H3C WX1804H, WX1810H, WX1820H, WX2510H, WX2540H User Configuration Manual

...
H3C Access Controllers
ACL and QoS Configuration Guide
New H3C Technologies Co., Ltd. http://www.h3c.com.hk
Document version: 6W101-2017112
Copyright © 2017, New H3C Technologies Co., Ltd. and its licensors
All rights reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Trademarks
H3C, H3CS, H3CIE, H3CNE, Aolynk, H3Care, IRF, NetPilot, Netflow, SecEngine, SecPath, SecCenter, SecBlade, Comware, ITCMM and HUASAN are trademarks of New H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners
Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Preface

The H3C access controllers documentation set describes the software features for the H3C access controllers and guides you through the software configuration procedures. These guides also provide configuration examples to help you apply software features to different network scenarios.
The ACL and QoS Configuration Guide describes ACL, QoS, and time range configurations.
This preface includes the following topics about the documentation:
Hardware and software compatibility matrix
Audience
Conventions
Obtaining documentation
Technical support
Documentation feedback

Hardware and software compatibility matrix

Table 1 Hardware and software compatibility matrix (hardware series, model, product version)

WX1800H series
  WX1804H: WX1804H-CMW710-E5208P03
  WX1810H: WX1810H-CMW710-E5215P01
  WX1820H: WX1820H-CMW710-E5208P03
WX2500H series
  WX2510H: WX2510H-CMW710-R5215P01
  WX2540H: WX2540H-CMW710-R5215P01
  WX2560H: WX2560H-CMW710-R5215P01
WX3000H series
  WX3010H: WX3010H-CMW710-R5215P01
  WX3010H-L: WX3010HL-CMW710-R5215P01
  WX3010H-X: WX3010HX-CMW710-R5215P01
  WX3024H: WX3024H-CMW710-R5215P01
  WX3024H-L: WX3024HL-CMW710-R5215P01
WX3500H series
  WX3508H: WX3508H-CMW710-R5215P01
  WX3510H: WX3510H-CMW710-R5215P01
  WX3520H: WX3520H-CMW710-R5215P01
  WX3540H: WX3540H-CMW710-R5215P01
WX5500E series
  WX5510E: WX5510E-CMW710-R5215P01
  WX5540E: WX5540E-CMW710-R5215P01
WX5500H series
  WX5540H: WX5540H-CMW710-R5215P01
  WX5560H: WX5560H-CMW710-R5215P01
  WX5580H: WX5580H-CMW710-R5215P01
Access controller modules
  EWPXM1MAC0F: WCMX40-CMW710-R5215P01
  EWPXM1WCME0: WCMX40-CMW710-R5215P01
  EWPXM2WCMD0F: WCMX20-CMW710-R5215P01
  LSQM1WCMX20: WCMX20-CMW710-R5215P01
  LSQM1WCMX40: WCMX40-CMW710-R5215P01
  LSUM1WCME0: WCMX40-CMW710-R5215P01
  LSUM1WCMX20RT: WCMX20-CMW710-R5215P01
  LSUM1WCMX40RT: WCMX40-CMW710-R5215P01

Audience

This documentation is intended for:
Network planners.
Field technical support and servicing engineers.
Network administrators working with the H3C access controllers.

Conventions

The following information describes the conventions used in the documentation.

Command conventions

Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]: Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *: Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select a minimum of one.
[ x | y | ... ] *: Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
&<1-n>: The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
#: A line that starts with a pound (#) sign is a comment.

GUI conventions

Boldface: Window names, button names, field names, and menu items are in Boldface. For example, the New User window opens; click OK.
>: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols

WARNING!: An alert that calls attention to important information that if not understood or followed can result in personal injury.
CAUTION: An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT: An alert that calls attention to essential information.
NOTE: An alert that contains additional or supplementary information.
TIP: An alert that provides helpful information.

Network topology icons

Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Represents an access controller, a unified wired-WLAN module, or the access controller engine on a unified wired-WLAN switch.
Represents an access point.
Represents a wireless terminator unit.
Represents a wireless terminator.
Represents a mesh access point.
Represents omnidirectional signals.
Represents directional signals.
Represents a security product, such as a firewall, UTM, multiservice security gateway, or load balancing device.
Represents a security module, such as a firewall, load balancing, NetStream, SSL VPN, IPS, or ACG module.
Examples provided in this document
Examples in this document might use devices that differ from your device in hardware model, configuration, or software version. It is normal that the port numbers, sample output, screenshots, and other information in the examples differ from what you have on your device.

Obtaining documentation

To access the most up-to-date H3C product documentation, go to the H3C website at
http://www.h3c.com.hk
To obtain information about installation, configuration, and maintenance, click
http://www.h3c.com.hk/Technical_Documents
To obtain software version information such as release notes, click
http://www.h3c.com.hk/Software_Download

Technical support

service@h3c.com
http://www.h3c.com.hk

Documentation feedback

You can e-mail your comments about product documentation to info@h3c.com.
We appreciate your comments.

Contents

Configuring ACLs ······ 1
  Overview ······ 1
    ACL types ······ 1
    Numbering and naming ACLs ······ 1
    Match order ······ 1
    Rule numbering ······ 2
    Fragments filtering with ACLs ······ 3
  Compatibility information ······ 3
    Feature and hardware compatibility ······ 3
    Command and hardware compatibility ······ 4
  Configuration restrictions and guidelines ······ 4
  Configuration task list ······ 4
  Configuring a basic ACL ······ 5
    Configuring an IPv4 basic ACL ······ 5
    Configuring an IPv6 basic ACL ······ 5
  Configuring an advanced ACL ······ 6
    Configuring an IPv4 advanced ACL ······ 6
    Configuring an IPv6 advanced ACL ······ 7
  Configuring a Layer 2 ACL ······ 8
  Configuring a WLAN client ACL ······ 9
  Configuring a WLAN AP ACL ······ 10
  Copying an ACL ······ 10
  Configuring packet filtering with ACLs ······ 11
    Applying an ACL to an interface for packet filtering ······ 11
    Configuring SNMP notifications for packet filtering ······ 12
    Setting the packet filtering default action ······ 12
  Displaying and maintaining ACLs ······ 13
  ACL configuration example ······ 14
    Network requirements ······ 14
    Configuration procedure ······ 14
    Verifying the configuration ······ 15
QoS overview ······ 16
  Compatibility information ······ 16
    Feature and hardware compatibility ······ 16
    Command and hardware compatibility ······ 17
  QoS service models ······ 17
    Best-effort service model ······ 17
    IntServ model ······ 17
    DiffServ model ······ 17
  QoS techniques overview ······ 17
    Deploying QoS in a network ······ 18
    QoS processing flow in a device ······ 18
Configuring a QoS policy ······ 19
  Non-MQC approach ······ 19
  MQC approach ······ 19
  Configuration procedure diagram ······ 19
  Defining a traffic class ······ 19
  Defining a traffic behavior ······ 20
  Defining a QoS policy ······ 20
  Applying the QoS policy ······ 20
    Applying the QoS policy to an interface ······ 21
    Applying the QoS policy to a user profile ······ 21
  Displaying and maintaining QoS policies ······ 22
Configuring priority mapping ······ 23
  Overview ······ 23
    Introduction to priorities ······ 23
    Priority maps ······ 23
  Priority mapping configuration tasks ······ 23
  Configuring a priority map ······ 24
  Configuring a port to trust packet priority for priority mapping ······ 24
  Changing the port priority of an interface ······ 25
  Displaying and maintaining priority mapping ······ 25
  Priority mapping configuration examples ······ 25
    Network requirements ······ 25
    Configuration procedure ······ 26
Configuring traffic policing ······ 27
  Overview ······ 27
    Traffic evaluation and token buckets ······ 27
    Traffic policing ······ 27
  Configuration procedure ······ 28
    Configuring traffic policing by using the MQC approach ······ 28
    Configuring traffic policing for a user profile by using the non-MQC approach ······ 29
  Displaying and maintaining traffic policing ······ 30
Configuring traffic filtering ······ 31
  Configuration procedure ······ 31
  Configuration example ······ 31
    Network requirements ······ 31
    Configuration procedure ······ 32
Configuring priority marking ······ 33
  Configuration procedure ······ 33
  Configuration example ······ 34
    Network requirements ······ 34
    Configuration procedure ······ 34
Appendixes ······ 36
  Appendix A Acronym ······ 36
  Appendix B Default priority maps ······ 36
  Appendix C Introduction to packet precedences ······ 38
    IP precedence and DSCP values ······ 38
    802.1p priority ······ 39
    802.11e priority ······ 40
Configuring time ranges ······ 41
  Feature and hardware compatibility ······ 41
  Configuration procedure ······ 42
  Displaying and maintaining time ranges ······ 42
  Time range configuration example ······ 42
Index ······ 44

Configuring ACLs


Overview

An access control list (ACL) is a set of rules for identifying traffic based on criteria such as source IP address, destination IP address, and port number. The rules are also called permit or deny statements.
ACLs are primarily used for packet filtering. "Configuring packet filtering with ACLs" provides an example. You can use ACLs in QoS, security, routing, and other modules for identifying traffic. The packet drop or forwarding decisions depend on the modules that use ACLs.

ACL types

The following table lists the ACL types (type, ACL number range, IP version, match criteria):

WLAN client ACL
  ACL number: 100 to 199. IP version: IPv4 and IPv6. Match criteria: SSID.
WLAN AP ACL
  ACL number: 200 to 299. IP version: IPv4 and IPv6. Match criteria: AP MAC address and AP serial ID.
Basic ACLs
  ACL number: 2000 to 2999. IP version: IPv4. Match criteria: Source IPv4 address.
  ACL number: 2000 to 2999. IP version: IPv6. Match criteria: Source IPv6 address.
Advanced ACLs
  ACL number: 3000 to 3999. IP version: IPv4. Match criteria: Source IPv4 address, destination IPv4 address, packet priority, protocol number, and other Layer 3 and Layer 4 header fields.
  ACL number: 3000 to 3999. IP version: IPv6. Match criteria: Source IPv6 address, destination IPv6 address, packet priority, protocol number, and other Layer 3 and Layer 4 header fields.
Layer 2 ACLs
  ACL number: 4000 to 4999. IP version: IPv4 and IPv6. Match criteria: Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type.

Numbering and naming ACLs

When creating an ACL, you must assign it a number or name for identification. You can specify an existing ACL by its number or name. Each ACL type has a unique range of ACL numbers.
For an IPv4 basic or advanced ACL, its ACL number or name must be unique in IPv4. For an IPv6 basic or advanced ACL, its ACL number or name must be unique in IPv6. For a Layer 2, WLAN client, or WLAN AP ACL, its number or name must be globally unique.

Match order

The rules in an ACL are sorted in a specific order. When a packet matches a rule, the device stops the match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting rules, the matching result and action to take depend on the rule order.
The following ACL match orders are available:
config—Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a rule with a higher ID. If you use this method, check the rules and their order carefully: a broad rule with a lower ID hides every narrower rule with a higher ID that overlaps it.
auto—Sorts ACL rules in depth-first order. Depth-first ordering makes sure any subset of a rule is always matched before the rule. Table 1 lists the sequence of tie breakers that depth-first ordering uses to sort rules for each type of ACL.
NOTE:
The match order of WLAN client ACLs and WLAN AP ACLs can only be config.
Table 1 Sort ACL rules in depth-first order (ACL type, sequence of tie breakers)
IPv4 basic ACL
  1. VPN instance.
  2. More 0s in the source IPv4 address wildcard (more 0s means a narrower IPv4 address range).
  3. Rule configured earlier.
IPv4 advanced ACL
  1. VPN instance.
  2. Specific protocol number.
  3. More 0s in the source IPv4 address wildcard mask.
  4. More 0s in the destination IPv4 address wildcard.
  5. Narrower TCP/UDP service port number range.
  6. Rule configured earlier.
IPv6 basic ACL
  1. VPN instance.
  2. Longer prefix for the source IPv6 address (a longer prefix means a narrower IPv6 address range).
  3. Rule configured earlier.
IPv6 advanced ACL
  1. VPN instance.
  2. Specific protocol number.
  3. Longer prefix for the source IPv6 address.
  4. Longer prefix for the destination IPv6 address.
  5. Narrower TCP/UDP service port number range.
  6. Rule configured earlier.
Layer 2 ACL
  1. More 1s in the source MAC address mask (more 1s means a smaller MAC address range).
  2. More 1s in the destination MAC address mask.
  3. Rule configured earlier.
A wildcard mask, also called an inverse mask, is a 32-bit binary number represented in dotted decimal notation. In contrast to a network mask, the 0 bits in a wildcard mask represent "do care" bits, and the 1 bits represent "don't care" bits. If the "do care" bits in an IP address are identical to the "do care" bits in an IP address criterion, the IP address matches the criterion. All "don't care" bits are ignored. The 0s and 1s in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a valid wildcard mask.
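The following Python model is added here as an example; it is not part of the H3C documentation or of Comware. It shows the difference between config and auto match order on an IPv4 basic ACL and how wildcard masks, including a noncontiguous one, are evaluated. It parses rule lines in the rule syntax used for IPv4 basic ACLs, assumes a single VPN instance (so tie breaker 1 never differs), omits time ranges, and uses a constructed ACL with hypothetical addresses.

```python
"""IPv4 basic ACL match order: config vs. auto (depth-first) with wildcard masks.

Added example, not H3C code. Models the behaviour described in the text for a
single VPN instance (tie breaker 1 never differs) and ignores time ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

WILD_ANY = 0xFFFFFFFF  # `source any`: every bit is a don't-care bit


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                        # "permit" or "deny"
    source: Optional[tuple[int, int]]  # (criterion, wildcard) as ints; None = any
    fragment: bool                     # True: matches non-first fragments only
    seq: int                           # configuration order, 0 = configured first


def parse_rule(line: str, seq: int) -> Rule:
    """Parse `rule <id> {permit|deny} [fragment] [source {addr wildcard | any}]`."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "rule" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an IPv4 basic ACL rule: {line!r}")
    source, fragment, i = None, False, 3
    while i < len(tok):
        if tok[i] == "fragment":
            fragment, i = True, i + 1
        elif tok[i] == "source" and tok[i + 1] == "any":
            i += 2
        elif tok[i] == "source":
            source = (int(ipaddress.IPv4Address(tok[i + 1])),
                      int(ipaddress.IPv4Address(tok[i + 2])))
            i += 3
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r} in {line!r}")
    return Rule(int(tok[1]), tok[2], source, fragment, seq)


def build_acl(config_text: str) -> list[Rule]:
    """Rules in the order they were configured (needed for the last tie breaker)."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip().startswith("rule")]
    return [parse_rule(ln, seq) for seq, ln in enumerate(lines)]


def wildcard_match(addr: int, criterion: int, wildcard: int) -> bool:
    """0 bits in the wildcard are 'do care' and must equal the criterion; 1 bits
    are ignored. The care bits need not be contiguous (0.255.0.255 is valid)."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (criterion & care)


def rule_matches(rule: Rule, src: str, non_first_fragment: bool = False) -> bool:
    if rule.fragment and not non_first_fragment:
        return False  # a `fragment` rule applies to non-first fragments only
    if rule.source is None:
        return True   # rules without `fragment` match all packets, fragments included
    return wildcard_match(int(ipaddress.IPv4Address(src)), *rule.source)


def depth_first_key(rule: Rule) -> tuple[int, int]:
    """Table 1, IPv4 basic ACL: more 0s in the source wildcard first, then the
    rule configured earlier."""
    wildcard = rule.source[1] if rule.source else WILD_ANY
    zeros = 32 - bin(wildcard).count("1")
    return (-zeros, rule.seq)


def ordered(rules: list[Rule], match_order: str) -> list[Rule]:
    if match_order == "config":
        return sorted(rules, key=lambda r: r.rule_id)
    if match_order == "auto":
        return sorted(rules, key=depth_first_key)
    raise ValueError(match_order)


def first_match(rules, match_order, src, non_first_fragment=False):
    """The rule the device would act on, or None if no rule matches."""
    for rule in ordered(rules, match_order):
        if rule_matches(rule, src, non_first_fragment):
            return rule
    return None


# Constructed sample ACL (hypothetical addresses). Rule 5 is a subset of rule 0.
SAMPLE_ACL = """
rule 0 permit source 10.1.0.0 0.0.255.255
rule 5 deny source 10.1.1.1 0.0.0.0
rule 10 permit source 172.0.16.0 0.255.0.255
rule 15 deny fragment
rule 20 deny source any
"""

if __name__ == "__main__":
    acl = build_acl(SAMPLE_ACL)
    for order in ("config", "auto"):
        hit = first_match(acl, order, "10.1.1.1")
        print(f"{order:6} order: host 10.1.1.1 -> rule {hit.rule_id} {hit.action}")
    print("auto order evaluates rules as:", [r.rule_id for r in ordered(acl, "auto")])
```

In config order the broad permit in rule 0 hides the host-specific deny in rule 5, which is the situation the text tells you to check for. Auto order places rule 5 first because its wildcard has more 0 bits, so the deny takes effect whatever IDs were chosen.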

Rule numbering

ACL rules can be manually numbered or automatically numbered. This section describes how automatic ACL rule numbering works.
Rule numbering step
If you do not assign an ID to the rule you are creating, the system automatically assigns it a rule ID. The rule numbering step sets the increment by which the system automatically numbers rules. For example, the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are automatically numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between two rules.
By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility of inserting rules in an ACL. This feature is important for a config-order ACL, where ACL rules are matched in ascending order of rule ID.
Automatic rule numbering and renumbering
The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step to the current highest rule ID, starting with 0.
For example, if the step is 5, and there are five rules numbered 0, 5, 9, 10, and 12, the newly defined rule is numbered 15. If the ACL does not contain a rule, the first rule is numbered 0.
Whenever the step changes, the rules are renumbered, starting from 0. For example, changing the step from 5 to 2 renumbers rules 5, 10, 13, and 15 as rules 0, 2, 4, and 6.
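An added Python example (not H3C code) that reproduces the numbering rules above, so the effect of a step change can be previewed before the step command is issued on a live ACL. The rule IDs it works on are constructed.

```python
"""Automatic ACL rule numbering and renumbering on a `step` change.

Added example, not H3C code. Reproduces the behaviour described in the text.
"""


def next_rule_id(existing_ids, step=5):
    """ID given to a rule created without an explicit ID: the nearest multiple
    of `step` above the current highest ID, or 0 for an empty ACL."""
    if not existing_ids:
        return 0
    return (max(existing_ids) // step + 1) * step


def renumber(existing_ids, new_step):
    """Changing the step renumbers every rule from 0 in increments of the new
    step, keeping the ascending-ID order. Returns a mapping old ID -> new ID."""
    return {old: index * new_step for index, old in enumerate(sorted(existing_ids))}


def insertable_between(lower_id, upper_id):
    """How many manually numbered rules still fit between two adjacent rules."""
    return max(0, upper_id - lower_id - 1)


def changed_ids(existing_ids, new_step):
    """Rules whose ID changes if the step is set to `new_step`: anything that
    refers to these rules by ID (runbooks, scripts) must be re-checked."""
    return [old for old, new in renumber(existing_ids, new_step).items() if old != new]


if __name__ == "__main__":
    # The two examples from the text (constructed rule IDs).
    print("next ID after 0,5,9,10,12 with step 5:", next_rule_id([0, 5, 9, 10, 12]))
    print("step 5 -> 2 renumbers 5,10,13,15 as:", renumber([5, 10, 13, 15], 2))
    print("rules that change ID:", changed_ids([5, 10, 13, 15], 2))
```

Because a step change rewrites every rule ID, compare the mapping renumber() returns with any procedure or automation that names rules by ID before issuing the step command; otherwise a later "rule 10 comment ..." or a manual insert may land on a different rule than intended.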

Fragments filtering with ACLs

Traditional packet filtering matches only first fragments of packets, and allows all subsequent non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks.
To avoid the risks, the ACL feature is designed as follows:
Filters all fragments by default, including non-first fragments.
Allows for matching criteria modification for efficiency. For example, you can configure the ACL to filter only non-first fragments.

Compatibility information

Feature and hardware compatibility

WX1800H series
  Models: WX1804H, WX1810H, WX1820H
  ACL compatibility: Yes
WX2500H series
  Models: WX2510H, WX2540H, WX2560H
  ACL compatibility: Yes
WX3000H series
  Models: WX3010H, WX3010H-L, WX3010H-X, WX3024H, WX3024H-L
  ACL compatibility: Yes for WX3010H, WX3010H-X, and WX3024H. No for WX3010H-L and WX3024H-L.
WX3500H series
  Models: WX3508H, WX3510H, WX3520H, WX3540H
  ACL compatibility: Yes
WX5500E series
  Models: WX5510E, WX5540E
  ACL compatibility: Yes
WX5500H series
  Models: WX5540H, WX5560H, WX5580H
  ACL compatibility: Yes
Access controller modules
  Models: EWPXM1MAC0F, EWPXM1WCME0, EWPXM2WCMD0F, LSQM1WCMX20, LSQM1WCMX40, LSUM1WCME0, LSUM1WCMX20RT, LSUM1WCMX40RT
  ACL compatibility: Yes

Command and hardware compatibility

The WX1800H series, WX2500H series, and WX3000H series access controllers do not support the slot keyword or the slot-number argument.

Configuration restrictions and guidelines

If an ACL rule contains match criteria or enables functions other than the following, packets matching the rule are processed through slow forwarding:
Source and destination IP addresses.
Source and destination ports.
Transport layer protocol.
ICMP or ICMPv6 message type, message code, and message name.
VPN instance.
Logging.
Time range.
Slow forwarding requires packets to be sent to the control plane for forwarding entry calculation, which affects the device forwarding performance.
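The following Python check is added as an example and is not H3C code. It scans rule lines written in the rule syntax shown on this page and reports keywords that are not among the fast-path criteria and functions listed above; per the text, packets matching such rules go through slow forwarding. The slow-path keyword set is derived by exclusion from the list above and is an assumption to confirm against your platform's release notes; the sample ACL is constructed.

```python
"""Flag ACL rules that the text says fall back to slow forwarding.

Added example, not H3C code. Token scan over `rule` lines in the syntax shown
on this page; the keyword sets below are taken from the text's list.
"""

# Criteria and functions the text allows without slow forwarding.
FAST_PATH_KEYWORDS = {
    "source", "destination",            # source and destination IP addresses
    "source-port", "destination-port",  # source and destination ports
    "icmp-type", "icmp6-type",          # ICMP/ICMPv6 type, code and message name
    "vpn-instance",                     # VPN instance (listed in the text)
    "logging",                          # logging (listed in the text)
    "time-range",                       # time range
}

# Keywords from this page's rule syntax that are NOT in the text's list.
# Assumption: per the text, any of these sends matching packets to the slow path.
SLOW_PATH_KEYWORDS = {
    "ack", "fin", "psh", "rst", "syn", "urg", "established",  # TCP flag criteria
    "dscp", "precedence", "tos",                              # priority fields
    "fragment", "flow-label", "hop-by-hop", "routing",        # other header criteria
}


def slow_path_keywords(rule_line: str) -> list[str]:
    """Keywords in one `rule` line that are outside the fast-path list. The
    transport protocol (token after permit/deny) is allowed and never flagged."""
    return [tok for tok in rule_line.split() if tok in SLOW_PATH_KEYWORDS]


def audit_acl(config_text: str) -> dict[int, list[str]]:
    """Rule ID -> offending keywords, for every rule that would use slow forwarding."""
    findings = {}
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) >= 3 and tok[0] == "rule" and tok[1].isdigit():
            bad = slow_path_keywords(line)
            if bad:
                findings[int(tok[1])] = bad
    return findings


# Constructed sample in the display format of an IPv4 advanced ACL.
SAMPLE_ACL = """
acl advanced 3000
 rule 0 permit tcp source 10.1.1.0 0.0.0.255 destination-port eq 443
 rule 5 permit tcp established
 rule 10 permit ip dscp ef
 rule 15 permit icmp icmp-type echo
 rule 20 deny ip fragment time-range work
 rule 25 deny ip
"""

if __name__ == "__main__":
    for rule_id, keywords in audit_acl(SAMPLE_ACL).items():
        print(f"rule {rule_id}: slow forwarding because of {', '.join(keywords)}")
```

Run it over the output of the ACL's running configuration before applying the ACL to a busy interface: a single rule with a TCP flag or DSCP criterion is enough to move all matching traffic onto the control plane.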

Configuration task list

(Required.) Configure ACLs according to the characteristics of the packets to be matched:
  Configuring a basic ACL
    Configuring an IPv4 basic ACL
    Configuring an IPv6 basic ACL
  Configuring an advanced ACL
    Configuring an IPv4 advanced ACL
    Configuring an IPv6 advanced ACL
  Configuring a Layer 2 ACL
  Configuring a WLAN client ACL
  Configuring a WLAN AP ACL
(Optional.) Copying an ACL
(Optional.) Configuring packet filtering with ACLs

Configuring a basic ACL

This section describes procedures for configuring IPv4 and IPv6 basic ACLs.

Configuring an IPv4 basic ACL

IPv4 basic ACLs match packets based only on source IP addresses.
To configure an IPv4 basic ACL:
1. Enter system view.
  Command: system-view
  Remarks: N/A
2. Create an IPv4 basic ACL and enter its view.
  Command: acl basic { acl-number | name acl-name } [ match-order { auto | config } ]
  Remarks: By default, no ACL exists. The value range for a numbered IPv4 basic ACL is 2000 to 2999. Use the acl basic acl-number command to enter the view of a numbered IPv4 basic ACL. Use the acl basic name acl-name command to enter the view of a named IPv4 basic ACL.
3. (Optional.) Configure a description for the IPv4 basic ACL.
  Command: description text
  Remarks: By default, an IPv4 basic ACL does not have a description.
4. (Optional.) Set the rule numbering step.
  Command: step step-value
  Remarks: By default, the rule numbering step is 5 and the start rule ID is 0.
5. Create or edit a rule.
  Command: rule [ rule-id ] { deny | permit } [ fragment | source { source-address source-wildcard | any } | time-range time-range-name ] *
  Remarks: By default, an IPv4 basic ACL does not contain any rules.
6. (Optional.) Add or edit a rule comment.
  Command: rule rule-id comment text
  Remarks: By default, no rule comment is configured.

Configuring an IPv6 basic ACL

IPv6 basic ACLs match packets based only on source IP addresses.
To configure an IPv6 basic ACL:
1. Enter system view.
  Command: system-view
  Remarks: N/A
2. Create an IPv6 basic ACL and enter its view.
  Command: acl ipv6 basic { acl-number | name acl-name } [ match-order { auto | config } ]
  Remarks: By default, no ACL exists. The value range for a numbered IPv6 basic ACL is 2000 to 2999. Use the acl ipv6 basic acl-number command to enter the view of a numbered IPv6 basic ACL. Use the acl ipv6 basic name acl-name command to enter the view of a named IPv6 basic ACL.
3. (Optional.) Configure a description for the IPv6 basic ACL.
  Command: description text
  Remarks: By default, an IPv6 basic ACL does not have a description.
4. (Optional.) Set the rule numbering step.
  Command: step step-value
  Remarks: By default, the rule numbering step is 5 and the start rule ID is 0.
5. Create or edit a rule.
  Command: rule [ rule-id ] { deny | permit } [ fragment | routing [ type routing-type ] | source { source-address source-prefix | source-address/source-prefix | any } | time-range time-range-name ] *
  Remarks: By default, an IPv6 basic ACL does not contain any rules.
6. (Optional.) Add or edit a rule comment.
  Command: rule rule-id comment text
  Remarks: By default, no rule comment is configured.

Configuring an advanced ACL

This section describes procedures for configuring IPv4 and IPv6 advanced ACLs.

Configuring an IPv4 advanced ACL

IPv4 advanced ACLs match packets based on the following criteria:
Source IP addresses.
Destination IP addresses.
Packet priorities.
Protocol numbers.
Other protocol header information, such as TCP/UDP source and destination port numbers, TCP flags, ICMP message types, and ICMP message codes.
Compared to IPv4 basic ACLs, IPv4 advanced ACLs allow more flexible and accurate filtering.
To configure an IPv4 advanced ACL:
1. Enter system view.
  Command: system-view
  Remarks: N/A
2. Create an IPv4 advanced ACL and enter its view.
  Command: acl advanced { acl-number | name acl-name } [ match-order { auto | config } ]
  Remarks: By default, no ACL exists. The value range for a numbered IPv4 advanced ACL is 3000 to 3999. Use the acl advanced acl-number command to enter the view of a numbered IPv4 advanced ACL. Use the acl advanced name acl-name command to enter the view of a named IPv4 advanced ACL.
3. (Optional.) Configure a description for the IPv4 advanced ACL.
  Command: description text
  Remarks: By default, an IPv4 advanced ACL does not have a description.
4. (Optional.) Set the rule numbering step.
  Command: step step-value
  Remarks: By default, the rule numbering step is 5 and the start rule ID is 0.
5. Create or edit a rule.
  Command: rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | destination { dest-address dest-wildcard | any } | destination-port operator port1 [ port2 ] | { dscp dscp | { precedence precedence | tos tos } * } | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | source { source-address source-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name ] *
  Remarks: By default, an IPv4 advanced ACL does not contain any rules.
6. (Optional.) Add or edit a rule comment.
  Command: rule rule-id comment text
  Remarks: By default, no rule comment is configured.

Configuring an IPv6 advanced ACL

IPv6 advanced ACLs match packets based on the following criteria:
Source IPv6 addresses.
Destination IPv6 addresses.
Packet priorities.
Protocol numbers.
Other protocol header fields such as the TCP/UDP source port number, TCP/UDP destination port number, ICMPv6 message type, and ICMPv6 message code.
Compared to IPv6 basic ACLs, IPv6 advanced ACLs allow more flexible and accurate filtering.
To configure an IPv6 advanced ACL:
Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Create an IPv6 advanced ACL and enter its view.
Command: acl ipv6 advanced { acl-number | name acl-name } [ match-order { auto | config } ]
Remarks: By default, no ACL exists. The value range for a numbered IPv6 advanced ACL is 3000 to 3999. Use the acl ipv6 advanced acl-number command to enter the view of a numbered IPv6 advanced ACL. Use the acl ipv6 advanced name acl-name command to enter the view of a named IPv6 advanced ACL.

Step 3. (Optional.) Configure a description for the IPv6 advanced ACL.
Command: description text
Remarks: By default, an IPv6 advanced ACL does not have a description.

Step 4. (Optional.) Set the rule numbering step.
Command: step step-value
Remarks: By default, the rule numbering step is 5 and the start rule ID is 0.

Step 5. Create or edit a rule.
Command: rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | destination { dest-address dest-prefix | dest-address/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | flow-label flow-label-value | fragment | hop-by-hop [ type hop-type ] | icmp6-type { icmp6-type icmp6-code | icmp6-message } | routing [ type routing-type ] | source { source-address source-prefix | source-address/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name ] *
Remarks: By default, an IPv6 advanced ACL does not contain any rules.

Step 6. (Optional.) Add or edit a rule comment.
Command: rule rule-id comment text
Remarks: By default, no rule comment is configured.
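The IPv6 procedure above as a named ACL, added here as an example that is not from the H3C guide; it uses the routing, established, address/prefix and icmp6-type options from the rule syntax. Lines starting with # are comments; the prefix 2001:db8:1::/48 and the ACL name are constructed values.

```text
system-view
# Named IPv6 advanced ACL; match-order config evaluates rules in ID order.
acl ipv6 advanced name v6-edge-in match-order config
 description Ingress-filter-for-internal-prefix
# Packets carrying a Type 0 routing header (deprecated source routing) are dropped first.
 rule 0 deny ipv6 routing type 0
 rule 0 comment Drop-Type-0-routing-header
# Return traffic of sessions opened from inside (ACK or RST set).
 rule 5 permit tcp destination 2001:db8:1::/48 established
# New HTTPS sessions only to the public web server, written in address/prefix form.
 rule 10 permit tcp destination 2001:db8:1::10/128 destination-port eq 443
# ICMPv6 that IPv6 cannot work without: Packet Too Big (type 2) and neighbor discovery (types 135 and 136).
 rule 15 permit icmpv6 icmp6-type 2 0
 rule 20 permit icmpv6 icmp6-type 135 0
 rule 25 permit icmpv6 icmp6-type 136 0
# Explicit deny for everything else destined to the internal prefix.
 rule 30 deny ipv6 destination 2001:db8:1::/48
 quit
display acl ipv6 name v6-edge-in
```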
Configuring a Layer 2 ACL

Layer 2 ACLs, also called "Ethernet frame header ACLs," match packets based on Layer 2 Ethernet header fields, such as:
Source MAC address.
Destination MAC address.
802.1p priority (VLAN priority).
Link layer protocol type.
To configure a Layer 2 ACL:
Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Create a Layer 2 ACL and enter its view.
Command: acl mac { acl-number | name acl-name } [ match-order { auto | config } ]
Remarks: By default, no ACL exists. The value range for a numbered Layer 2 ACL is 4000 to 4999. Use the acl mac acl-number command to enter the view of a numbered Layer 2 ACL. Use the acl mac name acl-name command to enter the view of a named Layer 2 ACL.

Step 3. (Optional.) Configure a description for the Layer 2 ACL.
Command: description text
Remarks: By default, a Layer 2 ACL does not have a description.

Step 4. (Optional.) Set the rule numbering step.
Command: step step-value
Remarks: By default, the rule numbering step is 5 and the start rule ID is 0.

Step 5. Create or edit a rule.
Command: rule [ rule-id ] { deny | permit } [ cos vlan-pri | dest-mac dest-address dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac source-address source-mask | time-range time-range-name ] *
Remarks: By default, a Layer 2 ACL does not contain any rules.

Step 6. (Optional.) Add or edit a rule comment.
Command: rule rule-id comment text
Remarks: By default, no rule comment is configured.
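The Layer 2 procedure above as a numbered ACL that admits only 802.1X and the frames of one known NIC, added here as an example that is not from the H3C guide. Lines starting with # are comments; the MAC address 000f-e2ab-cd12 is a constructed value, and the type values are the hexadecimal EtherTypes written without a 0x prefix.

```text
system-view
# Numbered Layer 2 ACL (4000 to 4999).
acl mac 4000
 description Known-NIC-only
# EAPOL (EtherType 888e) must always pass so 802.1X authentication can run.
 rule 0 permit type 888e ffff
 rule 0 comment Always-allow-802.1X-EAPOL
# The known NIC may send IPv4 (0800), ARP (0806) and IPv6 (86dd); the mask ffff-ffff-ffff requires an exact MAC match.
 rule 5 permit source-mac 000f-e2ab-cd12 ffff-ffff-ffff type 0800 ffff
 rule 10 permit source-mac 000f-e2ab-cd12 ffff-ffff-ffff type 0806 ffff
 rule 15 permit source-mac 000f-e2ab-cd12 ffff-ffff-ffff type 86dd ffff
# Any other frame, including frames from other source MACs, is dropped.
 rule 20 deny
 rule 20 comment Deny-all-other-frames
 quit
display acl 4000
```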

Configuring a WLAN client ACL

WLAN client ACLs match packets based on the SSID that the WLAN clients use to access the WLAN. You can use WLAN client ACLs to perform access control on WLAN clients.
To configure a WLAN client ACL:
Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Create a WLAN client ACL and enter its view.
Command: acl wlan client { acl-number | name acl-name }
Remarks: By default, no ACL exists. The value range for a numbered WLAN client ACL is 100 to 199. Use the acl wlan client acl-number command to enter the view of a numbered WLAN client ACL. Use the acl wlan client name acl-name command to enter the view of a named WLAN client ACL.

Step 3. (Optional.) Configure a description for the WLAN client ACL.
Command: description text
Remarks: By default, a WLAN client ACL does not have a description.

Step 4. (Optional.) Set the rule numbering step.
Command: step step-value
Remarks: By default, the rule numbering step is 5 and the start rule ID is 0.

Step 5. Configure or edit a rule.
Command: rule [ rule-id ] { deny | permit } [ ssid ssid-name ]
Remarks: By default, a WLAN client ACL does not contain any rules.

Step 6. (Optional.) Add or edit a rule comment.
Command: rule rule-id comment text
Remarks: By default, no rule comment is configured.

Configuring a WLAN AP ACL

WLAN AP ACLs match packets from WLAN APs based on the MAC address or serial ID.
To configure a WLAN AP ACL:
Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Create a WLAN AP ACL and enter its view.
Command: acl wlan ap { acl-number | name acl-name }
Remarks: By default, no ACL exists. The value range for a numbered WLAN AP ACL is 200 to 299. Use the acl wlan ap acl-number command to enter the view of a numbered WLAN AP ACL. Use the acl wlan ap name acl-name command to enter the view of a named WLAN AP ACL.

Step 3. (Optional.) Configure a description for the WLAN AP ACL.
Command: description text
Remarks: By default, a WLAN AP ACL does not have a description.

Step 4. (Optional.) Set the rule numbering step.
Command: step step-value
Remarks: By default, the rule numbering step is 5 and the start rule ID is 0.

Step 5. Configure or edit a rule.
Command: rule [ rule-id ] { deny | permit } [ mac mac-address mac-mask | serial-id serial-id ]
Remarks: By default, a WLAN AP ACL does not contain any rules.

Step 6. (Optional.) Add or edit a rule comment.
Command: rule rule-id comment text
Remarks: By default, no rule comment is configured.
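The WLAN client and WLAN AP procedures above, added here as one example that is not from the H3C guide: the client ACL selects by SSID and the AP ACL by AP MAC address or serial ID. Lines starting with # are comments; the SSIDs, the MAC prefix 000f-e2aa and the serial ID SERIAL-ID-PLACEHOLDER are constructed values.

```text
system-view
# WLAN client ACL (numbered range 100 to 199) keyed by the SSID the client associates with.
acl wlan client 100
 description Corp-SSID-only
 rule 0 permit ssid corp-wifi
 rule 5 deny ssid guest-wifi
 rule 5 comment Guest-SSID-clients-are-excluded
 quit
# WLAN AP ACL (named) keyed by AP identity; the MAC mask ffff-ffff-0000 matches the whole 000f-e2aa prefix.
acl wlan ap name trusted-aps
 description Known-APs-only
 rule 0 permit mac 000f-e2aa-0000 ffff-ffff-0000
 rule 5 permit serial-id SERIAL-ID-PLACEHOLDER
# APs matching neither entry are denied.
 rule 10 deny
 rule 10 comment Deny-unknown-APs
 quit
display acl 100
display acl name trusted-aps
```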

Copying an ACL

You can create an ACL by copying an existing ACL (source ACL). The new ACL (destination ACL) has the same properties and content as the source ACL, but uses a different number or name than the source ACL.
To successfully copy an ACL, make sure:
The destination ACL number is of the same type as the source ACL number.
The source ACL already exists, but the destination ACL does not.
To copy an ACL:
1. Enter system view.
Command: system-view