
Configuring an Advanced ACL6

Prerequisites

If you need to configure a time-based ACL6, create a time range and associate the time range with the ACL6 rules. For details, see (Optional) Creating a Time Range in Which an ACL Takes Effect.

Context

An advanced ACL6 defines rules to filter IPv6 packets based on source IPv6 addresses, destination IPv6 addresses, IPv6 protocol types, TCP source/destination port numbers, UDP source/destination port numbers, fragment information, and time ranges.

Compared with a basic ACL6, an advanced ACL6 is more accurate and flexible, and provides more functions. For example, to filter packets based on source and destination IPv6 addresses, configure an advanced ACL6.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Create an advanced ACL6. You can create a numbered or named ACL.

    • Run the acl ipv6 [ number ] acl6-number [ match-order { auto | config } ] command to create a numbered advanced ACL6 (3000-3999) and enter the advanced ACL6 view.

    • Run the acl ipv6 name acl6-name { advance | acl6-number } [ match-order { auto | config } ] command to create a named advanced ACL6 and enter the advanced ACL6 view.

    By default, no ACL6 exists on the device.

    If the parameter match-order is not specified when you create an ACL6, the default matching order config is used. The matching order of an ACL6 is the same as that of an ACL. For details, see ACL Matching.

  3. (Optional) Run description text

    A description is configured for the ACL6.

    By default, an ACL6 has no description.

    The ACL6 description helps you understand and remember the functions or purpose of an ACL6.

  4. Configure rules for the advanced ACL6.

    You can configure advanced ACL6 rules according to the upper-layer protocol carried in the IPv6 packet. The available parameters depend on the protocol type.

    • When the protocol type is TCP, the command format is:

      rule [ rule-id ] { deny | permit } { tcp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | { vpn-instance vpn-instance-name | public } ] *

    • When the protocol type is UDP, the command format is:

      rule [ rule-id ] { deny | permit } { udp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | { vpn-instance vpn-instance-name | public } ] *

    • When the protocol is ICMPv6, the command format is:

      rule [ rule-id ] { deny | permit } { icmpv6 | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | icmp6-type { icmp6-name | icmp6-type [ icmp6-code ] } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | time-range time-name | { vpn-instance vpn-instance-name | public } ] *

    • For any other protocol (a protocol number, GRE, IPv6, or OSPF), the command format is:

      rule [ rule-id ] { deny | permit } { protocol-number | gre | ipv6 | ospf } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | time-range time-name | { vpn-instance vpn-instance-name | public } ] *

      • The vpn-instance and public parameters are supported only when a software-based ACL is applied to the S5720-EI, S5720-HI, S5720I-SI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730-HI, S5730S-EI, S5730-SI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6720S-SI, S6720-SI, S6730-H, S6730S-H, S6730-S, or S6730S-S. For usage scenarios of software-based ACLs, see "ACL Implementations" in the S2720, S5700, and S6700 V200R019C10 Configuration Guide - Security ACL Configuration - ACL Fundamentals.

      • If the ACL rules configured on the S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, and S6720-HI are hardware-based ACLs, tcp-flag is not supported.
      • Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support routing [ routing-type routing-type ].
      • Only the S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6720-SI, S6730-H, S6730S-H, S6730-S, and S6730S-S support dscp, precedence, and tos.
      • Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support destination and first-fragment. For the S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, and S5735-S-I, an ACL containing the first-fragment can only be used in the inbound direction.

    This procedure configures only one permit or deny rule. In an actual configuration, you can configure multiple rules and choose the matching order of the rules according to service requirements.

    For a rule configuration example, see Configuring rules for an advanced ACL6 under Configuration Examples.

  5. (Optional) Run rule rule-id description description

    A description is configured for the ACL rules.

    By default, an ACL rule has no description.

    The ACL rule description helps you understand and remember the functions or purpose of an ACL rule.

    You can configure descriptions for only the existing rules on the device. That is, you cannot configure a description for a rule before creating it.

Follow-up Procedure

After an ACL is configured, it must be applied to a service module so that the ACL rules can be delivered and take effect. For supported service modules and configurations, see Applying an ACL.

Configuration Examples

Configuring rules for an advanced ACL6

  • Configuring a packet filtering rule for ICMPv6 protocol packets based on the source IPv6 address (host address) and destination IPv6 network segment

    Configure a rule in ACL6 3001 to allow the ICMPv6 packets from the host at fc00:1::1 and destined for the network segment fc00:2::/64 to pass.
    <HUAWEI> system-view
    [HUAWEI] acl ipv6 3001
    [HUAWEI-acl6-adv-3001] rule permit icmpv6 source fc00:1::1 128 destination fc00:2:: 64

  • Configuring a packet filtering rule for TCP protocol packets based on the TCP destination port number, source IPv6 address (host address), and destination IPv6 address segment

    Configure a rule in the advanced ACL6 deny-telnet to forbid Telnet connections between the host at fc00:1::3 and hosts on the network segment fc00:2::/64.
    <HUAWEI> system-view
    [HUAWEI] acl ipv6 name deny-telnet
    [HUAWEI-acl6-adv-deny-telnet] rule deny tcp destination-port eq telnet source fc00:1::3 128 destination fc00:2:: 64

    Configure a rule in the advanced ACL6 no-web to forbid hosts at fc00:1::3 and fc00:1::4 from accessing web pages (HTTP is used to access web pages, and the TCP port number is 80).
    <HUAWEI> system-view
    [HUAWEI] acl ipv6 name no-web
    [HUAWEI-acl6-adv-no-web] rule deny tcp destination-port eq 80 source fc00:1::3 128
    [HUAWEI-acl6-adv-no-web] rule deny tcp destination-port eq 80 source fc00:1::4 128

  • Configuring a time-based ACL6 rule

    For details, see Configuring a time-based ACL rule in Configuring a Basic ACL.

  • Configuring a packet filtering rule based on the source network segment and IP fragment information

    For details, see Configuring a packet filtering rule based on the IP fragment information and source IP address segment in Configuring a Basic ACL.
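The rule syntax from step 4 and the rules in the examples above, modelled as an added example (this is not Huawei's code or the switch's matching engine): a parser for the subset of the rule command used on this page (source and destination with a prefix length, a slash prefix or any; source-port and destination-port with eq, gt, lt or range) and an evaluator that checks constructed packets against the rules in the order given, standing in for the config matching order. Packets are assumed to be plain dicts with proto, src, dst and, for TCP/UDP, sport and dport.

```python
import ipaddress
# Added example, not Huawei's code: a model of advanced ACL6 matching for the rule syntax
# subset on this page. Rules are checked in list order (stands in for the config matching
# order); the first match decides and None means no rule matched.

PROTO_NUMBERS = {"6": "tcp", "17": "udp", "58": "icmpv6"}  # IANA protocol numbers
PORT_NAMES = {"telnet": 23}                                # keyword from the page's example

def _addr(tok, i):
    """'any' | 'addr prefix-length' | 'addr/prefix-length' -> (IPv6Network or None, next index)."""
    if tok[i] == "any":
        return None, i + 1
    if "/" in tok[i]:
        return ipaddress.IPv6Network(tok[i], strict=False), i + 1
    return ipaddress.IPv6Network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def _port(tok, i):
    """'eq|gt|lt port' or 'range start end' -> (predicate on a port number, next index)."""
    if tok[i] == "range":
        lo, hi = int(tok[i + 1]), int(tok[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    v = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return {"eq": lambda p: p == v, "gt": lambda p: p > v, "lt": lambda p: p < v}[tok[i]], i + 2

def parse_rule(line):
    """Parse 'rule [rule-id] { deny | permit } proto [options]' into a dict of match fields."""
    tok = line.split()
    i = 2 if tok[1].isdigit() else 1  # optional rule-id
    rule = {"action": tok[i], "proto": PROTO_NUMBERS.get(tok[i + 1], tok[i + 1])}
    i += 2
    while i < len(tok):
        key = tok[i]
        if key in ("source", "destination"):
            rule[key], i = _addr(tok, i + 1)
        elif key in ("source-port", "destination-port"):
            rule[key], i = _port(tok, i + 1)
        else:  # refuse keywords this model does not implement rather than mis-evaluate them
            raise ValueError(f"unsupported keyword: {key}")
    return rule

def matches(rule, pkt):
    """pkt: dict with proto, src, dst and, for TCP/UDP, sport and dport."""
    nets_ok = all(rule.get(k) is None or ipaddress.IPv6Address(pkt[f]) in rule[k]
                  for k, f in (("source", "src"), ("destination", "dst")))
    ports_ok = all(k not in rule or rule[k](pkt[f])
                   for k, f in (("source-port", "sport"), ("destination-port", "dport")))
    return rule["proto"] == pkt["proto"] and nets_ok and ports_ok

def evaluate(rules, pkt):
    """Action of the first rule in the list that matches the packet, or None."""
    return next((r["action"] for r in rules if matches(r, pkt)), None)
```

A rule that uses a keyword the model does not implement (tcp-flag, fragment, time-range and so on) raises ValueError instead of being silently mis-evaluated. A result of None means no rule matched; what happens to such a packet is decided by the service module the ACL is applied to, not by the ACL itself.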

Copyright © Huawei Technologies Co., Ltd.