2. Course Objectives
Through this course, you will:
Learn about the M6000/T8000 ACL features
Master the ACL configuration steps
Learn about the ACL configuration examples
Learn about M6000/T8000 ACL fault treatment
3. Contents
ZXR10 M6000/T8000 ACL Features
ACL Configuration Step
Time Range Module
IPv4-ACL
LINK-ACL
ACL Configuration Example
ACL Maintenance & Fault Treatment
4. ZXR10 M6000/T8000 ACL Features
IPv4-ACL
Source address-based ACL
TCP-based ACL
UDP-based ACL
ICMP-based ACL
Link-ACL
MAC-based ACL
MAC- and VLAN-based ACL
Link protocol- and MAC-based ACL
Link protocol-, VLAN- and MAC-based ACL
IPv6 ACL
6. ACL Configuration Step
(Optional) Configure the time range module.
1. Create an ACL (ipv4-access-list). The user can name the list.
2. Enter IPv4 ACL configuration mode after the list is created, and add rules there. Each rule designates one kind of packet and defines whether that kind of packet is denied or permitted.
3. According to the traffic filtering requirements, bind the customized ipv4-access-list to the ingress or egress of the interface whose traffic is to be filtered.
7. Time Range Module Introduction
The time range module is mainly used to activate and deactivate other application modules on a schedule. For example, a company forbids employees from browsing the Internet during working hours but permits it in their free time. This is done by binding a time range to an ACL.
The user can configure multiple time ranges. Every time range has its own name. A time range can define multiple relative time segments and one absolute time segment.
A time range is currently active when the current time is within the absolute time segment or satisfies any relative time segment.
8. Time Range Module Introduction (Cont.)
A time range takes effect in the following three situations:
Only an absolute time segment is configured, and the current system time is within the configured absolute time segment.
Only relative time segments are configured. No matter how many relative time segments are configured, the time range is effective if the current system time meets any one of them.
Both absolute and relative time segments are configured. The time range is effective only when the current system time meets the absolute time segment and any one relative time segment.
9. Time Range Module Configuration
1. Enable the time range function.
ZXR10(config)#time-range {enable | disable}
2. Create and name a time range, and enter time range configuration mode.
ZXR10(config)#time-range <time-range-name>
3. Configure time segment rules.
Absolute time segment:
ZXR10(config-tr)#absolute [start <time-data>] [end <time-data>]
Relative time segment:
ZXR10(config-tr)#periodic [<days-of-week>] <hh:mm:ss> to [<days-of-week>] <hh:mm:ss>
10. Time Range Module Configuration Example
Example
ZXR10(config)#time-range enable
ZXR10(config)#time-range test
ZXR10(config-tr)#absolute start 10:10:15 11-12-2010 end 10:10:15 12-12-2010
ZXR10(config-tr)#periodic daily 09:00:00 to 12:00:00
ZXR10(config-tr)#periodic daily 14:00:00 to 17:00:00
Configuration check
ZXR10(config)#show time-range
Current time is 08:36:03 08-14-2009 Friday
time-range test <inactive>
absolute start 10:10:15 11-12-2010 end 10:10:15 12-12-2010
periodic daily 09:00:00 to 12:00:00
periodic daily 14:00:00 to 17:00:00
12. Maintaining IPv4-ACL
Show the ACL list and its brief information:
ZXR10#show ipv4-access-lists [{name <acl-name> | brief [name <acl-name>]}]
Show the binding information:
ZXR10#show ipv4-access-groups [[by-access-list <acl-name>] [by-direction {ingress | egress}] [by-interface <interface-name>]]
14. LINK-ACL Configuration Step (Cont.)
Configure a link protocol and MAC-based ACL rule:
ZXR10(config-link-acl)#rule [<rule-id>] {permit | deny} link-protocol <value> {source-mac [<source-mac-wildcard>] | any} {time-range <name>}
Configure a link protocol, VLAN and MAC-based ACL rule:
ZXR10(config-link-acl)#rule [<rule-id>] {permit | deny} link-protocol <value> {source-mac [<source-mac-wildcard>] | any} [{inner-cos <value> | inner-vlan <value> | outer-cos <value> | outer-vlan <value>}] [time-range <name>]
3. Bind the ACL to an interface.
ZXR10(config)#link-access-group interface <interface-name> {ingress | egress} <acl-name>
16. Example 1 — Filter Telnet access to the router
Use an ACL to restrict access from VTY:
ZXR10(config)#line telnet access-class <acl-name>
Only permit Telnet access from the 192.89.55.0 segment:
ZXR10(config)#ipv4-access-list test1
ZXR10(config-ipv4-acl)#rule 11 permit 192.89.55.0 0.0.0.255
ZXR10(config-ipv4-acl)#exit
ZXR10(config)#line telnet access-class test1
17. Example 2 — Standard ACL
[Topology figure: networks 172.16.3.0 and 172.16.4.0 (host 172.16.4.13) on interfaces gei-0/1/0/2 and gei-0/1/0/1; interface S0 faces the non-172.16.0.0 segment]
Permit the two side networks to communicate:
ZXR10(config)#ipv4-access-list test
ZXR10(config-ipv4-acl)#rule 11 permit 172.16.0.0 0.0.255.255
ZXR10(config-ipv4-acl)#exit
ZXR10(config)#ipv4-access-group gei-0/1/0/1 egress test
ZXR10(config)#ipv4-access-list test2
ZXR10(config-ipv4-acl)#rule 12 permit 172.16.0.0 0.0.255.255
ZXR10(config-ipv4-acl)#exit
ZXR10(config)#ipv4-access-group gei-0/1/0/1 egress test2
ZXR10(config)#ipv4-access-group gei-0/1/0/2 egress test2
18. Example 3 — Standard ACL
[Topology figure: networks 172.16.3.0 and 172.16.4.0 (host 172.16.4.13) on interfaces gei-0/1/0/2 and gei-0/1/0/1; interface S0 faces the non-172.16.0.0 segment]
Deny access from 172.16.4.13 to the 172.16.3.0 segment:
ZXR10(config)#ipv4-access-list test3
ZXR10(config-ipv4-acl)#rule 13 deny 172.16.4.13 0.0.0.0
ZXR10(config-ipv4-acl)#rule 14 permit any
ZXR10(config-ipv4-acl)#exit
ZXR10(config)#ipv4-access-group gei-0/1/0/2 egress test3
19. Example 4 — Extended ACL
PC1 and PC2 both send Telnet requests to R1 through R2, but R1 only wants to receive the Telnet requests coming from PC1, not from PC2.
To meet R1's requirement, bind an ACL to the ingress of gei-0/1/0/1 to filter the Telnet packets coming from PC2 (the ACL can also be bound to the egress of gei-0/1/0/2).
[Topology figure: PC1 and PC2 (10.20.30.20) connect to R2's gei-0/1/0/1; R2's gei-0/1/0/2 connects to R1 (30.20.10.1)]
20. Configuration on R2
R2(config)#ipv4-access-list test
R2(config-ipv4-acl)#rule 10 deny tcp 10.20.30.20 0.0.0.0 30.20.10.1 0.0.0.0 eq telnet
R2(config-ipv4-acl)#rule 20 permit any
R2(config-ipv4-acl)#exit
R2(config)#ipv4-access-group gei-0/1/0/1 ingress test
21. Configuration Check
Show the binding information:
R2(config)#show ipv4-access-groups
Interface name    Direction    ACL name
---------------------------------------------------------
gei-0/1/0/1       Ingress      test
Show the configured ACL:
R2(config)#show ipv4-access-lists name test
ipv4-access-list test
2/2 (showed/total)
rule 10 deny tcp 10.20.30.20 0.0.0.0 30.20.10.1 0.0.0.0 eq telnet
rule 20 permit any
22. Example 5 — Time range ACL
1. PC1 is forbidden to telnet R1 from 09:00:00 to 12:00:00 and from 14:00:00 to 17:00:00 daily.
2. PC1 is forbidden to telnet R1 from 10:10:15 11-12-2010 to 10:10:15 12-12-2010.
[Topology figure: PC1 connects to R2's gei-0/1/0/3; R2 also has gei-0/1/0/1 and gei-0/1/0/2; R1 is 30.20.10.1]
23. Configuration on R2
1. Create a time-range.
R2(config)#time-range enable
R2(config)#time-range test /*This creates a time-range and names it test.*/
2. Add time segments to the time-range.
R2(config-tr)#absolute start 10:10:15 11-12-2010 end 10:10:15 12-12-2010
R2(config-tr)#periodic daily 09:00:00 to 12:00:00
R2(config-tr)#periodic daily 14:00:00 to 17:00:00
24. Configuration on R2 (Cont.)
3. Create the ACL and bind it to the time-range.
R2(config)#ipv4-access-list test
R2(config-ipv4-acl)#rule 1 deny tcp 10.20.30.20 0.0.0.0 30.20.10.1 0.0.0.0 eq telnet time-range test
R2(config-ipv4-acl)#rule 2 permit any
R2(config-ipv4-acl)#exit
R2(config)#ipv4-access-group gei-0/1/0/3 ingress test
/*The binding is successful. The ACL only takes effect in the specified time segments.*/
26. ACL Malfunctions
The following ACL configuration faults are likely to appear:
Failure to create an ACL list with the specified name.
Failure to bind an ACL to an interface.
ACL filtering works improperly: traffic that should be permitted is denied, while traffic that should be denied is still forwarded by the device.
27. ACL Troubleshooting
To locate and solve the faults, perform the following inspections.
The ACL name supports at most 31 characters and cannot contain a quotation mark, question mark or space.
The ACL name is case sensitive.
It is not recommended to perform the binding before creating the ACL, even though the ZXR10 M6000 supports this.
Binding an empty ACL list to an interface means that all packets are permitted.
A "deny any" rule is added automatically at the end of the list when a non-empty ACL list is bound to an interface, which means packets that match none of the rules are denied.
If an ACL rule is bound to a time-range, it takes effect only when the time-range is in the active state.
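As an added example (not ZTE's code or the router's implementation), the following Python model applies the ACL semantics this page states, covering the time-range situations on slide 8 and the troubleshooting points above: wildcard matching, first match in rule-id order, permit-all for an empty bound list, the automatic trailing "deny any" on a non-empty bound list, and skipping a rule whose time-range is inactive. It parses rule lines in the exact form used in the examples; times are assumed to be ISO "YYYY-MM-DD HH:MM:SS" strings rather than the router's hh:mm:ss mm-dd-yyyy display format.

```python
from ipaddress import IPv4Address

def wildcard_match(addr, base, wildcard):
    """Wildcard mask as on the slides: set bits are don't-care, 0.0.0.0 means this exact host."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def time_range_active(tr, now):
    """The three situations on the time-range slide; 'now' is an ISO 'YYYY-MM-DD HH:MM:SS' string."""
    abs_ok = tr["absolute"][0] <= now <= tr["absolute"][1] if tr.get("absolute") else True
    rel_ok = any(s <= now[11:] <= e for s, e in tr["periodic"]) if tr.get("periodic") else True
    return abs_ok and rel_ok  # both configured: absolute AND any one relative segment must hold

def parse_rule(line):
    """Parse one 'rule <id> {permit|deny} ...' line as written in the page's examples."""
    tok = line.split()
    r = dict(id=int(tok[1]), action=tok[2], proto=None, src=None, dst=None, dport=None, tr=None)
    rest = tok[3:]
    if rest[0] in ("tcp", "udp", "icmp"):
        r["proto"] = rest.pop(0)
    if rest[0] == "any":
        rest.pop(0)
    else:  # standard ACL: source + wildcard; extended ACL adds destination + wildcard
        r["src"] = (rest.pop(0), rest.pop(0))
        if len(rest) >= 2 and rest[0][0].isdigit():
            r["dst"] = (rest.pop(0), rest.pop(0))
    while rest:  # trailing keyword/value pairs
        key, val = rest.pop(0), rest.pop(0)
        if key == "eq":
            r["dport"] = {"telnet": 23}.get(val) or int(val)
        elif key == "time-range":
            r["tr"] = val
    return r

def acl_decision(rules, time_ranges, pkt, now):
    """First match in rule-id order; empty list permits all; a bound non-empty list ends in the
    automatic 'deny any'; a rule whose time-range is inactive is skipped."""
    if not rules:
        return "permit"
    for r in sorted(rules, key=lambda x: x["id"]):
        if r["tr"] and not time_range_active(time_ranges[r["tr"]], now):
            continue
        if (r["proto"] and r["proto"] != pkt["proto"]) or \
           (r["dport"] is not None and pkt.get("dport") != r["dport"]):
            continue
        if (r["src"] and not wildcard_match(pkt["src"], *r["src"])) or \
           (r["dst"] and not wildcard_match(pkt["dst"], *r["dst"])):
            continue
        return r["action"]
    return "deny"
```

Feeding it the Example 5 rules and time-range shows why a "permitted" flow is denied only inside the configured windows, and why a packet matching no rule of a non-empty list is dropped.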
28. Treatment Scheme
Assume that packets with the source address 1.1.1.1/32 should be permitted. However, these packets cannot be forwarded.
29. Treatment Steps
1. To check whether the packets to be filtered are covered by an ACL rule, use the show ipv4-access-list name <acl-name> command.
2. Inspect the output of show time-range <name>. Compare the action attributes of the rules and check whether the order of the rules is correct.
3. If the ACL is bound to a time-range, inspect the state of the time-range.
4. To check that the binding relationship (name and direction) is correct, use the show ipv4-access-group command.
5. To check whether the interface configuration conflicts with the ACL, use the show running command.
30. Course Review
ZXR10 M6000/T8000 ACL features
What’s the function of time range module?
ACL configuration steps
ACL troubleshooting