ACL Config

S7700 V200R019C10 Web-based Configuration Guide

This document describes how to configure and maintain devices through the web NMS client, including device status statistics, SVF, interface, Ethernet switching, IP service, IP routing, security, ACL, AAA, system management, QoS, WLAN, diagnosis service, and EasyDeploy.

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

ACL Config

This node is only available in the NAC unified and non-NETCONF modes.

ACL Config
ACLv6 Config
UCL Config
Validity Time Range
Device Access Control

Procedure

Query an ACL.
1. Click Configuration in the function area. Choose Security Services > ACL Config > ACL Config to open the ACL Config page.
2. Set the search criteria.
3. Click to display all matching records.

Create an ACL.

Click Configuration in the function area. Choose Security Services > ACL Config > ACL Config to open the ACL Config page.

Click Create to open the Create ACL page, as shown in Figure 5-144.

Figure 5-144 Create ACL

Table 5-77 describes the parameters on the page.

Table 5-77 Create ACL

Parameter		Description
ACL name		Indicates the name of an ACL. The ACL name must be unique. NOTE: The value is a string starting with a letter, without spaces. Either an ACL number or an ACL name is required to identify an ACL. When you modify an ACL, the ACL name cannot be changed.
ACL number		Indicates the number of an ACL. It identifies an ACL. The value is an integer that ranges from 3000 to 3999. NOTE: When you modify an ACL, the ACL number cannot be changed. Either an ACL number or an ACL name is required to identify an ACL.
ACL description		Indicates the description of an ACL. It is optional.

Click OK.

Modify an ACL.
1. Click Configuration in the function area. Choose Security Services > ACL Config > ACL Config to open the ACL Config page.
2. Select an ACL and click Modify.
  - Table 5-77 describes the parameters on the page.
  - The ACL name and number cannot be changed.
Delete an ACL.
1. Click Configuration in the function area. Choose Security Services > ACL Config > ACL Config to open the ACL Config page.
2. Select an ACL and click Delete. If the ACL contains rules, the system prompts you that the rules in the ACL will be deleted and asks you whether to delete the ACL.
3. Click OK. If the operation succeeds, the system returns to the ACL Config page; otherwise, an error message is displayed.

Add rules.

Click Configuration in the function area. Choose Security Services > ACL Config > ACL Config to open the ACL Config page.

Select an ACL and click Add Rule.

Figure 5-145 shows the Add Rule page.

Figure 5-145 Add Rule

Table 5-78 describes the parameters for adding rules.

Table 5-78 Add Rule

Parameter		Description
Action		Indicates whether to permit or deny packets. The default action is permit.
Protocol type		Indicates the type of the protocol. It is mandatory. The protocol types include: GRE(47) ICMP(1) IGMP(2) IP IPINIP(4) OSPF(89) TCP(6) UDP(17) Customized type NOTE: The text box is valid only when the protocol type is customized.
Match IP	Source IP/Wildcard	Indicates the IP address and wildcard. By default, all source IP addresses are specified.
Match IP	Destination IP/Wildcard	Indicates the IP address and wildcard. By default, all destination IP addresses are specified.
Match Packet Priority	IP precedence	Indicates that the packets are filtered according to the precedence field.
	TOS	Indicates that packets are filtered according to the Type of Service (ToS).
	DSCP	Specifies the Differentiated Services Code Point (DSCP). NOTE: If you set the IP precedence or TOS, the DSCP priority cannot be set. If you set the DSCP priority, the IP precedence or TOS cannot be set.
Matching Interface	Source port number	This parameter is valid only when the protocol type is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched.
Matching Interface	Dest port number	This parameter is valid only when the protocol type is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched.
Set Time	Time range	Indicates the time range when the ACL takes effect. NOTE: The time range name is displayed on the configuration result page.

Click OK.

Modify a rule.
1. Click Configuration in the function area. Choose Security Services > ACL Config > ACL Config to open the ACL Config page.
2. Select an ACL and click to expand the ACL rules.
3. Click of a rule to modify the rule. Table 5-78 describes the parameters on the page.
Click and to change the order of the rule, and click Apply to make the new order take effect.
Delete a rule.
1. Click Configuration in the function area. Choose Security Services > ACL Config > ACL Config to open the ACL Config page.
2. Select an ACL and click to expand the ACL rules.
3. Click of a rule to delete the rule. In the dialog box that is displayed, click OK.

ACLv6 Config

Procedure

Query an ACLv6.
1. Click Configuration in the function area. Choose Security Services > ACL Config > ACLv6 Config to open the ACLv6 Config page.
2. Set the search criteria.
3. Click to display all matching records.

Create an ACLv6.

Click Configuration in the function area. Choose Security Services > ACL Config > ACLv6 Config to open the ACLv6 Config page.

Click Create to open the Create ACLv6 page, as shown in Figure 5-146.

Figure 5-146 Create ACLv6

Table 5-79 describes the parameters on the page.

Table 5-79 Create ACLv6

Parameter		Description
ACL name		Indicates the name of an ACL. The ACL name must be unique. NOTE: The value is a string starting with a letter, without spaces. Either an ACL number or an ACL name is required to identify an ACL. When you modify an ACL, the ACL name cannot be changed.
ACL number		Indicates the number of an ACL. It identifies an ACL. The value is an integer that ranges from 3000 to 3999. NOTE: When you modify an ACL, the ACL number cannot be changed. Either an ACL number or an ACL name is required to identify an ACL.

Click OK.

Delete an ACLv6.
1. Click Configuration in the function area. Choose Security Services > ACL Config > ACLv6 Config to open the ACLv6 Config page.
2. Select an ACL and click Delete. If the ACL contains rules, the system prompts you that the rules in the ACL will be deleted and asks you whether to delete the ACL.
3. Click OK. If the operation succeeds, the system returns to the ACLv6 Config page; otherwise, an error message is displayed.

Add rules.

Click Configuration in the function area. Choose Security Services > ACL Config > ACLv6 Config to open the ACLv6 Config page.

Select an ACL and click Add Rule.

Figure 5-147 shows the Add Rule page.

Figure 5-147 Add Rule

Table 5-80 describes the parameters for adding rules.

Table 5-80 Add Rule

Parameter		Description
Action		Indicates whether to permit or deny packets. The default action is permit.
Protocol type		Indicates the type of the protocol. It is mandatory. The protocol types include: GRE ICMPv6 NOTE: The following text boxes are valid only when the type is set to ICMPv6: IPv6 OSPF TCP UDP Customized type NOTE: The text box is valid only when the protocol type is customized.
Match IP	Source IPv6 address/prefix length	Indicates the source IPv6 address length and prefix length.
Match IP	Destination IPv6 address/prefix length	Indicates the destination IPv6 address length and prefix length.
Matching Interface	Source port number	This parameter is valid only when the protocol type is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched.
Matching Interface	Dest port number	This parameter is valid only when the protocol type is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched.
Set Time	Time range	Indicates the time range when the ACL takes effect. NOTE: The time range name is displayed on the configuration result page.

Click OK.

Modify a rule.
1. Click Configuration in the function area. Choose Security Services > ACL Config > ACLv6 Config to open the ACLv6 Config page.
2. Select an ACL and click to expand the ACL rules.
3. Click of a rule to modify the rule. Table 5-80 describes the parameters on the page.
Click and to change the order of the rule, and click Apply to make the new order take effect.
Delete a rule.
1. Click Configuration in the function area. Choose Security Services > ACL Config > ACLv6 Config to open the ACLv6 Config page.
2. Select an ACL and click to expand the ACL rules.
3. Click of a rule to delete the rule. In the dialog box that is displayed, click OK.

UCL Config

Procedure

Query ACLs.
1. Click Configuration in the function area. Choose Security Services > ACL Config > UCL Config to open the UCL Config page.
2. Set the search criteria.
3. Click to display all matching records.

Create an ACL.

Click Configuration in the function area. Choose Security Services > ACL Config > UCL Config to open the UCL Config page.

Click Create to open the Create ACL page, as shown in Figure 5-148.

Figure 5-148 Create ACL

Table 5-81 describes the parameters on the page.

Table 5-81 Create ACL

Parameter		Description
ACL name		Indicates the name of an ACL. The ACL name must be unique. NOTE: The value is a string starting with a letter, without spaces. Either an ACL number or an ACL name is required to identify an ACL. When you modify an ACL, the ACL name cannot be changed.
ACL number		Indicates the number of an ACL. It identifies an ACL. The value is an integer that ranges from 6000 to 9999. NOTE: When you modify an ACL, the ACL number cannot be changed. Either an ACL number or an ACL name is required to identify an ACL.
ACL description		Indicates the description of an ACL. It is optional.

Click OK.

Modify an ACL.
1. Click Configuration in the function area. Choose Security Services > ACL Config > UCL Config to open the UCL Config page.
2. Select an ACL and click Modify.
  - Table 5-81 describes the parameters on the page.
  - The ACL name and number cannot be changed.
Delete an ACL.
1. Click Configuration in the function area. Choose Security Services > ACL Config > UCL Config to open the UCL Config page.
2. Select an ACL and click Delete. If the ACL contains rules, the system prompts you that the rules in the ACL will be deleted and asks you whether to delete the ACL.
3. Click OK. If the operation succeeds, the system returns to the UCL Config page; otherwise, an error message is displayed.

Add a rule.

Click Configuration in the function area. Choose Security Services > ACL Config > UCL Config to open the UCL Config page.

Click Add Rule of an ACL.

If the ACL is a UCL, the rule page is displayed as shown in Figure 5-149.

Figure 5-149 Add Rule

Table 5-82 describes the parameters for adding rules.

Table 5-82 Add Rule

Parameter		Description
Action		Indicates whether to permit or deny packets. The default action is permit.
Protocol type		Indicates the type of the protocol. It is mandatory. The ACL types include: GRE(47) ICMP(1) IGMP(2) IP IPINIP(4) OSPF(89) TCP(6) UDP(17) Customized type NOTE: The text box is valid only when the UCL type is customized.
Source	Source IP/Wildcard	Indicates the IP address and wildcard. The source IP address and wildcard are in dotted decimal format. NOTE: If the source IP address and wildcard are not specified, any source IP address is matched.
Source	Source user group	Indicates the source user group of packets. Select the following operations: To specify the source UCL group, click . To create a source UCL group, click . To modify the source UCL group, click . To delete the source UCL group, click .
Destination	Destination IP/Wildcard	Indicates the destination IP address and wildcard in packets. The destination IP address and wildcard are in dotted decimal format. NOTE: If the destination IP address and wildcard are not specified, any destination IP address is matched.
Destination	Dest user group	Indicates the destination user group of packets. Select the following operations: To specify the destination UCL group, click . To create a destination UCL group, click . To modify the destination UCL group, click . To delete the destination UCL group, click .
Matching Interface	Source port number	This parameter is valid only when the protocol type is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched.
Matching Interface	Destination port number	This parameter is valid only when the protocol type is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched.
Set Time	Time range	Indicates the time range when the ACL takes effect. NOTE: The time range name is displayed on the configuration result page.

Click OK.

Modify a rule.
1. Click Configuration in the function area. Choose Security Services > ACL Config > UCL Config to open the UCL Config page.
2. Select an ACL and click to expand the ACL rules.
3. Click of a rule to modify the rule. Table 5-82 describes the parameters on the page.
Click and to change the order of the rule, and click Apply to make the new order take effect.
Delete a rule.
1. Click Configuration in the function area. Choose Security Services > ACL Config > UCL Config to open the UCL Config page.
2. Select an ACL and click to expand the ACL rules.
3. Click of a rule to delete the rule. In the dialog box that is displayed, click OK.

Validity Time Range

Context

A time range specifies a period of time. In practice, users may want certain ACL rules to be valid during a certain period but be invalid out of the period. That is, the ACL rules are used to filter packets based on the time range. In this case, you can set one or more time ranges, and apply the time ranges to a created ACL. Then, packets can be filtered based on the set time ranges.
An effective period can contain periodic time ranges and valid period. A periodic time range takes effect on a certain day in a week. A validity period contains the start time and the end time.

Procedure

Create a time range.

Click Configuration in the function area. Choose Security Services > ACL Config > Validity Time Range to open the Validity Time Range page.

Click Create to open the Create Time Range page, as shown in Figure 5-150.

Figure 5-150 Create Time Range

Table 5-83 describes the parameters on the page.

Table 5-83 Create Time Range

Parameter	Description
Time range name	Indicates the name of the created time range. It is mandatory.
Time Range	Indicates a validity period. A validity period contains the start time and the end time. You can configure multiple validity periods by clicking . To delete validity periods, select the records you want to delete and click . NOTE: If only one validity period is created, the validity period takes effect when the current time is within it.
Validity Time	Indicates the periodic time range. A periodic time range takes effect on a certain day in a week. You can configure multiple periodic time ranges by clicking . To delete time ranges, select the records you want to delete and click . NOTE: If only one periodic time range is created, the time range takes effect when the current time is within the periodic time range.

Set the required parameters.
- If an effective period contains both time range and validity time, the effective period takes effect only when the current time is within the time range and validity time.
- The start time and end time of the time range can be earlier than the current time.
- Either the time range or validity time must be set.
Click OK.

Modify a time range.
1. Click Configuration in the function area. Choose Security Services > ACL Config > Validity Time Range to open the Validity Time Range page.
2. Click a time range name to open the Modify Time Range page, as shown in Figure 5-151.
  Figure 5-151 Modify Time Range
  - Table 5-83 describes the parameters on the page.
  - The time range name cannot be modified.
  - The time range and validity time can only be deleted, but cannot be modified.
3. Set the required parameters.
4. Click OK.
Delete a time range.
1. Click Configuration in the function area. Choose Security Services > ACL Config > Validity Time Range to open the Validity Time Range page.
2. Select a record that you want to delete and click Delete. The system asks you whether to delete the record.
  - To select a record, click the checkbox of the record.
  - To delete records in batches, click the checkboxes of records.
3. Click OK.

Device Access Control

Context

When a switch functions as an HTTPS server, you can configure an ACL on the switch to allow only the specified clients to log in to the switch through HTTPS. This function improves system security.

When a switch functions as a Telnet server, you can configure an ACL on the switch to allow only the specified Telnet clients to log in to the switch through Telnet.

When you use a network management system (NMS) to manage the switch, configure SNMP ACL on the switch so that only the specified NMS can access the switch. This effectively improves switch security.

The ACL configured on this page must have pre-defined rules.

Procedure

Choose Configuration > Security Services > ACL Config > Device Access Control to access the Device Access Control page, as shown in Figure 5-152.

Figure 5-152 Access control page

Table 5-84 describes parameters on the page.

Table 5-84 Parameters on access control page

Item	Description
HTTP ACL
ACL	Uses a specified ACL to control access to the HTTPS server.
Telnet ACL
ACL	Uses a specified ACL to control access to the Telnet server.
SNMP ACL
ACL	Uses a specified ACL to control SNMP access.

Set the configuration options and click Apply. Click OK in the displayed dialog box to complete the configuration. To clear the configuration, click Clear Settings.

ACL Config
ACLv6 Config
UCL Config
Validity Time Range
Device Access Control

Translation

简体中文

Download

Updated: 2022-05-20

Document ID: EDOC1100126882

Downloads: 138

Average rating:

This Document Applies to these Products

Related Version

Digital Signature File

Digital Signature Authentication Mode

Enterprise

Huawei Cloud

Carrier

Consumer

Corporate

This document describes how to configure and maintain devices through the web NMS client, including device status statistics, SVF, interface, Ethernet switching, IP service, IP routing, security, ACL, AAA, system management, QoS, WLAN, diagnosis service, and EasyDeploy.

ACL Config

ACL Config

Procedure

ACLv6 Config

Procedure

UCL Config

Procedure

Validity Time Range

Context

Procedure

Device Access Control

Context

Procedure

Related Version

Related Documents

Digital Signature File