
Configuring a Basic ACL

Prerequisites

If you need to configure a time-based ACL, create a time range and associate the time range with the ACL rules. For details, see (Optional) Creating a Time Range in Which an ACL Takes Effect.

Context

A basic ACL defines rules to filter IPv4 packets based on information such as source IP addresses, fragment information, and time ranges.

To filter packets based only on source IP addresses, you can configure a basic ACL.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Create a basic ACL. You can create a numbered or named ACL.

    • Run the acl [ number ] acl-number [ match-order { auto | config } ] command to create a numbered basic ACL (2000-2999) and enter the basic ACL view.

    • Run the acl name acl-name { basic | acl-number } [ match-order { auto | config } ] command to create a named basic ACL and enter the basic ACL view.

    By default, no ACL exists on the device.

    If the parameter match-order is not specified when you create an ACL, the default matching order config is used. For details about the ACL matching order, see ACL Matching.

    The default step of a created ACL is 5. If the default step cannot meet your ACL configuration requirements, you can change the step value. For details about the step, see ACL Increment; for configuration of the step, see Adjusting the Increment of ACL Rules.

  3. (Optional) Run description text

    A description is configured for the ACL.

    By default, an ACL has no description.

    The ACL description helps you understand and remember the functions or purpose of an ACL.

  4. Run rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | fragment | logging | time-range time-name | { vpn-instance vpn-instance-name | public } ] *

    Rules are configured in the basic ACL.

    In this example, only one permit or deny rule is configured. In actual configuration, you can configure multiple rules and decide the matching order of the rules according to service requirements.

    For details about the time range, source IP address and its wildcard mask, and IP fragment information, see ACLs Supported by Switches and Common Matching Conditions. Configuring rules for a basic ACL provides a rule configuration example.

  5. (Optional) Run rule rule-id description description

    A description is configured for the ACL rules.

    By default, an ACL rule has no description.

    The ACL rule description helps you understand and remember the functions or purpose of an ACL rule.

    You can configure descriptions for only the existing rules on the device. That is, you cannot configure a description for a rule before creating it.

Follow-up Procedure

After an ACL is configured, it must be applied to a service module so that the ACL rules can be delivered and take effect. For supported service modules and configurations, see Applying an ACL.

Configuration Examples

Configuring rules for a basic ACL
  • Configuring a packet filtering rule based on the source IP address (host address)

    To allow packets from a host to pass, add a rule to an ACL. For example, to allow packets from the host at 192.168.1.3 to pass, create the following rule in ACL 2001.
    <HUAWEI> system-view
    [HUAWEI] acl 2001
    [HUAWEI-acl-basic-2001] rule permit source 192.168.1.3 0
    
  • Configuring a packet filtering rule based on the source network segment

    To allow packets from a host to pass and reject packets from other hosts on the same network segment, configure rules in an ACL. For example, to allow packets from the host at 192.168.1.3 to pass and reject packets from other hosts on the network segment 192.168.1.0/24, configure the following rules in ACL 2001 and set the description of ACL 2001 to "Permit only 192.168.1.3 through."
    <HUAWEI> system-view
    [HUAWEI] acl 2001
    [HUAWEI-acl-basic-2001] rule permit source 192.168.1.3 0
    [HUAWEI-acl-basic-2001] rule deny source 192.168.1.0 0.0.0.255
    [HUAWEI-acl-basic-2001] description permit only 192.168.1.3 through
    
  • Configuring a time-based ACL rule

    Create a time range working-time (for example, 8:00-18:00 on Monday through Friday) and configure a rule in ACL work-acl. The rule rejects the packets from the network segment 192.168.1.0/24 within the specified time range working-time.
    <HUAWEI> system-view
    [HUAWEI] time-range working-time 8:00 to 18:00 working-day
    [HUAWEI] acl name work-acl basic
    [HUAWEI-acl-basic-work-acl] rule deny source 192.168.1.0 0.0.0.255 time-range working-time

  • Configuring a packet filtering rule based on the source network segment and IP fragment information

    To reject non-initial fragments from a network segment, configure a rule in an ACL. For example, to reject non-initial fragments from the network segment 192.168.1.0/24, configure the following rule in ACL 2001.
    <HUAWEI> system-view
    [HUAWEI] acl 2001
    [HUAWEI-acl-basic-2001] rule deny source 192.168.1.0 0.0.0.255 fragment
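The matching semantics used by the procedure and the four examples above (source address plus wildcard mask, the fragment keyword, a time range, rule IDs allocated in steps of 5, and config versus auto matching order) can be checked offline with the small simulator below. It is an added teaching example written for this page, not Huawei code and not a model of the VRP CLI; it assumes that automatic rule IDs are 5, 10, 15, ... with the default step, that "working-day" means Monday to Friday, and it approximates the auto (depth-first) order simply as "more specific source first", which is a simplification of the real ACL Matching rules.

```python
"""Offline simulator for basic-ACL matching: source/wildcard, fragment, time-range.
Added example for this page; not Huawei code. Assumptions are marked below."""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass
class TimeRange:
    name: str
    start: time
    end: time
    weekdays: tuple = (0, 1, 2, 3, 4)  # assumption: "working-day" = Monday..Friday

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end


@dataclass
class Rule:
    rule_id: int
    action: str                        # "permit" or "deny"
    source: Optional[int] = None       # None stands for "any"
    wildcard: int = 0                  # 1-bits are "don't care", 0-bits must match
    fragment: bool = False             # True: match only non-initial fragments
    time_range: Optional[TimeRange] = None

    def matches(self, src_ip: str, is_fragment: bool, when: datetime) -> bool:
        if self.source is not None:
            care_bits = ~self.wildcard & 0xFFFFFFFF
            if (int(IPv4Address(src_ip)) ^ self.source) & care_bits:
                return False
        if self.fragment and not is_fragment:
            return False
        if self.time_range is not None and not self.time_range.active(when):
            return False
        return True


@dataclass
class BasicACL:
    name: str
    step: int = 5                      # default step stated on the page
    match_order: str = "config"        # "config" (default) or "auto"
    rules: List[Rule] = field(default_factory=list)

    def add_rule(self, action, source=None, wildcard="0.0.0.0",
                 fragment=False, time_range=None, rule_id=None) -> int:
        if rule_id is None:
            # assumption: next multiple of step above the highest existing id (5, 10, 15 ...)
            highest = max((r.rule_id for r in self.rules), default=0)
            rule_id = (highest // self.step + 1) * self.step
        src = None if source in (None, "any") else int(IPv4Address(source))
        self.rules.append(Rule(rule_id, action, src, int(IPv4Address(wildcard)),
                               fragment, time_range))
        return rule_id

    def ordered_rules(self) -> List[Rule]:
        if self.match_order == "config":
            return sorted(self.rules, key=lambda r: r.rule_id)
        # simplified "auto": fewer wildcard 1-bits (more specific source) first, then rule id
        return sorted(self.rules, key=lambda r: (
            bin(r.wildcard).count("1") if r.source is not None else 32, r.rule_id))

    def evaluate(self, src_ip: str, is_fragment=False, when=None) -> Tuple[str, Optional[int]]:
        """First matching rule wins; no match means the ACL makes no decision."""
        when = when or datetime.now()
        for rule in self.ordered_rules():
            if rule.matches(src_ip, is_fragment, when):
                return rule.action, rule.rule_id
        return "no-match", None


def build_acl_2001(permit_first: bool = True, match_order: str = "config") -> BasicACL:
    """Page example 2: permit host 192.168.1.3, deny the rest of 192.168.1.0/24.
    With permit_first=False the rules are entered in the opposite order."""
    acl = BasicACL("2001", match_order=match_order)
    if permit_first:
        acl.add_rule("permit", "192.168.1.3")                 # rule 5
        acl.add_rule("deny", "192.168.1.0", "0.0.0.255")      # rule 10
    else:
        acl.add_rule("deny", "192.168.1.0", "0.0.0.255")      # rule 5
        acl.add_rule("permit", "192.168.1.3")                 # rule 10
    return acl


def build_work_acl() -> BasicACL:
    """Page example 3: deny 192.168.1.0/24 during working-time (8:00-18:00, Mon-Fri)."""
    working = TimeRange("working-time", time(8, 0), time(18, 0))
    acl = BasicACL("work-acl")
    acl.add_rule("deny", "192.168.1.0", "0.0.0.255", time_range=working)
    return acl


def build_fragment_acl() -> BasicACL:
    """Page example 4: deny non-initial fragments from 192.168.1.0/24."""
    acl = BasicACL("2001")
    acl.add_rule("deny", "192.168.1.0", "0.0.0.255", fragment=True)
    return acl


if __name__ == "__main__":
    print(build_acl_2001().evaluate("192.168.1.3"))                      # ('permit', 5)
    print(build_acl_2001(permit_first=False).evaluate("192.168.1.3"))    # ('deny', 5)
```

The reversed ACL is the practical lesson: in config order the broader deny rule carries the lower ID and shadows the host permit, so the host is blocked; only auto order rescues it. Check the intended order with a packet from the host and one from a neighbour before applying the ACL to a service module.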
Copyright © Huawei Technologies Co., Ltd.