How to configure and delete a basic ACL on the AR

Configure and delete the basic ACL.
A basic ACL defines rules based on the source IP address of IPv4 packets, the VPN instance, the fragment flag, and a time range. "Basic ACL" is short for "basic IPv4 ACL". The ACL number ranges from 2000 to 2999.
Command: rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | vpn-instance vpn-instance-name | [ fragment | none-first-fragment ] | logging | time-range time-name ] *

Parameter descriptions
rule-id: an integer in the range 0 to 4294967294. If it is omitted, the device allocates the rule ID automatically, starting from the step value. By default the step is 5, so the first rule gets ID 5 and later rules get the following multiples of 5 (5, 10, 15, and so on).
A specified rule-id is honoured only when the ACL uses the configuration match order (rules are matched in ascending rule-id order). In automatic match order, the device allocates rule IDs itself according to the depth-first algorithm.
deny: rejects the packets that match the rule.
permit: allows the packets that match the rule.
source-address: the source IP address, in dotted decimal notation.
source-wildcard: the wildcard of the source IP address, in dotted decimal notation. It can be abbreviated as 0, which is equivalent to 0.0.0.0 and means the source address is a single host address.
When the wildcard is written in binary, a 0 bit means the corresponding address bit must match and a 1 bit means that bit is ignored. The 0 and 1 bits need not be contiguous. For example, the address 192.168.1.169 with the wildcard 0.0.0.172 (last octet 10101100 in binary) matches 192.168.1.x0x0xx01, where each x can be 0 or 1.
Example
#  Add a rule to ACL 2001 to permit the packets with the source address 192.168.32.1 to pass through.
<Huawei> system-view
[Huawei] acl 2001
[Huawei-acl-basic-2001] rule permit source 192.168.32.1 0
#  Delete rule 5 from ACL 2001.
<Huawei> system-view
[Huawei] acl 2001
[Huawei-acl-basic-2001] undo rule 5

Other related questions:
How to configure and delete an advanced ACL on the AR
Configure and delete the advanced ACL on the AR
An advanced ACL defines rules based on the source IP address, destination IP address, IP precedence, Type of Service (ToS), DiffServ Code Point (DSCP), IP protocol type, Internet Control Message Protocol (ICMP) type, TCP source and destination ports, and User Datagram Protocol (UDP) source and destination ports of IPv4 packets. "Advanced ACL" is short for "advanced IPv4 ACL". The ACL number ranges from 3000 to 3999.
Command: rule [ rule-id ] { deny | permit } { protocol-number | icmp | tcp | udp | gre | igmp | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | icmp-type { icmp-name | icmp-type icmp-code } | source { source-address source-wildcard | any } | logging | time-range time-name | vpn-instance vpn-instance-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | [ fragment | none-first-fragment ] ]
For tcp and udp rules, the TCP/UDP source and destination ports can also be matched (source-port and destination-port), as the example below does with destination-port eq 128.
Parameter descriptions
rule-id: an integer in the range 0 to 4294967294. If it is omitted, the device allocates the rule ID automatically, starting from the step value. By default the step is 5, so the first rule gets ID 5 and later rules get the following multiples of 5 (5, 10, 15, and so on).
A specified rule-id is honoured only when the ACL uses the configuration match order (rules are matched in ascending rule-id order). In automatic match order, the device allocates rule IDs itself according to the depth-first algorithm.
deny: rejects the packets that match the rule.
permit: allows the packets that match the rule.
protocol-number: the IP protocol type, expressed as a name or a number. As a number it is an integer from 1 to 255; as a name it can be gre, icmp, igmp, ip, ipinip, ospf, tcp, or udp. The names map to protocol numbers as follows: icmp 1, igmp 2, ipinip 4, tcp 6, udp 17, gre 47, ospf 89.
destination-address: the destination IP address, in dotted decimal notation. destination-wildcard: the wildcard of the destination IP address; it can be abbreviated as 0, which is equivalent to 0.0.0.0 and means the destination address is a single host address.
When the wildcard is written in binary, a 0 bit means the corresponding address bit must match and a 1 bit means that bit is ignored. The 0 and 1 bits need not be contiguous. For example, the address 192.168.1.169 with the wildcard 0.0.0.172 (last octet 10101100 in binary) matches 192.168.1.x0x0xx01, where each x can be 0 or 1.
Example: add a rule to ACL 3001 to permit UDP packets from 129.9.8.0/24 to 202.38.160.0/24 with destination UDP port 128.
<Huawei> system-view
[Huawei] acl 3001
[Huawei-acl-adv-3001] rule permit udp source 129.9.8.0 0.0.0.255 destination 202.38.160.0 0.0.0.255 destination-port eq 128
Delete rule 1 from ACL 3000.
<Huawei> system-view
[Huawei] acl 3000 
[Huawei-acl-adv-3000] undo rule 1
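As an added, runnable model of the basic and advanced ACL rules described in the two sections above (illustration code written for this page, not Huawei software), the following Python reproduces automatic rule-ID allocation in steps of 5, wildcard matching with the 0 abbreviation, the tcp/udp destination-port match used in the ACL 3001 example, and undo rule, then evaluates the rules from this page against constructed packets. The packet dictionary layout, first-match evaluation in ascending rule-ID order (configuration match order) and the treatment of the ip keyword as "any protocol" are assumptions of the model; the action taken when no rule matches depends on where the ACL is applied on the device and is not modelled (lookup returns None).

```python
"""Offline model of Huawei-style basic (2000-2999) and advanced (3000-3999) IPv4 ACLs.

Added illustration, not Huawei code. Assumptions: packets are dicts with src/dst
(and proto/dport for advanced rules), rules are evaluated first-match in ascending
rule-id order, "ip" means any IP protocol, and a miss returns None.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Protocol names and numbers listed on the page for advanced ACL rules.
PROTO = {"icmp": 1, "igmp": 2, "ipinip": 4, "tcp": 6, "udp": 17, "gre": 47, "ospf": 89}

AddrSpec = Optional[Tuple[str, str]]  # (address, wildcard); None means "any"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit where the wildcard bit is 0.

    Wildcard bits may be non-contiguous (e.g. 0.0.0.172); "0" abbreviates 0.0.0.0.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address("0.0.0.0" if wildcard == "0" else wildcard))
    return (a ^ b) & ~w == 0


def _spec(spec) -> AddrSpec:
    """Normalise None / "any" / (address, wildcard) to the internal form."""
    return None if spec in (None, "any") else (spec[0], spec[1])


@dataclass
class Rule:
    rule_id: int
    action: str                        # "permit" or "deny"
    source: AddrSpec = None
    destination: AddrSpec = None
    protocol: Optional[int] = None     # None: any protocol (basic ACL, or "ip")
    dst_port: Optional[int] = None     # destination-port eq N (tcp/udp only)

    def matches(self, pkt: dict) -> bool:
        if self.source and not wildcard_match(pkt["src"], *self.source):
            return False
        if self.destination and not wildcard_match(pkt["dst"], *self.destination):
            return False
        if self.protocol is not None and pkt.get("proto") != self.protocol:
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return True


class Acl:
    def __init__(self, number: int, step: int = 5):
        if 2000 <= number <= 2999:
            self.kind = "basic"
        elif 3000 <= number <= 3999:
            self.kind = "advanced"
        else:
            raise ValueError("only basic (2000-2999) and advanced (3000-3999) ACLs are modelled")
        self.number, self.step, self.rules = number, step, {}

    def _next_id(self) -> int:
        # First ID is the step itself; later IDs are the next multiple of the step
        # above the highest existing rule ID (so a manual rule 7 is followed by 10).
        return (max(self.rules, default=0) // self.step + 1) * self.step

    def rule(self, action: str, protocol=None, source=None, destination=None,
             dst_port: Optional[int] = None, rule_id: Optional[int] = None) -> int:
        """Mirror of 'rule [rule-id] {permit|deny} [protocol] [source ...] [destination ...]'."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if self.kind == "basic" and (protocol or destination or dst_port is not None):
            raise ValueError("a basic ACL matches on the source address only")
        if self.kind == "advanced" and protocol is None:
            raise ValueError("an advanced ACL rule must name a protocol")
        if isinstance(protocol, str):
            protocol = None if protocol == "ip" else PROTO[protocol]
        if dst_port is not None and protocol not in (PROTO["tcp"], PROTO["udp"]):
            raise ValueError("destination-port applies to tcp and udp rules only")
        rid = self._next_id() if rule_id is None else rule_id
        self.rules[rid] = Rule(rid, action, _spec(source), _spec(destination), protocol, dst_port)
        return rid

    def undo_rule(self, rule_id: int) -> None:
        """Mirror of 'undo rule <rule-id>'."""
        del self.rules[rule_id]

    def lookup(self, pkt: dict) -> Optional[str]:
        """Action of the first matching rule in ascending rule-id order; None if nothing matches."""
        for rid in sorted(self.rules):
            if self.rules[rid].matches(pkt):
                return self.rules[rid].action
        return None


if __name__ == "__main__":
    # The two ACLs from this page, exercised on constructed packets.
    acl2001 = Acl(2001)
    acl2001.rule("permit", source=("192.168.32.1", "0"))          # becomes rule 5
    acl3001 = Acl(3001)
    acl3001.rule("permit", "udp", source=("129.9.8.0", "0.0.0.255"),
                 destination=("202.38.160.0", "0.0.0.255"), dst_port=128)
    print(acl2001.lookup({"src": "192.168.32.1", "dst": "10.0.0.1"}))
    print(acl3001.lookup({"src": "129.9.8.20", "dst": "202.38.160.9", "proto": 17, "dport": 128}))
```

The model refuses combinations the CLI would also reject (a destination or protocol on a basic ACL, a port match on a non-tcp/udp rule), which is the check worth running before pasting a generated rule set onto a device.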

How to configure an ACL through the web NMS on an AR router
Log in to the web NMS and choose Security > ACL. Click a tab page to configure a basic ACL, an advanced ACL, or a Layer 2 ACL. A basic ACL lets the AR router classify IPv4 or IPv6 packets by source IP address and by time range. An advanced ACL lets the AR router classify IPv4 or IPv6 packets by source and destination IP addresses, source and destination port numbers, protocol type, priority, and time range. A Layer 2 ACL lets the AR router classify packets by link-layer information such as the source and destination MAC addresses and the Layer 2 protocol type. Select a tab page and click New in the configuration list. In the displayed dialog box, enter an ACL name; for a basic or advanced ACL, the ACL type must also be set. In the new configuration entry, click Add and configure the parameters. For details, see the URL: The AR router configures the VLANIF interface to implement inter-VLAN communication.

How to configure and delete a Layer 2 ACL on the AR
A Layer 2 ACL defines rules based on the Ethernet frame header of packets, such as the source MAC address, destination MAC address, and Ethernet frame protocol type. The ACL number ranges from 4000 to 4999.
Command: rule [ rule-id ] { permit | deny } [ l2-protocol type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value | [ time-range time-name ] ]
Example: add a rule to ACL 4001 to permit frames with the destination MAC address 0000-0000-0001, the source MAC address 0000-0000-0002, and the Layer 2 protocol type 0x0800 (IPv4).
<Huawei> system-view
[Huawei] acl 4001
[Huawei-acl-L2-4001] rule permit destination-mac 0000-0000-0001 source-mac 0000-0000-0002 l2-protocol 0x0800

Method used to configure the mask in the ACL on the AR
Masks in ACL rules on AR series routers and S series switches are wildcard masks, not subnet masks. A wildcard mask (wildcard for short) is written in dotted decimal notation. When the wildcard is written in binary, a 0 bit means the corresponding address bit must match and a 1 bit means that bit is ignored. The 0 and 1 bits need not be contiguous. For example, the address 192.168.1.169 with the wildcard 0.0.0.172 (last octet 10101100 in binary) matches 192.168.1.x0x0xx01, where each x can be 0 or 1.
Example:
<Huawei> system-view
[Huawei] acl number 2000
[Huawei-acl-basic-2000] rule permit source 192.168.32.1 0 //Permit only one host address; the wildcard 0.0.0.0 is abbreviated as 0.
[Huawei-acl-basic-2000] rule permit source 192.168.32.0 0.0.0.255 //Permit the network segment 192.168.32.0/24 (subnet mask 255.255.255.0); in an ACL the wildcard 0.0.0.255, the bitwise inverse of the subnet mask, is used instead.
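To make the wildcard arithmetic above concrete, here is an added Python helper set (illustration code for this page, not Huawei software). It converts between subnet masks, prefix lengths and wildcards, tells contiguous wildcards (an ordinary subnet) from non-contiguous ones, enumerates every address a base/wildcard pair matches so the 192.168.1.169 0.0.0.172 example can be listed in full, and flags the two mistakes reviewers most often catch in ACL rules: a subnet mask typed where a wildcard was meant, and address bits set inside the ignored positions. The lint checks and their wording are assumptions of this illustration, not device behaviour.

```python
"""Wildcard-mask helpers for Huawei-style ACL rules (added illustration, not Huawei code)."""
import ipaddress
from typing import List, Optional

MAX32 = 0xFFFFFFFF


def _i(s: str) -> int:
    """Dotted-decimal (or the abbreviation "0") to a 32-bit integer."""
    return int(ipaddress.IPv4Address("0.0.0.0" if s == "0" else s))


def _s(i: int) -> str:
    return str(ipaddress.IPv4Address(i))


def mask_to_wildcard(mask: str) -> str:
    """Subnet mask to wildcard: every bit inverted (255.255.255.0 -> 0.0.0.255)."""
    return _s(~_i(mask) & MAX32)


def prefix_to_wildcard(prefix_len: int) -> str:
    """Prefix length to wildcard (/24 -> 0.0.0.255, /32 -> 0.0.0.0)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return _s(MAX32 >> prefix_len)


def wildcard_prefix_len(wildcard: str) -> Optional[int]:
    """Prefix length if the wildcard is contiguous (all 1 bits at the low end), else None."""
    w = _i(wildcard)
    if w & (w + 1):           # a run of low 1 bits means w + 1 is a power of two
        return None
    return 32 - w.bit_length()


def matched_addresses(base: str, wildcard: str) -> List[str]:
    """Every address a (base, wildcard) pair matches, enumerated over the ignored bits."""
    b, w = _i(base), _i(wildcard)
    free_bits = [i for i in range(32) if w >> i & 1]
    if len(free_bits) > 16:
        raise ValueError("too many ignored bits to enumerate")
    fixed = b & ~w & MAX32    # base with the ignored bits cleared
    out = []
    for n in range(1 << len(free_bits)):
        v = fixed
        for k, bit in enumerate(free_bits):
            if n >> k & 1:
                v |= 1 << bit
        out.append(_s(v))
    return sorted(out, key=_i)


def lint_wildcard(base: str, wildcard: str) -> List[str]:
    """Reviewer warnings for a rule's address/wildcard pair (checks assumed for this example)."""
    b, w = _i(base), _i(wildcard)
    warns = []
    if wildcard_prefix_len(wildcard) is None:
        warns.append("non-contiguous wildcard: matches scattered addresses, confirm this is intended")
    if w and (w >> 31) & 1 and not (w & 1):
        warns.append("looks like a subnet mask typed as a wildcard (e.g. 255.255.255.0 instead of 0.0.0.255)")
    if b & w:
        warns.append("address bits set inside ignored positions are not matched: "
                     "the rule behaves as " + _s(b & ~w & MAX32) + " " + wildcard)
    return warns


if __name__ == "__main__":
    print(mask_to_wildcard("255.255.255.0"), prefix_to_wildcard(24))
    print(matched_addresses("192.168.1.169", "0.0.0.172"))
    print(lint_wildcard("192.168.32.0", "255.255.255.0"))
```

Run lint_wildcard over every source/destination pair before committing an ACL: an inverted mask such as 192.168.32.0 255.255.255.0 silently turns a /24 rule into one that matches any address whose last octet is 0, which is the kind of defect that passes a syntax check and fails in production.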

Configure the basic firewall functions on an AR router
The basic firewall functions of an AR router are: creating a security zone and adding interfaces to it, creating an interzone and enabling the firewall functions in the interzone, configuring the session table aging time, and checking the configuration result. For details about each step, see the following:
[Creating a security zone and adding interfaces into the security zone on an AR router] Create a security zone and add interfaces to it on an AR router.
[Enabling the firewall functions on an AR router] Enable the firewall functions on an AR router.
[Configuring session table aging time of the firewall on an AR router] Configure the session table aging time of the firewall on an AR router.
For details about configuring the basic firewall functions on AR series routers, see the URL: AR router configuration firewall basic functions.
