ZXR10 M6000/T8000 ACL
Configuration
Course Objectives
Through learning this course, you will:
Learn about the M6000/T8000 ACL features
Master the ACL configuration steps
Learn about the ACL configuration examples
Learn about the M6000/T8000 ACL fault treatment
Contents
ZXR10 M6000/T8000 ACL Features
ACL Configuration Step
Time Range Module
IPv4-ACL
LINK-ACL
ACL Configuration Example
ACL Maintenance & Fault Treatment
ZXR10 M6000/T8000 ACL Features
IPv4-ACL
source address-based ACL
TCP based ACL
UDP based ACL
ICMP based ACL
Link-ACL
MAC-based ACL
MAC and VLAN based ACL
link protocol and MAC based ACL
link protocol, VLAN and MAC based ACL
IPv6 ACL
ACL Configuration Step
(Optional) Configure the time range module.
1. Create an ACL with ipv4-access-list. The user can name the list.
2. After the list is created, enter IPv4 ACL configuration mode and add rules. Each rule designates a kind of packet and defines whether that kind of packet is denied or permitted.
3. According to the traffic-filtering requirements, bind the customized ipv4-access-list to the ingress or egress of the interface whose traffic is to be filtered.
Time Range Module Introduction
The time range module is mainly used to activate and deactivate other application modules on a schedule. For example, a company forbids employees from browsing the Internet during working hours but permits it in free time. This is done by binding a time range to an ACL.
The user can configure multiple time ranges, each with its own name. A time range can define multiple relative time segments and one absolute time segment.
The time range is currently active when the current time is within the absolute time segment or satisfies any relative time segment.
Time Range Module Introduction (Cont.)
A time range takes effect in the following three situations:
Only an absolute time segment is configured, and the current system time is within the configured absolute time segment.
Only relative time segments are configured. No matter how many relative time segments are configured, the time range is effective if the current system time meets any one of them.
Both absolute and relative time segments are configured. The time range is effective only when the current system time meets the absolute time segment and any one relative time segment.
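As an added illustration (not code from the ZTE course), the following Python model implements the three situations above and evaluates the time range "test" configured later on these slides at several clock readings, including the 08:36:03 08-14-2009 reading from the slide's own show time-range output. The time formats (hh:mm:ss and MM-DD-YYYY, read from that output), the treatment of a missing start or end bound as open, the same-day closing of a periodic window, and the choice to treat a range with no segments as inactive are assumptions made for this example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, time

# Time formats as shown in the slides' "show time-range" output:
# an absolute point is "hh:mm:ss MM-DD-YYYY", a periodic point is "hh:mm:ss".
ABS_FMT = "%H:%M:%S %m-%d-%Y"
DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")


@dataclass
class Periodic:
    """One relative time segment: a clock window on the given weekdays."""
    days: frozenset
    start: time
    end: time

    def matches(self, now: datetime) -> bool:
        return DAYS[now.weekday()] in self.days and self.start <= now.time() <= self.end


@dataclass
class TimeRange:
    name: str
    absolute: tuple | None = None            # (start, end) datetimes, None if not configured
    periodic: list = field(default_factory=list)

    def is_active(self, now: datetime) -> bool:
        """Apply the three situations from the slide.

        Absolute only: active while now lies inside the absolute segment.
        Periodic only: active if any periodic segment matches.
        Both: active only when the absolute segment AND some periodic segment match.
        A range with no segments at all is treated as inactive (assumption; the
        slides do not cover this case).
        """
        if self.absolute is None and not self.periodic:
            return False
        abs_ok = True
        if self.absolute is not None:
            start, end = self.absolute
            abs_ok = start <= now <= end
        per_ok = True if not self.periodic else any(p.matches(now) for p in self.periodic)
        return abs_ok and per_ok


def parse_time_range(config_lines: list) -> TimeRange:
    """Build a TimeRange from config-tr lines in the form used on the slides."""
    tr = None
    for raw in config_lines:
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "time-range":
            tr = TimeRange(name=tok[1])
        elif tok[0] == "absolute":
            # "start"/"end" keyword pairs follow; a missing bound is open (assumption)
            start, end = datetime.min, datetime.max
            for i in range(1, len(tok), 3):
                point = datetime.strptime(f"{tok[i + 1]} {tok[i + 2]}", ABS_FMT)
                if tok[i] == "start":
                    start = point
                else:
                    end = point
            tr.absolute = (start, end)
        elif tok[0] == "periodic":
            # "periodic daily hh:mm:ss to hh:mm:ss" or "periodic <weekday> hh:mm:ss to hh:mm:ss";
            # an optional weekday before the end time is accepted, but the window is
            # assumed to close on the same day it opens
            days = frozenset(DAYS) if tok[1] == "daily" else frozenset({tok[1].lower()})
            tr.periodic.append(Periodic(days, time.fromisoformat(tok[2]), time.fromisoformat(tok[-1])))
    return tr


def active_at(tr: TimeRange, stamp: str) -> bool:
    """Evaluate a time range at a clock reading given as "hh:mm:ss MM-DD-YYYY"."""
    return tr.is_active(datetime.strptime(stamp, ABS_FMT))


# The time range configured on the slides, constructed from the page's example lines.
SLIDE_CONFIG = [
    "time-range test",
    "absolute start 10:10:15 11-12-2010 end 10:10:15 12-12-2010",
    "periodic daily 09:00:00 to 12:00:00",
    "periodic daily 14:00:00 to 17:00:00",
]
TIME_RANGE_TEST = parse_time_range(SLIDE_CONFIG)

if __name__ == "__main__":
    # First reading is the clock shown in the slide's output: outside the absolute segment.
    for stamp in ("08:36:03 08-14-2009", "10:00:00 11-15-2010", "13:00:00 11-15-2010"):
        print(stamp, "active" if active_at(TIME_RANGE_TEST, stamp) else "inactive")
```

The third situation is the one that trips people up in practice: on 11-12-2010 at 09:30:00 the periodic window 09:00-12:00 matches, yet the range is still inactive because the absolute segment only opens at 10:10:15 that day.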
Time Range Module Configuration
1. Enable the time range function.
ZXR10(config)#time-range {enable | disable}
2. Create and name a time range, and enter time range configuration mode.
ZXR10(config)#time-range <time-range-name>
3. Configure time segment rules.
Absolute time segment:
ZXR10(config-tr)#absolute [start <time-date>] [end <time-date>]
Relative time segment:
ZXR10(config-tr)#periodic [<days-of-week>] <hh:mm:ss> to [<days-of-week>] <hh:mm:ss>
Time Range Module Configuration Example
Example
ZXR10(config)#time-range enable
ZXR10(config)#time-range test
ZXR10(config-tr)#absolute start 10:10:15 11-12-2010 end 10:10:15 12-12-2010
ZXR10(config-tr)#periodic daily 09:00:00 to 12:00:00
ZXR10(config-tr)#periodic daily 14:00:00 to 17:00:00
Configuration check
ZXR10(config)#show time-range
Current time is 08:36:03 08-14-2009 Friday
time-range test <inactive>
absolute start 10:10:15 11-12-2010 end 10:10:15 12-12-2010
periodic daily 09:00:00 to 12:00:00
periodic daily 14:00:00 to 17:00:00
IPv4-ACL Configuration Step
1. Configure the IPv4-ACL list.
ZXR10(config)#ipv4-access-list <name>
2. Configure a standard ACL rule.
ZXR10(config-ipv4-acl)#rule [<rule-id>] {permit | deny} {source [<source-wildcard>] | any} [time-range <name>] [log]
Configure an extended ACL rule.
ZXR10(config-ipv4-acl)#rule [<rule-id>] {permit | deny} protocol {source [<source-wildcard>] | any} {destination [<destination-wildcard>] | any} [{tos <value> | precedence <value> | dscp <value>}] [time-range <name>] [log]
3. Bind the ACL to an interface.
ZXR10(config)#ipv4-access-group <interface-name> {ingress | egress} <acl-name>
Maintaining IPv4-ACL
Show the ACL list and its brief information.
ZXR10#show ipv4-access-lists [{name <acl-name> | brief [name <acl-name>]}]
Show the binding information.
ZXR10#show ipv4-access-groups [[by-access-list <acl-name>] [by-direction {ingress | egress}] [by-interface <interface-name>]]
LINK-ACL Configuration Step
1. Configure the LINK-ACL list.
ZXR10(config)#link-access-list <name>
2. Configure a MAC-based ACL rule.
ZXR10(config-link-acl)#rule [<rule-id>] {permit | deny} {source-mac [<source-mac-wildcard>] | any} [time-range <name>]
Configure a MAC and VLAN-based ACL rule.
ZXR10(config-link-acl)#rule [<rule-id>] {permit | deny} {source-mac [<source-mac-wildcard>] | any} {destination-mac [<destination-mac-wildcard>] | any} [{inner-cos <value> | inner-vlan <value> | outer-cos <value> | outer-vlan <value>}] [time-range <name>]
LINK-ACL Configuration Step (Cont.)
Configure a link protocol and MAC-based ACL rule.
ZXR10(config-link-acl)#rule [<rule-id>] {permit | deny} link-protocal <value> {source-mac [<source-mac-wildcard>] | any} [time-range <name>]
Configure a link protocol, VLAN and MAC-based ACL rule.
ZXR10(config-link-acl)#rule [<rule-id>] {permit | deny} link-protocal <value> {source-mac [<source-mac-wildcard>] | any} [{inner-cos <value> | inner-vlan <value> | outer-cos <value> | outer-vlan <value>}] [time-range <name>]
3. Bind the ACL to an interface.
ZXR10(config)#link-access-group interface <interface-name> {ingress | egress} <acl-name>
Example 1 — Filter telnet access to router
Use an ACL to restrict access from vty:
ZXR10(config)#line telnet access-class <acl-name>
Only permit telnet access from the 192.89.55.0 segment:
ZXR10(config)#ipv4-access-list test1
ZXR10(config-ipv4-acl)#rule 11 permit 192.89.55.0 0.0.0.255
ZXR10(config)#line telnet access-class test1
Example 2 — Standard ACL
[Figure: router with the 172.16.3.0 segment on gei-0/1/0/2 and the 172.16.4.0 segment (host 172.16.4.13) on gei-0/1/0/1; interface S0 leads to a non-172.16.0.0 segment]
Permit the two side networks to communicate:
ZXR10(config)#ipv4-access-list test
ZXR10(config-ipv4-acl)#rule 11 permit 172.16.0.0 0.0.255.255
ZXR10(config-ipv4-acl)#exit
ZXR10(config)#ipv4-access-group gei-0/1/0/1 egress test
ZXR10(config)#ipv4-access-list test2
ZXR10(config-ipv4-acl)#rule 12 permit 172.16.0.0 0.0.255.255
ZXR10(config-ipv4-acl)#exit
ZXR10(config)#ipv4-access-group gei-0/1/0/1 egress test2
ZXR10(config)#ipv4-access-group gei-0/1/0/2 egress test2
Example 3 — Standard ACL
[Figure: same topology as Example 2]
Deny access from 172.16.4.13 to the 172.16.3.0 segment:
ZXR10(config)#ipv4-access-list test3
ZXR10(config-ipv4-acl)#rule 13 deny 172.16.4.13 0.0.0.0
ZXR10(config-ipv4-acl)#rule 14 permit any
ZXR10(config-ipv4-acl)#exit
ZXR10(config)#ipv4-access-group gei-0/1/0/2 egress test3
Example 4 — Extended ACL
PC1 and PC2 both send Telnet requests to R1 through R2, but R1 only wants to receive the Telnet request from PC1, not from PC2.
To meet R1's requirement, bind an ACL to the ingress of gei-0/1/0/1 on R2 to filter the Telnet packets coming from PC2 (the ACL can also be bound to the egress of gei-0/1/0/2).
[Figure: PC1 and PC2 reach R2 through gei-0/1/0/1; R2 reaches R1 (30.20.10.1) through gei-0/1/0/2; the filtered host address is 10.20.30.20]
Configuration on R2
R2(config)#ipv4-access-list test
R2(config-ipv4-acl)#rule 10 deny tcp 10.20.30.20 0.0.0.0 30.20.10.1 0.0.0.0 eq telnet
R2(config-ipv4-acl)#rule 20 permit any
R2(config-ipv4-acl)#exit
R2(config)#ipv4-access-group gei-0/1/0/1 ingress test
Configuration Check
Show the binding information:
R2(config)#show ipv4-access-groups
Interface name Direction ACl name
---------------------------------------------------------
gei-0/1/0/1 Ingress test
Show the configured ACL:
R2(config)#show ipv4-access-lists name test
ipv4-access-list test
2/2 (showed/total)
rule 10 deny tcp 10.20.30.20 0.0.0.0 30.20.10.1 0.0.0.0 eq telnet
rule 20 permit any
Example 5 — time range ACL
1. PC1 is forbidden to telnet R1 from 09:00:00 to 12:00:00 and from 14:00:00 to 17:00:00 daily.
2. PC1 is forbidden to telnet R1 from 10:10:15 11-12-2010 to 10:10:15 12-12-2010.
[Figure: R2 with interfaces gei-0/1/0/1, gei-0/1/0/2 and gei-0/1/0/3; PC1 connects to R2, which connects to R1 (30.20.10.1)]
Configuration on R2
1. Create a time-range.
R2(config)#time-range enable
R2(config)#time-range test /*This creates a time-range and names it test.*/
2. Add the time segments to the time-range.
R2(config-tr)#absolute start 10:10:15 11-12-2010 end 10:10:15 12-12-2010
R2(config-tr)#periodic daily 09:00:00 to 12:00:00
R2(config-tr)#periodic daily 14:00:00 to 17:00:00
Configuration on R2 (Cont.)
3. Create the ACL and bind it to the time-range.
R2(config)#ipv4-access-list test
R2(config-ipv4-acl)#rule 1 deny tcp 10.20.30.20 0.0.0.0 30.20.10.1 0.0.0.0 eq telnet time-range test
R2(config-ipv4-acl)#rule 2 permit any
R2(config-ipv4-acl)#exit
R2(config)#ipv4-access-group gei-0/1/0/3 ingress test
/*The binding is successful. The ACL only takes effect in the specified time segments.*/
ACL Malfunctions
The following ACL configuration faults are likely to appear:
Failure to create an ACL list with the specified name.
Failure to bind an ACL to an interface.
ACL filtering works improperly: traffic that should be permitted is denied, while traffic that should be denied is still forwarded by the device.
ACL Troubleshooting
To locate and solve the faults, perform the following inspections.
The ACL name supports at most 31 characters and cannot contain a quotation mark, question mark or space.
ACL names are case sensitive.
It is not recommended to perform the binding before creating the ACL, even though the ZXR10 M6000 supports this.
Binding an empty ACL list to an interface means that all packets are permitted.
A "deny any" rule is automatically added to the end of the list when a non-empty ACL list is bound to an interface, which means that packets matching none of the rules are denied.
If an ACL rule is bound with a time-range, it takes effect only while the time-range is in the active state.
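As an added example (not code from the ZTE course), the following Python model shows how a bound IPv4-ACL decides a packet's fate under the rules just listed, using the rule syntax from the IPv4-ACL configuration step and the rule statements of Examples 3, 4 and 5: wildcard-mask matching, first match wins, the implicit deny any on a non-empty list, an empty list permitting everything, and a rule bound to a time-range staying dormant until that range is active. Evaluation in rule-id order, "eq" meaning the destination port (as in Example 4's rule), and the PORT_NAMES table are assumptions; the set of active time-range names is passed in rather than computed here, and the sample packets are constructed.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Service names accepted after "eq"; the slides only use "telnet". Numeric ports also work.
PORT_NAMES = {"telnet": 23}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: int | None = None


@dataclass
class Rule:
    rule_id: int
    action: str              # "permit" or "deny"
    proto: str | None        # None for a standard (source-only) rule
    src: tuple | None        # (address, wildcard) as integers; None means "any"
    dst: tuple | None
    dport: int | None
    time_range: str | None


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _wild_match(field: int, addr: int, wild: int) -> bool:
    # A wildcard bit set to 1 means "don't care": mask those bits out before comparing.
    return (field ^ addr) & ~wild & 0xFFFFFFFF == 0


def _parse_addr(tok: list, i: int):
    """Consume 'any' or '<address> <wildcard>' at tok[i]; return (spec, next index)."""
    if tok[i] == "any":
        return None, i + 1
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def parse_rule(line: str) -> Rule:
    """Parse one 'rule <id> {permit|deny} ...' statement as written on the slides."""
    tok = line.split()
    rule_id, action, i = int(tok[1]), tok[2], 3
    proto = dst = dport = time_range = None
    if tok[i] in PROTOCOLS:                       # extended rule: protocol, source, destination
        proto, i = tok[i], i + 1
        src, i = _parse_addr(tok, i)
        dst, i = _parse_addr(tok, i)
    else:                                         # standard rule: source only
        src, i = _parse_addr(tok, i)
    while i < len(tok):
        if tok[i] == "eq":                        # assumption: destination port, as in Example 4
            dport = PORT_NAMES[tok[i + 1]] if tok[i + 1] in PORT_NAMES else int(tok[i + 1])
            i += 2
        elif tok[i] == "time-range":
            time_range, i = tok[i + 1], i + 2
        else:                                     # "log" and similar keywords do not affect matching
            i += 1
    return Rule(rule_id, action, proto, src, dst, dport, time_range)


def rule_matches(rule: Rule, pkt: Packet, active_ranges) -> bool:
    if rule.time_range is not None and rule.time_range not in active_ranges:
        return False                              # dormant while its time-range is inactive
    if rule.src is not None and not _wild_match(_ip(pkt.src), *rule.src):
        return False
    if rule.proto is None:
        return True                               # a standard rule checks the source only
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dst is not None and not _wild_match(_ip(pkt.dst), *rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(acl_lines: list, pkt: Packet, active_ranges=frozenset()) -> str:
    """Return 'permit' or 'deny' for pkt against an ACL bound to an interface.

    Rules are tried in rule-id order (assumption) and the first match wins. An
    empty list permits everything and a non-empty list ends with an implicit
    'deny any', as the troubleshooting slide states.
    """
    rules = sorted((parse_rule(l) for l in acl_lines if l.strip()), key=lambda r: r.rule_id)
    if not rules:
        return "permit"
    for rule in rules:
        if rule_matches(rule, pkt, active_ranges):
            return rule.action
    return "deny"


# Rule statements taken from the slides' examples.
EXAMPLE3_ACL = ["rule 13 deny 172.16.4.13 0.0.0.0", "rule 14 permit any"]
EXAMPLE4_ACL = ["rule 10 deny tcp 10.20.30.20 0.0.0.0 30.20.10.1 0.0.0.0 eq telnet", "rule 20 permit any"]
EXAMPLE5_ACL = ["rule 1 deny tcp 10.20.30.20 0.0.0.0 30.20.10.1 0.0.0.0 eq telnet time-range test",
                "rule 2 permit any"]

if __name__ == "__main__":
    telnet = Packet("10.20.30.20", "30.20.10.1", "tcp", 23)      # constructed sample packet
    print("Example 4, telnet from 10.20.30.20:", evaluate(EXAMPLE4_ACL, telnet))
    print("Example 5, time-range inactive:   ", evaluate(EXAMPLE5_ACL, telnet))
    print("Example 5, time-range active:     ", evaluate(EXAMPLE5_ACL, telnet, {"test"}))
```

Running the model against a single permit-only list such as Example 2's reproduces the trap the troubleshooting slide warns about: a host outside 172.16.0.0/16 hits no rule and is dropped by the implicit deny, whereas the very same packet passes when the list is empty.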
Treatment Scheme
Assume that packets with the source address 1.1.1.1/32 should be permitted. However, these packets cannot be forwarded.
Treatment Steps
1. Use the show ipv4-access-lists name <acl-name> command to check whether the packets to be filtered are covered by an ACL rule.
2. Compare the action attributes of the rules and check whether the sequence of the rules is correct.
3. If the ACL is bound with a time-range, inspect the state of the time-range in the output of show time-range <name>.
4. Use the show ipv4-access-groups command to check the correctness of the binding relationship (name and direction).
5. Use the show running command to check whether the interface configurations are incompatible.
Course Review
ZXR10 M6000/T8000 ACL features
What’s the function of time range module?
ACL configuration steps
ACL troubleshooting
05 ip oc305 2_e1_1 zxr10 m6000&t8000 acl configuration (v1.00.30) 31

SOFTWARE ESTIMATION COCOMO AND FP CALCULATION
 

05 ip oc305 2_e1_1 zxr10 m6000&t8000 acl configuration (v1.00.30) 31

  • 8. Time Range Module Introduction (Cont.)
    A time range takes effect in the following three situations:
    Only an absolute time segment is configured, and the current system time is within that absolute time segment.
    Only relative time segments are configured. No matter how many relative time segments are configured, the time range is effective if the current system time meets any one of them.
    Both absolute and relative time segments are configured. The time range is effective only when the current system time is within the absolute time segment and also meets any one relative time segment.
  • 9. Time Range Module Configuration
    1. Enable the time range function.
    ZXR10(config)#time-range {enable | disable}
    2. Create and name a time range, and enter time range configuration mode.
    ZXR10(config)#time-range <time-range-name>
    3. Configure time segment rules.
    Absolute time segment:
    ZXR10(config-tr)#absolute [start <time-data>] [end <time-data>]
    Relative time segment:
    ZXR10(config-tr)#periodic [<days-of-weeks>] <hh:mm:ss> to [<days-of-weeks>] <hh:mm:ss>
  • 10. Time Range Module Configuration Example
    Example:
    ZXR10(config)#time-range enable
    ZXR10(config)#time-range test
    ZXR10(config-tr)#absolute start 10:10:15 11-12-2010 end 10:10:15 12-12-2010
    ZXR10(config-tr)#periodic daily 09:00:00 to 12:00:00
    ZXR10(config-tr)#periodic daily 14:00:00 to 17:00:00
    Configuration check:
    ZXR10(config)#show time-range
    Current time is 08:36:03 08-14-2009 Friday
    time-range test <inactive>
    absolute start 10:10:15 11-12-2010 end 10:10:15 12-12-2010
    periodic daily 09:00:00 to 12:00:00
    periodic daily 14:00:00 to 17:00:00
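The activation rules of slide 8 applied to the time-range configured on slide 10, as an added Python model that is not part of the course or of the ZXR10 software. It assumes the hh:mm:ss MM-DD-YYYY stamp order shown by show time-range, models only the daily and single-weekday periodic forms, and treats a range with no segments as inactive.

```python
from datetime import datetime, time
# Added example (not ZTE code): model of the slide-8 time-range rules, fed
# with the slide-10 configuration. Stamps are hh:mm:ss MM-DD-YYYY, the order
# "show time-range" prints; only "daily" and single-weekday periodic
# segments are modelled (assumption).
WEEKDAYS = {"monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
            "friday": 4, "saturday": 5, "sunday": 6}

def parse_stamp(clock, date):
    return datetime.strptime(f"{clock} {date}", "%H:%M:%S %m-%d-%Y")

def parse_time_range(lines):
    """(absolute, periodics): absolute = (start, end) with None for an omitted
    bound; periodic = (days, start, end) with days None meaning daily."""
    absolute, periodics = None, []
    for line in lines:
        tok = line.split()
        if tok[0] == "absolute":
            bounds = {}
            for key in ("start", "end"):
                if key in tok:
                    i = tok.index(key)
                    bounds[key] = parse_stamp(tok[i + 1], tok[i + 2])
            absolute = (bounds.get("start"), bounds.get("end"))
        elif tok[0] == "periodic":
            days = None if tok[1] == "daily" else {WEEKDAYS[tok[1]]}
            periodics.append((days, time.fromisoformat(tok[2]),
                              time.fromisoformat(tok[-1])))
    return absolute, periodics

def time_range_active(absolute, periodics, now):
    """Slide 8: absolute only -> inside it; periodic only -> any periodic
    matches; both -> inside absolute AND any periodic. None -> inactive."""
    if absolute is None and not periodics:
        return False  # empty range: assumption, not covered by the slide
    start, end = absolute or (None, None)
    abs_ok = (start is None or now >= start) and (end is None or now <= end)
    per_ok = not periodics or any(
        (days is None or now.weekday() in days) and s <= now.time() <= e
        for days, s, e in periodics)
    return abs_ok and per_ok

# Configuration lines of "time-range test", copied from slide 10.
TEST_RANGE = parse_time_range([
    "absolute start 10:10:15 11-12-2010 end 10:10:15 12-12-2010",
    "periodic daily 09:00:00 to 12:00:00",
    "periodic daily 14:00:00 to 17:00:00"])

def is_test_active(clock, date):
    return time_range_active(*TEST_RANGE, parse_stamp(clock, date))
```

At the system time shown on slide 10 (08:36:03 08-14-2009) the model reports the range inactive, matching the <inactive> state in the show output.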
  • 11. IPv4-ACL Configuration Step
    1. Configure an IPv4-ACL list.
    ZXR10(config)#ipv4-access-list <name>
    2. Configure ACL rules.
    Standard ACL rule:
    ZXR10(config-ipv4-acl)#rule [<rule-id>] {permit | deny} {source [<source-wildcard>] | any} [time-range <name>] [log]
    Extended ACL rule:
    ZXR10(config-ipv4-acl)#rule [<rule-id>] {permit | deny} protocol {source [<source-wildcard>] | any} {destination [<destination-wildcard>] | any} [{tos <value> | precedence <value> | dscp <value>}] [time-range <name>] [log]
    3. Bind the ACL to an interface.
    ZXR10(config)#ipv4-access-group <interface-name> {ingress | egress} <acl-name>
  • 12. Maintaining IPv4-ACL
    Show an ACL list and its brief information:
    ZXR10#show ipv4-access-lists [{name <acl-name> | brief [name <acl-name>]}]
    Show the binding information:
    ZXR10#show ipv4-access-groups [[by-access-list <acl-name>] [by-direction {ingress | egress}] [by-interface <interface-name>]]
  • 13. LINK-ACL Configuration Step
    1. Configure a LINK-ACL list.
    ZXR10(config)#link-access-list <name>
    2. Configure ACL rules.
    MAC-based ACL rule:
    ZXR10(config-link-acl)#rule [<rule-id>] {permit | deny} {source-mac [<source-mac-wildcard>] | any} [time-range <name>]
    MAC- and VLAN-based ACL rule:
    ZXR10(config-link-acl)#rule [<rule-id>] {permit | deny} {source-mac [<source-mac-wildcard>] | any} {destination-mac [<destination-mac-wildcard>] | any} [{inner-cos <value> | inner-vlan <value> | outer-cos <value> | outer-vlan <value>}] [time-range <name>]
  • 14. LINK-ACL Configuration Step (Cont.)
    Link-protocol- and MAC-based ACL rule:
    ZXR10(config-link-acl)#rule [<rule-id>] {permit | deny} link-protocal <value> {source-mac [<source-mac-wildcard>] | any} [time-range <name>]
    Link-protocol-, VLAN- and MAC-based ACL rule:
    ZXR10(config-link-acl)#rule [<rule-id>] {permit | deny} link-protocal <value> {source-mac [<source-mac-wildcard>] | any} [{inner-cos <value> | inner-vlan <value> | outer-cos <value> | outer-vlan <value>}] [time-range <name>]
    3. Bind the ACL to an interface.
    ZXR10(config)#link-access-group interface <interface-name> {ingress | egress} <acl-name>
  • 15. Contents
    ZXR10 M6000/T8000 ACL Features
    ACL Configuration Step
    Time Range Module
    IPv4-ACL
    LINK-ACL
    ACL Configuration Example
    ACL Maintain & Fault Treatment
  • 16. Example 1 — Filter Telnet access to the router
    Use an ACL to restrict access from the VTY lines:
    ZXR10(config)#line telnet access-class <acl-name>
    Only permit Telnet access from the 192.89.55.0 segment:
    ZXR10(config)#ipv4-access-list test1
    ZXR10(config-ipv4-acl)#rule 11 permit 192.89.55.0 0.0.0.255
    ZXR10(config-ipv4-acl)#exit
    ZXR10(config)#line telnet access-class test1
  • 17. Example 2 — Standard ACL
    Topology (figure): networks 172.16.3.0 and 172.16.4.0, host 172.16.4.13, router interfaces gei-0/1/0/1 and gei-0/1/0/2, and interface S0 toward the non-172.16.0.0 segment.
    Permit the two side networks to communicate. The slide shows two variants: list test bound to the egress of gei-0/1/0/1 only, and list test2 bound to the egress of both interfaces.
    ZXR10(config)#ipv4-access-list test
    ZXR10(config-ipv4-acl)#rule 11 permit 172.16.0.0 0.0.255.255
    ZXR10(config-ipv4-acl)#exit
    ZXR10(config)#ipv4-access-group gei-0/1/0/1 egress test
    ZXR10(config)#ipv4-access-list test2
    ZXR10(config-ipv4-acl)#rule 12 permit 172.16.0.0 0.0.255.255
    ZXR10(config-ipv4-acl)#exit
    ZXR10(config)#ipv4-access-group gei-0/1/0/1 egress test2
    ZXR10(config)#ipv4-access-group gei-0/1/0/2 egress test2
  • 18. Example 3 — Standard ACL
    Topology (figure): networks 172.16.3.0 and 172.16.4.0, host 172.16.4.13, router interfaces gei-0/1/0/1 and gei-0/1/0/2, and interface S0 toward the non-172.16.0.0 segment.
    Deny access from 172.16.4.13 to the 172.16.3.0 segment:
    ZXR10(config)#ipv4-access-list test3
    ZXR10(config-ipv4-acl)#rule 13 deny 172.16.4.13 0.0.0.0
    ZXR10(config-ipv4-acl)#rule 14 permit any
    ZXR10(config-ipv4-acl)#exit
    ZXR10(config)#ipv4-access-group gei-0/1/0/2 egress test3
  • 19. Example 4 — Extended ACL
    PC1 and PC2 both send Telnet requests to R1 through R2, but R1 only wants to receive the Telnet requests coming from PC1, not those from PC2. To meet this requirement of R1, bind an ACL to the ingress of gei-0/1/0/1 on R2 to filter the Telnet packets coming from PC2 (the ACL can also be bound to the egress of gei-0/1/0/2).
    Topology (figure): PC1 and PC2 (10.20.30.20) connect to R2 on the gei-0/1/0/1 side; R2 reaches R1 (30.20.10.1) through gei-0/1/0/2.
  • 20. Configuration on R2
    R2(config)#ipv4-access-list test
    R2(config-ipv4-acl)#rule 10 deny tcp 10.20.30.20 0.0.0.0 30.20.10.1 0.0.0.0 eq telnet
    R2(config-ipv4-acl)#rule 20 permit any
    R2(config-ipv4-acl)#exit
    R2(config)#ipv4-access-group gei-0/1/0/1 ingress test
    Topology (figure): the same as in Example 4 (R1 30.20.10.1, R2 with gei-0/1/0/1 and gei-0/1/0/2, PC1, PC2 10.20.30.20).
  • 21. Configuration Check
    Show the binding information:
    R2(config)#show ipv4-access-groups
    Interface name    Direction    ACl name
    ---------------------------------------------------------
    gei-0/1/0/1       Ingress      test
    Show the configured ACL:
    R2(config)#show ipv4-access-lists name test
    ipv4-access-list test 2/2 (showed/total)
    rule 10 deny tcp 10.20.30.20 0.0.0.0 30.20.10.1 0.0.0.0 eq telnet
    rule 20 permit any
  • 22. Example 5 — Time range ACL
    1. PC1 is forbidden to telnet R1 daily from 09:00:00 to 12:00:00 and from 14:00:00 to 17:00:00.
    2. PC1 is forbidden to telnet R1 from 10:10:15 11-12-2010 to 10:10:15 12-12-2010.
    Topology (figure): PC1 connects to R2; R2 has interfaces gei-0/1/0/1, gei-0/1/0/2 and gei-0/1/0/3; R1 is 30.20.10.1.
  • 23. Configuration on R2
    1. Create a time-range.
    R2(config)#time-range enable
    R2(config)#time-range test /*This creates a time-range and names it test.*/
    2. Add time segments to the time-range.
    R2(config-tr)#absolute start 10:10:15 11-12-2010 end 10:10:15 12-12-2010
    R2(config-tr)#periodic daily 09:00:00 to 12:00:00
    R2(config-tr)#periodic daily 14:00:00 to 17:00:00
  • 24. Configuration on R2 (Cont.)
    3. Create the ACL and bind it to the time-range.
    R2(config)#ipv4-access-list test
    R2(config-ipv4-acl)#rule 1 deny tcp 10.20.30.20 0.0.0.0 eq telnet 30.20.10.1 0.0.0.0 time-range test
    R2(config-ipv4-acl)#rule 2 permit any
    R2(config-ipv4-acl)#exit
    R2(config)#ipv4-access-group gei-0/1/0/3 ingress test /*The binding is successful. The ACL only takes effect in the specified time segments.*/
  • 25. Contents
    ZXR10 M6000/T8000 ACL Features
    ACL Configuration Step and Example
    Time Range Module
    IPv4-ACL
    LINK-ACL
    ACL Maintain & Fault Treatment
  • 26. ACL Malfunctions
    The following ACL configuration faults are likely to appear:
    Failure to create an ACL list with the specified name.
    Failure to bind an ACL to an interface.
    ACL filtering works incorrectly: traffic that should be permitted is denied, or traffic that should be denied is still forwarded by the device.
  • 27. ACL Troubleshooting
    To locate and solve the faults, perform the following checks.
    An ACL name supports at most 31 characters and cannot contain a quotation mark, question mark or space. ACL names are case sensitive.
    Binding an ACL before creating it is not recommended, even though the ZXR10 M6000 supports this.
    Binding an empty ACL list to an interface means that all packets are permitted.
    A "deny any" rule is added automatically at the end of the list when a non-empty ACL list is bound to an interface, which means that packets matching none of the rules are denied.
    If an ACL rule is bound to a time-range, it takes effect only while the time-range is in the active state.
  • 28. Treatment Scheme
    Assume that packets with the source address 1.1.1.1/32 should be permitted; however, these packets cannot be forwarded.
  • 29. Treatment Steps
    1. To check whether the packets to be filtered are covered by an ACL rule, use the show ipv4-access-list name <acl-name> command.
    2. Inspect the output of the show time-range <name> command. Compare the action attributes of the rules and check whether the sequence of the rules is correct.
    3. If the ACL is bound to a time-range, inspect the state of the time-range.
    4. To check the correctness of the binding relationship (name and direction), use the show ipv4-access-group command.
    5. To check whether the interface configurations are incompatible, use the show running command.
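An added Python model (not ZTE code) of how a bound ipv4-access-list decides a packet, covering the empty-list and implicit deny-any rules of slide 27, the lists from slides 18 and 20, and a constructed misconfiguration that produces the slide-28 symptom. It assumes rules are evaluated in ascending rule-id order and that the 0 bits of the wildcard must match.

```python
import ipaddress

# Added example (not ZTE code): model of how a bound ipv4-access-list
# decides a packet, after slides 17-20 and 27. A rule is a dict with id,
# action ("permit"/"deny"), optional proto, src/dst as (address, wildcard)
# or "any", optional dport and time_range. Wildcard bits that are 0 must
# match, as in "172.16.0.0 0.0.255.255". Rules are tried in ascending
# rule-id order (assumption).

def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit the wildcard leaves 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def rule_matches(rule, pkt, active_ranges):
    """A rule tied to an inactive time-range never matches (slide 27)."""
    if rule.get("time_range") and rule["time_range"] not in active_ranges:
        return False
    if rule.get("proto") and rule["proto"] != pkt["proto"]:
        return False
    for side in ("src", "dst"):
        spec = rule.get(side, "any")
        if spec != "any" and not wildcard_match(pkt[side], *spec):
            return False
    if rule.get("dport") is not None and rule["dport"] != pkt.get("dport"):
        return False
    return True

def acl_decision(rules, pkt, active_ranges=frozenset()):
    """First match wins. Slide 27: an empty bound list permits everything;
    a non-empty list ends with an implicit 'deny any'."""
    if not rules:
        return "permit"
    for rule in sorted(rules, key=lambda r: r["id"]):
        if rule_matches(rule, pkt, active_ranges):
            return rule["action"]
    return "deny"

# ACL test3 (slide 18) and ACL test (slide 20), transcribed from the course.
TEST3 = [{"id": 13, "action": "deny", "src": ("172.16.4.13", "0.0.0.0")},
         {"id": 14, "action": "permit"}]
TEST = [{"id": 10, "action": "deny", "proto": "tcp", "dport": 23,
         "src": ("10.20.30.20", "0.0.0.0"), "dst": ("30.20.10.1", "0.0.0.0")},
        {"id": 20, "action": "permit"}]
# Constructed lists for the slide-28 symptom: BROKEN's only permit rule
# names 1.1.1.0, so 1.1.1.1 falls through to the implicit deny; FIXED
# names the host itself.
BROKEN = [{"id": 1, "action": "permit", "src": ("1.1.1.0", "0.0.0.0")}]
FIXED = [{"id": 1, "action": "permit", "src": ("1.1.1.1", "0.0.0.0")}]
```

Running a packet from 1.1.1.1 through BROKEN and then FIXED reproduces treatment step 1: the symptom disappears once a rule actually covers the address.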
  • 30. Course Review
    ZXR10 M6000/T8000 ACL features
    What is the function of the time range module?
    ACL configuration steps
    ACL troubleshooting