
ucl-group (System view)

Function

The ucl-group command creates a UCL group.

The undo ucl-group command deletes the configured UCL group.

By default, no UCL group is created.

Format

ucl-group group-index [ name group-name ]

undo ucl-group { all | group-index | name group-name }

Parameters

Parameter: group-index

Description: Specifies the index of a UCL group.

Value: The value is an integer that ranges from 1 to 30 for S2720-EI, S5720I-SI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI; from 1 to 48 for S5720-EI, S6720-EI, and S6720S-EI; and from 1 to 64000 for S5720-HI, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S5731-H, S5731S-H, S5731-S, S5731S-S, and S5730-HI.

Parameter: name group-name

Description: Specifies the name of a UCL group.

Value: The value is a string of 1 to 31 case-sensitive characters without spaces. The value cannot be -, --, a, an, or any, and cannot contain the following special characters: / \ : * ? " < > | @ ' %

Parameter: all

Description: Specifies all UCL groups.

Value: -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In NAC network deployment, there are a large number of users, and each user may be configured with many ACL rules. The ACL resources on the device are limited and cannot meet the demand of every user. If ACL rules are deployed independently for each user, the configuration workload is heavy.

In actual NAC application, there are a large number of access users but only a limited number of user types (users of one type have the same network access rights). Users can be classified using UCL groups (which identify user types), and one set of ACL rules is deployed for all users of the same type.

After you create UCL groups on the device and configure a UCL group for a user on the authentication server, the authentication server delivers the user's UCL group to the device when authenticating the user. In this way, the device obtains the mapping between users and UCL groups, and accordingly adds users to different UCL groups so that the users in each group can share the same ACL rules.

Follow-up Procedure

A UCL group only identifies a user type and does not control users' network access rights. To control the network access rights, you must first configure ACL rules numbered from 6000 to 9999 and then configure ACL-based packet filtering.
  1. Run the acl command to create an ACL with a number in the range 6000 to 9999.
  2. Run the rule (user ACL view) command to create rules for the ACL.
  3. Run the traffic-filter acl command to configure ACL-based packet filtering.
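The following configuration walks through the usage scenario and the three follow-up steps end to end: two UCL groups are created, a user ACL references them to deny one group access to the other (and to a server subnet), and the ACL is applied with packet filtering. This is an added example, not part of the original page or Huawei documentation; the group indexes and names (10 guest, 20 server), ACL number 6000, the 10.1.1.0/24 subnet, the interface, the exact rule syntax with the source/destination ucl-group keywords, the form of the traffic-filter command, and the prompts shown are all assumptions about the companion commands and should be checked against the rule (user ACL view) and traffic-filter acl command references for the model in use.

```text
# Added example (not from the original page); indexes, names, ACL number,
# subnet, interface and prompts are assumed values.
<HUAWEI> system-view

# Step 0: create the UCL groups that the authentication server will deliver
# per user (the server maps each user to group 10 or 20).
[HUAWEI] ucl-group 10 name guest
[HUAWEI] ucl-group 20 name server

# Step 1: create a user ACL (numbers 6000 to 9999 are user ACLs).
[HUAWEI] acl number 6000

# Step 2: rules that reference the UCL groups instead of individual users.
# Guests may not reach users in the server group or the server subnet;
# remaining guest traffic is explicitly permitted for readability.
[HUAWEI-acl-ucl-6000] rule 5 deny ip source ucl-group 10 destination ucl-group 20
[HUAWEI-acl-ucl-6000] rule 10 deny ip source ucl-group 10 destination 10.1.1.0 0.0.0.255
[HUAWEI-acl-ucl-6000] rule 15 permit ip source ucl-group 10
[HUAWEI-acl-ucl-6000] quit

# Step 3: apply ACL-based packet filtering on the user-facing interface.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] traffic-filter inbound acl 6000
[HUAWEI-GigabitEthernet0/0/1] quit

# Verify the groups exist before users start authenticating.
[HUAWEI] display ucl-group all
```

Once rule 5, 10 and 15 reference group 10, the Precautions section applies: on the S2720-EI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, and S5720-SI the group can no longer be deleted while any command references it, and on the other models it can still be deleted despite the rule (user ACL view) reference but not while any other command references it. Plan group indexes and names before deploying rules so that later cleanup does not require removing the ACL first.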

Precautions

For the S2720-EI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, and S5720-SI, a UCL group cannot be deleted after it is referenced using any command. For other models, a UCL group cannot be deleted after it is referenced using any command except rule (user ACL view).

The UCL group and iStack functions are mutually exclusive for the S2720-EI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, and S5720-SI. A UCL group can be configured on the device only when it is deployed in a single-node system, the stack ID is 0, no stack port is configured, and no dedicated stack cable is installed. If a UCL group has been configured on the device, the stack ID cannot be changed, no stack port can be configured, and a stack cannot be automatically set up even if a dedicated stack cable is installed.

For the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S:
  • In L3VPN scenarios, both static and dynamic UCL groups can be used to control packets sent from PEs to CEs, but only static UCL groups can be used to control packets sent from CEs to PEs.
  • When IP packets are forwarded through MPLS LDP tunnels or MPLS TE tunnels, both static and dynamic UCL groups can be used to control the packets leaving the tunnels.
  • In L2VPN scenarios, UCL groups cannot be used to control packets.

Example

# Create a UCL group named abc with the group ID 10.

<HUAWEI> system-view
[HUAWEI] ucl-group 10 name abc
Copyright © Huawei Technologies Co., Ltd.