Configuring ACLs. ACL overview. ACL categories. ACL numbering and naming


Contents

Configuring ACLs
  ACL overview
    ACL categories
    ACL numbering and naming
    Match order
    ACL rule numbering
    Implementing time-based ACL rules
    IPv4 fragments filtering with ACLs
    Flow templates
    ACL application
  ACL configuration task list
  Configuring an ACL
    Configuring a time range
    Configuring a basic ACL
    Configuring an advanced ACL
    Configuring an Ethernet frame header ACL
    Configuring a user-defined ACL
    Copying an ACL
    Configuring a flow template
    Configuring an ACL rule length limit mode
  Displaying and maintaining ACLs
  ACL configuration examples
    IPv4 ACL configuration example
    IPv6 ACL configuration example
    Flow template configuration example
    ACL rule length limit mode configuration example

Configuring ACLs

NOTE: Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document. In this documentation, SPC cards refer to the cards prefixed with SPC, for example, SPC-GT48L. SPE cards refer to the cards prefixed with SPE, for example, SPE-1020-E-II.

ACL overview

An access control list (ACL) is a set of rules (permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number.

ACLs are primarily used for packet filtering. A packet filter drops packets that match a deny rule and permits packets that match a permit rule. ACLs are also used by many other modules, for example, QoS and IP routing, for traffic identification.

ACL categories

Basic ACLs
  ACL number: 2000 to 2999
  IPv4 match criteria: source IPv4 address
  IPv6 match criteria: source IPv6 address
Advanced ACLs
  ACL number: 3000 to 3999
  IPv4 match criteria: source IPv4 address, destination IPv4 address, protocols over IPv4, and other Layer 3 and Layer 4 header fields
  IPv6 match criteria: source IPv6 address, destination IPv6 address, protocols over IPv6, and other Layer 3 and Layer 4 header fields
Ethernet frame header ACLs
  ACL number: 4000 to 4999
  IP version: IPv4 and IPv6
  Match criteria: Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type
User-defined ACLs
  ACL number: 5000 to 5999
  IP version: IPv4 and IPv6
  Match criteria: user-specified matching patterns in protocol (for example, IP and MPLS) headers

ACL numbering and naming

Each ACL category has a unique range of ACL numbers. When creating an ACL, you must assign it a number for identification. In addition, you can assign the ACL a name for ease of identification. After creating an ACL with a name, you cannot rename it or delete its name.

For an Ethernet frame header ACL or a user-defined ACL, the ACL number and name must be globally unique. For an IPv4 basic or advanced ACL, the ACL number and name must be unique among all IPv4 ACLs, and for an IPv6 basic or advanced ACL, among all IPv6 ACLs. You can assign an IPv4 ACL the same number and name as an IPv6 ACL.

Match order

The rules in an ACL are sorted in a certain order. When a packet matches a rule, the device stops the match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting rules, the matching result and the action taken depend on the rule order.

The following ACL match orders are available:
- config: Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a rule with a higher ID. If you use this approach, check the rule content and order carefully, because a broad rule with a low ID shadows every narrower rule that follows it.
- auto: Sorts ACL rules in depth-first order. Depth-first ordering guarantees that any subset of a rule is always matched before the rule. Table 1 lists the sequence of tie breakers that depth-first ordering uses to sort rules for each type of ACL.

NOTE: The match order of user-defined ACLs can only be config.

Table 1 Sort ACL rules in depth-first order

IPv4 basic ACL:
  1. VPN instance
  2. More 0s in the source IP address wildcard (more 0s means a narrower IP address range)
  3. Smaller rule ID
IPv4 advanced ACL:
  1. VPN instance
  2. Specific protocol type rather than IP (IP represents any protocol over IP)
  3. More 0s in the source IP address wildcard mask
  4. More 0s in the destination IP address wildcard mask
  5. Narrower TCP/UDP service port number range
  6. Smaller rule ID
IPv6 basic ACL:
  1. VPN instance
  2. Longer prefix for the source IPv6 address (a longer prefix means a narrower IP address range)
  3. Smaller rule ID
IPv6 advanced ACL:
  1. VPN instance
  2. Specific protocol type rather than IP (IP represents any protocol over IPv6)
  3. Longer prefix for the source IPv6 address
  4. Longer prefix for the destination IPv6 address
  5. Narrower TCP/UDP service port number range
  6. Smaller rule ID
Ethernet frame header ACL:
  1. More 1s in the source MAC address mask (more 1s means a narrower MAC address range)
  2. More 1s in the destination MAC address mask
  3. Smaller rule ID
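The following Python model, added here and not taken from the guide, shows why the match order matters when rules overlap. It implements the wildcard-mask semantics described in this chapter (0 bits must match, 1 bits are ignored, bits may be noncontiguous), the config order (ascending rule ID) and the depth-first tie breakers for an IPv4 basic ACL from Table 1 (more 0s in the source wildcard first, then smaller rule ID). The VPN-instance tie breaker is left out, and the rules and addresses are constructed sample data; BasicRule, wildcard_match, order_rules and evaluate are names chosen for this example.

```python
"""Added example, not code from the H3C guide: how the match order decides the
outcome when IPv4 basic ACL rules overlap. The rules below are constructed
sample data, and the VPN-instance tie breaker is omitted."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class BasicRule:
    rule_id: int
    action: str      # "permit" or "deny"
    source: str      # source IPv4 address criterion, dotted decimal
    wildcard: str    # wildcard (inverse) mask, dotted decimal


def wildcard_match(addr: str, criterion: str, wildcard: str) -> bool:
    """True when every 'do care' bit (0 in the wildcard) of addr equals the criterion."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(criterion)) & care)


def zero_bits(wildcard: str) -> int:
    """Number of 0 bits in a wildcard mask; more 0s means a narrower address range."""
    return 32 - bin(int(IPv4Address(wildcard))).count("1")


def order_rules(rules, match_order="config"):
    """Return the rules in the order the device would try them."""
    if match_order == "config":
        return sorted(rules, key=lambda r: r.rule_id)
    if match_order == "auto":
        # Depth-first for an IPv4 basic ACL: narrower source range first,
        # smaller rule ID breaks ties.
        return sorted(rules, key=lambda r: (-zero_bits(r.wildcard), r.rule_id))
    raise ValueError(f"unknown match order: {match_order}")


def evaluate(rules, src_addr, match_order="config"):
    """First-match evaluation: (action, rule_id) of the first matching rule,
    or (None, None) when no rule matches."""
    for rule in order_rules(rules, match_order):
        if wildcard_match(src_addr, rule.source, rule.wildcard):
            return rule.action, rule.rule_id
    return None, None


# Constructed sample: a broad permit with a lower ID overlaps a narrower deny
# with a higher ID. In config order the permit shadows the deny; in auto order
# the narrower deny is tried first.
SAMPLE_RULES = [
    BasicRule(0, "permit", "10.1.0.0", "0.0.255.255"),
    BasicRule(5, "deny", "10.1.1.0", "0.0.0.255"),
]

if __name__ == "__main__":
    for order in ("config", "auto"):
        print(order, evaluate(SAMPLE_RULES, "10.1.1.7", order))
```

The same two rules give a permit in config order and a deny in auto order for the same packet, which is the check worth running on any ACL whose rules overlap before it is applied to a packet filter.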

NOTE: A wildcard mask, also called an inverse mask, is a 32-bit binary number represented in dotted decimal notation. In contrast to a network mask, the 0 bits in a wildcard mask represent "do care" bits, and the 1 bits represent "don't care" bits. If the "do care" bits in an IP address are identical to the "do care" bits in an IP address criterion, the IP address matches the criterion. All "don't care" bits are ignored. The 0s and 1s in a wildcard mask can be noncontiguous. For example, is a valid wildcard mask.

ACL rule numbering

What is the ACL rule numbering step

If you do not assign an ID to the rule you are creating, the system automatically assigns it a rule ID. The rule numbering step sets the increment by which the system automatically numbers rules. For example, the default ACL rule numbering step is 5. If you do not assign IDs to the rules you are creating, they are numbered 0, 5, 10, 15, and so on.

The wider the numbering step, the more rules you can insert between two rules. By introducing a gap between rules rather than numbering rules contiguously, you have the flexibility of inserting rules in an ACL. This is important for a config-order ACL, where ACL rules are matched in ascending order of rule ID.

Automatic rule numbering and renumbering

The ID automatically assigned to an ACL rule is the nearest multiple of the numbering step above the current highest rule ID, starting with 0. For example, if the numbering step is 5 (the default) and there are five ACL rules numbered 0, 5, 9, 10, and 12, the newly defined rule is numbered 15. If the ACL does not contain any rule, the first rule is numbered 0.

Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2, 4, 6, and 8.
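The numbering and renumbering rules above, reproduced as an added Python model that is not part of the guide. The step and the rule IDs are the guide's own worked values; the ConfigOrderAcl class and its method names are this example's construction. Renumbering returns the old-to-new ID mapping because, in a config-order ACL, anything that refers to a rule by ID (a rule comment, a counter you are watching) points at a different rule once the step changes.

```python
"""Added example, not code from the H3C guide: automatic rule numbering and
renumbering of a config-order ACL. Values in guide_examples() are the guide's."""


class ConfigOrderAcl:
    """Tracks the rule IDs of a config-order ACL (matched in ascending ID order)."""

    def __init__(self, step: int = 5):
        if step <= 0:
            raise ValueError("step must be positive")
        self.step = step
        self.rules = {}          # rule_id -> rule text

    def next_rule_id(self) -> int:
        """Nearest multiple of the step above the current highest ID; 0 if empty."""
        if not self.rules:
            return 0
        return (max(self.rules) // self.step + 1) * self.step

    def add_rule(self, text: str, rule_id=None) -> int:
        """Add a rule. Without an ID the system-style ID is used; an explicit ID
        edits an existing rule or inserts one into a gap between rules."""
        if rule_id is None:
            rule_id = self.next_rule_id()
        self.rules[rule_id] = text
        return rule_id

    def set_step(self, step: int) -> dict:
        """Change the step: all rules are renumbered from 0 in ascending order.
        Returns the old-ID -> new-ID mapping so references can be updated."""
        if step <= 0:
            raise ValueError("step must be positive")
        mapping = {old: i * step for i, old in enumerate(sorted(self.rules))}
        self.rules = {mapping[old]: text for old, text in self.rules.items()}
        self.step = step
        return mapping

    def free_ids_between(self, lower: int, upper: int) -> list:
        """IDs still available for inserting a rule between two existing rules."""
        return [i for i in range(lower + 1, upper) if i not in self.rules]


def guide_examples():
    """The two worked cases from the text: auto-ID 15 after 0,5,9,10,12 with
    step 5, and 5,10,13,15,20 renumbered to 0,2,4,6,8 when the step becomes 2."""
    acl = ConfigOrderAcl(step=5)
    for rid in (0, 5, 9, 10, 12):
        acl.add_rule(f"rule {rid}", rule_id=rid)
    auto_id = acl.add_rule("new rule")

    acl2 = ConfigOrderAcl(step=5)
    for rid in (5, 10, 13, 15, 20):
        acl2.add_rule(f"rule {rid}", rule_id=rid)
    mapping = acl2.set_step(2)
    return auto_id, mapping


if __name__ == "__main__":
    print(guide_examples())
```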
Implementing time-based ACL rules

You can implement ACL rules based on the time of day by applying a time range to them. A time-based ACL rule takes effect only during the time periods specified by the time range. The following basic types of time range are available:
- Periodic time range: recurs periodically on a day or days of the week.
- Absolute time range: represents only a period of time and does not recur.

You may apply a time range to ACL rules before or after you create it. However, the rules using the time range can take effect only after you define the time range.

IPv4 fragments filtering with ACLs

Traditional packet filtering matches only first fragments of IPv4 packets and allows all subsequent non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks. To avoid these risks, the H3C ACL implementation:
- Filters all fragments by default, including non-first fragments.
- Provides ACL-based firewalls with standard and exact match modes for matching ACLs that contain advanced attributes such as TCP/UDP port number and ICMP type. Standard match is the default mode; it considers only Layer 3 attributes. Exact match considers all header attributes defined in IPv4 ACL rules. For more information, see Security Configuration Guide.

Flow templates

Flow templates are sets of criteria based on header fields such as source IP address, destination IP address, source TCP port, and destination TCP port. Flow templates apply only to hardware-based ACLs. You use a flow template to limit the match criteria that can be applied to an interface. ACL rules that contain any criterion beyond the flow template on an interface cannot be assigned to hardware.

There are default flow templates and user-defined templates; a user-defined template can be basic or extended. By default, an interface uses the default flow template.

ACL application

You can use ACLs in QoS, packet-filter firewall, routing, and other technologies for identifying traffic. For examples of ACL application, see ACL configuration examples.

1. The inbound packet-filter firewall, policy-based routing (PBR), and QoS policy on an interface process an incoming packet as shown in Figure 1.

Figure 1 Incoming packet processing procedure
  An incoming packet arrives
  -> Packet-filter firewall: does the packet match a deny rule? Yes: drop. No: continue.
  -> PBR: does the packet match an ACL rule? Yes: process the packet (PBR). No: continue.
  -> QoS policy

2. The outbound packet-filter firewall and QoS policy on an interface process an outgoing packet as shown in Figure 2.

Figure 2 Outgoing packet processing procedure
  An outgoing packet arrives
  -> Packet-filter firewall: is there a match? Deny rule: drop. Permit rule: forward. No match: continue.
  -> QoS policy

For information about packet-filter firewall configuration, see Security Configuration Guide. For information about policy-based routing, see Layer 3 IP Routing Configuration Guide. For information about QoS policy configuration, see the chapter "Configuring a QoS policy."

ACL configuration task list

Complete the following tasks to configure an ACL:

Task: Configuring a time range
  Optional. Applicable to IPv4 and IPv6 ACLs.
Task: Configuring a basic ACL, Configuring an advanced ACL, Configuring an Ethernet frame header ACL, or Configuring a user-defined ACL
  Required. Configure at least one of these tasks. Basic and advanced ACLs are applicable to IPv4 and IPv6 ACLs.
Task: Copying an ACL
  Optional. Applicable to IPv4 and IPv6 ACLs.
Task: Configuring a flow template
  Optional. Applicable to IPv4 and IPv6 ACLs.

Configuring an ACL

Configuring a time range

To configure a time range:

Step 1. Enter system view.
  Command: system-view

Step 2. Configure a time range.
  Command: time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }
  Remarks: By default, no time range exists. Repeat this command with the same time range name to create multiple statements for the time range.

The active period of a time range is calculated as follows:
1. Combining all periodic statements.
2. Combining all absolute statements.
3. Taking the intersection of the two statement sets as the active period of the time range.

You can create a maximum of 256 time ranges, each with a maximum of 32 periodic statements and 12 absolute statements.

Configuring a basic ACL

Configuring an IPv4 basic ACL

IPv4 basic ACLs match packets based only on source IP addresses.

To configure an IPv4 basic ACL:

Step 1. Enter system view.
  Command: system-view
Step 2. Create an IPv4 basic ACL and enter its view.
  Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
  Remarks: By default, no ACL exists. IPv4 basic ACLs are numbered in the range 2000 to 2999. You can use the acl name acl-name command to enter the view of a named IPv4 ACL.
Step 3. Configure a description for the IPv4 basic ACL.
  Command: description text
  Remarks: By default, an IPv4 basic ACL has no ACL description.
Step 4. Set the rule numbering step.
  Command: step step-value
  Remarks: The default setting is 5.
Step 5. Create or edit a rule.
  Command: rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
  Remarks: By default, an IPv4 basic ACL does not contain any rule. To create or edit multiple rules, repeat this step. The logging keyword takes effect only when the module (for example, a packet-filter firewall) that uses the ACL supports logging.
Step 6. Configure or edit a rule description.
  Command: rule rule-id comment text
  Remarks: By default, an IPv4 ACL rule has no rule description.

Step 7. Enable rule match counting for the IPv4 basic ACL.
  Command: hardware-count enable
  Remarks: By default, rule match counting is disabled.

Configuring an IPv6 basic ACL

To configure an IPv6 basic ACL:

Step 1. Enter system view.
  Command: system-view
Step 2. Create an IPv6 basic ACL and enter its view.
  Command: acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
  Remarks: By default, no ACL exists. IPv6 basic ACLs are numbered in the range 2000 to 2999. You can use the acl ipv6 name acl6-name command to enter the view of a named IPv6 ACL.
Step 3. Configure a description for the IPv6 basic ACL.
  Command: description text
  Remarks: By default, an IPv6 basic ACL has no ACL description.
Step 4. Set the rule numbering step.
  Command: step step-value
  Remarks: The default setting is 5.
Step 5. Create or edit a rule.
  Command: rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { ipv6-address prefix-length | ipv6-address/prefix-length | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
  Remarks: By default, an IPv6 basic ACL does not contain any rule. To create or edit multiple rules, repeat this step. The logging keyword takes effect only when the module (for example, a packet-filter firewall) using the ACL supports logging.
Step 6. Configure or edit a rule description.
  Command: rule rule-id comment text
  Remarks: By default, an IPv6 basic ACL rule has no rule description.
Step 7. Enable rule match counting for the IPv6 basic ACL.
  Command: hardware-count enable
  Remarks: By default, rule match counting is disabled.

NOTE: When configuring IPv6 basic ACLs for a QoS policy that is to be applied to an SPC card, you must set the ACL rule length limit to 80 bytes. For more information about the ACL rule length limit, see ACL and QoS Command Reference.
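The time-range semantics from the "Configuring a time range" step (periodic statements combined, absolute statements combined, active period equal to their intersection) and the earlier caveat that a rule referencing an undefined time range does not take effect, modelled together as an added Python example that is not part of the guide. The periodic statement mirrors the guide's own "8:00 to 18:00 working-day"; the absolute statement, the timestamps and the day keywords other than working-day are constructed or assumed for this example, as are the names TimeRange, Periodic, Absolute and rule_in_effect.

```python
"""Added example, not code from the H3C guide: evaluating whether a time range,
and a rule bound to it, is active at a given moment. Sample data is constructed;
day keywords other than working-day are assumed, not taken from the guide."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional

WEEKDAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}
DAY_KEYWORDS = {
    "working-day": {0, 1, 2, 3, 4},   # keyword used in the guide's own example
    "off-day": {5, 6},                # assumed keyword
    "daily": set(range(7)),           # assumed keyword
}


def parse_days(spec: str) -> set:
    """'working-day' -> Mon..Fri; 'mon tue' -> {0, 1}; and so on."""
    if spec in DAY_KEYWORDS:
        return set(DAY_KEYWORDS[spec])
    return {WEEKDAYS[d] for d in spec.split()}


@dataclass
class Periodic:
    start: time
    end: time
    days: set


@dataclass
class Absolute:
    start: Optional[datetime] = None   # None: no lower bound
    end: Optional[datetime] = None     # None: no upper bound


@dataclass
class TimeRange:
    name: str
    periodic: list = field(default_factory=list)
    absolute: list = field(default_factory=list)

    def is_active(self, ts: datetime) -> bool:
        # Union of the periodic statements, union of the absolute statements,
        # then the intersection of the two; a missing set places no restriction.
        periodic_ok = not self.periodic or any(
            ts.weekday() in p.days and p.start <= ts.time() <= p.end
            for p in self.periodic)
        absolute_ok = not self.absolute or any(
            (a.start is None or a.start <= ts) and (a.end is None or ts <= a.end)
            for a in self.absolute)
        return periodic_ok and absolute_ok


def rule_in_effect(time_range_name: Optional[str], ranges: dict, ts: datetime) -> bool:
    """A rule with no time range is always in effect. A rule bound to a time range
    takes effect only once that range is defined, and only while it is active."""
    if time_range_name is None:
        return True
    tr = ranges.get(time_range_name)
    return tr is not None and tr.is_active(ts)


# Constructed sample: the guide's 'time-range trname 8:00 to 18:00 working-day'
# plus an absolute statement confining it to the first ten days of January 2024.
TRNAME = TimeRange(
    "trname",
    periodic=[Periodic(time(8, 0), time(18, 0), parse_days("working-day"))],
    absolute=[Absolute(datetime(2024, 1, 1), datetime(2024, 1, 10, 23, 59))],
)
RANGES = {TRNAME.name: TRNAME}

if __name__ == "__main__":
    for ts in (datetime(2024, 1, 8, 9, 0), datetime(2024, 1, 13, 9, 0),
               datetime(2024, 1, 15, 9, 0)):
        print(ts, rule_in_effect("trname", RANGES, ts))
```

The last case in the usage loop is the one that surprises people: a Monday at 09:00 satisfies the periodic statement, but the absolute statement has expired, so the intersection is empty and the rule is silent. A rule whose time-range name is misspelled behaves the same way, permanently.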

Configuring an advanced ACL

Configuring an IPv4 advanced ACL

IPv4 advanced ACLs match packets based on source and destination IP addresses, protocols over IP, and other protocol header information, such as TCP/UDP source and destination port numbers, TCP flags, ICMP message types, and ICMP message codes. IPv4 advanced ACLs also allow you to filter packets based on these priority criteria: type of service (ToS), IP precedence, and differentiated services codepoint (DSCP) priority. Compared to IPv4 basic ACLs, IPv4 advanced ACLs allow more flexible and accurate filtering.

To configure an IPv4 advanced ACL:

Step 1. Enter system view.
  Command: system-view
Step 2. Create an IPv4 advanced ACL and enter its view.
  Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
  Remarks: By default, no ACL exists. IPv4 advanced ACLs are numbered in the range 3000 to 3999. You can use the acl name acl-name command to enter the view of a named IPv4 ACL.
Step 3. Configure a description for the IPv4 advanced ACL.
  Command: description text
  Remarks: By default, an IPv4 advanced ACL has no ACL description.
Step 4. Set the rule numbering step.
  Command: step step-value
  Remarks: The default setting is 5.
Step 5. Create or edit a rule.
  Command: rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos | vpn-instance vpn-instance-name ] *
  Remarks: By default, an IPv4 advanced ACL does not contain any rule. To create or edit multiple rules, repeat this step. The logging keyword takes effect only when the module (for example, a packet-filter firewall) using the ACL supports logging.
Step 6. Configure or edit a rule description.
  Command: rule rule-id comment text
  Remarks: By default, an IPv4 advanced ACL rule has no rule description.

Step 7. Enable rule match counting for the IPv4 advanced ACL.
  Command: hardware-count enable
  Remarks: By default, rule match counting is disabled.

Configuring an IPv6 advanced ACL

IPv6 advanced ACLs match packets based on the source IPv6 address, destination IPv6 address, protocol carried over IPv6, and other protocol header fields such as the TCP/UDP source port number, TCP/UDP destination port number, ICMP message type, and ICMP message code. Compared to IPv6 basic ACLs, IPv6 advanced ACLs allow more flexible and accurate filtering.

To configure an IPv6 advanced ACL:

Step 1. Enter system view.
  Command: system-view
Step 2. Create an IPv6 advanced ACL and enter its view.
  Command: acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
  Remarks: By default, no ACL exists. IPv6 advanced ACLs are numbered in the range 3000 to 3999. You can use the acl ipv6 name acl6-name command to enter the view of a named IPv6 ACL.
Step 3. Configure a description for the IPv6 advanced ACL.
  Command: description text
  Remarks: By default, an IPv6 advanced ACL has no ACL description.
Step 4. Set the rule numbering step.
  Command: step step-value
  Remarks: The default setting is 5.
Step 5. Create or edit a rule.
  Command: rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest dest-prefix | dest/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | flow-label flow-label-value | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | logging | source { source source-prefix | source/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name | vpn-instance vpn-instance-name ] *
  Remarks: By default, an IPv6 advanced ACL does not contain any rule. To create or edit multiple rules, repeat this step. The logging keyword takes effect only when the module (for example, a packet-filter firewall) using the ACL supports logging.
Step 6. Configure or edit a rule description.
  Command: rule rule-id comment text
  Remarks: By default, an IPv6 advanced ACL rule has no rule description.
Step 7. Enable rule match counting for the IPv6 advanced ACL.
  Command: hardware-count enable
  Remarks: By default, rule match counting is disabled.

NOTE: When configuring IPv6 advanced ACLs for a QoS policy that is to be applied to an SPC card, you must set the ACL rule length limit to 80 bytes. For more information about the ACL rule length limit, see ACL and QoS Command Reference.

Configuring an Ethernet frame header ACL

Ethernet frame header ACLs, also called "Layer 2 ACLs," match packets based on Layer 2 protocol header fields such as source MAC address, destination MAC address, 802.1p priority (VLAN priority), and link layer protocol type.

To configure an Ethernet frame header ACL:

Step 1. Enter system view.
  Command: system-view
Step 2. Create an Ethernet frame header ACL and enter its view.
  Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
  Remarks: By default, no ACL exists. Ethernet frame header ACLs are numbered in the range 4000 to 4999. You can use the acl name acl-name command to enter the view of a named Ethernet frame header ACL.
Step 3. Configure a description for the Ethernet frame header ACL.
  Command: description text
  Remarks: By default, an Ethernet frame header ACL has no ACL description.
Step 4. Set the rule numbering step.
  Command: step step-value
  Remarks: The default setting is 5.
Step 5. Create or edit a rule.
  Command: rule [ rule-id ] { deny | permit } [ cos vlan-pri | counting | dest-mac dest-addr dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac sour-addr source-mask | time-range time-range-name ] *
  Remarks: By default, an Ethernet frame header ACL does not contain any rule. To create or edit multiple rules, repeat this step.
Step 6. Configure or edit a rule description.
  Command: rule rule-id comment text
  Remarks: By default, an Ethernet frame header ACL rule has no rule description.
Step 7. Enable rule match counting for the Ethernet frame header ACL.
  Command: hardware-count enable
  Remarks: By default, rule match counting is disabled.

Configuring a user-defined ACL

NOTE: This feature is available only on SPC cards.

User-defined ACLs allow you to customize rules based on information in protocol headers such as the IP header. You can define a user-defined ACL to deny or permit packets in which a specific number of bytes after the specified offset (relative to the specified header) matches the specified match pattern after being ANDed with a match pattern mask.

To configure a user-defined ACL:

Step 1. Enter system view.
  Command: system-view
Step 2. Set the ACL rule length limit mode.
  Command: acl mode { 3 | 4 }
  Remarks: The default setting is 2.
Step 3. Create a user-defined ACL and enter its view.
  Command: acl number acl-number [ name acl-name ]
  Remarks: By default, no ACL exists, and the match order of a user-defined ACL is config. User-defined ACLs are numbered in the range 5000 to 5999. You can use the acl name acl-name command to enter the view of a named user-defined ACL.
Step 4. Configure a description for the user-defined ACL.
  Command: description text
  Remarks: By default, a user-defined ACL has no ACL description.
Step 5. Create or edit a rule.
  Command: rule [ rule-id ] { deny | permit } [ { { ipv4 | ipv6 | l2 | l4 } rule-string rule-mask offset }&<1-8> ] [ counting | time-range time-range-name ] *
  Remarks: By default, a user-defined ACL does not contain any rule. To create or edit multiple rules, repeat this step.
Step 6. Configure or edit a rule description.
  Command: rule rule-id comment text
  Remarks: By default, a user-defined ACL rule has no rule description.
Step 7. Enable rule match counting for the user-defined ACL.
  Command: hardware-count enable
  Remarks: By default, rule match counting is disabled.

Copying an ACL

You can create an ACL by copying an existing ACL. The new ACL has the same properties and content as the source ACL, but not the same ACL number and name. To successfully copy an ACL, make sure that:
- The destination ACL number is from the same category as the source ACL number.
- The source ACL already exists but the destination ACL does not.

Copying an IPv4 ACL

To copy an IPv4 ACL:

Step 1. Enter system view.
  Command: system-view
Step 2. Copy an existing IPv4 ACL to create a new IPv4 ACL.
  Command: acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }

Copying an IPv6 ACL

To copy an IPv6 ACL:

Step 1. Enter system view.
  Command: system-view
Step 2. Copy an existing IPv6 ACL to generate a new one of the same category.
  Command: acl ipv6 copy { source-acl6-number | name source-acl6-name } to { dest-acl6-number | name dest-acl6-name }

Configuring a flow template

NOTE: This feature is available only on SPE cards.

To create a flow template and apply it to an interface:

Step 1. Enter system view.
  Command: system-view
Step 2. Create a flow template.
  Command: flow-template flow-template-name basic { customer-vlan-id | dip | dmac | dport | dscp | ethernet-protocol | fragments | icmp-code | icmp-type | ip-precedence | ip-protocol | mpls-exp | service-cos | sip | smac | sport | tcp-flag | tos } *
Step 3. Enter interface view or port group view.
  Command (interface view): interface interface-type interface-number
  Command (port group view): port-group manual port-group-name
Step 4. Apply the flow template to the interface or port group.
  Command: flow-template flow-template-name
  Remarks: The default flow template applies by default.

NOTE: The user-defined flow template you are applying to an interface must already exist. You can apply only one user-defined flow template on an interface.

The default flow template defines five fields: the source IP address, destination IP address, source port number, destination port number, and protocol type. When the length limit for the match criteria in an ACL rule is 18 bytes for an SPE card, the available parameters of the default flow template are sip, dip, ip-protocol, sport, and dport. When the length limit for the match criteria in an ACL rule is 36 bytes for an SPE card, the available parameters of the default flow template are sip, dip, ip-protocol, sport, dport, icmp-code, icmp-type, tos, dscp, ip-precedence, mpls-exp, tcp-flag, and fragment.

Configuring an ACL rule length limit mode

The ACL rule length limit mode defines the length of the fields available for an ACL flow template. When a large number of ACL rules are required on the router, you may need to change this mode.

To configure an ACL rule length limit mode:

Step 1. Enter system view.
  Command: system-view
Step 2. Set the ACL rule length limit mode.
  Command: acl mode { 3 | 4 }
  Remarks: The default setting is 2.

NOTE:
- The limit mode setting is saved automatically, but it takes effect only after you restart the router.
- The limit mode setting does not take effect on an SPE card with an ATM subcard.
- The limit mode setting does not take effect for IPv6 ACLs on an SPE card.
- When configuring IPv6 ACLs for a QoS policy that is to be applied to an SPC card, you must set the ACL rule length limit to 80 bytes. For more information about the ACL rule length limit, see ACL and QoS Command Reference.

Displaying and maintaining ACLs

Task: Display configuration and match statistics for one or all IPv4 ACLs.
  Command: display acl { acl-number | all | name acl-name } [ | { begin | exclude | include } regular-expression ]
  Available in any view.
Task: Display configuration and match statistics for one or all IPv6 ACLs.
  Command: display acl ipv6 { acl6-number | all | name acl6-name } [ | { begin | exclude | include } regular-expression ]
  Available in any view.
Task: Display the ACL rule length limit mode.
  Command: display acl mode [ | { begin | exclude | include } regular-expression ]
  Available in any view.

Task: Display the usage of ACL rules.
  Command: display acl resource [ | { begin | exclude | include } regular-expression ]
  Available in any view.
Task: Display information about flow templates applied to interfaces.
  Command: display flow-template interface [ interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
  Available in any view.
Task: Display the configuration of one or all user-defined flow templates.
  Command: display flow-template user-defined [ flow-template-name ] [ | { begin | exclude | include } regular-expression ]
  Available in any view.
Task: Display the configuration and status of one or all time ranges.
  Command: display time-range { time-range-name | all } [ | { begin | exclude | include } regular-expression ]
  Available in any view.
Task: Clear statistics for one or all IPv4 ACLs.
  Command: reset acl counter { acl-number | all | name acl-name }
  Available in user view.
Task: Clear statistics for one or all IPv6 basic and advanced ACLs.
  Command: reset acl ipv6 counter { acl6-number | all | name acl6-name }
  Available in user view.

ACL configuration examples

IPv4 ACL configuration example

Network requirements

A company interconnects its departments through Device A. Configure an ACL to:
- Permit access from the President's office to the salary server at any time.
- Deny access from any other department to the salary server from 8:00 to 18:00.

Figure 3 Network diagram

Configuration procedure

1. Create a time range for office hours:

# Create a periodic time range spanning 8:00 to 18:00 on working days.
<Device> system-view
[Device] time-range trname 8:00 to 18:00 working-day

2. Configure ACLs to control access to the salary server:
# Create and enter the view of advanced IPv4 ACL 3000.
[Device] acl number 3000
# Create a rule to control access of the President's Office to the salary server.
[Device-acl-adv-3000] rule 1 permit ip source destination
[Device-acl-adv-3000] quit
# Create and enter the view of advanced IPv4 ACL 3100.
[Device] acl number 3100
# Create a rule to control access of other departments to the salary server.
[Device-acl-adv-3100] rule 2 permit ip source any destination time-range trname
[Device-acl-adv-3100] quit

3. Apply the ACLs:
# Configure traffic classification.
[Device] traffic classifier c1
[Device-classifier-c1] if-match acl 3000
[Device-classifier-c1] quit
[Device] traffic classifier c2
[Device-classifier-c2] if-match acl 3100
[Device-classifier-c2] quit

4. Configure traffic behaviors:
# Configure traffic behavior.
[Device] traffic behavior b1
[Device-behavior-b1] filter permit
[Device-behavior-b1] quit
[Device] traffic behavior b2
[Device-behavior-b2] filter deny
[Device-behavior-b2] quit

5. Associate classification rules and actions:
# Configure a QoS policy.
[Device] qos policy p1
[Device-qospolicy-p1] classifier c1 behavior b1
[Device-qospolicy-p1] classifier c2 behavior b2
[Device-qospolicy-p1] quit

6. Apply the QoS policy:
# Apply the QoS policy to the outbound direction of interface GigabitEthernet 2/1/1.
[Device] interface GigabitEthernet 2/1/1
[Device-GigabitEthernet2/1/1] qos apply policy p1 outbound

IPv6 ACL configuration example

Network requirements

Perform packet filtering in the inbound direction of interface GigabitEthernet 2/1/1 to deny all IPv6 packets but those with source addresses in the range 4050::9000 to 4050::90FF.

Configuration procedure

1. Create ACLs:
# Create IPv6 basic ACL 2000.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] rule permit source 4050::9000/120
[Sysname-acl6-basic-2000] quit
# Create IPv6 basic ACL 2100.
[Sysname] acl ipv6 number 2100
[Sysname-acl6-basic-2100] rule permit source any
[Sysname-acl6-basic-2100] quit

2. Apply the ACLs:
# Configure traffic classification.
[Sysname] traffic classifier c1
[Sysname-classifier-c1] if-match acl ipv6 2000
[Sysname-classifier-c1] quit
[Sysname] traffic classifier c2
[Sysname-classifier-c2] if-match acl ipv6 2100
[Sysname-classifier-c2] quit

3. Configure traffic behaviors:
# Configure traffic behavior.
[Sysname] traffic behavior b1
[Sysname-behavior-b1] filter permit
[Sysname-behavior-b1] quit
[Sysname] traffic behavior b2
[Sysname-behavior-b2] filter deny
[Sysname-behavior-b2] quit

4. Associate traffic classification rules and actions:
# Configure a QoS policy.
[Sysname] qos policy p1
[Sysname-qospolicy-p1] classifier c1 behavior b1
[Sysname-qospolicy-p1] classifier c2 behavior b2
[Sysname-qospolicy-p1] quit

5. Apply the QoS policy:
# Apply the QoS policy to the outbound direction of interface GigabitEthernet 2/1/1.
[Sysname] interface GigabitEthernet 2/1/1
[Sysname-GigabitEthernet2/1/1] qos apply policy p1 outbound

Flow template configuration example

Network requirements

Create flow templates and apply them to interfaces.

Configuration procedure

# Create basic user-defined flow template aaa.
<Sysname> system-view
[Sysname] flow-template aaa basic smac customer-vlan-id
# Reference user-defined flow template aaa on interface GigabitEthernet 2/1/1.
[Sysname] interface Gigabitethernet 2/1/1
[Sysname-GigabitEthernet2/1/1] flow-template aaa
# Display information about user-defined flow template aaa.
[Sysname] display flow-template user-defined aaa
user-defined flow template: basic
name:aaa, index:1, total reference counts:1
fields: smac customer-vlan-id
# Display information about all user-defined flow templates.
[Sysname] display flow-template user-defined
user-defined flow template: basic
name:aaa, index:1, total reference counts:1
fields: smac customer-vlan-id
user-defined flow template: basic
name:1, index:2, total reference counts:0
fields: service-cos
user-defined flow template: basic
name:2, index:3, total reference counts:0
fields: ip-protocol dscp
# Display information about the user-defined flow templates applied to interfaces.
[Sysname] display flow-template interface
Interface: GigabitEthernet2/1/1
user-defined flow template: basic
name:aaa, index:1, total reference counts:1
fields: smac customer-vlan-id
# Delete user-defined flow template aaa. Because it is being referenced by interface GigabitEthernet 2/1/1, remove it from the interface first.
[Sysname] interface Gigabitethernet 2/1/1
[Sysname-GigabitEthernet2/1/1] undo flow-template
[Sysname-GigabitEthernet2/1/1] quit
[Sysname] undo flow-template name aaa

ACL rule length limit mode configuration example

Network requirements

Configure the ACL rule length limit for an SPE card to 18 bytes and that for an SPC card to 80 bytes.

Configuration procedure

# Set the ACL rule length limit mode to 3.
<Sysname> system-view
[Sysname] acl mode 3
ACL has been set to mode 3, and will take effect after the next system reboot.
# Display the ACL rule length limit mode.
[Sysname] display acl mode
Current ACL mode : mode 2 (SPE ACL key long, SPC ACL key short)
Acl mode after system restart : mode 3 (SPE ACL key short, SPC ACL key long)
Notice: Changing ACL mode will take effect only after system restart.
# Restart the router.
[Sysname] return
<Sysname> reboot
