H3C WX Series, WX5002 Configuration Manual

H3C WX Series Access Controllers
ACL and QoS Configuration Guide
Abstract
This document describes ACL and QoS configurations. You can use ACL or other match criteria to classify traffic in your network, and implement flow control based on traffic classes. With ACL and QoS, you can well allocate the limited network resources, and improve network usage. The intended audience includes network planners, field technical support and servicing engineers, and network administrators working with the WX series.
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Copyright © 2009-2010, Hangzhou H3C Technologies Co., Ltd. and its licensors
No part of this manual may be reproduced or transmitted in any form or by any means
without prior written consent of Hangzhou H3C Technologies Co., Ltd.
The information in this document is subject to change without notice. Every effort has
been made in the preparation of this document to ensure accuracy of the contents.
However, the statements, information, and recommendations in this document do not
constitute a warranty of any kind, express or implied. Hangzhou H3C Technologies Co.,
Ltd. and its licensors shall not be liable for technical or editorial errors or omissions
contained herein.
Acknowledgments
H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their
respective owners.
Contents
1 ACL configuration (p. 8)
  ACL classification (p. 8)
  ACL numbering and naming (p. 8)
  Match order (p. 9)
  ACL rule numbering (p. 11)
    ACL rule numbering step (p. 11)
    Automatic rule numbering and re-numbering (p. 11)
  Implementing time-based ACL rules (p. 11)
  IPv4 fragments filtering with ACLs (p. 12)
  ACL configuration task list (p. 12)
    IPv4 ACL configuration task list (p. 12)
    IPv6 ACL configuration task list (p. 12)
  Configuring an ACL (p. 13)
    Creating a time range (p. 13)
    Configuring a WLAN ACL (p. 13)
    Configuring a basic ACL (p. 14)
    Configuring an advanced ACL (p. 16)
    Configuring an Ethernet frame header ACL (p. 18)
    Copying an ACL (p. 19)
  Displaying and maintaining ACLs (p. 20)
  ACL configuration examples (p. 21)
    IPv4 ACL configuration example (p. 21)
    IPv6 ACL configuration example (p. 22)
2 QoS overview (p. 24)
  QoS service models (p. 24)
    Best-effort service model (p. 24)
    IntServ model (p. 25)
    DiffServ model (p. 25)
  QoS techniques (p. 25)
    Applying QoS techniques in a network (p. 26)
    QoS processing flow in an AC (p. 27)
3 QoS configuration approaches (p. 28)
  Non-policy approach (p. 28)
  Policy approach (p. 28)
  Configuring a QoS policy (p. 28)
    Defining a class (p. 29)
    Defining a traffic behavior (p. 30)
    Defining a policy (p. 31)
    Applying the QoS policy (p. 32)
    Displaying and maintaining QoS policies (p. 34)
4 Priority mapping configuration (p. 35)
  Priority mapping overview (p. 35)
  Priority mapping tables (p. 35)
  Priority mapping configuration tasks (p. 37)
  Configuring priority mapping (p. 38)
    Configuring a priority mapping table (p. 38)
    Configuring a port to trust packet priority for priority mapping (p. 39)
    Configuring the port priority of a port (p. 39)
  Displaying and maintaining priority mapping (p. 40)
  Priority mapping configuration examples (on WX Series access controllers) (p. 41)
    Trusted priority type configuration example (p. 42)
    Port priority configuration example (p. 43)
5 Traffic policing and line rate configuration (p. 45)
  Traffic evaluation and token bucket (p. 45)
    Token bucket features (p. 45)
    Evaluating traffic with the token bucket (p. 45)
    Complicated evaluation (p. 46)
  Traffic policing (p. 46)
  Line rate (p. 47)
  Configuration task list (p. 48)
  Configuring traffic policing (p. 48)
    Configuring traffic policing in policy-based approach (p. 49)
    Configuring traffic policing in non policy-based approach (p. 49)
  Configuring line rate (p. 50)
  Displaying and maintaining line rate (p. 51)
6 Congestion management configuration (p. 52)
  Causes, impacts, and countermeasures of congestion (p. 52)
  Congestion management policies (p. 53)
    FIFO (p. 53)
    Priority queuing (p. 54)
    Custom queuing (p. 55)
  Congestion management technology comparison (p. 55)
  Configuring PQ (p. 56)
    PQ configuration procedure (p. 57)
    PQ configuration example on WX5002 (p. 58)
    PQ configuration example (on any H3C WX access controllers but WX5002) (p. 60)
  Configuring CQ (p. 60)
    Configuration procedure (p. 61)
    CQ configuration example on WX5002 (p. 62)
    CQ configuration example (on any H3C WX access controllers but WX5002) (p. 62)
7 Support and other resources (p. 64)
  Related documentation (p. 64)
  Contact us (p. 64)
  Documentation feedback (p. 64)
  Technical support (p. 64)
  Typographical conventions and symbols (p. 65)
    Command conventions (p. 65)
    Document conventions (p. 65)
    Symbols (p. 66)
Index (p. 67)
NOTE:
The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to your region.
Support of the H3C WX series access controllers (ACs) for features may vary by AC model. For more information, see "Feature Matrix" in About the WX Configuration Guides.
The interface types and the number of interfaces vary by AC model.
1 ACL configuration
An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as the source IP address, destination IP address, and port number.
ACLs are essentially used for packet filtering. A packet filter drops packets that match a deny rule and permits packets that match a permit rule. ACLs are also widely used by many modules, for example, QoS and IP routing, for traffic identification.
NOTE:
Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document.
ACL classification
ACLs fall into four categories, as shown in Table 1.
Table 1 ACL categories
Category | ACL number | IP version | Match criteria
WLAN ACLs | 100 to 199 | IPv4 | Wireless client SSID
Basic ACLs | 2000 to 2999 | IPv4 | Source IPv4 address
Basic ACLs | 2000 to 2999 | IPv6 | Source IPv6 address
Advanced ACLs | 3000 to 3999 | IPv4 | Source/destination IPv4 address, protocols over IPv4, and other Layer 3 and Layer 4 header fields
Advanced ACLs | 3000 to 3999 | IPv6 | Source/destination IPv6 address, protocols over IPv6, and other Layer 3 and Layer 4 header fields
Ethernet frame header ACLs | 4000 to 4999 | IPv4 | Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type
ACL numbering and naming
Each ACL category has a unique range of ACL numbers. When creating an ACL, you must assign it a number for identification, and in addition, you can also assign the ACL a name for ease of identification. After creating an ACL with a name, you can neither rename it nor delete its name.
You cannot assign a name to a WLAN ACL.
For a WLAN ACL, the ACL number and name must be globally unique. For an IPv4 basic or advanced ACL, its ACL number and name must be unique among all IPv4 ACLs, and for an IPv6 basic or advanced ACL, among all IPv6 ACLs. You can assign an IPv4 ACL the same number and name as an IPv6 ACL.
Match order
The rules in an ACL are sorted in a certain order. When a packet matches a rule, the device stops the match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting rules, the matching result and action to take depend on the rule order.
Two ACL match orders are available:
config: Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a rule with a higher ID. If you use this approach, check rule content and order carefully.
auto: Sorts ACL rules in depth-first order. Depth-first ordering ensures that any subset of a rule is always matched before the rule. The depth-first ordering procedure varies with ACL categories, as shown in Table 2.
NOTE:
The rule order of WLAN ACLs can only be config.
Table 2 Sorting ACL rules in depth-first order
ACL category: IPv4 basic ACL
Depth-first rule sorting procedure:
1. The rule configured with a VPN instance takes precedence.
2. The rule with more 0s in the source IP address wildcard mask takes precedence. More 0s means a narrower IP address range.
3. The rule with a smaller rule ID takes precedence.
ACL category: IPv4 advanced ACL
Depth-first rule sorting procedure:
1. The rule configured with a VPN instance takes precedence.
2. The rule configured with a specific protocol takes precedence over a rule with the protocol type set to IP. IP represents any protocol over IP.
3. The rule with more 0s in the source IP address wildcard mask takes precedence. More 0s means a narrower IP address range.
4. The rule with more 0s in the destination IP address wildcard mask takes precedence.
5. The rule with a narrower TCP/UDP service port number range takes precedence.
6. The rule with a smaller ID takes precedence.
ACL category: IPv6 basic ACL
Depth-first rule sorting procedure:
1. The rule configured with a longer prefix for the source IP address takes precedence. A longer prefix means a narrower IP address range.
2. The rule with a smaller ID takes precedence.
ACL category: IPv6 advanced ACL
Depth-first rule sorting procedure:
1. The rule configured with a specific protocol takes precedence over a rule with the protocol type set to IP. IP represents any protocol over IPv6.
2. The rule configured with a longer prefix for the source IPv6 address takes precedence.
3. The rule configured with a longer prefix for the destination IPv6 address takes precedence.
4. The rule with a narrower TCP/UDP service port number range takes precedence.
5. The rule with a smaller ID takes precedence.
ACL category: Ethernet frame header ACL
Depth-first rule sorting procedure:
1. The rule with more 1s in the source MAC address mask takes precedence. More 1s means a narrower MAC address range.
2. The rule with more 1s in the destination MAC address mask takes precedence.
3. The rule with a smaller ID takes precedence.
NOTE:
Currently, the AC does not support ACL rules with the VPN instance attribute.
A wildcard mask, also called an inverse mask, is a 32-bit binary number represented in dotted decimal notation. In contrast to a network mask, the 0 bits in a wildcard mask represent 'do care' bits, while the 1 bits represent 'don't care' bits. If the 'do care' bits in an IP address are identical to the 'do care' bits in an IP address criterion, the IP address matches the criterion. All 'don't care' bits are ignored. The 0s and 1s in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a valid wildcard mask.
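The following simulator is an added example, not H3C code: it implements wildcard-mask matching (noncontiguous masks included) and the depth-first ordering of Table 2 for IPv4 advanced ACLs, then shows how the same two rules give different results under the config and auto match orders. The VPN instance step is omitted because the AC does not support it; the rule and packet fields, and the sample rules, are constructed for this example.

```python
# Added example (not H3C code): a small simulator for IPv4 advanced ACL rule
# matching with wildcard masks and the two match orders described above.
# Step 1 of the Table 2 procedure (VPN instance) is left out because the AC
# does not support it; the other IPv4 advanced ACL steps are implemented.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # address criterion matching everything


def wildcard_match(addr: str, criterion: str, wildcard: str) -> bool:
    """0 bits in the wildcard are 'do care', 1 bits are 'don't care'.
    The bits may be noncontiguous, e.g. wildcard 0.255.0.255."""
    a = int(ipaddress.IPv4Address(addr))
    c = int(ipaddress.IPv4Address(criterion))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (c & care)


def zero_bits(wildcard: str) -> int:
    """Number of 'do care' bits; more zeros means a narrower address range."""
    return 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")


@dataclass
class Rule:
    rule_id: int
    action: str                       # "permit" or "deny"
    protocol: str = "ip"              # "ip" means any protocol over IP
    source: Tuple[str, str] = ANY     # (address, wildcard)
    destination: Tuple[str, str] = ANY
    dest_port: Optional[Tuple[int, int]] = None   # inclusive range, None = any


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    dport: int


def port_width(rng: Optional[Tuple[int, int]]) -> int:
    return 65536 if rng is None else rng[1] - rng[0] + 1


def depth_first_key(rule: Rule):
    """Sort key for match-order auto (Table 2, IPv4 advanced ACL, steps 2-6).
    A smaller key is matched first."""
    return (
        0 if rule.protocol != "ip" else 1,     # specific protocol before ip
        -zero_bits(rule.source[1]),            # more 0s in source wildcard
        -zero_bits(rule.destination[1]),       # more 0s in destination wildcard
        port_width(rule.dest_port),            # narrower port range
        rule.rule_id,                          # smaller rule ID
    )


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    if not wildcard_match(pkt.src, *rule.source):
        return False
    if not wildcard_match(pkt.dst, *rule.destination):
        return False
    if rule.dest_port is not None:
        lo, hi = rule.dest_port
        if not lo <= pkt.dport <= hi:
            return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, match_order: str = "auto"):
    """Return (action, rule_id) of the first matching rule in the chosen
    order, or None when no rule matches (the module using the ACL decides
    what happens to unmatched packets)."""
    if match_order == "auto":
        ordered = sorted(rules, key=depth_first_key)
    else:                                      # "config": ascending rule ID
        ordered = sorted(rules, key=lambda r: r.rule_id)
    for rule in ordered:
        if rule_matches(rule, pkt):
            return rule.action, rule.rule_id
    return None


# Constructed sample ACL: a broad permit entered first, and a narrower deny
# for TCP port 80 to one host entered afterwards with a higher rule ID.
SAMPLE_RULES = [
    Rule(0, "permit", "ip", source=("10.1.0.0", "0.0.255.255")),
    Rule(5, "deny", "tcp", destination=("192.168.1.2", "0.0.0.0"),
         dest_port=(80, 80)),
]
SAMPLE_PACKET = Packet("10.1.2.3", "192.168.1.2", "tcp", 80)

if __name__ == "__main__":
    # config order hits the broad permit first; auto order puts the
    # protocol-specific, narrower deny rule in front.
    print("config:", evaluate(SAMPLE_RULES, SAMPLE_PACKET, "config"))
    print("auto:  ", evaluate(SAMPLE_RULES, SAMPLE_PACKET, "auto"))
```

The same packet is permitted by rule 0 in config order and denied by rule 5 in auto order, which is why the text asks you to check rule content and order carefully when using config.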
ACL rule numbering
ACL rule numbering step
If you do not assign an ID for the rule you are creating, the system automatically assigns
it a rule ID. The rule numbering step sets the increment by which the system
automatically numbers rules. For example, the default ACL rule numbering step is 5. If
you do not assign IDs to rules you are creating, they are numbered 0, 5, 10, 15, and so on.
The wider the numbering step, the more rules you can insert between two rules.
By introducing a gap between rules rather than contiguously numbering rules, you have
the flexibility of inserting rules in an ACL. This feature is important for a config order ACL,
where ACL rules are matched in ascending order of rule ID.
Automatic rule numbering and re-numbering
The ID automatically assigned to an ACL rule takes the nearest higher multiple of the
numbering step to the current highest rule ID, starting with 0.
For example, if the numbering step is 5 (the default), and there are five ACL rules
numbered 0, 5, 9, 10, and 12, the newly defined rule is numbered 15. If the ACL does not
contain any rule, the first rule is numbered 0.
Whenever the step changes, the rules are renumbered, starting from 0. For example, if
there are five rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes
the rules to be renumbered 0, 2, 4, 6 and 8.
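The following is an added example, not H3C code: a small model of the rule numbering behaviour described above (automatic ID assignment from the highest existing ID, explicit IDs inserted into the gaps, and renumbering from 0 when the step changes). The class and walkthrough are constructed for this example.

```python
# Added example (not H3C code): how automatic rule IDs are assigned and how
# rules are renumbered when the numbering step changes, as described above.
from typing import Dict, List, Optional


class AclRuleNumbering:
    """Keeps rule IDs for one ACL and reproduces the numbering behaviour."""

    def __init__(self, step: int = 5) -> None:
        self.step = step
        self.rules: Dict[int, str] = {}     # rule ID -> rule text

    def next_auto_id(self) -> int:
        """Nearest multiple of the step above the current highest ID,
        starting with 0 for an empty ACL."""
        if not self.rules:
            return 0
        highest = max(self.rules)
        return (highest // self.step + 1) * self.step

    def add_rule(self, text: str, rule_id: Optional[int] = None) -> int:
        """Create a rule; an explicit ID lets you insert between existing
        rules (or edit an existing rule with the same ID)."""
        if rule_id is None:
            rule_id = self.next_auto_id()
        self.rules[rule_id] = text
        return rule_id

    def set_step(self, step: int) -> List[int]:
        """Changing the step renumbers all rules from 0 in their current
        config order; returns the new ID list."""
        self.step = step
        ordered = [self.rules[i] for i in sorted(self.rules)]
        self.rules = {n * step: text for n, text in enumerate(ordered)}
        return sorted(self.rules)

    def config_order(self) -> List[int]:
        """Rule IDs in the order a config-order ACL matches them."""
        return sorted(self.rules)


def numbering_walkthrough() -> dict:
    """Constructed walkthrough reproducing the two examples in the text."""
    acl = AclRuleNumbering(step=5)
    for rid in (0, 5, 9, 10, 12):          # 9 and 12 were assigned by hand
        acl.add_rule(f"rule {rid}", rid)
    auto_id = acl.add_rule("new rule")     # next automatic ID
    acl2 = AclRuleNumbering(step=5)
    for rid in (5, 10, 13, 15, 20):
        acl2.add_rule(f"rule {rid}", rid)
    renumbered = acl2.set_step(2)          # renumbered from 0 with step 2
    return {"auto_id": auto_id, "renumbered": renumbered,
            "empty_first_id": AclRuleNumbering().next_auto_id()}
```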
Implementing time-based ACL rules
You can implement ACL rules based on the time of day by applying a time range to
them. A time-based ACL rule takes effect only in any time periods specified by the time
range.
Two basic types of time range are available:
Periodic time range, which recurs periodically on a day or days of the week.
Absolute time range, which represents only a period of time and does not recur.
You may apply a time range to ACL rules before or after you create it. However, the rules using the time range can take effect only after you define the time range.
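The following is an added example, not H3C code: it evaluates whether a named time range is active at a given moment, combining periodic and absolute entries as the "Creating a time range" section of this chapter describes (periodic entries ORed, absolute entries ORed, the two groups ANDed) and enforcing the per-name limits of 32 periodic and 12 absolute entries. Assumptions: the end time of a periodic entry is exclusive, and the day keywords other than working-day are constructed for this example.

```python
# Added example (not H3C code): evaluating a named time range. Periodic
# entries are ORed, absolute entries are ORed, and the two groups are ANDed,
# as described under "Creating a time range". Assumed here: a periodic end
# time is exclusive; "off-day" and "daily" keywords are constructed.
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional

DAY_KEYWORDS = {
    "working-day": frozenset(range(0, 5)),     # Monday..Friday
    "off-day": frozenset({5, 6}),              # Saturday, Sunday (assumed)
    "daily": frozenset(range(7)),              # (assumed)
}
MAX_PERIODIC, MAX_ABSOLUTE = 32, 12            # limits stated in the text


@dataclass(frozen=True)
class Periodic:
    start: time
    end: time
    days: FrozenSet[int]          # datetime.weekday() values

    def active(self, at: datetime) -> bool:
        return at.weekday() in self.days and self.start <= at.time() < self.end


@dataclass(frozen=True)
class Absolute:
    start: Optional[datetime]     # None = no "from" bound
    end: Optional[datetime]       # None = no "to" bound

    def active(self, at: datetime) -> bool:
        after_start = self.start is None or at >= self.start
        before_end = self.end is None or at <= self.end
        return after_start and before_end


class TimeRange:
    def __init__(self, name: str) -> None:
        self.name = name
        self.periodic: List[Periodic] = []
        self.absolute: List[Absolute] = []

    def add_periodic(self, start: time, end: time, days: str) -> None:
        if len(self.periodic) >= MAX_PERIODIC:
            raise ValueError(f"{self.name}: at most {MAX_PERIODIC} periodic ranges")
        self.periodic.append(Periodic(start, end, DAY_KEYWORDS[days]))

    def add_absolute(self, start: Optional[datetime],
                     end: Optional[datetime]) -> None:
        if len(self.absolute) >= MAX_ABSOLUTE:
            raise ValueError(f"{self.name}: at most {MAX_ABSOLUTE} absolute ranges")
        self.absolute.append(Absolute(start, end))

    def active(self, at: datetime) -> bool:
        """A group with no entries imposes no constraint; a time range with
        no entries at all is not yet defined and is never active."""
        if not self.periodic and not self.absolute:
            return False
        periodic_ok = not self.periodic or any(p.active(at) for p in self.periodic)
        absolute_ok = not self.absolute or any(a.active(at) for a in self.absolute)
        return periodic_ok and absolute_ok


def office_hours_example() -> TimeRange:
    """Constructed sample matching the configuration example in this
    chapter: time-range trname 8:00 to 18:00 working-day."""
    tr = TimeRange("trname")
    tr.add_periodic(time(8, 0), time(18, 0), "working-day")
    return tr
```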
IPv4 fragments filtering with ACLs
Traditional packet filtering matched only the first fragments of IPv4 packets, and allowed all subsequent non-first fragments to pass through. This mechanism resulted in security risks, because attackers may fabricate non-first fragments to attack networks.
To avoid these risks, the H3C ACL implementation:
Filters all fragments by default, including non-first fragments.
Provides standard and exact match modes for matching ACLs that contain advanced attributes such as TCP/UDP port number and ICMP type. Standard match is the default mode. It considers only Layer 3 attributes. Exact match considers all header attributes defined in IPv4 ACL rules.
ACL configuration task list
IPv4 ACL configuration task list
Complete the following tasks to configure an IPv4 ACL:
Creating a time range (Optional)
The following four tasks are required (configure at least one task):
Configuring a WLAN ACL
Configuring an IPv4 basic ACL
Configuring an IPv4 advanced ACL
Configuring an Ethernet frame header ACL
Copying an IPv4 ACL (Optional)
IPv6 ACL configuration task list
Complete the following tasks to configure an IPv6 ACL:
Creating a time range (Optional)
The following two tasks are required (configure at least one task):
Configuring an IPv6 basic ACL
Configuring an IPv6 advanced ACL
Copying an IPv6 ACL (Optional)
Configuring an ACL
Creating a time range
Follow these steps to create a time range:
1. Enter system view.
   Command: system-view
2. Create a time range.
   Command: time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }
   Required. By default, no time range exists.
You may create time ranges identified with the same name. They are regarded as one time range whose active period is the result of ORing periodic ones, ORing absolute ones, and ANDing periodic and absolute ones.
You may create a maximum of 256 uniquely named time ranges, each with 32 periodic time ranges at most and 12 absolute time ranges at most.
Configuring a WLAN ACL
WLAN ACLs match packets based on SSIDs of wireless clients.
Follow these steps to configure a WLAN ACL:
1. Enter system view.
   Command: system-view
2. Create a WLAN ACL and enter its view.
   Command: acl number acl-number
   Required. By default, no ACL exists. WLAN ACLs are numbered in the range 100 to 199.
3. Configure a description for the WLAN ACL.
   Command: description text
   Optional. By default, a WLAN ACL has no ACL description.
4. Set the rule numbering step.
   Command: step step-value
   Optional. 5 by default.
5. Create or edit a rule.
   Command: rule [ rule-id ] { permit | deny } [ ssid ssid-name ]
   Required. By default, a WLAN ACL does not contain any rule. To create or edit multiple rules, repeat this step.
6. Configure or edit a rule description.
   Command: rule rule-id comment text
   Optional. By default, a WLAN ACL rule has no description.
Configuring a basic ACL
Configuring an IPv4 basic ACL
IPv4 basic ACLs match packets based only on the source IP address.
Follow these steps to configure an IPv4 basic ACL:
1. Enter system view.
   Command: system-view
2. Create an IPv4 basic ACL and enter its view.
   Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
   Required. By default, no ACL exists. IPv4 basic ACLs are numbered in the range 2000 to 2999. You can use the acl name acl-name command to enter the view of an existing named IPv4 ACL.
3. Configure a description for the IPv4 basic ACL.
   Command: description text
   Optional. By default, an IPv4 basic ACL has no ACL description.
4. Set the rule numbering step.
   Command: step step-value
   Optional. 5 by default.
5. Create or edit a rule.
   Command: rule [ rule-id ] { deny | permit } [ fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-range-name ] *
   Required. By default, an IPv4 basic ACL does not contain any rule. To create or edit multiple rules, repeat this step. The logging keyword takes effect only when the module that uses the ACL supports logging.
6. Configure or edit a rule description.
   Command: rule rule-id comment text
   Optional. By default, an IPv4 ACL rule has no rule description.
Configuring an IPv6 basic ACL
Follow these steps to configure an IPv6 basic ACL:
1. Enter system view.
   Command: system-view
2. Create an IPv6 basic ACL and enter its view.
   Command: acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
   Required. By default, no ACL exists. IPv6 basic ACLs are numbered in the range 2000 to 2999. You can use the acl ipv6 name acl6-name command to enter the view of an existing named IPv6 ACL.
3. Configure a description for the IPv6 basic ACL.
   Command: description text
   Optional. By default, an IPv6 basic ACL has no ACL description.
4. Set the rule numbering step.
   Command: step step-value
   Optional. 5 by default.
5. Create or edit a rule.
   Command: rule [ rule-id ] { deny | permit } [ fragment | logging | source { ipv6-address prefix-length | ipv6-address/prefix-length | any } | time-range time-range-name ] *
   Required. By default, an IPv6 basic ACL does not contain any rule. To create or edit multiple rules, repeat this step. The logging keyword takes effect only when the module using the ACL supports logging.
6. Configure or edit a rule description.
   Command: rule rule-id comment text
   Optional. By default, an IPv6 basic ACL rule has no rule description.
Configuring an advanced ACL
Configuring an IPv4 advanced ACL
IPv4 advanced ACLs match packets based on source and destination IP addresses, protocols over IP, and other protocol header information, such as TCP/UDP source and destination port numbers, TCP flags, ICMP message types, and ICMP message codes.
IPv4 advanced ACLs also allow you to filter packets based on three priority criteria: type of service (ToS), IP precedence, and differentiated services codepoint (DSCP) priority.
Compared with IPv4 basic ACLs, IPv4 advanced ACLs allow more flexible and accurate filtering.
Follow these steps to configure an IPv4 advanced ACL:
1. Enter system view.
   Command: system-view
2. Create an IPv4 advanced ACL and enter its view.
   Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
   Required. By default, no ACL exists. IPv4 advanced ACLs are numbered in the range 3000 to 3999. You can use the acl name acl-name command to enter the view of an existing named IPv4 ACL.
3. Configure a description for the IPv4 advanced ACL.
   Command: description text
   Optional. By default, an IPv4 advanced ACL has no ACL description.
4. Set the rule numbering step.
   Command: step step-value
   Optional. 5 by default.
5. Create or edit a rule.
   Command: rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type icmp-code | icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos ] *
   Required. By default, an IPv4 advanced ACL does not contain any rule. To create or edit multiple rules, repeat this step. The logging keyword takes effect only when the module using the ACL supports logging.
6. Configure or edit a rule description.
   Command: rule rule-id comment text
   Optional. By default, an IPv4 advanced ACL rule has no rule description.
Configuring an IPv6 advanced ACL
IPv6 advanced ACLs match packets based on the source IPv6 address, destination IPv6 address, protocol carried over IPv6, and other protocol header fields such as the TCP/UDP source port number, TCP/UDP destination port number, ICMP message type, and ICMP message code.
Compared with IPv6 basic ACLs, they allow more flexible and accurate filtering.
Follow these steps to configure an IPv6 advanced ACL:
1. Enter system view.
   Command: system-view
2. Create an IPv6 advanced ACL and enter its view.
   Command: acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
   Required. By default, no ACL exists. IPv6 advanced ACLs are numbered in the range 3000 to 3999. You can use the acl ipv6 name acl6-name command to enter the view of an existing named IPv6 ACL.
3. Configure a description for the IPv6 advanced ACL.
   Command: description text
   Optional. By default, an IPv6 advanced ACL has no ACL description.
4. Set the rule numbering step.
   Command: step step-value
   Optional. 5 by default.
5. Create or edit a rule.
   Command: rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | destination { dest dest-prefix | dest/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | logging | source { source source-prefix | source/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name ] *
   Required. By default, an IPv6 advanced ACL does not contain any rule. To create or edit multiple rules, repeat this step. The logging keyword takes effect only when the module using the ACL supports logging.
6. Configure or edit a rule description.
   Command: rule rule-id comment text
   Optional. By default, an IPv6 advanced ACL rule has no rule description.
Configuring an Ethernet frame header ACL
Ethernet frame header ACLs, also called Layer 2 ACLs, match packets based on Layer 2 protocol header fields such as source MAC address, destination MAC address, 802.1p priority (VLAN priority), and link layer protocol type.
Follow these steps to configure an Ethernet frame header ACL:
1. Enter system view.
   Command: system-view
2. Create an Ethernet frame header ACL and enter its view.
   Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
   Required. By default, no ACL exists. Ethernet frame header ACLs are numbered in the range 4000 to 4999. You can use the acl name acl-name command to enter the view of an existing named Ethernet frame header ACL.
3. Configure a description for the Ethernet frame header ACL.
   Command: description text
   Optional. By default, an Ethernet frame header ACL has no ACL description.
4. Set the rule numbering step.
   Command: step step-value
   Optional. 5 by default.
5. Create or edit a rule.
   Command: rule [ rule-id ] { deny | permit } [ cos vlan-pri | dest-mac dest-addr dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac sour-addr source-mask | time-range time-range-name ] *
   Required. By default, an Ethernet frame header ACL does not contain any rule. To create or edit multiple rules, repeat this step.
6. Configure or edit a rule description.
   Command: rule rule-id comment text
   Optional. By default, an Ethernet frame header ACL rule has no rule description.
Copying an ACL
You can create an ACL by copying an existing ACL. The new ACL has the same properties and content as the source ACL except the ACL number and name.
To copy an IPv4 or IPv6 ACL successfully, ensure that:
The destination ACL number is from the same category as the source ACL number.
The source IPv4 or IPv6 ACL already exists but the destination IPv4 or IPv6 ACL does not.
Copying an IPv4 ACL
Follow these steps to copy an IPv4 ACL:
1. Enter system view.
   Command: system-view
2. Copy an existing IPv4 ACL to create a new IPv4 ACL.
   Command: acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }
   Required. The name keyword is not available for WLAN ACLs.
Copying an IPv6 ACL
Follow these steps to copy an IPv6 ACL:
1. Enter system view.
   Command: system-view
2. Copy an existing IPv6 ACL to generate a new one of the same category.
   Command: acl ipv6 copy { source-acl6-number | name source-acl6-name } to { dest-acl6-number | name dest-acl6-name }
   Required.
Displaying and maintaining ACLs
Display configuration and match statistics for one or all IPv4 ACLs:
   display acl { acl-number | all | name acl-name } (available in any view)
Display configuration and match statistics for one or all IPv6 ACLs:
   display acl ipv6 { acl6-number | all | name acl6-name } (available in any view)
Display the configuration and status of one or all time ranges:
   display time-range { time-range-name | all } (available in any view)
Clear statistics on one or all IPv4 ACLs:
   reset acl counter { acl-number | all | name acl-name } (available in user view)
Clear statistics on one or all IPv6 basic and advanced ACLs:
   reset acl ipv6 counter { acl6-number | all | name acl6-name } (available in user view)
ACL configuration examples
IPv4 ACL configuration example
Network requirements
As shown in Figure 1, a company interconnects its wireless users and servers through the access controller (AC). The salary server uses IP address 192.168.1.2. The wireless users in the research and development (R&D) department are connected to the wireless interface WLAN-ESS 1 of the AC.
Configure an ACL to deny access from the wireless users in the R&D department to the salary server during office hours (from 8:00 to 18:00) on working days.
Figure 1 Network diagram for ACL configuration
(Diagram elements: AC with port GE 1/0/1, server 192.168.1.2, IP network, AP 1 and AP 2, Client A and Client B.)
Configuration procedure
1. Create a time range for office hours:
Create a periodic time range from 8:00 to 18:00 on working days:
<AC> system-view
[AC] time-range trname 8:00 to 18:00 working-day
2. Define an ACL to control access to the salary server:
a. Create an advanced IPv4 ACL numbered 3000 and enter its view:
[AC] acl number 3000