WA2210-AG

H3C WA2210-AG Configuration manual

  • Hello! I am an AI chatbot trained to assist you with the H3C WA2210-AG Configuration manual. I’ve already reviewed the document and can help you find the information you need or explain it in simple terms. Just ask your questions, and providing more details will help me assist you more effectively!
H3C WA Series WLAN Access Points
ACL and QoS Configuration Guide
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Document Version: 6W100-20100910
Copyright © 2010, Hangzhou H3C Technologies Co., Ltd. and its licensors
All Rights Reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior
written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
H3C, , Aolynk, , H
3
Care,
, TOP G, , IRF, NetPilot, Neocean, NeoVTL,
SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V
2
G, V
n
G, PSPT,
XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co.,
Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners.
Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface
The H3C WA documentation set includes 10 configuration guides, which describe the software features
for the H3C WA series WLAN access points and guide you through the software configuration
procedures. These configuration guides also provide configuration examples to help you apply the
software features to different network scenarios.
The ACL and QoS Configuration Guide describes ACL and QoS configurations.
This preface includes:
z Audience
z Conventions
z About the H3C WA Documentation Set
z Obtaining Documentation
z Documentation Feedback
Audience
This documentation is intended for:
z Network planners
z Field technical support and servicing engineers
z Network administrators working with the WA series
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention Description
Boldface Bold
text represents commands and keywords that you enter literally as shown.
italic
Italic text represents arguments that you replace with actual values.
[ ]
Square brackets enclose syntax choices (keywords or arguments) that are
optional.
{ x | y | ... }
Braces enclose a set of required syntax choices separated by vertical bars,
from which you select one.
[ x | y | ... ]
Square brackets enclose a set of optional syntax choices separated by vertical
bars, from which you select one or none.
{ x | y | ... } *
Asterisk marked braces enclose a set of required syntax choices separated by
vertical bars, from which you select at least one.
[ x | y | ... ] *
Asterisk marked square brackets enclose optional syntax choices separated by
vertical bars, from which you may select multiple choices or none.
&<1-n>
The argument or keyword and argument combination before the ampersand (&)
sign can be entered 1 to n times.
Convention Description
# A line that starts with a pound (#) sign is comments.
GUI conventions
Convention Description
Boldface
Window names, button names, field names, and menu items are in Boldface.
For example, the
New User
window appears; click
OK
.
>
Multi-level menus are separated by angle brackets. For example,
File
>
Create
>
Folder
.
Symbols
Convention Description
Means reader be extremely careful. Improper operation may cause bodily
injury.
Means reader be careful. Improper operation may cause data loss or damage to
equipment.
Means an action or information that needs special attention to ensure
successful configuration or good performance.
Means a complementary description.
Means techniques helpful for you to make configuration with ease.
About the H3C WA Documentation Set
The H3C WA documentation set includes:
Category Documents Purposes
Marketing brochures Describe product specifications and benefits.
Product
description and
specifications
Technology white papers
Provide an in-depth description of software features and
technologies.
Compliance and safety
manual
Provides regulatory information and the safety instructions
that must be followed during installation.
Quick start
Guides you through initial installation and setup procedures to
help you quickly set up and use your AP with the minimum
configuration.
Hardware
specifications
and installation
Installation guide
Guides you through hardware specifications and installation
methods to help you install your AP.
Getting started guide
Guides you through the main functions of your AP, and
describes how to install and log in to your AP, perform basic
configurations, maintain software, and troubleshoot your AP.
Configuration guides Describe software features and configuration procedures.
Software
configuration
Command references Provide a quick reference to all available commands.
Category Documents Purposes
User FAQ
Provides answers to some of the most frequently asked
questions on how to troubleshoot your AP.
Operations and
maintenance
Release notes
Provide information about the product release, including the
version history, hardware and software compatibility matrix,
version upgrade information, technical support information,
and software upgrading.
Obtaining Documentation
You can access the most up-to-date H3C product documentation on the World Wide Web at
http://www.h3c.com.
Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents] – Provides hardware installation, software
upgrading, getting started, and software feature configuration and maintenance documentation.
[Products & Solutions] – Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download] – Provides the documentation released with
the software version.
Documentation Feedback
You can e-mail your comments about product documentation to inf[email protected].
We appreciate your comments.
i
Table of Contents
1 Applicable Models and Software Versions·····························································································1-1
2 Feature Matrix············································································································································2-1
3 Command/Parameter Matrix·····················································································································3-1
4 ACL Configuration·····································································································································4-1
ACL Overview·········································································································································4-1
ACL Categories·······························································································································4-2
ACL Numbering and Naming ··········································································································4-2
Match Order·····································································································································4-2
ACL Rule Numbering·······················································································································4-4
Implementing Time-Based ACL Rules····························································································4-4
IPv4 Fragments Filtering with ACLs································································································4-4
ACL Configuration Task List ···················································································································4-4
Configuring an ACL·································································································································4-5
Creating a Time Range ···················································································································4-5
Configuring a WLAN ACL················································································································4-5
Configuring a Basic ACL ·················································································································4-6
Configuring an Advanced ACL········································································································4-7
Configuring an Ethernet Frame Header ACL··················································································4-9
Copying an ACL ····························································································································4-10
Displaying and Maintaining ACLs·········································································································4-10
ACL Configuration Examples················································································································4-10
IPv4 ACL Configuration Example··································································································4-10
IPv6 ACL Configuration Example··································································································4-12
5 QoS Overview ············································································································································5-1
Introduction to QoS·································································································································5-1
Introduction to QoS Service Models ·······································································································5-1
Best-Effort Service Model················································································································5-1
IntServ Service Model ·····················································································································5-2
DiffServ Service Model····················································································································5-2
QoS Techniques Overview ·····················································································································5-2
Applying QoS Techniques in a Network··························································································5-3
QoS Processing Flow in an AP ·······································································································5-4
6 QoS Policy Configuration·························································································································6-1
QoS Configuration Approach Overview··································································································6-1
Non-Policy Approach·······················································································································6-1
Policy Approach·······························································································································6-1
Configuring a QoS Policy························································································································6-1
Defining a Class ······························································································································6-2
Defining a Traffic Behavior··············································································································6-2
ii
Defining a QoS Policy and Applying the QoS Policy to an Interface ··············································6-3
Displaying and Maintaining QoS Policies ·······························································································6-3
7 Priority Mapping Configuration················································································································7-1
Introduction to Packet Precedences·······································································································7-1
IP Precedence and DSCP Values···································································································7-1
802.1p Priority ·································································································································7-2
802.11e Priority ·······························································································································7-3
Priority Mapping Overview······················································································································7-3
Introduction to Priority Mapping·······································································································7-3
Introduction to Priority Mapping Tables···························································································7-4
Priority Mapping Configuration Task List································································································7-5
Configuring Priority Mapping···················································································································7-6
Configuring a Priority Mapping Table······························································································7-6
Configuring a Port to Trust Packet Priority for Priority Mapping······················································7-6
Changing the Port Priority of an Interface·······················································································7-7
Displaying and Maintaining Priority Mapping··························································································7-7
Priority Mapping Configuration Example·································································································7-7
8 Index ···························································································································································8-1
1-1
z The models listed in this document are not applicable to all regions. Please consult your local sales
office for the models applicable to your region.
z Read this chapter before using an H3C WA series WLAN access point.
1 Applicable Models and Software Versions
H3C WA series WLAN access points include the WA2200 series and WA2600 series. Table 1-1 shows
the applicable models and software versions.
Table 1-1 Applicable models and software versions
Series Model Software version
WA2210-AG
WA2200 series access
points (indoors)
WA2220-AG
WA2210X-G
WA2200 series
WA2200 series access
points (outdoors)
WA2220X-AG
R 1115
WA2610-AGN
WA2612-AGN
WA2600 series access
points (indoors)
WA2620-AGN
R 1106
WA2610E-AGN
WA2600 series
WA2600 series access
points (enhanced)
WA2620E-AGN
R 1109
2-1
2 Feature Matrix
z Support of the H3C WA series WLAN access points for features, commands and parameters may
vary by device model. See this document for more information.
z For information about feature support, see Table 2-1. For information about command and
parameter support, see
Table 3-1.
z The term AP in this document refers to common APs, wireless bridges, or mesh APs.
Table 2-1 Feature matrix
Document Feature WA2200 series WA2600 series
Fundamentals
Configuration Guide
HTTPS Not supported Supported
802.11n radio mode Not supported Supported
802.11n bandwidth mode Not supported Supported
WLAN Configuration
Guide
802.11n rate configuration Not supported Supported
Optical Ethernet interface
Supported on
WA2210X-G/WA2220X-
AG only
Not supported
Layer 2 – LAN
Switching
Configuration Guide
GE interface Not supported Supported
DHCP server configuration Not supported Supported
Layer 3 – IP Services
Configuration Guide
DHCPv6 configuration Not supported Supported
IGMP snooping configuration Not supported Supported
IP Multicast
Configuration Guide
MLD snooping configuration Not supported Supported
Security Configuration
Guide
SSH2.0 Not supported Supported
3-1
3 Command/Parameter Matrix
Table 3-1 Command/Parameter matrix
Document Module Command/Parameter WA2200 series WA2600 series
display ip https
Not supported Supported
ip https acl
Not supported Supported
ip https certificate
access-control-policy
Not supported Supported
Fundamentals
Command
Reference
HTTP commands
ip https enable
Not supported Supported
a-mpdu enable
Not supported Supported
a-msdu enable
Not supported Supported
channel band-width
Not supported Supported
client dot11n-only
Not supported Supported
preamble
{
long
|
short
}
Only APs that
support the
802.11b/g radio
mode support this
command.
Only APs that
support the
802.11b/g radio
mode support this
command.
radio-type
Keywords
dot11an
and
dot11gn
not
supported
Supported
WLAN service
commands
short-gi enable
Not supported Supported
dot11a
{
disabled-rate |
mandatory-rate |
supported-rate
} rate-value
Only APs that
support 802.11a
radio mode
support this
command.
Only APs that
support 802.11a
radio mode
support this
command.
dot11n mandatory
maximum-mcs
Not supported Supported
dot11n support
maximum-mcs
Not supported Supported
WLAN
Command
Reference
WLAN RRM
commands
power-constraint
power-constraint
Only APs that
support the
802.11a radio
mode support this
command.
Only APs that
support the
802.11a radio
mode support this
command.
3-2
Document Module Command/Parameter WA2200 series WA2600 series
The maximum
number of
broadcast packets
that can be
forwarded on an
Ethernet interface
per second
broadcast-suppression
{ ratio |
pps
max-pps }
pps
max-pps
ranges from 1 to
148810.
pps
max-pps
ranges from 1 to
1488100.
The maximum
number of multicast
packets allowed on
an Ethernet
interface per
second
multicast-suppression
{ ratio |
pps
max-pps }
pps
max-pps
ranges from 1 to
148810.
pps
max-pps
ranges from 1 to
1488100.
Layer 2 – LAN
Switching
Command
Reference
The maximum
number of unknown
unicast packets
allowed on an
Ethernet interface
per second
unicast-suppression
{ ratio
|
pps
max-pps }
pps
max-pps
ranges from 1 to
148810.
pps
max-pps
ranges from 1 to
1488100.
DHCP commands
DHCP server configuration
commands
Not supported Supported
display ipv6 dhcp client
[
interface
interface-type
interface-number ]
Not supported Supported
display ipv6 dhcp client
statistics
[
interface
interface-type
interface-number
]
Not supported Supported
display ipv6 dhcp duid
Not supported Supported
Layer 3 - IP
Services
Command
Reference
DHCPv6
commands
reset ipv6 dhcp client
statistics
[
interface
interface-type
interface-number
]
Not supported Supported
4-1
z The models listed in this document are not applicable to all regions. Please consult your local sales
office for the models applicable to your region.
z Support of the H3C WA series WLAN access points (APs) for features may vary by AP model. For
more information, see Feature Matrix.
z The interface types and the number of interfaces vary by AP model.
z The term AP in this document refers to common APs, wireless bridges, and mesh APs.
4 ACL Configuration
This chapter includes these sections:
z ACL Overview
z ACL Configuration Task List
z Configuring an ACL
z Creating a Time Range
z Configuring a WLAN ACL
z Configuring a Basic ACL
z Configuring an Advanced ACL
z Configuring an Ethernet Frame Header ACL
z Copying an ACL
z Displaying and Maintaining ACLs
z ACL Configuration Examples
Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document.
ACL Overview
An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based
on criteria such as source IP address, destination IP address, and port number.
ACLs are essentially used for packet filtering. A packet filter drops packets that match a deny rule and
permits packets that match a permit rule. ACLs are also widely used by many modules, for example,
QoS and IP routing, for traffic identification.
This section covers these topics:
4-2
z ACL Categories
z ACL Numbering and Naming
z Match Order
z ACL Rule Numbering
z Implementing Time-Based ACL Rules
z IPv4 Fragments Filtering with ACLs
ACL Categories
ACLs fall into four categories, as shown in Table 4-1.
Table 4-1 ACL categories
Category ACL number IP version Match criteria
WLAN ACLs 100 to 199 IPv4 Wireless client SSID
IPv4 Source IPv4 address
Basic ACLs 2000 to 2999
IPv6 Source IPv6 address
IPv4
Source/destination IPv4 address, protocols over
IPv4, and other Layer 3 and Layer 4 header fields
Advanced ACLs 3000 to 3999
IPv6
Source/destination IPv6 address, protocols over
IPv6, and other Layer 3 and Layer 4 header fields
Ethernet frame
header ACLs
4000 to 4999 IPv4
Layer 2 header fields, such as source and
destination MAC addresses, 802.1p priority, and
link layer protocol type
ACL Numbering and Naming
Each ACL category has a unique range of ACL numbers. When creating an ACL, you must assign it a
number for identification, and in addition, you can also assign the ACL a name for the ease of
identification. After creating an ACL with a name, you can neither rename it nor delete its name.
You cannot assign a name for a WLAN ACL.
For a WLAN and Ethernet frame header, the ACL number and name must be globally unique. For an
IPv4 basic or advanced ACLs, its ACL number and name must be unique among all IPv4 ACLs, and for
an IPv6 basic or advanced ACL, among all IPv6 ACLs. You can assign an IPv4 ACL the same number
and name as an IPv6 ACL.
Match Order
The rules in an ACL are sorted in certain order. When a packet matches a rule, the device stops the
match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting
rules, the matching result and action to take depend on the rule order.
Two ACL match orders are available:
z config – Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a
rule with a higher ID. If you use this approach, check rule content and order carefully.
4-3
z auto – Sorts ACL rules in depth-first order. Depth-first ordering ensures that any subset of a rule is
always matched before the rule.
Table 4-2 lists the sequence of tie breakers that depth-first
ordering uses to sort rules for each type of ACL.
The match order of WLAN ACLs can only be config.
Table 4-2 Sort ACL rules in depth-first order
ACL category Sequence of tie breaker
IPv4 basic ACL
1) VPN instance
2) More 0s in the source IP address wildcard (more 0s means a narrower IP address
range)
3) Smaller rule ID
IPv4 advanced ACL
1) VPN instance
2) Specific protocol type rather than IP (IP represents any protocol over IP)
3) More 0s in the source IP address wildcard mask
4) More 0s in the destination IP address wildcard
5) Narrower TCP/UDP service port number range
6) Smaller ID
IPv6 basic ACL
1) Longer prefix for the source IP address (a longer prefix means a narrower IP
address range)
2) Smaller ID
IPv6 advanced ACL
1) Specific protocol type rather than IP (IP represents any protocol over IPv6)
2) Longer prefix for the source IPv6 address
3) Longer prefix for the destination IPv6 address
4) Narrower TCP/UDP service port number range
5) Smaller ID
Ethernet frame
header ACL
1) More 1s in the source MAC address mask (more 1s means a smaller MAC
address)
2) More 1s in the destination MAC address mask
3) Smaller ID
z The AP does not support ACL rules with the VPN instance attribute.
z A wildcard mask, also called an inverse mask, is a 32-bit binary and represented in dotted decimal
notation. In contrast to a network mask, the 0 bits in a wildcard mask represent 'do care' bits, while
the 1 bits represent 'don’t care bits'. If the 'do care' bits in an IP address identical to the 'do care' bits
in an IP address criterion, the IP address matches the criterion. All 'don’t care' bits are ignored. The
0s and 1s in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a valid wildcard
mask.
4-4
ACL Rule Numbering
What is the ACL rule numbering step
If you do not assign an ID for the rule you are creating, the system automatically assigns it a rule ID. The
rule numbering step sets the increment by which the system automatically numbers rules. For example,
the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are
numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between
two rules.
By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility of
inserting rules in an ACL. This feature is important for a config order ACL, where ACL rules are matched
in ascending order of rule ID.
Automatic rule numbering and re-numbering
The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step to
the current highest rule ID, starting with 0.
For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10,
and 12, the newly defined rule will be numbered 15. If the ACL does not contain any rule, the first rule
will be numbered 0.
Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five
rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered
0, 2, 4, 6 and 8.
Implementing Time-Based ACL Rules
You can implement ACL rules based on the time of day by applying a time range to them. A time-based
ACL rule takes effect only in any time periods specified by the time range.
Two basic types of time range are available:
z Periodic time range, which recurs periodically on a day or days of the week.
z Absolute time range, which represents only a period of time and does not recur.
You may apply a time range to ACL rules before or after you create it. However, the rules using the time
range can take effect only after you define the time range.
IPv4 Fragments Filtering with ACLs
Traditional packet filtering matches only first fragments of IPv4 packets, and allows all subsequent
non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks.
To avoids the risks, the H3C ACL implementation:
z Filters all fragments by default, including non-first fragments.
z Provides standard and exact match modes for matching ACLs that contain advanced attributes
such as TCP/UDP port number and ICMP type. Standard match is the default mode. It considers
only Layer 3 attributes. Exact match considers all header attributes defined in IPv4 ACL rules.
ACL Configuration Task List
IPv4 configuration task list
Complete the following tasks to configure an IPv4 ACL:
4-5
Task Remarks
Creating a Time Range Optional
Configuring a WLAN ACL
Configuring an IPv4 basic ACL
Configuring an IPv4 advanced ACL
Configuring an Ethernet Frame Header ACL
Required
Configure at least one task.
Copying an IPv4 ACL Optional
IPv6 ACL configuration task list
Complete the following tasks to configure an IPv6 ACL:
Task Remarks
Creating a Time Range Optional
Configuring an IPv6 basic ACL
Configuring an IPv6 Advanced ACL
Required
Configure at least one task.
Copying an IPv6 ACL Optional
Configuring an ACL
Creating a Time Range
Follow these steps to create a time range:
To do… Use the command… Remarks
Enter system view
system-view
––
Create a time
range
time-range
time-range-name { start-time
to
end-time
days [
from
time1 date1 ] [
to
time2 date2 ] |
from
time1
date1 [
to
time2 date2 ] |
to
time2 date2 }
Required
By default, no time range
exists.
You may create time ranges identified with the same name. They are regarded as one time range
whose active period is the result of ORing periodic ones, ORing absolute ones, and ANDing periodic
and absolute ones.
You may create a maximum of 256 uniquely named time ranges, each with 32 periodic time ranges at
most and 12 absolute time ranges at most.
Configuring a WLAN ACL
WLAN ACLs match packets based on SSIDs of wireless clients.
Follow these steps to configure a WLAN ACL:
To do… Use the command… Remarks
Enter system view
system-view
––
4-6
To do… Use the command… Remarks
Create a WLAN ACL and
enter its view
acl number
acl-number
Required
By default, no ACL exists.
WLAN ACLs are numbered in the range 100 to 199.
Configure a description
for the WLAN ACL
description
text
Optional
By default, a WLAN ACL has no ACL description.
Set the rule numbering
step
step
step-value
Optional
5 by default.
Create or edit a rule
rule
[ rule-id ] {
permit
|
deny
} [
ssid
ssid-name ]
Required
By default, a WLAN ACL does not contain any rule.
To create or edit multiple rules, repeat this step.
Configure or edit a rule
description
rule
rule-id
comment
text
Optional
By default, a WLAN ACL rule has no description.
Configuring a Basic ACL
Configuring an IPv4 basic ACL
IPv4 basic ACLs match packets based on only source IP address.
Follow these steps to configure an IPv4 basic ACL:
To do… Use the command… Remarks
Enter system view
system-view
––
Create an IPv4 basic ACL
and enter its view
acl number
acl-number
[
name
acl-name ]
[
match-order
{
auto
|
config
} ]
Required
By default, no ACL exists.
IPv4 basic ACLs are numbered in the range 2000
to 2999.
You can use the
acl
name
acl-name command to
enter the view of an existing named IPv4 ACL.
Configure a description
for the IPv4 basic ACL
description
text
Optional
By default, an IPv4 basic ACL has no ACL
description.
Set the rule numbering
step
step
step-value
Optional
5 by default.
Create or edit a rule
rule
[ rule-id ] {
deny
|
permit
} [
fragment
|
logging
|
source
{ sour-addr
sour-wildcard |
any
} |
time-range
time-range-name ] *
Required
By default, an IPv4 basic ACL does not contain
any rule.
To create or edit multiple rules, repeat this step.
The
logging
keyword takes effect only when the
module that uses the ACL supports logging.
Configure or edit a rule
description
rule
rule-id
comment
text
Optional
By default, an IPv4 ACL rule has no rule
description.
Configuring an IPv6 basic ACL
Follow these steps to configure an IPv6 basic ACL:
4-7
To do… Use the command… Remarks
Enter system view
system-view
––
Create an IPv6 basic
ACL view and enter its
view
acl ipv6 number
acl6-number
[
name
acl6-name ]
[
match-order
{
auto
|
config
} ]
Required
By default, no ACL exists.
IPv6 basic ACLs are numbered in the range 2000
to 2999.
You can use the
acl
ipv6
name
acl6-name
command to enter the view of an existing named
IPv6 ACL.
Configure a description
for the IPv6 basic ACL
description
text
Optional
By default, an IPv6 basic ACL has no ACL
description.
Set the rule numbering
step
step
step-value
Optional
5 by default
Create or edit a rule
rule
[ rule-id ] {
deny
|
permit
}
[
fragment
|
logging
|
source
{ ipv6-address prefix-length |
ipv6-address/prefix-length |
any
} |
time-range
time-range-name ] *
Required
By default, an IPv6 basic ACL does not contain
any rule.
To create or edit multiple rules, repeat this step.
The
logging
keyword takes effect only when the
module using the ACL supports logging.
Configure or edit a rule
description
rule
rule-id
comment
text
Optional
By default, an IPv6 basic ACL rule has no rule
description.
Configuring an Advanced ACL
Configuring an IPv4 advanced ACL
IPv4 advanced ACLs match packets based on source and destination IP addresses, protocols over IP,
and other protocol header information, such as TCP/UDP source and destination port numbers, TCP
flags, ICMP message types, and ICMP message codes.
IPv4 advanced ACLs also allow you to filter packets based on three priority criteria: type of service (ToS),
IP precedence, and differentiated services codepoint (DSCP) priority.
Compared with IPv4 basic ACLs, IPv4 advanced ACLs allow of more flexible and accurate filtering.
Follow these steps to configure an IPv4 advanced ACL:
To do… Use the command… Remarks
Enter system view
system-view
––
Create an IPv4 advanced
ACL and enter its view
acl number
acl-number [
name
acl-name ] [
match-order
{
auto
|
config
} ]
Required
By default, no ACL exists.
IPv4 advanced ACLs are numbered in the
range 3000 to 3999.
You can use the
acl
name
acl-name
command to enter the view of an existing
named IPv4 ACL.
Configure a description for
the IPv4 advanced ACL
description
text
Optional
By default, an IPv4 advanced ACL has no
ACL description.
4-8
To do… Use the command… Remarks
Set the rule numbering
step
step
step-value
Optional
5 by default.
Create or edit a rule
rule
[ rule-id ] {
deny
|
permit
}
protocol [ { {
ack
ack-value |
fin
fin-value |
psh
psh-value |
rst
rst-value |
syn
syn-value |
urg
urg-value } * |
established
} |
destination
{ dest-addr
dest-wildcard |
any
} |
destination-port
operator port1
[ port2 ] |
dscp
dscp |
fragment
|
icmp-type
{ icmp-type icmp-code |
icmp-message } |
logging
|
precedence
precedence |
reflective
|
source
{ sour-addr
sour-wildcard |
any
} |
source-port
operator port1 [ port2 ] |
time-range
time-range-name |
tos
tos ] *
Required
By default, an IPv4 advanced ACL does
not contain any rule.
To create or edit multiple rules, repeat this
step.
The
logging
keyword takes effect only
when the module using the ACL supports
logging.
Configure or edit a rule
description
rule
rule-id
comment
text
Optional
By default, an IPv4 advanced ACL rule has
no rule description.
Configuring an IPv6 Advanced ACL
IPv6 advanced ACLs match packets based on the source IPv6 address, destination IPv6 address,
protocol carried over IPv6, and other protocol header fields such as the TCP/UDP source port number,
TCP/UDP destination port number, ICMP message type, and ICMP message code.
Compared with IPv6 basic ACLs, they allow of more flexible and accurate filtering.
Follow these steps to configure an IPv6 advanced ACL:
To do… Use the command… Remarks
Enter system view
system-view
––
Create an IPv6
advanced ACL and
enter its view
acl ipv6
number
acl6-number [
name
acl6-name ] [
match-order
{
auto
|
config
} ]
Required
By default, no ACL exists.
IPv6 advanced ACLs are numbered in
the range 3000 to 3999.
You can use the
acl
ipv6
name
acl6-name command to enter the view
of an existing named IPv6 ACL.
Configure a
description for the
IPv6 advanced ACL
description
text
Optional
By default, an IPv6 advanced ACL has
no ACL description.
Set the rule
numbering step
step
step-value
Optional
5 by default.
4-9
To do… Use the command… Remarks
Create or edit a rule
rule
[ rule-id ] {
deny
|
permit
} protocol
[ { {
ack
ack-value |
fin
fin-value |
psh
psh-value |
rst
rst-value |
syn
syn-value |
urg
urg-value } * |
established
} |
destination
{ dest dest-prefix |
dest/dest-prefix |
any
} |
destination-port
operator port1 [ port2 ] |
dscp
dscp |
fragment
|
icmp6-type
{ icmp6-type
icmp6-code | icmp6-message } |
logging
|
source
{ source source-prefix |
source/source-prefix
| any
} |
source-port
operator port1 [ port2 ] |
time-range
time-range-name ] *
Required
By default IPv6 advanced ACL does not
contain any rule.
To create or edit multiple rules, repeat
this step.
The
logging
keyword takes effect only
when the module using the ACL
supports logging.
Configure or edit a
rule description
rule
rule-id
comment
text
Optional
By default, an IPv6 advanced ACL rule
has no rule description.
Configuring an Ethernet Frame Header ACL
Ethernet frame header ACLs, also called Layer 2 ACLs, match packets based on Layer 2 protocol
header fields such as source MAC address, destination MAC address, 802.1p priority (VLAN priority),
and link layer protocol type.
Follow these steps to configure an Ethernet frame header ACL:
To do… Use the command… Remarks
Enter system view
system-view ––
Create an Ethernet frame
header ACL and enter its
view
acl number
acl-number [
name
acl-name ] [
match-order
{
auto
|
config
} ]
Required
By default, no ACL exists.
Ethernet frame header ACLs are numbered
in the range 4000 to 4999.
You can use the
acl
name
acl-name
command to enter the view of an existing
named Ethernet frame header ACL.
Configure a description
for the Ethernet frame
header ACL
description
text
Optional
By default, an Ethernet frame header ACL
has no ACL description.
Set the rule numbering
step
step
step-value
Optional
5 by default.
Create or edit a rule
rule
[ rule-id ] {
deny
|
permit
}
[
cos
vlan-pri |
dest-mac
dest-addr
dest-mask | {
lsap
lsap-type
lsap-type-mask |
type
protocol-type protocol-type-mask }
|
source-mac
sour-addr
source-mask |
time-range
time-range-name ] *
Required
By default, an Ethernet frame header ACL
does not contain any rule.
To create or edit multiple rules, repeat this
step.
Configure or edit a rule
description
rule
rule-id
comment
text
Optional
By default, an Ethernet frame header ACL
rule has no rule description.
/