The NAC mode has been set to unified mode using the authentication unified-mode command, and the device has been restarted for the new NAC mode to take effect. By default, the unified NAC configuration mode is used.
A UCL group that identifies the user category has been created using the ucl-group command.
If you need to configure a time-based ACL6, create a time range and associate the time range with the ACL6 rules. For details, see (Optional) Creating a Time Range in Which an ACL Takes Effect.
A user ACL6 defines rules to filter IPv6 packets based on the source IPv6 addresses or source User Control List (UCL) groups, destination IPv6 addresses, IPv6 protocol types, ICMPv6 types, TCP source/destination port numbers, UDP source/destination port numbers, and time ranges.
To filter packets based on UCL groups, configure a user ACL6.
Run the system-view command. The system view is displayed.
Run the acl ipv6 [ number ] acl6-number [ match-order { auto | config } ] command to create a numbered user ACL6 (6000-9999) and enter the user ACL6 view.
Run the acl ipv6 name acl6-name { ucl | acl6-number } [ match-order { auto | config } ] command to create a named user ACL6 and enter the user ACL6 view.
By default, no ACL6 exists on the device.
If the parameter match-order is not specified when you create an ACL6, the default matching order config is used. The matching order of an ACL6 is the same as that of an ACL. For details, see ACL Matching.
(Optional) Configure a description for the ACL6.
By default, an ACL6 has no description.
A description helps you understand and remember the function or purpose of an ACL6, which matters once a device carries many numbered ACL6s.
Configure user ACL6 rules according to the protocol type of the IPv6 packets to be filtered. The available parameters vary with the protocol type.
When the protocol type is ICMPv6, the command format is:
rule [ rule-id ] { permit | deny } { icmpv6 | protocol-number } [ source { { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | { ucl-group { name source-ucl-group-name | source-ucl-group-index } } } * | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | icmp6-type { icmp6-type [ icmp6-code ] | icmp6-name } | vpn-instance vpn-instance-name | time-range time-name ] *
When the protocol type is TCP, the command format is:
rule [ rule-id ] { deny | permit } { tcp | protocol-number } [ source { { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *
When the protocol type is UDP, the command format is:
rule [ rule-id ] { deny | permit } { udp | protocol-number } [ source { { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | vpn-instance vpn-instance-name ] *
When the protocol type is GRE, IPv6, or OSPF, the command format is:
rule [ rule-id ] { deny | permit } { gre | ipv6 | ospf | protocol-number } [ source { { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] *
The S2720-EI, S5720-LI, S5720S-LI, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S5720-SI, S5720S-SI, S5720I-SI, S5730-SI, S5730S-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S5720-EI, S6720S-EI, and S6720-EI do not support vpn-instance vpn-instance-name.
The procedure above configures only one permit or deny rule. In practice you can configure multiple rules and choose their matching order according to service requirements.
A rule configuration example is provided in Configuring user ACL6 rules.
(Optional) Configure a description for an ACL6 rule.
By default, a rule has no description.
A rule description helps you understand and remember the function or purpose of the rule.
You can configure a description only for a rule that already exists on the device; that is, you cannot configure a description for a rule before creating it.
After an ACL is configured, it must be applied to a service module so that the ACL rules can be delivered and take effect. For supported service modules and configurations, see Applying an ACL.
Configuring a packet filtering ACL6 rule based on the source UCL group and destination IPv6 address
<HUAWEI> system-view
[HUAWEI] ucl-group 1 name group1
[HUAWEI] acl ipv6 6000
[HUAWEI-acl6-ucl-6000] rule deny ipv6 source ucl-group name group1 destination fc00:1:: 64
Configuring a time-based ACL rule
For details, see Configuring a time-based ACL rule in Configuring a Basic ACL.
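Configuring a complete user ACL6 for a UCL group

The following session is an added example that is not part of the original page. It walks through the whole procedure above on one named user ACL6: it lets users in a UCL group reach an internal HTTPS server during a time range, permits their ICMPv6 echo requests for troubleshooting, and drops everything else they send. The UCL group name and index (staff, 10), the ACL6 name and number (acl6-staff, 6010), the time range name (work-hours), the addresses (fc00:20::100) and the descriptions are assumptions chosen for illustration; the named-ACL6 view prompt is shown following the pattern of the numbered example and may differ on your software version.

```text
# Added example (assumed names and addresses, not from the original page).
<HUAWEI> system-view
# UCL group that identifies the user category (prerequisite from the page).
[HUAWEI] ucl-group 10 name staff
# Time range for the time-based rule (see Creating a Time Range in Which an ACL Takes Effect).
[HUAWEI] time-range work-hours 08:00 to 18:00 working-day
# Named user ACL6; 6010 is in the user ACL6 range 6000-9999. match-order config
# is the default, written out here because the final deny relies on it.
[HUAWEI] acl ipv6 name acl6-staff 6010 match-order config
[HUAWEI-acl6-ucl-acl6-staff] description Staff IPv6 access policy
# Rule IDs are spaced by 5 so rules can be inserted later without renumbering.
# Rule 5: staff -> intranet HTTPS server, working hours only.
[HUAWEI-acl6-ucl-acl6-staff] rule 5 permit tcp source ucl-group name staff destination fc00:20::100 128 destination-port eq 443 time-range work-hours
[HUAWEI-acl6-ucl-acl6-staff] rule 5 description Staff to intranet HTTPS during work hours
# Rule 10: ICMPv6 echo request (type 128) so staff can ping for troubleshooting.
[HUAWEI-acl6-ucl-acl6-staff] rule 10 permit icmpv6 source ucl-group name staff destination any icmp6-type 128
[HUAWEI-acl6-ucl-acl6-staff] rule 10 description Staff ICMPv6 echo request
# Rule 20: everything else from the group is dropped. With match-order config
# this rule is evaluated last; with match-order auto its position would instead
# follow the depth-first ordering described in ACL Matching.
[HUAWEI-acl6-ucl-acl6-staff] rule 20 deny ipv6 source ucl-group name staff destination any
[HUAWEI-acl6-ucl-acl6-staff] rule 20 description Deny all other staff IPv6 traffic
[HUAWEI-acl6-ucl-acl6-staff] quit
# Check the rules and their order before applying the ACL6 to a service module.
[HUAWEI] display acl ipv6 name acl6-staff
```

Two points to check before applying this ACL6 to a service module (see Applying an ACL). First, the final deny also drops ICMPv6 messages the page's rule set does not mention; if the hosts depend on ICMPv6 types beyond echo, permit those types explicitly before rule 20 rather than widening the deny. Second, the time range attaches only to rule 5, so outside work-hours the HTTPS traffic falls through to rule 20 and is denied, which is the intended fail-closed behaviour; confirm it with the display command output rather than assuming it from the rule text.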