H3C S5500-SI Series Operation Manual
Hide thumbs
Also See for S5500-SI Series:
- Operation manual (1217 pages) ,
- Configuration manual (130 pages) ,
- Installation manual (86 pages)
Table of Contents
Advertisement
Quick Links
Operation Manual - ACL
H3C S5500-SI Series Ethernet Switches
Chapter 1 ACL Overview .............................................................................................................. 1-1
1.1 ACL Overview .................................................................................................................... 1-1
1.2 Time-Based ACL................................................................................................................ 1-1
1.3 IPv4 ACL............................................................................................................................ 1-1
1.3.1 IPv4 ACL Classification........................................................................................... 1-2
1.3.2 IPv4 ACL Match Order ............................................................................................ 1-2
1.3.3 IP Fragments Filtering with IPv4 ACL ..................................................................... 1-3
1.3.4 IPv4 ACL Creation .................................................................................................. 1-3
1.4 IPv6 ACL............................................................................................................................ 1-4
1.4.1 IPv6 ACL Classification........................................................................................... 1-4
1.4.2 IPv6 ACL Match Order ............................................................................................ 1-4
1.4.3 IPv6 ACL Creation .................................................................................................. 1-4
Chapter 2 IPv4 ACL Configuration .............................................................................................. 2-1
2.1 Creating a Time Range...................................................................................................... 2-1
2.1.1 Configuration Procedure ......................................................................................... 2-1
2.1.2 Configuration Example............................................................................................ 2-2
2.2 Configuring a Basic IPv4 ACL ........................................................................................... 2-3
2.2.1 Configuration Prerequisites..................................................................................... 2-3
2.2.2 Configuration Procedure ......................................................................................... 2-3
2.2.3 Configuration Example............................................................................................ 2-4
2.3 Configuring an Advanced IPv4 ACL .................................................................................. 2-4
2.3.1 Configuration Prerequisites..................................................................................... 2-5
2.3.2 Configuration Procedure ......................................................................................... 2-5
2.3.3 Configuration Example............................................................................................ 2-6
2.4 Configuring an Ethernet Frame Header ACL .................................................................... 2-6
2.4.1 Configuration Prerequisites..................................................................................... 2-6
2.4.2 Configuration Procedure ......................................................................................... 2-6
2.4.3 Configuration Example............................................................................................ 2-7
2.5 Displaying and Maintaining IPv4 ACLs.............................................................................. 2-8
2.6 IPv4 ACL Configuration Example ...................................................................................... 2-8
2.6.1 Network Requirements............................................................................................ 2-8
2.6.2 Network Diagram..................................................................................................... 2-8
2.6.3 Configuration Procedure ......................................................................................... 2-9
Chapter 3 IPv6 ACL Configuration .............................................................................................. 3-1
3.1 Configuring a Time Range................................................................................................. 3-1
3.2 Configuring a Basic IPv6 ACL ........................................................................................... 3-1
3.2.1 Configuration Prerequisites..................................................................................... 3-1
Table of Contents
i
Table of Contents
Advertisement
Table of Contents
Related Manuals for H3C S5500-SI Series
Summary of Contents for H3C S5500-SI Series
-
Page 1: Table Of Contents
Operation Manual – ACL H3C S5500-SI Series Ethernet Switches Table of Contents Table of Contents Chapter 1 ACL Overview ......................1-1 1.1 ACL Overview ........................1-1 1.2 Time-Based ACL........................ 1-1 1.3 IPv4 ACL..........................1-1 1.3.1 IPv4 ACL Classification................... 1-2 1.3.2 IPv4 ACL Match Order .................... 1-2 1.3.3 IP Fragments Filtering with IPv4 ACL .............. - Page 2 Operation Manual – ACL H3C S5500-SI Series Ethernet Switches Table of Contents 3.2.2 Configuration Procedure ..................3-1 3.2.3 Configuration Example.................... 3-2 3.3 Configuring an Advanced IPv6 ACL .................. 3-3 3.3.1 Configuration Prerequisites..................3-3 3.3.2 Configuration Procedure ..................3-3 3.3.3 Configuration Example.................... 3-4 3.4 Displaying and Maintaining IPv6 ACLs................
-
Page 3: Chapter 1 Acl Overview
Operation Manual – ACL H3C S5500-SI Series Ethernet Switches Chapter 1 ACL Overview Chapter 1 ACL Overview 1.1 ACL Overview An access control list (ACL) is used primarily to identify traffic flows. In order to filter data packets, a series of match rules must be configured on the network device to identify the packets to be filtered. -
Page 4: Ipv4 Acl Classification
Operation Manual – ACL H3C S5500-SI Series Ethernet Switches Chapter 1 ACL Overview 1.3.1 IPv4 ACL Classification IPv4 ACLs, identified by ACL numbers, fall into the following four categories: Basic IPv4 ACL, based on source IP address. Basic ACLs are numbered 2000 through 2999. -
Page 5: Ip Fragments Filtering With Ipv4 Acl
Operation Manual – ACL H3C S5500-SI Series Ethernet Switches Chapter 1 ACL Overview If the numbers of zeros in the destination IP address wildcards are the same, compare packets against the rule configured first prior to the other. For example, the rule with the source IP address wildcard 0.0.0.255 is compared prior to the rule with the source IP address wildcard 0.0.255.255. -
Page 6: Ipv6 Acl
Operation Manual – ACL H3C S5500-SI Series Ethernet Switches Chapter 1 ACL Overview 1.4 IPv6 ACL This section covers these topics: IPv6 ACL Classification IPv6 ACL Match Order 1.4.1 IPv6 ACL Classification IPv6 ACLs, identified by ACL numbers, fall into the following three categories: Basic IPv6 ACL, based on source IPv6 address. - Page 7 Operation Manual – ACL H3C S5500-SI Series Ethernet Switches Chapter 1 ACL Overview After an IPv6 ACL is created, the IPv6 ACL view is displayed.
-
Page 8: Chapter 2 Ipv4 Acl Configuration
Compound time range, which recurs on the day or days of the week within a period. Caution: On the S5500-SI Series Ethernet Switches, the start time of an absolute time range cannot be earlier than 1970/1/1 00:00 and the end time of an absolute time range cannot be later than 2100/12/31 24:00. -
Page 9: Configuration Example
Operation Manual – ACL H3C S5500-SI Series Ethernet Switches Chapter 2 IPv4 ACL Configuration Periodic time range created using the time-range time-name start-time to end-time days command. A time range thus created recurs periodically on the day or days of the week. -
Page 10: Configuring A Basic Ipv4 Acl
Operation Manual – ACL H3C S5500-SI Series Ethernet Switches Chapter 2 IPv4 ACL Configuration from 15:00 1/28/2000 to 15:00 1/28/2004 2.2 Configuring a Basic IPv4 ACL Basic IPv4 ACLs filter packets based on source IP address. They are numbered in the range 2000 to 2999. -
Page 11: Configuration Example
Operation Manual – ACL H3C S5500-SI Series Ethernet Switches Chapter 2 IPv4 ACL Configuration Rules created with the auto keyword specified are sorted according to the “depth first” principle regardless of the order they are created. However, the ID of each rule does not change. -
Page 12: Configuration Prerequisites
Operation Manual – ACL H3C S5500-SI Series Ethernet Switches Chapter 2 IPv4 ACL Configuration Note: When you configure both IP priority and ToS priority for a rule, both priorities are valid. When you configure both IP/ToS priority and DSCP for a rule, only DSCP is valid. -
Page 13: Configuration Example
Operation Manual – ACL H3C S5500-SI Series Ethernet Switches Chapter 2 IPv4 ACL Configuration Rules created with the auto keyword specified are sorted according to the “depth first” principle regardless of the order they are created. However, the ID of each rule does not change. -
Page 14: Configuration Example
Operation Manual – ACL H3C S5500-SI Series Ethernet Switches Chapter 2 IPv4 ACL Configuration To do… Use the command… Remarks Enter system view system-view –– Required Create enter acl number acl-number Ethernet frame header [ match-order { config | The default match order is... -
Page 15: Displaying And Maintaining Ipv4 Acls
Operation Manual – ACL H3C S5500-SI Series Ethernet Switches Chapter 2 IPv4 ACL Configuration <Sysname> system-view [Sysname] acl number 4000 [Sysname-acl-ethernetframe-4000] rule deny cos 3 # Verify the configuration. [Sysname-acl-ethernetframe-4000] display acl 4000 Ethernet frame ACL 4000, 1 rule, ACL's step is 5 rule 0 deny cos excellent-effort(0 times matched) 2.5 Displaying and Maintaining IPv4 ACLs... -
Page 16: Configuration Procedure
Operation Manual – ACL H3C S5500-SI Series Ethernet Switches Chapter 2 IPv4 ACL Configuration 2.6.3 Configuration Procedure Create a time range for office hours # Create a periodic time range spanning 8:00 to 18:00 in working days. <Sysname> system-view [Sysname] time-range trname 8:00 to 18:00 working-day Define an ACL to control accesses to the salary server # Create and enter the view of advanced IPv4 ACL 3000. -
Page 17: Chapter 3 Ipv6 Acl Configuration
Operation Manual – ACL H3C S5500-SI Series Ethernet Switches Chapter 3 IPv6 ACL Configuration Chapter 3 IPv6 ACL Configuration This chapter covers these topics: Configuring a Time Range Configuring a Basic IPv6 ACL Configuring an Advanced IPv6 ACL Displaying and Maintaining IPv6 ACLs IPv6 ACL Configuration Example 3.1 Configuring a Time Range... -
Page 18: Configuration Example
Operation Manual – ACL H3C S5500-SI Series Ethernet Switches Chapter 3 IPv6 ACL Configuration When configuring a rule, note that: You will fail to create or modify a rule if its permit/deny statement is exactly the same as another rule. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules. -
Page 19: Configuring An Advanced Ipv6 Acl
Operation Manual – ACL H3C S5500-SI Series Ethernet Switches Chapter 3 IPv6 ACL Configuration 3.3 Configuring an Advanced IPv6 ACL Advanced ACLs filter packets based on the source IPv6 address, destination IPv6 address, upper protocol carried on IP, and other protocol header fields such as the TCP/UDP source port, TCP/UDP destination port, ICMP message type, and ICMP message code. -
Page 20: Configuration Example
Operation Manual – ACL H3C S5500-SI Series Ethernet Switches Chapter 3 IPv6 ACL Configuration A newly defined rule cannot be identical with any existing rule, otherwise the rule cannot be successfully created (the system will prompt the rule already exists) Rules created with the auto keyword specified are sorted according to the “depth... -
Page 21: Ipv6 Acl Configuration Example
Operation Manual – ACL H3C S5500-SI Series Ethernet Switches Chapter 3 IPv6 ACL Configuration 3.5 IPv6 ACL Configuration Example 3.5.1 Network Requirements Configure packet filtering on interface GigabitEthernet1/0/2 to deny all IPv6 packets but those with source addresses in the range 4050::9000 to 4050::90FF. - Page 22 Operation Manual – ACL H3C S5500-SI Series Ethernet Switches Chapter 3 IPv6 ACL Configuration [Sysname-GigabitEthernet1/0/2] qos apply policy test inbound...