05 ip oc305 2_e1_1 zxr10 m6000&t8000 acl configuration (v1.00.30) 31

Post on 12-Apr-2017


ZXR10 M6000/T8000 ACL Configuration

Course Objectives

Through learning this course, you will:

Learn about the M6000/T8000 ACL features
Master the ACL configuration steps
Learn about the ACL configuration examples
Learn about the M6000/T8000 ACL fault treatment

Contents

ZXR10 M6000/T8000 ACL Features
ACL Configuration Step
    Time Range Module
    IPv4-ACL
    LINK-ACL
ACL Configuration Example
ACL Maintenance & Fault Treatment

ZXR10 M6000/T8000 ACL Features

IPv4-ACL: source address-based ACL, TCP-based ACL, UDP-based ACL, ICMP-based ACL

Link-ACL: MAC-based ACL, MAC and VLAN-based ACL, link protocol and MAC-based ACL, link protocol, VLAN and MAC-based ACL

IPv6 ACL


ACL Configuration Step

(Optional) Configure the time range module.

1. Create an ACL ipv4-access-list. The user can name the list.

2. Enter IPv4 ACL configuration mode after the list is created, and add rules in that mode. Each rule designates a kind of packet and defines whether that kind of packet is denied or permitted.

3. According to the traffic filtering requirements, bind the customized ipv4-access-list to the egress or ingress of the interface whose traffic is to be filtered.

Time Range Module Introduction

The time range module is mainly used to activate and deactivate other application modules on a schedule. For example, a company forbids employees from browsing the Web during working hours but permits it in free time. This is achieved by binding a time range to an ACL.

Users can configure multiple time ranges. Every time range has its own name. A time range can define multiple relative time segments and one absolute time segment.

The time range is currently active when the current time is within the absolute time segment or satisfies any relative time segment.

Time Range Module Introduction (Cont.)

A time range takes effect in the following three situations:

1. Only an absolute time segment is configured, and the current system time is within the configured absolute time segment.

2. Only relative time segments are configured. No matter how many relative time segments are configured, the time range is effective if the current system time meets any of them.

3. Both absolute and relative time segments are configured. The time range is effective only when the current system time meets both the absolute time segment and any one relative time segment.

Time Range Module Configuration

1. Enable the time range function.

ZXR10(config)#time-range {enable | disable}

2. Create and name a time range, and enter time range configuration mode.

ZXR10(config)#time-range <time-range-name>

3. Configure time segment rules.

Absolute time segment:

ZXR10(config-tr)#absolute [start <time-data>] [end <time-data>]

Relative time segment:

ZXR10(config-tr)#periodic [<days-of-weeks>] <hh:mm:ss> to [<days-of-weeks>] <hh:mm:ss>

Time Range Module Configuration Example

Example:

ZXR10(config)#time-range enable
ZXR10(config)#time-range test
ZXR10(config-tr)#absolute start 10:10:15 11-12-2010 end 10:10:15 12-12-2010
ZXR10(config-tr)#periodic daily 09:00:00 to 12:00:00
ZXR10(config-tr)#periodic daily 14:00:00 to 17:00:00

Configuration check:

ZXR10(config)#show time-range
Current time is 08:36:03 08-14-2009 Friday
time-range test <inactive>
absolute start 10:10:15 11-12-2010 end 10:10:15 12-12-2010
periodic daily 09:00:00 to 12:00:00
periodic daily 14:00:00 to 17:00:00
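The three activation cases and the <inactive> verdict in the show output above can be reproduced with a small model. The following Python script is an added example written for this page, not ZTE code or output captured from a ZXR10. It assumes the hh:mm:ss MM-DD-YYYY timestamp order seen in the show output, models only the same-day form of the periodic rule (daily or a single weekday name), and treats a time-range with no segments as active; the names parse_time_range, time_range_active and status_at are the example's own.

```python
from datetime import datetime, time

# Added example (not ZTE code): a model of the ZXR10 time-range rules from the
# slide, so the three activation cases can be checked against sample clocks.
# Assumption: timestamps use the hh:mm:ss MM-DD-YYYY order seen in the
# "show time-range" output on the slide.
DATE_FMT = "%H:%M:%S %m-%d-%Y"
DAY_NAMES = ("monday", "tuesday", "wednesday", "thursday",
             "friday", "saturday", "sunday")


def parse_time_range(lines):
    """Parse 'absolute ...' and 'periodic ...' lines into one time-range."""
    tr = {"absolute": None, "periodic": []}
    for line in lines:
        tok = line.split()
        if tok[0] == "absolute":
            # absolute [start <time date>] [end <time date>]
            start = end = None
            i = 1
            while i < len(tok):
                stamp = datetime.strptime(tok[i + 1] + " " + tok[i + 2], DATE_FMT)
                if tok[i] == "start":
                    start = stamp
                elif tok[i] == "end":
                    end = stamp
                i += 3
            tr["absolute"] = (start, end)
        elif tok[0] == "periodic":
            # periodic <daily|weekday> hh:mm:ss to hh:mm:ss
            # (assumption: only the same-day form of the syntax is modelled)
            days, t_start, t_end = tok[1].lower(), tok[2], tok[4]
            tr["periodic"].append(
                (days, time.fromisoformat(t_start), time.fromisoformat(t_end)))
    return tr


def _in_absolute(seg, now):
    start, end = seg
    return (start is None or start <= now) and (end is None or now <= end)


def _in_periodic(seg, now):
    days, t_start, t_end = seg
    if days != "daily" and DAY_NAMES[now.weekday()] != days:
        return False
    return t_start <= now.time() <= t_end


def time_range_active(tr, now):
    """The slide's three cases: absolute only, relative only, or both.
    Assumption: a time-range with no segments at all counts as active."""
    has_abs, has_rel = tr["absolute"] is not None, bool(tr["periodic"])
    abs_ok = _in_absolute(tr["absolute"], now) if has_abs else True
    rel_ok = any(_in_periodic(s, now) for s in tr["periodic"]) if has_rel else True
    if has_abs and not has_rel:
        return abs_ok                      # absolute segment only
    if has_rel and not has_abs:
        return rel_ok                      # relative segments only
    return abs_ok and rel_ok               # both configured: both must hold


# Constructed from the slide's example, not captured from a device.
EXAMPLE_RANGE = parse_time_range([
    "absolute start 10:10:15 11-12-2010 end 10:10:15 12-12-2010",
    "periodic daily 09:00:00 to 12:00:00",
    "periodic daily 14:00:00 to 17:00:00",
])


def status_at(clock, rules=None):
    """Label a clock reading the way 'show time-range' does: active/inactive."""
    tr = EXAMPLE_RANGE if rules is None else parse_time_range(rules)
    now = datetime.strptime(clock, DATE_FMT)
    return "active" if time_range_active(tr, now) else "inactive"


if __name__ == "__main__":
    for clock in ("08:36:03 08-14-2009",   # the slide's clock: before the window
                  "10:00:00 11-20-2010",   # inside window, inside a period
                  "13:00:00 11-20-2010"):  # inside window, between periods
        print(clock, "->", status_at(clock))
```

The first clock is the one shown in the slide's output (August 2009, before the absolute window starts), which is why the device reports the range as inactive even though 08:36 sits outside both daily periods anyway; the second and third clocks show the "both configured" case, where a time inside the absolute window is still inactive between the two daily periods.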

IPv4-ACL Configuration Step

1. Configure the IPv4-ACL list.

ZXR10(config)#ipv4-access-list <name>

2. Configure ACL rules.

Standard ACL rule:

ZXR10(config-ipv4-acl)#rule [<rule-id>] {permit | deny} {source [<source-wildcard>] | any} [time-range <name>] [log]

Extended ACL rule:

ZXR10(config-ipv4-acl)#rule [<rule-id>] {permit | deny} protocol {source [<source-wildcard>] | any} {destination [<destination-wildcard>] | any} [{tos <value> | precedence <value> | dscp <value>}] [time-range <name>] [log]

3. Bind the ACL to an interface.

ZXR10(config)#ipv4-access-group <interface-name> {ingress | egress} <acl-name>

Maintaining IPv4-ACL

Show the ACL list and its brief information:

ZXR10#show ipv4-access-lists [{name <acl-name> | brief [name <acl-name>]}]

Show the binding information:

ZXR10#show ipv4-access-groups [[by-access-list <acl-name>] [by-direction {ingress | egress}] [by-interface <interface-name>]]

LINK-ACL Configuration Step

1. Configure the LINK-ACL list.

ZXR10(config)#link-access-list <name>

2. Configure LINK-ACL rules.

MAC-based ACL rule:

ZXR10(config-link-acl)#rule [<rule-id>] {permit | deny} {source-mac [<source-mac-wildcard>] | any} [time-range <name>]

MAC and VLAN-based ACL rule:

ZXR10(config-link-acl)#rule [<rule-id>] {permit | deny} {source-mac [<source-mac-wildcard>] | any} {destination-mac [<destination-mac-wildcard>] | any} [{inner-cos <value> | inner-vlan <value> | outer-cos <value> | outer-vlan <value>}] [time-range <name>]

Link protocol and MAC-based ACL rule:

ZXR10(config-link-acl)#rule [<rule-id>] {permit | deny} link-protocal <value> {source-mac [<source-mac-wildcard>] | any} [time-range <name>]

Link protocol, VLAN and MAC-based ACL rule:

ZXR10(config-link-acl)#rule [<rule-id>] {permit | deny} link-protocal <value> {source-mac [<source-mac-wildcard>] | any} [{inner-cos <value> | inner-vlan <value> | outer-cos <value> | outer-vlan <value>}] [time-range <name>]

3. Bind the ACL to an interface.

ZXR10(config)#link-access-group interface <interface-name> {ingress | egress} <acl-name>


Example 1 — Filter Telnet access to the router

Use an ACL to restrict access from the vty lines:

ZXR10(config)#line telnet access-class <acl-name>

Only permit Telnet access from the 192.89.55.0 segment:

ZXR10(config)#ipv4-access-list test1
ZXR10(config-ipv4-acl)#rule 11 permit 192.89.55.0 0.0.0.255
ZXR10(config-ipv4-acl)#exit
ZXR10(config)#line telnet access-class test1

Example 2 — Standard ACL

Permit the two side networks to communicate.

[Topology figure: networks 172.16.3.0 and 172.16.4.0 on either side of the router, interfaces gei-0/1/0/2 and gei-0/1/0/1; host 172.16.4.13; interface S0; a non-172.16.0.0 segment]

ZXR10(config)#ipv4-access-list test
ZXR10(config-ipv4-acl)#rule 11 permit 172.16.0.0 0.0.255.255
ZXR10(config-ipv4-acl)#exit
ZXR10(config)#ipv4-access-group gei-0/1/0/1 egress test

The same filter bound on both interfaces:

ZXR10(config)# ipv4-access-list test2
ZXR10(config-ipv4-acl)# rule 12 permit 172.16.0.0 0.0.255.255
ZXR10(config-ipv4-acl)# exit
ZXR10(config)# ipv4-access-group gei-0/1/0/1 egress test2
ZXR10(config)# ipv4-access-group gei-0/1/0/2 egress test2

Example 3 — Standard ACL

Deny the access of 172.16.4.13 to the 172.16.3.0 segment.

[Topology figure: networks 172.16.3.0 and 172.16.4.0 on either side of the router, interfaces gei-0/1/0/2 and gei-0/1/0/1; host 172.16.4.13; interface S0; a non-172.16.0.0 segment]

ZXR10(config)# ipv4-access-list test3
ZXR10(config-ipv4-acl)# rule 13 deny 172.16.4.13 0.0.0.0
ZXR10(config-ipv4-acl)# rule 14 permit any
ZXR10(config-ipv4-acl)# exit
ZXR10(config)# ipv4-access-group gei-0/1/0/2 egress test3

Example 4 — Extended ACL

PC1 and PC2 both send Telnet requests to R1 through R2, but R1 only wants to receive the Telnet requests coming from PC1, not from PC2. To meet this requirement, bind an ACL to the ingress of gei-0/1/0/1 on R2 to filter the Telnet packets coming from PC2 (the ACL can also be bound to the egress of gei-0/1/0/2).

[Topology figure: PC1 and PC2 (10.20.30.20) reach R2 through gei-0/1/0/1; R2 reaches R1 (30.20.10.1) through gei-0/1/0/2]

Configuration on R2

R2(config)#ipv4-access-list test
R2(config-ipv4-acl)#rule 10 deny tcp 10.20.30.20 0.0.0.0 30.20.10.1 0.0.0.0 eq telnet
R2(config-ipv4-acl)#rule 20 permit any
R2(config-ipv4-acl)#exit
R2(config)#ipv4-access-group gei-0/1/0/1 ingress test

Configuration Check

Show the binding information:

R2(config)#show ipv4-access-groups
Interface name        Direction    ACl name
---------------------------------------------------------
gei-0/1/0/1           Ingress      test

Show the configured ACL:

R2(config)#show ipv4-access-lists name test
ipv4-access-list test 2/2 (showed/total)
rule 10 deny tcp 10.20.30.20 0.0.0.0 30.20.10.1 0.0.0.0 eq telnet
rule 20 permit any

Example 5 — Time range ACL

Requirements:

1. PC1 is forbidden to telnet R1 from 09:00:00 to 12:00:00 and from 14:00:00 to 17:00:00 daily.

2. PC1 is forbidden to telnet R1 from 10:10:15 11-12-2010 to 10:10:15 12-12-2010.

[Topology figure: R1 (30.20.10.1); R2 with interfaces gei-0/1/0/1, gei-0/1/0/2 and gei-0/1/0/3; PC1 attached on the gei-0/1/0/3 side of R2]

Configuration on R2

1. Create a time-range.

R2(config)#time-range enable
R2(config)#time-range test /*This creates a time-range and names it test.*/

2. Add time segments to the time-range.

R2(config-tr)#absolute start 10:10:15 11-12-2010 end 10:10:15 12-12-2010
R2(config-tr)#periodic daily 09:00:00 to 12:00:00
R2(config-tr)#periodic daily 14:00:00 to 17:00:00

3. Create an ACL and bind it to the time-range.

R2(config)#ipv4-access-list test
R2(config-ipv4-acl)#rule 1 deny tcp 10.20.30.20 0.0.0.0 30.20.10.1 0.0.0.0 eq telnet time-range test
R2(config-ipv4-acl)#rule 2 permit any
R2(config-ipv4-acl)#exit
R2(config)#ipv4-access-group gei-0/1/0/3 ingress test

/*The binding is successful. The ACL only takes effect in the specified time segments.*/


ACL Malfunctions

The following ACL configuration faults are likely to appear:

1. Failure to create an ACL list with the specified name.

2. Failure to bind an ACL to an interface.

3. ACL filtering behaves incorrectly: traffic that should be permitted is denied, while traffic that should be denied is still forwarded by the device.

ACL Troubleshooting

To locate and solve the faults, perform the following inspections:

1. The ACL name supports 31 characters at most and cannot contain a quotation mark, question mark or space.

2. The ACL name is case sensitive.

3. It is not recommended to bind an ACL before creating it, even though the ZXR10 M6000 supports this.

4. Binding an empty ACL list to an interface means that all packets are permitted.

5. A rule "deny any" is added automatically at the end of the list when a non-empty ACL list is bound to an interface, so packets that match none of the rules are denied.

6. If an ACL rule is bound to a time-range, it takes effect only when the time-range is in the active state.
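The matching behaviour these inspection points describe (wildcard masks, rule order, the implicit deny at the end of a non-empty bound list, an empty list permitting everything, and rules tied to an inactive time-range having no effect) can be checked against the rule lists from Examples 2 to 5. The following Python script is an added example written for this page, not ZTE code; it assumes rules are tried in ascending rule-id order, knows only the port name telnet that the slides use, and takes the set of active time-range names as an input rather than evaluating the clock. The names parse_rule, wildcard_match and evaluate are the example's own, and hosts other than those named on the slides are constructed.

```python
import ipaddress

# Added example (not ZTE code): a small model of ZXR10 IPv4-ACL matching with
# the behaviours the slides describe: wildcard masks, first matching rule wins
# (assumption: rules are tried in ascending rule-id order), an implicit
# "deny any" at the end of a non-empty bound list, an empty list permitting
# everything, and rules tied to an inactive time-range having no effect.
PORT_NAMES = {"telnet": 23}      # only the port name the slides use


def _is_ipv4(s):
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def wildcard_match(addr, base, wildcard):
    """Wildcard semantics: a 0 bit must match the base, a 1 bit is don't-care."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == \
           (int(ipaddress.IPv4Address(base)) & care)


def _parse_addr(tok, i):
    """Read '<addr> [<wildcard>]' or 'any' starting at tok[i]."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if i + 1 < len(tok) and _is_ipv4(tok[i + 1]):
        return (tok[i], tok[i + 1]), i + 2
    return (tok[i], "0.0.0.0"), i + 1          # wildcard omitted: exact host


def parse_rule(line):
    """Parse one 'rule <id> {permit|deny} ...' line in the slides' syntax."""
    tok = line.split()
    rule = {"id": int(tok[1]), "action": tok[2], "proto": None,
            "src": None, "dst": None, "dport": None, "time_range": None}
    i = 3
    if tok[i] in ("tcp", "udp", "icmp"):       # extended rule names a protocol
        rule["proto"], i = tok[i], i + 1
    rule["src"], i = _parse_addr(tok, i)
    if rule["proto"] and i < len(tok) and tok[i] not in ("eq", "time-range", "log"):
        rule["dst"], i = _parse_addr(tok, i)
    while i < len(tok):
        if tok[i] == "eq":                     # port after the destination address
            rule["dport"] = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            i += 2
        elif tok[i] == "time-range":
            rule["time_range"], i = tok[i + 1], i + 2
        else:
            i += 1                             # e.g. "log": no effect on matching
    return rule


def evaluate(rule_lines, pkt, active_ranges=()):
    """Return 'permit' or 'deny' for pkt under a bound ACL made of rule_lines.
    pkt keys: src, dst, proto, dport. active_ranges: time-range names now active."""
    rules = sorted((parse_rule(l) for l in rule_lines), key=lambda r: r["id"])
    if not rules:
        return "permit"                        # empty bound list permits all
    for r in rules:
        if r["time_range"] and r["time_range"] not in active_ranges:
            continue                           # inactive time-range: rule idle
        if r["proto"] and r["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *r["src"]):
            continue
        if r["dst"] and not wildcard_match(pkt["dst"], *r["dst"]):
            continue
        if r["dport"] is not None and pkt.get("dport") != r["dport"]:
            continue
        return r["action"]
    return "deny"                              # implicit "deny any" at the end


# Rule lists taken from the slides' examples.
EXAMPLE3 = ["rule 13 deny 172.16.4.13 0.0.0.0", "rule 14 permit any"]
EXAMPLE4 = ["rule 10 deny tcp 10.20.30.20 0.0.0.0 30.20.10.1 0.0.0.0 eq telnet",
            "rule 20 permit any"]
EXAMPLE5 = ["rule 1 deny tcp 10.20.30.20 0.0.0.0 30.20.10.1 0.0.0.0 eq telnet time-range test",
            "rule 2 permit any"]

if __name__ == "__main__":
    # Constructed packet: PC2 (10.20.30.20) opening Telnet to R1 (30.20.10.1).
    pc2_telnet = {"src": "10.20.30.20", "dst": "30.20.10.1", "proto": "tcp", "dport": 23}
    print(evaluate(EXAMPLE4, pc2_telnet))                           # deny
    print(evaluate(EXAMPLE5, pc2_telnet))                           # permit: range inactive
    print(evaluate(EXAMPLE5, pc2_telnet, active_ranges=("test",)))  # deny
```

Running the Example 2 list (a single permit for 172.16.0.0 0.0.255.255) against a packet from a non-172.16 source returns deny although no deny rule was typed, which is inspection point 5 above; the same packet against an empty list returns permit, which is point 4. Swapping the two rule ids in any list flips the verdict, which is why step 2 of the treatment below asks you to check the rule sequence.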

Treatment Scheme

Assume that packets with the source address 1.1.1.1/32 should be permitted, but these packets cannot be forwarded.

Treatment Steps

1. To check whether the packets to be filtered are covered by an ACL rule, use the show ipv4-access-list name <acl-name> command.

2. Inspect the command output of show time-range <name>. Compare the action attributes of the rules and check whether the sequence of rules is correct.

3. If the ACL is bound to a time-range, inspect the state of the time-range.

4. To check the correctness of the binding relationship (name and direction), use the show ipv4-access-group command.

5. To check whether the interface configurations conflict, use the show running command.

Course Review

ZXR10 M6000/T8000 ACL features
What's the function of the time range module?
ACL configuration steps
ACL troubleshooting
