Common ACL Operations on Huawei Switches


2024-07-14 17:59 | Source: compiled from the web | Views: 265

Common ACL operations

1. Deleting a time range: the ACL rules that reference the time range, or the entire ACL, must be deleted first.

  Option A: delete the rule that references the time range, then the time range itself.
  [HUAWEI] acl 2001
  [HUAWEI-acl-basic-2001] undo rule 5    // delete the rule first
  [HUAWEI-acl-basic-2001] quit           // return to the system view
  [HUAWEI] undo time-range time1         // then delete the time range

  Option B: delete the whole ACL, then the time range.
  [HUAWEI] undo acl 2001                 // delete the ACL first
  [HUAWEI] undo time-range time1         // then delete the time range

2. Configure a time-based ACL rule.
  [HUAWEI] time-range working-time 8:00 to 18:00 working-day
  [HUAWEI] acl name work-acl basic
  [HUAWEI-acl-basic-work-acl] rule deny source 192.168.1.0 0.0.0.255 time-range working-time

3. Configure a rule that filters packets by source IP address (a single host address).
  [HUAWEI] acl 2001
  [HUAWEI-acl-basic-2001] rule permit source 192.168.1.3 0

4. Configure a rule that filters packets by source IP address (a network segment).
  [HUAWEI] acl 2001
  [HUAWEI-acl-basic-2001] rule permit source 192.168.1.3 0
  [HUAWEI-acl-basic-2001] rule deny source 192.168.1.0 0.0.0.255
  [HUAWEI-acl-basic-2001] description Permit only 192.168.1.3 through

5. Configure a rule that filters packets by IP fragment information and source IP address (a network segment).
  [HUAWEI] acl 2001
  [HUAWEI-acl-basic-2001] rule deny source 192.168.1.0 0.0.0.255 fragment

6. Configure a rule that filters packets by ICMP protocol type, source IP address (a host) and destination IP address (a network segment).
  [HUAWEI] acl 3001
  [HUAWEI-acl-adv-3001] rule permit icmp source 192.168.1.3 0 destination 192.168.2.0 0.0.0.255

7. Configure a rule that filters packets by TCP protocol type, TCP destination port, source IP address (a host) and destination IP address (a network segment).
  [HUAWEI] acl name deny-telnet
  [HUAWEI-acl-adv-deny-telnet] rule deny tcp destination-port eq telnet source 192.168.1.3 0 destination 192.168.2.0 0.0.0.255
  [HUAWEI-acl-adv-deny-telnet] quit      // return to the system view
  [HUAWEI] acl name no-web
  [HUAWEI-acl-adv-no-web] description Web access restrictions
  [HUAWEI-acl-adv-no-web] rule deny tcp destination-port eq 80 source 192.168.1.3 0
  [HUAWEI-acl-adv-no-web] rule deny tcp destination-port eq 80 source 192.168.1.4 0

8. Configure a rule that filters packets by TCP protocol type, source IP address (a network segment) and TCP flag information.

  (1) First configure two permit rules that allow packets from 192.168.2.0/24 with ACK=1 or RST=1 through, then configure a deny rule that rejects all other TCP packets from that network segment.
  [HUAWEI] acl 3002
  [HUAWEI-acl-adv-3002] rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack
  [HUAWEI-acl-adv-3002] rule 5 description Allow the ACK TCP packets through
  [HUAWEI-acl-adv-3002] rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst
  [HUAWEI-acl-adv-3002] rule 10 description Allow the RST TCP packets through
  [HUAWEI-acl-adv-3002] rule deny tcp source 192.168.2.0 0.0.0.255
  [HUAWEI-acl-adv-3002] rule 15 description Do not Allow the other TCP packet through

  (2) Use the established parameter to allow packets from 192.168.2.0/24 with ACK=1 or RST=1 through, then configure a deny rule that rejects all other TCP packets from that network segment.
  [HUAWEI] acl 3002
  [HUAWEI-acl-adv-3002] rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag established
  [HUAWEI-acl-adv-3002] rule 5 description Allow the Established TCP packets through
  [HUAWEI-acl-adv-3002] rule deny tcp source 192.168.2.0 0.0.0.255
  [HUAWEI-acl-adv-3002] rule 10 description Do not Allow the other TCP packet through

9. Configure a rule that filters packets by source MAC address (a single MAC address), destination MAC address (a single MAC address) and Layer 2 protocol type.
  [HUAWEI] acl 4001
  [HUAWEI-acl-L2-4001] rule permit destination-mac 0000-0000-0001 source-mac 0000-0000-0002 l2-protocol 0x0806    // permit ARP packets (Layer 2 protocol type 0x0806) whose destination MAC is 0000-0000-0001 and source MAC is 0000-0000-0002
  [HUAWEI-acl-L2-4001] rule deny l2-protocol 0x8863    // deny PPPoE packets (Layer 2 protocol type 0x8863)

10. Configure a rule that filters packets by source MAC address (a MAC address range) and inner VLAN.
  [HUAWEI] acl name deny-vlan10-mac link
  [HUAWEI-acl-L2-deny-vlan10-mac] rule deny vlan-id 10 source-mac 00e0-fc01-0000 ffff-ffff-0000

11. Configure a rule that filters packets by the Layer 2 header, an offset, a string mask and a user-defined string.

  The following rule denies ARP packets whose source IP address is 192.168.0.2. In the rule, 0x00000806 is the ARP frame type and 0x0000ffff is its string mask; 10 is the offset of the protocol type field in an ARP packet without VLAN information, as the device processes it internally; c0a80002 is the hexadecimal form of 192.168.0.2; and 26 and 30 are the offsets used for the high two bytes and the low two bytes, respectively, of the source IP address field in an ARP packet without VLAN information, as the device processes it internally. (The source IP address field of an ARP packet starts at byte 28 of the Layer 2 header and occupies 4 bytes. A user-defined ACL only allows Layer 2 header offsets of the form "4n+2" (n an integer), so the source IP address has to be matched in two segments: starting at offset 4×6+2=26, match 4 bytes and use their low two bytes; starting at offset 4×7+2=30, match 4 bytes and use their high two bytes.) To filter ARP packets that carry VLAN information, add 4 to each of the three offset values in the rule.
  [HUAWEI] acl 5001
  [HUAWEI-acl-user-5001] rule deny l2-head 0x00000806 0x0000ffff 10 0x0000c0a8 0x0000ffff 26 0x00020000 0xffff0000 30


