applying an advanced ACL in QoS services

    For example, a user configures a device as follows:
    • Configuring an advanced ACL in firewall traffic behavior (packet filtering)
      acl number 3000 
       rule 5 permit tcp destination-port eq domain 
       rule 10 permit udp destination-port eq dns 
       rule 15 permit icmp icmp-type echo 
       rule 20 permit icmp icmp-type echo-reply
      traffic classifier acl 
       if-match acl 3000
      traffic behavior test
       permit
      traffic policy test
       classifier acl behavior test
      interface GigabitEthernet0/1/1
       traffic-policy test inbound

      Matching result: DNS packets over TCP and UDP, ICMP Echo, and ICMP Echo Reply packets are permitted.

      acl number 3000 
       rule 5 permit ip source 10.108.0.0 0.0.0.255
       rule 10 deny ip source 10.108.0.0 0.0.255.255
      traffic classifier acl 
       if-match acl 3000
      traffic behavior test
       permit
      traffic policy test
       classifier acl behavior test
      interface GigabitEthernet0/1/1
       traffic-policy test inbound

      Matching result: IP packets from the network segment 10.108.0.0/24 are permitted, whereas those from the network segment 10.108.0.0/16 are denied.

      acl number 3000 
       rule permit tcp source 10.9.0.0 0.0.255.255 destination 10.8.160.0 0.0.0.255 destination-port eq www
      traffic classifier acl 
       if-match acl 3000
      traffic behavior test
       permit
      traffic policy test
       classifier acl behavior test
      interface GigabitEthernet0/1/1
       traffic-policy test inbound

      Matching result: Hosts in the 10.9.0.0 network segment are permitted to send WWW packets to hosts in the 10.8.160.0 network segment.

      time-range no-http 08:00 to 16:00 working-day 
      acl number 3000 
       rule 5 deny tcp source-port eq www time-range no-http 
       rule 10 deny tcp destination-port eq www time-range no-http
      traffic classifier acl 
       if-match acl 3000
      traffic behavior test
       permit
      traffic policy test
       classifier acl behavior test
      interface GigabitEthernet0/1/1
       traffic-policy test inbound

      Matching result: HTTP packets are denied from 08:00 to 16:00 on working days (Monday through Friday).

      acl number 3000 
       rule 5 permit tcp
      traffic classifier acl 
       if-match acl 3000
      traffic behavior test
       permit
      traffic policy test
       classifier acl behavior test
      interface GigabitEthernet0/1/1
       traffic-policy test inbound

      Matching result: TCP packets are permitted.

    • Configuring an advanced ACL in common traffic behavior
      acl number 3001
       rule 5 permit ip source 5.0.0.0 0.255.255.255
       rule 10 deny ip source 6.0.0.0 0.255.255.255
      traffic classifier acl 
       if-match acl 3001
      traffic behavior test
       remark ip-precedence 7
      traffic policy test
       classifier acl behavior test
      interface GigabitEthernet0/1/1
       traffic-policy test inbound
      GE 0/1/1 receives the following packets:
      • Packet 1 with the source IP address 5.0.0.1/24 and IP precedence 0
      • Packet 2 with the source IP address 6.0.0.1/24 and IP precedence 0
      • Packet 3 with the source IP address 7.0.0.1/24 and IP precedence 0

      Matching result: Packet 1 is permitted, and its IP precedence is re-marked 7; packet 3 is permitted, and its IP precedence remains 0; packet 2 is discarded.
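
Added example, not Huawei's code: a Python model of the advanced-ACL matching behind the rule syntax in Configuring an Advanced ACL Rule and the QoS cases above (wildcard masks, the bare wildcard 0, protocol and port operators, and the first-match order of match-order config). It assumes the IANA numbers for the www, domain and dns port keywords and parses only the keywords these cases use.

```python
import ipaddress
from dataclasses import dataclass

# Port keywords that appear in this page's rules (assumption: mapped to their IANA numbers).
PORT_NAMES = {"www": 80, "domain": 53, "dns": 53}
# Protocol keywords; 'ip' matches any IP protocol.
PROTO_NUM = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}

@dataclass
class Packet:
    src: str
    dst: str
    proto: int          # IP protocol number (6 = TCP, 17 = UDP, 1 = ICMP)
    sport: int = 0
    dport: int = 0

def wildcard_match(addr, base, wildcard):
    """A 0 bit in the wildcard must match, a 1 bit is don't-care; the bare
    wildcard '0' used in the page's rules means an exact host match."""
    w = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)

def parse_rule(line):
    """Parse the subset of 'rule' syntax used in the page's QoS cases: rule [id]
    {permit|deny} proto [source A W|any] [destination A W|any] [<side>-port op P]."""
    tok = line.split()
    i = 2 if tok[1].isdigit() else 1        # rule-id is optional
    rule = {"action": tok[i], "proto": tok[i + 1]}
    i += 2
    while i < len(tok):
        key = tok[i]
        if key in ("source", "destination"):
            if tok[i + 1] == "any":
                rule[key], i = None, i + 2
            else:
                rule[key], i = (tok[i + 1], tok[i + 2]), i + 3
        elif key in ("source-port", "destination-port"):
            port = PORT_NAMES.get(tok[i + 2]) or int(tok[i + 2])
            rule[key], i = (tok[i + 1], port), i + 3
        else:
            raise ValueError(f"keyword not modelled here: {key}")
    return rule

def port_match(op, want, have):
    return {"eq": have == want, "neq": have != want,
            "gt": have > want, "lt": have < want}[op]

def rule_matches(rule, pkt):
    proto = PROTO_NUM[rule["proto"]]
    if proto is not None and pkt.proto != proto:
        return False
    for key, value in (("source", pkt.src), ("destination", pkt.dst)):
        if rule.get(key) and not wildcard_match(value, *rule[key]):
            return False
    for key, value in (("source-port", pkt.sport), ("destination-port", pkt.dport)):
        if rule.get(key) and not port_match(rule[key][0], rule[key][1], value):
            return False
    return True

def evaluate(acl_lines, pkt):
    """match-order config: the first matching rule decides. Returns 'permit', 'deny' or
    None (no match: in the page's QoS cases such a packet is forwarded unchanged)."""
    for line in acl_lines:
        rule = parse_rule(line.strip())
        if rule_matches(rule, pkt):
            return rule["action"]
    return None

# ACLs copied from the page's QoS cases.
ACL_3001 = ["rule 5 permit ip source 5.0.0.0 0.255.255.255",
            "rule 10 deny ip source 6.0.0.0 0.255.255.255"]
ACL_3000_NET = ["rule 5 permit ip source 10.108.0.0 0.0.0.255",
                "rule 10 deny ip source 10.108.0.0 0.0.255.255"]
ACL_3000_WWW = ["rule permit tcp source 10.9.0.0 0.0.255.255 "
                "destination 10.8.160.0 0.0.0.255 destination-port eq www"]
```

Packets 1, 2 and 3 of the last case evaluate to permit, deny and None respectively, which is why packet 1 is re-marked, packet 2 discarded and packet 3 forwarded unchanged.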

Verifying the Configuration of an Advanced ACL

After configuring an advanced ACL, verify the configuration.

Prerequisites

An advanced ACL has been configured.

Procedure

  • Run the display acl { acl-number | name acl-name | all } command to check advanced ACL configurations.
  • Run the display time-range { time-name | all } command to check the configuration of a specified or all validity periods.

Example

Run the display acl command. The command output shows the ACL number, ACL rule number, ACL step, and rule contents.

<HUAWEI> display acl 3000
Advanced ACL 3000, 3 rules
ACL's step is 5
 rule 1 permit icmp (0 times matched)
 rule 5 permit ip source 1.1.1.1 0 destination 2.2.2.2 0 (2 times matched)
 rule 10 permit tcp source 10.110.0.0 0.0.255.255 (1 times matched)

Run the display time-range command. The command output shows validity period configurations.

<HUAWEI> display time-range time1
Current time is 2006-3-15 14:19:16 Wednesday

Time-range : time1 ( Inactive )
 10:00 to 12:00 daily

Updated: 2019-01-02

Document ID: EDOC1100055376