1. access-list is used to create access rules.
1) Create a standard access list
access-list [normal | special] listnumber1 {permit | deny} source-addr [source-mask]
2) Create an extended access list
access-list [normal | special] listnumber2 {permit | deny} protocol source-addr source-mask [operator port1 [port2]] dest-addr dest-mask [operator port1 [port2] | icmp-type [icmp-code]] [log]
3) Delete an access list
no access-list {normal | special} {all | listnumber [subitem]}
[Parameter description]
normal specifies that the rule is added to the normal time period.
special specifies that the rule is added to the special time period.
listnumber1 is a value between 1 and 99, indicating a standard access list rule.
listnumber2 is a value between 100 and 199, indicating an extended access list rule.
permit indicates that packets matching the conditions are allowed to pass.
deny indicates that packets matching the conditions are prohibited from passing.
protocol is the protocol type; ICMP, TCP, UDP and other protocols are supported (for protocols other than TCP and UDP there is no port comparison). The keyword ip has a special meaning: it stands for all IP protocols.
source-addr is the source address.
source-mask is the wildcard mask of the source address. It is optional in a standard access list; if it is omitted, the wildcard mask is 0.0.0.0.
dest-addr is the destination address.
dest-mask is the wildcard mask of the destination address.
operator [optional] is the port operator. Port comparison is supported only when the protocol type is TCP or UDP. The supported operators are equal to (eq), greater than (gt), less than (lt), not equal to (neq) and between (range); if the operator is range, it is followed by two ports.
port1 appears when the protocol type is TCP or UDP. It can be a preset keyword (such as telnet) or a value between 0 and 65535.
port2 appears when the protocol type is TCP or UDP and the operator is range. It can be a preset keyword (such as telnet) or a value between 0 and 65535.
icmp-type [optional] indicates the ICMP message type when the protocol is ICMP. It can be a preset keyword (such as echo-reply) or a value between 0 and 255. icmp-code appears when the protocol is ICMP and no preset keyword is used; it indicates the ICMP code, a value between 0 and 255.
log [optional] indicates that packets matching the conditions are logged.
listnumber is the sequence number of the rule to delete, a value between 1 and 199.
subitem [optional] specifies the sequence number of one rule within the access list whose sequence number is listnumber.
[Default condition]
By default, no access rules are configured.
[Command mode]
Global configuration mode
[User guide]
Rules with the same sequence number can be regarded as one group of rules. A defined rule can be used not only to filter packets on an interface but also to identify whether a packet is "interesting" to a feature such as DDR; in that case permit and deny indicate interesting and uninteresting, respectively.
To filter any IP protocol, use an extended access list.
Rules with the same sequence number are ordered and selected according to fixed principles; the resulting order can be viewed with the show access-list command.
[Example]
WWW access from source network 10.1.1.0 to destination network 10.1.2.0 is allowed, but FTP is not.
Quidway(config)# access-list 100 permit tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 eq www
Quidway(config)# access-list 100 deny tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 eq ftp
[Related commands]
ip access-group
2. clear access-list counters clears the statistics of access list rules.
clear access-list counters [listnumber]
[Parameter description]
listnumber [optional] is the sequence number of the rule whose statistics are to be cleared. If no rule is specified, the statistics of all rules are cleared.
[Default condition]
By default, statistics are not cleared.
[Command mode]
Privileged user mode
[User guide]
Use this command to clear the statistics of the rules currently in use. If no rule number is specified, the statistics of all rules are cleared.
[Example]
Example 1: clear the statistics of the rule with sequence number 100 currently in use.
Quidway# clear access-list counters 100
Example 2: clear the statistics of all rules currently in use.
Quidway# clear access-list counters
[Related commands]
access-list
3. firewall enables or disables the firewall.
firewall {enable | disable}
[Parameter description]
enable indicates that the firewall is enabled.
disable indicates that the firewall is disabled.
[Default condition]
The firewall is disabled by default.
[Command mode]
Global configuration mode
[User guide]
Use this command to enable or disable the firewall. The result can be viewed with the show firewall command. If time-range packet filtering is in use, it is also disabled when the firewall is disabled. This command is the firewall's master switch; when the firewall is disabled with firewall disable, the firewall statistics are also cleared.
[Example]
Enable the firewall.
Quidway(config)# firewall enable
[Related commands]
access-list, ip access-group
4. firewall default sets the default filtering action used when a packet matches no access rule.
firewall default {permit | deny}
[Parameter description]
permit indicates that the default filtering action is "permit".
deny indicates that the default filtering action is "deny".
[Default condition]
When the firewall is enabled, packets are permitted by default.
[Command mode]
Global configuration mode
[User guide]
When none of the rules applied to an interface determines whether a packet should be permitted or denied, the default filtering action takes effect. If the default filtering action is "permit", the packet passes; otherwise the packet is discarded.
[Example]
Set the default filtering action to "permit".
Quidway(config)# firewall default permit
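The following is an added Python model (not code from the page or from the Quidway product) of the matching semantics described in sections 1 and 4: wildcard masks, the TCP/UDP port operators, first-match evaluation with per-rule counters, and the firewall default action when nothing matches. The rule lines are constructed, keyword ports are written numerically, and the "any" shorthand and the packet dictionary fields are assumptions.

```python
import ipaddress
# Constructed rules in the page's extended access-list syntax (section 1); keyword ports are numeric
# here (www=80, ftp=21, rip=520) and "any" (seen in the page's show output) is assumed to be 0.0.0.0 255.255.255.255.
RULE_LINES = ["access-list 100 permit tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 eq 80",
              "access-list 100 deny tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 eq 21",
              "access-list 100 deny udp any any eq 520"]
OPS = {"eq": lambda p, a, b: p == a, "neq": lambda p, a, b: p != a, "gt": lambda p, a, b: p > a,
       "lt": lambda p, a, b: p < a, "range": lambda p, a, b: a <= p <= b}

def wildcard_match(addr, base, wildcard):
    # Wildcard-mask semantics: a 0 bit in the mask must match exactly, a 1 bit is don't-care.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_rule(line):
    t = line.split()
    rule, i = {"action": t[2], "proto": t[3], "matches": 0}, 4
    for side in ("src", "dst"):
        if t[i] == "any":
            rule[side], i = ("0.0.0.0", "255.255.255.255"), i + 1
        else:
            rule[side], i = (t[i], t[i + 1]), i + 2
        if i < len(t) and t[i] in OPS:          # optional [operator port1 [port2]]
            n = 2 if t[i] == "range" else 1
            rule[side + "_port"], i = (t[i], *map(int, t[i + 1:i + 1 + n])), i + 1 + n
    return rule

def rule_matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt["proto"]):  # "ip" stands for every IP protocol
        return False
    for side in ("src", "dst"):
        op = rule.get(side + "_port")
        if not wildcard_match(pkt[side], *rule[side]) or (
                op and not OPS[op[0]](pkt[side + "_port"], op[1], op[-1])):
            return False
    return True

def filter_packet(rules, pkt, default="permit"):
    # First matching rule decides and its counter increments; 'firewall default' (section 4) applies otherwise.
    for rule in rules:
        if rule_matches(rule, pkt):
            rule["matches"] += 1
            return rule["action"]
    return default
def demo():
    rules = [parse_rule(l) for l in RULE_LINES]
    www = {"proto": "tcp", "src": "10.1.1.7", "src_port": 40001, "dst": "10.1.2.9", "dst_port": 80}
    ftp, ssh = dict(www, dst_port=21), dict(www, dst_port=22)   # ssh matches no rule
    return (filter_packet(rules, www), filter_packet(rules, ftp), filter_packet(rules, ssh),
            filter_packet(rules, ssh, default="deny"), [r["matches"] for r in rules])
```

demo() returns the verdicts for the WWW, FTP and unmatched packets (the last one under both default actions) together with the per-rule match counters, mirroring what show access-list reports.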
5. ip access-group applies a rule to an interface. The no form deletes the corresponding setting.
ip access-group listnumber {in | out}
no ip access-group listnumber {in | out}
[Parameter description]
listnumber is the rule sequence number, a value between 1 and 199.
in indicates that the rule filters packets received on the interface.
out indicates that the rule filters packets forwarded out of the interface.
[Default condition]
No rules are applied to the interface.
[Command mode]
Interface configuration mode
[User guide]
Use this command to apply rules to an interface. To filter packets received on the interface, use the in keyword; to filter packets forwarded out of the interface, use the out keyword. Up to 20 different rules can be applied in one direction of an interface. These rules are ordered by sequence number: the higher the sequence number, the higher the priority. When a packet is filtered, the result is determined as soon as a matching rule is found, which speeds up filtering. Therefore, when configuring rules, it is recommended to put the rules for the same network into the access list with the same sequence number. Within an access list of one sequence number, the order of the rules can be viewed with the show access-list command.
[Example]
Apply rule 101 to filter packets received on the Ethernet interface.
Quidway(config-if-Ethernet0)# ip access-group 101 in
[Related commands]
access-list
6. settr sets or cancels special time periods.
settr begin-time end-time
no settr
[Parameter description]
begin-time is the start time of a time period.
end-time is the end time of a time period; it must be later than the start time.
[Default condition]
By default the system sets no time period, that is, all time is regarded as the normal time period.
[Command mode]
Global configuration mode
[User guide]
Use this command to set time periods. Up to six time periods can be set at the same time. The configured times can be viewed with the show timerange command. If a time period that is already in use is modified, the modification takes effect within one minute. Times are given in 24-hour format. A time period that runs from the evening into the following morning can also be set with settr. Because both endpoints of a configured time period belong to that period, there is no switching between inside and outside the period at its endpoints. This setting has also been tested for the year 2000 problem.
[Example]
Example 1: set the time range ~ 17:00.
Quidway(config)# settr
Example 2: set the time range from PM to AM.
Quidway(config)# settr
[Related commands]
timerange, show timerange
7. show access-list displays packet filtering rules and their application on interfaces.
show access-list [all | listnumber | interface interface-name]
[Parameter description]
all indicates all rules, including rules for the normal period and the special period.
listnumber indicates the rule with sequence number listnumber among the rules currently in use.
interface indicates the sequence numbers of the rules applied on the specified interface.
interface-name is the interface name.
[Command mode]
Privileged user mode
[User guide]
Use this command to display the specified rules and to check their packet filtering status. Each rule has a counter; whenever a packet is filtered by a rule, that rule's counter is incremented by 1. Observing the counters shows which of the configured rules are effective and which are essentially never hit. Use show access-list with the interface keyword to view the rules applied on an interface.
[Example]
Example 1: display the rule with sequence number 100 currently in use.
Quidway# show access-list 100
Using normal packet-filtering access rules now.
100 deny icmp 10.1.0.0 0.0.20.255 any host-redirect (3 matches, 252 bytes -- rule 1)
100 permit icmp 10.1.0.0 0.0.255.255 any echo (no matches -- rule 2)
100 deny udp any eq rip (no matches -- rule 3)
Example 2: display the application of rules on interface Serial0.
Quidway# show access-list interface serial 0
Serial0: access-list filtering In-bound packets: 120
access-list filtering Out-bound packets: None
[Related commands]
access-list
8. show firewall displays the firewall status.
show firewall
[Command mode]
Privileged user mode
[User guide]
Use this command to display the firewall status, including whether the firewall is enabled, whether time-range packet filtering is used when the firewall is enabled, and some firewall statistics.
[Example]
Display the firewall status.
Quidway# show firewall
Firewall is enable, default filtering method is permit.
timeRange packet-filtering enable.
inBound packets: None;
OutBound packets: 0 packets, 0 bytes, 0% permitted,
0 packets, 0 bytes, 0% denied,
2 packets, 104 bytes, 100% permitted defaultly,
0 packets, 0 bytes, 100% denied defaultly.
from 00:13:02 to 06:13:21: 0 packets, 0 bytes, permitted.
[Related commands]
firewall
9. show isintr shows whether the current time is within a time range.
show isintr
[Command mode]
Privileged user mode
[User guide]
Use this command to show whether the current time is within a configured time range.
[Example]
Show whether the current time is within a time range.
Quidway# show isintr
It is NOT in time ranges now.
[Related commands]
timerange, settr
10. show timerange displays the time-range packet filtering information.
show timerange
[Command mode]
Privileged user mode
[User guide]
Use this command to show whether time-range packet filtering is enabled and which time periods are set.
[Example]
Display the time-range packet filtering information.
Quidway# show timerange
TimeRange packet-filtering enable.
beginning of time range:
01:00-0:00
0:00-04:00
end of time range.
[Related commands]
timerange, settr
11. timerange enables or disables time-range packet filtering.
timerange {enable | disable}
[Parameter description]
enable indicates that time-range packet filtering is enabled.
disable indicates that time-range packet filtering is disabled.
[Default condition]
By default, time-range packet filtering is disabled.
[Command mode]
Global configuration mode
[User guide]
Use this command to enable or disable time-range packet filtering; the result can be viewed with the show firewall or show timerange command. Once time-range packet filtering is enabled, the system uses the current time and the configured time periods to decide whether to apply the rules defined for the special time period or the normal rules that apply outside it. The system checks the time period with a precision of one minute. Both endpoints of a configured time period belong to that period.
[Example]
Enable time-range packet filtering.
Quidway(config)# timerange enable
[Related commands]
settr, show timerange