Login
- Table of Contents
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 02-ACL Configuration | 127.37 KB |
Table of Contents
Implementing Time-Based ACL Rules
IPv4 Fragments Filtering with ACLs
Configuring an Ethernet Frame Header ACL
Displaying and Maintaining ACLs
IPv4 ACL Configuration Example
IPv6 ACL Configuration Example
l The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to your region.
l Support of the H3C WA series WLAN access points (APs) for features may vary by AP model. For more information, see Feature Matrix.
l The interface types and the number of interfaces vary by AP model.
l The term AP in this document refers to common APs, wireless bridges, and mesh APs.
1 ACL Configuration
This chapter includes these sections:
l Configuring an Ethernet Frame Header ACL
l Displaying and Maintaining ACLs
Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document.
ACL Overview
An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number.
ACLs are essentially used for packet filtering. A packet filter drops packets that match a deny rule and permits packets that match a permit rule. ACLs are also widely used by many modules, for example, QoS and IP routing, for traffic identification.
This section covers these topics:
l Implementing Time-Based ACL Rules
l IPv4 Fragments Filtering with ACLs
ACL Categories
ACLs fall into four categories, as shown in Table 1-1.
|
Category |
ACL number |
IP version |
Match criteria |
|
WLAN ACLs |
100 to 199 |
IPv4 |
Wireless client SSID |
|
Basic ACLs |
2000 to 2999 |
IPv4 |
Source IPv4 address |
|
IPv6 |
Source IPv6 address |
||
|
Advanced ACLs |
3000 to 3999 |
IPv4 |
Source/destination IPv4 address, protocols over IPv4, and other Layer 3 and Layer 4 header fields |
|
IPv6 |
Source/destination IPv6 address, protocols over IPv6, and other Layer 3 and Layer 4 header fields |
||
|
Ethernet frame header ACLs |
4000 to 4999 |
IPv4 |
Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type |
ACL Numbering and Naming
Each ACL category has a unique range of ACL numbers. When creating an ACL, you must assign it a number for identification, and in addition, you can also assign the ACL a name for the ease of identification. After creating an ACL with a name, you can neither rename it nor delete its name.
You cannot assign a name for a WLAN ACL.
For a WLAN and Ethernet frame header, the ACL number and name must be globally unique. For an IPv4 basic or advanced ACLs, its ACL number and name must be unique among all IPv4 ACLs, and for an IPv6 basic or advanced ACL, among all IPv6 ACLs. You can assign an IPv4 ACL the same number and name as an IPv6 ACL.
Match Order
The rules in an ACL are sorted in certain order. When a packet matches a rule, the device stops the match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting rules, the matching result and action to take depend on the rule order.
Two ACL match orders are available:
l config – Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a rule with a higher ID. If you use this approach, check rule content and order carefully.
l auto – Sorts ACL rules in depth-first order. Depth-first ordering ensures that any subset of a rule is always matched before the rule. Table 1-2 lists the sequence of tie breakers that depth-first ordering uses to sort rules for each type of ACL.
The match order of WLAN ACLs can only be config.
Table 1-2 Sort ACL rules in depth-first order
|
ACL category |
Sequence of tie breaker |
|
IPv4 basic ACL |
1) VPN instance 2) More 0s in the source IP address wildcard (more 0s means a narrower IP address range) 3) Smaller rule ID |
|
IPv4 advanced ACL |
1) VPN instance 2) Specific protocol type rather than IP (IP represents any protocol over IP) 3) More 0s in the source IP address wildcard mask 4) More 0s in the destination IP address wildcard 5) Narrower TCP/UDP service port number range 6) Smaller ID |
|
IPv6 basic ACL |
1) Longer prefix for the source IP address (a longer prefix means a narrower IP address range) 2) Smaller ID |
|
IPv6 advanced ACL |
1) Specific protocol type rather than IP (IP represents any protocol over IPv6) 2) Longer prefix for the source IPv6 address 3) Longer prefix for the destination IPv6 address 4) Narrower TCP/UDP service port number range 5) Smaller ID |
|
Ethernet frame header ACL |
1) More 1s in the source MAC address mask (more 1s means a smaller MAC address) 2) More 1s in the destination MAC address mask 3) Smaller ID |
l The AP does not support ACL rules with the VPN instance attribute.
l A wildcard mask, also called an inverse mask, is a 32-bit binary and represented in dotted decimal notation. In contrast to a network mask, the 0 bits in a wildcard mask represent 'do care' bits, while the 1 bits represent 'don’t care bits'. If the 'do care' bits in an IP address identical to the 'do care' bits in an IP address criterion, the IP address matches the criterion. All 'don’t care' bits are ignored. The 0s and 1s in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a valid wildcard mask.
ACL Rule Numbering
What is the ACL rule numbering step
If you do not assign an ID for the rule you are creating, the system automatically assigns it a rule ID. The rule numbering step sets the increment by which the system automatically numbers rules. For example, the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between two rules.
By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility of inserting rules in an ACL. This feature is important for a config order ACL, where ACL rules are matched in ascending order of rule ID.
Automatic rule numbering and re-numbering
The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step to the current highest rule ID, starting with 0.
For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10, and 12, the newly defined rule will be numbered 15. If the ACL does not contain any rule, the first rule will be numbered 0.
Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2, 4, 6 and 8.
Implementing Time-Based ACL Rules
You can implement ACL rules based on the time of day by applying a time range to them. A time-based ACL rule takes effect only in any time periods specified by the time range.
Two basic types of time range are available:
l Periodic time range, which recurs periodically on a day or days of the week.
l Absolute time range, which represents only a period of time and does not recur.
You may apply a time range to ACL rules before or after you create it. However, the rules using the time range can take effect only after you define the time range.
IPv4 Fragments Filtering with ACLs
Traditional packet filtering matches only first fragments of IPv4 packets, and allows all subsequent non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks.
To avoids the risks, the H3C ACL implementation:
l Filters all fragments by default, including non-first fragments.
l Provides standard and exact match modes for matching ACLs that contain advanced attributes such as TCP/UDP port number and ICMP type. Standard match is the default mode. It considers only Layer 3 attributes. Exact match considers all header attributes defined in IPv4 ACL rules.
ACL Configuration Task List
IPv4 configuration task list
Complete the following tasks to configure an IPv4 ACL:
|
Task |
Remarks |
|
Optional |
|
|
Required Configure at least one task. |
|
|
Optional |
IPv6 ACL configuration task list
Complete the following tasks to configure an IPv6 ACL:
|
Task |
Remarks |
|
Optional |
|
|
Required Configure at least one task. |
|
|
Optional |
Configuring an ACL
Creating a Time Range
Follow these steps to create a time range:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
–– |
|
Create a time range |
time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 } |
Required By default, no time range exists. |
You may create time ranges identified with the same name. They are regarded as one time range whose active period is the result of ORing periodic ones, ORing absolute ones, and ANDing periodic and absolute ones.
You may create a maximum of 256 uniquely named time ranges, each with 32 periodic time ranges at most and 12 absolute time ranges at most.
Configuring a WLAN ACL
WLAN ACLs match packets based on SSIDs of wireless clients.
Follow these steps to configure a WLAN ACL:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
–– |
|
Create a WLAN ACL and enter its view |
acl number acl-number |
Required By default, no ACL exists. WLAN ACLs are numbered in the range 100 to 199. |
|
Configure a description for the WLAN ACL |
description text |
Optional By default, a WLAN ACL has no ACL description. |
|
Set the rule numbering step |
step step-value |
Optional 5 by default. |
|
Create or edit a rule |
rule [ rule-id ] { permit | deny } [ ssid ssid-name ] |
Required By default, a WLAN ACL does not contain any rule. To create or edit multiple rules, repeat this step. |
|
Configure or edit a rule description |
rule rule-id comment text |
Optional By default, a WLAN ACL rule has no description. |
Configuring a Basic ACL
Configuring an IPv4 basic ACL
IPv4 basic ACLs match packets based on only source IP address.
Follow these steps to configure an IPv4 basic ACL:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
–– |
|
Create an IPv4 basic ACL and enter its view |
acl number acl-number [ name acl-name ] [ match-order { auto | config } ] |
Required By default, no ACL exists. IPv4 basic ACLs are numbered in the range 2000 to 2999. You can use the acl name acl-name command to enter the view of an existing named IPv4 ACL. |
|
Configure a description for the IPv4 basic ACL |
description text |
Optional By default, an IPv4 basic ACL has no ACL description. |
|
Set the rule numbering step |
step step-value |
Optional 5 by default. |
|
Create or edit a rule |
rule [ rule-id ] { deny | permit } [ fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-range-name ] * |
Required By default, an IPv4 basic ACL does not contain any rule. To create or edit multiple rules, repeat this step. The logging keyword takes effect only when the module that uses the ACL supports logging. |
|
Configure or edit a rule description |
rule rule-id comment text |
Optional By default, an IPv4 ACL rule has no rule description. |
Configuring an IPv6 basic ACL
Follow these steps to configure an IPv6 basic ACL:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
–– |
|
Create an IPv6 basic ACL view and enter its view |
acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ] |
Required By default, no ACL exists. IPv6 basic ACLs are numbered in the range 2000 to 2999. You can use the acl ipv6 name acl6-name command to enter the view of an existing named IPv6 ACL. |
|
Configure a description for the IPv6 basic ACL |
description text |
Optional By default, an IPv6 basic ACL has no ACL description. |
|
Set the rule numbering step |
step step-value |
Optional 5 by default |
|
Create or edit a rule |
rule [ rule-id ] { deny | permit } [ fragment | logging | source { ipv6-address prefix-length | ipv6-address/prefix-length | any } | time-range time-range-name ] * |
Required By default, an IPv6 basic ACL does not contain any rule. To create or edit multiple rules, repeat this step. The logging keyword takes effect only when the module using the ACL supports logging. |
|
Configure or edit a rule description |
rule rule-id comment text |
Optional By default, an IPv6 basic ACL rule has no rule description. |
Configuring an Advanced ACL
Configuring an IPv4 advanced ACL
IPv4 advanced ACLs match packets based on source and destination IP addresses, protocols over IP, and other protocol header information, such as TCP/UDP source and destination port numbers, TCP flags, ICMP message types, and ICMP message codes.
IPv4 advanced ACLs also allow you to filter packets based on three priority criteria: type of service (ToS), IP precedence, and differentiated services codepoint (DSCP) priority.
Compared with IPv4 basic ACLs, IPv4 advanced ACLs allow of more flexible and accurate filtering.
Follow these steps to configure an IPv4 advanced ACL:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
–– |
|
Create an IPv4 advanced ACL and enter its view |
acl number acl-number [ name acl-name ] [ match-order { auto | config } ] |
Required By default, no ACL exists. IPv4 advanced ACLs are numbered in the range 3000 to 3999. You can use the acl name acl-name command to enter the view of an existing named IPv4 ACL. |
|
Configure a description for the IPv4 advanced ACL |
description text |
Optional By default, an IPv4 advanced ACL has no ACL description. |
|
Set the rule numbering step |
step step-value |
Optional 5 by default. |
|
Create or edit a rule |
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type icmp-code | icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos ] * |
Required By default, an IPv4 advanced ACL does not contain any rule. To create or edit multiple rules, repeat this step. The logging keyword takes effect only when the module using the ACL supports logging. |
|
Configure or edit a rule description |
rule rule-id comment text |
Optional By default, an IPv4 advanced ACL rule has no rule description. |
Configuring an IPv6 Advanced ACL
IPv6 advanced ACLs match packets based on the source IPv6 address, destination IPv6 address, protocol carried over IPv6, and other protocol header fields such as the TCP/UDP source port number, TCP/UDP destination port number, ICMP message type, and ICMP message code.
Compared with IPv6 basic ACLs, they allow of more flexible and accurate filtering.
Follow these steps to configure an IPv6 advanced ACL:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
–– |
|
Create an IPv6 advanced ACL and enter its view |
acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ] |
Required By default, no ACL exists. IPv6 advanced ACLs are numbered in the range 3000 to 3999. You can use the acl ipv6 name acl6-name command to enter the view of an existing named IPv6 ACL. |
|
Configure a description for the IPv6 advanced ACL |
description text |
Optional By default, an IPv6 advanced ACL has no ACL description. |
|
Set the rule numbering step |
step step-value |
Optional 5 by default. |
|
Create or edit a rule |
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | destination { dest dest-prefix | dest/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | logging | source { source source-prefix | source/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name ] * |
Required By default IPv6 advanced ACL does not contain any rule. To create or edit multiple rules, repeat this step. The logging keyword takes effect only when the module using the ACL supports logging. |
|
Configure or edit a rule description |
rule rule-id comment text |
Optional By default, an IPv6 advanced ACL rule has no rule description. |
Configuring an Ethernet Frame Header ACL
Ethernet frame header ACLs, also called Layer 2 ACLs, match packets based on Layer 2 protocol header fields such as source MAC address, destination MAC address, 802.1p priority (VLAN priority), and link layer protocol type.
Follow these steps to configure an Ethernet frame header ACL:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
–– |
|
Create an Ethernet frame header ACL and enter its view |
acl number acl-number [ name acl-name ] [ match-order { auto | config } ] |
Required By default, no ACL exists. Ethernet frame header ACLs are numbered in the range 4000 to 4999. You can use the acl name acl-name command to enter the view of an existing named Ethernet frame header ACL. |
|
Configure a description for the Ethernet frame header ACL |
description text |
Optional By default, an Ethernet frame header ACL has no ACL description. |
|
Set the rule numbering step |
step step-value |
Optional 5 by default. |
|
Create or edit a rule |
rule [ rule-id ] { deny | permit } [ cos vlan-pri | dest-mac dest-addr dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac sour-addr source-mask | time-range time-range-name ] * |
Required By default, an Ethernet frame header ACL does not contain any rule. To create or edit multiple rules, repeat this step. |
|
Configure or edit a rule description |
rule rule-id comment text |
Optional By default, an Ethernet frame header ACL rule has no rule description. |
Copying an ACL
You can create an ACL by copying an existing ACL. The new ACL has the same properties and content as the source ACL except the ACL number and name.
To successfully copy an ACL, ensure that:
l The destination ACL number is from the same category as the source ACL number.
l The source ACL already exists but the destination ACL does not.
Copying an IPv4 ACL
Follow these steps to copy an IPv4 ACL:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
— |
|
Copy an existing IPv4 ACL to create a new IPv4 ACL |
acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name } |
Required The name keyword is not available for WLAN ACLs |
Copying an IPv6 ACL
Follow these steps to copy an IPv6 ACL:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
— |
|
Copy an existing IPv6 ACL to generate a new one of the same category |
acl ipv6 copy { source-acl6-number | name source-acl6-name } to { dest-acl6-number | name dest-acl6-name } |
Required |
Displaying and Maintaining ACLs
|
To do... |
Use the command… |
Remarks |
|
Display configuration and match statistics for one or all IPv4 ACLs |
display acl { acl-number | all | name acl-name } |
Available in any view |
|
Display configuration and match statistics for one or all IPv6 ACLs |
display acl ipv6 { acl6-number | all | name acl6-name } |
Available in any view |
|
Display the configuration and status of one or all time ranges |
display time-range { time-range-name | all } |
Available in any view |
|
Clear statistics for one or all IPv4 ACLs |
reset acl counter { acl-number | all | name acl-name } |
Available in user view |
|
Clear statistics for one or all IPv6 basic and advanced ACLs |
reset acl ipv6 counter { acl6-number | all | name acl6-name } |
Available in user view |
ACL Configuration Examples
IPv4 ACL Configuration Example
Network Requirements
A company interconnects its departments through the wireless AP. Configure an ACL to:
l Permits access from the President’s office at any time to the salary server of the Financial department.
Figure 1-1 Network diagram for ACL configuration
Configuration Procedure
1) Create a time range for office hours
# Create a periodic time range from 8:00 to 18:00 in working days.
<AP> system-view
[AP] time-range trname 8:00 to 18:00 working-day
2) Define an ACL to control access to the salary server
# Create an advanced IPv4 ACL numbered 3000 and enter its view.
[AP] acl number 3000
# Create a rule to allow access from the President’s office to the salary server.
[AP-acl-adv-3000] rule 1 permit ip source 129.111.1.2 0.0.0.0 destination 129.110.1.2 0.0.0.0
[AP-acl-adv-3000] quit
# Create an advanced IPv4 ACL numbered 3001 and enter its view.
[AP] acl number 3001
# Create a rule to deny access from any other department to the salary server during working hours.
[AP-acl-adv-3001] rule 1 deny ip source any destination 129.110.1.2 0.0.0.0 time-range trname
[AP-acl-adv-3001] quit
# Apply IPv4 ACL 3000 and ACL 3001.
[AP] traffic classifier access1
[AP-classifier-access1] if-match acl 3000
[AP-classifier-access1] quit
[AP] traffic behavior access1
[AP-behavior-access1] filter permit
[AP] traffic classifier access2
[AP-classifier-access2] if-match acl 3001
[AP-classifier-access2] quit
[AP] traffic behavior access2
[AP-behavior-access2] filter deny
[AP-behavior-access2] qos policy access
[AP-qospolicy-access] classifier access1 behavior access1
[AP-qospolicy-access] classifier access2 behavior access2
[AP-qospolicy-access] interface wlan-bss1
[AP-WLAN-BSS1] qos apply policy access inbound
IPv6 ACL Configuration Example
Network Requirements
Perform packet filtering in the inbound direction of interface WLAN-BSS 1 to deny all IPv6 packets but those with source addresses in the range 4050::9000 to 4050::90FF.
Configuration Procedure
1) Create an ACL that is to be applied to interface WLAN-BSS 1.
# Create a basic IPv6 ACL numbered 2000, and enter its view.
<AP> system-view
[AP] acl ipv6 number 2000
# Create a rule to allow access from IPv6 address 4050::9000 to 4050::90FF.
[AP-acl6-basic-2000] rule 1 permit source 4050::9000/120
[AP-acl6-basic-2000] quit
# Create a basic IPv6 ACL numbered 2001, and enter its view.
[AP] acl ipv6 number 2001
# Create a rule to deny access from other IPv6 addresses.
[AP-acl6-basic-2001] rule 1 deny source any
[AP-acl6-basic-2001] quit
2) Apply the ACLs
# Apply ACL 2000 and ACL 2001.
[AP] traffic classifier access1
[AP-classifier-access1] if-match acl ipv6 2000
[AP-classifier-access1] quit
[AP] traffic behavior access1
[AP-behavior-access1] filter permit
[AP] traffic classifier access2
[AP-classifier-access2] if-match acl ipv6 2001
[AP-classifier-access2] quit
[AP] traffic behavior access2
[AP-behavior-access2] filter deny
[AP-behavior-access2] qos policy access
[AP-qospolicy-access] classifier access1 behavior access1
[AP-qospolicy-access] classifier access2 behavior access2
[AP-qospolicy-access] interface wlan-bss1
