![Page 1: 05 ip oc305 2_e1_1 zxr10 m6000&t8000 acl configuration (v1.00.30) 31](https://reader038.vdocument.in/reader038/viewer/2022102521/58ed82371a28ab0f0a8b4791/html5/thumbnails/1.jpg)
ZXR10 M6000/T8000 ACL Configuration
Course Objectives

Through learning this course, you may:
- Learn about the M6000/T8000 ACL features
- Master the ACL configuration steps
- Learn about the ACL configuration examples
- Learn about the M6000/T8000 ACL fault treatment
Contents
- ZXR10 M6000/T8000 ACL Features
- ACL Configuration Step
  - Time Range Module
  - IPv4-ACL
  - LINK-ACL
- ACL Configuration Example
- ACL Maintain & Fault Treatment
ZXR10 M6000/T8000 ACL Features

IPv4-ACL:
- source address-based ACL
- TCP-based ACL
- UDP-based ACL
- ICMP-based ACL

Link-ACL:
- MAC-based ACL
- MAC and VLAN-based ACL
- link protocol and MAC-based ACL
- link protocol, VLAN and MAC-based ACL

IPv6 ACL
ACL Configuration Step

(Optional) Configure the time range module.
1. Create an ACL with ipv4-access-list. The user names the list.
2. After the list is created, enter IPv4 ACL configuration mode and add rules. Each rule designates one kind of packet and defines whether that kind of packet is permitted or denied.
3. According to the traffic-filtering requirement, bind the ACL (ipv4-access-list) to the ingress or egress of the interface whose traffic is to be filtered.
Time Range Module Introduction

The time range module mainly provides an activation and deactivation ("wake-up and sleep") service for other application modules. For example, a company forbids employees from browsing the Internet during working hours but permits it in free time; binding a time range to an ACL implements this.

A user can configure multiple time ranges. Every time range has its own name. A time range can define multiple relative (periodic) time segments and one absolute time segment.

A time range is currently active when the current system time falls within its absolute time segment and/or satisfies one of its relative time segments, according to the three cases described next.
Time Range Module Introduction (Cont.)

A time range takes effect in the following three situations:
- Only an absolute time segment is configured, and the current system time is within it.
- Only relative time segments are configured. No matter how many relative segments are configured, the time range is effective if the current system time meets any one of them.
- Both absolute and relative time segments are configured. The time range is effective only when the current system time meets the absolute segment and any one of the relative segments.
Time Range Module Configuration

1. Enable the time range function.
ZXR10(config)#time-range {enable | disable}

2. Create and name a time range, and enter time range configuration mode.
ZXR10(config)#time-range <time-range-name>

3. Configure time segment rules.
Absolute time segment (the time-date value has the form hh:mm:ss MM-DD-YYYY, as in the example that follows):
ZXR10(config-tr)#absolute [start <time-date>] [end <time-date>]
Relative time segment:
ZXR10(config-tr)#periodic [<days-of-week>] <hh:mm:ss> to [<days-of-week>] <hh:mm:ss>
Time Range Module Configuration Example

Example:
ZXR10(config)#time-range enable
ZXR10(config)#time-range test
ZXR10(config-tr)#absolute start 10:10:15 11-12-2010 end 10:10:15 12-12-2010
ZXR10(config-tr)#periodic daily 09:00:00 to 12:00:00
ZXR10(config-tr)#periodic daily 14:00:00 to 17:00:00

Configuration check:
ZXR10(config)#show time-range
Current time is 08:36:03 08-14-2009 Friday
time-range test <inactive>
  absolute start 10:10:15 11-12-2010 end 10:10:15 12-12-2010
  periodic daily 09:00:00 to 12:00:00
  periodic daily 14:00:00 to 17:00:00

The range shows <inactive> because the current system time (August 2009) lies outside the absolute segment; when both kinds of segment are configured, the daily segments alone cannot activate it.
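The activation rules from the previous slide and the show time-range output above, modelled as an added Python example (this is example code, not code from the course or from the ZXR10 itself). It parses the page's own absolute and periodic lines, using the hh:mm:ss MM-DD-YYYY form the show output uses, and reports whether a range is active at a given time. Assumptions of the model: segments combine exactly as the three cases state; the day-of-week keywords other than daily, and the treatment of a range with no segments as never active, are this model's own.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import FrozenSet, List, Optional

# Day-of-week keywords accepted by the parser (0 = Monday ... 6 = Sunday).
# Only "daily" appears on the page; the other keywords are an assumption.
DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_SETS = {"daily": frozenset(range(7)), "weekdays": frozenset(range(5)), "weekend": frozenset({5, 6})}
DAY_SETS.update({name: frozenset({i}) for i, name in enumerate(DAY_NAMES)})


def parse_stamp(hms: str, mdy: str) -> datetime:
    """Parse the page's 'hh:mm:ss MM-DD-YYYY' form, e.g. '10:10:15 11-12-2010'."""
    return datetime.strptime(f"{hms} {mdy}", "%H:%M:%S %m-%d-%Y")


@dataclass
class Absolute:
    start: Optional[datetime]
    end: Optional[datetime]

    def matches(self, now: datetime) -> bool:
        return (self.start is None or now >= self.start) and (self.end is None or now <= self.end)


@dataclass
class Periodic:
    days: FrozenSet[int]
    start: time
    end: time

    def matches(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= now.time() <= self.end


@dataclass
class TimeRange:
    name: str
    absolute: Optional[Absolute] = None
    periodic: List[Periodic] = field(default_factory=list)

    def is_active(self, now: datetime) -> bool:
        # Absolute only: inside it. Periodic only: any segment. Both: absolute AND any segment.
        if self.absolute is None and not self.periodic:
            return False  # assumption: a range with no segments never activates
        abs_ok = self.absolute is None or self.absolute.matches(now)
        per_ok = not self.periodic or any(p.matches(now) for p in self.periodic)
        return abs_ok and per_ok

    def active_at(self, stamp: str) -> bool:
        hms, mdy = stamp.split()[:2]  # tolerates the trailing weekday of the show output
        return self.is_active(parse_stamp(hms, mdy))


def parse_time_range(name: str, lines) -> TimeRange:
    """Build a TimeRange from the page's 'absolute ...' and 'periodic ...' lines."""
    tr = TimeRange(name)
    for raw in lines:
        tok = raw.split()
        if tok[0] == "absolute":
            start = end = None
            i = 1
            while i < len(tok):
                if tok[i] == "start":
                    start, i = parse_stamp(tok[i + 1], tok[i + 2]), i + 3
                elif tok[i] == "end":
                    end, i = parse_stamp(tok[i + 1], tok[i + 2]), i + 3
                else:
                    raise ValueError(f"bad absolute segment: {raw}")
            tr.absolute = Absolute(start, end)
        elif tok[0] == "periodic":
            days, i = DAY_SETS["daily"], 1
            if tok[i] in DAY_SETS:
                days, i = DAY_SETS[tok[i]], i + 1
            if tok[i + 1] != "to":
                raise ValueError(f"bad periodic segment: {raw}")
            tr.periodic.append(Periodic(days, time.fromisoformat(tok[i]), time.fromisoformat(tok[i + 2])))
        else:
            raise ValueError(f"unknown segment: {raw}")
    return tr


# The page's example time range, rebuilt from its configuration lines.
TEST_TR = parse_time_range("test", [
    "absolute start 10:10:15 11-12-2010 end 10:10:15 12-12-2010",
    "periodic daily 09:00:00 to 12:00:00",
    "periodic daily 14:00:00 to 17:00:00",
])

if __name__ == "__main__":
    for stamp in ("08:36:03 08-14-2009 Friday", "10:00:00 11-20-2010", "13:00:00 11-20-2010"):
        print(stamp, "active" if TEST_TR.active_at(stamp) else "inactive")
```

Feeding the show output's own timestamp gives inactive, matching the <inactive> marker; a timestamp inside the absolute span but between the two daily windows (13:00 on 11-20-2010) is also inactive, which is the case that usually surprises operators.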
IPv4-ACL Configuration Step

1. Configure the IPv4-ACL list.
ZXR10(config)#ipv4-access-list <name>

2. Configure ACL rules.
Standard ACL rule (source address only):
ZXR10(config-ipv4-acl)#rule [<rule-id>] {permit | deny} {<source> [<source-wildcard>] | any} [time-range <name>] [log]
Extended ACL rule (protocol, source and destination):
ZXR10(config-ipv4-acl)#rule [<rule-id>] {permit | deny} <protocol> {<source> [<source-wildcard>] | any} {<destination> [<destination-wildcard>] | any} [tos <value> | precedence <value> | dscp <value>] [time-range <name>] [log]
Wildcard bits set to 1 are ignored when matching: 0.0.0.0 matches exactly one host, 0.0.255.255 matches a whole /16. For TCP and UDP, a port qualifier such as eq telnet follows the destination address, as in the examples later in this course.

3. Bind the ACL to an interface.
ZXR10(config)#ipv4-access-group <interface-name> {ingress | egress} <acl-name>
Maintaining IPv4-ACL

Show the ACL lists and their brief information:
ZXR10#show ipv4-access-lists [{name <acl-name> | brief [name <acl-name>]}]

Show the binding information:
ZXR10#show ipv4-access-groups [[by-access-list <acl-name>] [by-direction {ingress | egress}] [by-interface <interface-name>]]
LINK-ACL Configuration Step

1. Configure the LINK-ACL list.
ZXR10(config)#link-access-list <name>

2. Configure LINK-ACL rules.
MAC-based ACL rule:
ZXR10(config-link-acl)#rule [<rule-id>] {permit | deny} {<source-mac> [<source-mac-wildcard>] | any} [time-range <name>]
MAC and VLAN-based ACL rule:
ZXR10(config-link-acl)#rule [<rule-id>] {permit | deny} {<source-mac> [<source-mac-wildcard>] | any} {<destination-mac> [<destination-mac-wildcard>] | any} [inner-cos <value> | inner-vlan <value> | outer-cos <value> | outer-vlan <value>] [time-range <name>]
LINK-ACL Configuration Step (Cont.)

Link protocol and MAC-based ACL rule:
ZXR10(config-link-acl)#rule [<rule-id>] {permit | deny} link-protocol <value> {<source-mac> [<source-mac-wildcard>] | any} [time-range <name>]
Link protocol, VLAN and MAC-based ACL rule:
ZXR10(config-link-acl)#rule [<rule-id>] {permit | deny} link-protocol <value> {<source-mac> [<source-mac-wildcard>] | any} [inner-cos <value> | inner-vlan <value> | outer-cos <value> | outer-vlan <value>] [time-range <name>]

3. Bind the ACL to an interface.
ZXR10(config)#link-access-group interface <interface-name> {ingress | egress} <acl-name>
Example 1 — Filter Telnet access to the router

Use an ACL to restrict access to the VTY lines:
ZXR10(config)#line telnet access-class <acl-name>

ZXR10(config)#ipv4-access-list test1
ZXR10(config-ipv4-acl)#rule 11 permit 192.89.55.0 0.0.0.255
ZXR10(config-ipv4-acl)#exit
ZXR10(config)#line telnet access-class test1

Only Telnet access from the 192.89.55.0/24 segment is permitted; every other source falls through to the implicit deny at the end of the non-empty list. Create and populate the list before applying it with access-class, because an empty list permits all sources.
Example 2 — Standard ACL

Topology: the router connects segment 172.16.4.0 (including host 172.16.4.13) via gei-0/1/0/1 and segment 172.16.3.0 via gei-0/1/0/2; a non-172.16.0.0 segment is reached through S0.

Requirement: permit the two side networks to communicate.

Binding the list on one interface only filters traffic leaving gei-0/1/0/1:
ZXR10(config)#ipv4-access-list test
ZXR10(config-ipv4-acl)#rule 11 permit 172.16.0.0 0.0.255.255
ZXR10(config-ipv4-acl)#exit
ZXR10(config)#ipv4-access-group gei-0/1/0/1 egress test

Binding the same rule on both interfaces filters traffic leaving either side:
ZXR10(config)#ipv4-access-list test2
ZXR10(config-ipv4-acl)#rule 12 permit 172.16.0.0 0.0.255.255
ZXR10(config-ipv4-acl)#exit
ZXR10(config)#ipv4-access-group gei-0/1/0/1 egress test2
ZXR10(config)#ipv4-access-group gei-0/1/0/2 egress test2

Because a bound non-empty list ends in an implicit deny, only packets sourced from 172.16.0.0/16 leave these interfaces; packets from the non-172.16.0.0 segment are dropped there.
Example 3 — Standard ACL

Topology: as in Example 2 (172.16.4.0 with host 172.16.4.13 via gei-0/1/0/1, 172.16.3.0 via gei-0/1/0/2, non-172.16.0.0 segment via S0).

Requirement: deny host 172.16.4.13 access to the 172.16.3.0 segment and permit everything else.

ZXR10(config)#ipv4-access-list test3
ZXR10(config-ipv4-acl)#rule 13 deny 172.16.4.13 0.0.0.0
ZXR10(config-ipv4-acl)#rule 14 permit any
ZXR10(config-ipv4-acl)#exit
ZXR10(config)#ipv4-access-group gei-0/1/0/2 egress test3

The list is bound egress on gei-0/1/0/2, the interface towards 172.16.3.0, so the single-host deny (wildcard 0.0.0.0) affects only traffic leaving towards that segment. Rule 14 is required: without it the implicit deny would block all other traffic on that interface.
Example 4 — Extended ACL

Topology: PC1 and PC2 (10.20.30.20) connect to R2 on gei-0/1/0/1; R2 connects to R1 (30.20.10.1) on gei-0/1/0/2.

PC1 and PC2 both send Telnet requests to R1 through R2, but R1 only wants to receive the Telnet request from PC1, not from PC2. To meet this requirement, bind an ACL to the ingress of gei-0/1/0/1 on R2 to filter the Telnet packets coming from PC2. (The ACL could also be bound to the egress of gei-0/1/0/2.)
Configuration on R2

R2(config)#ipv4-access-list test
R2(config-ipv4-acl)#rule 10 deny tcp 10.20.30.20 0.0.0.0 30.20.10.1 0.0.0.0 eq telnet
R2(config-ipv4-acl)#rule 20 permit any
R2(config-ipv4-acl)#exit
R2(config)#ipv4-access-group gei-0/1/0/1 ingress test

Rule 10 matches only TCP from host 10.20.30.20 to host 30.20.10.1 with destination port telnet; every other packet, including PC1's Telnet and PC2's non-Telnet traffic, is permitted by rule 20.
Configuration Check

Show the binding information:
R2(config)#show ipv4-access-groups
Interface name        Direction    ACL name
---------------------------------------------------------
gei-0/1/0/1           Ingress      test

Show the configured ACL:
R2(config)#show ipv4-access-lists name test
ipv4-access-list test 2/2 (showed/total)
  rule 10 deny tcp 10.20.30.20 0.0.0.0 30.20.10.1 0.0.0.0 eq telnet
  rule 20 permit any
Example 5 — Time range ACL

Topology: PC1 connects to R2 on gei-0/1/0/3; R2 reaches R1 (30.20.10.1) through gei-0/1/0/1 and gei-0/1/0/2.

Requirements:
1. PC1 is forbidden to telnet R1 during 09:00:00 to 12:00:00 and 14:00:00 to 17:00:00 daily.
2. PC1 is forbidden to telnet R1 from 10:10:15 11-12-2010 to 10:10:15 12-12-2010.

Because the time range carries both an absolute and periodic segments, the deny applies only during those daily windows within the 11-12-2010 to 12-12-2010 span.
Configuration on R2

1. Create a time range.
R2(config)#time-range enable
R2(config)#time-range test   /* This creates a time range named test. */

2. Add time segments to the time range.
R2(config-tr)#absolute start 10:10:15 11-12-2010 end 10:10:15 12-12-2010
R2(config-tr)#periodic daily 09:00:00 to 12:00:00
R2(config-tr)#periodic daily 14:00:00 to 17:00:00
Configuration on R2 (Cont.)

3. Create the ACL and bind it to the time range.
R2(config)#ipv4-access-list test
R2(config-ipv4-acl)#rule 1 deny tcp 10.20.30.20 0.0.0.0 30.20.10.1 0.0.0.0 eq telnet time-range test
R2(config-ipv4-acl)#rule 2 permit any
R2(config-ipv4-acl)#exit
R2(config)#ipv4-access-group gei-0/1/0/3 ingress test
/* The binding is successful. The ACL rule takes effect only in the specified time segments. */

The port qualifier eq telnet follows the destination address, as in Example 4, so that the rule matches the Telnet service port on R1. While the time range is inactive, rule 1 does not take effect and rule 2 permits the traffic.
ACL Malfunctions

The following ACL configuration faults are likely to appear:
- Failure to create an ACL list with the specified name.
- Failure to bind an ACL to an interface.
- Improper ACL filtering: traffic that should be permitted is denied, while traffic that should be denied is still forwarded by the device.
ACL Troubleshooting

To locate and solve the faults, perform the following inspections:
- The ACL name supports 31 characters at most and cannot contain quotation marks, question marks or spaces. The ACL name is case sensitive.
- It is not recommended to bind an ACL before creating it, even though the ZXR10 M6000 supports this.
- Binding an empty ACL list to an interface means all packets are permitted.
- A "deny any" rule is added automatically at the end of a non-empty ACL list bound to an interface, so packets that match none of the rules are denied.
- If an ACL rule carries a time-range, it takes effect only while that time-range is in the active state.

Taken together, the last three points matter for a filter that is meant to protect the device: a list bound before it is populated behaves as permit-all until its first rule is added, after which the implicit deny applies to everything the rules do not permit.
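The matching semantics that Examples 2 to 4 and the notes above rely on (wildcard masks, first match in rule order, permit-all for an empty list, implicit deny for a non-empty one, time-range gating), written up as an added Python model. This is example code, not the course's or the ZXR10's; it parses the page's rule lines as written. Assumptions of the model: rules are evaluated in ascending rule-id order and an id-less rule gets the next multiple of 10, a rule whose time-range is inactive is skipped, the port-name table is a small stand-in for the device's, and tos/precedence/dscp are parsed but not evaluated.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Iterable, List, Optional

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
PORT_NAMES = {"telnet": 23, "ssh": 22, "http": 80}  # assumption: stand-in for the device's name table
ANY = (0, 0xFFFFFFFF)  # "any" == address 0.0.0.0 with wildcard 255.255.255.255
Rule = namedtuple("Rule", "rule_id action proto src src_wild dst dst_wild dport time_range")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _addr(tok: List[str], i: int):
    """Consume 'any' or '<address> <wildcard>' (the page's examples always give the wildcard)."""
    if tok[i] == "any":
        return ANY[0], ANY[1], i + 1
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2


def wild_match(addr: int, rule_addr: int, wild: int) -> bool:
    """Wildcard bits set to 1 are ignored; every other bit must be equal."""
    return ((addr ^ rule_addr) & (~wild & 0xFFFFFFFF)) == 0


def parse_rule(line: str, default_id: int) -> Rule:
    tok = line.split()
    if tok[0] != "rule":
        raise ValueError(line)
    i, rule_id = 1, default_id
    if tok[i].isdigit():
        rule_id, i = int(tok[i]), i + 1
    action, i = tok[i], i + 1
    if action not in ("permit", "deny"):
        raise ValueError(line)
    proto = None
    if tok[i] in PROTOCOLS:  # extended rule: protocol, source, destination
        proto, i = tok[i], i + 1
    src, src_wild, i = _addr(tok, i)
    dst, dst_wild = ANY
    if proto is not None:
        dst, dst_wild, i = _addr(tok, i)
    dport = time_range = None
    while i < len(tok):
        if tok[i] == "eq":  # destination-port qualifier, as in the page's Telnet examples
            dport, i = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
        elif tok[i] == "time-range":
            time_range, i = tok[i + 1], i + 2
        elif tok[i] == "log":
            i += 1
        elif tok[i] in ("tos", "precedence", "dscp"):
            i += 2  # accepted but not evaluated by this model
        else:
            raise ValueError(f"unsupported token {tok[i]!r} in: {line}")
    return Rule(rule_id, action, proto, src, src_wild, dst, dst_wild, dport, time_range)


class IPv4AccessList:
    def __init__(self, name: str, lines: Iterable[str] = ()):
        self.name = name
        self.rules: List[Rule] = []
        for line in lines:
            self.add(line)

    def add(self, line: str) -> None:
        # Assumption: id-less rules get the next multiple of 10; evaluation is in rule-id order.
        self.rules.append(parse_rule(line, 10 * (len(self.rules) + 1)))
        self.rules.sort(key=lambda r: r.rule_id)

    def evaluate(self, pkt: Packet, active_ranges: Iterable[str] = ()) -> str:
        if not self.rules:
            return "permit"  # an empty list bound to an interface permits everything
        active = set(active_ranges)
        src, dst = _ip(pkt.src), _ip(pkt.dst)
        for r in self.rules:
            if r.time_range is not None and r.time_range not in active:
                continue  # a time-range rule only takes effect while its range is active
            if r.proto not in (None, "ip") and r.proto != pkt.proto:
                continue
            if not (wild_match(src, r.src, r.src_wild) and wild_match(dst, r.dst, r.dst_wild)):
                continue
            if r.dport is not None and pkt.dport != r.dport:
                continue
            return r.action  # first match wins
        return "deny"  # the implicit "deny any" at the end of every non-empty bound list


# The page's Example 3 and Example 4 lists, rebuilt from their rule lines.
TEST3 = IPv4AccessList("test3", ["rule 13 deny 172.16.4.13 0.0.0.0", "rule 14 permit any"])
EXAMPLE4 = IPv4AccessList("test", [
    "rule 10 deny tcp 10.20.30.20 0.0.0.0 30.20.10.1 0.0.0.0 eq telnet",
    "rule 20 permit any",
])
```

Binding direction is not modelled: the caller applies a list only to the packets that actually traverse the interface in the bound direction. Entering rule 20 permit any before rule 10 deny still evaluates the deny first once the list is sorted by rule-id, which is the rule-order check of the treatment steps; reversing the ids would shadow the deny.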
Treatment Scheme

Assume that packets with the source address 1.1.1.1/32 should be permitted. However, these packets cannot be forwarded.
Treatment Steps
1. To check whether the packets to be filtered are covered by an ACL rule, use the show ipv4-access-lists name <acl-name> command.
2. In that output, compare the action attributes of the rules and check whether the sequence of rules is correct: an earlier deny that also matches 1.1.1.1 shadows a later permit, and with no matching permit the implicit deny at the end of the list applies.
3. If the ACL is bound with a time-range, inspect the state of the time-range with show time-range <name>.
4. To verify the binding relationship (name and direction), use the show ipv4-access-groups command.
5. To check whether the interface configuration conflicts with the ACL, use the show running command.
Course Review
- ZXR10 M6000/T8000 ACL features
- What is the function of the time range module?
- ACL configuration steps
- ACL troubleshooting