Common knowledge about ACLs in Huawei 3COM router configuration

Source: Internet
Author: User

This article introduces ACL basics for Huawei 3COM router configuration, in question-and-answer form.

Q: What are the basics of the Huawei 3COM standard access control list (ACL)?

A: Huawei 3COM devices support many types of access control lists (ACLs), and different types are applied in different scenarios. The simplest of them is the standard access control list. It filters on the source IP address in the IP packet, and the corresponding ACL is created with an access control list number from 1 to 99.

Standard Access Control List format:

The standard access control list is the simplest ACL. The format in Huawei 3COM router configuration is as follows:
◆ acl ID
◆ // Enter the ACL setting mode
◆ rule permit | deny source IP-address reverse-subnet-mask

For example, the command rule deny source 192.168.1.1 0.0.0.0 discards all data packets from the address 192.168.1.1. We can also filter a whole network segment. The command is as follows: rule deny source 192.168.1.0 0.0.0.255

// Filter and discard all data packets from computers in 192.168.1.0/24. Why is the trailing subnet mask written as 0.0.0.255? This is because Huawei and Cisco devices require the subnet mask in an ACL to be written as a reverse mask. The reverse mask 0.0.0.255 indicates that the subnet mask is 255.255.255.0.

Huawei 3COM router configuration example:

To make the standard ACL take effect, we need to configure two things:
◆ Configure the ACL itself by adding detailed rules to it.
◆ Declare the ACL by applying the configured ACL to the corresponding port.

Network environment for the Huawei 3COM router configuration:

We use the network structure shown in Figure 1. The router connects two network segments, 172.16.4.0/24 and 172.16.3.0/24. One server in the 172.16.4.0/24 segment provides the WWW service, and its IP address is 172.16.4.13.

Example 1: Block all computers in the 172.16.4.0/24 segment except 172.16.4.13 from accessing 172.16.3.0/24. 172.16.4.13 can access 172.16.3.0/24 normally.

Huawei 3COM router configuration commands:
◆ acl 1
◆ // Set ACL 1 and enter the ACL setting mode
◆ rule permit source 172.16.4.13 0.0.0.0
◆ // Allow data packets from 172.16.4.13.
◆ rule deny source any
◆ // Deny data packets from all other IP addresses.
◆ int e1
◆ // Enter port E1.
◆ firewall packet-filter 1 inbound
◆ // Declare ACL 1 on the port.

After the preceding settings, port E1 only allows data packets from the IP address 172.16.4.13 to be transmitted. Data packets from other IP addresses cannot be transmitted through E1.

Note: Because a Huawei 3COM device adds a permit any statement to the end of each ACL by default, the preceding rule deny source any command must be added. Otherwise the configured ACL will not take effect, and all data packets will be forwarded normally because of the permit statement at the end. In addition, you can use the firewall packet-filter 1 outbound command on port E0 when the router is not connected to the network. The result is the same as that of the last two statements.

Example 2: Block the computer 172.16.4.13 from accessing the 172.16.3.0/24 segment, while other computers in 172.16.4.0/24 can access it normally.

Huawei 3COM router configuration commands:
◆ acl 1
◆ // Set ACL 1 and enter the ACL setting mode
◆ rule deny source 172.16.4.13 0.0.0.0
◆ // Block access from the computer 172.16.4.13.
◆ rule permit source any
◆ // Set the ACL to allow computers with other addresses to communicate
◆ int e1
◆ // Enter port E1
◆ firewall packet-filter 1 inbound
◆ // Declare ACL 1. Similarly, you can use firewall packet-filter 1 outbound after entering E0.

After configuring the Huawei 3COM router this way, all IP addresses except 172.16.4.13 can communicate with the router and transmit data packets. Note that by default, the Huawei device adds the rule permit source any statement at the end of the ACL. Therefore, this statement can be omitted in this example, and the effect is the same.
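
The matching behaviour described above (reverse mask, rules checked in order, permit added at the end by default), as an added Python example that is not part of the original article. The helper names and the test address 172.16.4.20 are constructed for illustration, and the example assumes that rules are checked in configured order with the first match deciding.

```python
import ipaddress

def wildcard_to_netmask(wildcard: str) -> str:
    """Convert a reverse (wildcard) mask to the subnet mask it stands for."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF))

def parse_rule(line: str):
    """Parse 'rule permit|deny source any' or 'rule permit|deny source ADDR WILDCARD'."""
    parts = line.split()
    if len(parts) not in (4, 5) or parts[0] != "rule" or parts[2] != "source":
        raise ValueError(f"unsupported rule: {line!r}")
    if parts[1] not in ("permit", "deny"):
        raise ValueError(f"unknown action in: {line!r}")
    if parts[3] == "any" and len(parts) == 4:
        return parts[1], 0, 0xFFFFFFFF          # every bit is "don't care"
    if len(parts) != 5:
        raise ValueError(f"missing reverse mask in: {line!r}")
    base = int(ipaddress.IPv4Address(parts[3]))
    wildcard = int(ipaddress.IPv4Address(parts[4]))
    return parts[1], base, wildcard

def evaluate(rules, src: str, default: str = "permit") -> str:
    """Return the action for a source address; default models the implicit permit."""
    addr = int(ipaddress.IPv4Address(src))
    for line in rules:
        action, base, wildcard = parse_rule(line)
        care = ~wildcard & 0xFFFFFFFF           # bits that are 0 in the reverse mask must match
        if (addr & care) == (base & care):
            return action                       # assumption: first matching rule wins
    return default

# Constructed rule sets modelled on the two examples in the article.
EXAMPLE_1 = ["rule permit source 172.16.4.13 0.0.0.0", "rule deny source any"]
EXAMPLE_1_NO_DENY = EXAMPLE_1[:1]               # explicit deny left out
EXAMPLE_2 = ["rule deny source 172.16.4.13 0.0.0.0"]  # relies on the default permit

if __name__ == "__main__":
    print("0.0.0.255 ->", wildcard_to_netmask("0.0.0.255"))
    for name, acl in (("example 1", EXAMPLE_1),
                      ("example 1 without deny", EXAMPLE_1_NO_DENY),
                      ("example 2", EXAMPLE_2)):
        for src in ("172.16.4.13", "172.16.4.20"):
            print(f"{name}: {src} -> {evaluate(acl, src)}")
```

Without the explicit deny, the rule set for example 1 permits every source, which is the failure the note above warns about.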

 


Summary: A standard ACL configured on a Huawei 3COM router occupies very few router resources. It is the most basic and simplest access control list format. It is widely used, typically where the required level of control is low. For more complex control of data packet transmission, you need to use the extended access control list, which can meet our requirements at the port level.
