H3C S5500-SI Series Operating instructions

Operation Manual – ACL
H3C S5500-SI Series Ethernet Switches Table of Contents
Table of Contents
Chapter 1 ACL Overview ..............................................................................................................1-1
1.1 ACL Overview....................................................................................................................1-1
1.2 Time-Based ACL................................................................................................................1-1
1.3 IPv4 ACL............................................................................................................................1-1
1.3.1 IPv4 ACL Classification...........................................................................................1-2
1.3.2 IPv4 ACL Match Order............................................................................................ 1-2
1.3.3 IP Fragments Filtering with IPv4 ACL.....................................................................1-3
1.3.4 IPv4 ACL Creation ..................................................................................................1-3
1.4 IPv6 ACL............................................................................................................................1-4
1.4.1 IPv6 ACL Classification...........................................................................................1-4
1.4.2 IPv6 ACL Match Order............................................................................................ 1-4
1.4.3 IPv6 ACL Creation ..................................................................................................1-4
Chapter 2 IPv4 ACL Configuration .............................................................................................. 2-1
2.1 Creating a Time Range...................................................................................................... 2-1
2.1.1 Configuration Procedure.........................................................................................2-1
2.1.2 Configuration Example............................................................................................2-2
2.2 Configuring a Basic IPv4 ACL...........................................................................................2-3
2.2.1 Configuration Prerequisites.....................................................................................2-3
2.2.2 Configuration Procedure.........................................................................................2-3
2.2.3 Configuration Example............................................................................................2-4
2.3 Configuring an Advanced IPv4 ACL..................................................................................2-4
2.3.1 Configuration Prerequisites.....................................................................................2-5
2.3.2 Configuration Procedure.........................................................................................2-5
2.3.3 Configuration Example............................................................................................2-6
2.4 Configuring an Ethernet Frame Header ACL ....................................................................2-6
2.4.1 Configuration Prerequisites.....................................................................................2-6
2.4.2 Configuration Procedure.........................................................................................2-6
2.4.3 Configuration Example............................................................................................2-7
2.5 Displaying and Maintaining IPv4 ACLs..............................................................................2-8
2.6 IPv4 ACL Configuration Example......................................................................................2-8
2.6.1 Network Requirements............................................................................................2-8
2.6.2 Network Diagram.....................................................................................................2-8
2.6.3 Configuration Procedure.........................................................................................2-9
Chapter 3 IPv6 ACL Configuration .............................................................................................. 3-1
3.1 Configuring a Time Range.................................................................................................3-1
3.2 Configuring a Basic IPv6 ACL...........................................................................................3-1
3.2.1 Configuration Prerequisites.....................................................................................3-1
3.2.2 Configuration Procedure.........................................................................................3-1
3.2.3 Configuration Example............................................................................................3-2
3.3 Configuring an Advanced IPv6 ACL..................................................................................3-3
3.3.1 Configuration Prerequisites.....................................................................................3-3
3.3.2 Configuration Procedure.........................................................................................3-3
3.3.3 Configuration Example............................................................................................3-4
3.4 Displaying and Maintaining IPv6 ACLs..............................................................................3-4
3.5 IPv6 ACL Configuration Example......................................................................................3-5
3.5.1 Network Requirements............................................................................................3-5
3.5.2 Configuration Procedure.........................................................................................3-5
Chapter 1 ACL Overview
1.1 ACL Overview
An access control list (ACL) is used primarily to identify traffic flows. To filter data
packets, a series of match rules must be configured on the network device to identify the
packets to be filtered. Once the packets are identified, the network device permits or
denies them according to the predefined policy.
ACLs classify packets based on a series of match conditions, which can be the source
addresses, destination addresses and port numbers carried in the packets.
The packet match rules defined by ACLs can be referenced by other functions that
need to differentiate traffic flows, such as the definition of traffic classification rules in
QoS.
Note:
In this manual, IPv4 ACL refers to ACL used for filtering IPv4 packets, and IPv6 ACL
refers to ACL used for filtering IPv6 packets.
1.2 Time-Based ACL
A time-based ACL lets you control packets differently depending on the time range that is
in effect when the packet arrives.
A time range can be specified in each rule in an ACL. If the time range specified in a rule
is not configured, the system will give a prompt message and allow such a rule to be
successfully created. However, the rule does not take effect immediately. It takes effect
only when the specified time range is configured and the system time is within the time
range. If you remove the time range of an ACL rule, the ACL rule becomes invalid the
next time the ACL rule timer refreshes.
1.3 IPv4 ACL
This section covers these topics:
• IPv4 ACL Classification
• IPv4 ACL Match Order
• IP Fragments Filtering with IPv4 ACL
1.3.1 IPv4 ACL Classification
IPv4 ACLs, identified by ACL numbers, fall into the following categories:
• Basic IPv4 ACL, based on source IP address. Basic ACLs are numbered 2000 through 2999.
• Advanced IPv4 ACL, based on source IP address, destination IP address, protocol carried on IP, and other Layer 3 or Layer 4 protocol header information. Advanced ACLs are numbered 3000 through 3999.
• Ethernet frame header ACL, based on Layer 2 protocol header fields such as source MAC address, destination MAC address, 802.1p priority, and link layer protocol type. Ethernet frame header ACLs are numbered 4000 through 4999.
1.3.2 IPv4 ACL Match Order
Each ACL is a sequential collection of rules defined with different matching criteria. The
order in which a packet is matched against the rules may thus affect how the packet is
handled.
At present, the following two match orders are available:
• config: rules are compared in the order in which they are configured.
• auto: depth-first match is performed.
I. Depth-first match for a basic IPv4 ACL
The following shows how your device performs depth-first match in a basic IPv4 ACL:
1) Sort rules by source IP address wildcard first and compare packets against the
rule configured with more zeros in the source IP address wildcard prior to other
rules.
2) If two rules are present with the same number of zeros in their source IP address
wildcards, compare packets against the rule configured first prior to the others.
For example, the rule with the source IP address wildcard 0.0.0.255 is compared prior
to the rule with the source IP address wildcard 0.0.255.255.
II. Depth-first match for an advanced IPv4 ACL
The following shows how your device performs depth-first match in an advanced IPv4
ACL:
1) Sort rules by source IP address wildcard first and compare packets against the
rule configured with more zeros in the source IP address wildcard prior to other
rules.
2) If two rules are present with the same number of zeros in their source IP address
wildcards, look at the destination IP address wildcards in the rules in addition.
Then, compare packets against the rule configured with more zeros in the
destination IP address wildcard prior to the other.
3) If the numbers of zeros in the destination IP address wildcards are the same,
compare packets against the rule configured first prior to the other.
For example, the rule with the source IP address wildcard 0.0.0.255 is compared prior
to the rule with the source IP address wildcard 0.0.255.255.
III. Depth-first match for an Ethernet frame header IPv4 ACL
The following shows how your device performs depth-first match in an Ethernet frame
header ACL:
1) Sort rules by source MAC address mask first and compare packets against the
rule configured with more ones in the source MAC address mask prior to other
rules.
2) If two rules are present with the same number of ones in their source MAC
address masks, look at the destination MAC address masks. Then, compare
packets against the rule configured with more ones in the destination MAC
address mask prior to the other.
3) If the numbers of ones in the destination MAC address masks are the same, the
one configured first is compared prior to the other.
For example, the rule with source MAC address mask FFFF-FFFF-0000 is compared
prior to the rule with source MAC address mask FFFF-0000-0000.
The comparison of a packet against an ACL stops once a match is found. The packet is
then processed as per the rule.
1.3.3 IP Fragments Filtering with IPv4 ACL
Traditionally, an ACL checks only the first fragment of a fragmented IP packet and handles
all non-first fragments the same way it handles the first fragment. This poses a security
risk, because attackers may fabricate non-first fragments to attack your network.
When you configure a rule of an IPv4 ACL, the fragment keyword specifies that the rule
applies to non-first fragments only, and not to non-fragmented packets or first fragments.
ACL rules that do not contain this keyword apply to both non-fragmented packets and
fragments.
1.3.4 IPv4 ACL Creation
An IPv4 ACL consists of a set of rules. Before you can configure ACL rules, you must
first create an IPv4 ACL.
When creating an IPv4 ACL:
• You must specify an ACL number (numeric type), and
• You can optionally specify the match order of the IPv4 ACL.
After an IPv4 ACL is created, the IPv4 ACL view is displayed.
1.4 IPv6 ACL
This section covers these topics:
• IPv6 ACL Classification
• IPv6 ACL Match Order
1.4.1 IPv6 ACL Classification
IPv6 ACLs, identified by ACL numbers, fall into the following categories:
• Basic IPv6 ACL, based on source IPv6 address. Basic IPv6 ACLs are numbered 2000 through 2999.
• Advanced IPv6 ACL, based on source IPv6 address, destination IPv6 address, protocol carried on IP, and other Layer 3 or Layer 4 protocol header fields. Advanced IPv6 ACLs are numbered 3000 through 3999.
1.4.2 IPv6 ACL Match Order
Similar to IPv4 ACLs, IPv6 ACLs are sequential collections of rules defined with
different matching parameters. The order in which a packet is matched against the
rules in an IPv6 ACL may affect how the packet is handled.
Like IPv4 ACLs, IPv6 ACLs support the following two match orders:
• config: rules are compared in the order in which they are configured.
• auto: depth-first match is performed.
In the depth-first mechanism for IPv6 ACLs, packets are matched first against the rule
that specifies the narrower address range. This is determined by comparing prefix
lengths: the longer the prefix length, the narrower the address range.
Consider two IPv6 addresses, 2050:6070::/96 and 2050:6070::/64. In the auto match
approach, packets are matched against the rule with the address of 2050:6070::/96 first,
because that address specifies a narrower address range compared with
2050:6070::/64. In case two rules with the same prefix length are defined in an IPv6
ACL, the one configured first is compared prior to the other one.
The comparison of a packet against an ACL stops once a match is found. The packet is
then processed as per the rule.
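The depth-first (auto) ordering described in 1.3.2 and 1.4.2, as an added Python model that is not part of the H3C manual: rules are sorted by the counts the manual specifies (wildcard zeros for IPv4, mask ones for MAC, prefix length for IPv6, then configuration order) and a packet is compared against them until the first match. The rule and packet dictionaries and the function names are this example's own; the sample ACLs are constructed, with the MAC masks and IPv6 prefixes taken from the manual's examples.

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network


def v4_zero_bits(wildcard):
    """Zero bits in an IPv4 wildcard are the bits a rule fixes: more zeros, narrower rule."""
    return 32 - bin(int(IPv4Address(wildcard))).count("1")


def mac_one_bits(mask):
    """One bits in a MAC mask such as FFFF-FFFF-0000 are the fixed bits: more ones, narrower."""
    return bin(int(mask.replace("-", ""), 16)).count("1")


def v4_match(addr, rule_addr, wildcard):
    """An address matches when it equals the rule address on every wildcard-zero bit."""
    a, r, w = (int(IPv4Address(x)) for x in (addr, rule_addr, wildcard))
    return (a & ~w) == (r & ~w)


def mac_match(addr, rule_addr, mask):
    """A MAC matches when it equals the rule MAC on every mask-one bit."""
    a, r, m = (int(x.replace("-", ""), 16) for x in (addr, rule_addr, mask))
    return (a & m) == (r & m)


def depth_key(rule):
    """Sort key for the auto (depth-first) order; the tuple encodes the manual's tie-break chain."""
    kind = rule["kind"]
    if kind == "basic":       # 1.3.2 I: src wildcard zeros, then configuration order
        return (-v4_zero_bits(rule["src_wc"]), rule["order"])
    if kind == "advanced":    # 1.3.2 II: src zeros, then dst zeros, then configuration order
        return (-v4_zero_bits(rule["src_wc"]), -v4_zero_bits(rule["dst_wc"]), rule["order"])
    if kind == "ethernet":    # 1.3.2 III: src mask ones, then dst mask ones, then order
        return (-mac_one_bits(rule["src_mask"]), -mac_one_bits(rule["dst_mask"]), rule["order"])
    if kind == "ipv6":        # 1.4.2: longer prefix (narrower range) first, then order
        return (-IPv6Network(rule["src"]).prefixlen, rule["order"])
    raise ValueError(f"unknown ACL kind {kind!r}")


def rule_matches(rule, pkt):
    """Do this rule's match criteria describe the packet?"""
    kind = rule["kind"]
    if kind == "basic":
        return v4_match(pkt["src"], rule["src"], rule["src_wc"])
    if kind == "advanced":
        return (v4_match(pkt["src"], rule["src"], rule["src_wc"])
                and v4_match(pkt["dst"], rule["dst"], rule["dst_wc"]))
    if kind == "ethernet":
        return (mac_match(pkt["src_mac"], rule["src_mac"], rule["src_mask"])
                and mac_match(pkt["dst_mac"], rule["dst_mac"], rule["dst_mask"]))
    if kind == "ipv6":
        return IPv6Address(pkt["src"]) in IPv6Network(rule["src"])
    raise ValueError(f"unknown ACL kind {kind!r}")


def first_hit(rules, pkt, match_order="config"):
    """Return the rule the packet hits; comparison stops at the first match, so order decides."""
    key = depth_key if match_order == "auto" else (lambda r: r["order"])
    for rule in sorted(rules, key=key):
        if rule_matches(rule, pkt):
            return rule
    return None   # no rule matched


# Constructed sample ACLs: in each, a broad permit is configured before a narrower deny.
BASIC_RULES = [
    {"kind": "basic", "order": 0, "action": "permit", "src": "10.1.0.0", "src_wc": "0.0.255.255"},
    {"kind": "basic", "order": 1, "action": "deny", "src": "10.1.1.0", "src_wc": "0.0.0.255"},
]
ETH_RULES = [   # masks taken from the manual's 1.3.2 III example
    {"kind": "ethernet", "order": 0, "action": "permit", "src_mac": "0010-0000-0000",
     "src_mask": "FFFF-0000-0000", "dst_mac": "0000-0000-0000", "dst_mask": "0000-0000-0000"},
    {"kind": "ethernet", "order": 1, "action": "deny", "src_mac": "0010-5A1B-0000",
     "src_mask": "FFFF-FFFF-0000", "dst_mac": "0000-0000-0000", "dst_mask": "0000-0000-0000"},
]
IPV6_RULES = [   # prefixes taken from the manual's 1.4.2 example
    {"kind": "ipv6", "order": 0, "action": "permit", "src": "2050:6070::/64"},
    {"kind": "ipv6", "order": 1, "action": "deny", "src": "2050:6070::/96"},
]

if __name__ == "__main__":
    samples = (("basic", BASIC_RULES, {"src": "10.1.1.7"}),
               ("ethernet", ETH_RULES, {"src_mac": "0010-5A1B-2C3D", "dst_mac": "00E0-FC12-3456"}),
               ("ipv6", IPV6_RULES, {"src": "2050:6070::1"}))
    for name, rules, pkt in samples:
        for order in ("config", "auto"):
            hit = first_hit(rules, pkt, order)
            print(f"{name:9s}{order:7s}-> {hit['action']} (rule configured #{hit['order']})")
```

Under config order the broad permit configured first wins every time; under auto the narrower deny is compared first and wins, which is why the match order matters when a narrow deny is added after a broad permit.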
1.4.3 IPv6 ACL Creation
An IPv6 ACL consists of a set of rules. Before you can configure IPv6 ACL rules, you
must first create an IPv6 ACL.
When creating an IPv6 ACL:
• You must specify an IPv6 ACL number (numeric type), and
• You can optionally specify the match order of the IPv6 ACL.
After an IPv6 ACL is created, the IPv6 ACL view is displayed.
Chapter 2 IPv4 ACL Configuration
This chapter covers these topics:
• Creating a Time Range
• Configuring a Basic IPv4 ACL
• Configuring an Advanced IPv4 ACL
• Configuring an Ethernet Frame Header ACL
• Displaying and Maintaining IPv4 ACLs
• IPv4 ACL Configuration Example
2.1 Creating a Time Range
Three types of time ranges are available:
• Periodic time range, which recurs periodically on the day or days of the week.
• Absolute time range, which takes effect only in a period of time and does not recur.
• Compound time range, which recurs on the day or days of the week within a period.
Caution:
On the S5500-SI Series Ethernet Switches, the start time of an absolute time range
cannot be earlier than 1970/1/1 00:00 and the end time of an absolute time range
cannot be later than 2100/12/31 24:00.
2.1.1 Configuration Procedure
Follow these steps to create a time range:
To do: Enter system view
  Command: system-view
  Remarks: ––

To do: Create a time range
  Command: time-range time-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }
  Remarks: Required
Note that:
• A periodic time range is created using the time-range time-name start-time to end-time days command. A time range thus created recurs periodically on the day or days of the week.
• An absolute time range is created using the time-range time-name { from time1 date1 [ to time2 date2 ] | to time2 date2 } command. Unlike a periodic time range, a time range thus created does not recur. For example, to create an absolute time range that is active between January 1, 2004 00:00 and December 31, 2004 23:59, you may use the time-range test from 00:00 01/01/2004 to 23:59 12/31/2004 command.
• A compound time range is created using the time-range time-name start-time to end-time days { from time1 date1 [ to time2 date2 ] | to time2 date2 } command. A time range thus created recurs on the day or days of the week only within the specified period. For example, to create a time range that is active from 12:00 to 14:00 on Wednesdays between January 1, 2004 00:00 and December 31, 2004 23:59, you may use the time-range test 12:00 to 14:00 wednesday from 00:00 01/01/2004 to 23:59 12/31/2004 command.
• You may create individual time ranges identified with the same name. They are regarded as one time range whose active period is the result of ORing the periodic ones, ORing the absolute ones, and ANDing the periodic and absolute results.
• If the start time is not specified, the time range starts at the earliest time available on the system and ends on the end date. If the end date is not specified, the time range lasts from the date of configuration until the latest date available on the system.
• Up to 256 time ranges can be defined.
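The time-range grammar and the OR/AND composition rule above, as an added Python model that is not part of the H3C manual: it splits the arguments of each time-range command into periodic and absolute parts and evaluates whether the named range is active at a given moment. Class and function names are this example's own; the day keywords and date formats are those used in the manual's examples, and the sample ranges are constructed from them.

```python
from datetime import datetime, time

# Day keywords of the time-range command (Monday = 0, matching datetime.weekday()).
DAY_KEYWORDS = {
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
    "working-day": {0, 1, 2, 3, 4}, "off-day": {5, 6}, "daily": set(range(7)),
}
# Bounds for absolute ranges, from the manual's caution (24:00 on 12/31/2100 is the end of that day).
EARLIEST = datetime(1970, 1, 1, 0, 0)
LATEST = datetime(2100, 12, 31, 23, 59, 59)


def parse_clock(text):
    """HH:MM; 24:00 is treated as the last second of the day."""
    h, m = (int(x) for x in text.split(":"))
    return time(23, 59, 59) if (h, m) == (24, 0) else time(h, m)


def parse_stamp(clock, date):
    """Absolute endpoint: HH:MM plus MM/DD/YYYY (01/01/2004) or YYYY/MM/DD (2000/1/28)."""
    parts = [int(x) for x in date.split("/")]
    yyyy, mm, dd = parts if parts[0] > 31 else (parts[2], parts[0], parts[1])
    t = parse_clock(clock)
    return datetime(yyyy, mm, dd, t.hour, t.minute, t.second)


def parse_entry(args):
    """Split the arguments of one time-range command into (periodic, absolute).

    periodic: (start_time, end_time, weekday set) or None
    absolute: (begin, finish) or None; a missing 'from' starts at EARLIEST, a missing 'to' ends at LATEST
    """
    toks = args.split()
    periodic = absolute = None
    i = 0
    if toks and toks[0] not in ("from", "to"):       # start-time to end-time days...
        start, end = parse_clock(toks[0]), parse_clock(toks[2])
        i, days = 3, set()
        while i < len(toks) and toks[i] in DAY_KEYWORDS:
            days |= DAY_KEYWORDS[toks[i]]
            i += 1
        periodic = (start, end, days)
    if i < len(toks):                                # from time1 date1 [ to time2 date2 ] | to time2 date2
        begin, finish = EARLIEST, LATEST
        if toks[i] == "from":
            begin, i = parse_stamp(toks[i + 1], toks[i + 2]), i + 3
        if i < len(toks) and toks[i] == "to":
            finish, i = parse_stamp(toks[i + 1], toks[i + 2]), i + 3
        absolute = (begin, finish)
    return periodic, absolute


class TimeRange:
    """Every time-range command issued under one name; a compound command feeds both lists."""

    def __init__(self, name, commands=()):
        self.name = name
        self.periodic = []   # ORed together
        self.absolute = []   # ORed together, then ANDed with the periodic result
        for args in commands:
            self.add(args)

    def add(self, args):
        periodic, absolute = parse_entry(args)
        if periodic:
            self.periodic.append(periodic)
        if absolute:
            self.absolute.append(absolute)

    def is_active(self, now):
        """Active when some periodic part (if any) and some absolute part (if any) both cover now."""
        periodic_ok = not self.periodic or any(
            now.weekday() in days and start <= now.time() <= end
            for start, end, days in self.periodic)
        absolute_ok = not self.absolute or any(b <= now <= f for b, f in self.absolute)
        return periodic_ok and absolute_ok


def active_at(tr, year, month, day, hour, minute, second=0):
    return tr.is_active(datetime(year, month, day, hour, minute, second))


# Constructed samples mirroring the manual's configuration examples.
OFFICE_HOURS = TimeRange("test", ["8:00 to 18:00 working-day"])
FOUR_YEARS = TimeRange("test", ["from 15:00 2000/1/28 to 15:00 2004/1/28"])
WEDNESDAYS_2004 = TimeRange("test", ["12:00 to 14:00 wednesday from 00:00 01/01/2004 to 23:59 12/31/2004"])
# Two commands under one name: weekday office hours (periodic) AND through 2004 only (absolute).
COMBINED = TimeRange("test", ["8:00 to 18:00 working-day", "to 23:59 12/31/2004"])

if __name__ == "__main__":
    # The moment shown in the manual's display output: Saturday 4/16/2005 13:27:32.
    for tr in (OFFICE_HOURS, FOUR_YEARS, WEDNESDAYS_2004, COMBINED):
        state = "Active" if active_at(tr, 2005, 4, 16, 13, 27, 32) else "Inactive"
        print(f"Time-range : {tr.name} ( {state} )")
```

At the Saturday timestamp shown in the manual's display output, all four sample ranges report Inactive, matching the "( Inactive )" lines in the configuration example.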
2.1.2 Configuration Example
# Create a periodic time range that spans from 8:00 to 18:00 every working day.
<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 working-day
[Sysname] display time-range test
Current time is 13:27:32 4/16/2005 Saturday
Time-range : test ( Inactive )
08:00 to 18:00 working-day
# Create an absolute time range that spans from 15:00 2000/1/28 to 15:00 2004/1/28.
<Sysname> system-view
[Sysname] time-range test from 15:00 2000/1/28 to 15:00 2004/1/28
[Sysname] display time-range test
Current time is 13:27:32 4/16/2005 Saturday
Time-range : test ( Inactive )
from 15:00 1/28/2000 to 15:00 1/28/2004
2.2 Configuring a Basic IPv4 ACL
Basic IPv4 ACLs filter packets based on source IP address. They are numbered in the
range 2000 to 2999.
2.2.1 Configuration Prerequisites
If you want to reference a time range to a rule, define it with the time-range command
first.
2.2.2 Configuration Procedure
Follow these steps to configure a basic IPv4 ACL:
To do: Enter system view
  Command: system-view
  Remarks: ––

To do: Create and enter a basic IPv4 ACL view
  Command: acl number acl-number [ match-order { config | auto } ]
  Remarks: Required. The default match order is config.

To do: Create or modify a rule
  Command: rule [ rule-id ] { permit | deny } [ rule-string ]
  Remarks: Required. To create multiple rules, repeat this step.

To do: Set a rule numbering step
  Command: step step-value
  Remarks: Optional. The default step is 5.

To do: Create an ACL description
  Command: description text
  Remarks: Optional

To do: Create a rule description
  Command: rule rule-id comment text
  Remarks: Optional
When configuring a rule, note that:
• You will fail to create or modify a rule if its permit/deny statement is exactly the same as that of another rule. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules.
• When defining ACL rules, you do not have to assign IDs to them. The system can automatically assign rule IDs starting at 0 and increasing by the rule numbering step. A rule ID thus assigned is greater than the current highest rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the next rule will be numbered 30.
• A newly defined rule cannot be identical to any existing rule; otherwise the rule cannot be created (the system prompts that the rule already exists).
• Rules created with the auto keyword specified are sorted according to the depth-first principle regardless of the order in which they are created. However, the ID of each rule does not change.
Caution:
• You can modify the match order of an ACL with the acl number acl-number match-order { auto | config } command, but only when it does not contain any rules.
• You can use the rule comment command only for existing ACL rules.
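The rule-numbering and duplicate-rule behaviour noted above, as an added Python model that is not part of the H3C manual: automatic IDs start at 0 and rise to the first multiple of the step above the current highest ID, a statement identical to an existing rule's is refused, and rules cannot be modified under auto match order. The class and method names are this example's own.

```python
class AclRuleTable:
    """Rules of one ACL keyed by rule ID (the class and its API are this example's own)."""

    def __init__(self, step=5, match_order="config"):
        self.step = step                 # default numbering step is 5
        self.match_order = match_order   # "config" or "auto"
        self.rules = {}                  # rule-id -> permit/deny statement

    def next_auto_id(self):
        """First multiple of the step above the current highest ID; 0 for an empty ACL."""
        if not self.rules:
            return 0
        return (max(self.rules) // self.step + 1) * self.step

    def is_duplicate(self, statement):
        """True when an existing rule already has exactly this permit/deny statement."""
        return statement in self.rules.values()

    def add(self, statement, rule_id=None):
        """Create a rule (or modify one by giving an existing rule_id); returns the rule ID."""
        if self.is_duplicate(statement):
            raise ValueError("The rule already exists")
        if rule_id is None:
            rule_id = self.next_auto_id()
        elif rule_id in self.rules and self.match_order == "auto":
            raise ValueError("Rules cannot be modified when the match order is auto")
        self.rules[rule_id] = statement
        return rule_id


if __name__ == "__main__":
    acl = AclRuleTable()
    acl.add("deny source 1.1.1.1 0")                          # rule 0
    acl.add("permit source 2.2.2.0 0.0.0.255", rule_id=28)    # explicit ID 28
    print(acl.add("permit source 3.3.3.0 0.0.0.255"))         # highest is 28, step 5: next is 30
```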
2.2.3 Configuration Example
# Create IPv4 ACL 2000 to deny the packets with the source address 1.1.1.1 to pass.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule deny source 1.1.1.1 0
# Verify the configuration.
[Sysname-acl-basic-2000] display acl 2000
Basic ACL 2000, 1 rule,
ACL's step is 5
rule 0 deny source 1.1.1.1 0 (0 times matched)
2.3 Configuring an Advanced IPv4 ACL
Advanced IPv4 ACLs filter packets based on source IP address, destination IP address,
upper protocol carried on IP, and other protocol header fields, such as the TCP/UDP
source port, TCP/UDP destination port, ICMP message type, and ICMP message
code.
In addition, advanced ACLs allow you to filter packets based on three priority criteria:
type of service (ToS), IP precedence, and differentiated services codepoint (DSCP)
priority.
Advanced ACLs are numbered in the range 3000 to 3999. Compared to basic ACLs,
they allow more flexible and accurate filtering.
Note:
• When you configure both IP priority and ToS priority for a rule, both priorities are valid.
• When you configure both IP/ToS priority and DSCP for a rule, only DSCP is valid.
2.3.1 Configuration Prerequisites
If you want to reference a time range to a rule, define it with the time-range command
first.
2.3.2 Configuration Procedure
Follow these steps to configure an advanced IPv4 ACL:
To do: Enter system view
  Command: system-view
  Remarks: ––

To do: Create and enter an advanced IPv4 ACL view
  Command: acl number acl-number [ match-order { config | auto } ]
  Remarks: Required. The default match order is config.

To do: Create or modify a rule
  Command: rule [ rule-id ] { permit | deny } protocol [ rule-string ]
  Remarks: Required. To create multiple rules, repeat this step.

To do: Set a rule numbering step
  Command: step step-value
  Remarks: Optional. The default step is 5.

To do: Create an ACL description
  Command: description text
  Remarks: Optional

To do: Create a rule description
  Command: rule rule-id comment text
  Remarks: Optional
When configuring a rule, note that:
• You will fail to create or modify a rule if its permit/deny statement is exactly the same as that of another rule. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules.
• When defining ACL rules, you do not have to assign IDs to them. The system can automatically assign rule IDs starting at 0 and increasing by the rule numbering step. A rule ID thus assigned is greater than the current highest rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the next rule will be numbered 30.
• A newly defined rule cannot be identical to any existing rule; otherwise the rule cannot be created (the system prompts that the rule already exists).
• Rules created with the auto keyword specified are sorted according to the depth-first principle regardless of the order in which they are created. However, the ID of each rule does not change.
Caution:
• You can modify the match order of an ACL with the acl number acl-number match-order { auto | config } command, but only when it does not contain any rules.
• You can use the rule comment command only for existing ACL rules.
2.3.3 Configuration Example
# Create IPv4 ACL 3000 to permit TCP packets with destination port 80 sent from network
129.9.0.0 to network 202.38.160.0.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255
destination 202.38.160.0 0.0.0.255 destination-port eq 80
# Verify the configuration.
[Sysname-acl-adv-3000] display acl 3000
Advanced ACL 3000, 1 rule,
ACL's step is 5
rule 0 permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0
0.0.0.255 destination-port eq www (0 times matched)
2.4 Configuring an Ethernet Frame Header ACL
Ethernet frame header ACLs filter packets based on Layer 2 protocol header fields
such as source MAC address, destination MAC address, 802.1p priority, and link layer
protocol type. They are numbered in the range 4000 to 4999.
2.4.1 Configuration Prerequisites
If you want to reference a time range to a rule, define it with the time-range command
first.
2.4.2 Configuration Procedure
Follow these steps to configure an Ethernet frame header ACL:
To do: Enter system view
  Command: system-view
  Remarks: ––

To do: Create and enter an Ethernet frame header ACL view
  Command: acl number acl-number [ match-order { config | auto } ]
  Remarks: Required. The default match order is config.

To do: Create or modify a rule
  Command: rule [ rule-id ] { permit | deny } [ rule-string ]
  Remarks: Required. To create multiple rules, repeat this step.

To do: Set a rule numbering step
  Command: step step-value
  Remarks: Optional. The default step is 5.

To do: Create an ACL description
  Command: description text
  Remarks: Optional

To do: Create a rule description
  Command: rule rule-id comment text
  Remarks: Optional
When configuring a rule, note that:
• You will fail to create or modify a rule if its permit/deny statement is exactly the same as that of another rule. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules.
• When defining ACL rules, you do not have to assign IDs to them. The system can automatically assign rule IDs starting at 0 and increasing by the rule numbering step. A rule ID thus assigned is greater than the current highest rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the next rule will be numbered 30.
• A newly defined rule cannot be identical to any existing rule; otherwise the rule cannot be created (the system prompts that the rule already exists).
• Rules created with the auto keyword specified are sorted according to the depth-first principle regardless of the order in which they are created. However, the ID of each rule does not change.
Caution:
• You can modify the match order of an ACL with the acl number acl-number match-order { auto | config } command, but only when it does not contain any rules.
• You can use the rule comment command only for existing ACL rules.
2.4.3 Configuration Example
# Create IPv4 ACL 4000 to deny frames with the 802.1p priority of 3.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] rule deny cos 3
# Verify the configuration.
[Sysname-acl-ethernetframe-4000] display acl 4000
Ethernet frame ACL 4000, 1 rule,
ACL's step is 5
rule 0 deny cos excellent-effort(0 times matched)
2.5 Displaying and Maintaining IPv4 ACLs
To do: Display information about a specified or all IPv4 ACLs
  Command: display acl { all | acl-number }
  Remarks: Available in any view

To do: Display the configuration and state of a specified or all time ranges
  Command: display time-range { all | time-name }
  Remarks: Available in any view

To do: Clear the statistics about the specified or all ACLs
  Command: reset acl counter { all | acl-number }
  Remarks: Available in user view
2.6 IPv4 ACL Configuration Example
2.6.1 Network Requirements
Different departments of an enterprise are interconnected on the intranet through the
ports of a switch. The IP address of the wage query server is 192.168.1.2. Devices of
the R&D department are connected to the GigabitEthernet1/0/1 port of the switch.
Apply an ACL to deny requests sourced from the R&D department and destined for the
wage server during the working hours (8:00 to 18:00).
2.6.2 Network Diagram
Figure 2-1 Network diagram for ACL configuration (the R&D Department, the switch with ports #1, #2 and #3, the salary server 192.168.1.2, and a link to a router)
2.6.3 Configuration Procedure
1) Create a time range for office hours
# Create a periodic time range spanning 8:00 to 18:00 in working days.
<Sysname> system-view
[Sysname] time-range trname 8:00 to 18:00 working-day
2) Define an ACL to control accesses to the salary server
# Create and enter the view of advanced IPv4 ACL 3000.
[Sysname] acl number 3000
# Create a rule to control accesses of the R&D Department to the salary server.
[Sysname-acl-adv-3000] rule 0 deny ip source any destination 192.168.1.2
0.0.0.0 time-range trname
[Sysname-acl-adv-3000] quit
3) Apply the ACL
# Apply IPv4 ACL 3000 to the inbound direction of interface GigabitEthernet1/0/1.
[Sysname] traffic classifier test
[Sysname-classifier-test] if-match acl 3000
[Sysname-classifier-test] quit
[Sysname] traffic behavior test
[Sysname-behavior-test] filter deny
[Sysname-behavior-test] quit
[Sysname] qos policy test
[Sysname-qospolicy-test] classifier test behavior test
[Sysname-qospolicy-test] quit
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos apply policy test inbound
Chapter 3 IPv6 ACL Configuration
This chapter covers these topics:
• Configuring a Time Range
• Configuring a Basic IPv6 ACL
• Configuring an Advanced IPv6 ACL
• Displaying and Maintaining IPv6 ACLs
• IPv6 ACL Configuration Example
3.1 Configuring a Time Range
Refer to section 2.1 Creating a Time Range.
3.2 Configuring a Basic IPv6 ACL
Basic IPv6 ACLs filter packets based on source IPv6 address. They are numbered in
the range 2000 to 2999.
3.2.1 Configuration Prerequisites
If you want to reference a time range to a rule, define it with the time-range command
first.
3.2.2 Configuration Procedure
Follow these steps to configure a basic IPv6 ACL:
To do: Enter system view
  Command: system-view
  Remarks: ––

To do: Create and enter a basic IPv6 ACL view
  Command: acl ipv6 number acl-number [ match-order { config | auto } ]
  Remarks: Required. The default match order is config.

To do: Create a rule
  Command: rule [ rule-id ] { permit | deny } [ rule-string ]
  Remarks: Required. To create multiple rules, repeat this step.

To do: Set a rule numbering step
  Command: step step-value
  Remarks: Optional. The default step is 5.

To do: Create an ACL description
  Command: description text
  Remarks: Optional

To do: Create a rule description
  Command: rule rule-id comment text
  Remarks: Optional
When configuring a rule, note that:
• You will fail to create or modify a rule if its permit/deny statement is exactly the same as that of another rule. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules.
• When defining ACL rules, you do not have to assign IDs to them. The system can automatically assign rule IDs starting at 0 and increasing by the rule numbering step. A rule ID thus assigned is greater than the current highest rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the next rule will be numbered 30.
• A newly defined rule cannot be identical to any existing rule; otherwise the rule cannot be created (the system prompts that the rule already exists).
• Rules created with the auto keyword specified are sorted according to the depth-first principle regardless of the order in which they are created. However, the ID of each rule does not change.
Caution:
• You can modify the match order of an IPv6 ACL with the acl ipv6 number acl6-number match-order { auto | config } command, but only when it does not contain any rules.
• The rule specified in the rule comment command must already exist.
3.2.3 Configuration Example
# Create basic IPv6 ACL 2000 to permit IPv6 packets sourced from 2030:5060::9050/64
and deny IPv6 packets sourced from fe80:5060::8050/96.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] rule permit source 2030:5060::9050/64
[Sysname-acl6-basic-2000] rule deny source fe80:5060::8050/96
# Verify the configuration.
[Sysname-acl6-basic-2000] display acl ipv6 2000
Basic IPv6 ACL 2000, 2 rules,
ACL's step is 5
rule 0 permit source 2030:5060::9050/64 (0 times matched)
rule 5 deny source FE80:5060::8050/96 (0 times matched)
3.3 Configuring an Advanced IPv6 ACL
Advanced IPv6 ACLs filter packets based on the source IPv6 address, the destination
IPv6 address, the upper-layer protocol carried over IPv6, and other protocol header
fields such as the TCP/UDP source port, the TCP/UDP destination port, and the ICMPv6
message type and code.
Advanced IPv6 ACLs are numbered in the range 3000 to 3999. Compared with basic IPv6
ACLs, they allow more flexible and precise filtering.
3.3.1 Configuration Prerequisites
If a rule is to reference a time range, define the time range with the time-range
command first.
3.3.2 Configuration Procedure
Follow these steps to configure an advanced IPv6 ACL:
1. Enter system view: system-view
2. Create an advanced IPv6 ACL and enter its view: acl ipv6 number acl-number [ match-order { config | auto } ]
   Required. The default match order is config.
3. Create a rule: rule [ rule-id ] { permit | deny } protocol [ rule-string ]
   Required. Repeat this step for each rule.
4. Set the rule numbering step: step step-value
   Optional. The default step is 5.
5. Create an ACL description: description text
   Optional.
6. Create a rule description: rule rule-id comment text
   Optional.
When configuring a rule, note that:
• A rule cannot be created or modified if its permit/deny statement is exactly the
same as that of an existing rule; the system reports that the rule already exists.
In addition, if the match order of the ACL is auto rather than config, existing rules
cannot be modified at all.
• You do not have to assign IDs to rules. If you omit the ID, the system assigns one
automatically: the first rule gets 0, and each later rule gets the smallest multiple
of the numbering step that is greater than the current highest rule ID. For example,
with a step of 5 and a current highest rule ID of 28, the next rule is numbered 30.
• When the ACL is created with the auto keyword, its rules are compared in "depth
first" order regardless of the order in which they were created. The ID of each
rule does not change; only the order of comparison does.
Caution:
• You can change the match order of an IPv6 ACL with the acl ipv6 number acl-number
match-order { auto | config } command only while the ACL contains no rules.
• The rule specified in the rule comment command must already exist.
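The rule-ID numbering, the duplicate-rule check, the match-order restrictions and the first-match evaluation described in the notes of 3.2.2 and 3.3.2 can be modelled in a few dozen lines. The following Python is an added example written for this page; it is not H3C code and not the switch's real implementation. It assumes that config order means ascending rule ID and that "depth first" (auto) order tries the rule with the longest source prefix first, then the longest destination prefix; the class and method names (IPv6Acl, add_rule, match) are the example's own, and the addresses 2030:5060::9050/64 and fe80:5060::8050/96 are taken from the 3.2.3 example as constructed input.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    rule_id: int
    action: str                        # "permit" or "deny"
    source: ipaddress.IPv6Network      # source prefix; host bits are masked off
    protocol: Optional[str] = None     # None for a basic ACL rule
    dest: Optional[ipaddress.IPv6Network] = None
    dport: Optional[int] = None
    hits: int = 0                      # the "(n times matched)" counter

    def statement(self):
        # The permit/deny statement without the rule ID; two rules with the
        # same statement are the same rule and the second one is rejected.
        return (self.action, self.protocol, self.source, self.dest, self.dport)


class IPv6Acl:
    def __init__(self, number: int, match_order: str = "config", step: int = 5):
        if not 2000 <= number <= 3999:
            raise ValueError("basic IPv6 ACLs are 2000-2999, advanced 3000-3999")
        if match_order not in ("config", "auto"):
            raise ValueError("match order must be config or auto")
        self.number, self.advanced = number, number >= 3000
        self.match_order, self.step = match_order, step
        self.rules: List[Rule] = []

    def set_match_order(self, match_order: str) -> None:
        # Caution from the manual: the match order can only change while empty.
        if self.rules:
            raise ValueError("match order cannot be changed while the ACL has rules")
        self.match_order = match_order

    def next_rule_id(self) -> int:
        # Auto-assigned ID: the smallest multiple of the step that is greater
        # than the current highest ID (step 5, highest 28 -> 30); 0 if empty.
        if not self.rules:
            return 0
        highest = max(r.rule_id for r in self.rules)
        return (highest // self.step + 1) * self.step

    def add_rule(self, action: str, source: str, protocol: Optional[str] = None,
                 dest: Optional[str] = None, dport: Optional[int] = None,
                 rule_id: Optional[int] = None) -> Rule:
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if self.advanced and protocol is None:
            raise ValueError("an advanced ACL rule needs a protocol")
        if not self.advanced and (protocol or dest or dport is not None):
            raise ValueError("a basic ACL rule matches on source address only")
        rule = Rule(self.next_rule_id() if rule_id is None else rule_id, action,
                    ipaddress.IPv6Network(source, strict=False), protocol,
                    ipaddress.IPv6Network(dest, strict=False) if dest else None, dport)
        if any(r.statement() == rule.statement() for r in self.rules):
            raise ValueError("the rule already exists")
        if any(r.rule_id == rule.rule_id for r in self.rules):
            # Re-using an existing ID modifies that rule, which auto order forbids.
            if self.match_order == "auto":
                raise ValueError("rules of an auto-ordered ACL cannot be modified")
            self.rules = [r for r in self.rules if r.rule_id != rule.rule_id]
        self.rules.append(rule)
        return rule

    def ordered_rules(self) -> List[Rule]:
        if self.match_order == "config":
            # Assumption: config order is ascending rule ID.
            return sorted(self.rules, key=lambda r: r.rule_id)
        # Assumption for "auto" (depth first): the rule with the longer source
        # prefix is tried first, then the longer destination prefix. Rule IDs
        # are not changed by the sort, only the order of comparison.
        return sorted(self.rules, key=lambda r: (-r.source.prefixlen,
                                                 -(r.dest.prefixlen if r.dest else 0),
                                                 r.rule_id))

    def match(self, src: str, dst: Optional[str] = None, protocol: Optional[str] = None,
              dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
        """Return (action, rule_id) of the first rule the packet matches, or
        ("none", None) when no rule matches (the caller decides the default)."""
        s = ipaddress.IPv6Address(src)
        d = ipaddress.IPv6Address(dst) if dst else None
        for r in self.ordered_rules():
            if s not in r.source:
                continue
            if r.protocol is not None and r.protocol != protocol:
                continue
            if r.dest is not None and (d is None or d not in r.dest):
                continue
            if r.dport is not None and r.dport != dport:
                continue
            r.hits += 1
            return r.action, r.rule_id
        return "none", None


if __name__ == "__main__":
    acl = IPv6Acl(2000)                      # the manual's 3.2.3 example, rules 0 and 5
    acl.add_rule("permit", "2030:5060::9050/64")
    acl.add_rule("deny", "fe80:5060::8050/96")
    for r in acl.ordered_rules():
        print(f"rule {r.rule_id} {r.action} source {r.source}")
```

Running the block prints the two rules of the 3.2.3 example in matching order. The auto-order case is where the model earns its keep: with config order, a permit on 2030:5060::/64 at rule 0 shadows a later deny on a single host inside that prefix, whereas with auto order the /128 deny is compared first. That is also why an auto-order ACL refuses rule modification: the effective order no longer follows the rule IDs shown by display acl ipv6, so editing a rule in place would change behaviour in a way the ID sequence does not reveal.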
3.3.3 Configuration Example
# Create IPv6 ACL 3000 to permit the TCP packets with the source address
2030:5060::9050/64 to pass.
<Sysname> system-view
[Sysname] acl ipv6 number 3000
[Sysname-acl6-adv-3000] rule permit tcp source 2030:5060::9050/64
# Verify the configuration.
[Sysname-acl6-adv-3000] display acl ipv6 3000
Advanced IPv6 ACL 3000, 1 rule,
ACL's step is 5
rule 0 permit tcp source 2030:5060::9050/64 (0 times matched)
3.4 Displaying and Maintaining IPv6 ACLs
• Display information about a specified IPv6 ACL or all IPv6 ACLs: display acl ipv6 { all | acl-number }
  Available in any view.
• Clear the match statistics of a specified IPv6 ACL or all IPv6 ACLs: reset acl ipv6 counter { all | acl-number }
  Available in user view.