Configuring ACLs 1
Overview 1
ACL categories 1
Numbering and Naming ACLs 1
Match order 1
Rule numbering 2
Fragments filtering with ACLs 3
Configuration task list 3
Configuring a basic ACL 4
Configuring an IPv4 basic ACL 4
Configuring an IPv6 basic ACL 4
Configuring an advanced ACL 5
Configuring an IPv4 advanced ACL 5
Configuring an IPv6 advanced ACL 6
Configuring an Ethernet frame header ACL 7
Configuring a user-defined ACL 8
Copying an ACL 8
Configuring IPv6 for the ACL hardware mode 9
Configuring packet filtering with ACLs 9
Applying an ACL to filter packets globally 9
Setting the interval for generating and outputting packet filtering logs 11
Configuring ACLs
A switch can operate in standalone mode (the default) or IRF mode. For more information about the IRF
mode, see IRF Configuration Guide.
Overview
An access control list (ACL) is a set of rules (permit or deny statements) for identifying traffic based on
criteria such as source IP address, destination IP address, and port number.
ACLs are primarily used for packet filtering. "Configuring packet filtering with ACLs" provides an
example. You can also use ACLs in QoS, security, routing, and other feature modules to identify traffic.
Whether a matching packet is dropped or forwarded depends on the module that uses the ACL.
ACL categories
Category     ACL number     IP version   Match criteria
Basic ACLs   2000 to 2999   IPv4         Source IPv4 address
                            IPv6         Source IPv6 address
Match order
The rules in an ACL are sorted in a specific order. When a packet matches a rule, the device stops the
match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting
rules, the matching result and action to take depend on the rule order.
The following ACL match orders are available:
- config: Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a
rule with a higher ID. If you use this approach, carefully check the rules and their order.
- auto: Sorts ACL rules in depth-first order. Depth-first ordering makes sure any subset of a rule is
always matched before the rule. Table 1 lists the sequence of tie breakers that depth-first ordering
uses to sort rules for each type of ACL.
NOTE:
The match order of user-defined ACLs can only be config.
A wildcard mask, also called an inverse mask, is a 32-bit binary number represented in dotted decimal
notation. In contrast to a network mask, the 0 bits in a wildcard mask represent "do care" bits, and the
1 bits represent "don't care" bits. If the "do care" bits in an IP address are identical to the "do care" bits
in an IP address criterion, the IP address matches the criterion. All "don't care" bits are ignored. The 0s
and 1s in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a valid wildcard mask.
Rule numbering
ACL rules can be manually numbered or automatically numbered. This section describes how automatic
ACL rule numbering works.
Rule numbering step
If you do not assign an ID to the rule you are creating, the system automatically assigns it a rule ID. The
rule numbering step sets the increment by which the system automatically numbers rules. For example, the
default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are
automatically numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can
insert between two rules.
By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility of
inserting rules in an ACL. This feature is important for a config-order ACL, where ACL rules are matched
in ascending order of rule ID.
Configuring a basic ACL
This section describes procedures for configuring IPv4 and IPv6 basic ACLs.
Step   Command   Remarks
2. Create an IPv6 basic ACL view and enter its view.
   Command: acl ipv6 number acl-number [ name acl-name ] [ match-order { auto | config } ]
   Remarks: By default, no ACL exists. IPv6 basic ACLs are numbered in the range of 2000 to 2999.
   You can use the acl ipv6 name acl-name command to enter the view of a named ACL.
3. (Optional.) Configure a description for the IPv6 basic ACL.
   Command: description text
   Remarks: By default, an IPv6 basic ACL has no ACL description.
4. (Optional.) Set the rule numbering step.
   Command: step step-value
   Remarks: The default setting is 5.
Step   Command   Remarks
3. (Optional.) Configure a description for the IPv4 advanced ACL.
   Command: description text
   Remarks: By default, an IPv4 advanced ACL has no ACL description.
4. (Optional.) Set the rule numbering step.
   Command: step step-value
   Remarks: The default setting is 5.
Step   Command   Remarks
4. (Optional.) Set the rule numbering step.
   Command: step step-value
   Remarks: The default setting is 5.
Step   Command   Remarks
5. Create or edit a rule.
   Command: rule [ rule-id ] { deny | permit } [ cos vlan-pri | counting | dest-mac dest-address dest-mask
   | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac source-address
   source-mask | time-range time-range-name ] *
   Remarks: By default, an Ethernet frame header ACL does not contain any rule. The lsap keyword is not
   supported in the current software version. The keyword is reserved for future support.
Copying an ACL
You can create an ACL by copying an existing ACL (source ACL). The new ACL (destination ACL) has the
same properties and content as the source ACL, but not the same ACL number and name.
To successfully copy an ACL, make sure:
- The destination ACL number is from the same category as the source ACL number.
- The source ACL already exists, but the destination ACL does not.
To copy an ACL:
Step   Command
1. Enter system view.
   Command: system-view
Devices with different IPv6 states for the ACL hardware mode cannot form an IRF fabric. For more information
about IRF, see IRF Configuration Guide.
When the switch has EC or EF cards, you can enable or disable IPv6 for the ACL hardware mode as
needed:
- When IPv6 is disabled for the ACL hardware mode, the EC or EF card supports only IPv4 basic,
IPv4 advanced, and Ethernet frame header ACLs.
- When IPv6 is enabled for the ACL hardware mode, the EC or EF card supports IPv4 basic, IPv4
advanced, Ethernet frame header, IPv6 basic, IPv6 advanced, and user-defined ACLs.
Enabling or disabling IPv6 for the ACL hardware mode changes the ACL rule length and the maximum
number of ACL rules supported on EC and EF cards, and might invalidate the existing ACL configuration. Use
this feature with caution.
To enable or disable IPv6 for the ACL hardware mode:
NOTE:
User-defined ACLs cannot be used to filter outgoing packets.
NOTE:
You can apply up to 32 ACLs to the same direction of all physical interfaces.
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
NOTE:
You can apply up to 32 ACLs to the same direction of an interface.
When you use the packet-filter command in VLAN interface view to filter the outgoing IPv4 packets, the
command takes effect on only Layer 3 unicast packets.
Setting the interval for generating and outputting packet
filtering logs
After you set the interval, the device periodically generates packet filtering logs and sends them to the
information center, including the number of matching packets and the matched ACL rules. For more
information about information center, see Network Management Configuration Guide.
To set the interval for generating and outputting packet filtering logs:
Step   Command   Remarks
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable hardware-count for the packet filtering default action on the interface.
   Command: packet-filter default { inbound | outbound } hardware-count
   Remarks: By default, hardware-count is disabled for the packet filtering default action.
Task   Command
Display ACL configuration and match statistics.
   Command: display acl [ ipv6 ] { acl-number | all | name acl-name }
IPv4 ACL configuration example
Network requirements
A company interconnects its departments through a switch A. Configure an ACL to:
Permit access from the President's office at any time to the salary server.
Deny access from any other department to the salary server during office hours (from 8:00 to 18:00)
on working days.
Figure 1 Network diagram
Configuration procedure
1. Create a periodic time range from 8:00 to 18:00 on working days.
<Switch> system-view
[Switch] time-range trname 8:00 to 18:00 working-day
2. Define ACLs:
# Create ACL 3000, and configure an ACL rule for it.
[Switch] acl number 3000
[Switch-acl-adv-3000] rule 1 permit ip source 129.111.1.2 0.0.0.0 destination
129.110.1.2 0.0.0.0
[Switch-acl-adv-3000] quit
# Create ACL 3001, and configure an ACL rule for it.
[Switch] acl number 3001
[Switch-acl-adv-3001] rule 1 permit ip source any destination 129.110.1.2 0.0.0.0
time-range trname
[Switch-acl-adv-3001] quit
3. Define a QoS policy and apply the policy to ports:
# Create traffic classes and define traffic behaviors.
[Switch] traffic classifier test_permit
[Switch-classifier-test_permit] if-match acl 3000
[Switch-classifier-test_permit] quit
[Switch] traffic behavior test_permit
[Switch-behavior-test_permit] filter permit
[Switch-behavior-test_permit] quit
[Switch] traffic classifier test_deny
[Switch-classifier-test_deny] if-match acl 3001
[Switch-classifier-test_deny] quit
[Switch] traffic behavior test_deny
[Switch-behavior-test_deny] filter deny
[Switch-behavior-test_deny] quit
# Create a QoS policy.
[Switch] qos policy test
[Switch-qospolicy-test] classifier test_permit behavior test_permit
[Switch-qospolicy-test] classifier test_deny behavior test_deny
[Switch-qospolicy-test] quit
# Apply the QoS policy to ports GigabitEthernet 4/0/1 through GigabitEthernet 4/0/3 in the
inbound direction.
[Switch] interface gigabitethernet 4/0/1
[Switch-GigabitEthernet4/0/1] qos apply policy test inbound
[Switch-GigabitEthernet4/0/1] quit
[Switch] interface gigabitethernet 4/0/2
[Switch-GigabitEthernet4/0/2] qos apply policy test inbound
[Switch-GigabitEthernet4/0/2] quit
[Switch] interface gigabitethernet 4/0/3
[Switch-GigabitEthernet4/0/3] qos apply policy test inbound
[Switch-GigabitEthernet4/0/3] quit
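As an added illustration that is not part of the guide, the following Python models how ACL 3000, ACL 3001 and the QoS policy above decide a packet's fate, using the wildcard-mask and first-match (config-order) semantics described under "Match order". It assumes that the working-day time range covers Monday to Friday from 8:00 up to but not including 18:00, and that traffic matching no classifier is forwarded; the test addresses and times are constructed.

```python
import ipaddress

def wildcard_match(addr, criterion, wildcard):
    """Comware wildcard (inverse) mask: 0 bits are "do care", 1 bits are "don't care".
    The bits may be noncontiguous, so 0.255.0.255 is a valid mask."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    c = int(ipaddress.IPv4Address(criterion))
    return a & care == c & care

def working_day_active(weekday, hour, minute):
    """Periodic range 'time-range trname 8:00 to 18:00 working-day'.
    Assumption: weekday 0-4 is Monday-Friday, active while 8:00 <= time < 18:00."""
    return weekday < 5 and (8, 0) <= (hour, minute) < (18, 0)

# Rule tuples: (action, src, src_wildcard, dst, dst_wildcard, time_range_check).
# "any" is the same as 0.0.0.0 with an all-ones wildcard mask.
ANY = ("0.0.0.0", "255.255.255.255")
ACL_3000 = [("permit", "129.111.1.2", "0.0.0.0", "129.110.1.2", "0.0.0.0", None)]
ACL_3001 = [("permit", *ANY, "129.110.1.2", "0.0.0.0", working_day_active)]

def acl_matches(acl, src, dst, when):
    """Config-order matching: the first matching rule decides; a rule whose
    time range is inactive is skipped. Returns the rule action or None."""
    for action, s, s_wc, d, d_wc, trange in acl:
        if trange is not None and not trange(*when):
            continue
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return None

# QoS policy "test": classifiers are evaluated in the order they were added,
# and a classifier matches only the packets that its ACL permits.
POLICY = [(ACL_3000, "permit"), (ACL_3001, "deny")]

def policy_decision(src, dst, when):
    """Assumption: traffic that matches no classifier is forwarded ("permit")."""
    for acl, behavior in POLICY:
        if acl_matches(acl, src, dst, when) == "permit":
            return behavior
    return "permit"

if __name__ == "__main__":
    tue_10am, tue_8pm = (1, 10, 0), (1, 20, 0)  # constructed (weekday, hour, minute)
    print(policy_decision("129.111.1.2", "129.110.1.2", tue_10am))  # President: permit
    print(policy_decision("129.111.2.7", "129.110.1.2", tue_10am))  # other dept: deny
    print(policy_decision("129.111.2.7", "129.110.1.2", tue_8pm))   # after hours: permit
```

Because test_permit is evaluated before test_deny, a packet from the President's office is never reached by the deny classifier; swapping the two classifier lines would shadow ACL 3000 during office hours.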
Configuration procedure
# Create ACL 2000, and define an ACL rule for it.
<Switch> system-view
[Switch] acl ipv6 number 2000
[Switch-acl6-basic-2000] rule permit source 4050::9000/120
[Switch-acl6-basic-2000] quit
# Define a class and a traffic behavior to permit packets with source addresses in the range 4050::9000
to 4050::90FF.
[Switch] traffic classifier c_permit
[Switch-classifier-c_permit] if-match acl ipv6 2000
[Switch-classifier-c_permit] quit
[Switch] traffic behavior b_permit
[Switch-behavior-b_permit] filter permit
[Switch-behavior-b_permit] quit
# Apply the QoS policy to port GigabitEthernet 4/0/1 in the inbound direction.
[Switch] interface gigabitethernet 4/0/1
[Switch-GigabitEthernet4/0/1] qos apply policy test inbound
[Switch-GigabitEthernet4/0/1] quit
Configuration procedure
# Create a time range named study, and set it to be active from 08:00 to 18:00 every day.
<Switch> system-view
[Switch] time-range study 8:00 to 18:00 daily
[Switch-vlan2] quit
# Create an ACL rule to deny IPv4 packets sourced from 192.168.1.2/32, and configure the rule to log
packet filtering events and count rule matches.
[Switch-acl-basic-2009] rule 5 deny source 192.168.1.2 0 time-range study logging counting
[Switch-acl-basic-2009] quit
# Enable the switch to generate and output IPv4 packet filtering logs at 10-minute intervals.
[Switch] acl logging frequence 10
# Edit ACL rule 5 in ACL 2009 to deny IPv4 packets sourced from 192.168.1.3/32. The rule takes effect
on VLAN-interface 2 immediately after the modification. (The switch supports dynamic modification of
ACLs in use.)
[Switch] acl number 2009
[Switch-acl-basic-2009] rule 5 deny source 192.168.1.3 0