No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring an Advanced ACL Rule

Configuring an Advanced ACL Rule

Context

An advanced ACL classifies packets by matching packet information against its rules. After an advanced ACL is created, configure rules in the advanced ACL.

NOTE:

When the device receives a packet, it matches the packet against ACL rules one by one based on the configuration order. Once the packet matches a rule in an ACL rule group, the device stops the matching process and performs the action specified in the matching rule on the packet.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run acl { [ number ] acl-number | name acl-name [ [ number ] acl-number | advance ] }

    An advanced ACL is created, and the advanced ACL view is displayed.

    The parameter acl-number specifies the number of an advanced ACL. The value ranges from 3000 to 3999.

    By default, no ACL is created.

  3. Configure an advanced ACL rule based on the protocol type.

    • When the UDP protocol is used, run:

      rule [ rule-id ] [ name rule-name ] { deny | permit } protocol [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | { destination-port { eq port | gt port | lt port | range port-start port-end } | destination-port-pool destination-port-pool-name } | fragment-type fragment | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | { source-port { eq port | gt port | lt port | range port-start port-end } | source-port-pool source-port-pool-name } | time-range time-name | vpn-instance vpn-instance-name | ttl-expired | logging ] *

      NOTE:

      The ACL can match the packets with UDP port number 65535 only when VXLAN is configured. If VXLAN is not configured, the ACL does not take effect.

    • When the TCP protocol is used, run:

      rule [ rule-id ] [ name rule-name ] { deny | permit } protocol [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | { destination-port { eq port | gt port | lt port | range port-start port-end } | destination-port-pool destination-port-pool-name } | fragment-type fragment | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | { source-port { eq port | gt port | lt port | range port-start port-end } | source-port-pool source-port-pool-name } | tcp-flag { tcp-flag [ mask mask-value ] | established } | time-range time-name | vpn-instance vpn-instance-name | ttl-expired | logging ] *

    • When the ICMP protocol is used, run:

      rule [ rule-id ] [ name rule-name ] { deny | permit } protocol [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | fragment-type fragment | icmp-type { icmp-name | icmp-type [ icmp-code ] } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | time-range time-name | vpn-instance vpn-instance-name | ttl-expired | logging ] *

    • When the IGMP protocol is used, run:

      rule [ rule-id ] [ name rule-name ] { deny | permit } protocol [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | fragment-type fragment | igmp-type igmp-type | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | time-range time-name | vpn-instance vpn-instance-name | ttl-expired | logging ] *

    • When other protocols are used, run:

      rule [ rule-id ] [ name rule-name ] { deny | permit } protocol [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | fragment-type fragment | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | time-range time-name | vpn-instance vpn-instance-name | ttl-expired | logging ] *

    NOTE:

    When you configure an advanced ACL rule:

    • If all destination IP addresses and source IP addresses are specified (any in Step 3), the system will not check packets' destination IP addresses or source IP addresses.

    • When you specify the parameter time-range to reference a time range to the ACL, the ACL cannot be bound to the specified time range if the specified time-name does not exist.

  4. (Optional) Run rule rule-id description description

    The description of an advanced ACL rule is configured.

    By default, no description is configured for an ACL rule.

    You are not allowed to configure the description for a rule that has not been created.

  5. Run commit

    The configuration is committed.

Translation
Download
Updated: 2019-04-20

Document ID: EDOC1100074765

Views: 27739

Downloads: 96

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next