H3C SR6600 SPE-FWM Configuration manual

H3C SR6600 Routers

ACL and QoS

Configuration Guide

Hangzhou H3C Technologies Co., Ltd.

http://www.h3c.com

Document Version: 20100930-C-1.08

Product Version: SR6600-CMW520-R2420

No part of this manual may be reproduced or transmitted in any form or by any means without prior

written consent of Hangzhou H3C Technologies Co., Ltd.

Trademarks

H3C, , Aolynk, , H

3

Care,

, TOP G, , IRF, NetPilot, Neocean, NeoVTL,

SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V

2

G, V

n

G, PSPT,

XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co.,

Ltd.

All other trademarks that may be mentioned in this manual are the property of their respective owners.

Notice

The information in this document is subject to change without notice. Every effort has been made in the

preparation of this document to ensure accuracy of the contents, but all statements, information, and

recommendations in this document do not constitute the warranty of any kind, express or implied.

Preface

The H3C SR6600 documentation set includes 13 configuration guides, which describe the software

features for the H3C SR6600 Routers and guide you through the software configuration procedures.

These configuration guides also provide configuration examples to help you apply software features to

different network scenarios.

The ACL and QoS Configuration Guide describes fundamentals and configuration for QoS-related

features, including traffic classification, traffic policing, traffic shaping, QoS policy, congestion

management, congestion avoidance, priority mapping, hardware congestion management, EACL, DAR,

MPLS QoS, and FR QoS.

This preface includes:

z Audience

z Conventions

z About the H3C SR6600 Documentation Set

z Obtaining Documentation

z Documentation Feedback

Audience

This documentation is intended for:

z Network planners

z Field technical support and servicing engineers

z Network administrators working with the SR6600

Conventions

This section describes the conventions used in this documentation set.

Command conventions

Convention Description

Boldface Bold

text represents commands and keywords that you enter literally as shown.

italic

Italic text represents arguments that you replace with actual values.

[ ]

Square brackets enclose syntax choices (keywords or arguments) that are

optional.

{ x | y | ... }

Braces enclose a set of required syntax choices separated by vertical bars,

from which you select one.

[ x | y | ... ]

Square brackets enclose a set of optional syntax choices separated by vertical

bars, from which you select one or none.

{ x | y | ... } *

Asterisk marked braces enclose a set of required syntax choices separated by

vertical bars, from which you select at least one.

[ x | y | ... ] *

Asterisk marked square brackets enclose optional syntax choices separated by

vertical bars, from which you may select multiple choices or none.

&<1-n>

The argument or keyword and argument combination before the ampersand (&)

sign can be entered 1 to n times.

Convention Description

# A line that starts with a pound (#) sign is comments.

GUI conventions

Convention Description

Boldface

Window names, button names, field names, and menu items are in Boldface.

For example, the

New User

window appears; click

OK

.

>

Multi-level menus are separated by angle brackets. For example,

File

>

Create

>

Folder

.

Symbols

Convention Description

Means reader be extremely careful. Improper operation may cause bodily

injury.

Means reader be careful. Improper operation may cause data loss or damage to

equipment.

Means an action or information that needs special attention to ensure

successful configuration or good performance.

Means a complementary description.

Means techniques helpful for you to make configuration with ease.

Network topology icons

Convention Description

Represents a generic network device, such as a router, switch, or firewall.

Represents a routing-capable device, such as a router or Layer 3 switch.

Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router

that supports Layer 2 forwarding and other Layer 2 features.

About the H3C SR6600 Documentation Set

The H3C SR6600 documentation set includes:

Category Documents Purposes

Marketing brochures Describe product specifications and benefits.

Technology white papers

Provide an in-depth description of software features

and technologies.

Product description and

specifications

Card datasheets Describe card specifications, features, and standards.

Hardware specifications

and installation

Compliance and safety

manual

Provides regulatory information and the safety

instructions that must be followed during installation.

Category Documents Purposes

Installation guide

Provides a complete guide to hardware installation

and hardware specifications.

Card manuals Provide the hardware specifications of cards.

H3C N68 Cabinet

Installation and Remodel

Introduction

Guides you through installing and remodeling H3C

N68 cabinets.

Configuration guides

Describe software features and configuration

procedures.

Software configuration

Command references Provide a quick reference to all available commands.

H3C SR6608 Release

notes

Operations and

maintenance

H3C SR6602 Release

notes

Provide information about the product release,

including the version history, hardware and software

compatibility matrix, version upgrade information,

technical support information, and software upgrading.

Obtaining Documentation

You can access the most up-to-date H3C product documentation on the World Wide Web at

http://www.h3c.com.

Click the links on the top navigation bar to obtain different categories of product documentation:

[Technical Support & Documents > Technical Documents] – Provides hardware installation, software

upgrading, and software feature configuration and maintenance documentation.

[Products & Solutions] – Provides information about products and technologies, as well as solutions.

[Technical Support & Documents > Software Download] – Provides the documentation released with

the software version.

Technical Support

customer_service@h3c.com

http://www.h3c.com

Documentation Feedback

You can e-mail your comments about product documentation to [email protected].

We appreciate your comments.

i

Table of Contents

1 ACL Configuration·····································································································································1-1

ACL Overview ·········································································································································1-1

ACL Classification ···························································································································1-1

ACL Numbering and Naming ··········································································································1-2

Match Order·····································································································································1-2

ACL Rule Numbering·······················································································································1-3

Implementing Time-Based ACL Rules ····························································································1-4

IPv4 Fragments Filtering with ACLs ································································································1-4

ACL Application ·······························································································································1-4

ACL Configuration Task List ···················································································································1-4

Configuring an ACL·································································································································1-5

Creating a Time Range ···················································································································1-5

Configuring a Basic ACL ·················································································································1-5

Configuring an Advanced ACL ········································································································1-7

Configuring an Ethernet Frame Header ACL ··················································································1-9

Copying an ACL ····························································································································1-10

Enabling ACL Acceleration for an IPv4 ACL ·················································································1-10

Displaying and Maintaining ACLs ·········································································································1-11

ACL Configuration Examples················································································································1-12

IPv4 ACL Configuration Examples ································································································1-12

IPv6 ACL Configuration Example··································································································1-13

2 QoS Overview ············································································································································2-1

Introduction to QoS ·································································································································2-1

QoS Service Models ·······························································································································2-1

Best-Effort Service Model················································································································2-1

IntServ Model ··································································································································2-1

DiffServ Model ·································································································································2-2

QoS Techniques Overview ·····················································································································2-2

Applying QoS Techniques in a Network··························································································2-2

QoS Processing Flow ······················································································································2-3

3 QoS Configuration Approaches···············································································································3-1

QoS Configuration Approach Overview ··································································································3-1

Non-Policy Approach·······················································································································3-1

Policy Approach·······························································································································3-1

Configuring a QoS Policy························································································································3-1

Defining a Class ······························································································································3-2

Defining a Traffic Behavior ··············································································································3-2

Defining a Policy······························································································································3-3

Applying the QoS Policy··················································································································3-4

Displaying and Maintaining QoS Policies························································································3-6

ii

4 Priority Mapping Configuration················································································································4-1

Priority Mapping Overview ······················································································································4-1

Introduction to Priority Mapping·······································································································4-1

Introduction to Priorities···················································································································4-1

Priority Mapping Tables···················································································································4-2

Priority Mapping Configuration Tasks·····································································································4-2

Configuring Priority Mapping···················································································································4-2

Configuring a Priority Mapping Table ······························································································4-2

Configuring an Interface to Trust Packet Priority for Priority Mapping ············································4-3

Changing the Port Priority of an Interface ·······················································································4-3

Displaying and Maintaining Priority Mapping··························································································4-4

Priority Mapping Configuration Examples·······························································································4-4

Priority Trust Mode Configuration Example·····················································································4-4

Priority Mapping Table and Priority Marking Configuration Example··············································4-5

5 Traffic Policing and Traffic Shaping Configuration···············································································5-1

Traffic Policing and Traffic Shaping Overview ························································································5-1

Traffic Evaluation and Token Bucket·······························································································5-1

Traffic Policing ·································································································································5-2

Traffic Shaping ································································································································5-3

Line Rate ·········································································································································5-4

Traffic Policing, Traffic Shaping, and Line Rate Configuration ·······························································5-5

Configuring Traffic Policing ·············································································································5-5

Configuring Traffic Policing in Policy Approach ··············································································5-6

Configuring Traffic Policing in Non-Policy Approach·······································································5-7

Configuring Traffic Shaping·············································································································5-8

Configuring GTS in Policy Approach·······························································································5-8

Configuring GTS in Non-Policy Approach·······················································································5-8

Configuring the Line Rate················································································································5-9

Displaying and Maintaining Traffic Policing, GTS and Line Rate ·························································5-10

Traffic Policing and GTS Configuration Examples················································································5-10

Traffic Policing and GTS Configuration Example··········································································5-10

IP Rate Limiting Configuration Example························································································5-12

6 Congestion Management Configuration·································································································6-1

Congestion Management Overview········································································································6-1

Causes, Impacts, and Countermeasures of Congestion·································································6-1

Congestion Management Policies···································································································6-2

Congestion Management Technology Comparison ········································································6-7

Configuring FIFO·····································································································································6-8

FIFO Configuration Procedure ········································································································6-8

FIFO Configuration Example···········································································································6-9

Configuring PQ········································································································································6-9

PQ Configuration Procedure ·········································································································6-10

PQ Configuration Example············································································································6-10

Configuring CQ ·····································································································································6-11

Configuration Procedure················································································································6-12

iii

CQ Configuration Example············································································································6-12

Configuring WFQ ··································································································································6-13

Configuration Procedure················································································································6-13

WFQ Configuration Example·········································································································6-13

Configuring CBQ ···································································································································6-14

Defining a Class ····························································································································6-14

Defining a Traffic Behavior ············································································································6-15

Defining a QoS Policy····················································································································6-19

Applying the QoS Policy················································································································6-19

Setting the Maximum Reserved Bandwidth as a Percentage of Available Bandwidth ·················6-22

Displaying and Maintaining CBQ···································································································6-22

CBQ Configuration Example ·········································································································6-22

Configuring RTP Priority Queuing·········································································································6-24

Configuration Procedure················································································································6-24

RTP Priority Queuing Configuration Example···············································································6-24

QoS Token Configuration ·····················································································································6-25

QoS Token Configuration Procedure ····························································································6-25

QoS Token Configuration Example·······························································································6-25

Configuring Packet Information Pre-Extraction·····················································································6-26

Configuration Procedure················································································································6-26

Configuration Example ··················································································································6-26

7 Hardware Congestion Management Configuration················································································7-1

Hardware Congestion Management Overview ·······················································································7-1

Causes, Impacts, and Countermeasures ························································································7-1

Congestion Management Techniques·····························································································7-2

Hardware Congestion Management Configuration Approach ································································7-4

Per-Queue Hardware Congestion Management ····················································································7-5

Configuring SP Queuing··················································································································7-5

Configure WRR Queuing·················································································································7-5

Configuring WFQ Queuing ··············································································································7-7

8 Congestion Avoidance······························································································································8-1

Congestion Avoidance Overview ············································································································8-1

Introduction to WRED Configuration·······································································································8-3

Configuring WRED on an Interface·········································································································8-3

Configuration Procedure··················································································································8-3

Configuration Example ····················································································································8-3

Displaying and Maintaining WRED ·········································································································8-4

WRED Configuration Example················································································································8-4

9 Traffic Filtering Configuration··················································································································9-1

Traffic Filtering Overview ························································································································9-1

Configuring Traffic Filtering·····················································································································9-1

Traffic Filtering Configuration Example···································································································9-2

Traffic Filtering Configuration Example ···························································································9-2

iv

10 Priority Marking Configuration·············································································································10-1

Priority Marking Overview ·····················································································································10-1

Configuring Priority Marking··················································································································10-1

Priority Marking Configuration Example································································································10-2

Priority Marking Configuration Example························································································10-2

11 Traffic Redirecting Configuration········································································································11-1

Traffic Redirecting Overview·················································································································11-1

Configuring Traffic Redirecting ·············································································································11-1

Traffic Redirecting Configuration Examples ·························································································11-2

Redirecting Traffic to an Interface ·································································································11-2

12 EACL Configuration ······························································································································12-1

EACL Overview·····································································································································12-1

EACL Configuration Task List···············································································································12-1

Configuring BT Traffic Limiting··············································································································12-1

EACL Configuration Example ···············································································································12-2

BT Traffic Limiting Configuration Example····················································································12-2

Troubleshooting EACL··························································································································12-4

13 DAR Configuration ································································································································13-1

DAR Overview·······································································································································13-1

Configuring DAR for P2P Traffic Identification······················································································13-1

Loading the P2P Signature File·····································································································13-1

Configuring a P2P Protocol Group ································································································13-2

Enabling P2P Traffic Recognition··································································································13-2

Configuring Protocol Match Criteria ······························································································13-2

Configuring DAR Packet Accounting·····························································································13-2

Displaying and Maintaining DAR ··········································································································13-3

DAR Configuration Examples ···············································································································13-3

P2P Downloading Traffic Blocking Configuration Example···························································13-3

14 Class-Based Accounting Configuration ·····························································································14-1

Class-Based Accounting Overview·······································································································14-1

Configuring Class-Based Accounting ···································································································14-1

Displaying and Maintaining Class-Based Traffic Accounting································································14-2

Class-Based Accounting Configuration Example ·················································································14-2

Class-Based Accounting Configuration Example··········································································14-2

15 Appendix ················································································································································15-1

Appendix A Acronym·····························································································································15-1

Appendix B Default Priority Mapping Tables ························································································15-2

Appendix C Introduction to Packet Precedences ·················································································15-4

IP Precedence and DSCP Values·································································································15-4

802.1p Priority ·······························································································································15-5

802.11e Priority ·····························································································································15-6

EXP Values ···································································································································15-6

16 MPLS QoS Configuration······················································································································16-1

MPLS QoS Overview ····························································································································16-1

v

Configuring MPLS QoS·························································································································16-2

Configuring MPLS CAR·················································································································16-2

Configuring MPLS Priority Marking ·······························································································16-3

Configuring MPLS Congestion Management ················································································16-3

MPLS QoS Configuration Example·······································································································16-4

Configuring QoS for Traffic Within a VPN ·····················································································16-4

17 FR QoS Configuration···························································································································17-1

FR QoS Overview ·································································································································17-1

FR QoS··········································································································································17-1

Key Parameters·····························································································································17-1

FR QoS Implementation················································································································17-2

Configuring FR QoS······························································································································17-7

FR QoS Configuration Task List····································································································17-7

Creating and Configuring an FR Class··························································································17-7

Configuring FRTS··························································································································17-8

Configuring FR Traffic Policing······································································································17-9

Configuring FR Congestion Management···················································································17-10

Configuring FR DE Rule List ·······································································································17-10

Configuring FR Queuing··············································································································17-11

Configuring FR Fragmentation ····································································································17-12

Displaying and Maintaining FR QoS ···································································································17-13

FR QoS Configuration Examples········································································································17-14

FRTS Configuration Example······································································································17-14

FR Fragmentation Configuration Example··················································································17-14

18 Index ·······················································································································································18-1

1-1

1 ACL Configuration

This chapter includes these sections:

z ACL Overview

z ACL Configuration Task List

z Configuring an ACL

z Creating a Time Range

z Configuring a Basic ACL

z Configuring an IPv4 basic ACL

z Configuring an Advanced ACL

z Configuring an Ethernet Frame Header ACL

z Copying an ACL

z Enabling ACL Acceleration for an IPv4 ACL

z Displaying and Maintaining ACLs

z ACL Configuration Examples

Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document.

ACL Overview

An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based

on criteria such as the source IP address, destination IP address, and port number.

ACLs are essentially used for packet filtering. A packet filter drops packets that match a deny rule and

permits packets that match a permit rule. ACLs are also widely used by many modules, for example,

QoS and IP routing, for traffic identification.

This section covers these topics:

z ACL Classification

z ACL Numbering and Naming

z Match Order

z Implementing Time-Based ACL Rules

z IPv4 Fragments Filtering with ACLs

z ACL Application

ACL Classification

The SR6600 supports three categories of ACLs, as shown in Table 1-1.

1-2

Table 1-1 ACL categories

Category ACL number IP version Match criteria

IPv4 Source IPv4 address

Basic ACLs 2000 to 2999

IPv6 Source IPv6 address

IPv4

Source/destination IPv4 address, protocols over

IPv4, and other Layer 3 and Layer 4 header

fields

Advanced ACLs 3000 to 3999

IPv6

Source/destination IPv6 address, protocols over

IPv6, and other Layer 3 and Layer 4 header

fields

Ethernet frame

header ACLs

4000 to 4999 IPv4

Layer 2 header fields, such as source and

destination MAC addresses, 802.1p priority, and

link layer protocol type

ACL Numbering and Naming

Each ACL category has a unique range of ACL numbers. When creating an ACL, you must assign it a

number for identification, and in addition, you can also assign the ACL a name for the ease of

identification. After creating an ACL with a name, you can neither rename it nor delete its name.

The number and name for an Ethernet frame header ACL must be globally unique. The number and

name for an IPv4 basic or advanced ACL must be unique among all IPv4 ACLs, and for an IPv6 basic or

advanced ACL, among all IPv6 ACLs. You can assign an IPv4 ACL the same number and name as an

IPv6 ACL.

Match Order

The rules in an ACL are sorted in a certain order. When a packet matches a rule, the device stops the

match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting

rules, the matching result and action to take depend on the rule order.

Two ACL match orders are available:

z config: Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a rule

with a higher ID. If you use this approach, check the rules and their order carefully.

z auto: Sorts ACL rules in depth-first order, as described in Table 1-2. The depth-first order varies

with ACL categories.

Table 1-2 Sorting ACL rules in depth-first order

ACL category Depth-first rule sorting procedures

IPv4 basic ACL

1) The rule configured with a VPN instance takes precedence.

2) The rule with more 0s in the source IP address wildcard mask takes precedence.

More 0s means a narrower IP address range.

3) The rule with a smaller ID takes precedence.

1-3

ACL category Depth-first rule sorting procedures

IPv4 advanced ACL

1) The rule configured with a VPN instance takes precedence.

2) The rule configured with a specific protocol is prior to a rule with the protocol type

set to IP. IP represents any protocol over IP.

3) The rule with more 0s in the source IP address wildcard mask takes precedence.

More 0s means a narrower IP address range.

4) The rule with more 0s in the destination IP address wildcard mask takes

precedence.

5) The rule with a narrower TCP/UDP service port number range takes precedence.

6) The rule with a smaller ID takes precedence.

IPv6 basic ACL

1) The rule configured with a longer prefix for the source IP address takes

precedence. A longer prefix means a narrower IP address range.

2) The rule with a smaller ID takes precedence.

IPv6 advanced ACL

1) The rule configured with a specific protocol is prior to a rule with the protocol type

set to IP. IP represents any protocol over IPv6.

2) The rule configured with a longer prefix for the source IPv6 address has a higher

priority.

3) The rule configured with a longer prefix for the destination IPv6 address takes

precedence.

4) The rule with a narrower TCP/UDP service port number range takes precedence.

5) The rule with a smaller ID takes precedence.

Ethernet frame

header ACL

1) The rule with more 1s in the source MAC address mask takes precedence. More

1s means a smaller MAC address.

2) The rule with more 1s in the destination MAC address mask takes precedence.

3) The rule with a smaller ID takes precedence.

A wildcard mask, also called an inverse mask, is a 32-bit binary and represented in dotted decimal

notation. In contrast to a network mask, the 0 bits in a wildcard mask represent ‘do care’ bits, while the

1 bits represent 'don’t care bits'. If the 'do care' bits in an IP address identical to the 'do care' bits in an IP

address criterion, the IP address matches the criterion. All 'don’t care' bits are ignored. The 0s and 1s in

a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a valid wildcard mask. With

wildcard masks, you can create more granular match criteria than network masks.

ACL Rule Numbering

What is the ACL rule numbering step

If you do not assign an ID for the rule you are creating, the system automatically assigns it a rule ID. The

rule numbering step sets the increment by which the system numbers rules automatically. For example,

the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are

numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between

two rules.

By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility of

inserting rules in an ACL. This feature is important for a config order ACL, where ACL rules are matched

in ascending order of rule ID.

1-4

Automatic rule numbering and re-numbering

The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step to

the current highest rule ID, starting with 0.

For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10,

and 12, the newly defined rule will be numbered 15. If the ACL does not contain any rule, the first rule

will be numbered 0.

Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five

rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered

0, 2, 4, 6 and 8.

Implementing Time-Based ACL Rules

You can implement ACL rules based on the time of day by applying a time range to them. A time-based

ACL rule takes effect only in any time periods specified by the time range.

Two basic types of time range are available:

z Periodic time range, which recurs periodically on a day or days of the week.

z Absolute time range, which represents only a period of time and does not recur.

You may apply a time range to ACL rules before or after you create it. However, the rules using the time

range can take effect only after you define the time range.

IPv4 Fragments Filtering with ACLs

Traditional packet filtering matched only first fragments of IPv4 packets, and allowed all subsequent

non-first fragments to pass through. This mechanism resulted in security risks, because attackers may

fabricate non-first fragments to attack networks.

To avoids the risks, the H3C ACL implementation:

z Filters all fragments by default, including non-first fragments.

z Provides ACL-based firewalls with standard and exact match modes for matching ACLs that

contain advanced attributes such as TCP/UDP port number and ICMP type. Standard match is the

default mode. It considers only Layer 3 attributes. Exact match considers all header attributes

defined in IPv4 ACL rules. For more information, see Firewall in the Security Configuration Guide.

ACL Application

You can use ACLs in QoS, firewall, routing, and other technologies for identifying traffic.

ACL Configuration Task List

IPv4 configuration task list

Perform the following tasks to configure an IPv4 ACL:

Task Remarks

Creating a Time Range Optional

Configuring an IPv4 basic ACL

Configuring an IPv4 advanced ACL

Configuring an Ethernet Frame Header ACL

Required

Perform at least one task.

1-5

Task Remarks

Copying an IPv4 ACL Optional

Enabling ACL Acceleration for an IPv4 ACL Optional

IPv6 ACL configuration task list

Perform the following tasks to configure an IPv6 ACL:

Task Remarks

Creating a Time Range Optional

Configuring an IPv6 basic ACL

Configuring an IPv6 Advanced ACL

Required

Perform at least one task.

Copying an IPv6 ACL Optional

Configuring an ACL

Creating a Time Range

Follow these steps to create a time range:

To do… Use the command… Remarks

Enter system view

system-view

––

Create a time range

time-range

time-range-name

{ start-time

to

end-time days [

from

time1 date1 ] [

to

time2 date2 ] |

from

time1 date1 [

to

time2 date2 ]

|

to

time2 date2 }

Required

By default, no time range exists.

You may create time ranges identified with the same name. They are regarded as one time range

whose active period is the result of ORing periodic ones, ORing absolute ones, and ANDing periodic

and absolute ones.

You may create a maximum of 256 uniquely named time ranges, each with up to 32 periodic time

ranges and up to 12 absolute time ranges.

Configuring a Basic ACL

Configuring an IPv4 basic ACL

IPv4 basic ACLs match packets based on only source IP address.

Follow these steps to configure an IPv4 basic ACL:

To do… Use the command… Remarks

Enter system view

system-view

––

1-6

To do… Use the command… Remarks

Create an IPv4 basic ACL and

enter its view

acl number

acl-number [

name

acl-name ] [

match-order

{

auto

|

config

} ]

Required

By default, no ACL exists.

IPv4 basic ACLs are numbered in

the range 2000 to 2999.

You can use the

acl

name

acl-name command to enter the

view of an existing named IPv4

ACL.

Configure a description for the IPv4

basic ACL

description

text

Optional

By default, an IPv4 basic ACL has

no ACL description.

Set the rule numbering step

step

step-value

Optional

5 by default.

Create or edit a rule

rule

[ rule-id ] {

deny

|

permit

}

[

counting

|

fragment

|

logging

|

source

{ sour-addr sour-wildcard |

any

} |

time-range

time-range-name |

vpn-instance

vpn-instance-name ] *

Required

By default, an IPv4 basic ACL does

not contain any rule.

To create or edit multiple rules,

repeat this step.

The

logging

keyword takes effect

only when the module (for

example, a firewall) that uses the

ACL supports logging.

Configure or edit a rule description

rule

rule-id

comment

text

Optional

By default, an IPv4 ACL rule has

no rule description.

Configuring an IPv6 basic ACL

Follow these steps to configure an IPv6 basic ACL:

To do… Use the command… Remarks

Enter system view

system-view

––

Create an IPv6 basic ACL view and

enter its view

acl ipv6 number

acl6-number

[

name

acl6-name ] [

match-order

{

auto

|

config

} ]

Required

By default, no ACL exists.

IPv6 basic ACLs are numbered in

the range 2000 to 2999.

You can use the

acl

ipv6

name

acl6-name command to enter the

view of an existing named IPv6

ACL.

Configure a description for the IPv6

basic ACL

description

text

Optional

By default, an IPv6 basic ACL has

no ACL description.

Set the rule numbering step

step

step-value

Optional

5 by default

1-7

To do… Use the command… Remarks

Create or edit a rule

rule

[ rule-id ] {

deny

|

permit

}

[

counting

|

fragment

|

logging

|

source

{ ipv6-address

prefix-length |

ipv6-address/prefix-length

|

any

} |

time-range

time-range-name ] *

Required

By default, an IPv6 basic ACL does

not contain any rule.

To create or edit multiple rules,

repeat this step.

The

logging

keyword takes effect

only when the module (for

example, a firewall) using the ACL

supports logging.

Configure or edit a rule description

rule

rule-id

comment

text

Optional

By default, an IPv6 basic ACL rule

has no rule description.

Configuring an Advanced ACL

Configuring an IPv4 advanced ACL

IPv4 advanced ACLs match packets based on source and destination IP addresses, protocols over IP,

and other protocol header information, such as TCP/UDP source and destination port numbers, TCP

flags, ICMP message types, and ICMP message codes.

IPv4 advanced ACLs also allow you to filter packets based on three priority criteria: type of service (ToS),

IP precedence, and differentiated services codepoint (DSCP) priority.

Compared with IPv4 basic ACLs, IPv4 advanced ACLs allow of more flexible and accurate filtering.

Follow these steps to configure an IPv4 advanced ACL:

To do… Use the command… Remarks

Enter system view

system-view

––

Create an IPv4 advanced ACL and

enter its view

acl number

acl-number [

name

acl-name ] [

match-order

{

auto

|

config

} ]

Required

By default, no ACL exists.

IPv4 advanced ACLs are

numbered in the range 3000 to

3999.

You can use the

acl

name

acl-name command to enter the

view of an existing named IPv4

ACL.

Configure a description for the IPv4

advanced ACL

description

text

Optional

By default, an IPv4 advanced ACL

has no ACL description.

Set the rule numbering step

step

step-value

Optional

5 by default.

1-8

To do… Use the command… Remarks

Create or edit a rule

rule

[ rule-id ] {

deny

|

permit

}

protocol [ { {

ack

ack-value |

fin

fin-value |

psh

psh-value |

rst

rst-value |

syn

syn-value |

urg

urg-value } * |

established

} |

counting

|

destination

{ dest-addr

dest-wildcard |

any

} |

destination-port

operator port1

[ port2 ] |

dscp

dscp |

fragment

|

icmp-type

{ icmp-type icmp-code |

icmp-message } |

logging

|

precedence

precedence |

reflective

|

source

{ sour-addr

sour-wildcard |

any

} |

source-port

operator port1 [ port2 ] |

time-range

time-range-name |

tos

tos |

vpn-instance

vpn-instance-name

] *

Required

By default, an IPv4 advanced ACL

does not contain any rule.

To create or edit multiple rules,

repeat this step.

The

logging

keyword takes effect

only when the module (for

example, a firewall) using the ACL

supports logging.

Configure or edit a rule description

rule

rule-id

comment

text

Optional

By default, an IPv4 advanced ACL

rule has no rule description.

Configuring an IPv6 Advanced ACL

IPv6 advanced ACLs match packets based on the source IPv6 address, destination IPv6 address,

protocol carried over IPv6, and other protocol header fields such as the TCP/UDP source port number,

TCP/UDP destination port number, ICMP message type, and ICMP message code.

Compared with IPv6 basic ACLs, they allow of more flexible and accurate filtering.

Follow these steps to configure an IPv6 advanced ACL:

To do… Use the command… Remarks

Enter system view

system-view

––

Create an IPv6 advanced ACL

and enter its view

acl ipv6

number

acl6-number [

name

acl6-name ] [

match-order

{

auto

|

config

} ]

Required

By default, no ACL exists.

IPv6 advanced ACLs are

numbered in the range 3000 to

3999.

You can use the

acl

ipv6

name

acl6-name command to enter the

view of an existing named IPv6

ACL.

Configure a description for the

IPv6 advanced ACL

description

text

Optional

By default, an IPv6 advanced

ACL has no ACL description.

Set the rule numbering step

step

step-value

Optional

5 by default.

1-9

To do… Use the command… Remarks

Create or edit a rule

rule

[ rule-id ] {

deny

|

permit

} protocol

[ { {

ack

ack-value |

fin

fin-value |

psh

psh-value |

rst

rst-value |

syn

syn-value |

urg

urg-value } * |

established

} |

counting

|

destination

{ dest dest-prefix

| dest/dest-prefix |

any

} |

destination-port

operator port1 [ port2 ]

|

dscp

dscp |

flow-label

flow-label-value

|

fragment

|

icmp6-type

{ icmp6-type

icmp6-code | icmp6-message } |

logging

|

source

{ source source-prefix |

source/source-prefix

| any

} |

source-port

operator port1 [ port2 ] |

time-range

time-range-name ] *

Required

By default IPv6 advanced ACL

does not contain any rule.

To create or edit multiple rules,

repeat this step.

The

logging

keyword takes

effect only when the module (for

example, a firewall) using the

ACL supports logging.

Configure or edit a rule

description

rule

rule-id

comment

text

Optional

By default, an IPv6 advanced

ACL rule has no rule description.

Configuring an Ethernet Frame Header ACL

Ethernet frame header ACLs, also called Layer 2 ACLs, match packets based on Layer 2 protocol

header fields such as source MAC address, destination MAC address, 802.1p priority (VLAN priority),

and link layer protocol type.

Follow these steps to configure an Ethernet frame header ACL:

To do… Use the command… Remarks

Enter system view

system-view ––

Create an Ethernet frame header

ACL and enter its view

acl number

acl-number [

name

acl-name ] [

match-order

{

auto

|

config

} ]

Required

By default, no ACL exists.

Ethernet frame header ACLs are

numbered in the range 4000 to

4999.

You can use the

acl

name

acl-name command to enter the

view of an existing named Ethernet

frame header ACL.

Configure a description for the

Ethernet frame header ACL

description

text

Optional

By default, an Ethernet frame

header ACL has no ACL

description.

Set the rule numbering step

step

step-value

Optional

5 by default.

Create or edit a rule

rule

[ rule-id ] {

deny

|

permit

}

[

cos

vlan-pri |

counting

|

dest-mac

dest-addr dest-mask |

{

lsap

lsap-type lsap-type-mask |

type

protocol-type

protocol-type-mask } |

source-mac

sour-addr source-mask |

time-range

time-range-name ] *

Required

By default, an Ethernet frame

header ACL does not contain any

rule.

To create or edit multiple rules,

repeat this step.

1-10

To do… Use the command… Remarks

Configure or edit a rule description

rule

rule-id

comment

text

Optional

By default, an Ethernet frame

header ACL rule has no rule

description.

Copying an ACL

You can create an ACL by copying an existing ACL. The new ACL has the same properties and content

as the source ACL except the ACL number and name.

To successfully copy an IPv4 or IPv6 ACL, ensure that:

z The destination ACL number is from the same category as the source ACL number.

z The source IPv4 or IPv6 ACL already exists but the destination IPv4 or IPv6 ACL does not.

Copying an IPv4 ACL

Follow these steps to copy an IPv4 ACL:

To do… Use the command… Remarks

Enter system view

system-view

—

Copy an existing IPv4 ACL to

create a new IPv4 ACL

acl copy

{ source-acl-number |

name

source-acl-name }

to

{ dest-acl-number |

name

dest-acl-name }

Required

Copying an IPv6 ACL

Follow these steps to copy an IPv6 ACL:

To do… Use the command… Remarks

Enter system view

system-view

—

Copy an existing IPv6 ACL to

generate a new one of the same

H3C SR6600 SPE-FWM Configuration manual

H3C SR6600 SPE-FWM Configuration manual

Related papers

Other documents