05 ip oc305 2_e1_1 zxr10 m6000&t8000 acl configuration (v1.00.30) 31
ZXR10 M6000/T8000 ACL Configuration
Course Objectives
Through learning this course, you will:
Learn about the M6000/T8000 ACL features
Master the ACL configuration steps
Learn about the ACL configuration examples
Learn about the M6000/T8000 ACL fault treatment
Contents
ZXR10 M6000/T8000 ACL Features
ACL Configuration Step
Time Range Module
IPv4-ACL
LINK-ACL
ACL Configuration Example
ACL Maintain & Fault Treatment
ZXR10 M6000/T8000 ACL Features
IPv4-ACL: source address-based ACL, TCP-based ACL, UDP-based ACL, ICMP-based ACL
Link-ACL: MAC-based ACL, MAC and VLAN based ACL, link protocol and MAC based ACL, link protocol, VLAN and MAC based ACL
IPv6 ACL
ACL Configuration Step
(Optional) Configure the time range module.
1. Create an ACL with ipv4-access-list. The user can name the list.
2. Enter IPv4 ACL configuration mode after the list is created, and add rules there. Each rule designates one kind of packet and defines whether that kind of packet is denied or permitted.
3. According to the traffic filtering requirements, bind the customized ACL (ipv4-access-list) to the egress or ingress of the interface whose traffic is to be filtered.
Time Range Module Introduction
The time range module is mainly used to activate and deactivate other application modules on a schedule. For example, a company forbids employees from browsing web sites during working hours but permits it in free time. We can bind a time range to an ACL to express this.
Users can configure multiple time ranges. Every time range has its own name. A time range can define multiple relative time segments and one absolute time segment.
The time range is active when the current time is within the absolute time segment or satisfies any relative time segment; when both kinds of segment are configured, both conditions must hold (see the three situations below).
Time Range Module Introduction (Cont.)
A time range takes effect in the following three situations:
1. Only an absolute time segment is configured, and the current system time is within the configured absolute time segment.
2. Only relative time segments are configured. No matter how many relative time segments are configured, the time range is effective if the current system time meets any relative time segment.
3. Both absolute and relative time segments are configured. The time range is effective only when the current system time meets both the absolute time segment and any one relative time segment.
Time Range Module Configuration
1. Enable the time range function.
ZXR10(config)#time-range {enable | disable}
2. Create and name a time range, and enter time range configuration mode.
ZXR10(config)#time-range <time-range-name>
3. Configure time segment rules.
Absolute time segment:
ZXR10(config-tr)#absolute [start <time-data>] [end <time-data>]
Relative time segment:
ZXR10(config-tr)#periodic [<days-of-week>] <hh:mm:ss> to [<days-of-week>] <hh:mm:ss>
Time Range Module Configuration Example
Example:
ZXR10(config)#time-range enable
ZXR10(config)#time-range test
ZXR10(config-tr)#absolute start 10:10:15 11-12-2010 end 10:10:15 12-12-2010
ZXR10(config-tr)#periodic daily 09:00:00 to 12:00:00
ZXR10(config-tr)#periodic daily 14:00:00 to 17:00:00
Configuration check (the time range shows as inactive because the system clock, 08-14-2009, is before the absolute start date):
ZXR10(config)#show time-range
Current time is 08:36:03 08-14-2009 Friday
time-range test <inactive>
absolute start 10:10:15 11-12-2010 end 10:10:15 12-12-2010
periodic daily 09:00:00 to 12:00:00
periodic daily 14:00:00 to 17:00:00
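The three activation cases above, as an added Python model that is not part of the ZTE course material: it evaluates a time range built like the course's "test" time range and parses the clock format printed by show time-range (hh:mm:ss MM-DD-YYYY). The class and method names are my own, and treating a time range with no segments as never active is an assumption.

```python
# Added example, not from the ZTE course: models when a ZXR10-style time range
# is active. Assumption: a time range with no segments at all is never active.
from datetime import datetime, time

DAILY = frozenset(range(7))  # Monday=0 .. Sunday=6, i.e. the "daily" keyword


def parse_device_time(text):
    """Parse the clock format the device prints, e.g. '08:36:03 08-14-2009'."""
    return datetime.strptime(text, "%H:%M:%S %m-%d-%Y")


def parse_clock(text):
    """Parse an hh:mm:ss value from a periodic segment."""
    h, m, s = (int(x) for x in text.split(":"))
    return time(h, m, s)


class TimeRange:
    def __init__(self, name):
        self.name = name
        self.absolute = None      # (start or None, end or None)
        self.periodic = []        # [(days, start_time, end_time)]

    def absolute_segment(self, start=None, end=None):
        self.absolute = (start and parse_device_time(start),
                         end and parse_device_time(end))

    def periodic_segment(self, days, start, end):
        self.periodic.append((days, parse_clock(start), parse_clock(end)))

    def is_active(self, now):
        if self.absolute is None and not self.periodic:
            return False
        if self.absolute is not None:
            start, end = self.absolute
            if (start and now < start) or (end and now > end):
                return False          # cases 1 and 3: outside the absolute window
        if self.periodic:
            # cases 2 and 3: any relative segment on the right weekday suffices
            return any(now.weekday() in days and s <= now.time() <= e
                       for days, s, e in self.periodic)
        return True


# Constructed sample: the course's time-range "test".
test = TimeRange("test")
test.absolute_segment("10:10:15 11-12-2010", "10:10:15 12-12-2010")
test.periodic_segment(DAILY, "09:00:00", "12:00:00")
test.periodic_segment(DAILY, "14:00:00", "17:00:00")
```

With the device clock from the show output (08:36:03 08-14-2009) the model reports the range inactive, matching the <inactive> flag; inside the absolute window it is active only during the two daily segments.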
IPv4-ACL Configuration Step
1. Configure the IPv4-ACL list.
ZXR10(config)#ipv4-access-list <name>
2. Configure ACL rules.
Standard ACL rule:
ZXR10(config-ipv4-acl)#rule [<rule-id>] {permit | deny} {source [<source-wildcard>] | any} [time-range <name>] [log]
Extended ACL rule:
ZXR10(config-ipv4-acl)#rule [<rule-id>] {permit | deny} protocol {source [<source-wildcard>] | any} {destination [<destination-wildcard>] | any} [{tos <value> | precedence <value> | dscp <value>}] [time-range <name>] [log]
3. Bind the ACL to an interface.
ZXR10(config)#ipv4-access-group <interface-name> {ingress | egress} <acl-name>
Maintaining IPv4-ACL
Show the ACL list and its brief information:
ZXR10#show ipv4-access-lists [{name <acl-name> | brief [name <acl-name>]}]
Show the binding information:
ZXR10#show ipv4-access-groups [[by-access-list <acl-name>] [by-direction {ingress | egress}] [by-interface <interface-name>]]
LINK-ACL Configuration Step
1. Configure the LINK-ACL list.
ZXR10(config)#link-access-list <name>
2. Configure LINK-ACL rules.
MAC-based ACL rule:
ZXR10(config-link-acl)#rule [<rule-id>] {permit | deny} {source-mac [<source-mac-wildcard>] | any} [time-range <name>]
MAC and VLAN based ACL rule:
ZXR10(config-link-acl)#rule [<rule-id>] {permit | deny} {source-mac [<source-mac-wildcard>] | any} {destination-mac [<destination-mac-wildcard>] | any} [{inner-cos <value> | inner-vlan <value> | outer-cos <value> | outer-vlan <value>}] [time-range <name>]
LINK-ACL Configuration Step (Cont.)
Link protocol and MAC based ACL rule:
ZXR10(config-link-acl)#rule [<rule-id>] {permit | deny} link-protocal <value> {source-mac [<source-mac-wildcard>] | any} [time-range <name>]
Link protocol, VLAN and MAC based ACL rule:
ZXR10(config-link-acl)#rule [<rule-id>] {permit | deny} link-protocal <value> {source-mac [<source-mac-wildcard>] | any} [{inner-cos <value> | inner-vlan <value> | outer-cos <value> | outer-vlan <value>}] [time-range <name>]
3. Bind the ACL to an interface.
ZXR10(config)#link-access-group interface <interface-name> {ingress | egress} <acl-name>
Example 1 — Filter telnet access to router
Use an ACL to restrict access from the vty (only permit telnet access from the 192.89.55.0 segment):
ZXR10(config)#line telnet access-class <acl-name>
ZXR10(config)#ipv4-access-list test1
ZXR10(config-ipv4-acl)#rule 11 permit 192.89.55.0 0.0.0.255
ZXR10(config-ipv4-acl)#exit
ZXR10(config)#line telnet access-class test1
Example 2 — Standard ACL
Permit the two side networks to communicate.
[Figure: network 172.16.3.0 on gei-0/1/0/2 and network 172.16.4.0 on gei-0/1/0/1; host 172.16.4.13; a non-172.16.0.0 segment reached via S0]
ZXR10(config)#ipv4-access-list test2
ZXR10(config-ipv4-acl)#rule 12 permit 172.16.0.0 0.0.255.255
ZXR10(config-ipv4-acl)#exit
ZXR10(config)#ipv4-access-group gei-0/1/0/1 egress test2
ZXR10(config)#ipv4-access-group gei-0/1/0/2 egress test2
Example 3 — Standard ACL
Deny the access of 172.16.4.13 to the 172.16.3.0 segment.
[Figure: same topology as Example 2: network 172.16.3.0 on gei-0/1/0/2, network 172.16.4.0 on gei-0/1/0/1, host 172.16.4.13, a non-172.16.0.0 segment via S0]
ZXR10(config)#ipv4-access-list test3
ZXR10(config-ipv4-acl)#rule 13 deny 172.16.4.13 0.0.0.0
ZXR10(config-ipv4-acl)#rule 14 permit any
ZXR10(config-ipv4-acl)#exit
ZXR10(config)#ipv4-access-group gei-0/1/0/2 egress test3
Example 4 — Extended ACL
PC1 and PC2 both send Telnet requests to R1 through R2, but R1 only wants to receive the Telnet requests coming from PC1, not from PC2. To meet R1's requirement, bind an ACL to the ingress of gei-0/1/0/1 to filter the Telnet packets coming from PC2 (the ACL can also be bound to the egress of gei-0/1/0/2).
[Figure: PC1 and PC2 (10.20.30.20) connect to R2 gei-0/1/0/1; R2 gei-0/1/0/2 connects to R1 (30.20.10.1)]
Configuration on R2
R2(config)#ipv4-access-list test
R2(config-ipv4-acl)#rule 10 deny tcp 10.20.30.20 0.0.0.0 30.20.10.1 0.0.0.0 eq telnet
R2(config-ipv4-acl)#rule 20 permit any
R2(config-ipv4-acl)#exit
R2(config)#ipv4-access-group gei-0/1/0/1 ingress test
Configuration Check
Show the binding information:
R2(config)#show ipv4-access-groups
Interface name        Direction    ACL name
---------------------------------------------------------
gei-0/1/0/1           Ingress      test
Show the configured ACL:
R2(config)#show ipv4-access-lists name test
ipv4-access-list test 2/2 (showed/total)
rule 10 deny tcp 10.20.30.20 0.0.0.0 30.20.10.1 0.0.0.0 eq telnet
rule 20 permit any
Example 5 — Time range ACL
Requirements:
1. PC1 is forbidden to telnet to R1 from 09:00:00 to 12:00:00 and from 14:00:00 to 17:00:00 daily.
2. PC1 is forbidden to telnet to R1 from 10:10:15 11-12-2010 to 10:10:15 12-12-2010.
[Figure: PC1 connects to R2 gei-0/1/0/3; R2 connects to R1 (30.20.10.1) via gei-0/1/0/1 and gei-0/1/0/2]
Configuration on R2
1. Create a time range.
R2(config)#time-range enable
R2(config)#time-range test /*This creates a time range and names it test.*/
2. Add time segments to the time range.
R2(config-tr)#absolute start 10:10:15 11-12-2010 end 10:10:15 12-12-2010
R2(config-tr)#periodic daily 09:00:00 to 12:00:00
R2(config-tr)#periodic daily 14:00:00 to 17:00:00
Configuration on R2 (Cont.)
3. Create the ACL and bind it to the time range.
R2(config)#ipv4-access-list test
R2(config-ipv4-acl)#rule 1 deny tcp 10.20.30.20 0.0.0.0 30.20.10.1 0.0.0.0 eq telnet time-range test
R2(config-ipv4-acl)#rule 2 permit any
R2(config-ipv4-acl)#exit
R2(config)#ipv4-access-group gei-0/1/0/3 ingress test
/*The binding is successful. The ACL only takes effect in the specified time segments.*/
ACL Malfunctions
The following ACL configuration faults are likely to appear:
Failure to create an ACL list with the specified name.
Failure to bind an ACL to an interface.
Improper ACL filtering: the traffic that should be permitted is denied, while the traffic that should be denied is still forwarded by the device.
ACL Troubleshooting
To locate and solve the faults, perform the following inspections:
The ACL name supports 31 characters at most and cannot contain a quotation mark, question mark or space.
The ACL name is case sensitive.
It is not recommended to perform the binding before creating the ACL, even though the ZXR10 M6000 supports this.
Binding an empty ACL list to an interface means that all packets are permitted.
A rule "deny any" is added to the end of the list automatically when a non-empty ACL list is bound to an interface, which means packets that do not match any rule are denied.
If an ACL rule is bound to a time range, it takes effect only while the time range is in the active state.
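The lookup behaviour this checklist describes (first match in rule order, the automatic "deny any" at the end of a non-empty bound list, an empty bound list permitting everything, and rules dormant while their time range is inactive), as an added Python simulator that is not ZTE code; it rebuilds the ACLs of Examples 1, 3, 4 and 5 in its own constructed rule and packet representation, with "eq telnet" modelled as TCP destination port 23.

```python
# Added example, not from the ZTE course: a small simulator for the lookup
# semantics the troubleshooting checklist describes. Rules and packets are
# plain dicts of my own design; "any" is encoded as 0.0.0.0 with wildcard
# 255.255.255.255, and "eq telnet" as destination port 23.
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, base, wildcard):
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return a & ~w == b & ~w


def rule_matches(rule, pkt, active_ranges):
    # A rule bound to an inactive time range is present but dormant.
    if rule.get("time_range") and rule["time_range"] not in active_ranges:
        return False
    if rule.get("proto") and rule["proto"] != pkt.get("proto"):
        return False
    if not wildcard_match(pkt["src"], *rule["src"]):
        return False
    if "dst" in rule and not wildcard_match(pkt["dst"], *rule["dst"]):
        return False
    if "dport" in rule and rule["dport"] != pkt.get("dport"):
        return False
    return True


def lookup(acl, pkt, active_ranges=frozenset()):
    """Return 'permit' or 'deny' for pkt under a bound ACL (list of rule dicts)."""
    if not acl:
        return "permit"                # empty bound list: everything passes
    for rule in sorted(acl, key=lambda r: r["id"]):
        if rule_matches(rule, pkt, active_ranges):
            return rule["action"]      # first matching rule wins
    return "deny"                      # automatic "deny any" at the end


# Constructed sample ACLs mirroring the course examples.
TEST1 = [{"id": 11, "action": "permit", "src": ("192.89.55.0", "0.0.0.255")}]
TEST3 = [{"id": 13, "action": "deny", "src": ("172.16.4.13", "0.0.0.0")},
         {"id": 14, "action": "permit", "src": ANY}]
TEST4 = [{"id": 10, "action": "deny", "proto": "tcp", "dport": 23,
          "src": ("10.20.30.20", "0.0.0.0"), "dst": ("30.20.10.1", "0.0.0.0")},
         {"id": 20, "action": "permit", "src": ANY}]
TEST5 = [dict(TEST4[0], id=1, time_range="test"), dict(TEST4[1], id=2)]
```

Running the treatment scenario through lookup shows the usual cause of "permitted traffic is dropped": a source such as 1.1.1.1 that no rule covers falls through to the automatic deny.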
Treatment Scheme
Assume that packets with the source address 1.1.1.1/32 should be permitted. However, these packets cannot be forwarded.
Treatment Steps
1. To view whether the packets to be filtered are covered by an ACL rule, use the show ipv4-access-lists name <acl-name> command.
2. Inspect the command output of show time-range <name>. Compare the action attributes of the rules. Check whether the sequence of the rules is correct.
3. If the ACL is bound to a time range, inspect the state of the time range.
4. To check the correctness of the binding relationship (name and direction), use the show ipv4-access-groups command.
5. To view whether the interface configurations are incompatible, use the show running command.
Course Review
ZXR10 M6000/T8000 ACL features
What is the function of the time range module?
ACL configuration steps
ACL troubleshooting