Basic configuration of the H3C device ACL

ACL Configuration
1. ACL Configuration:
------------------------
| Category of the access control list | number range |
| -----------------------
| Basic access control list | 2000-2999 |
| -----------------------
| Extended access control list | 3000-3999 |
| -----------------------
| Layer-2 Access Control List | 4000-4999 |
| -----------------------
| User-defined access control list | 5000-5999 |
------------------------
● Basic ACL: Rules are formulated only based on the source IP address information of the message;
● Advanced ACL: based on the source IP address, destination IP address, protocol type carried by the IP address, and Protocol features of the packet
Level 3 and Level 4 Information Development Rules;
● L2 ACL: based on the source MAC address, destination MAC address, VLAN priority, L2 Protocol
Type and other information formulation rules;
● User-Defined ACL: Based on the header and IP address first, you can specify the number of bytes starting with the mask.
Perform the "and" operation to compare the string extracted from the message with the User-Defined string to find the matched message.
● Specify a name for the ACL. Note that the name must be created at the time of creation. After the creation is complete, the name cannot start. The same name as the number can also identify an ACL. The command is as follows:
Acl number 3000 name xiaoshoubu
● Set the acl description: When configuring the acl, you can use the command "description text" in the acl state to add description information to the ACL.
● Set the acl step, that is, the default growth rate when no rule number is specified. Command: step-value is 5 by default
The ACL matching sequence is as follows: config: match according to the user's configuration order.
Auto: the parameter is matched first according to the "depth first" rule, that is, if the address range is small. However, by default, the matching is performed according to the user's configuration order.
--------------------------------------------------------------------------
The following problems are encountered in actual work:
If your version is Release 2208, you can directly packet-filter acl_number inbound/outbound under the interface. if the version is earlier than R2208, You need to issue the ACL through QOS. The configuration method is as follows:
Acl number 3000 // define the traffic. The permit and deny in the request are meaningless and only used to match the traffic.
Rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
Quit
Traffic classifier 1 // define class, match acl 3000
If-match acl 3000:
Quit
Traffic behavior 1 // define as popular, and the action is to reject deny
Filter deny
Quit
Qos policy 1 // define QOS policies and bind classes and popular ones (note that classifier 2 behavior 2 can appear if multiple classes are associated with popular ones)
Classifier 1 behavior 1
Quit
Interface GigabitEthernet1/0/41 // route to interface inbound
Qos apply policy 1 inbound
----------------------------------------------------------------------
For example:
Basic ACL:
Acl number 2000
Rule 0 deny source 192.168.2.0 0.0.255
Advanced ACL:
Acl number 3000
Rule 0 permit tcp source 192.168.1.0 0.0.0.255 destination 192.168.3.1 0.0.0.0 destination-port eq 80
Second, the packet filtering Firewall function:
[H3c] firewall enable ------- enable the package filtering function, which is disabled by default.
[H3c] firewal default permit/deny ------- set the default rule. The default rule is permit.
Apply the ACL to the interface before the configured ACL takes effect. That is, the inbound/outbound
[H3c-Ethernet0/1] firewall packet-filter 3000 inbound/outbound
Display and debug the ACL package filtering
Display firewall-statistics all
Display acl all
Clear IPV4 ACL statistics
Reset acl counter (all)
 
This article is from the "my love and love" blog