
Configuring a User ACL

Prerequisites

  • The NAC mode has been set to the unified mode using the authentication unified-mode command and the device has been restarted to make the NAC mode take effect.

  • A UCL group that identifies the user category has been created using the ucl-group command.

  • If you need to configure a time-based ACL, create a time range and associate the time range with the ACL rules. For details, see (Optional) Creating a Time Range in Which an ACL Takes Effect.

Context

A user ACL defines rules to filter IPv4 packets based on the source IP addresses or source User Control List (UCL) groups, destination IP addresses or destination UCL groups, IP protocol types, ICMP types, TCP source/destination port numbers, UDP source/destination port numbers, and time ranges.

To filter packets based on UCL groups, configure a user ACL.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Create a user ACL. You can create a numbered or named ACL.

    • Run the acl [ number ] acl-number [ match-order { auto | config } ] command to create a numbered user ACL (6000-9999) and enter the user ACL view.

    • Run the acl name acl-name { ucl | acl-number } [ match-order { auto | config } ] command to create a named user ACL and enter the user ACL view.

    By default, no ACL exists on the device.

    If the parameter match-order is not specified when you create an ACL, the default matching order config is used. For details about the ACL matching order, see ACL Matching.

    The default step of a created ACL is 5. If the default step cannot meet your ACL configuration requirements, you can change the step value. For details about the step, see ACL Increment; for configuration of the step, see Adjusting the Increment of ACL Rules.

  3. (Optional) Run description text

    A description is configured for the ACL.

    By default, an ACL has no description.

    The ACL description helps you understand and remember the functions or purpose of an ACL.

  4. Configure user ACL rules.

    You can configure the user ACL rules according to the protocol types of IP packets. The parameters vary according to the protocol types.

    • When the protocol type is ICMP, the command format is:

      rule [ rule-id ] { permit | deny } { icmp | protocol-number } [ source { { source-address source-wildcard | any } | { ucl-group { name source-ucl-group-name | source-ucl-group-index } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { name destination-ucl-group-name | destination-ucl-group-index } } } * | fqdn fqdn-name } | icmp-type { icmp-type [ icmp-code ] | icmp-name } | vpn-instance vpn-instance-name | time-range time-name ] *

    • When the protocol type is TCP, the command format is:

      rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *

    • When the protocol type is UDP, the command format is:

      rule [ rule-id ] { deny | permit } { protocol-number | udp } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | vpn-instance vpn-instance-name ] *

    • When the protocol type is GRE, IGMP, IP, IPINIP, or OSPF, the command format is:

      rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | time-range time-name | vpn-instance vpn-instance-name ] *

    The S2720-EI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5720S-SI, S5720I-SI, S5730-SI, S5730S-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S5720-EI, S6720S-EI, and S6720-EI do not support destination { fqdn fqdn-name }, ucl-group { destination-ucl-group-index | name destination-ucl-group-name }, and vpn-instance vpn-instance-name.

    In this example, only one permit or deny rule is configured. In actual configuration, you can configure multiple rules and decide the matching order of the rules according to service requirements.

    A rule configuration example is provided in Configuring user ACL rules.

  5. (Optional) Run rule rule-id description description

    A description is configured for the ACL rules.

    By default, an ACL rule has no description.

    The ACL rule description helps you understand and remember the functions or purpose of an ACL rule.

    You can configure descriptions for only the existing rules on the device. That is, you cannot configure a description for a rule before creating it.
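The following session walks through steps 1 to 5 above end to end. It is an added example, not taken from this page or from Huawei's own documentation. The UCL group names and indexes (guests, servers), the ACL number 6001, the time range name, the description strings, the port numbers, and the 10.0.0.0/8 and 192.168.1.53 addresses are all constructed values; the rule syntax follows the formats listed in step 4, and the time-range command is assumed to be the one described in the referenced "Creating a Time Range" section. Lines beginning with "#" are annotations and are not typed into the device.

```text
# Step 1: enter the system view.
<HUAWEI> system-view
# Prerequisites: UCL groups that identify the user categories, and a time range
# (constructed names; the time-range syntax is assumed from the referenced section).
[HUAWEI] ucl-group 10 name guests
[HUAWEI] ucl-group 20 name servers
[HUAWEI] time-range office-hours 08:00 to 18:00 working-day
# Step 2: create numbered user ACL 6001. match-order is omitted, so the default
# config order applies and rules are matched in the order they are configured.
[HUAWEI] acl 6001
# Step 3: describe the ACL.
[HUAWEI-acl-ucl-6001] description Guest user access policy
# Step 4: rules. Rule IDs are assigned explicitly as multiples of the default
# step 5, leaving gaps so rules can be inserted later without renumbering.
# 4a: ICMP echo requests (type 8) from guests to the server group are dropped.
[HUAWEI-acl-ucl-6001] rule 5 deny icmp source ucl-group name guests destination ucl-group name servers icmp-type 8
# 4b: TCP from guests to the server group is allowed only to port 443, and only
#     during the office-hours time range.
[HUAWEI-acl-ucl-6001] rule 10 permit tcp source ucl-group name guests destination ucl-group name servers destination-port eq 443 time-range office-hours
# 4c: UDP DNS from guests to the resolver host 192.168.1.53 is allowed.
#     A wildcard of 0 matches exactly that one address.
[HUAWEI-acl-ucl-6001] rule 15 permit udp source ucl-group name guests destination 192.168.1.53 0 destination-port eq 53
# 4d: everything else from guests to 10.0.0.0/8 is denied. Note the wildcard
#     0.255.255.255 (bits set are "don't care"), not a subnet mask.
[HUAWEI-acl-ucl-6001] rule 20 deny ip source ucl-group name guests destination 10.0.0.0 0.255.255.255
# Step 5: rule descriptions; these can only be added to rules that already exist.
[HUAWEI-acl-ucl-6001] rule 10 description Guests to servers over HTTPS during office hours
[HUAWEI-acl-ucl-6001] rule 20 description Default deny from guests to internal networks
[HUAWEI-acl-ucl-6001] quit
# Verification (assumed display command): confirm the rules and their order.
[HUAWEI] display acl 6001
```

Because the ACL uses config order, the catch-all deny in rule 20 must be configured after the permit rules; if it were entered first it would match before any of them. Rules 5 and 10 use destination ucl-group, which the models listed in step 4 do not support; on those switches, match the server addresses with destination and a wildcard instead. The ACL does nothing until it is applied to a service module, as described in the Follow-up Procedure.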

Follow-up Procedure

After an ACL is configured, it must be applied to a service module so that the ACL rules can be delivered and take effect. For supported service modules and configurations, see Applying an ACL.

Configuration Examples

Configuring user ACL rules

  • Configuring a packet filtering ACL rule based on the source UCL group and destination IP address

    Configure a rule in ACL 6000 to reject all the IP packets sent from the hosts in source UCL group group1 to the network segment 192.168.1.0/24.
    <HUAWEI> system-view
    [HUAWEI] ucl-group 1 name group1
    [HUAWEI] acl 6000
    [HUAWEI-acl-ucl-6000] rule deny ip source ucl-group name group1 destination 192.168.1.0 0.0.0.255

  • Configuring a time-based ACL rule

    For details, see Configuring a time-based ACL rule in Configuring a Basic ACL.

Copyright © Huawei Technologies Co., Ltd.