Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configuration of security features, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, and security risks.
Configuring an Advanced ACL6 Rule

Context

An ACL6 classifies packets by matching packet information against its rules. After an advanced ACL6 is created, configure rules in the advanced ACL6.

NOTE:

When the device receives a packet, it matches the packet against ACL rules one by one based on the configuration order. Once the packet matches a rule in an ACL rule group, the device stops the matching process and performs the action specified in the matching rule on the packet.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run acl ipv6 { [ number ] acl6-number | name acl6-name [ advance ] }

    An advanced ACL6 is created, and the advanced ACL6 view is displayed.

    The parameter acl6-number specifies the number of an advanced ACL6. The value ranges from 3000 to 3999.

    By default, no ACL6 is created.

  3. Configure the rules of the advanced ACL6 as required, depending on the protocol type over IPv6.

    • If the value of protocol is UDP, run the following command to create ACL6 rules:

      rule [ rule-id ] [ name rule-name ] { deny | permit } protocol [ dscp dscp | destination { destination-ipv6-address { prefix-length | destination-wildcard } | destination-ipv6-address/prefix-length | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | fragment | source { source-ipv6-address { prefix-length | source-wildcard } | source-ipv6-address/prefix-length | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | vpn-instance vpn-instance-name ] *

      NOTE:

      The ACL can match the packets with UDP port number 65535 only when VXLAN is configured. If VXLAN is not configured, the ACL does not take effect.

    • When the TCP protocol is used, run:

      rule [ rule-id ] [ name rule-name ] { deny | permit } protocol [ dscp dscp | destination { destination-ipv6-address { prefix-length | destination-wildcard } | destination-ipv6-address/prefix-length | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | fragment | source { source-ipv6-address { prefix-length | source-wildcard } | source-ipv6-address/prefix-length | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { tcp-flag [ mask mask-value ] | established | { ack | fin | psh | rst | syn | urg } * } | time-range time-name | vpn-instance vpn-instance-name ] *

      NOTE:

      CE6880EI and CE5880EI do not support the tcp-flag parameter.

    • When the ICMPv6 protocol is used, run:

      rule [ rule-id ] [ name rule-name ] { deny | permit } protocol [ dscp dscp | destination { destination-ipv6-address { prefix-length | destination-wildcard } | destination-ipv6-address/prefix-length | any } | fragment | icmp6-type { icmp6-type-name | icmp6-type [ icmp6-code ] } | source { source-ipv6-address { prefix-length | source-wildcard } | source-ipv6-address/prefix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *

    • When a protocol other than TCP, UDP, and ICMPv6 is used, run:

      rule [ rule-id ] [ name rule-name ] { deny | permit } protocol [ dscp dscp | destination { destination-ipv6-address { prefix-length | destination-wildcard } | destination-ipv6-address/prefix-length | any } | fragment | source { source-ipv6-address { prefix-length | source-wildcard } | source-ipv6-address/prefix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *

    NOTE:

    When you configure an advanced ACL6:

    • If all destination IPv6 addresses and source IPv6 addresses are specified (any in Step 3), the system does not check the destination or source IPv6 addresses of packets.

    • When you specify the time-range parameter to reference a time range in the ACL, the ACL cannot be bound to that time range if the specified time-name does not exist.

  4. (Optional) Run rule rule-id description description

    The description of an advanced ACL6 rule is configured.

    By default, no description is configured for an ACL rule.

    You are not allowed to configure the description for a rule that has not been created.

  5. Run commit

    The configuration is committed.
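
The procedure above, worked through as an added example that is not part of the original guide. It assumes the protocol keywords tcp, udp and icmpv6, ACL6 number 3001, and constructed addresses from the 2001:db8::/32 documentation prefix; lines beginning with # are annotations for the reader, not commands.

```text
# Steps 1-2: enter the system view and create advanced ACL6 3001 (range 3000-3999).
system-view
acl ipv6 number 3001

# Step 3, TCP: the specific permit comes first, so SSH from the admin
# subnet (constructed: 2001:db8:10::/64) matches before the broader deny.
rule 5 permit tcp source 2001:db8:10::/64 destination 2001:db8:20::5/128 destination-port eq 22

# Every other source is denied on the same destination port.
rule 10 deny tcp source any destination 2001:db8:20::5/128 destination-port eq 22

# TCP packets of already established connections to the server.
# The tcp-flag parameter is not supported on CE6880EI and CE5880EI.
rule 15 permit tcp source any destination 2001:db8:20::5/128 tcp-flag established

# Step 3, ICMPv6: echo request (type 128, code 0) from the admin subnet only.
rule 20 permit icmpv6 source 2001:db8:10::/64 destination 2001:db8:20::5/128 icmp6-type 128 0

# Step 3, UDP: deny SNMP (destination port 161) towards the server from any source.
rule 25 deny udp source any destination 2001:db8:20::5/128 destination-port eq 161

# Step 4: describe a rule that already exists (rule 5 was created above).
rule 5 description Admin-SSH-to-mgmt-server

# Step 5: commit the configuration.
commit
```

Because matching stops at the first rule a packet hits, placing the deny of rule 10 ahead of the permit of rule 5 would cause SSH packets from the admin subnet to match the deny, and the permit would never be evaluated for them.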

Updated: 2019-04-20

Document ID: EDOC1100074765