H3C S3100 Series Operating instructions

Category: Network switches
Type: Operating instructions

H3C S3100 Series are Ethernet switches designed for enterprise networks. They feature high-performance hardware, robust security, and flexible management capabilities. With comprehensive Layer 2/Layer 3/Layer 4 switching features, they are ideal for building high-density access networks.

Operation Manual (For Soliton) – ACL
H3C S3100 Series Ethernet Switches Table of Contents
Table of Contents
Chapter 1 ACL Configuration
  1.1 ACL Overview
    1.1.1 ACL Matching Order
    1.1.2 Ways to Apply an ACL on a Switch
    1.1.3 Types of ACLs Supported by S3100 Series Ethernet Switches
  1.2 ACL Configuration
    1.2.1 Configuring Time Range
    1.2.2 Configuring Basic ACL
    1.2.3 Configuring Advanced ACL
    1.2.4 Configuring Layer 2 ACL
    1.2.5 Configuring an IPv6 ACL
  1.3 ACL Assignment
    1.3.1 Assigning an ACL Globally
    1.3.2 Assigning an ACL to a VLAN
    1.3.3 Assigning an ACL to a Port Group
    1.3.4 Assigning an ACL to a Port
  1.4 Displaying ACL Configuration
  1.5 Example for Upper-Layer Software Referencing ACLs
    1.5.1 Example for Controlling Telnet Login Users by Source IP
    1.5.2 Example for Controlling Web Login Users by Source IP
  1.6 Example for Applying ACLs to Hardware
    1.6.1 Basic ACL Configuration Example
    1.6.2 Advanced ACL Configuration Example
    1.6.3 Layer 2 ACL Configuration Example
    1.6.4 IPv6 ACL Configuration Example
    1.6.5 Example for Applying an ACL to a Port Group
Chapter 1 ACL Configuration
1.1 ACL Overview
As networks grow in scale and traffic volume, security control and bandwidth assignment
become increasingly important in network management. Filtering packets is an efficient
way to keep unauthorized users out of a network while also controlling traffic and saving
network resources. Access control lists (ACLs) filter packets against configured matching
rules: on receiving a packet, the switch compares it with the rules of the ACL applied on
the receiving port and permits or discards it accordingly.
The rules of an ACL can also be referenced by other functions that need traffic
classification, such as QoS.
ACLs classify packets using a series of conditions known as rules. The conditions can be
based on the source addresses, destination addresses and port numbers carried in the
packets.
According to their application purposes, ACLs fall into the following four types:
• Basic ACL. Rules are created based on source IP addresses only.
• Advanced ACL. Rules are created based on Layer 3 and Layer 4 information such as
  the source and destination IP addresses, the type of protocol carried by IP, and
  protocol-specific features.
• Layer 2 ACL. Rules are created based on Layer 2 information such as source and
  destination MAC addresses, VLAN priorities and the Layer 2 protocol type.
• User-defined ACL. An ACL of this type matches packets by comparing strings
  extracted from the packet with specified strings. A rule specifies the byte offset
  from the packet header at which the comparison begins, and the extracted bytes are
  ANDed with a mask before they are compared.
Note:
S3100 Series Ethernet switches match IPv6 packets by user-defined ACLs. In the
following sections, user-defined ACLs are referred to as IPv6 ACLs. For details about
IPv6 ACLs, refer to section 1.2.5 Configuring an IPv6 ACL.
1.1.1 ACL Matching Order
An ACL can contain multiple rules, each of which matches specific type of packets. So
the order in which the rules of an ACL are matched needs to be determined.
The rules in an ACL can be matched in one of the following two ways:
• config: rules are matched in the order defined by the user.
• auto: rules are matched in the order determined by the system, namely the
  "depth-first" order.
The depth-first order is defined separately for basic and advanced ACLs:
I. Depth-first match order for rules of a basic ACL
1) Range of source IP address: the smaller the source IP address range (that is, the
   more zeros in the wildcard mask), the higher the match priority.
2) Fragment keyword: a rule with the fragment keyword takes priority over others.
3) If the above two conditions are identical, the earlier configured rule applies.
II. Depth-first match order for rules of an advanced ACL
1) Protocol range: a rule that specifies the type of protocol carried by IP takes
   priority over others.
2) Range of source IP address: the smaller the source IP address range (that is, the
   more zeros in the wildcard mask), the higher the match priority.
3) Range of destination IP address: the smaller the destination IP address range
   (that is, the more zeros in the wildcard mask), the higher the match priority.
4) Range of Layer 4 port numbers, that is, TCP/UDP port numbers: the smaller the
   range, the higher the match priority.
5) Number of parameters: the more parameters a rule specifies, the higher its match
   priority.
If rule A and rule B are still equal after comparison in the above order, weighting
principles decide their priority. Each parameter is given a fixed weighting value, and
this weighting value together with the value of the parameter itself decides the final
match order. The parameters involved, with weighting values from high to low, are
icmp-type, established, dscp, tos, precedence and fragment. The comparison rules
are:
• The smaller the remaining weighting value (a fixed weighting value minus the
  weighting value of every parameter in the rule), the higher the match priority.
• If the types of parameter are the same for multiple rules, the sum of the
  parameters' weighting values of a rule determines its priority. The smaller the sum,
  the higher the match priority.
Note:
The match order of an IPv6 ACL can only be config.
1.1.2 Ways to Apply an ACL on a Switch
I. Being applied to the hardware directly
In the switch, an ACL can be applied directly to hardware for packet filtering and traffic
classification. In this case, the rules in an ACL are matched in the order determined by
the hardware instead of the order defined in the ACL. On H3C S3100 series Ethernet
switches, the earlier a rule is applied to hardware, the higher its match priority.
ACLs are applied directly to hardware when they are used for:
• Implementing QoS
• Filtering the packets to be forwarded
II. Being referenced by upper-level software
ACLs can also be used to filter and classify the packets to be processed by software. In
this case, the rules in an ACL can be matched in one of the following two ways:
• config, where rules in an ACL are matched in the order defined by the user.
• auto, where rules in an ACL are matched in the order determined by the system,
  namely the "depth-first" order.
When applying an ACL in this way, you can specify the order in which the rules in the
ACL are matched. The match order cannot be modified once it is determined, unless
you delete all the rules in the ACL and then define the match order again.
An ACL can be referenced by upper-layer software in these cases:
• Referenced by routing policies
• Used to control Telnet, SNMP and Web login users
Note:
• When an ACL is applied directly to hardware for packet filtering, the switch permits
  packets that match no rule in the ACL.
• When an ACL is referenced by upper-layer software to control Telnet, SNMP and
  Web login users, the switch denies packets that match no rule in the ACL. Such an
  ACL therefore needs a permit rule for every legitimate management source, or
  management access is cut off.
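The following Python model, added here and not part of the H3C manual, puts the rules of section 1.1.1 and the note just above into runnable form: a wildcard-mask source match, the config and auto (depth-first) orders for a basic ACL, and the permit-by-default behaviour of hardware filtering versus the deny-by-default behaviour of login control. The class and function names (BasicRule, depth_first_order, first_match, evaluate) are this example's own; the advanced-ACL weighting step is not modelled because the page gives no concrete weighting values.

```python
"""Model of S3100 basic-ACL matching as described in 1.1.1 and the 1.1.2 note.

Added illustration, not H3C code; class and function names are this example's
own. It encodes only what the page states:
  - a source address is given with a wildcard mask: 0 bits must match, 1 bits
    are ignored ("192.168.0.1 0" is one host, "129.9.0.0 0.0.255.255" is a /16);
  - match-order config evaluates rules in the order the user defined them;
  - match-order auto (depth-first) puts the smaller source range first (more
    zero bits in the wildcard), then rules with the fragment keyword, then the
    earlier configured rule;
  - an ACL applied to hardware permits a packet that matches no rule, while an
    ACL referenced for Telnet/SNMP/Web login control denies it.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Iterable, List, Optional


def to_int(addr: str) -> int:
    """Dotted IPv4 to int. The CLI shorthand wildcard '0' means 0.0.0.0 (exact host)."""
    return int(IPv4Address("0.0.0.0" if addr == "0" else addr))


@dataclass(frozen=True)
class BasicRule:
    rule_id: int            # rule number in the ACL; config order follows it
    action: str             # "permit" or "deny"
    source: str             # source IP, dotted notation
    wildcard: str           # wildcard mask: 0 bits must match, 1 bits are ignored
    fragment: bool = False  # rule carries the fragment keyword

    def matches(self, src_ip: str) -> bool:
        care = ~to_int(self.wildcard) & 0xFFFFFFFF   # bits that must match
        return (to_int(src_ip) & care) == (to_int(self.source) & care)

    def zero_bits(self) -> int:
        """More zero bits in the wildcard = smaller address range = higher priority."""
        return 32 - bin(to_int(self.wildcard)).count("1")


def depth_first_order(rules: Iterable[BasicRule]) -> List[BasicRule]:
    """Basic-ACL auto order: smaller range, then fragment rules, then earlier rule."""
    return sorted(rules, key=lambda r: (-r.zero_bits(), not r.fragment, r.rule_id))


def first_match(rules: Iterable[BasicRule], src_ip: str,
                match_order: str = "config") -> Optional[BasicRule]:
    """Return the first rule that matches under the given match order, or None."""
    if match_order == "auto":
        ordered = depth_first_order(rules)
    else:
        ordered = sorted(rules, key=lambda r: r.rule_id)
    for rule in ordered:
        if rule.matches(src_ip):
            return rule
    return None


def evaluate(rules: Iterable[BasicRule], src_ip: str,
             match_order: str = "config", applied_to: str = "hardware") -> str:
    """'permit' or 'deny'. The no-match default depends on where the ACL is used:
    hardware packet filtering permits, login control (telnet/snmp/web) denies."""
    hit = first_match(rules, src_ip, match_order)
    if hit is not None:
        return hit.action
    return "permit" if applied_to == "hardware" else "deny"


# Constructed sample ACL: rule 0 denies 192.168.0.0/24, rule 1 permits one host in it.
SAMPLE_RULES = [
    BasicRule(0, "deny", "192.168.0.0", "0.0.0.255"),
    BasicRule(1, "permit", "192.168.0.1", "0"),
]

if __name__ == "__main__":
    for order in ("config", "auto"):
        print(f"192.168.0.1 with match-order {order}:",
              evaluate(SAMPLE_RULES, "192.168.0.1", order))
    print("10.0.0.1, hardware filter, no match:", evaluate(SAMPLE_RULES, "10.0.0.1"))
    print("10.0.0.1, login control, no match:",
          evaluate(SAMPLE_RULES, "10.0.0.1", applied_to="login"))
```

With match-order config the broad deny in rule 0 shadows the host permit in rule 1; with auto the host rule is evaluated first because its wildcard has more zero bits, so the same ACL yields the opposite verdict. The last two calls show why the no-match default matters: the same address that is forwarded by a hardware filter is refused by a login-control ACL.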
1.1.3 Types of ACLs Supported by S3100 Series Ethernet Switches
S3100 Series Ethernet switches support the following types of ACLs.
• Basic ACLs
• Advanced ACLs
• Layer 2 ACLs
• IPv6 ACLs
Note that ACLs defined on S3100 Series Ethernet switches can be applied to hardware
directly or referenced by upper-layer software for packet filtering.
1.2 ACL Configuration
1.2.1 Configuring Time Range
Time ranges can be used to filter packets. You can specify a time range for each rule in
an ACL. A time range-based ACL rule takes effect only when the time range has been
configured and the system time is within that time range.
Two types of time ranges are available:
• Periodic time range, which recurs on the specified day or days of the week.
• Absolute time range, which takes effect only in one period of time and does not recur.
Note:
An absolute time range on an H3C S3100 Series Ethernet switch can be within the range
1970/1/1 00:00 to 2100/12/31 24:00.
I. Configuration procedure
Table 1-1 Configure a time range
1. Enter system view: system-view
2. Create a time range (required):
   time-range time-name { start-time to end-time days-of-the-week [ from start-time
   start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time
   end-date ] | to end-time end-date }
Note that:
• If only periodic time sections are defined in a time range, the time range is active
  only when the system time is within one of the defined periodic time sections.
• If only absolute time sections are defined in a time range, the time range is active
  only when the system time is within one of the defined absolute time sections.
• If both a periodic time section and an absolute time section are defined in a time
  range, the time range is active only when the periodic section and the absolute
  section are both matched. Assume that a time range contains an absolute time
  section ranging from 00:00 January 1, 2004 to 23:59 December 31, 2004, and a
  periodic time section ranging from 12:00 to 14:00 on every Wednesday. This time
  range is active only when the system time is within 12:00 to 14:00 on a Wednesday
  in 2004.
• If the start time of an absolute section is not specified, the section starts at
  1970/1/1 00:00 and ends at the specified end date. If the end date is not specified,
  the section starts at the specified start date and ends at 2100/12/31 23:59.
II. Configuration example
# Define a periodic time range that spans from 8:00 to 18:00 on Monday through Friday.
<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 working-day
[Sysname] display time-range test
Current time is 13:27:32 Apr/16/2005 Saturday
Time-range : test ( Inactive )
08:00 to 18:00 working-day
# Define an absolute time range that spans from 15:00 1/28/2006 to 15:00 1/28/2008.
<Sysname> system-view
[Sysname] time-range test from 15:00 1/28/2006 to 15:00 1/28/2008
[Sysname] display time-range test
Current time is 13:30:32 Apr/16/2005 Saturday
Time-range : test ( Inactive )
From 15:00 Jan/28/2006 to 15:00 Jan/28/2008
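As an added example that is not part of the H3C manual, the Python below encodes the activity rules from the notes above (OR within the periodic sections, OR within the absolute sections, AND across the two kinds, and the 1970/2100 defaults for an omitted start or end) and reproduces the two Inactive results shown above as well as the Wednesday-in-2004 case. The working-day keyword is the page's; the other day keywords, the class names and the periodic() builder are assumptions of this example.

```python
"""Model of the time-range activity rules in 1.2.1 (added illustration, not H3C code).

What it encodes, from the notes on this page:
  - several periodic sections in one time range: active when the system time
    falls in any one of them;
  - several absolute sections: active when the system time falls in any one;
  - periodic and absolute sections together: both kinds must match;
  - an absolute section with no start begins 1970/1/1 00:00, one with no end
    stops at 2100/12/31 23:59.
Only the working-day keyword appears on the page; the other day keywords and
all class and function names are this example's assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import FrozenSet, List

DEFAULT_START = datetime(1970, 1, 1, 0, 0)
DEFAULT_END = datetime(2100, 12, 31, 23, 59)

# datetime.weekday(): Monday = 0 ... Sunday = 6
DAY_KEYWORDS = {
    "working-day": {0, 1, 2, 3, 4},        # used on the page
    "off-day": {5, 6},                     # assumed meaning
    "daily": {0, 1, 2, 3, 4, 5, 6},        # assumed meaning
    "mon": {0}, "tue": {1}, "wed": {2}, "thu": {3},
    "fri": {4}, "sat": {5}, "sun": {6},
}


@dataclass(frozen=True)
class Periodic:
    start: time
    end: time
    days: FrozenSet[int]

    def contains(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= now.time() <= self.end


@dataclass(frozen=True)
class Absolute:
    start: datetime = DEFAULT_START   # omitted "from" -> 1970/1/1 00:00
    end: datetime = DEFAULT_END       # omitted "to"   -> 2100/12/31 23:59

    def contains(self, now: datetime) -> bool:
        return self.start <= now <= self.end


@dataclass
class TimeRange:
    name: str
    periodic: List[Periodic] = field(default_factory=list)
    absolute: List[Absolute] = field(default_factory=list)

    def is_active(self, now: datetime) -> bool:
        """OR within each kind of section, AND across the two kinds."""
        periodic_ok = not self.periodic or any(p.contains(now) for p in self.periodic)
        absolute_ok = not self.absolute or any(a.contains(now) for a in self.absolute)
        return periodic_ok and absolute_ok


def periodic(start: str, end: str, *days: str) -> Periodic:
    """Build a periodic section from CLI-style arguments, e.g. ('8:00', '18:00', 'working-day')."""
    day_set = set()
    for d in days:
        day_set |= DAY_KEYWORDS[d]
    return Periodic(time.fromisoformat(start.zfill(5)),
                    time.fromisoformat(end.zfill(5)), frozenset(day_set))


# The two examples from this page plus the Wednesday-in-2004 case from the notes.
WORKING_HOURS = TimeRange("test", periodic=[periodic("8:00", "18:00", "working-day")])
JAN_2006_TO_2008 = TimeRange("test", absolute=[
    Absolute(datetime(2006, 1, 28, 15, 0), datetime(2008, 1, 28, 15, 0))])
WED_NOON_2004 = TimeRange("wed2004",
                          periodic=[periodic("12:00", "14:00", "wed")],
                          absolute=[Absolute(datetime(2004, 1, 1, 0, 0),
                                             datetime(2004, 12, 31, 23, 59))])

if __name__ == "__main__":
    now = datetime(2005, 4, 16, 13, 27, 32)   # the "Current time" shown on the page, a Saturday
    for tr in (WORKING_HOURS, JAN_2006_TO_2008):
        print(f"Time-range : {tr.name} ( {'Active' if tr.is_active(now) else 'Inactive'} )")
    print("Wed 2004-01-07 13:00 ->", WED_NOON_2004.is_active(datetime(2004, 1, 7, 13, 0)))
    print("Wed 2005-01-05 13:00 ->", WED_NOON_2004.is_active(datetime(2005, 1, 5, 13, 0)))
```

Both page examples come out Inactive at the displayed Saturday time, and the combined range is active on a Wednesday at 13:00 in 2004 but not on the same weekday and hour in 2005, which is the AND-across-kinds rule the third note describes.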
1.2.2 Configuring Basic ACL
A basic ACL filters packets based on their source IP addresses.
A basic ACL can be numbered from 2000 to 2999.
I. Configuration prerequisites
• To configure a time range-based basic ACL rule, you need to create the
  corresponding time range first. For information about time range configuration,
  refer to section 1.2.1 Configuring Time Range.
• The source IP addresses based on which the ACL filters packets are determined.
II. Configuration procedure
Table 1-2 Define a basic ACL rule
1. Enter system view: system-view
2. Create an ACL and enter basic ACL view (required; the match order is config by
   default): acl number acl-number [ match-order { auto | config } ]
3. Define an ACL rule (required; for information about rule-string, refer to ACL
   Commands): rule [ rule-id ] { deny | permit } [ rule-string ]
4. Configure a description string for the ACL (optional; not configured by default):
   description text
Note that:
• With the config match order specified for the basic ACL, you can modify any existing
  rule; the unmodified part of the rule remains. With the auto match order specified,
  you cannot modify an existing rule; the system prompts an error if you try.
• If you do not specify the rule-id argument when creating an ACL rule, the rule is
  numbered automatically. If the ACL has no rules, the rule is numbered 0; otherwise
  it receives the greatest existing rule number plus one. If the current greatest rule
  number is already 65534, the system displays an error message and you must specify
  a number for the rule.
• The content of a modified or created rule cannot be identical with the content of any
  existing rule; otherwise the modification or creation fails and the system prompts
  that the rule already exists.
• With the auto match order specified, newly created rules are inserted among the
  existing ones by the depth-first principle, but the numbers of the existing rules are
  not changed.
III. Configuration example
# Configure ACL 2000 to deny packets whose source IP addresses are 192.168.0.1.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule deny source 192.168.0.1 0
# Display the configuration information of ACL 2000.
[Sysname-acl-basic-2000] display acl 2000
Basic ACL 2000, 1 rule
Acl's step is 1
rule 0 deny source 192.168.0.1 0
1.2.3 Configuring Advanced ACL
An advanced ACL can filter packets by their source and destination IP addresses, the
protocols carried by IP, and protocol-specific features such as TCP/UDP source and
destination ports and ICMP message type and code.
An advanced ACL can be numbered from 3000 to 3999. Note that ACL 3998 and ACL
3999 cannot be configured because they are reserved for cluster management.
Advanced ACLs support analysis and processing of three packet priority fields: type of
service (ToS) priority, IP precedence and differentiated services code point (DSCP).
Using advanced ACLs, you can define classification rules that are more precise, richer
and more flexible than those of basic ACLs.
I. Configuration prerequisites
• To configure a time range-based advanced ACL rule, you need to create the
  corresponding time ranges first. For information about time range configuration,
  refer to section 1.2.1 Configuring Time Range.
• The settings to be specified in the rule, such as source and destination IP
  addresses, the protocols carried by IP, and protocol-specific features, are
  determined.
II. Configuration procedure
Table 1-3 Define an advanced ACL rule
1. Enter system view: system-view
2. Create an advanced ACL and enter advanced ACL view (required; the match order is
   config by default): acl number acl-number [ match-order { auto | config } ]
3. Define an ACL rule (required; for information about protocol and rule-string, refer
   to ACL Commands): rule [ rule-id ] { permit | deny } protocol [ rule-string ]
4. Assign a description string to the ACL rule (optional; no description by default):
   rule rule-id comment text
5. Assign a description string to the ACL (optional; no description by default):
   description text
Note that:
• With the config match order specified for the advanced ACL, you can modify any
  existing rule; the unmodified part of the rule remains. With the auto match order
  specified, you cannot modify an existing rule; the system prompts an error if you
  try.
• If you do not specify the rule-id argument when creating an ACL rule, the rule is
  numbered automatically. If the ACL has no rules, the rule is numbered 0; otherwise
  it receives the greatest existing rule number plus one. If the current greatest rule
  number is already 65534, the system displays an error message and you must specify
  a number for the rule.
• The content of a modified or created rule cannot be identical with the content of any
  existing rule; otherwise the modification or creation fails and the system prompts
  that the rule already exists.
• If the ACL is created with the auto keyword specified, newly created rules are
  inserted among the existing ones by the depth-first principle, but the numbers of
  the existing rules are not changed.
III. Configuration example
# Configure ACL 3000 to permit the TCP packets sourced from the network
129.9.0.0/16 and destined for the network 202.38.160.0/24 and with the destination
port number being 80.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255
destination 202.38.160.0 0.0.0.255 destination-port eq 80
# Display the configuration information of ACL 3000.
[Sysname-acl-adv-3000] display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 1
rule 0 permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0
0.0.0.255 destination-port eq www
1.2.4 Configuring Layer 2 ACL
Layer 2 ACLs filter packets according to their Layer 2 information, such as the source
and destination MAC addresses, VLAN priority, and Layer 2 protocol types.
A Layer 2 ACL can be numbered from 4000 to 4999.
I. Configuration prerequisites
• To configure a time range-based Layer 2 ACL rule, you need to create the
  corresponding time ranges first. For information about time range configuration,
  refer to section 1.2.1 Configuring Time Range.
• The settings to be specified in the rule, such as source and destination MAC
  addresses, VLAN priorities, and Layer 2 protocol types, are determined.
II. Configuration procedure
Table 1-4 Define a Layer 2 ACL rule
1. Enter system view: system-view
2. Create a Layer 2 ACL and enter Layer 2 ACL view (required): acl number acl-number
3. Define an ACL rule (required; for information about rule-string, refer to ACL
   Commands): rule [ rule-id ] { permit | deny } rule-string
4. Assign a description string to the ACL rule (optional; no description by default):
   rule rule-id comment text
5. Assign a description string to the ACL (optional; no description by default):
   description text
Note that:
• You can modify any existing rule of a Layer 2 ACL; the unmodified part of the rule
  remains.
• If you do not specify the rule-id argument when creating an ACL rule, the rule is
  numbered automatically. If the ACL has no rules, the rule is numbered 0; otherwise
  it receives the greatest existing rule number plus one. If the current greatest rule
  number is already 65534, the system displays an error message and you must specify
  a number for the rule.
• The content of a modified or created rule cannot be identical with the content of any
  existing rule; otherwise the modification or creation fails and the system prompts
  that the rule already exists.
III. Configuration example
# Configure ACL 4000 to deny packets sourced from the MAC address 000d-88f5-97ed,
destined for the MAC address 0011-4301-991e, and with their 802.1p priority being 3.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] rule deny cos 3 source 000d-88f5-97ed
ffff-ffff-ffff dest 0011-4301-991e ffff-ffff-ffff
# Display the configuration information of ACL 4000.
[Sysname-acl-ethernetframe-4000] display acl 4000
Ethernet frame ACL 4000, 1 rule
Acl's step is 1
rule 0 deny cos excellent-effort source 000d-88f5-97ed ffff-ffff-ffff dest
0011-4301-991e ffff-ffff-ffff
1.2.5 Configuring an IPv6 ACL
You can match IPv6 packets by IPv6 ACLs to process IPv6 data flows as required.
S3100 Series Ethernet switches support matching the following fields:
• dscp: matches the traffic class field in IPv6 packets.
• ip-protocol: matches the next header field in IPv6 packets.
• src-ip: matches the source address field in IPv6 packets.
• dest-ip: matches the destination address field in IPv6 packets.
• src-port: matches the TCP/UDP source port field in IPv6 packets.
• dest-port: matches the TCP/UDP destination port field in IPv6 packets.
• icmpv6-type: matches the ICMPv6 type field in IPv6 packets.
• icmpv6-code: matches the ICMPv6 code field in IPv6 packets.
Note:
For information about the IPv6 packet format, refer to IPv6 Management Operation.
Before applying an IPv6 ACL, be sure to configure an IPv6 ACL template to specify the
fields to be matched. Also make sure that the fields used by the IPv6 ACL are a subset
of the fields in the template. Otherwise, you cannot apply the IPv6 ACL to the hardware.
I. Configuration prerequisites
• To configure time range-based IPv6 ACL rules, you need to create the
  corresponding time ranges first. For information about time range configuration,
  refer to section 1.2.1 Configuring Time Range.
• The settings to be specified in the rule are determined.
II. Configuration procedure
Table 1-5 Define an IPv6 ACL rule
1. Enter system view: system-view
2. Configure an IPv6 ACL template (required; no IPv6 ACL template is configured by
   default; to specify src-port, dest-port, icmpv6-type or icmpv6-code you must also
   specify ip-protocol):
   ipv6-acl-template { dscp | ip-protocol | src-ip | dest-ip | src-port | dest-port |
   icmpv6-type | icmpv6-code } *
3. Create an IPv6 ACL and enter IPv6 ACL view (required): acl number acl-number
4. Define an ACL rule (required):
   rule [ rule-id ] { permit | deny } [ dscp rule-string rule-mask ] [ ip-protocol
   rule-string rule-mask ] [ src-ip ipv6-address prefix-length ] [ dest-ip ipv6-address
   prefix-length ] [ [ src-port rule-string rule-mask | dest-port rule-string rule-mask ] * |
   [ icmpv6-type rule-string rule-mask | icmpv6-code rule-string rule-mask ] * ]
   [ time-range time-name ]
   To specify src-port or dest-port, the ip-protocol rule-string rule-mask combination
   must select TCP or UDP, that is, 0x06 or 0x11. To specify icmpv6-type or
   icmpv6-code, the ip-protocol rule-string rule-mask combination must select ICMPv6,
   that is, 0x3a.
5. Assign a description string to the ACL rule (optional; no description by default):
   rule rule-id comment text
6. Assign a description string to the ACL (optional; no description by default):
   description text
Note that:
• You can modify any existing rule of an IPv6 ACL. If you modify only the action to be
  taken or the time range, the unmodified part of the rule remains the same. If you
  modify the contents of a user-defined string, the new string overwrites the original
  one.
• If you do not specify the rule-id argument when creating an ACL rule, the rule is
  numbered automatically. If the ACL has no rules, the rule is numbered 0; otherwise
  it receives the greatest existing rule number plus one. If the current greatest rule
  number is already 65534, the system displays an error message and you must specify
  a number for the rule.
• The content of a modified or created rule cannot be identical with the content of any
  existing rule of the ACL; otherwise the modification or creation fails and the system
  prompts that the rule already exists.
Note:
• IPv6 ACLs do not match IPv6 packets with extension headers, so traffic carrying an
  extension header before the upper-layer header is not filtered by them.
• Do not use IPv6 ACLs together with VLAN mapping and trusted port priority.
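The checks that must hold before an IPv6 ACL can be pushed to hardware (a template built from the eight documented fields, rule fields that are a subset of the template, ip-protocol pinned to TCP or UDP for the port fields and to ICMPv6 for the icmpv6 fields, and no mixing of the two groups) are collected in the following Python validator. It is an added example rather than H3C code; its function names, message texts and the interpretation of rule-mask as a bitwise compare mask are this example's assumptions.

```python
"""Validator for the IPv6 (user-defined) ACL constraints given in 1.2.5.

Added illustration, not H3C code; function names and message texts are this
example's own. It performs the checks an operator needs to pass before an IPv6
ACL can be applied to hardware:
  - a template may only name the eight fields listed on the page, and
    src-port, dest-port, icmpv6-type or icmpv6-code in a template need
    ip-protocol as well;
  - every field a rule uses must be in the template (the rule is a subset);
  - src-port/dest-port need ip-protocol pinned to TCP (0x06) or UDP (0x11);
  - icmpv6-type/icmpv6-code need ip-protocol pinned to ICMPv6 (0x3a);
  - a rule carries port fields or icmpv6 fields, not both (rule syntax).
Assumption: a rule-string/rule-mask pair is compared bitwise, 1 mask bits being
the bits that must match, so the protocol is "pinned" only when the mask is 0xff.
"""
from typing import Dict, List, Optional, Set, Tuple

TEMPLATE_FIELDS = {"dscp", "ip-protocol", "src-ip", "dest-ip",
                   "src-port", "dest-port", "icmpv6-type", "icmpv6-code"}
L4_FIELDS = {"src-port", "dest-port"}
ICMP_FIELDS = {"icmpv6-type", "icmpv6-code"}
TCP, UDP, ICMPV6 = 0x06, 0x11, 0x3A

# A rule maps field name -> (rule-string, rule-mask) for the byte-compared fields
# and -> (ipv6-address, prefix-length) for src-ip / dest-ip.
Rule = Dict[str, Tuple]


def validate_template(fields: Set[str]) -> List[str]:
    """Errors for an ipv6-acl-template field set; an empty list means acceptable."""
    errors = []
    unknown = fields - TEMPLATE_FIELDS
    if unknown:
        errors.append(f"unknown template field(s): {sorted(unknown)}")
    if fields & (L4_FIELDS | ICMP_FIELDS) and "ip-protocol" not in fields:
        errors.append("port or icmpv6 fields in a template require ip-protocol")
    return errors


def pinned_protocol(rule: Rule) -> Optional[int]:
    """Next-header value the rule fixes, or None if ip-protocol is absent or
    its mask leaves some of the 8 bits unmatched."""
    if "ip-protocol" not in rule:
        return None
    value, mask = rule["ip-protocol"]
    return value & 0xFF if (mask & 0xFF) == 0xFF else None


def validate_rule(rule: Rule, template: Set[str]) -> List[str]:
    """Errors that would stop this rule from being applied with the given template."""
    errors = []
    used = set(rule)
    outside = used - template
    if outside:
        errors.append(f"rule uses field(s) not in the template: {sorted(outside)}")
    if used & L4_FIELDS and used & ICMP_FIELDS:
        errors.append("a rule may carry port fields or icmpv6 fields, not both")
    proto = pinned_protocol(rule)
    if used & L4_FIELDS and proto not in (TCP, UDP):
        errors.append("src-port/dest-port require ip-protocol 0x06 (TCP) or 0x11 (UDP)")
    if used & ICMP_FIELDS and proto != ICMPV6:
        errors.append("icmpv6-type/icmpv6-code require ip-protocol 0x3a (ICMPv6)")
    return errors


def can_apply(rule: Rule, template: Set[str]) -> bool:
    return not validate_template(template) and not validate_rule(rule, template)


# Constructed template and rules; PAGE_RULE is the rule from the example on this page.
TEMPLATE = {"ip-protocol", "src-ip", "dest-ip", "dest-port"}
PAGE_RULE = {"src-ip": ("3001::1", 64), "dest-ip": ("3002::1", 64)}
HTTP_RULE = {"ip-protocol": (TCP, 0xFF), "dest-ip": ("3002::1", 64), "dest-port": (80, 0xFFFF)}
LOOSE_RULE = {"ip-protocol": (TCP, 0xF0), "dest-port": (80, 0xFFFF)}      # mask too loose
ICMP_RULE = {"ip-protocol": (ICMPV6, 0xFF), "icmpv6-type": (128, 0xFF)}  # field not in template

if __name__ == "__main__":
    for name, rule in (("PAGE_RULE", PAGE_RULE), ("HTTP_RULE", HTTP_RULE),
                       ("LOOSE_RULE", LOOSE_RULE), ("ICMP_RULE", ICMP_RULE)):
        print(name, "->", "applies" if can_apply(rule, TEMPLATE) else validate_rule(rule, TEMPLATE))
```

The two rejected rules show the failure modes the table warns about: LOOSE_RULE names a destination port but its ip-protocol mask does not fix the next header to TCP or UDP, and ICMP_RULE uses icmpv6-type, which the template never declared, so neither can be applied to hardware even though both are syntactically complete.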
III. Configuration example
# Configure a rule for IPv6 ACL 5000, denying packets from 3001::1/64 to 3002::1/64.
<Sysname> system-view
[Sysname] acl number 5000
[Sysname-acl-user-5000] rule deny src-ip 3001::1 64 dest-ip 3002::1 64
# Display the configuration information of ACL 5000.
[Sysname-acl-user-5000] display acl 5000
User defined ACL 5000, 1 rule
Acl's step is 1
rule 0 deny src-ip 3001::1 64 dest-ip 3002::1 64
1.3 ACL Assignment
On an S3100 Ethernet switch, you can assign ACLs to the hardware for packet filtering.
Four ways of assigning an ACL are available:
• Assigning ACLs globally, for filtering the inbound packets on all the ports.
• Assigning ACLs to a VLAN, for filtering the inbound packets of that VLAN on all the
  ports.
• Assigning ACLs to a port group, for filtering the inbound packets on all the ports in
  the port group. For information about port groups, refer to Port Basic Configuration.
• Assigning ACLs to a port, for filtering the inbound packets on that port.
You can combine these ways as required.
Caution:
ACLs assigned globally, ACLs assigned to a VLAN and ACLs assigned to a port group
(or a port) rank in descending order of priority. If a packet matches rules in ACLs at
more than one of these levels and some rules permit it while others deny it, the device
acts on the matching rule in the ACL with the highest priority.
1.3.1 Assigning an ACL Globally
I. Configuration prerequisites
Before applying ACL rules globally, you need to define the related ACLs. For
information about defining an ACL, refer to section 1.2.2 Configuring Basic ACL,
section 1.2.3 Configuring Advanced ACL, section 1.2.4 Configuring Layer 2 ACL, and
section 1.2.5 Configuring an IPv6 ACL.
II. Configuration procedure
Table 1-6 Assign an ACL globally
1. Enter system view: system-view
2. Assign an ACL globally (required; for a description of the acl-rule argument, refer
   to ACL Commands): packet-filter inbound acl-rule
III. Configuration example
# Apply ACL 2000 globally to filter the inbound packets on all the ports.
<Sysname> system-view
[Sysname] packet-filter inbound ip-group 2000
1.3.2 Assigning an ACL to a VLAN
I. Configuration prerequisites
Before applying ACL rules to a VLAN, you need to define the related ACLs. For
information about defining an ACL, refer to section 1.2.2 Configuring Basic ACL,
section 1.2.3 Configuring Advanced ACL, section 1.2.4 Configuring Layer 2 ACL, and
section 1.2.5 Configuring an IPv6 ACL.
II. Configuration procedure
Table 1-7 Assign an ACL to a VLAN
1. Enter system view: system-view
2. Apply an ACL to a VLAN (required; for a description of the acl-rule argument, refer
   to ACL Commands): packet-filter vlan vlan-id inbound acl-rule
Caution:
An ACL assigned to a VLAN takes effect only for packets that carry an 802.1Q tag;
untagged packets are not matched against it. For more information about the 802.1Q
header, refer to the VLAN part.
III. Configuration example
# Apply ACL 2000 to VLAN 10 to filter the inbound packets of VLAN 10 on all the ports.
<Sysname> system-view
[Sysname] packet-filter vlan 10 inbound ip-group 2000
1.3.3 Assigning an ACL to a Port Group
I. Configuration prerequisites
Before applying ACL rules to a port group, you need to define the related ACLs. For
information about defining an ACL, refer to section 1.2.2 Configuring Basic ACL,
section 1.2.3 Configuring Advanced ACL, section 1.2.4 Configuring Layer 2 ACL, and
section 1.2.5 Configuring an IPv6 ACL.
II. Configuration procedure
Table 1-8 Assign an ACL to a port group
1. Enter system view: system-view
2. Enter port group view: port-group group-id
3. Apply an ACL to the port group (required; for a description of the acl-rule
   argument, refer to ACL Commands): packet-filter inbound acl-rule
Note:
After an ACL is assigned to a port group, it will be automatically assigned to the ports
that are subsequently added to the port group.
III. Configuration example
# Apply ACL 2000 to port group 1 to filter the inbound packets on all the ports in the port
group.
<Sysname> system-view
[Sysname] port-group 1
[Sysname-port-group-1] packet-filter inbound ip-group 2000
1.3.4 Assigning an ACL to a Port
I. Configuration prerequisites
Before applying ACL rules to a port, you need to define the related ACLs. For
information about defining an ACL, refer to section 1.2.2 Configuring Basic ACL,
section 1.2.3 Configuring Advanced ACL, section 1.2.4 Configuring Layer 2 ACL, and
section 1.2.5 Configuring an IPv6 ACL.
II. Configuration procedure
Table 1-9 Apply an ACL to a port
1. Enter system view: system-view
2. Enter Ethernet port view: interface interface-type interface-number
3. Apply an ACL to the port (required; for a description of the acl-rule argument,
   refer to ACL Commands): packet-filter inbound acl-rule
Note:
You cannot assign an ACL to a member port of a port group.
III. Configuration example
# Apply ACL 2000 to Ethernet 1/0/1 to filter the inbound packets.
<Sysname> system-view
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] packet-filter inbound ip-group 2000
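The Caution in 1.3 (global beats VLAN beats port group or port), the 1.3.2 caution (a VLAN ACL sees only tagged packets) and the 1.3.4 note (no ACL on a port-group member) together define how the hardware resolves a packet that several assigned ACLs could match. The following Python model, added here and not H3C code, makes that resolution explicit with an abstract rule matcher so the focus stays on assignment and precedence. Names such as Switch, filter_inbound and build_sample are this example's own, and the sample scenario is constructed.

```python
"""Model of hardware ACL assignment points on an S3100 (1.3) and of how conflicting
verdicts are resolved. Added illustration, not H3C code; names are this example's own.

Behaviour encoded from the page:
  - assignment points: globally, to a VLAN, to a port group, to a port (inbound);
  - when a packet matches rules at several points, global beats VLAN, which
    beats port group or port; the highest-priority point with a match decides;
  - a packet matching no rule anywhere is permitted (hardware default, 1.1.2 note);
  - an ACL assigned to a VLAN sees only 802.1Q-tagged packets (1.3.2 caution);
  - an ACL cannot be assigned to a member port of a port group (1.3.4 note).
Rules are (predicate, action) pairs so that the focus stays on assignment and
precedence rather than on field matching.
"""
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, object]
Rule = Tuple[Callable[[Packet], bool], str]   # (predicate, "permit" | "deny")
Acl = List[Rule]


def verdict(acl: Acl, pkt: Packet) -> Optional[str]:
    """Inside one ACL the first matching rule (hardware order) decides; None if none match."""
    for pred, action in acl:
        if pred(pkt):
            return action
    return None


class Switch:
    def __init__(self) -> None:
        self.global_acl: Acl = []
        self.vlan_acl: Dict[int, Acl] = {}
        self.group_acl: Dict[int, Acl] = {}
        self.port_acl: Dict[str, Acl] = {}
        self.port_to_group: Dict[str, int] = {}

    def port_group_add(self, group_id: int, port: str) -> None:
        self.port_to_group[port] = group_id

    def packet_filter_port(self, port: str, acl: Acl) -> None:
        """interface ... / packet-filter inbound: refused for a port-group member."""
        if port in self.port_to_group:
            raise ValueError(f"{port} is a member of port-group "
                             f"{self.port_to_group[port]}; assign the ACL to the group")
        self.port_acl[port] = acl

    def filter_inbound(self, pkt: Packet) -> str:
        """Walk the assignment points in priority order: global, VLAN, then the
        ingress port's group ACL (if it is a member) or its own port ACL."""
        levels: List[Acl] = [self.global_acl]
        if pkt.get("tagged") and pkt.get("vlan") in self.vlan_acl:
            levels.append(self.vlan_acl[pkt["vlan"]])      # untagged frames skip VLAN ACLs
        port = str(pkt["in_port"])
        if port in self.port_to_group:
            levels.append(self.group_acl.get(self.port_to_group[port], []))
        else:
            levels.append(self.port_acl.get(port, []))
        for acl in levels:
            v = verdict(acl, pkt)
            if v is not None:
                return v
        return "permit"   # hardware default: no matching rule means forward


def src_is(ip: str) -> Callable[[Packet], bool]:
    return lambda pkt: pkt.get("src") == ip


def build_sample() -> Switch:
    """Constructed scenario: global permits 10.0.0.9, VLAN 10 denies 10.0.0.9 and
    10.0.0.7, port group 1 (holding Ethernet1/0/1) permits 10.0.0.7."""
    sw = Switch()
    sw.global_acl = [(src_is("10.0.0.9"), "permit")]
    sw.vlan_acl[10] = [(src_is("10.0.0.9"), "deny"), (src_is("10.0.0.7"), "deny")]
    sw.port_group_add(1, "Ethernet1/0/1")
    sw.group_acl[1] = [(src_is("10.0.0.7"), "permit")]
    return sw


if __name__ == "__main__":
    sw = build_sample()
    cases = [
        {"src": "10.0.0.9", "tagged": True, "vlan": 10, "in_port": "Ethernet1/0/1"},   # permit: global wins
        {"src": "10.0.0.7", "tagged": True, "vlan": 10, "in_port": "Ethernet1/0/1"},   # deny: VLAN beats group
        {"src": "10.0.0.7", "tagged": False, "vlan": 10, "in_port": "Ethernet1/0/1"},  # permit: VLAN ACL skipped
        {"src": "192.0.2.1", "tagged": True, "vlan": 10, "in_port": "Ethernet1/0/2"},  # permit: no match
    ]
    for pkt in cases:
        print(pkt["src"], "tagged" if pkt["tagged"] else "untagged", "->", sw.filter_inbound(pkt))
```

The third case is the one worth remembering when a VLAN ACL is used as a security boundary: an untagged frame from the same source is not matched by the VLAN ACL at all and falls through to the port-group permit, so a deny that must hold for every frame belongs in the global ACL or on the port group itself.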
1.4 Displaying ACL Configuration
After completing the above configuration, you can execute the display commands in any view to check the running ACL information and verify the configuration.
Table 1-10 Display ACL configuration (all of these commands can be executed in any view)
  Display a configured ACL or all the ACLs:
    display acl { all | acl-number }
  Display a time range or all the time ranges:
    display time-range { all | time-name }
  Display the information about packet filtering:
    display packet-filter { global | interface interface-type interface-number | port-group [ group-id ] | unitid unit-id | vlan [ vlan-id ] }
  Display the information about remaining ACL resources:
    display acl remaining entry
  Display the IPv6 ACL template configuration information:
    display ipv6-acl-template
1.5 Example for Upper-Layer Software Referencing ACLs
1.5.1 Example for Controlling Telnet Login Users by Source IP
I. Network requirements
Apply an ACL to permit users with the source IP address of 10.110.100.52 to telnet to
the switch.
II. Network diagram
Figure 1-1 Network diagram for controlling Telnet login users by source IP (the PC at 10.110.100.52 reaches the Switch across the Internet)
III. Configuration procedure
# Define ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] quit
# Reference ACL 2000 on VTY user interface to control Telnet login users.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] acl 2000 inbound
1.5.2 Example for Controlling Web Login Users by Source IP
I. Network requirements
Apply an ACL to permit Web users with the source IP address of 10.110.100.46 to log in
to the switch through HTTP.
II. Network diagram
Figure 1-2 Network diagram for controlling Web login users by source IP (the PC at 10.110.100.46 reaches the Switch across the Internet)
III. Configuration procedure
# Define ACL 2001.
<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule 1 permit source 10.110.100.46 0
[Sysname-acl-basic-2001] quit
# Reference ACL 2001 to control users logging in to the Web server.
[Sysname] ip http acl 2001
1.6 Example for Applying ACLs to Hardware
1.6.1 Basic ACL Configuration Example
I. Network requirements
PC 1 and PC 2 connect to the switch through Ethernet 1/0/1. PC 1's IP address is 10.1.1.1. Apply an ACL on Ethernet 1/0/1 to deny packets with the source IP address of 10.1.1.1 from 8:00 to 18:00 every day.
II. Network diagram
Figure 1-3 Network diagram for basic ACL configuration
III. Configuration procedure
# Define a periodic time range that is active from 8:00 to 18:00 every day.
<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 daily
# Define ACL 2000 to filter packets with the source IP address of 10.1.1.1 (the wildcard mask 0 matches this one host only).
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 1 deny source 10.1.1.1 0 time-range test
[Sysname-acl-basic-2000] quit
# Apply ACL 2000 on Ethernet 1/0/1.
[Sysname] interface Ethernet1/0/1
[Sysname-Ethernet1/0/1] packet-filter inbound ip-group 2000
1.6.2 Advanced ACL Configuration Example
I. Network requirements
Different departments of an enterprise are interconnected through a switch. The IP
address of the wage query server is 192.168.1.2. The R&D department is connected to
Ethernet 1/0/1 of the switch. Apply an ACL to deny requests from the R&D department
and destined for the wage server during the working hours (8:00 to 18:00).
II. Network diagram
Figure 1-4 Network diagram for advanced ACL configuration
III. Configuration procedure
# Define a periodic time range that is active from 8:00 to 18:00 on working days (Monday through Friday).
<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 working-day
# Define ACL 3000 to filter packets destined for the wage query server.
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 1 deny ip destination 192.168.1.2 0 time-range test
[Sysname-acl-adv-3000] quit
# Apply ACL 3000 on Ethernet 1/0/1.
[Sysname] interface Ethernet1/0/1
[Sysname-Ethernet1/0/1] packet-filter inbound ip-group 3000
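The following is an added example, not code from the H3C manual: a small Python model of how the rules configured in sections 1.5.1, 1.6.1 and 1.6.2 decide a packet. It shows the two things the CLI lines leave implicit, namely that the wildcard mask `0` matches exactly one host (and what `0.0.0.255` would match instead) and that a rule bound to a time range is simply not in effect outside `daily` or `working-day` hours. The class and function names, the first-match evaluation in configuration order, the exclusive end time and the `permit` default for a packet that matches no packet-filter rule are assumptions of this model; the dates are constructed so that 2024-06-10 is a Monday and 2024-06-15 a Saturday.

```python
"""Model of the packet-filter decision for the ACLs in sections 1.5.1, 1.6.1 and 1.6.2.
Added example, not H3C code. Assumptions: first match in configuration order wins,
a time range's end time is exclusive, a packet matching no rule gets `default`."""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Periodic time-range day specifiers as Python weekday numbers (Mon=0 .. Sun=6)
DAY_SPECS = {
    "daily": frozenset(range(7)),
    "working-day": frozenset(range(5)),
    "off-day": frozenset({5, 6}),
}


def _to_int(addr: str) -> int:
    # Comware accepts the shorthand '0' for the wildcard 0.0.0.0 (exact host)
    return int(IPv4Address("0.0.0.0" if addr == "0" else addr))


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard-mask match: a 0 bit in the wildcard must match, a 1 bit is ignored.
    'source 10.1.1.1 0' matches only host 10.1.1.1; '10.1.1.0 0.0.0.255' would
    match all of 10.1.1.0/24."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(rule_addr) & care)


@dataclass(frozen=True)
class TimeRange:
    name: str
    start: time
    end: time
    days: frozenset

    @classmethod
    def periodic(cls, name: str, start: time, end: time, spec: str) -> "TimeRange":
        return cls(name, start, end, DAY_SPECS[spec])

    def active(self, at: datetime) -> bool:
        return at.weekday() in self.days and self.start <= at.time() < self.end


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                                # "permit" or "deny"
    src: Optional[Tuple[str, str]] = None      # (address, wildcard)
    dst: Optional[Tuple[str, str]] = None
    time_range: Optional[TimeRange] = None

    def matches(self, src: str, dst: str, at: datetime) -> bool:
        if self.src and not wildcard_match(src, *self.src):
            return False
        if self.dst and not wildcard_match(dst, *self.dst):
            return False
        # A rule bound to an inactive time range is not in effect at all
        if self.time_range and not self.time_range.active(at):
            return False
        return True


@dataclass
class Acl:
    number: int
    rules: List[Rule] = field(default_factory=list)

    def decide(self, src: str, dst: str, at: datetime, default: str = "permit") -> str:
        for rule in self.rules:                # configuration order (assumed)
            if rule.matches(src, dst, at):
                return rule.action
        return default


# The manual's configurations, transcribed:
#   acl 2000: rule 1 deny source 10.1.1.1 0 time-range test (daily)             (1.6.1)
#   acl 3000: rule 1 deny ip destination 192.168.1.2 0 time-range test (working-day) (1.6.2)
#   acl 2000 on vty 0 4: rule 1 permit source 10.110.100.52 0                   (1.5.1)
TEST_DAILY = TimeRange.periodic("test", time(8), time(18), "daily")
TEST_WORKING = TimeRange.periodic("test", time(8), time(18), "working-day")
ACL_2000_PORT = Acl(2000, [Rule(1, "deny", src=("10.1.1.1", "0"), time_range=TEST_DAILY)])
ACL_3000 = Acl(3000, [Rule(1, "deny", dst=("192.168.1.2", "0"), time_range=TEST_WORKING)])
ACL_2000_VTY = Acl(2000, [Rule(1, "permit", src=("10.110.100.52", "0"))])


def decision_table() -> dict:
    """Decisions for constructed packets. What the switch does with a login
    attempt that matches no rule of a VTY ACL is not modelled here."""
    tue_10 = datetime(2024, 6, 11, 10, 0)
    tue_19 = datetime(2024, 6, 11, 19, 0)
    mon_09 = datetime(2024, 6, 10, 9, 0)
    sat_09 = datetime(2024, 6, 15, 9, 0)
    return {
        "basic_in_window": ACL_2000_PORT.decide("10.1.1.1", "10.1.1.9", tue_10),
        "basic_after_hours": ACL_2000_PORT.decide("10.1.1.1", "10.1.1.9", tue_19),
        "basic_other_host": ACL_2000_PORT.decide("10.1.1.2", "10.1.1.9", tue_10),
        "adv_working_day": ACL_3000.decide("10.1.1.1", "192.168.1.2", mon_09),
        "adv_saturday": ACL_3000.decide("10.1.1.1", "192.168.1.2", sat_09),
        "adv_other_server": ACL_3000.decide("10.1.1.1", "192.168.1.3", mon_09),
        "vty_allowed_host": ACL_2000_VTY.decide("10.110.100.52", "10.110.100.1", mon_09),
    }


if __name__ == "__main__":
    for name, verdict in decision_table().items():
        print(f"{name:20s} {verdict}")
```

Note that the 1.6.2 rule denies all IP traffic to 192.168.1.2 from the R&D port, not just wage queries, and only on working days; the Saturday packet in the table passes because the `working-day` time range is inactive, not because any permit rule matched it.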
1.6.3 Layer 2 ACL Configuration Example
I. Network requirements
PC 1 and PC 2 connect to the switch through Ethernet 1/0/1. PC 1's MAC address is 0011-0011-0011. Apply an ACL to filter packets with the source MAC address of 0011-0011-0011 and the destination MAC address of 0011-0011-0012 from 8:00 to 18:00 every day.