HP FlexNetwork MSR Series User manual
HPE FlexNetwork MSR Router Series
Comware 7 ACL and QoS Configuration Guide
Part number: 5200-2385
Software version: MSR-CMW710-R0411
Document version: 6W101-20161114
© Copyright 2016 Hewlett Packard Enterprise Development LP
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard
Enterprise products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s
standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the
United States and other countries.
Microsoft® and Windows® are trademarks of the Microsoft group of companies.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Java and Oracle are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.
1
Contents
Configuring ACLs·············································································6
Overview····································································································································6
ACL types····························································································································6
Numbering and naming ACLs··································································································6
Match order··························································································································6
Rule numbering ····················································································································7
Fragment filtering with ACLs····································································································8
Command and hardware compatibility······························································································8
Configuration restrictions and guidelines ··························································································8
Configuration task list····················································································································9
Configuring a basic ACL················································································································9
Configuring an IPv4 basic ACL ································································································9
Configuring an IPv6 basic ACL ······························································································ 10
Configuring an advanced ACL······································································································ 10
Configuring an IPv4 advanced ACL ························································································ 11
Configuring an IPv6 advanced ACL ························································································ 12
Configuring a Layer 2 ACL··········································································································· 13
Copying an ACL ························································································································ 14
Configuring packet filtering with ACLs···························································································· 15
Applying an ACL to an interface for packet filtering ····································································15
Applying an ACL to a zone pair for packet filtering····································································· 15
Configuring logging and SNMP notifications for packet filtering ····················································15
Setting the packet filtering default action·················································································· 16
Enabling hardware-count for the packet filtering default action····················································· 16
Enabling ACL acceleration··········································································································· 16
Displaying and maintaining ACLs·································································································· 17
ACL configuration examples········································································································· 18
Interface-based packet filter configuration example····································································18
Zone pair-based packet filter configuration example···································································20
QoS overview················································································24
QoS service models ··················································································································· 24
Best-effort service model ······································································································ 24
IntServ model····················································································································· 24
DiffServ model···················································································································· 24
QoS techniques overview············································································································ 24
Deploying QoS in a network ·································································································· 25
QoS processing flow in a device····························································································· 25
Command and hardware compatibility···························································································· 26
Configuring a QoS policy ·································································27
Non-MQC approach ··················································································································· 27
MQC approach·························································································································· 27
Configuration procedure diagram·································································································· 27
Defining a traffic class················································································································· 28
Defining a traffic behavior············································································································ 28
Defining a QoS policy ················································································································· 28
Configuring a parent policy···································································································· 28
Configuring a child policy······································································································ 29
Applying the QoS policy ·············································································································· 29
Applying the QoS policy to an interface or PVC·········································································30
Applying the QoS policy to a PW···························································································· 30
Applying the QoS policy to a control plane ··············································································· 31
Applying the QoS policy to the management interface control plane··············································32
Applying the QoS policy to a user profile·················································································· 33
Setting the QoS policy-based traffic rate statistics collection period for an interface ································33
Displaying and maintaining QoS policies ························································································ 34
2
Configuring priority mapping·····························································37
Overview·································································································································· 37
Introduction to priorities ········································································································ 37
Priority maps ······················································································································ 37
Priority mapping configuration tasks ······························································································ 37
Configuring a priority map············································································································ 38
Configuring priority maps······································································································ 38
Configuring a port to trust packet priority for priority mapping······························································38
Changing the port priority of an interface ························································································ 39
Displaying and maintaining priority mapping···················································································· 39
Priority mapping configuration examples ························································································ 40
Priority trust mode configuration example················································································· 40
Priority mapping table and priority marking configuration example ················································ 41
Configuring traffic policing, GTS, and rate limit ·····································44
Overview·································································································································· 44
Traffic evaluation and token buckets ······················································································· 44
Traffic policing ···················································································································· 45
GTS·································································································································· 46
Rate limit ··························································································································· 47
Command and hardware compatibility···························································································· 48
Configuring traffic policing············································································································ 48
Configuring traffic policing by using the MQC approach······························································ 48
Configuring traffic policing by using the non-MQC approach························································ 50
Configuring GTS························································································································ 51
Configuring GTS by using the MQC approach ··········································································51
Configuring GTS by using the non-MQC approach ···································································· 52
Configuring the rate limit·············································································································· 53
Configuring the rate limit for an interface·················································································· 53
Configuring the rate limit for a PW ·························································································· 53
Displaying and maintaining traffic policing, GTS, and rate limit···························································· 54
Traffic policing, GTS, and rate limit configuration examples································································55
Traffic policing and GTS configuration example········································································· 55
Per-IP-address traffic policing configuration example ·································································56
Configuring congestion management··················································58
Overview·································································································································· 58
FIFO································································································································· 58
PQ···································································································································· 59
CQ ··································································································································· 59
WFQ································································································································· 60
CBQ ································································································································· 61
RTPQ ······························································································································· 62
Congestion management technique comparison ······································································· 63
Command and hardware compatibility···························································································· 64
Setting the FIFO queue size········································································································· 65
Setting the FIFO queue size for an interface or PVC ·································································· 65
Setting the FIFO queue size for a PW ····················································································· 65
Configuring PQ·························································································································· 66
Configuration restrictions and guidelines·················································································· 66
Configuration procedure ······································································································· 67
PQ configuration example····································································································· 68
Configuring CQ·························································································································· 69
Configuration restrictions and guidelines·················································································· 69
Configuration procedure ······································································································· 69
Configuring WFQ······················································································································· 70
Configuring WFQ for an interface or PVC················································································· 70
Configuring WFQ for a PW···································································································· 71
Configuring CBQ························································································································ 71
Predefined classes, traffic behaviors, and policies ····································································· 71
Defining a class ·················································································································· 72
3
Defining a traffic behavior ····································································································· 72
Defining a QoS policy··········································································································· 76
Applying the QoS policy········································································································ 76
Setting the maximum available interface bandwidth··································································· 77
Setting the maximum reserved bandwidth as a percentage of available bandwidth ··························77
CBQ configuration example··································································································· 78
Configuring RTPQ······················································································································ 79
Enabling packet information pre-extraction······················································································ 80
Configuring QoS tokens ·············································································································· 80
Displaying and maintaining congestion management········································································ 81
Configuring congestion avoidance ·····················································83
Overview·································································································································· 83
Tail drop···························································································································· 83
RED and WRED ················································································································· 83
Relationship between WRED and queuing mechanisms·····························································84
WRED parameters ·············································································································· 84
Configuring WRED on an interface································································································ 85
Configuration procedure ······································································································· 85
Configuration example ········································································································· 85
Displaying and maintaining WRED································································································ 86
Configuring traffic filtering ································································87
Configuration procedure·············································································································· 87
Configuration example ················································································································ 87
Network requirements·········································································································· 87
Configuration procedure ······································································································· 88
Configuring priority marking······························································89
Configuration procedure·············································································································· 89
Configuration example ················································································································ 90
Network requirements·········································································································· 90
Configuration procedure ······································································································· 90
Configuring traffic redirecting ····························································93
Feature and hardware compatibility······························································································· 93
Configuration procedure·············································································································· 93
Configuration example ················································································································ 94
Network requirements·········································································································· 94
Configuration procedure ······································································································· 94
Configuring QPPB··········································································96
Overview·································································································································· 96
QPPB fundamentals··················································································································· 96
QPPB configuration task list········································································································· 97
Configuring the route sender········································································································ 97
Configuring basic BGP functions···························································································· 97
Creating a routing policy······································································································· 97
Configuring the route receiver······································································································· 97
Configuring basic BGP functions···························································································· 97
Configuring a routing policy···································································································97
Enabling QPPB on the route receiving interface········································································ 98
Configuring a QoS policy ······································································································ 98
Applying the QoS policy to an interface ··················································································· 98
QPPB configuration examples······································································································ 98
QPPB configuration example in an IPv4 network······································································· 98
QPPB configuration example in an MPLS L3VPN···································································· 101
QPPB configuration example in an IPv6 network····································································· 108
Appendixes················································································· 113
Appendix A Acronym ················································································································ 113
Appendix B Default priority maps ································································································ 114
4
Appendix C Introduction to packet precedences············································································· 115
IP precedence and DSCP values ························································································· 115
802.1p priority··················································································································· 116
EXP values ······················································································································ 117
Configuring MPLS QoS ································································· 118
Overview································································································································ 118
Feature and hardware compatibility····························································································· 118
Configuration prerequisites ········································································································ 119
Configuring MPLS CAR············································································································· 119
Configuring MPLS priority marking ······························································································ 119
MPLS QoS configuration example······························································································· 120
Network requirements········································································································ 120
Configuration procedure ····································································································· 121
Verifying the configuration··································································································· 123
Configuring FR QoS ····································································· 124
FR QoS parameters ················································································································· 124
FRTS····································································································································· 124
Functionality····················································································································· 124
How FRTS works ·············································································································· 125
FRTP····································································································································· 126
FR queuing····························································································································· 126
FR interface queuing·········································································································· 127
FR PVC queuing··············································································································· 127
FR DE rule list························································································································· 127
Feature and hardware compatibility····························································································· 128
FR QoS configuration task list ···································································································· 128
Creating and configuring an FR class··························································································· 128
Configuring FRTS ···················································································································· 129
Configuration restrictions and guidelines················································································ 129
Configuration procedure ····································································································· 129
Configuring FRTP ···················································································································· 130
Configuration restrictions and guidelines················································································ 130
Configuration procedure ····································································································· 130
Configuring FR queuing ············································································································ 131
Configuring PVC queuing as FIFO, PQ, CQ, WFQ, or RTPQ····················································· 131
Configuring PVC queuing as CBQ························································································ 131
Configuring interface queuing as PVC PQ·············································································· 132
Configuring an FR DE rule list ···································································································· 132
Configuring Frame Relay FRF.12 fragmentation for an FR class······················································· 133
Displaying and maintaining FR QoS ···························································································· 133
FRTS configuration example······································································································ 134
Network requirements········································································································ 134
Configuration procedure ····································································································· 134
Verifying the configuration··································································································· 134
Configuring time ranges································································· 136
Configuration procedure············································································································ 136
Displaying and maintaining time ranges ······················································································· 136
Time range configuration example······························································································· 136
Document conventions and icons ···················································· 138
Conventions···························································································································· 138
Network topology icons ············································································································· 139
Support and other resources··························································· 140
Accessing Hewlett Packard Enterprise Support·············································································· 140
Accessing updates··················································································································· 140
Websites ························································································································· 141
Customer self repair ·········································································································· 141
Remote support ················································································································ 141
6
Configuring ACLs
Overview
An access control list (ACL) is a set of rules for identifying traffic based on criteria such as source IP
address, destination IP address, and port number. The rules are also called permit or deny
statements.
ACLs are primarily used for packet filtering. "Configuring packet filtering with ACLs" provides an
example. You can use ACLs in QoS, security, routing, and other modules for identifying traffic. The
packet drop or forwarding decisions depend on the modules that use ACLs.
ACL types
Type
ACL number
IP version
Match criteria
Basic ACLs 2000 to 2999 IPv4 Source IPv4 address.
IPv6 Source IPv6 address.
Advanced ACLs 3000 to 3999
IPv4 Source IPv4 address,
destination IPv4
address, packet priority, protocol number, and
other Layer 3 and Layer 4 header fields.
IPv6 Source IPv6 address,
destination IPv6
address, packet priority, protocol number, and
other Layer 3 and Layer 4 header fields.
Layer 2 ACLs 4000 to 4999 IPv4 and IPv6
Layer 2 header fields, such as source and
destination MAC
addresses, 802.1p priority,
and link layer protocol type.
Numbering and naming ACLs
When creating an ACL, you must assign it a number or name for identification. You can specify an
existing ACL by its number or name. Each ACL type has a unique range of ACL numbers.
For an IPv4 basic or advanced ACL, its ACL number or name must be unique in IPv4. For an IPv6
basic or advanced ACL, its ACL number and name must be unique in IPv6. For an ACL of a type
other than IPv4 or IPv6, its ACL number or name must be globally unique.
Match order
The rules in an ACL are sorted in a specific order. When a packet matches a rule, the device stops
the match process and performs the action defined in the rule. If an ACL contains overlapping or
conflicting rules, the matching result and action to take depend on the rule order.
The following ACL match orders are available:
•
config—Sorts ACL rules in ascending order of rule ID. Arule with a lower ID is matched before
a rule with a higher ID. If you use this method, check the rules and their order carefully.
•
auto—Sorts ACL rules in depth-first order. Depth-first ordering makes sure any subset of a rule
is always matched before the rule. Table 1 lists the sequence of tie breakers that depth-first
ordering uses to sort rules for each type of ACL.
7
Table 1 Sort ACL rules in depth-first order
ACL type
Sequence of tie breakers
IPv4 basic ACL
1. VPN instance.
2. More 0s in the source IPv4 address wildcard (more 0s means a
narrower IPv4 address range).
3. Rule configured earlier.
IPv4 advanced ACL
4. VPN instance.
5. Specific protocol number.
6. More 0s in the source IPv4 address wildcard mask.
7. More 0s in the destination IPv4 address wildcard.
8. Narrower TCP/UDP service port number range.
9. Rule configured earlier.
IPv6 basic ACL
10. VPN instance.
11. Longer prefix for the source IPv6 address (a longer prefix means a
narrower IPv6 address range).
12. Rule configured earlier.
IPv6 advanced ACL
13. VPN instance.
14. Specific protocol number.
15. Longer prefix for the source IPv6 address.
16. Longer prefix for the destination IPv6 address.
17. Narrower TCP/UDP service port number range.
18. Rule configured earlier.
Layer 2 ACL
19. More 1s in the source MAC address mask(more1s means a smaller
MAC address).
20. More 1s in the destination MAC address mask.
21. Rule configured earlier.
A wildcard mask, also called an inverse mask, is a 32-bit binary number represented in dotted
decimal notation. In contrast to a network mask, the 0 bits in a wildcard mask represent "do care"
bits, and the 1 bits represent "don't care" bits. If the "do care" bits in an IP address are identical to the
"do care" bits in an IP address criterion, the IP address matches the criterion. All "don't care" bits are
ignored. The 0s and 1s in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a
valid wildcard mask.
Rule numbering
ACL rules can be manually numbered or automatically numbered. This section describes how
automatic ACL rule numbering works.
Rule numbering step
If you do not assign an ID to the rule you are creating, the system automatically assigns it a rule ID.
The rule numbering step sets the increment by which the system automatically numbers rules. For
example, the default ACLrule numbering step is 5. If you do not assign IDs to rules you are creating,
they are automatically numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more
rules you can insert between two rules.
By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility
of inserting rules in an ACL. This feature is important for a config-order ACL, where ACL rules are
matched in ascending order of rule ID.
Automatic rule numbering and renumbering
The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step
to the current highest rule ID, starting with 0.
8
For example, if the step is 5, and there are five rules numbered 0, 5, 9, 10, and 12, the newly defined
rule is numbered 15. If the ACL does not contain a rule, the first rule is numbered 0.
Whenever the step changes, the rules are renumbered, starting from 0. For example, changing the
step from 5 to 2 renumbers rules 5, 10, 13, and 15 as rules 0, 2, 4, and 6.
Fragment filtering with ACLs
Traditional packet filtering matches only first fragments of packets, and allows all subsequent
non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks.
To avoid risks, the ACL feature is designed as follows:
•
Filters all fragments by default, including non-first fragments.
•
Allows for matching criteria modification for efficiency. For example, you can configure the ACL
to filter only non-first fragments.
Command and hardware compatibility
Commands and descriptions for centralized devices apply to the following routers:
•
MSR954 (JH296A/JH297A/JH298A/JH299A/JH373A).
•
MSR958 (JH300A/JH301A).
•
MSR1002-4/1003-8S.
•
MSR2003.
•
MSR2004-24/2004-48.
•
MSR3012/3024/3044/3064.
Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers.
Configuration restrictions and guidelines
Matching packets are forwarded through slow forwarding if an ACL rule contains match criteria or
has functions enabled in addition to the following match criteria and functions:
•
Source and destination IP addresses.
•
Source and destination ports.
•
Transport layer protocol.
•
ICMP or ICMPv6 message type, message code, and message name.
•
VPN instance.
•
Logging.
•
Time range.
Slow forwarding requires packets to be sent to the control plane for forwarding entry calculation,
which affects the device forwarding performance.
9
Configuration task list
Tasks at a glance
(Required.) Perform one or more of the following tasks:
•Configuring a basic ACL
•Configuring an advanced ACL
•Configuring a Layer 2 ACL
(Optional.) Copying an ACL
(Optional.) Configuring packet filtering with ACLs
(Optional.) Enabling ACL acceleration
Configuring a basic ACL
This section describes procedures for configuring IPv4 and IPv6 basic ACLs.
Configuring an IPv4 basic ACL
IPv4 basic ACLs match packets based only on source IP addresses.
To configure an IPv4 basic ACL:
Step
Command
Remarks
22. Enter system view. system-view N/A
23. Create an IPv4
basic ACL
and enter its view. acl basic { acl-number | name
acl-name } [ match-order { auto |
config } ]
By default, no ACLs exist.
The value range for a numbered
IPv4 basic ACL is 2000 to 2999.
Use the acl basic acl-number
command to enter the view of a
numbered IPv4 basic ACL.
Use the acl basic name
acl-name command to enter the
view of a named IPv4 basic ACL.
24. (Optional.) Configure a
description forthe IPv4 basic
ACL. description text
By default, an IPv4 basic ACL
does not have a description.
25. (Optional.) Set the rule
numbering step. step step-value The default setting is 5.
10
Step
Command
Remarks
26. Create or edit a rule.
rule [ rule-id ] { deny | permit }
[ counting | fragment |logging |
source {object-group
address-group-name |
source-address source-wildcard |
any } | time-range
time-range-name | vpn-instance
vpn-instance-name ] *
B
y default, no IPv4 basic ACL
rules exist.
The logging keyword takes effect
only when the module (for
example, packet filtering) that
uses the ACL supports logging.
27. (Optional.) Add or edit a rule
comment. rule rule-id comment text By default, no rule comment is
configured.
Configuring an IPv6 basic ACL
IPv6 basic ACLs match packets based only on source IP addresses.
To configure an IPv6 basic ACL:
Step
Command
Remarks
1. Enter system view. system-view N/A
2. Create an IPv6
basic ACL
view and enter its view. acl ipv6 basic { acl-number |
name acl-name } [ match-order
{ auto | config } ]
By default, no ACLs exist.
The value range for a numbered
IPv6 basic ACL is 2000 to 2999.
Use the acl ipv6 basic
acl-number command to enter the
view of a numbered IPv6 basic
ACL.
Use the acl ipv6 basic name
acl-name
command to enter the
view of a named IPv6 basic ACL.
3. (Optional.) Configure a
description for the IPv6 basic
ACL. description text By default, an IPv6 basic ACL
does not have a description.
4. (Optional.) Set the rule
numbering step. step step-value The default setting is 5.
5. Create or edit a rule.
rule [ rule-id ] { deny | permit }
[ counting | fragment |logging |
routing [ type routing-type ] |
source { object-group
address-group-name |
source-address source-prefix |
source-address/source-prefix |
any } | time-range
time-range-name | vpn-instance
vpn-instance-name ] *
B
y default, no IPv6 basic ACL
rules exist.
The logging keyword takes effect
only when the module (for
example, packet filtering) that
uses the ACL supports logging.
6. (Optional.) Add or edit a rule
comment. rule rule-id comment text By default, no rule comment is
configured.
Configuring an advanced ACL
This section describes procedures for configuring IPv4 and IPv6 advanced ACLs.
11
Configuring an IPv4 advanced ACL
IPv4 advanced ACLs match packets based on the following criteria:
•
Source IP addresses.
•
Destination IP addresses.
•
Packet priorities.
•
Protocol numbers.
•
Other protocol header information, such as TCP/UDP source and destination port numbers,
TCP flags, ICMP message types, and ICMP message codes.
Compared to IPv4 basic ACLs, IPv4 advanced ACLs allow more flexible and accurate filtering.
To configure an IPv4 advanced ACL:
Step
Command
Remarks
1. Enter system view. system-view N/A
2.
Create an IPv4 advanced
ACL and enter its view. acl advanced { acl-number |
name acl-name } [ match-order
{ auto | config } ]
By default, no ACLs exist.
The value range for a numbered
IPv4 advanced ACL is
3000 to
3999.
Use the acl advanced
acl-number command to enter the
view of a numbered IPv4
advanced ACL.
Use the acl advanced name
acl-name command to enter the
view of a named IPv4 advanced
ACL.
3. (Optional.) Configure a
description
for the IPv4
advanced ACL. description text
By default, an IPv4 advanced
ACL does not have a description.
4. (Optional.) Set the rule
numbering step. step step-value The default setting is 5.
12
Step
Command
Remarks
5. Create or edit a rule.
rule [ rule-id ] { deny | permit }
protocol [ { { ack ack-value | fin
fin-value | psh psh-value | rst
rst-value | syn syn-value | urg
urg-value } * | established
} |
counting | destination
{ object-group
address-group-name |
dest-address dest-wildcard | any }
| destination-port
{ object-group port-group-name |
operator port1 [ port2 ] } | { dscp
dscp | { precedence precedence |
tos tos } * } | fragment |
icmp-type { icmp-type
[ icmp-code ] | icmp-message } |
logging | source { object-group
address-group-name |
source-address source-wildcard |
any } | source-port
{ object-group port-group-name |
operator port1 [ port2 ]
} |
time-range time-range-name |
vpn-instance
vpn-instance-name ] *
By default
, no IPv4 advanced
ACL rules exist.
The logging keyword takes effect
only when the module (for
example, packet filtering) that
uses the ACL supports logging.
6. (Optional.) Add or edit a rule
comment. rule rule-id comment text By default, no rule comment is
configured.
Configuring an IPv6 advanced ACL
IPv6 advanced ACLs match packets based on the following criteria:
•
Source IPv6 addresses.
•
Destination IPv6 addresses.
•
Packet priorities.
•
Protocol numbers.
•
Other protocol header fields such as the TCP/UDP source port number, TCP/UDP destination
port number, ICMPv6 message type, and ICMPv6 message code.
Compared to IPv6 basic ACLs, IPv6 advanced ACLs allow more flexible and accurate filtering.
To configure an IPv6 advanced ACL:
Step
Command
Remarks
1. Enter system view. system-view N/A
13
Step
Command
Remarks
2.
Create an IPv6 advanced
ACL and enter its view. acl ipv6 advanced { acl-number |
name acl-name } [ match-order
{ auto | config } ]
By default, no ACLs exist.
The value range for a numbered
IPv6 advanced ACL is
3000 to
3999.
Use the acl ipv6 advanced
acl-number command to enter the
view of a numbered IPv6
advanced ACL.
Use the acl ipv6 advanced
name acl-name
command to
enter the view of a named IPv6
advanced ACL.
3. (Optional.) Configure a
description for the IPv6
advanced ACL. description text By default, an IPv6 advanced
ACL does not have a description.
4. (Optional.) Set the rule
numbering step. step step-value The default setting is 5.
5. Create or edit a rule.
rule [ rule-id ] { deny | permit }
protocol [ { { ack ack-value | fin
fin-value | psh psh-value | rst
rst-value | syn syn-value | urg
urg-value } * | established
} |
counting | destination
{object-group
address-group-name |
dest-address dest-prefix |
dest-address/dest-prefix |any } |
destination-port { object-group
port-group-name | operator port1
[port2 ] } | dscp dscp |flow-label
flow-label-value | fragment |
icmp6-type { icmp6-type
icmp6-code | icmp6-message } |
logging | routing [ type
routing-type ] | hop-by-hop [ type
hop-type ] | source
{object-group
address-group-name |
source-address source-prefix |
source-address/source-prefix |
any } | source-port
{ object-group port-group-name |
operator port1 [ port2 ] } |
time-range time-range-name |
vpn-instance
vpn-instance-name ] *
By default
, no IPv6 advanced
ACL rules exist.
The logging keyword takes effect
only w
hen the module (for
example, packet filtering) that
uses the ACL supports logging.
6. (Optional.) Add or edit a rule
comment. rule rule-id comment text By default, no rule comment is
configured.
Configuring a Layer 2 ACL
Layer 2 ACLs, also called "Ethernet frame header ACLs," match packets based on Layer 2 Ethernet
header fields, such as:
•
Source MAC address.
•
Destination MAC address.
14
•
802.1p priority (VLAN priority).
•
Link layer protocol type.
To configure a Layer 2 ACL:
Step
Command
Remarks
1. Enter system view. system-view N/A
2.
Create a Layer 2 ACL and
enter its view. acl mac { acl-number | name
acl-name } [ match-order { auto |
config } ]
By default, no ACLs exist.
The value range for a numbered
Layer 2 ACL is 4000 to 4999.
Use the acl mac acl-number
command to enter the view of a
numbered Layer 2 ACL.
Use the acl mac name acl-name
command to enter the view of a
named Layer 2 ACL.
3. (Optional.) Configure a
description for the
Layer 2
ACL. description text By default, a Layer 2 ACL does
not have a description.
4. (Optional.) Set the rule
numbering step. step step-value The default setting is 5.
5. Create or edit a rule.
rule [ rule-id ] { deny | permit }
[ cos dot1p | counting |
dest-mac dest-address
dest-mask | { lsap lsap-type
lsap-type-mask | type
protocol-type
protocol-type-mask } |
source-mac source-address
source-mask | time-range
time-range-name ] *
By default,no Layer 2 ACL rules
exist.
6. (Optional.) Add or edit a rule
comment. rule rule-id comment text By default, no rule comment is
configured.
Copying an ACL
You can create an ACL by copying an existing ACL (source ACL). The new ACL (destination ACL)
has the same properties and content as the source ACL, but uses a different number or name than
the source ACL.
To successfully copy an ACL, make sure:
•
The destination ACL number is from the same type as the source ACL number.
•
The source ACL already exists, but the destination ACL does not.
To copy an ACL:
Step
Command
1. Enter system view. system-view
2. Copy an existing ACL to create a new ACL. acl [ ipv6 | mac ] copy { source-acl-number | name
source-acl-name } to { dest-acl-number | name
dest-acl-name }
15
Configuring packet filtering with ACLs
This section describes procedures for applying an ACL to filter incoming or outgoing IPv4 or IPv6
packets on the specified interface.
Applying an ACL to an interface for packet filtering
Step
Command
Remarks
1. Enter system view. system-view N/A
2. Enter interface view. interface interface-type
interface-number
Layer 2 interfaces are not
supported.
3. Apply an ACLto the interface
to filter packets. packet-filter [ ipv6 | mac ]
{ acl-number | name acl-name }
{ inbound | outbound }
By default, an interface does not
filter packets.
You can apply up to 32 ACLs to
the same direction of an interface.
Applying an ACL to a zone pair for packet filtering
Step
Command
Remarks
1. Enter system view. system-view N/A
2. Enter zone pair view. zone-pair security source
source-zone-name destination
destination-zone-name N/A
3.
Apply an ACL to the zone
pair to filter packets. packet-filter [ ipv6 ] { acl-number
| name acl-name }
By default
, a zone pair does not
filter packets.
You can apply up to 32 ACLs to
the same zone pair.
For more information about zone
pair, see Fundamentals
Configuration Guide.
Configuring logging and SNMP notifications for packet
filtering
You can configure the ACL module to generate log entries or SNMP notifications for packet filtering
and output them to the information center or SNMP module at the output interval. The log entry or
notification records the number of matching packets and the matched ACL rules. If an ACL is
matched for the first time, the device immediately outputs a log entry or notification to record the
matching packet.
For more information about the information center and SNMP, see Network Management and
Monitoring Configuration Guide.
To configure logging and SNMP notifications for packet filtering:
Step
Command
Remarks
1. Enter system view. system-view N/A
16
Step
Command
Remarks
2. Set the interval for outputting
packet filtering logs or
notifications. acl { logging | trap } interval
interval
The default setting is 0 minutes.
By default, the
device does not
generate log entries or SNMP
notifications for packet filtering.
Setting the packet filtering default action
Step
Command
Remarks
1. Enter system view. system-view N/A
2.
Set the packet filtering
default action to deny. packet-filter default deny By default, the packet filter
permits packets that do not match
any ACL rule to pass.
NOTE:
The packet filtering default action does not take effect on zone pair packet filtering. The default
action for zone pair packet filtering is deny.
Enabling hardware-count for the packet filtering default
action
When you enable hardware-count for the packet filtering default action on an interface, the interface
counts how many times the packet filtering default action is performed.
To enable the hardware-count feature for the packet filtering default action on an interface, make
sure you have applied ACLs to the interface for packet filtering.
To enable hardware-count for the packet filtering default action:
Step
Command
Remarks
1. Enter system view. system-view N/A
2. Enter interface view. interface interface-type
interface-number N/A
3. Enable hardware-
count for
the packet filtering default
action on the interface. packet-filter default { inbound |
outbound } hardware-count
By default, hardware-
count is
disabled for the packet filtering
default action.
Enabling ACL acceleration
ACL acceleration speeds up ACL rule lookup. The acceleration effect increases with the number of
ACL rules. For example, when a large ACL is used for a session-based service, such as NAT or
ASPF, ACL acceleration can avoid session timeouts caused by ACL processing delays.
To enable ACL acceleration:
Step
Command
Remarks
1. Enter system view. system-view N/A
17
Step
Command
Remarks
2. Create an ACL and enter its
view.
acl { [ ipv6 ] {advanced |basic }
{acl-number | name acl-name } |
mac { acl-number | name
acl-name } } [ match-order { auto
| config } ]
N/A
3. Enable ACL acceleration for
the ACL. accelerate B
y default, ACL acceleration is
disabled.
Displaying and maintaining ACLs
Execute display commands in any view and reset commands in user view.
Task
Command
Display ACL acceleration status
(centralized devices in standalone mode). display acl accelerate{ summary [ ipv6 | mac ] | verbose
[ ipv6 | mac ] { acl-number | name acl-name } }
Display ACL acceleration status
(distributed devices in standalone
mode/centralized devices in IRF mode).
display acl accelerate{ summary [ ipv6 | mac ] | verbose
[ ipv6 | mac ] { acl-number | name acl-name } slot
slot-number }
Display ACL acceleration status
(distributed devices in IRF mode).
display acl accelerate{ summary [ ipv6 | mac ] | verbose
[ ipv6 | mac ] { acl-number | name acl-name } chassis
chassis-number slot slot-number }
Display ACL configuration and match
statistics. display acl [ ipv6 | mac ] { acl-number | all | name acl-name }
Display ACL application information for
packet filtering (cen
tralized devices in
standalone mode).
display packet-filter { interface [ interface-type
interface-number ] [ inbound | outbound ] | zone-pair
security [ source source-zone-name destination
destination-zone-name ] }
Display ACL application information for
packet filtering
(distributed devices in
standalone mode/centralized devices in
IRF mode).
display packet-filter { interface [ interface-type
interface-number ] [ inbound | outbound ] | zone-pair
security [ source source-zone-name destination
destination-zone-name ] } [ slot slot-number ]
Display ACL application information for
packet filtering (distributed devices in IRF
mode).
display packet-filter { interface [ interface-type
interface-number ] [ inbound | outbound ] | zone-pair
security [ source source-zone-name destination
destination-zone-name ] } [ chassis chassis-number slot
slot-number ]
Display match statistics and default action
statistics for packet filtering ACLs.
display packet-filter statistics { interface interface-type
interface-number { inbound | outbound } [ default | [ ipv6 |
mac ] { acl-number | name acl-name } ] | zone-pair security
source source-zone-name destination
destination-zone-name [ [ ipv6 ] { acl-number | name
acl-name } ] } [ brief ]
Display
the accumulated statistics for
packet filtering ACLs. display packet-filter statistics sum { inbound | outbound }
[ ipv6 | mac ] { acl-number | name acl-name } [ brief ]
18
Task
Command
Display detailed
ACL packet filtering
information (c
entralized devices in
standalone mode).
display packet-filter verbose { interface interface-type
interface-number { inbound | outbound } [ [ ipv6 | mac ]
{ acl-number | name acl-name } ] | zone-pair security
source source-zone-name destination
destination-zone-name [ [ ipv6 ] { acl-number | name
acl-name } ] }
Display detailed
ACL packet filtering
information (distributed devices in
standalone mode/c
entralized devices in
IRF mode).
display packet-filter verbose { interface interface-type
interface-number { inbound | outbound } [ [ ipv6 | mac ]
{ acl-number | name acl-name } ] | zone-pair security
source source-zone-name destination
destination-zone-name [ [ ipv6 ] { acl-number | name
acl-name } ] } [ slot slot-number ]
Display detailed
ACL packet filtering
information (distributed devices i
n IRF
mode).
display packet-filter verbose { interface interface-type
interface-number { inbound | outbound } [ [ ipv6 | mac ]
{ acl-number | name acl-name } ] | zone-pair security
source source-zone-name destination
destination-zone-name [ [ ipv6 ] { acl-number | name
acl-name } ] } [ chassis chassis-number slot slot-number ]
Clear ACL statistics. reset acl [ ipv6 | mac ] counter { acl-number | all | name
acl-name }
Clear match statistics (including the
accumulated statistics) and default action
statistics for packet filtering ACLs.
reset packet-filter statistics { interface [ interface-type
interface-number ] { inbound | outbound } [ default | [ ipv6 |
mac ] { acl-number | name acl-name } ] | zone-pair security
[ source source-zone-name destination
destination-zone-name ] [ [ ipv6 ] { acl-number | name
acl-name } ] }
ACL configuration examples
Interface-based packet filter configuration example
Network requirements
A company interconnects its departments through the device. Configure a packet filter to:
•
Permit access from the President's office at any time to the financial database server.
•
Permit access from the Financial department to the database server only during working hours
(from 8:00 to 18:00) on working days.
•
Deny access from any other department to the database server.
Other manuals for FlexNetwork MSR Series
2
Table of contents
Other HP Network Router manuals
HP
HP FlexNetwork HSR6800 Installation manual
HP
HP 3600 v2 Series User manual
HP
HP MSR930 Series User manual
HP
HP A-MSR20 User manual
HP
HP A-MSR900 Series User manual
HP
HP J3138A User manual
HP
HP A6602 User manual
HP
HP HPE FlexNetwork MSR Router Series User manual
HP
HP MSR930 Series Assembly instructions
HP
HP MSR2000 Series User manual
HP
HP A8800 Series User manual
HP
HP N1200 - StorageWorks Network Storage Router User manual
HP
HP A-MSR30-16 Installation instructions
HP
HP A5500 EI Switch Series Installation manual
HP
HP MSR SERIES User manual
HP
HP FlexNetwork MSR3044 Assembly instructions
HP
HP MSR4080 User manual
HP
HP FlexFabric 12500E User manual
HP
HP A8800 Series Installation manual
HP
HP FlexNetwork HSR6800 User manual
