13 ACL Configuration

Contents

Configuring ACLs
  Overview
    ACL types
    Numbering and naming ACLs
    Match order
    Rule numbering
    Fragment filtering with ACLs
  Configuration restrictions and guidelines
  Configuration task list
  Configuring a basic ACL
    Configuring an IPv4 basic ACL
    Configuring an IPv6 basic ACL
  Configuring an advanced ACL
    Configuring an IPv4 advanced ACL
    Configuring an IPv6 advanced ACL
  Configuring a Layer 2 ACL
  Configuring a user-defined ACL
  Copying an ACL
  Configuring packet filtering with ACLs
    Applying an ACL to an interface for packet filtering
    Configuring the applicable scope of packet filtering on a VLAN interface
    Configuring logging and SNMP notifications for packet filtering
    Setting the packet filtering default action
  Displaying and maintaining ACLs
  ACL configuration examples
    Interface-based packet filtering configuration example

Configuring ACLs
Overview
An access control list (ACL) is a set of rules for identifying traffic based on criteria such as source IP
address, destination IP address, and port number. The rules are also called permit or deny
statements.
ACLs are primarily used for packet filtering. "Configuring packet filtering with ACLs" provides an
example. You can use ACLs in QoS, security, routing, and other modules for identifying traffic. The
packet drop or forwarding decisions depend on the modules that use ACLs.

ACL types

Basic ACLs (ACL number 2000 to 2999)
  IPv4: Source IPv4 address.
  IPv6: Source IPv6 address.
Advanced ACLs (ACL number 3000 to 3999)
  IPv4: Source IPv4 address, destination IPv4 address, packet priority, protocol number, and other Layer 3 and Layer 4 header fields.
  IPv6: Source IPv6 address, destination IPv6 address, packet priority, protocol number, and other Layer 3 and Layer 4 header fields.
Layer 2 ACLs (ACL number 4000 to 4999)
  IPv4 and IPv6: Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type.
User-defined ACLs (ACL number 5000 to 5999)
  IPv4 and IPv6: User-specified matching patterns in protocol headers.

Numbering and naming ACLs


When creating an ACL, you must assign it a number or name for identification. You can specify an
existing ACL by its number or name. Each ACL type has a unique range of ACL numbers.
For an IPv4 basic or advanced ACL, its ACL number or name must be unique in IPv4. For an IPv6
basic or advanced ACL, its ACL number and name must be unique in IPv6. For a Layer 2 or
user-defined ACL, its number or name must be globally unique.

Match order
The rules in an ACL are sorted in a specific order. When a packet matches a rule, the device stops
the match process and performs the action defined in the rule. If an ACL contains overlapping or
conflicting rules, the matching result and action to take depend on the rule order.
The following ACL match orders are available:
• config—Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before
a rule with a higher ID. If you use this method, check the rules and their order carefully.
• auto—Sorts ACL rules in depth-first order. Depth-first ordering makes sure any subset of a rule
is always matched before the rule. Table 1 lists the sequence of tie breakers that depth-first
ordering uses to sort rules for each type of ACL.

NOTE:
The match order of user-defined ACLs can only be config.

Table 1 Sort ACL rules in depth-first order

IPv4 basic ACL:
  1. VPN instance.
  2. More 0s in the source IPv4 address wildcard (more 0s means a narrower IPv4 address range).
  3. Rule configured earlier.
IPv4 advanced ACL:
  1. VPN instance.
  2. Specific protocol number.
  3. More 0s in the source IPv4 address wildcard mask.
  4. More 0s in the destination IPv4 address wildcard.
  5. Narrower TCP/UDP service port number range.
  6. Rule configured earlier.
IPv6 basic ACL:
  1. VPN instance.
  2. Longer prefix for the source IPv6 address (a longer prefix means a narrower IPv6 address range).
  3. Rule configured earlier.
IPv6 advanced ACL:
  1. VPN instance.
  2. Specific protocol number.
  3. Longer prefix for the source IPv6 address.
  4. Longer prefix for the destination IPv6 address.
  5. Narrower TCP/UDP service port number range.
  6. Rule configured earlier.
Layer 2 ACL:
  1. More 1s in the source MAC address mask (more 1s means a smaller MAC address range).
  2. More 1s in the destination MAC address mask.
  3. Rule configured earlier.

A wildcard mask, also called an inverse mask, is a 32-bit binary number represented in dotted
decimal notation. In contrast to a network mask, the 0 bits in a wildcard mask represent "do care" bits,
and the 1 bits represent "don't care" bits. If the "do care" bits in an IP address are identical to the "do
care" bits in an IP address criterion, the IP address matches the criterion. All "don't care" bits are
ignored. The 0s and 1s in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a
valid wildcard mask.
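The two points above (bitwise, possibly noncontiguous wildcard matching, and the difference between config order and depth-first "auto" order) are easy to get wrong when reviewing an ACL. The following Python model is an added example, not code from the guide or from the device: it applies a wildcard mask bit by bit and sorts IPv4 basic ACL rules by Table 1 tie breakers 2 and 3 (the VPN-instance tie breaker is left out). The rule set, the class and function names (BasicRule, first_match, decide) and the addresses are constructed for the illustration.

```python
"""Wildcard-mask matching and config vs. depth-first ("auto") ordering for IPv4 basic ACLs.
Added example; names and sample rules are constructed, not taken from the guide."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, criterion: str, wildcard: str) -> bool:
    """0 bits in the wildcard are "do care" bits, 1 bits are "don't care" bits.
    The mask is applied bitwise, so a noncontiguous mask such as 0.255.0.255 works too."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(criterion) & care)


def care_bit_count(wildcard: str) -> int:
    """Number of 0 bits in the wildcard; more 0s means a narrower address range."""
    return 32 - bin(ip_to_int(wildcard)).count("1")


@dataclass
class BasicRule:
    rule_id: int      # rule ID; config order sorts by this
    seq: int          # configuration sequence; lower means configured earlier
    action: str       # "permit" or "deny"
    source: str       # source IPv4 address criterion, or "any"
    wildcard: str     # source wildcard mask (ignored when source is "any")

    def matches(self, src_addr: str) -> bool:
        return self.source == "any" or wildcard_match(src_addr, self.source, self.wildcard)

    def specificity(self) -> int:
        return 0 if self.source == "any" else care_bit_count(self.wildcard)


def sort_rules(rules: List[BasicRule], order: str) -> List[BasicRule]:
    """config: ascending rule ID. auto: depth-first, i.e. the narrower source range first,
    then the rule configured earlier (Table 1, IPv4 basic ACL, tie breakers 2 and 3)."""
    if order == "config":
        return sorted(rules, key=lambda r: r.rule_id)
    if order == "auto":
        return sorted(rules, key=lambda r: (-r.specificity(), r.seq))
    raise ValueError(f"unknown match order: {order}")


def first_match(rules: List[BasicRule], src_addr: str, order: str) -> Optional[BasicRule]:
    """Matching stops at the first rule that matches; later rules are never consulted."""
    for rule in sort_rules(rules, order):
        if rule.matches(src_addr):
            return rule
    return None


# Constructed sample ACL: a broad permit was configured before a narrower deny.
SAMPLE_RULES = [
    BasicRule(rule_id=0, seq=1, action="permit", source="10.1.0.0", wildcard="0.0.255.255"),
    BasicRule(rule_id=5, seq=2, action="deny", source="10.1.1.0", wildcard="0.0.0.255"),
    BasicRule(rule_id=10, seq=3, action="permit", source="any", wildcard="255.255.255.255"),
]


def decide(src_addr: str, order: str, rules: List[BasicRule] = SAMPLE_RULES) -> Optional[Tuple[int, str]]:
    """Return (rule ID, action) of the rule that decides the packet, or None if nothing matches."""
    rule = first_match(rules, src_addr, order)
    return (rule.rule_id, rule.action) if rule else None


if __name__ == "__main__":
    for order in ("config", "auto"):
        # 10.1.1.7 is inside both the /16 permit and the narrower /24 deny
        print(f"{order:6s} 10.1.1.7 -> {decide('10.1.1.7', order)}")
```

With the same three rules, 10.1.1.7 is permitted by rule 0 in config order but denied by rule 5 in auto order, because the /24 deny is a subset of the /16 permit and depth-first ordering tries it first. That is the practical meaning of "any subset of a rule is always matched before the rule".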

Rule numbering
ACL rules can be manually numbered or automatically numbered. This section describes how
automatic ACL rule numbering works.
Rule numbering step
If you do not assign an ID to the rule you are creating, the system automatically assigns it a rule ID.
The rule numbering step sets the increment by which the system automatically numbers rules. For
example, the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating,
they are automatically numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more
rules you can insert between two rules.
By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility
of inserting rules in an ACL. This feature is important for a config-order ACL, where ACL rules are
matched in ascending order of rule ID.

Automatic rule numbering and renumbering
The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering
step to the current highest rule ID, starting with 0.
For example, if the step is 5, and there are five rules numbered 0, 5, 9, 10, and 12, the newly defined
rule is numbered 15. If the ACL does not contain a rule, the first rule is numbered 0.
Whenever the step changes, the rules are renumbered, starting from 0. For example, changing the
step from 5 to 2 renumbers rules 5, 10, 13, and 15 as rules 0, 2, 4, and 6.
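The numbering rules above are small but easy to misremember when an ACL mixes manually and automatically numbered rules. The following Python model is an added example, not code from the guide or the device: next_rule_id reproduces the "nearest higher multiple of the step" rule, renumber reproduces renumbering from 0 when the step changes, and the Acl class ties both together so the worked values in the text (0, 5, 9, 10, 12 giving 15; a step change from 5 to 2 turning 5, 10, 13, 15 into 0, 2, 4, 6) can be checked. All names are my own.

```python
"""Automatic rule ID assignment and renumbering on a step change.
Added example; class and function names are constructed, not taken from the guide."""
from typing import Dict, Iterable, List, Optional


def next_rule_id(existing_ids: Iterable[int], step: int) -> int:
    """Nearest multiple of the step above the current highest rule ID; 0 for an empty ACL.
    A manually numbered rule (for example 12 with step 5) still pushes the next auto ID to 15."""
    ids = list(existing_ids)
    if not ids:
        return 0
    return (max(ids) // step + 1) * step


def renumber(existing_ids: Iterable[int], new_step: int) -> Dict[int, int]:
    """Map old IDs to new ones: rules keep their relative order and are renumbered from 0."""
    return {old: index * new_step for index, old in enumerate(sorted(existing_ids))}


class Acl:
    """Minimal model of an ACL that tracks rule IDs and the numbering step."""

    def __init__(self, step: int = 5) -> None:
        self.step = step
        self.rules: Dict[int, str] = {}

    def add_rule(self, text: str, rule_id: Optional[int] = None) -> int:
        """Create or edit a rule; without an explicit rule_id the ID is assigned automatically."""
        if rule_id is None:
            rule_id = next_rule_id(self.rules, self.step)
        self.rules[rule_id] = text
        return rule_id

    def set_step(self, step: int) -> Dict[int, int]:
        """Change the step; every rule is renumbered from 0 and the old-to-new map is returned."""
        mapping = renumber(self.rules, step)
        self.rules = {mapping[old]: text for old, text in self.rules.items()}
        self.step = step
        return mapping

    def ids(self) -> List[int]:
        return sorted(self.rules)


if __name__ == "__main__":
    acl = Acl(step=5)
    print("auto rule", acl.add_rule("permit source 10.1.1.0 0.0.0.255"))      # 0
    print("auto rule", acl.add_rule("deny source 10.1.0.0 0.0.255.255"))      # 5
    # the gap left by the step lets a rule be inserted between 0 and 5
    print("inserted rule", acl.add_rule("permit source any", rule_id=3))       # 3
    print("next auto rule", acl.add_rule("deny source any"))                   # 10
    print("after step 2:", acl.set_step(2))                                    # {0: 0, 3: 2, 5: 4, 10: 6}
```

Note that renumbering changes the IDs you may have recorded in tickets or scripts: after a step change, "rule 5" no longer refers to the same rule, which is worth checking with display acl before editing by ID.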

Fragment filtering with ACLs


Traditional packet filtering matches only first fragments of packets, and allows all subsequent
non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks.
To avoid risks, the ACL feature is designed as follows:
• Filters all fragments by default, including non-first fragments.
• Allows for matching criteria modification for efficiency. For example, you can configure the ACL
to filter only non-first fragments.

Configuration restrictions and guidelines


Follow these restrictions and guidelines when you configure an ACL:
• If you create a numbered ACL, you can enter the view of the ACL by using either of the following
commands:
  ◦ acl [ ipv6 ] number acl-number.
  ◦ acl { [ ipv6 ] { advanced | basic } | mac | user-defined } acl-number.
• If you create a named non-WLAN ACL by using the acl [ ipv6 ] number acl-number name
acl-name command, you can enter the view of the ACL by using either of the following
commands:
  ◦ acl [ ipv6 ] number acl-number [ name acl-name ].
  ◦ acl { [ ipv6 ] { advanced | basic } | mac | user-defined } name acl-name.
• If you create a named ACL by using the acl { [ ipv6 ] { advanced | basic } | mac | user-defined }
name acl-name command, you can enter the view of the ACL by using only the command that
is used to create the ACL.
• The device uses the slow forwarding process for a packet if the packet matches an ACL rule
that contains criteria except for the following ones:
  ◦ Source IP address, source port number, destination IP address, destination port number, or
transport layer protocol.
  ◦ ICMP message type or ICMP message code.
  ◦ VPN instance.
  ◦ Logging operation.
  ◦ Time range.
During the slow forwarding process, the device sends the matching packets to the control plane.
The forwarding performance is downgraded.

Configuration task list
Tasks at a glance
(Required.) Configure ACLs according to the characteristics of the packets to be matched:
• Configuring a basic ACL
  ◦ Configuring an IPv4 basic ACL
  ◦ Configuring an IPv6 basic ACL
• Configuring an advanced ACL
  ◦ Configuring an IPv4 advanced ACL
  ◦ Configuring an IPv6 advanced ACL
• Configuring a Layer 2 ACL
• Configuring a user-defined ACL
(Optional.) Copying an ACL
(Optional.) Configuring packet filtering with ACLs

Configuring a basic ACL


This section describes procedures for configuring IPv4 and IPv6 basic ACLs.

Configuring an IPv4 basic ACL


IPv4 basic ACLs match packets based only on source IP addresses.
To configure an IPv4 basic ACL:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create an IPv4 basic ACL and enter its view.
   Command: acl basic { acl-number | name acl-name } [ match-order { auto | config } ]
            acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
   Remarks: By default, no ACLs exist.
            The value range for a numbered IPv4 basic ACL is 2000 to 2999.
            Use the acl number acl-number or acl basic acl-number command to create a numbered IPv4 basic ACL.
            To enter the view of a named IPv4 basic ACL, use the acl name acl-name or acl basic name acl-name command.
            The acl name acl-name command supports entering the view of an existing IPv4 basic and advanced ACL.
            To enter the view of a numbered IPv4 basic ACL, use the acl number acl-number or acl basic acl-number command.

3. (Optional.) Configure a description for the IPv4 basic ACL.
   Command: description text
   Remarks: By default, an IPv4 basic ACL does not have a description.

4. (Optional.) Set the rule numbering step.
   Command: step step-value
   Remarks: The default setting is 5.

5. Create or edit a rule.
   Command: rule [ rule-id ] { deny | permit } [ counting | fragment | [ flow-logging | logging ] | source { source-address source-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
   Remarks: By default, no IPv4 basic ACL rules exist.
            The flow-logging and logging keywords take effect only when the module (for example, packet filtering) that uses the ACL supports logging.
            The vpn-instance vpn-instance-name option is not supported in the outbound direction.

6. (Optional.) Add or edit a rule comment.
   Command: rule rule-id comment text
   Remarks: By default, no rule comment is configured.

Configuring an IPv6 basic ACL


IPv6 basic ACLs match packets based only on source IPv6 addresses.
To configure an IPv6 basic ACL:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create an IPv6 basic ACL and enter its view.
   Command: acl ipv6 basic { acl-number | name acl-name } [ match-order { auto | config } ]
            acl ipv6 number acl-number [ name acl-name ] [ match-order { auto | config } ]
   Remarks: By default, no ACLs exist.
            The value range for a numbered IPv6 basic ACL is 2000 to 2999.
            Use the acl ipv6 number acl-number or acl ipv6 basic acl-number command to create a numbered IPv6 basic ACL.
            To enter the view of a named IPv6 basic ACL, use the acl ipv6 name acl-name or acl ipv6 basic name acl-name command.
            The acl ipv6 name acl-name command supports entering the view of an existing IPv6 basic and advanced ACL.
            To enter the view of a numbered IPv6 basic ACL, use the acl ipv6 number acl-number or acl ipv6 basic acl-number command.

3. (Optional.) Configure a description for the IPv6 basic ACL.
   Command: description text
   Remarks: By default, an IPv6 basic ACL does not have a description.

4. (Optional.) Set the rule numbering step.
   Command: step step-value
   Remarks: The default setting is 5.

5. Create or edit a rule.
   Command: rule [ rule-id ] { deny | permit } [ counting | [ flow-logging | logging ] | routing | source { source-address source-prefix | source-address/source-prefix | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
   Remarks: By default, no IPv6 basic ACL rules exist.
            The flow-logging and logging keywords take effect only when the module (for example, packet filtering) that uses the ACL supports logging.
            If an IPv6 basic ACL is used for outbound QoS traffic classification or outbound packet filtering, do not specify the routing keyword.
            The vpn-instance vpn-instance-name option is not supported in the outbound direction.

6. (Optional.) Add or edit a rule comment.
   Command: rule rule-id comment text
   Remarks: By default, no rule comment is configured.

Configuring an advanced ACL


This section describes procedures for configuring IPv4 and IPv6 advanced ACLs.

Configuring an IPv4 advanced ACL


IPv4 advanced ACLs match packets based on the following criteria:
• Source IP addresses.
• Destination IP addresses.
• Packet priorities.
• Protocol numbers.
• Other protocol header information, such as TCP/UDP source and destination port numbers,
TCP flags, ICMP message types, and ICMP message codes.
Compared to IPv4 basic ACLs, IPv4 advanced ACLs allow more flexible and accurate filtering.
To configure an IPv4 advanced ACL:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create an IPv4 advanced ACL and enter its view.
   Command: acl advanced { acl-number | name acl-name } [ match-order { auto | config } ]
            acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
   Remarks: By default, no ACLs exist.
            The value range for a numbered IPv4 advanced ACL is 3000 to 3999.
            Use the acl number acl-number or acl advanced acl-number command to create a numbered IPv4 advanced ACL.
            To enter the view of a named IPv4 advanced ACL, use the acl name acl-name or acl advanced name acl-name command.
            The acl name acl-name command supports entering the view of an existing IPv4 basic and advanced ACL.
            To enter the view of a numbered IPv4 advanced ACL, use the acl number acl-number or acl advanced acl-number command.

3. (Optional.) Configure a description for the IPv4 advanced ACL.
   Command: description text
   Remarks: By default, an IPv4 advanced ACL does not have a description.

4. (Optional.) Set the rule numbering step.
   Command: step step-value
   Remarks: The default setting is 5.

5. Create or edit a rule.
   Command: rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { object-group address-group-name | dest-address dest-wildcard | any } | destination-port operator port1 [ port2 ] | { dscp dscp | { precedence precedence | tos tos } * } | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | [ flow-logging | logging ] | qos-local-id local-id-value | source { source-address source-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | vpn-instance vpn-instance-name ] *
   Remarks: By default, no IPv4 advanced ACL rules exist.
            The flow-logging and logging keywords take effect only when the module (for example, packet filtering) that uses the ACL supports logging.
            If an IPv4 advanced ACL is used for outbound QoS traffic classification or outbound packet filtering, do not specify the qos-local-id local-id-value option.
            The vpn-instance vpn-instance-name option is not supported in the outbound direction.

6. (Optional.) Add or edit a rule comment.
   Command: rule rule-id comment text
   Remarks: By default, no rule comment is configured.

Configuring an IPv6 advanced ACL


IPv6 advanced ACLs match packets based on the following criteria:
• Source IPv6 addresses.
• Destination IPv6 addresses.
• Packet priorities.
• Protocol numbers.
• Other protocol header fields such as the TCP/UDP source port number, TCP/UDP destination
port number, ICMPv6 message type, and ICMPv6 message code.
Compared to IPv6 basic ACLs, IPv6 advanced ACLs allow more flexible and accurate filtering.
To configure an IPv6 advanced ACL:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create an IPv6 advanced ACL and enter its view.
   Command: acl ipv6 advanced { acl-number | name acl-name } [ match-order { auto | config } ]
            acl ipv6 number acl-number [ name acl-name ] [ match-order { auto | config } ]
   Remarks: By default, no ACLs exist.
            The value range for a numbered IPv6 advanced ACL is 3000 to 3999.
            Use the acl ipv6 number acl-number or acl ipv6 advanced acl-number command to create a numbered IPv6 advanced ACL.
            To enter the view of a named IPv6 advanced ACL, use the acl ipv6 name acl-name or acl ipv6 advanced name acl-name command.
            The acl ipv6 name acl-name command supports entering the view of an existing IPv6 basic and advanced ACL.
            To enter the view of a numbered IPv6 advanced ACL, use the acl ipv6 number acl-number or acl ipv6 advanced acl-number command.

3. (Optional.) Configure a description for the IPv6 advanced ACL.
   Command: description text
   Remarks: By default, an IPv6 advanced ACL does not have a description.

4. (Optional.) Set the rule numbering step.
   Command: step step-value
   Remarks: The default setting is 5.

5. Create or edit a rule.
   Command: rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest-address dest-prefix | dest-address/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | flow-label flow-label-value | icmp6-type { icmp6-type icmp6-code | icmp6-message } | [ flow-logging | logging ] | qos-local-id local-id-value | routing | hop-by-hop [ type hop-type ] | source { source-address source-prefix | source-address/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name | vpn-instance vpn-instance-name ] *
   Remarks: By default, no IPv6 advanced ACL rules exist.
            The flow-logging and logging keywords take effect only when the module (for example, packet filtering) that uses the ACL supports logging.
            If an IPv6 advanced ACL is used for outbound QoS traffic classification or outbound packet filtering, do not specify the qos-local-id local-id-value, routing, or hop-by-hop parameter.
            The vpn-instance vpn-instance-name option is not supported in the outbound direction.

6. (Optional.) Add or edit a rule comment.
   Command: rule rule-id comment text
   Remarks: By default, no rule comment is configured.

Configuring a Layer 2 ACL


Layer 2 ACLs, also called Ethernet frame header ACLs, match packets based on Layer 2 Ethernet
header fields, such as:
• Source MAC address.
• Destination MAC address.
• 802.1p priority (VLAN priority).
• Link layer protocol type.

To configure a Layer 2 ACL:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a Layer 2 ACL and enter its view.
   Command: acl mac { acl-number | name acl-name } [ match-order { auto | config } ]
            acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
   Remarks: By default, no ACLs exist.
            The value range for a numbered Layer 2 ACL is 4000 to 4999.
            Use the acl number acl-number or acl mac acl-number command to create a numbered Layer 2 ACL.
            Use the acl number acl-number or acl mac acl-number command to enter the view of a numbered Layer 2 ACL.
            Use the acl mac name acl-name command to enter the view of a named Layer 2 ACL.

3. (Optional.) Configure a description for the Layer 2 ACL.
   Command: description text
   Remarks: By default, a Layer 2 ACL does not have a description.

4. (Optional.) Set the rule numbering step.
   Command: step step-value
   Remarks: The default setting is 5.

5. Create or edit a rule.
   Command: rule [ rule-id ] { deny | permit } [ cos dot1p | counting | dest-mac dest-address dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac source-address source-mask | time-range time-range-name ] *
   Remarks: By default, no Layer 2 ACL rules exist.

6. (Optional.) Add or edit a rule comment.
   Command: rule rule-id comment text
   Remarks: By default, no rule comment is configured.

Configuring a user-defined ACL


User-defined ACLs allow you to customize rules based on information in protocol headers. You can
define a user-defined ACL to match packets. A specific number of bytes after an offset (relative to the
specified header) are compared against a match pattern after being ANDed with a match pattern
mask.
To configure a user-defined ACL:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a user-defined ACL and enter its view.
   Command: acl user-defined { acl-number | name acl-name }
            acl number acl-number [ name acl-name ]
   Remarks: By default, no ACLs exist.
            The value range for a numbered user-defined ACL is 5000 to 5999.
            Use the acl number acl-number or acl user-defined acl-number command to create a numbered user-defined ACL.
            Use the acl number acl-number or acl user-defined acl-number command to enter the view of a numbered user-defined ACL.
            Use the acl user-defined name acl-name command to enter the view of a named user-defined ACL.

3. (Optional.) Configure a description for the user-defined ACL.
   Command: description text
   Remarks: By default, a user-defined ACL does not have a description.

4. Create or edit a rule.
   Command: rule [ rule-id ] { deny | permit } [ { l2 rule-string rule-mask offset }&<1-8> ] [ counting | time-range time-range-name ] *
   Remarks: By default, no user-defined ACL rules exist.

5. (Optional.) Add or edit a rule comment.
   Command: rule rule-id comment text
   Remarks: By default, no rule comment is configured.
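The user-defined ACL semantics above (a fixed number of bytes at an offset from the chosen header, ANDed with a mask and compared with a pattern, with up to eight such terms per rule) are simple enough to model exactly. The following Python is an added example, not code from the guide or the device: it evaluates l2-relative terms against a constructed Ethernet II/IPv4/TCP frame to classify SSH traffic, which is the kind of rule a defender writes to count or log a protocol rather than rely on port-based ACLs alone. The class and function names (MatchTerm, term_matches, rule_matches, build_sample_frame, classify_ssh) and the sample frame are my own; it assumes a 20-byte IPv4 header (IHL 5), which is what the sample frame carries.

```python
"""Evaluation of a user-defined ACL rule: (bytes at offset AND rule-mask) == rule-string.
Added example; names and the sample frame are constructed, not taken from the guide."""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class MatchTerm:
    rule_string: bytes   # pattern the masked packet bytes must equal
    rule_mask: bytes     # same length as rule_string; 1 bits are compared, 0 bits ignored
    offset: int          # byte offset from the header the term is relative to (l2 here)


def term_matches(frame: bytes, term: MatchTerm, header_base: int = 0) -> bool:
    """Compare len(rule_string) bytes starting at header_base + offset, after ANDing with the mask.
    Pattern bits that lie outside the mask can never match, so keep the pattern inside the mask."""
    if len(term.rule_mask) != len(term.rule_string):
        raise ValueError("rule mask and rule string must have the same length")
    start = header_base + term.offset
    field = frame[start:start + len(term.rule_string)]
    if len(field) < len(term.rule_string):
        return False  # frame too short to contain the field: treated as no match
    return all((b & m) == p for b, m, p in zip(field, term.rule_mask, term.rule_string))


def rule_matches(frame: bytes, terms: Sequence[MatchTerm], header_base: int = 0) -> bool:
    """A rule with several terms (the &<1-8> syntax) matches only if every term matches."""
    if not 1 <= len(terms) <= 8:
        raise ValueError("a rule carries between 1 and 8 terms")
    return all(term_matches(frame, t, header_base) for t in terms)


def build_sample_frame(ip_protocol: int = 6, dst_port: int = 22) -> bytes:
    """Constructed Ethernet II + IPv4 (IHL 5) + 20-byte L4 header with zeroed checksums."""
    ether = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ipv4 = (bytes([0x45, 0x00, 0x00, 40, 0, 0, 0, 0, 64, ip_protocol, 0, 0])
            + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2]))
    l4 = (1234).to_bytes(2, "big") + dst_port.to_bytes(2, "big") + bytes(16)
    return ether + ipv4 + l4


# Terms relative to the Layer 2 header: EtherType at byte 12, IPv4 protocol at 14 + 9,
# L4 destination port at 14 + 20 + 2 (valid only for a 20-byte IPv4 header).
SSH_OVER_IPV4 = (
    MatchTerm(b"\x08\x00", b"\xff\xff", 12),   # EtherType IPv4
    MatchTerm(b"\x06", b"\xff", 23),           # IP protocol 6 (TCP)
    MatchTerm(b"\x00\x16", b"\xff\xff", 36),   # TCP destination port 22
)


def classify_ssh(frame: bytes) -> bool:
    return rule_matches(frame, SSH_OVER_IPV4)


if __name__ == "__main__":
    print("TCP/22 :", classify_ssh(build_sample_frame()))
    print("UDP/22 :", classify_ssh(build_sample_frame(ip_protocol=17)))
    print("TCP/80 :", classify_ssh(build_sample_frame(dst_port=80)))
```

The fixed offsets are the main limitation to keep in mind: a frame with IP options (IHL greater than 5) or a VLAN tag shifts every later field, so a rule written against the l2 header silently stops matching such packets.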

Copying an ACL
You can create an ACL by copying an existing ACL (source ACL). The new ACL (destination ACL)
has the same properties and content as the source ACL, but uses a different number or name than
the source ACL.
To successfully copy an ACL, make sure:
• The destination ACL number is from the same type as the source ACL number.
• The source ACL already exists, but the destination ACL does not.
To copy an ACL:

1. Enter system view.
   Command: system-view

2. Copy an existing ACL to create a new ACL.
   Command: acl [ ipv6 | mac | user-defined ] copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }

Configuring packet filtering with ACLs


This section describes procedures for using an ACL to filter packets. For example, you can apply an
ACL to an interface to filter incoming or outgoing packets.

Applying an ACL to an interface for packet filtering


1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

3. Apply an ACL to the interface to filter packets.
   Command: packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } { inbound | outbound } [ hardware-count ]
   Remarks: By default, an interface does not filter packets.

Configuring the applicable scope of packet filtering on a VLAN interface
You can configure the packet filtering on a VLAN interface to filter the following packets:
• Packets forwarded at Layer 3 by the VLAN interface.
• All packets, including packets forwarded at Layer 3 by the VLAN interface and packets
forwarded at Layer 2 by the physical ports associated with the VLAN interface.
To configure the applicable scope of packet filtering on a VLAN interface:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a VLAN interface and enter its view.
   Command: interface vlan-interface vlan-interface-id
   Remarks: If the VLAN interface already exists, you directly enter its view.
            By default, no VLAN interface exists.

3. Specify the applicable scope of packet filtering on the VLAN interface.
   Command: packet-filter filter { route | all }
   Remarks: By default, the packet filtering filters packets forwarded at Layer 3.

Configuring logging and SNMP notifications for packet filtering
You can configure the ACL module to generate log entries or SNMP notifications for packet filtering
and output them to the information center or SNMP module at the output interval. The log entry or
notification records the number of matching packets and the matched ACL rules. If an ACL is
matched for the first time, the device immediately outputs a log entry or notification to record the
matching packet.
For more information about the information center and SNMP, see Network Management and
Monitoring Configuration Guide.
To configure logging and SNMP notifications for packet filtering:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Set the interval for outputting packet filtering logs or notifications.
   Command: acl { logging | trap } interval interval
   Remarks: The default setting is 0 minutes.
            By default, the device does not generate log entries or SNMP notifications for packet filtering.

Setting the packet filtering default action
1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Set the packet filtering default action to deny.
   Command: packet-filter default deny
   Remarks: By default, the packet filter permits packets that do not match any ACL rule to pass.

Displaying and maintaining ACLs


Execute display commands in any view and reset commands in user view.

Task: Display ACL configuration and match statistics.
  Command: display acl [ ipv6 | mac | user-defined ] { acl-number | all | name acl-name }

Task: Display ACL application information for packet filtering (in standalone mode).
  Command: display packet-filter { interface [ interface-type interface-number ] [ inbound | outbound ] | interface vlan-interface vlan-interface-number [ inbound | outbound ] [ slot slot-number ] }

Task: Display ACL application information for packet filtering (in IRF mode).
  Command: display packet-filter { interface [ interface-type interface-number ] [ inbound | outbound ] | interface vlan-interface vlan-interface-number [ inbound | outbound ] [ chassis chassis-number slot slot-number ] }

Task: Display match statistics and default action statistics for packet filtering ACLs.
  Command: display packet-filter statistics interface interface-type interface-number { inbound | outbound } [ [ ipv6 | mac | user-defined ] { acl-number | name acl-name } ] [ brief ]

Task: Display the accumulated statistics for packet filtering ACLs.
  Command: display packet-filter statistics sum { inbound | outbound } [ ipv6 | mac | user-defined ] { acl-number | name acl-name } [ brief ]

Task: Display detailed ACL packet filtering information (in standalone mode).
  Command: display packet-filter verbose interface interface-type interface-number { inbound | outbound } [ [ ipv6 | mac | user-defined ] { acl-number | name acl-name } ] [ slot slot-number ]

Task: Display detailed ACL packet filtering information (in IRF mode).
  Command: display packet-filter verbose interface interface-type interface-number { inbound | outbound } [ [ ipv6 | mac | user-defined ] { acl-number | name acl-name } ] [ chassis chassis-number slot slot-number ]

Task: Display QoS and ACL resource usage (in standalone mode).
  Command: display qos-acl resource [ slot slot-number ]

Task: Display QoS and ACL resource usage (in IRF mode).
  Command: display qos-acl resource [ chassis chassis-number slot slot-number ]

Task: Clear ACL statistics.
  Command: reset acl [ ipv6 | mac | user-defined ] counter { acl-number | all | name acl-name }

Task: Clear match statistics, accumulated match statistics, and default action statistics for packet filtering ACLs.
  Command: reset packet-filter statistics interface [ interface-type interface-number ] { inbound | outbound } [ [ ipv6 | mac | user-defined ] { acl-number | name acl-name } ]

ACL configuration examples
Interface-based packet filtering configuration example
Network requirements
A company interconnects its departments through the device. Configure packet filtering to:
• Permit access from the President's office at any time to the financial database server.
• Permit access from the Finance department to the financial database server only during
working hours (from 8:00 to 18:00) on working days.
• Deny access from any other department to the financial database server.
Figure 1 Network diagram

Configuration procedure
# Create a periodic time range from 8:00 to 18:00 on working days.
<Device> system-view
[Device] time-range work 08:00 to 18:00 working-day

# Create an IPv4 advanced ACL numbered 3000.
[Device] acl advanced 3000

# Configure a rule to permit access from the President's office to the financial database server.
[Device-acl-ipv4-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.100 0

# Configure a rule to permit access from the Finance department to the financial database server
during working hours.
[Device-acl-ipv4-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.100 0 time-range work

# Configure a rule to deny access to the financial database server.
[Device-acl-ipv4-adv-3000] rule deny ip source any destination 192.168.0.100 0
[Device-acl-ipv4-adv-3000] quit

# Apply IPv4 advanced ACL 3000 to filter outgoing packets on interface GigabitEthernet 1/0/1.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] packet-filter 3000 outbound
[Device-GigabitEthernet1/0/1] quit

Verifying the configuration

# Verify that a PC in the Finance department can ping the financial database server during working
hours. (All PCs in this example use Windows XP.)
C:\> ping 192.168.0.100

Pinging 192.168.0.100 with 32 bytes of data:

Reply from 192.168.0.100: bytes=32 time=1ms TTL=255
Reply from 192.168.0.100: bytes=32 time<1ms TTL=255
Reply from 192.168.0.100: bytes=32 time<1ms TTL=255
Reply from 192.168.0.100: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.0.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

# Verify that a PC in the Marketing department cannot ping the financial database server during
working hours.
C:\> ping 192.168.0.100

Pinging 192.168.0.100 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.0.100:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

# Display configuration and match statistics for IPv4 advanced ACL 3000 on the device during
working hours.
[Device] display acl 3000
Advanced IPv4 ACL 3000, 3 rules,
ACL's step is 5
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.100 0
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.100 0 time-range work (Active)
rule 10 deny ip destination 192.168.0.100 0

The output shows that rule 5 is active.
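To make the behaviour of this example checkable off the device, the following Python is an added model (not code from the guide or the device) of ACL 3000 as configured above: the three rules are evaluated in config order (ascending rule ID), rule 5 is skipped while its time range is inactive, and the packet-filter default action decides packets that match no rule, so the effect of packet-filter default deny can be compared with the default permit. It assumes the working-day keyword means Monday to Friday and treats 18:00 as the exclusive end of the range; the destination wildcard written as 0 on the CLI is expanded to 0.0.0.0. The names (TimeRange, AdvRule, filter_packet) and the test timestamps are my own.

```python
"""Config-order evaluation of the example ACL 3000 with a time range and a default action.
Added example; class names, timestamps and assumptions are constructed, not from the guide."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


def wildcard_match(addr: str, criterion: str, wildcard: str) -> bool:
    """0 bits in the wildcard are compared, 1 bits are ignored ("0" on the CLI means 0.0.0.0)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(criterion)) & care)


@dataclass
class TimeRange:
    start: str            # "08:00"
    end: str              # "18:00", treated as exclusive (assumption)
    working_days: bool    # True for the working-day keyword, assumed to mean Monday to Friday

    def active(self, when: datetime) -> bool:
        def minutes(hhmm: str) -> int:
            return int(hhmm[:2]) * 60 + int(hhmm[3:])
        if self.working_days and when.weekday() > 4:   # Saturday or Sunday
            return False
        return minutes(self.start) <= when.hour * 60 + when.minute < minutes(self.end)


@dataclass
class AdvRule:
    rule_id: int
    action: str                       # "permit" or "deny"
    src: str                          # source address or "any"
    src_wc: str                       # source wildcard
    dst: str                          # destination address or "any"
    dst_wc: str                       # destination wildcard
    time_range: Optional[str] = None  # name of a time range, or None for "always"

    def matches(self, src_addr: str, dst_addr: str) -> bool:
        src_ok = self.src == "any" or wildcard_match(src_addr, self.src, self.src_wc)
        dst_ok = self.dst == "any" or wildcard_match(dst_addr, self.dst, self.dst_wc)
        return src_ok and dst_ok


# The time range and the three rules configured in the example above.
TIME_RANGES: Dict[str, TimeRange] = {"work": TimeRange("08:00", "18:00", working_days=True)}
ACL_3000: List[AdvRule] = [
    AdvRule(0, "permit", "192.168.1.0", "0.0.0.255", "192.168.0.100", "0.0.0.0"),
    AdvRule(5, "permit", "192.168.2.0", "0.0.0.255", "192.168.0.100", "0.0.0.0", "work"),
    AdvRule(10, "deny", "any", "255.255.255.255", "192.168.0.100", "0.0.0.0"),
]

# Constructed timestamps: 2024-01-08 is a Monday, 2024-01-13 a Saturday.
MONDAY_1000 = datetime(2024, 1, 8, 10, 0)
MONDAY_2000 = datetime(2024, 1, 8, 20, 0)
SATURDAY_1000 = datetime(2024, 1, 13, 10, 0)


def filter_packet(src_addr: str, dst_addr: str, when: datetime,
                  rules: List[AdvRule] = ACL_3000,
                  default_action: str = "permit") -> Tuple[str, Optional[int]]:
    """Config order: try rules in ascending rule ID, skip rules whose time range is inactive,
    stop at the first match; the default action applies when nothing matches."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.time_range and not TIME_RANGES[rule.time_range].active(when):
            continue
        if rule.matches(src_addr, dst_addr):
            return rule.action, rule.rule_id
    return default_action, None


if __name__ == "__main__":
    db = "192.168.0.100"
    print("Finance, working hours :", filter_packet("192.168.2.5", db, MONDAY_1000))
    print("Finance, after hours   :", filter_packet("192.168.2.5", db, MONDAY_2000))
    print("President, Saturday    :", filter_packet("192.168.1.5", db, SATURDAY_1000))
    print("Marketing              :", filter_packet("192.168.3.5", db, MONDAY_1000))
    print("Other destination      :", filter_packet("192.168.3.5", "192.168.0.50", MONDAY_1000))
    print("... with default deny  :", filter_packet("192.168.3.5", "192.168.0.50", MONDAY_1000,
                                                     default_action="deny"))
```

The last two lines show why the default action matters: the ACL only speaks about 192.168.0.100, so traffic to any other host on the server segment is permitted by the implicit default unless packet-filter default deny is configured on the device.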
