
Configuring an Advanced ACL

Prerequisites

If you need to configure a time-based ACL, create a time range and associate the time range with the ACL rules. For details, see (Optional) Creating a Time Range in Which an ACL Takes Effect.

Context

Advanced ACLs give you greater flexibility and functionality than basic ACLs, allowing you to filter packets more accurately. For example, with advanced ACLs, you can define rules to filter IPv4 packets based on a range of criteria, including source IP addresses, destination IP addresses, IP protocol types, TCP source/destination port numbers, UDP source/destination port numbers, fragment information, and time ranges.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Create an advanced ACL. You can create a numbered or named ACL.

    • Run the acl [ number ] acl-number [ match-order { auto | config } ] command to create a numbered advanced ACL (3000-3999) and enter the advanced ACL view.

    • Run the acl name acl-name { advance | acl-number } [ match-order { auto | config } ] command to create a named advanced ACL and enter the advanced ACL view.

    By default, no ACL exists on the device.

    If the parameter match-order is not specified when you create an ACL, the default matching order config is used. For details about the ACL matching order, see ACL Matching.

    The default step of a created ACL is 5. If the default step cannot meet your ACL configuration requirements, you can change the step value. For details about the step, see ACL Increment; for configuration of the step, see Adjusting the Increment of ACL Rules.

  3. (Optional) Run description text

    A description is configured for the ACL.

    By default, an ACL has no description.

    The ACL description helps you understand and remember the functions or purpose of an ACL.

  4. Configure rules for the advanced ACL.

    You can configure advanced ACL rules according to the protocols carried by IP. The parameters vary according to the protocol types.

    • When the protocol type is ICMP, the command format is:

      rule [ rule-id ] { deny | permit } { protocol-number | icmp } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | icmp-type { icmp-name | icmp-type [ icmp-code ] } | source { source-address source-wildcard | any } | time-range time-name | ttl-expired | { vpn-instance vpn-instance-name | public } ] *

    • When the protocol type is TCP, the command format is:

      rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | ttl-expired | { vpn-instance vpn-instance-name | public } ] *

    • When the protocol type is UDP, the command format is:

      rule [ rule-id ] { deny | permit } { protocol-number | udp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | ttl-expired | { vpn-instance vpn-instance-name | public } ] *

    • When the protocol type is GRE, IGMP, IP, IPINIP, or OSPF, the command format is:

      rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | time-range time-name | ttl-expired | { vpn-instance vpn-instance-name | public } ] *

    • Only the S5720-EI, S6720S-EI, and S6720-EI support ttl-expired.
    • The vpn-instance and public parameters are supported only when a software-based ACL is applied to the S5720-EI, S5720-HI, S5720I-SI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730-HI, S5730S-EI, S5730-SI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6720S-SI, S6720-SI, S6730-H, S6730S-H, S6730-S, or S6730S-S. For usage scenarios of software-based ACLs, see "ACL Implementations" in the S2720, S5700, and S6700 V200R019C10 Configuration Guide - Security ACL Configuration - ACL Fundamentals.

    • If the ACL rules configured on the S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, and S6720-HI are hardware-based ACLs, tcp-flag is not supported.
    • Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support first-fragment. For the S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, and S5735-S-I, an ACL containing the first-fragment can only be used in the inbound direction.

    In this step, only one permit or deny rule is shown. In actual configuration, you can configure multiple rules and decide their matching order according to service requirements. A packet is handled by the first rule it matches, so the relative order of permit and deny rules determines the result.

    For details about the time ranges, types of protocols carried by IP, source/destination IP addresses and their wildcard masks, TCP/UDP port numbers, TCP flags, and IP fragment information, see ACLs Supported by Switches and Common Matching Conditions. Configuring rules for an advanced ACL provides a rule configuration example.

  5. (Optional) Run rule rule-id description description

    A description is configured for the ACL rules.

    By default, an ACL rule has no description.

    The ACL rule description helps you understand and remember the functions or purpose of an ACL rule.

    You can configure descriptions for only the existing rules on the device. That is, you cannot configure a description for a rule before creating it.

Follow-up Procedure

After an ACL is configured, it must be applied to a service module so that the ACL rules can be delivered and take effect. For supported service modules and configurations, see Applying an ACL.

Configuration Examples

Configuring rules for an advanced ACL
  • Configuring a packet filtering rule for ICMP protocol packets based on the source IP address (host address) and destination network segment

    To allow ICMP packets from a host that are destined for a network segment to pass, configure a rule in an ACL. For example, to allow ICMP packets from the host at 192.168.1.3 that are destined for the network segment 192.168.2.0/24 to pass, configure the following rule in ACL 3001.
    <HUAWEI> system-view
    [HUAWEI] acl 3001
    [HUAWEI-acl-adv-3001] rule permit icmp source 192.168.1.3 0 destination 192.168.2.0 0.0.0.255
    
  • Configuring a packet filtering rule for TCP protocol packets based on the TCP destination port number, source IP address (host address), and destination network segment

    To prohibit Telnet connections from a specified host to the hosts on a network segment, configure a rule in an advanced ACL. For example, to prohibit Telnet connections from the host at 192.168.1.3 to hosts on the network segment 192.168.2.0/24, configure the following rule in the advanced ACL deny-telnet. The rule matches only packets sent by 192.168.1.3 to TCP port 23 on 192.168.2.0/24; Telnet sessions initiated from the network segment toward 192.168.1.3 are not matched and need a separate rule with the source and destination swapped.
    <HUAWEI> system-view
    [HUAWEI] acl name deny-telnet
    [HUAWEI-acl-adv-deny-telnet] rule deny tcp destination-port eq telnet source 192.168.1.3 0 destination 192.168.2.0 0.0.0.255 
    To prohibit specified hosts from accessing web pages over HTTP (TCP port 80), configure rules in an advanced ACL. For example, to prohibit hosts 192.168.1.3 and 192.168.1.4 from accessing web pages, configure the following rules in ACL no-web and set the description for the ACL to "Web access restrictions." These rules match port 80 only; HTTPS (TCP port 443) and HTTP served on other ports are not affected unless additional rules are added.
    <HUAWEI> system-view
    [HUAWEI] acl name no-web
    [HUAWEI-acl-adv-no-web] description Web access restrictions
    [HUAWEI-acl-adv-no-web] rule deny tcp destination-port eq 80 source 192.168.1.3 0
    [HUAWEI-acl-adv-no-web] rule deny tcp destination-port eq 80 source 192.168.1.4 0
    
  • Configuring a packet filtering rule for TCP packets based on the source network segment and TCP flags

    To implement unidirectional access control on a network segment, configure rules in an ACL. For example, to implement unidirectional access control on the network segment 192.168.2.0/24, configure the following rules in ACL 3002. With these rules, the hosts on 192.168.2.0/24 can respond to TCP connections initiated by others but cannot initiate TCP connections themselves, because their outgoing SYN packets carry neither the ACK nor the RST flag. Set the descriptions of the ACL rules to "Allow the ACK TCP packets through", "Allow the RST TCP packets through", and "Do not Allow the other TCP packet through."

    To meet the preceding requirement, configure two permit rules to allow packets from 192.168.2.0/24 with the ACK or RST flag set to pass, and then configure a deny rule to reject all other TCP packets from this network segment. The order matters: with the default matching order, the deny rule must have a larger rule ID than the permit rules so that it is evaluated after them.
    <HUAWEI> system-view
    [HUAWEI] acl 3002
    [HUAWEI-acl-adv-3002] rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack
    [HUAWEI-acl-adv-3002] display this   // If you do not specify an ID for a created rule, you can view the rule ID allocated by the system, and configure a description for the rule by specifying the rule ID.
    #                                                                               
    acl number 3002                                                                 
     rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack           // The rule ID allocated by the system is 5.      
    #                                                                               
    return 
    [HUAWEI-acl-adv-3002] rule 5 description Allow the ACK TCP packets through
    [HUAWEI-acl-adv-3002] rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst
    [HUAWEI-acl-adv-3002] display this
    #                                                                               
    acl number 3002                                                                 
     rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack                 
     rule 5 description Allow the ACK TCP packets through                 
     rule 10 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst       // The rule ID allocated by the system is 10.        
    #                                                                               
    return   
    [HUAWEI-acl-adv-3002] rule 10 description Allow the RST TCP packets through
    [HUAWEI-acl-adv-3002] rule deny tcp source 192.168.2.0 0.0.0.255
    [HUAWEI-acl-adv-3002] display this
    #                                                                               
    acl number 3002                                                                 
     rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack                 
     rule 5 description Allow the ACK TCP packets through                 
     rule 10 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst                
     rule 10 description Allow the RST TCP packets through                
     rule 15 deny tcp source 192.168.2.0 0.0.0.255       //  The rule ID allocated by the system is 15. 
    #                                                                               
    return   
    [HUAWEI-acl-adv-3002] rule 15 description Do not Allow the other TCP packet through
    
    The parameter established is shorthand for the same condition: it matches TCP packets with the ACK or RST flag set. The following configuration permits such packets from 192.168.2.0/24 and denies all other TCP packets from this subnet. Note that the ACL is stateless: any packet carrying ACK or RST matches the permit rule whether or not it belongs to a connection that actually exists, so a crafted ACK-only probe from the segment is passed as well. This filter prevents connection setup from the segment; it is not connection tracking.
    <HUAWEI> system-view
    [HUAWEI] acl 3002
    [HUAWEI-acl-adv-3002] rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag established
    [HUAWEI-acl-adv-3002] rule 5 description Allow the Established TCP packets through
    [HUAWEI-acl-adv-3002] rule deny tcp source 192.168.2.0 0.0.0.255
    [HUAWEI-acl-adv-3002] rule 10 description Do not Allow the other TCP packet through
    [HUAWEI-acl-adv-3002] display this
    #                                                                                                                                   
    acl number 3002                                                                                                                     
     rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag established                                                                
     rule 5 description Allow the Established TCP packets through                                                                       
     rule 10 deny tcp source 192.168.2.0 0.0.0.255                                                                                      
     rule 10 description Do not Allow the other TCP packet through                                                                      
    #                                                                                                                                   
    return
    
  • Configuring a time-based ACL rule

    For details, see Configuring a time-based ACL rule in Configuring a Basic ACL.

  • Configuring a packet filtering rule based on the source network segment and IP fragment information

    For details, see Configuring a packet filtering rule based on the IP fragment information and source IP address segment in Configuring a Basic ACL.
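The following Python model is an added example, not Huawei code and not an exact reproduction of the switch implementation. It reproduces the matching semantics that the procedure and the examples above depend on: wildcard masks (a 0 bit must match, a 1 bit is ignored), automatic rule ID allocation with the default step of 5, first match in ascending rule ID order (match-order config), and tcp-flag established meaning "ACK or RST set". The Packet, Rule and AdvancedACL classes, the helper names, the sample addresses and all sample packets are constructed for this example; ACL 3002 and deny-telnet are built from the rules shown above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example, not Huawei code: a model of advanced ACL matching.
# Packet, Rule, AdvancedACL and all sample addresses are constructed here.

PROTO = {"icmp": 1, "tcp": 6, "udp": 17}
ANY = ("0.0.0.0", "255.255.255.255")  # the CLI keyword "any"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit must match, a 1 bit is don't-care.
    The CLI host shorthand '0' is written 0.0.0.0 here."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None
    flags: frozenset = frozenset()  # TCP flags set, e.g. {"syn"} or {"ack"}


@dataclass
class Rule:
    rule_id: int
    action: str                         # "permit" or "deny"
    proto: Optional[int] = None         # None models the "ip" keyword
    src: tuple = ANY                    # (address, wildcard)
    dst: tuple = ANY
    dport: Optional[int] = None         # destination-port eq <port>
    tcp_flags: frozenset = frozenset()  # tcp-flag ack/rst/syn...: all must be set
    established: bool = False           # tcp-flag established: ACK or RST set

    def matches(self, p: Packet) -> bool:
        return (
            (self.proto is None or p.proto == self.proto)
            and wildcard_match(p.src, *self.src)
            and wildcard_match(p.dst, *self.dst)
            and (self.dport is None or p.dport == self.dport)
            and self.tcp_flags <= p.flags
            and (not self.established or bool({"ack", "rst"} & p.flags))
        )


class AdvancedACL:
    """Advanced ACL with the default step of 5 and match-order config."""

    def __init__(self, name: str, step: int = 5):
        self.name, self.step, self.rules = name, step, []

    def rule(self, action: str, rule_id: Optional[int] = None, **match) -> int:
        if rule_id is None:
            # Same allocation as the display output above (5, 10, 15): the next
            # multiple of the step above the highest rule ID already in use.
            highest = max((r.rule_id for r in self.rules), default=0)
            rule_id = (highest // self.step + 1) * self.step
        self.rules.append(Rule(rule_id, action, **match))
        return rule_id

    def evaluate(self, p: Packet) -> Optional[str]:
        """First match wins, in ascending rule ID order (match-order config).
        None: no rule matched; the service module applying the ACL decides."""
        for r in sorted(self.rules, key=lambda x: x.rule_id):
            if r.matches(p):
                return r.action
        return None


def build_acl_3002() -> AdvancedACL:
    """The 'established' variant of ACL 3002 shown above."""
    acl = AdvancedACL("3002")
    acl.rule("permit", proto=PROTO["tcp"], src=("192.168.2.0", "0.0.0.255"), established=True)
    acl.rule("deny", proto=PROTO["tcp"], src=("192.168.2.0", "0.0.0.255"))
    return acl


def build_deny_telnet() -> AdvancedACL:
    """The named ACL deny-telnet shown above."""
    acl = AdvancedACL("deny-telnet")
    acl.rule("deny", proto=PROTO["tcp"], dport=23,
             src=("192.168.1.3", "0.0.0.0"), dst=("192.168.2.0", "0.0.0.255"))
    return acl


SYN, ACK, RST = frozenset({"syn"}), frozenset({"ack"}), frozenset({"rst"})

if __name__ == "__main__":
    acl, dt = build_acl_3002(), build_deny_telnet()
    print(acl.evaluate(Packet("192.168.2.5", "10.0.0.1", 6, 443, SYN)))  # deny: no new connections out
    print(acl.evaluate(Packet("192.168.2.5", "10.0.0.1", 6, 22, ACK)))   # permit, even with no session (stateless)
    print(dt.evaluate(Packet("192.168.1.3", "192.168.2.7", 6, 23, SYN)))  # deny
    print(dt.evaluate(Packet("192.168.2.7", "192.168.1.3", 6, 23, SYN)))  # None: reverse direction not covered
```

Running the script shows a SYN from 192.168.2.5 being denied by ACL 3002 while ACK and RST packets are permitted, including an ACK-only probe with no session behind it, which is the stateless caveat in practice. For deny-telnet it shows that a Telnet SYN from 192.168.2.7 to 192.168.1.3 returns None, confirming that the rule covers one direction only. None stands for "no rule matched" and is left to the service module that applies the ACL, as the Follow-up Procedure notes.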

Copyright © Huawei Technologies Co., Ltd.