09-ACL and QoS Configuration Guide

01-ACL Configuration


NOTE:

·       Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document.

·       In this documentation, SPC cards refer to the cards prefixed with SPC, for example, SPC-GT48L. SPE cards refer to the cards prefixed with SPE, for example, SPE-1020-E-II.

 

ACL overview

An access control list (ACL) is a set of rules (permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number.

ACLs are primarily used for packet filtering. A packet filter drops packets that match a deny rule and permits packets that match a permit rule. ACLs are also used by many modules, for example, QoS and IP routing, for traffic identification.

ACL categories

 

Category (ACL number), IP version, and match criteria:

Basic ACLs (2000 to 2999)

·       IPv4: source IPv4 address.

·       IPv6: source IPv6 address.

Advanced ACLs (3000 to 3999)

·       IPv4: source IPv4 address, destination IPv4 address, protocols over IPv4, and other Layer 3 and Layer 4 header fields.

·       IPv6: source IPv6 address, destination IPv6 address, protocols over IPv6, and other Layer 3 and Layer 4 header fields.

Ethernet frame header ACLs (4000 to 4999)

·       IPv4 and IPv6: Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type.

User-defined ACLs (5000 to 5999)

·       IPv4 and IPv6: user-specified matching patterns in protocol (for example, IP and MPLS) headers.

 

ACL numbering and naming

Each ACL category has a unique range of ACL numbers. When creating an ACL, you must assign it a number for identification. In addition, you can assign the ACL a name for ease of identification. After creating an ACL with a name, you cannot rename it or delete its name.

For an Ethernet frame header, or user-defined ACL, the ACL number and name must be globally unique. For an IPv4 basic or advanced ACL, its ACL number and name must be unique among all IPv4 ACLs, and for an IPv6 basic or advanced ACL, among all IPv6 ACLs. You can assign an IPv4 ACL the same number and name as an IPv6 ACL.

Match order

The rules in an ACL are sorted in a certain order. When a packet matches a rule, the device stops the match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting rules, the matching result and the action taken depend on the rule order.

The following ACL match orders are available:

·           config—Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a rule with a higher ID. If you use this approach, check the rule content and order carefully.

·           auto—Sorts ACL rules in depth-first order. Depth-first ordering guarantees that any subset of a rule is always matched before the rule. Table 1 lists the sequence of tie breakers that depth-first ordering uses to sort rules for each type of ACL.

 

 

NOTE:

The match order of user-defined ACLs can only be config.

 

Table 1 Sort ACL rules in depth-first order

ACL category

Sequence of tie breakers

IPv4 basic ACL

1.     VPN instance

2.     More 0s in the source IP address wildcard (more 0s means a narrower IP address range)

3.     Smaller rule ID

IPv4 advanced ACL

1.     VPN instance

2.     Specific protocol type rather than IP (IP represents any protocol over IP)

3.     More 0s in the source IP address wildcard mask

4.     More 0s in the destination IP address wildcard

5.     Narrower TCP/UDP service port number range

6.     Smaller ID

IPv6 basic ACL

1.     VPN instance

2.     Longer prefix for the source IPv6 address (a longer prefix means a narrower IPv6 address range)

3.     Smaller rule ID

IPv6 advanced ACL

1.     VPN instance

2.     Specific protocol type rather than IP (IP represents any protocol over IPv6)

3.     Longer prefix for the source IPv6 address

4.     Longer prefix for the destination IPv6 address

5.     Narrower TCP/UDP service port number range

6.     Smaller ID

Ethernet frame header ACL

1.     More 1s in the source MAC address mask (more 1s means a narrower MAC address range)

2.     More 1s in the destination MAC address mask

3.     Smaller ID

 

 

NOTE:

A wildcard mask, also called an inverse mask, is a 32-bit binary number represented in dotted decimal notation. In contrast to a network mask, the 0 bits in a wildcard mask represent 'do care' bits, and the 1 bits represent 'don't care' bits. If the 'do care' bits in an IP address are identical to the 'do care' bits in an IP address criterion, the IP address matches the criterion. All 'don't care' bits are ignored. The 0s and 1s in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a valid wildcard mask.

 

ACL rule numbering

What is the ACL rule numbering step

If you do not assign an ID to the rule you are creating, the system automatically assigns it a rule ID. The rule numbering step sets the increment by which the system automatically numbers rules. For example, the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between two rules.

By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility of inserting rules in an ACL. This feature is important for a config order ACL, where ACL rules are matched in ascending order of rule ID.

Automatic rule numbering and renumbering

The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step to the current highest rule ID, starting with 0.

For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10, and 12, the newly defined rule will be numbered 15. If the ACL does not contain any rule, the first rule will be numbered 0.

Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2, 4, 6 and 8.
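
The match-order, wildcard-mask and rule-numbering behaviour described above, simulated for an IPv4 basic ACL. This is an added example written for this page, not H3C code: it models only what the text states (config order by rule ID; auto order by more wildcard 0 bits, then smaller ID; automatic numbering at the next multiple of the step; renumbering from 0 when the step changes) and ignores the VPN-instance tie breaker. The class and function names are the example's own, and the shadowed-rule check at the end is an addition the page does not describe: it reports rules that can never fire because an earlier rule in match order already covers every source address they would match.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # 'source any': every bit is don't-care


def _ints(pair: Tuple[str, str]) -> Tuple[int, int]:
    return int(IPv4Address(pair[0])), int(IPv4Address(pair[1]))


def wildcard_match(addr: str, criterion: str, wildcard: str) -> bool:
    """Wildcard (inverse) mask: a 0 bit must match, a 1 bit is ignored.
    The bits need not be contiguous, e.g. 0.255.0.255."""
    a = int(IPv4Address(addr))
    c, w = _ints((criterion, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (c & care)


def care_bits(wildcard: str) -> int:
    """Number of 0 bits in the wildcard; more 0s == narrower range (depth-first key)."""
    return 32 - bin(int(IPv4Address(wildcard))).count("1")


@dataclass
class Rule:
    rule_id: int
    action: str                 # "permit" or "deny"
    source: Tuple[str, str]     # (address, wildcard)


class BasicAcl:
    """IPv4 basic ACL (2000-2999): matches on source address only."""

    def __init__(self, number: int, match_order: str = "config", step: int = 5):
        if not 2000 <= number <= 2999 or match_order not in ("config", "auto"):
            raise ValueError("bad ACL number or match order")
        self.number, self.match_order, self.step = number, match_order, step
        self.rules: Dict[int, Rule] = {}

    def next_rule_id(self) -> int:
        """Nearest multiple of the step above the current highest ID; 0 when empty."""
        return 0 if not self.rules else (max(self.rules) // self.step + 1) * self.step

    def rule(self, action: str, source: Optional[Tuple[str, str]] = None,
             rule_id: Optional[int] = None) -> int:
        """Create a rule, or edit it if rule_id already exists; returns the ID used."""
        if rule_id is None:
            rule_id = self.next_rule_id()
        self.rules[rule_id] = Rule(rule_id, action, source or ANY)
        return rule_id

    def set_step(self, step: int) -> List[int]:
        """Changing the step renumbers every rule from 0, keeping the existing order."""
        self.step = step
        ordered = sorted(self.rules.values(), key=lambda r: r.rule_id)
        self.rules = {i * step: Rule(i * step, r.action, r.source) for i, r in enumerate(ordered)}
        return sorted(self.rules)

    def ordered(self) -> List[Rule]:
        """config: ascending rule ID.  auto: narrower source first, then smaller ID."""
        rules = sorted(self.rules.values(), key=lambda r: r.rule_id)
        if self.match_order == "auto":
            rules.sort(key=lambda r: (-care_bits(r.source[1]), r.rule_id))
        return rules

    def lookup(self, src: str) -> Optional[Tuple[int, str]]:
        """First matching rule wins. None: no rule matched; the using module decides."""
        for r in self.ordered():
            if wildcard_match(src, *r.source):
                return r.rule_id, r.action
        return None


def shadowed_rules(acl: BasicAcl) -> List[int]:
    """IDs of rules that can never fire because an earlier rule in match order
    already covers every source address they would match."""
    dead: List[int] = []
    earlier: List[Rule] = []
    for r in acl.ordered():
        c_r, w_r = _ints(r.source)
        for e in earlier:
            c_e, w_e = _ints(e.source)
            care_e = ~w_e & 0xFFFFFFFF
            # e covers r if r ignores no bit that e checks, and both agree on e's bits
            if (w_r & care_e) == 0 and (c_r & care_e) == (c_e & care_e):
                dead.append(r.rule_id)
                break
        earlier.append(r)
    return dead


def host_deny_behind_subnet_permit(match_order: str) -> BasicAcl:
    """Rule 0 permits 10.1.0.0/16, rule 5 denies host 10.1.1.1 inside that range."""
    acl = BasicAcl(2000, match_order)
    acl.rule("permit", ("10.1.0.0", "0.0.255.255"))   # auto-numbered 0
    acl.rule("deny", ("10.1.1.1", "0.0.0.0"))         # auto-numbered 5
    return acl
```

In config order the host deny is dead: 10.1.1.1 hits the broader permit with the lower ID first, which is the situation the "check the rule content and order carefully" warning refers to. In auto order the narrower rule is matched first and the deny applies. The shadowed-rule check is the kind of audit to run before committing a config-order ACL that mixes broad permits with narrow denies.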

Implementing time-based ACL rules

You can implement ACL rules based on the time of day by applying a time range to them. A time-based ACL rule takes effect only during the periods specified by the time range; outside those periods the rule is not matched.

The following basic types of time range are available:

·           Periodic time range—Recurs periodically on a day or days of the week.

·           Absolute time range—Represents only a period of time and does not recur.

You can reference a time range in ACL rules before or after you create the time range. However, the rules that use it take effect only after the time range is defined.

IPv4 fragments filtering with ACLs

Traditional packet filtering matches only the first fragments of IPv4 packets and allows all subsequent non-first fragments to pass through, because only the first fragment carries the Layer 4 header that port-based rules need. Attackers can fabricate non-first fragments to attack networks.

To avoid these risks, the H3C ACL implementation:

·           Filters all fragments by default, including non-first fragments.

·           Provides ACL-based firewalls with standard and exact match modes for matching ACLs that contain advanced attributes such as TCP/UDP port number and ICMP type. Standard match is the default mode. It considers only Layer 3 attributes. Exact match considers all header attributes defined in IPv4 ACL rules. For more information, see Security Configuration Guide.

Flow templates

Flow templates are sets of criteria based on header fields such as source IP address, destination IP address, source TCP port, and destination TCP port. Flow templates apply only to hardware-based ACLs. You use a flow template to limit the match criteria that can be applied to an interface. ACL rules that contain any criterion beyond the flow template on an interface cannot be assigned to hardware.

There are default flow templates and user-defined templates, where a user-defined template can be basic or extended. By default, an interface uses the default flow template.

ACL application

You can use ACLs in QoS, packet-filter firewall, routing, and other technologies for identifying traffic. For examples of ACL application, see “ACL configuration examples.”

1.      The inbound packet-filter firewall, policy-based routing (PBR), and QoS policy on an interface process an incoming packet as shown in Figure 1.

Figure 1 Incoming packet processing procedure

 

2.      The outbound packet-filter firewall and QoS policy on an interface process an outgoing packet as shown in Figure 2.

Figure 2 Outgoing packet processing procedure

 

For information about packet-filter firewall configuration, see Security Configuration Guide. For information about policy-based routing, see Layer 3 - IP Routing Configuration Guide. For information about QoS policy configuration, see the chapter "Configuring a QoS policy."

ACL configuration task list

Complete the following tasks to configure an ACL:

 

Task                                          Remarks

Configuring a time range                      Optional. Applicable to IPv4 and IPv6 ACLs.

Configuring a basic ACL                       Required. Configure at least one of these four tasks. Applicable to IPv4 and IPv6 ACLs.
Configuring an advanced ACL
Configuring an Ethernet frame header ACL
Configuring a user-defined ACL

Copying an ACL                                Optional. Applicable to IPv4 and IPv6 ACLs.

Configuring a flow template                   Optional. Applicable to IPv4 and IPv6 ACLs.

 

Configuring an ACL

Configuring a time range

To configure a time range:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Configure a time range.

time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }

By default, no time range exists.

Repeat this command with the same time range name to create multiple statements for a time range.

 

You can create multiple statements in a time range. The active period of a time range is calculated as follows:

1.      Combining all periodic statements

2.      Combining all absolute statements

3.      Taking the intersection of the two statement sets as the active period of the time range

You can create a maximum of 256 time ranges, each with a maximum of 32 periodic statements and 12 absolute statements.
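
How the active period of a multi-statement time range is computed, as an added example (not vendor code) that models the three-step rule above: the union of the periodic statements, the union of the absolute statements, and then their intersection. Assumptions the page does not state: a time range with no statements of one kind is unrestricted by that kind, the end time of a periodic statement is exclusive, weekday numbering follows Python (Monday is 0), and absolute stamps take the form 'HH:MM YYYY/MM/DD' (time1 date1 in the command syntax). The page's own time-range trname 8:00 to 18:00 working-day is used as one sample; the second time range and all timestamps are constructed.

```python
from datetime import datetime, time
from typing import List, Optional, Set, Tuple

# Day keywords of the time-range command (weekday numbering assumed: Monday == 0).
DAY_KEYWORDS = {
    "daily": set(range(7)),
    "working-day": {0, 1, 2, 3, 4},
    "off-day": {5, 6},
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}


def _parse_hhmm(text: str) -> Optional[time]:
    """'8:00' or '08:00'; '24:00' (end of day) is returned as None."""
    if text == "24:00":
        return None
    hour, minute = (int(x) for x in text.split(":"))
    return time(hour, minute)


def _parse_stamp(stamp: Optional[str]) -> Optional[datetime]:
    """'HH:MM YYYY/MM/DD' (time1 date1 in the command); None means unbounded."""
    return datetime.strptime(stamp, "%H:%M %Y/%m/%d") if stamp else None


class TimeRange:
    """One named time range made of up to 32 periodic and 12 absolute statements."""
    MAX_PERIODIC, MAX_ABSOLUTE = 32, 12

    def __init__(self, name: str):
        self.name = name
        self.periodic: List[Tuple[time, Optional[time], Set[int]]] = []
        self.absolute: List[Tuple[Optional[datetime], Optional[datetime]]] = []

    def add_periodic(self, start: str, end: str, *days: str) -> None:
        """'start-time to end-time days' statement; repeat to add more."""
        if len(self.periodic) >= self.MAX_PERIODIC:
            raise ValueError("at most 32 periodic statements per time range")
        start_t = _parse_hhmm(start)
        if start_t is None:
            raise ValueError("start time cannot be 24:00")
        weekdays: Set[int] = set()
        for day in days:
            weekdays |= DAY_KEYWORDS[day]
        self.periodic.append((start_t, _parse_hhmm(end), weekdays))

    def add_absolute(self, start: Optional[str] = None, end: Optional[str] = None) -> None:
        """'from time1 date1 [to time2 date2]' or 'to time2 date2' statement."""
        if len(self.absolute) >= self.MAX_ABSOLUTE:
            raise ValueError("at most 12 absolute statements per time range")
        self.absolute.append((_parse_stamp(start), _parse_stamp(end)))

    def is_active(self, now: datetime) -> bool:
        """Active when some periodic statement AND some absolute statement cover now.
        Assumption: an empty statement set imposes no restriction."""
        clock = now.time()
        periodic_ok = not self.periodic or any(
            now.weekday() in days and start <= clock and (end is None or clock < end)
            for start, end, days in self.periodic)
        absolute_ok = not self.absolute or any(
            (s is None or s <= now) and (e is None or now <= e)
            for s, e in self.absolute)
        return periodic_ok and absolute_ok


def rule_in_effect(rule_time_range: Optional[TimeRange], now: datetime) -> bool:
    """An ACL rule carrying a time range is consulted only while the range is active;
    outside it the rule is skipped and the packet falls through to later rules."""
    return rule_time_range is None or rule_time_range.is_active(now)


def office_hours() -> TimeRange:
    """The page's own 'time-range trname 8:00 to 18:00 working-day'."""
    tr = TimeRange("trname")
    tr.add_periodic("8:00", "18:00", "working-day")
    return tr


def patch_window() -> TimeRange:
    """Constructed: late nights on weekends, but only during one specific weekend,
    showing how periodic and absolute statements intersect."""
    tr = TimeRange("patchwin")
    tr.add_periodic("22:00", "24:00", "saturday", "sunday")
    tr.add_absolute("00:00 2024/01/13", "23:59 2024/01/14")
    return tr
```

The practical consequence is visible in the salary-server example later on this page: the rule that blocks other departments carries time-range trname, so outside office hours that rule is simply absent and the traffic falls through to whatever follows. A time-based deny is therefore never a substitute for a default deny.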

Configuring a basic ACL

Configuring an IPv4 basic ACL

IPv4 basic ACLs match packets based only on source IP addresses.

To configure an IPv4 basic ACL:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an IPv4 basic ACL and enter its view.

acl number acl-number [ name acl-name ] [ match-order { auto | config } ]

By default, no ACL exists.

IPv4 basic ACLs are numbered in the range 2000 to 2999.

You can use the acl name acl-name command to enter the view of a named IPv4 ACL.

3.     Configure a description for the IPv4 basic ACL.

description text

Optional.

By default, an IPv4 basic ACL has no ACL description.

4.     Set the rule numbering step.

step step-value

Optional.

The default setting is 5.

5.     Create or edit a rule.

rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *

By default, an IPv4 basic ACL does not contain any rule.

To create or edit multiple rules, repeat this step.

The logging keyword takes effect only when the module (for example, a packet-filter firewall) that uses the ACL supports logging.

6.     Configure or edit a rule description.

rule rule-id comment text

Optional.

By default, an IPv4 ACL rule has no rule description.

7.     Enable rule match counting for the IPv4 basic ACL.

hardware-count enable

Optional.

By default, rule match counting is disabled.

 

Configuring an IPv6 basic ACL

To configure an IPv6 basic ACL:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an IPv6 basic ACL and enter its view.

acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]

By default, no ACL exists.

IPv6 basic ACLs are numbered in the range 2000 to 2999.

You can use the acl ipv6 name acl6-name command to enter the view of a named IPv6 ACL.

3.     Configure a description for the IPv6 basic ACL.

description text

Optional.

By default, an IPv6 basic ACL has no ACL description.

4.     Set the rule numbering step.

step step-value

Optional.

The default setting is 5.

5.     Create or edit a rule.

rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { ipv6-address prefix-length | ipv6-address/prefix-length | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *

By default, an IPv6 basic ACL does not contain any rule.

To create or edit multiple rules, repeat this step.

The logging keyword takes effect only when the module (for example, a packet-filter firewall) using the ACL supports logging.

6.     Configure or edit a rule description.

rule rule-id comment text

Optional.

By default, an IPv6 basic ACL rule has no rule description.

7.     Enable rule match counting for the IPv6 basic ACL.

hardware-count enable

Optional.

By default, rule match counting is disabled.

 

 

NOTE:

When configuring IPv6 basic ACLs for a QoS policy that is to be applied to an SPC card, you must set the ACL rule length limit to 80 bytes. For more information about the ACL rule length limit, see ACL and QoS Command Reference.

 

Configuring an advanced ACL

Configuring an IPv4 advanced ACL

IPv4 advanced ACLs match packets based on source and destination IP addresses, protocols over IP, and other protocol header information, such as TCP/UDP source and destination port numbers, TCP flags, ICMP message types, and ICMP message codes.

IPv4 advanced ACLs also allow you to filter packets based on these priority criteria: type of service (ToS), IP precedence, and differentiated services codepoint (DSCP) priority.

Compared to IPv4 basic ACLs, IPv4 advanced ACLs allow more flexible and accurate filtering.

To configure an IPv4 advanced ACL:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an IPv4 advanced ACL and enter its view.

acl number acl-number [ name acl-name ] [ match-order { auto | config } ]

By default, no ACL exists.

IPv4 advanced ACLs are numbered in the range 3000 to 3999.

You can use the acl name acl-name command to enter the view of a named IPv4 ACL.

3.     Configure a description for the IPv4 advanced ACL.

description text

Optional.

By default, an IPv4 advanced ACL has no ACL description.

4.     Set the rule numbering step.

step step-value

Optional.

The default setting is 5.

5.     Create or edit a rule.

rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos | vpn-instance vpn-instance-name ] *

By default, an IPv4 advanced ACL does not contain any rule.

To create or edit multiple rules, repeat this step.

The logging keyword takes effect only when the module (for example, a packet-filter firewall) using the ACL supports logging.

6.     Configure or edit a rule description.

rule rule-id comment text

Optional.

By default, an IPv4 advanced ACL rule has no rule description.

7.     Enable rule match counting for the IPv4 advanced ACL.

hardware-count enable

Optional.

By default, rule match counting is disabled.

 

Configuring an IPv6 advanced ACL

IPv6 advanced ACLs match packets based on the source IPv6 address, destination IPv6 address, protocol carried over IPv6, and other protocol header fields such as the TCP/UDP source port number, TCP/UDP destination port number, ICMP message type, and ICMP message code.

Compared to IPv6 basic ACLs, IPv6 advanced ACLs allow more flexible and accurate filtering.

To configure an IPv6 advanced ACL:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an IPv6 advanced ACL and enter its view.

acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]

By default, no ACL exists.

IPv6 advanced ACLs are numbered in the range 3000 to 3999.

You can use the acl ipv6 name acl6-name command to enter the view of a named IPv6 ACL.

3.     Configure a description for the IPv6 advanced ACL.

description text

Optional.

By default, an IPv6 advanced ACL has no ACL description.

4.     Set the rule numbering step.

step step-value

Optional.

The default setting is 5.

5.     Create or edit a rule.

rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest dest-prefix | dest/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | flow-label flow-label-value | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | logging | source { source source-prefix | source/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name | vpn-instance vpn-instance-name ] *

By default, an IPv6 advanced ACL does not contain any rule.

To create or edit multiple rules, repeat this step.

The logging keyword takes effect only when the module (for example, a packet-filter firewall) using the ACL supports logging.

6.     Configure or edit a rule description.

rule rule-id comment text

Optional.

By default, an IPv6 advanced ACL rule has no rule description.

7.     Enable rule match counting for the IPv6 advanced ACL.

hardware-count enable

Optional.

By default, rule match counting is disabled.

 

 

NOTE:

When configuring IPv6 advanced ACLs for a QoS policy that is to be applied to an SPC card, you must set the ACL rule length limit to 80 bytes. For more information about the ACL rule length limit, see ACL and QoS Command Reference.

 

Configuring an Ethernet frame header ACL

Ethernet frame header ACLs, also called "Layer 2 ACLs," match packets based on Layer 2 protocol header fields such as source MAC address, destination MAC address, 802.1p priority (VLAN priority), and link layer protocol type.

To configure an Ethernet frame header ACL:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an Ethernet frame header ACL and enter its view.

acl number acl-number [ name acl-name ] [ match-order { auto | config } ]

By default, no ACL exists.

Ethernet frame header ACLs are numbered in the range 4000 to 4999.

You can use the acl name acl-name command to enter the view of a named Ethernet frame header ACL.

3.     Configure a description for the Ethernet frame header ACL.

description text

Optional.

By default, an Ethernet frame header ACL has no ACL description.

4.     Set the rule numbering step.

step step-value

Optional.

The default setting is 5.

5.     Create or edit a rule.

rule [ rule-id ] { deny | permit } [ cos vlan-pri | counting | dest-mac dest-addr dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac sour-addr source-mask | time-range time-range-name ] *

By default, an Ethernet frame header ACL does not contain any rule.

To create or edit multiple rules, repeat this step.

6.     Configure or edit a rule description.

rule rule-id comment text

Optional.

By default, an Ethernet frame header ACL rule has no rule description.

7.     Enable rule match counting for the Ethernet frame header ACL.

hardware-count enable

Optional.

By default, rule match counting is disabled.

Configuring a user-defined ACL

 

 

NOTE:

This feature is available only on SPC cards.

 

User-defined ACLs allow you to customize rules based on information in protocol headers such as the IP header. You can define a user-defined ACL to deny or permit packets in which a specific number of bytes after the specified offset (relative to the specified header), matches the specified match pattern after being ANDed with a match pattern mask.

To configure a user-defined ACL:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Set the ACL rule length limit mode.

acl mode { 3 | 4 }

The default setting is 2. User-defined ACLs require mode 3 or 4. The new mode takes effect only after the router restarts; see "Configuring an ACL rule length limit mode."

3.     Create a user-defined ACL and enter its view.

acl number acl-number [ name acl-name ]

By default, no ACL exists, and the match order of a user-defined ACL is config.

User-defined ACLs are numbered in the range 5000 to 5999.

You can use the acl name acl-name command to enter the view of a user-defined ACL.

4.     Configure a description for the user-defined ACL.

description text

Optional.

By default, a user-defined ACL has no ACL description.

5.     Create or edit a rule.

rule [ rule-id ] { deny | permit } [ { { ipv4 | ipv6 | l2 | l4 } rule-string rule-mask offset }&<1-8> ] [ counting | time-range time-range-name ] *

By default, a user-defined ACL does not contain any rule.

To create or edit multiple rules, repeat this step.

6.     Configure or edit a rule description.

rule rule-id comment text

Optional.

By default, a user-defined ACL rule has no rule description.

7.     Enable rule match counting for the user-defined ACL.

hardware-count enable

Optional.

By default, rule match counting is disabled.
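
A model of the user-defined rule matching described above, as an added example rather than device code: for each clause, the bytes at the given offset from the named header are ANDed with rule-mask and compared with rule-string ANDed with the same mask, and a rule with several clauses matches only if every clause does. The header bases are assumed here to be the start of the frame (l2), of the IPv4 header (ipv4) and of the transport header (l4); the offset limits and bases actually supported on an SPC card are those of the command reference, not this model. The frame and the two rules are constructed sample input.

```python
import struct
from typing import Dict, List, Tuple

# One match clause of a user-defined rule: (header base, rule-string, rule-mask, offset)
Clause = Tuple[str, bytes, bytes, int]


def header_offsets(frame: bytes) -> Dict[str, int]:
    """Byte position of each header base in an untagged Ethernet/IPv4 frame.
    Bases assumed for this model: l2 = frame start, ipv4 = IP header, l4 = transport header."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("this model handles untagged IPv4 frames only")
    ihl_bytes = (frame[14] & 0x0F) * 4
    return {"l2": 0, "ipv4": 14, "l4": 14 + ihl_bytes}


def clause_matches(frame: bytes, clause: Clause) -> bool:
    """(bytes at base + offset) AND mask == rule-string AND mask."""
    base, pattern, mask, offset = clause
    if len(pattern) != len(mask):
        raise ValueError("rule-string and rule-mask must have the same length")
    start = header_offsets(frame)[base] + offset
    window = frame[start:start + len(pattern)]
    if len(window) < len(pattern):
        return False                      # pattern would run past the end of the packet

    def masked(data: bytes) -> bytes:
        return bytes(b & m for b, m in zip(data, mask))

    return masked(window) == masked(pattern)


def rule_matches(frame: bytes, clauses: List[Clause]) -> bool:
    """A rule may carry 1 to 8 clauses (the &<1-8> in the syntax); all must match."""
    if not 1 <= len(clauses) <= 8:
        raise ValueError("a user-defined rule takes 1 to 8 clauses")
    return all(clause_matches(frame, c) for c in clauses)


def build_frame(tcp_flags: int, dscp: int = 0) -> bytes:
    """Constructed sample input: Ethernet II + IPv4 + TCP header, no payload, zero checksums."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 1, 1, 1]), bytes([10, 2, 2, 2]))
    return eth + ip + tcp


# Constructed rule: TCP connection attempts (SYN set, no other flag) marked DSCP 46 (EF).
# TCP flags are byte 13 of the transport header; the DS field is byte 1 of the IPv4 header.
SYN_ONLY_EF: List[Clause] = [
    ("l4", b"\x02", b"\x3f", 13),    # mask 0x3f covers URG/ACK/PSH/RST/SYN/FIN
    ("ipv4", b"\xb8", b"\xfc", 1),   # DSCP 46 << 2 == 0xb8; the mask ignores the ECN bits
]

# Constructed rule: frames whose EtherType (bytes 12-13 of the Layer 2 header) is IPv4.
ETHERTYPE_IPV4: List[Clause] = [("l2", b"\x08\x00", b"\xff\xff", 12)]
```

The mask is what makes these rules usable: with mask 0x3f on the flags byte, a SYN+ACK (0x12) does not match a rule written for a bare SYN (0x02), and masking the DS field with 0xfc keeps the ECN bits from defeating a DSCP match.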

 

Copying an ACL

You can create an ACL by copying an existing ACL. The new ACL has the same properties and content as the source ACL, but not the same ACL number and name.

To successfully copy an ACL, make sure that:

·           The destination ACL number is from the same category as the source ACL number.

·           The source ACL already exists but the destination ACL does not.

Copying an IPv4 ACL

To copy an IPv4 ACL:

 

Step

Command

1.     Enter system view.

system-view

2.     Copy an existing IPv4 ACL to create a new IPv4 ACL.

acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }

 

Copying an IPv6 ACL

To copy an IPv6 ACL:

 

Step

Command

1.     Enter system view.

system-view

2.     Copy an existing IPv6 ACL to generate a new one of the same category.

acl ipv6 copy { source-acl6-number | name source-acl6-name } to { dest-acl6-number | name dest-acl6-name }

 

Configuring a flow template

 

 

NOTE:

This feature is available only on SPE cards.

 

To create a flow template and apply it to an interface:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a flow template.

flow-template flow-template-name basic { customer-vlan-id | dip | dmac | dport | dscp | ethernet-protocol | fragments | icmp-code | icmp-type | ip-precedence | ip-protocol | mpls-exp | service-cos | sip | smac | sport | tcp-flag | tos } *

N/A

3.     Enter interface view or port group view.

·       Enter interface view:
interface
interface-type interface-number

·       Enter port group view:
port-group manual
port-group-name

N/A

4.     Apply the flow template to the interface or port group.

flow-template flow-template-name

Optional.

By default, the default flow template applies.

 

 

NOTE:

·       The user-defined flow template you are applying to an interface must already exist.

·       You can apply only one user-defined flow template on an interface.

·       The default flow template defines five fields: the source IP address, destination IP address, source port number, destination port number, and protocol type.

·       When the length limit for the match criteria in an ACL rule is 18 bytes for an SPE card, available parameters of the default flow template are sip, dip, ip-protocol, sport, and dport.

·       When the length limit for the match criteria in an ACL rule is 36 bytes for an SPE card, available parameters of the default flow template are sip, dip, ip-protocol, sport, dport, icmp-code, icmp-type, tos, dscp, ip-precedence, mpls-exp, tcp-flag, and fragments.

 

Configuring an ACL rule length limit mode

The ACL rule length limit mode defines the length of the fields available for an ACL flow template. When a large number of ACL rules are required on the router, you may need to change this mode.

To configure an ACL rule length limit mode:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Set the ACL rule length limit mode.

acl mode { 1 | 2 | 3 | 4 }

The default setting is 2.

 

 

NOTE:

·       The limit mode setting is saved automatically, but it takes effect only after you restart your router.

·       The limit mode setting does not take effect on an SPE card with an ATM subcard.

·       The limit mode setting does not take effect for IPv6 ACLs on an SPE card.

·       When configuring IPv6 ACLs for a QoS policy that is to be applied to an SPC card, you must set the ACL rule length limit to 80 bytes. For more information about the ACL rule length limit, see ACL and QoS Command Reference.

 

Displaying and maintaining ACLs

 

Task

Command

Remarks

Display configuration and match statistics for one or all IPv4 ACLs.

display acl { acl-number | all | name acl-name } [ | { begin | exclude | include } regular-expression ]

Available in any view

Display configuration and match statistics for one or all IPv6 ACLs.

display acl ipv6 { acl6-number | all | name acl6-name } [ | { begin | exclude | include } regular-expression ]

Available in any view

Display the ACL rule length limit mode.

display acl mode [ | { begin | exclude | include } regular-expression ]

Available in any view

Display the usage of ACL rules.

display acl resource [ | { begin | exclude | include } regular-expression ]

Available in any view

Display information about flow templates applied to interfaces.

display flow-template interface [ interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]

Available in any view

Display the configuration of one or all user-defined flow templates.

display flow-template user-defined [ flow-template-name ] [ | { begin | exclude | include } regular-expression ]

Available in any view

Display the configuration and status of one or all time ranges.

display time-range { time-range-name | all } [ | { begin | exclude | include } regular-expression ]

Available in any view

Clear statistics for one or all IPv4 ACLs.

reset acl counter { acl-number | all | name acl-name }

Available in user view

Clear statistics for one or all IPv6 basic and advanced ACLs.

reset acl ipv6 counter { acl6-number | all | name acl6-name }

Available in user view

 

ACL configuration examples

IPv4 ACL configuration example

Network requirements

A company interconnects its departments through Device A. Configure an ACL to:

·           Permit access from the President's office at any time to the salary server.

·           Deny access from any other department to the salary server from 8:00 to 18:00.

Figure 3 Network diagram

 

Configuration procedure

1.      Create a time range for office hours:

# Create a periodic time range spanning 8:00 to 18:00 in working days.

<Device> system-view

[Device] time-range trname 8:00 to 18:00 working-day

2.      Configure an ACL to control accesses to the salary server:

# Create and enter the view of advanced IPv4 ACL 3000.

[Device] acl number 3000

# Create a rule to control access of the President’s Office to the salary server.

[Device-acl-adv-3000] rule 1 permit ip source 129.111.1.2 0.0.0.0 destination 129.110.1.2 0.0.0.0

[Device-acl-adv-3000] quit

# Create and enter the view of advanced IPv4 ACL 3100.

[Device] acl number 3100

# Create a rule to control access of other departments to the salary server.

[Device-acl-adv-3100] rule 2 permit ip source any destination 129.110.1.2 0.0.0.0 time-range trname

[Device-acl-adv-3100] quit

3.      Apply the ACL:

# Configure traffic classification.

[Device] traffic classifier c1

[Device-classifier-c1] if-match acl 3000

[Device-classifier-c1] quit

[Device] traffic classifier c2

[Device-classifier-c2] if-match acl 3100

[Device-classifier-c2] quit

4.      Configure traffic behavior:

# Configure traffic behavior.

[Device] traffic behavior b1

[Device-behavior-b1] filter permit

[Device-behavior-b1] quit

[Device] traffic behavior b2

[Device-behavior-b2] filter deny

[Device-behavior-b2] quit

5.      Associate classification rules and actions:

#  Configure a QoS policy.

[Device] qos policy p1

[Device-qospolicy-p1] classifier c1 behavior b1

[Device-qospolicy-p1] classifier c2 behavior b2

[Device-qospolicy-p1] quit

6.      Apply the QoS policy:

# Apply the QoS policy to the outbound direction of interface GigabitEthernet 2/1/1.

[Device] interface GigabitEthernet 2/1/1

[Device-GigabitEthernet2/1/1] qos apply policy p1 outbound

IPv6 ACL configuration example

Network requirements

Perform packet filtering in the inbound direction of interface GigabitEthernet 2/1/1 to deny all IPv6 packets but those with source addresses in the range 4050::9000 to 4050::90FF.

Configuration procedure

1.      Create ACLs:

# Create an IPv6 ACL 2000.

<Sysname> system-view

[Sysname] acl ipv6 number 2000

[Sysname-acl6-basic-2000] rule permit source 4050::9000/120

# Create an IPv6 ACL 2100.

[Sysname] acl ipv6 number 2100

[Sysname-acl6-basic-2100] rule permit source any

[Sysname-acl6-basic-2100] quit

2.      Apply the ACL:

# Configure traffic classification.

[Sysname] traffic classifier c1

[Sysname-classifier-c1] if-match acl ipv6 2000

[Sysname-classifier-c1] quit

[Sysname] traffic classifier c2

[Sysname-classifier-c2] if-match acl ipv6 2100

[Sysname-classifier-c2] quit

3.      Configure traffic behaviors:

# Configure traffic behavior.

[Sysname] traffic behavior b1

[Sysname-behavior-b1] filter permit

[Sysname-behavior-b1] quit

[Sysname] traffic behavior b2

[Sysname-behavior-b2] filter deny

[Sysname-behavior-b2] quit

4.      Associate traffic classification rules and actions:

# Configure a QoS policy.

[Sysname] qos policy p1

[Sysname-qospolicy-p1] classifier c1 behavior b1

[Sysname-qospolicy-p1] classifier c2 behavior b2

[Sysname-qospolicy-p1] quit

5.      Apply the QoS policy:

# Apply the QoS policy to the inbound direction of interface GigabitEthernet 2/1/1.

[Sysname] interface GigabitEthernet 2/1/1

[Sysname-GigabitEthernet2/1/1] qos apply policy p1 inbound

Flow template configuration example

Network requirements

Create flow templates and apply them to interfaces.

Configuration procedure

# Create basic user-defined flow template aaa.

<Sysname> system-view

[Sysname] flow-template aaa basic smac customer-vlan-id

# Reference user-defined flow template aaa on interface GigabitEthernet 2/1/1.

[Sysname] interface GigabitEthernet 2/1/1

[Sysname-GigabitEthernet2/1/1] flow-template aaa

# Display information about user-defined flow template aaa.

[Sysname] display flow-template user-defined aaa

user-defined flow template: basic

 name:aaa, index:1, total reference counts:1

 fields: smac customer-vlan-id

# Display information about all user-defined flow templates.

[Sysname] display flow-template user-defined

user-defined flow template: basic

 name:aaa, index:1, total reference counts:1

 fields: smac customer-vlan-id

user-defined flow template: basic

 name:1, index:2, total reference counts:0

 fields: service-cos

user-defined flow template: basic

 name:2, index:3, total reference counts:0

 fields: ip-protocol dscp

# Display information about the user-defined flow templates referenced to interfaces.

[Sysname] display flow-template interface

Interface: GigabitEthernet2/1/1

user-defined flow template: basic

 name:aaa, index:1, total reference counts:1

 fields: smac customer-vlan-id

# Delete user-defined flow template aaa. Because it is referenced by interface GigabitEthernet 2/1/1, remove it from the interface first.

[Sysname] interface GigabitEthernet 2/1/1

[Sysname-GigabitEthernet2/1/1] undo flow-template

[Sysname-GigabitEthernet2/1/1] quit

[Sysname] undo flow-template name aaa

ACL rule length limit mode configuration example

Network requirements

Configure the ACL rule length limit for an SPE card to 18 bytes and that for an SPC card to 80 bytes.

Configuration procedure

# Set the ACL rule length limit mode to 3.

<Sysname> system-view

[Sysname] acl mode 3

ACL has been set to mode 3, and will take effect after the next system reboot.

# Display the ACL rule length limit mode.

[Sysname] display acl mode

Current ACL mode              : mode 2 (SPE ACL key long, SPC ACL key short)

Acl mode after system restart : mode 3 (SPE ACL key short, SPC ACL key long)

Notice: Changing ACL mode will take effect only after system restart.

# Restart the router.

[Sysname] return

<Sysname> reboot
