S12700 V200R013C00 Command Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
Reflective ACL Commands

NOTE:

X series cards do not support reflective ACL.

Command Support

Commands provided in this section and all the parameters in the commands are supported by all switch models by default, unless otherwise specified. For details, see specific commands.

display traffic-reflect

Function

The display traffic-reflect command displays information about a reflective ACL.

Format

display traffic-reflect { inbound | outbound } [ interface interface-type interface-number ] [ acl { adv-acl-name | adv-acl-number } ]

Parameters

  • inbound
    Description: Displays information about the reflective ACL on a private interface.
    Value: -
  • outbound
    Description: Displays information about the reflective ACL on a public interface.
    Value: -
  • interface interface-type interface-number
    Description: Indicates the interface to which the reflective ACL is applied. interface-type specifies the type of an interface; interface-number specifies the number of an interface.
    Value: -
  • acl
    Description: Indicates the ACL.
    Value: -
  • adv-acl-name
    Description: Specifies the name of an advanced ACL.
    Value: Case-sensitive string of 1 to 64 characters without spaces. The name starts with a letter and can contain letters, numbers, and special characters such as #, %, and -.
  • adv-acl-number
    Description: Specifies the number of an advanced ACL.
    Value: Integer that ranges from 3000 to 3999.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

If no interface or ACL is specified in this command, information about all reflective ACLs applied to inbound traffic or outbound traffic on the interfaces is displayed.

The meanings of the SP, DP, SIP, and DIP fields in the command output depend on whether inbound or outbound is specified.
  • When inbound is specified, SP and SIP indicate the source port number and IP address on the intranet, and DP and DIP indicate the destination port number and IP address on the extranet.
  • When outbound is specified, SP and SIP indicate the source port number and IP address on the extranet, and DP and DIP indicate the destination port number and IP address on the intranet.

Example

# Display information about the reflective ACL related to ACL 3001.

<HUAWEI> display traffic-reflect outbound acl 3001
Proto  SP   DP   DIP             SIP             Count   Timeout  Interface
------------------------------------------------------------------------------
UDP    2    80   10.1.1.1        10.2.2.2        9       5(s)     Eth-Trunk2
------------------------------------------------------------------------------
* Total <1> flows accord with condition, <1> items was displayed.
------------------------------------------------------------------------------
* Proto=Protocol,SIP=Source IP,DIP=Destination IP,Timeout=Time to cutoff,
* SP=Source port,DP=Destination port,Count=Packets count(data).
Table 14-22  Description of the display traffic-reflect command output

  • Proto: Protocol type, which can be UDP, TCP, or ICMP.
  • SP: Source port number.
  • DP: Destination port number.
  • DIP: Destination IP address.
  • SIP: Source IP address.
  • Count: Number of packets matching the reflective ACL.
  • Timeout: Remaining time before the reflective ACL expires. To configure this aging time, run the traffic-reflect timeout time-value command.
  • Interface: Interface to which a reflective ACL is applied.

traffic-reflect

Function

The traffic-reflect command enables the reflective ACL function and sets the aging time of a reflective ACL on an interface.

The undo traffic-reflect command disables the reflective ACL function.

By default, the reflective ACL function is disabled.

After enabling the reflective ACL function, by default, the aging time of a reflective ACL on an interface is the same as the global aging time of the reflective ACL.

Format

traffic-reflect { inbound | outbound } acl { adv-acl-name | adv-acl-number } [ timeout time-value ]

undo traffic-reflect { inbound | outbound } acl { adv-acl-name | adv-acl-number }

NOTE:

X series cards do not support this command.

Parameters

  • inbound
    Description: Indicates the internal interface.
    Value: -
  • outbound
    Description: Indicates the external interface.
    Value: -
  • adv-acl-name
    Description: Specifies the name of an advanced ACL.
    Value: Case-sensitive string of 1 to 64 characters without spaces. The name starts with a letter and can contain letters, numbers, and special characters such as #, %, and -.
  • adv-acl-number
    Description: Specifies the number of an advanced ACL.
    Value: Integer that ranges from 3000 to 3999.
  • timeout time-value
    Description: Specifies the aging time of the reflective ACL.
    Value: Integer that ranges from 60 to 2147483, in seconds.

Views

40GE interface view, 100GE interface view, GE interface view, XGE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Reflective ACL is an application of dynamic ACL. It controls user access according to the upper-layer session information in IP packets. Reflective ACL allows a host on the public network to access a host on the private network only if it has been accessed by that same host. Therefore, reflective ACL protects the internal network of an enterprise against attacks from unauthorized external users.

The traffic-reflect command is applicable only to advanced ACLs. Reflective ACL entries are generated only for TCP, UDP, and ICMP packets.

According to the matching rule, the reflective ACL is implemented as follows:

  • When the interface configured with the reflective ACL function receives a TCP or UDP packet, the interface automatically creates an ACL entry. In the ACL entry, the source IP address and source port number are the destination IP address and destination port number of the packet; the destination IP address and destination port number are the source IP address and source port number of the packet.
  • When the interface configured with the reflective ACL function receives an ICMP packet matching the advanced ACL, the reflective ACL denies the ICMP Echo Request packets sent from the destination end and permits the ICMP Echo Reply packets sent from the destination end.
  • The protocol type in the reflective ACL is the same as the protocol type of the packet that triggers the reflective ACL.

Prerequisites

An advanced ACL has been configured.

Precautions

If you have run the traffic-reflect command to set the aging time of the reflective ACL on an interface, the aging time on the interface takes effect. Otherwise, the aging time set using the traffic-reflect timeout command in the system view takes effect.

Example

# Configure the reflective ACL function in the outbound direction on GE 1/0/1 so that inbound TCP packets can be sent to the internal network from the external network.

<HUAWEI> system-view 
[HUAWEI] acl 3000 
[HUAWEI-acl-adv-3000] rule permit tcp 
[HUAWEI-acl-adv-3000] quit 
[HUAWEI] interface gigabitethernet 1/0/1 
[HUAWEI-GigabitEthernet1/0/1] traffic-reflect outbound acl 3000

traffic-reflect timeout

Function

The traffic-reflect timeout command sets the global aging time of reflective ACLs.

The undo traffic-reflect timeout command restores the default global aging time of reflective ACLs.

By default, the global aging time of reflective ACLs is 300 seconds.

Format

traffic-reflect timeout time-value

undo traffic-reflect timeout

Parameters

  • time-value
    Description: Specifies the global aging time of reflective ACLs.
    Value: Integer that ranges from 60 to 2147483, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

If you have run the traffic-reflect command to set the aging time of the reflective ACL on an interface, the aging time on the interface takes effect. Otherwise, the aging time set using the traffic-reflect timeout command in the system view takes effect.

If the interface receives packets matching the reflective ACL within the aging time, the reflective ACL is retained. If the interface does not receive any packets matching the reflective ACL within the aging time, the reflective ACL is deleted.

If the traffic volume is large, you can shorten the aging time so that the reflective ACL will be aged out quickly. When the traffic volume is small, you can increase the aging time accordingly so that the reflective ACL will be aged slowly.

Example

# Set the global aging time of the reflective ACL to 600 seconds.

<HUAWEI> system-view 
[HUAWEI] traffic-reflect timeout 600
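To make the entry-creation rules in the traffic-reflect usage guidelines and the aging rules above concrete, here is an added Python model (example code written for this page, not Huawei's implementation): a permitted outbound packet creates a reflected entry with the two ends swapped, return packets are checked against it, matching traffic refreshes the entry, expired entries are dropped, and the remaining entries are listed in the column order of display traffic-reflect. The Packet and ReflectiveAcl names, the interface-versus-global timeout handling and the sample addresses are constructed for illustration.

```python
from dataclasses import dataclass

GLOBAL_TIMEOUT = 300  # default global aging time in seconds (traffic-reflect timeout)


@dataclass(frozen=True)
class Packet:
    proto: str            # "TCP", "UDP" or "ICMP"
    sip: str
    sp: int               # source port (constructed as 0 for ICMP)
    dip: str
    dp: int
    icmp_type: str = ""   # "echo-request" or "echo-reply" for ICMP packets


class ReflectiveAcl:
    """Toy model of the reflective ACL on one interface (assumption: not device code)."""

    def __init__(self, acl_protos, if_timeout=None):
        self.acl_protos = set(acl_protos)   # protocols the advanced ACL permits
        # An aging time set on the interface wins; otherwise the global one applies.
        self.timeout = if_timeout if if_timeout is not None else GLOBAL_TIMEOUT
        self.entries = {}                   # reflected 5-tuple -> [expiry, match count]

    def observe(self, pkt, now):
        """A permitted TCP/UDP/ICMP packet creates a reflected entry with src/dst swapped."""
        if pkt.proto not in ("TCP", "UDP", "ICMP") or pkt.proto not in self.acl_protos:
            return None
        key = (pkt.proto, pkt.dip, pkt.dp, pkt.sip, pkt.sp)   # same protocol, ends swapped
        self.entries[key] = [now + self.timeout, 0]
        return key

    def permits(self, pkt, now):
        """Decide a return packet: a match refreshes the entry; expired entries are deleted."""
        self._age(now)
        key = (pkt.proto, pkt.sip, pkt.sp, pkt.dip, pkt.dp)
        if key not in self.entries:
            return False
        if pkt.proto == "ICMP" and pkt.icmp_type == "echo-request":
            return False   # only Echo Reply from the destination end is permitted
        entry = self.entries[key]
        entry[0], entry[1] = now + self.timeout, entry[1] + 1
        return True

    def display(self, now):
        """Rows in display traffic-reflect order: Proto, SP, DP, DIP, SIP, Count, Timeout."""
        self._age(now)
        return [(k[0], k[2], k[4], k[3], k[1], c, t - now) for k, (t, c) in self.entries.items()]

    def _age(self, now):
        self.entries = {k: v for k, v in self.entries.items() if v[0] > now}
```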
Updated: 2019-04-09

Document ID: EDOC1100065659