1 ACL Configuration 1-1
  ACL Overview 1-1
    ACL Matching Order 1-1
    Ways to Apply an ACL on a Device 1-2
    Types of ACLs Supported by Devices 1-3
  ACL Configuration 1-3
    Configuring Time Range 1-3
    Configuring Basic ACL 1-5
    Configuring Advanced ACL 1-6
    Configuring Layer 2 ACL 1-7
  ACL Assignment 1-8
    Assigning an ACL Globally 1-9
    Assigning an ACL to a VLAN 1-9
    Assigning an ACL to a Port Group 1-10
    Assigning an ACL to a Port 1-10
  Displaying and Maintaining ACL 1-11
  Examples for Upper-layer Software Referencing ACLs 1-11
    Example for Controlling Telnet Login Users by Source IP 1-11
    Example for Controlling Web Login Users by Source IP 1-12
  Examples for Applying ACLs to Hardware 1-13
    Basic ACL Configuration Example 1-13
    Advanced ACL Configuration Example 1-13
    Layer 2 ACL Configuration Example 1-14
    Example for Applying an ACL to a VLAN 1-15
ACL Configuration
The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a WX3000. The sample output information in this manual was created on the WX3024. The output information on your device may vary.
ACL Overview
As networks and their traffic grow, security control and bandwidth assignment play an increasingly important role in network management. Filtering packets prevents unauthorized users from accessing the network while also controlling traffic and saving network resources. Access control lists (ACLs) filter packets against configured matching rules: on receiving a packet, the device compares it with the rules of the ACL applied on the current port and permits or discards it accordingly. The rules of an ACL can also be referenced by other functions that need traffic classification, such as QoS.
ACLs classify packets using a series of conditions known as rules. The conditions can be based on the source addresses, destination addresses and port numbers carried in the packets. According to their purpose, ACLs fall into the following four types:
- Basic ACL. Rules are created based on source IP addresses only.
- Advanced ACL. Rules are created based on Layer 3 and Layer 4 information such as source and destination IP addresses, the protocol carried by IP, and protocol-specific features.
- Layer 2 ACL. Rules are created based on Layer 2 information such as source and destination MAC addresses, VLAN priority, and Layer 2 protocol type.
- User-defined ACL. Rules match packets by comparing bytes retrieved from the packet with a specified string. A rule specifies, relative to the packet header, the byte offset at which the comparison starts and the mask that is ANDed with the packet bytes before they are compared.
ACL Matching Order
An ACL can match packets in one of two orders:
- config: rules in the ACL are matched in the order defined by the user.
- auto: rules in the ACL are matched in the order determined by the system, namely the depth-first rule.
For the depth-first rule, there are two cases:
If rule A and rule B are still the same after comparison in the above order, weighting principles decide their priority order. Each parameter is given a fixed weighting value, and this weighting value together with the value of the parameter itself decides the final matching order. The parameters involved, with weighting values from high to low, are icmp-type, established, dscp, tos, precedence and fragment. The comparison rules are:
- The remaining weighting value of a rule is a fixed weighting value minus the weighting value of every parameter in the rule; the smaller the remaining value, the higher the match priority.
- If multiple rules carry the same types of parameters, the sum of the parameters' weighting values determines the priority; the smaller the sum, the higher the match priority.
Ways to Apply an ACL on a Device
An ACL can be applied to hardware directly for packet filtering. When an ACL is applied in this way, you can specify the order in which its rules are matched: config, where the rules are matched in the order defined by the user, or auto, where the rules are matched in the depth-first order determined by the system. The match order cannot be modified once it is determined, unless you delete all the rules in the ACL and define the match order again.
An ACL can also be referenced by upper-layer software:
- Referenced by routing policies
- Used to control Telnet, SNMP and Web login users
When an ACL is applied directly to hardware for packet filtering, the device permits packets that match no rule of the ACL. When an ACL is referenced by upper-layer software to control Telnet, SNMP and Web login users, the device denies packets that match no rule of the ACL. The two defaults are opposite, so the same ACL behaves differently in the two roles: an ACL containing only deny rules blocks just the named sources when applied to a port, but locks out every source when applied to a VTY user interface; conversely, an ACL containing only permit rules filters nothing on a port, and is the usual shape for a login allow-list.
ACL Configuration
Configuring Time Range
Time ranges can be used to filter packets. You can specify a time range for each rule in an ACL; a time range-based rule takes effect only in the specified time range, that is, only after the time range is configured and the system time falls within it. Two types of time range are available:
- Periodic time range, which recurs on the specified day or days of the week.
- Absolute time range, which takes effect only during one period of time and does not recur.
An absolute time range on a device can be within the range 1970/1/1 00:00 to 2100/12/31 24:00.
Configuration Procedure
Follow these steps to configure a time range:
1. Enter system view: system-view
2. Configure a time range (required): time-range time-name { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date }
Note that:
- If only a periodic time section is defined in a time range, the time range is active only when the system time is within the defined periodic time section.
- If multiple periodic time sections are defined in a time range, the time range is active only when the system time is within one of the periodic time sections.
- If only an absolute time section is defined in a time range, the time range is active only when the system time is within the defined absolute time section.
- If multiple absolute time sections are defined in a time range, the time range is active only when the system time is within one of the absolute time sections.
- If both a periodic time section and an absolute time section are defined in a time range, the time range is active only when both the periodic time section and the absolute time section are matched. Assume that a time range contains an absolute time section ranging from 00:00 January 1, 2004 to 23:59 December 31, 2004, and a periodic time section ranging from 12:00 to 14:00 on every Wednesday. This time range is active only when the system time is within the range from 12:00 to 14:00 on a Wednesday in 2004.
- If the start time is not specified, the time section starts from 1970/1/1 00:00 and ends on the specified end date. If the end date is not specified, the time section starts from the specified start date and ends at 2100/12/31 23:59.
Configuration Example
# Define a periodic time range that spans from 8:00 to 18:00 on Monday through Friday.
<device> system-view
[device] time-range test 8:00 to 18:00 working-day
[device] display time-range test
Current time is 13:27:32 Apr/16/2005 Saturday
# Define an absolute time range that spans from 15:00 1/28/2006 to 15:00 1/28/2008.
<device> system-view
[device] time-range test from 15:00 1/28/2006 to 15:00 1/28/2008
[device] display time-range test
Current time is 13:30:32 Apr/16/2005 Saturday
Time-range : test ( Inactive )
From 15:00 Jan/28/2006 to 15:00 Jan/28/2008
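The activation rules in the note above, as an added example rather than H3C code: a Python model of a time range with periodic and absolute sections, checked against the page's own 2004/Wednesday case and the two configuration examples. The page does not say whether the end time of a periodic section is inclusive; the model treats the start as inclusive and the end as exclusive, and the spelled-out day names ("wednesday") are an assumption about the command syntax. The class and function names are this example's own.

```python
"""Added illustration, not H3C code: the time-range activation rules described on
this page. A range is active when the current time lies inside one of its
periodic sections (or it has none) AND inside one of its absolute sections (or
it has none). An omitted start or end of an absolute section defaults to
1970/1/1 00:00 or 2100/12/31 23:59."""
from datetime import datetime, time
from typing import FrozenSet, List, Optional, Tuple

DAY_NAMES = {name: i for i, name in enumerate(
    ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"])}
# the two days-of-the-week keywords used on this page
DAY_KEYWORDS = {"daily": frozenset(range(7)), "working-day": frozenset(range(5))}


class TimeRange:
    EPOCH_START = datetime(1970, 1, 1, 0, 0)
    EPOCH_END = datetime(2100, 12, 31, 23, 59)

    def __init__(self, name: str) -> None:
        self.name = name
        self.periodic: List[Tuple[time, time, FrozenSet[int]]] = []
        self.absolute: List[Tuple[datetime, datetime]] = []

    def add_periodic(self, start: time, end: time, days: str) -> None:
        """'time-range NAME start-time to end-time days-of-the-week'.
        days is a keyword (daily, working-day) or space-separated day names (assumed spelling)."""
        weekdays = DAY_KEYWORDS.get(days) or frozenset(DAY_NAMES[d.lower()] for d in days.split())
        if start >= end:
            raise ValueError("end time must be later than start time")
        self.periodic.append((start, end, weekdays))

    def add_absolute(self, start: Optional[datetime] = None, end: Optional[datetime] = None) -> None:
        """'time-range NAME [ from start ] [ to end ]'; a missing bound takes the epoch default."""
        if start is None and end is None:
            raise ValueError("an absolute section needs a start or an end")
        start, end = start or self.EPOCH_START, end or self.EPOCH_END
        if start >= end:
            raise ValueError("end must be later than start")
        self.absolute.append((start, end))

    def is_active(self, now: datetime) -> bool:
        # start inclusive, end exclusive for periodic sections (assumption, see lead-in)
        periodic_ok = not self.periodic or any(
            now.weekday() in days and start <= now.time() < end
            for start, end, days in self.periodic)
        absolute_ok = not self.absolute or any(start <= now <= end for start, end in self.absolute)
        return periodic_ok and absolute_ok   # both kinds must agree when both are defined


def page_sample() -> TimeRange:
    """The combined range from the note on this page: 2004, Wednesdays 12:00 to 14:00."""
    tr = TimeRange("test")
    tr.add_absolute(datetime(2004, 1, 1, 0, 0), datetime(2004, 12, 31, 23, 59))
    tr.add_periodic(time(12, 0), time(14, 0), "wednesday")
    return tr


def working_day_sample() -> TimeRange:
    """'time-range test 8:00 to 18:00 working-day' from the configuration example."""
    tr = TimeRange("test")
    tr.add_periodic(time(8, 0), time(18, 0), "working-day")
    return tr


if __name__ == "__main__":
    # the device clock shown in the display output above: Saturday 2005-04-16 13:27:32
    print("working-day range active on that Saturday:", working_day_sample().is_active(datetime(2005, 4, 16, 13, 27, 32)))
    print("2004/Wednesday range active 2004-03-03 13:00:", page_sample().is_active(datetime(2004, 3, 3, 13, 0)))
```

The second combined check is the one worth remembering when a rule seems to ignore its time range: a periodic section that matches the clock is still inactive if every absolute section of the same range has already expired or not yet begun.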
Configuring Basic ACL
Configuration Prerequisites
To configure a time range-based basic ACL rule, create the corresponding time range first. For information about time range configuration, refer to Configuring Time Range. The source IP addresses on which the ACL filters packets are determined.
Configuration Procedure
Follow these steps to define a basic ACL rule:
1. Enter system view: system-view
2. Create an ACL and enter basic ACL view (required; match order config by default): acl number acl-number [ match-order { auto | config } ]
3. Define an ACL rule (required): rule [ rule-id ] { deny | permit } [ rule-string ]. For information about rule-string, refer to ACL in H3C WX3000 Series Unified Switches Switching Engine Command Reference.
4. Assign a description string to the ACL (optional; not configured by default): description text
Note that:
- With the config match order specified for the basic ACL, you can modify any existing rule; the unmodified part of the rule remains.
- With the auto match order specified for the basic ACL, you cannot modify an existing rule; the system prompts an error if you try.
- If you do not specify the rule-id argument when creating an ACL rule, the rule is numbered automatically: 0 if the ACL has no rules, otherwise the maximum existing rule number plus one.
- The content of a modified or newly created rule cannot be identical to that of an existing rule; otherwise the modification or creation fails and the system reports that the rule already exists.
- With the auto match order specified, newly created rules are inserted among the existing ones according to the depth-first principle, but the numbers of the existing rules are unchanged.
Configuration Example
# Configure ACL 2000 to deny packets whose source IP addresses are 192.168.0.1.
<device> system-view
[device] acl number 2000
[device-acl-basic-2000] rule deny source 192.168.0.1 0
Configuring Advanced ACL
Configuration Prerequisites
To configure a time range-based advanced ACL rule, create the corresponding time ranges first. For information about time range configuration, refer to Configuring Time Range. The settings to be specified in the rule, such as source and destination IP addresses, the protocol carried by IP, and protocol-specific features, are determined.
Configuration Procedure
Follow these steps to define an advanced ACL rule:
1. Enter system view: system-view
2. Create an advanced ACL and enter advanced ACL view (required; match order config by default): acl number acl-number [ match-order { auto | config } ]
3. Define an ACL rule (required): rule [ rule-id ] { permit | deny } protocol [ rule-string ]. For information about protocol and rule-string, refer to ACL in H3C WX3000 Series Unified Switches Switching Engine Command Reference.
4. Assign a description string to the ACL rule (optional; no description by default).
5. Assign a description string to the ACL (optional; no description by default): description text
Note that:
- With the config match order specified for the advanced ACL, you can modify any existing rule; the unmodified part of the rule remains.
- With the auto match order specified for the ACL, you cannot modify an existing rule; the system prompts an error if you try.
- If you do not specify the rule-id argument when creating an ACL rule, the rule is numbered automatically: 0 if the ACL has no rules, otherwise the maximum existing rule number plus one.
- The content of a modified or newly created rule cannot be identical to that of an existing rule; otherwise the modification or creation fails and the system reports that the rule already exists.
- If the ACL is created with the auto keyword specified, newly created rules are inserted among the existing ones according to the depth-first principle, but the numbers of the existing rules are unchanged.
Configuration Example
# Configure ACL 3000 to permit the TCP packets sourced from the network 129.9.0.0/16 and destined for the network 202.38.160.0/24 and with the destination port number being 80.
<device> system-view
[device] acl number 3000
[device-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
Configuring Layer 2 ACL
Configuration Prerequisites
To configure a time range-based Layer 2 ACL rule, create the corresponding time ranges first. For information about time range configuration, refer to Configuring Time Range. The settings to be specified in the rule, such as source and destination MAC addresses, VLAN priorities, and Layer 2 protocol types, are determined.
Configuration Procedure
Follow these steps to define a Layer 2 ACL rule:
1. Enter system view: system-view
2. Create a Layer 2 ACL and enter Layer 2 ACL view (required): acl number acl-number
3. Define an ACL rule (required): rule [ rule-id ] { permit | deny } rule-string. For information about rule-string, refer to ACL in H3C WX3000 Series Unified Switches Switching Engine Command Reference.
4. Assign a description string to the ACL rule (optional; no description by default).
5. Assign a description string to the ACL (optional; no description by default): description text
Note that:
- You can modify any existing rule of the Layer 2 ACL; the unmodified part of the rule remains.
- If you do not specify the rule-id argument when creating an ACL rule, the rule is numbered automatically: 0 if the ACL has no rules, otherwise the maximum existing rule number plus one.
- The content of a modified or newly created rule cannot be identical to that of an existing rule; otherwise the modification or creation fails and the system reports that the rule already exists.
Configuration Example
# Configure ACL 4000 to deny packets sourced from the MAC address 000d-88f5-97ed, destined for the MAC address 0011-4301-991e, and with their 802.1p priority being 3.
<device> system-view
[device] acl number 4000
[device-acl-ethernetframe-4000] rule deny cos 3 source 000d-88f5-97ed ffff-ffff-ffff dest 0011-4301-991e ffff-ffff-ffff
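The three sample rules in this chapter (ACL 2000, 3000 and 4000), the rule-numbering notes in the basic, advanced and Layer 2 procedures, and the default-action difference described under Ways to Apply an ACL on a Device can all be exercised in a small Python model. The following is an added example written for this page, not H3C code or device output: it implements config match order only (the depth-first auto order is not modelled), the ACL number ranges it uses to tell basic, advanced and Layer 2 ACLs apart are assumed, and the packet dictionaries are constructed. It also makes explicit an inversion the two examples above only show by accident: an IP rule takes a wildcard, where 0 means exact match, while a Layer 2 rule takes a mask, where ffff-ffff-ffff means exact match.

```python
"""Added illustration, not H3C code: a plain-Python model of the ACL rule
semantics described on this page, built from the page's own sample rules."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, Optional


def ip_bytes(s: str) -> bytes:
    """Dotted quad to 4 bytes; the CLI shorthand '0' means wildcard 0.0.0.0."""
    return bytes(4) if s == "0" else IPv4Address(s).packed


def mac_bytes(s: str) -> bytes:
    """H3C hhhh-hhhh-hhhh notation to 6 bytes."""
    return bytes.fromhex(s.replace("-", ""))


def wildcard_match(value: bytes, ref: bytes, wildcard: bytes) -> bool:
    """IP rules: a 1 bit in the wildcard means 'ignore this bit' (0 = exact host)."""
    return all(((v ^ r) & ~w & 0xFF) == 0 for v, r, w in zip(value, ref, wildcard))


def mask_match(value: bytes, ref: bytes, mask: bytes) -> bool:
    """Layer 2 rules: a 1 bit in the mask means 'compare this bit' (ffff-ffff-ffff = exact)."""
    return all(((v ^ r) & m) == 0 for v, r, m in zip(value, ref, mask))


@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" or "deny"
    src: Optional[tuple] = None          # (address, wildcard-or-mask) exactly as typed on the CLI
    dst: Optional[tuple] = None
    protocol: Optional[str] = None       # advanced ACL: "ip", "tcp", "udp", ...
    dport: Optional[int] = None          # advanced ACL: destination-port eq N
    cos: Optional[int] = None            # Layer 2 ACL: 802.1p priority


class Acl:
    def __init__(self, number: int):
        # number ranges are an assumption of this example, not stated on the page
        if 2000 <= number <= 2999: self.kind = "basic"
        elif 3000 <= number <= 3999: self.kind = "advanced"
        elif 4000 <= number <= 4999: self.kind = "layer2"
        else: raise ValueError(f"unsupported ACL number {number}")
        self.number = number
        self.rules: Dict[int, Rule] = {}

    def add_rule(self, rule: Rule, rule_id: Optional[int] = None) -> int:
        """'rule [ rule-id ] ...': reject identical content; auto-number as 0 or max+1."""
        if rule in self.rules.values():
            raise ValueError(f"acl {self.number}: the rule already exists")
        if rule_id is None:
            rule_id = 0 if not self.rules else max(self.rules) + 1
        self.rules[rule_id] = rule
        return rule_id

    def _hits(self, r: Rule, pkt: dict) -> bool:
        cmp, conv = (mask_match, mac_bytes) if self.kind == "layer2" else (wildcard_match, ip_bytes)
        for spec, key in ((r.src, "src"), (r.dst, "dst")):
            if spec and not cmp(conv(pkt[key]), conv(spec[0]), conv(spec[1])):
                return False
        if r.protocol not in (None, "ip") and pkt.get("protocol") != r.protocol:
            return False
        if r.dport is not None and pkt.get("dport") != r.dport:
            return False
        return r.cos is None or pkt.get("cos") == r.cos

    def match(self, pkt: dict) -> Optional[str]:
        """config match order: the first matching rule in rule-id order decides; None if none matches."""
        for rid in sorted(self.rules):
            if self._hits(self.rules[rid], pkt):
                return self.rules[rid].action
        return None


def decide(acl: Acl, pkt: dict, applied_to: str) -> str:
    """Default action from the page: applied to hardware (packet-filter) an ACL permits
    what it does not match; used for Telnet/SNMP/Web login control it denies it."""
    verdict = acl.match(pkt)
    if verdict is not None:
        return verdict
    return "permit" if applied_to == "hardware" else "deny"


def build_page_acls() -> Dict[int, Acl]:
    """The three rules configured in this chapter's examples."""
    acl2000 = Acl(2000)   # rule deny source 192.168.0.1 0
    acl2000.add_rule(Rule("deny", src=("192.168.0.1", "0")))
    acl3000 = Acl(3000)   # rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
    acl3000.add_rule(Rule("permit", protocol="tcp", src=("129.9.0.0", "0.0.255.255"),
                          dst=("202.38.160.0", "0.0.0.255"), dport=80))
    acl4000 = Acl(4000)   # rule deny cos 3 source 000d-88f5-97ed ffff-ffff-ffff dest 0011-4301-991e ffff-ffff-ffff
    acl4000.add_rule(Rule("deny", cos=3, src=("000d-88f5-97ed", "ffff-ffff-ffff"),
                          dst=("0011-4301-991e", "ffff-ffff-ffff")))
    return {2000: acl2000, 3000: acl3000, 4000: acl4000}


if __name__ == "__main__":
    acls = build_page_acls()
    https = {"src": "129.9.1.1", "dst": "202.38.160.5", "protocol": "tcp", "dport": 443}  # constructed packet
    print("ACL 3000 on a port, HTTPS to the web network:", decide(acls[3000], https, "hardware"))
    print("ACL 3000 on a VTY, same packet:              ", decide(acls[3000], https, "login"))
```

Run as a script it shows the trap from the default-action note: ACL 3000 contains only a permit rule, so on a port it lets the unmatched HTTPS packet through, while the same ACL referenced for login control rejects it.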
ACL Assignment
On a device, you can assign ACLs to the hardware for packet filtering in the following four ways:
- Globally, to filter the inbound packets on all ports.
- To a VLAN, to filter the inbound packets of that VLAN on all ports.
- To a port group, to filter the inbound packets on all ports in the group. For information about port groups, refer to Basic Port Configuration in H3C WX3000 Series Unified Switches Switching Engine Configuration Guide.
- To a port, to filter the inbound packets on that port.
You can combine these ways as required.
ACLs assigned globally take precedence over those assigned to VLANs: when a packet matches a rule of a globally assigned ACL and a rule of an ACL assigned to a VLAN, and the two actions conflict, the device performs the action of the globally assigned ACL. When a packet matches a rule of an ACL assigned globally (or to a VLAN) and a rule of an ACL assigned to a port (or port group), and the two actions conflict, the device denies the packet. ACLs assigned globally or to a VLAN take precedence over the default ACL. Note that assigning ACLs globally or to a VLAN may affect device management through Telnet and similar protocols: a deny rule that matches traffic from the management station blocks it on every port (or on every port of the VLAN), so put a permit rule for the management source ahead of it in config match order, and keep a console session open while testing the assignment.
Assigning an ACL Globally
Configuration procedure
Follow these steps to assign an ACL globally:
1. Enter system view: system-view
2. Assign an ACL globally (required): packet-filter inbound acl-rule. For a description of the acl-rule argument, refer to ACL in H3C WX3000 Series Unified Switches Switching Engine Command Reference.
Configuration example
# Apply ACL 2000 globally to filter the inbound packets on all the ports.
<device> system-view
[device] packet-filter inbound ip-group 2000
Assigning an ACL to a VLAN
Configuration procedure
Follow these steps to assign an ACL to a VLAN:
1. Enter system view: system-view
2. Assign an ACL to the VLAN (required): packet-filter vlan vlan-id inbound acl-rule. For a description of the acl-rule argument, refer to ACL in H3C WX3000 Series Unified Switches Switching Engine Command Reference.
Configuration example
# Apply ACL 2000 to VLAN 10 to filter the inbound packets of VLAN 10 on all the ports.
<device> system-view
[device] packet-filter vlan 10 inbound ip-group 2000
Assigning an ACL to a Port Group
Configuration procedure
Follow these steps to assign an ACL to a port group:
1. Enter system view: system-view
2. Enter port group view (required): port-group group-id
3. Apply an ACL to the port group (required): packet-filter inbound acl-rule. For a description of the acl-rule argument, refer to ACL in H3C WX3000 Series Unified Switches Switching Engine Command Reference.
After an ACL is assigned to a port group, it will be automatically assigned to the ports that are subsequently added to the port group.
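The precedence rules at the start of this section and the port-group note just above, as an added example that is not part of the H3C documentation: a Python model of the four assignment levels. Each ACL's own verdict for a packet is supplied by the caller (permit, deny, or None when no rule matches, as a rule evaluator would produce it); the topology and ACL numbers are constructed; and the handling of a port ACL and a port-group ACL that disagree on the same port is an assumption (deny on conflict), since the page does not state it.

```python
"""Added illustration, not H3C code: how the page's precedence rules combine the
verdicts of ACLs assigned globally, to a VLAN, to a port group and to a port,
and how a port-group assignment follows ports added to the group later."""
from typing import Dict, Optional, Set

Verdict = Optional[str]   # "permit", "deny", or None (no rule of that ACL matched)


class PacketFilter:
    def __init__(self) -> None:
        self.global_acl: Optional[int] = None
        self.vlan_acl: Dict[int, int] = {}          # vlan-id -> ACL number
        self.group_acl: Dict[int, int] = {}         # port-group id -> ACL number
        self.group_ports: Dict[int, Set[str]] = {}  # port-group id -> member ports
        self.port_acl: Dict[str, int] = {}          # port name -> ACL number

    # the four assignment commands of this section
    def packet_filter_global(self, acl: int) -> None:
        self.global_acl = acl

    def packet_filter_vlan(self, vlan: int, acl: int) -> None:
        self.vlan_acl[vlan] = acl

    def packet_filter_group(self, group: int, acl: int) -> None:
        self.group_acl[group] = acl

    def packet_filter_port(self, port: str, acl: int) -> None:
        self.port_acl[port] = acl

    def add_port_to_group(self, group: int, port: str) -> None:
        # membership is resolved at decision time, so an ACL assigned to the group
        # earlier automatically covers a port added later (the note above)
        self.group_ports.setdefault(group, set()).add(port)

    def acls_for(self, port: str, vlan: int) -> Dict[str, Optional[int]]:
        """The ACL in force at each level for an inbound packet on `port` in `vlan`."""
        group = next((g for g, members in self.group_ports.items() if port in members), None)
        return {
            "global": self.global_acl,
            "vlan": self.vlan_acl.get(vlan),
            "group": self.group_acl.get(group) if group is not None else None,
            "port": self.port_acl.get(port),
        }

    def decide(self, port: str, vlan: int, verdicts: Dict[int, Verdict]) -> str:
        """Resolve the final action with the page's precedence rules."""
        v = {lvl: (verdicts.get(acl) if acl is not None else None)
             for lvl, acl in self.acls_for(port, vlan).items()}
        # a global ACL beats a VLAN ACL when both match and their actions conflict
        upper = v["global"] if v["global"] is not None else v["vlan"]
        # port ACL versus port-group ACL on the same port: assumed deny on conflict (not on the page)
        lower_hits = [x for x in (v["group"], v["port"]) if x is not None]
        lower = None if not lower_hits else ("deny" if "deny" in lower_hits else "permit")
        if upper is not None and lower is not None:
            # global/VLAN versus port/port group: deny whenever the actions conflict
            return "deny" if upper != lower else upper
        if upper is not None:
            return upper
        if lower is not None:
            return lower
        return "permit"   # hardware default: a packet matching no rule is permitted


def build_sample_switch() -> PacketFilter:
    """Constructed topology: global ACL 2000, VLAN 10 ACL 2001, port group 1 ACL 2002, GE1/0/3 ACL 2003."""
    sw = PacketFilter()
    sw.packet_filter_global(2000)
    sw.packet_filter_vlan(10, 2001)
    sw.packet_filter_group(1, 2002)
    sw.add_port_to_group(1, "GigabitEthernet1/0/1")
    sw.add_port_to_group(1, "GigabitEthernet1/0/2")
    sw.packet_filter_port("GigabitEthernet1/0/3", 2003)
    return sw


if __name__ == "__main__":
    sw = build_sample_switch()
    # global permit against port-group deny on GE1/0/1: the conflict rule denies
    print(sw.decide("GigabitEthernet1/0/1", 20, {2000: "permit", 2002: "deny"}))
```

The practical consequence of the conflict rule is that a permit at the global level cannot be used to punch a hole through a port-level deny, or the other way round; to allow a flow you have to make every level that matches it agree.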
Configuration example
# Apply ACL 2000 to port group 1 to filter the inbound packets on all the ports in the port group.
<device> system-view
[device] port-group 1
[device-port-group-1] packet-filter inbound ip-group 2000
Assigning an ACL to a Port
Configuration procedure
Follow these steps to apply an ACL to a port:
1. Enter system view: system-view
2. Enter Ethernet port view (required): interface interface-type interface-number
3. Apply an ACL to the port (required): packet-filter inbound acl-rule. For a description of the acl-rule argument, refer to ACL in H3C WX3000 Series Unified Switches Switching Engine Command Reference.
Configuration example
# Apply ACL 2000 to GigabitEthernet 1/0/1 to filter the inbound packets.
<device> system-view
[device] interface GigabitEthernet 1/0/1
[device-GigabitEthernet1/0/1] packet-filter inbound ip-group 2000
Examples for Upper-layer Software Referencing ACLs
Example for Controlling Telnet Login Users by Source IP
Figure 1-1 Network diagram for controlling Telnet login users by source IP
[Network diagram: Internet, Switch, PC 10.110.100.52]
Configuration procedure
# Define ACL 2000.
<device> system-view
[device] acl number 2000
[device-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[device-acl-basic-2000] quit
# Reference ACL 2000 on the VTY user interfaces to control Telnet login users.
[device] user-interface vty 0 4
[device-ui-vty0-4] acl 2000 inbound
Example for Controlling Web Login Users by Source IP
[Network diagram: Internet, Switch, PC 10.110.100.46]
Configuration procedure
# Define ACL 2001.
<device> system-view
[device] acl number 2001
[device-acl-basic-2001] rule 1 permit source 10.110.100.46 0
[device-acl-basic-2001] quit
Examples for Applying ACLs to Hardware
Basic ACL Configuration Example
[Network diagram: PC1 10.1.1.1, GEth1/0/1, PC2]
Configuration procedure
# Define a periodic time range that is active from 8:00 to 18:00 every day.
<device> system-view
[device] time-range test 8:00 to 18:00 daily
# Define ACL 2000 to filter packets with the source IP address 10.1.1.1.
[device] acl number 2000
[device-acl-basic-2000] rule 1 deny source 10.1.1.1 0 time-range test
[device-acl-basic-2000] quit
Advanced ACL Configuration Example
[Network diagram: To the router, GEth 1/0/1, GEth 1/0/2, Switch, The R&D Department]
Configuration procedure
# Define a periodic time range that is active from 8:00 to 18:00 on working days.
<device> system-view
[device] time-range test 8:00 to 18:00 working-day
# Define ACL 3000 to filter packets destined for the wage query server.
[device] acl number 3000
[device-acl-adv-3000] rule 1 deny ip destination 192.168.1.2 0 time-range test
[device-acl-adv-3000] quit
Layer 2 ACL Configuration Example
[Network diagram: PC1 000f-e20f-0101, GEth1/0/1, PC2]
Configuration procedure
# Define a periodic time range that is active from 8:00 to 18:00 every day.
<device> system-view
[device] time-range test 8:00 to 18:00 daily
# Define ACL 4000 to filter packets with the source MAC address 000f-e20f-0101 and the destination MAC address 000f-e20f-0303.
[device] acl number 4000
[device-acl-ethernetframe-4000] rule 1 deny source 000f-e20f-0101 ffff-ffff-ffff dest 000f-e20f-0303 ffff-ffff-ffff time-range test
[device-acl-ethernetframe-4000] quit
Example for Applying an ACL to a VLAN
[Network diagram: GEth1/0/1, GEth 1/0/3, GEth 1/0/2, VLAN 10, PC1, PC2, PC3]
Configuration procedure
# Define a periodic time range that is active from 8:00 to 18:00 in working days.
<device> system-view
[device] time-range test 8:00 to 18:00 working-day