Configure ACL validity time range on S series switch


An S series switch, except the S1700, supports two types of validity time range for ACL rules:
1. Periodic time range: defines a time range based on days of the week. The associated ACL rules take effect at an interval of one week. For example, if the time range of the ACL rules is 8:00-12:00 on Monday, the ACL rules take effect at 8:00-12:00 every Monday.
Format: time-range time-name start-time to end-time { days } &<1-7>
2. Absolute time range: defines a time range from YYYY/MM/DD hh:mm to YYYY/MM/DD hh:mm. The associated ACL rules take effect only in this period.
Format: time-range time-name from time1 date1 [ to time2 date2 ]
Create a time range working-time (8:00-18:00 from Monday to Friday) and configure a rule in ACL work-acl. The rule rejects the packets from network segment 192.168.1.0/24 within the period working-time.
[HUAWEI] time-range working-time 8:00 to 18:00 working-day
[HUAWEI] acl name work-acl basic
[HUAWEI-acl-basic-work-acl] rule deny source 192.168.1.0 0.0.0.255 time-range working-time
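As an added illustration (not from this page or from Huawei's software), the following Python model shows how the two time-range types and the wildcard mask in the work-acl example above decide whether the deny rule applies to a given packet at a given time. The day-keyword mapping, inclusive boundary minutes and "first match in config order" are assumptions of this model.

```python
from datetime import datetime
from ipaddress import IPv4Address

# Day keywords accepted in "time-range <name> <start> to <end> { days }".
# Assumption: this keyword-to-weekday mapping (Monday = 0); only "working-day"
# appears on the page, the other keywords are listed for completeness.
DAY_KEYWORDS = {
    "working-day": {0, 1, 2, 3, 4}, "off-day": {5, 6}, "daily": set(range(7)),
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}

def _minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

def periodic_active(start, end, days, ts):
    """Periodic range: 'start to end' on the listed days, repeating weekly.
    Assumption: both boundary minutes are inclusive."""
    allowed = set().union(*(DAY_KEYWORDS[d] for d in days))
    now = ts.hour * 60 + ts.minute
    return ts.weekday() in allowed and _minutes(start) <= now <= _minutes(end)

def absolute_active(begin, end, ts):
    """Absolute range: 'from hh:mm YYYY/MM/DD [to hh:mm YYYY/MM/DD]'.
    Without 'to', the range stays active indefinitely after 'begin'."""
    fmt = "%H:%M %Y/%m/%d"
    t1 = datetime.strptime(begin, fmt)
    t2 = datetime.strptime(end, fmt) if end else datetime.max
    return t1 <= ts <= t2

def wildcard_match(addr, base, wildcard):
    """Wildcard mask as used in ACL rules: a 1 bit means 'do not compare'
    (0.0.0.255 covers a /24; the CLI shorthand 0 means the exact host)."""
    wildcard = "0.0.0.0" if wildcard == "0" else wildcard
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def evaluate(rules, src, ts):
    """Walk basic-ACL rules in config order; the first matching rule decides.
    Returns None when nothing matches: as the page notes, the service module
    that applies the ACL then decides whether to forward or discard."""
    for action, base, wildcard, time_range in rules:
        if wildcard_match(src, base, wildcard) and (time_range is None or time_range(ts)):
            return action
    return None

# The page's example: "rule deny source 192.168.1.0 0.0.0.255 time-range working-time"
working_time = lambda ts: periodic_active("8:00", "18:00", ["working-day"], ts)
WORK_ACL = [("deny", "192.168.1.0", "0.0.0.255", working_time)]
```

Packets from 192.168.1.0/24 are denied only on Monday to Friday between 8:00 and 18:00; outside that window, or from another source, no rule matches.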

Other related questions:
Can ACLs on S series switches restrict time range
Yes, ACLs on S series switches can be restricted to a time range. For example, you can use a Layer 2 ACL to restrict the PPPoE dial-up period on a switch: run the time-range command to define a time range, and reference that time range in a Layer 2 ACL rule.

How to configure an ACL time range on a WLAN device
If some services or functions need to be started at intervals or during a specific period of time, run the time-range command on the WLAN device. When configuring ACL rules, you reference a time range by its name. You can associate a time range with ACL rules in either of the following ways:
Mode 1: Periodic time range: defines a time range by week. The associated ACL rules take effect at an interval of one week. For example, if the time range of the ACL rules is 8:00-12:00 on Monday, the ACL rules take effect at 8:00-12:00 every Monday.
Format: time-range time-name start-time to end-time { days } &<1-7>
Mode 2: Absolute time range: defines a time range from YYYY/MM/DD hh:mm to YYYY/MM/DD hh:mm. The associated ACL rules take effect only in this period.
Format: time-range time-name from time1 date1 [ to time2 date2 ]
Create the time range working-time (8:00-18:00 from Monday to Friday) and configure a rule in ACL work-acl. The rule rejects packets from network segment 192.168.1.0/24 within the period working-time.
[HUAWEI] time-range working-time 8:00 to 18:00 working-day
[HUAWEI] acl name work-acl basic
[HUAWEI-acl-basic-work-acl] rule deny source 192.168.1.0 0.0.0.255 time-range working-time

ACL configuration on S series switch
An ACL filters packets based on rules. A switch with an ACL configured matches packets against the rules to identify packets of a certain type, and then forwards or discards those packets according to the policy of the service module to which the ACL is applied. S series switches support basic ACLs (2000-2999), advanced ACLs (3000-3999), Layer 2 ACLs (4000-4999), user-defined ACLs (5000-5999), user ACLs (6000-9999), basic ACL6s (2000-2999), and advanced ACL6s (3000-3999). For more information about the ACL feature supported by S series switches, except the S1700, see the S1720&S2700&S3700&S5700&S6700&S7700&S9700 Common Operation Guide or the S1720&S2700&S3700&S5700&S6700&S7700&S9700 Typical Configuration Examples.

Reflective ACL configuration on S series switch
On an S series switch, except the S1700: a reflective ACL is a type of dynamic ACL. It controls user access according to the upper-layer session information in IP packets, so that hosts on the public network cannot connect to the private network unless users on the private network connect to the public network first. In this way, the reflective ACL protects an enterprise's private network against attacks from unauthorized external users.
For example, GE2/0/1 on a switch connects to the Internet. The reflective ACL is configured on GE2/0/1 in the outbound direction to prevent a server on the Internet from accessing hosts on the internal network unless the internal hosts access the server first. The configuration is as follows:
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule permit udp
[HUAWEI-acl-adv-3000] quit
[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] traffic-reflect outbound acl 3000 timeout 600 //Configure a reflective ACL on GE2/0/1 to match UDP packets and set the aging time.
[HUAWEI-GigabitEthernet2/0/1] quit
[HUAWEI] traffic-reflect timeout 900 //Set the global aging time for reflective ACLs.
Run the display traffic-reflect command in the system view to view reflective ACL information.

Configure advanced ACLs on S series switches
A numbered advanced ACL, with a number ranging from 3000 to 3999, can be configured on an S series switch (except the S1700). An advanced ACL defines rules based on source IPv4 addresses, destination IPv4 addresses, IPv4 protocol types, ICMP types, TCP source/destination port numbers, UDP source/destination port numbers, and time ranges.
For example, configure a rule in ACL 3001 to permit ICMP packets from 192.168.1.3 destined for network segment 192.168.2.0/24:
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule permit icmp source 192.168.1.3 0 destination 192.168.2.0 0.0.0.255
For another example, configure rules in the advanced ACL no-web to forbid hosts 192.168.1.3 and 192.168.1.4 from accessing web pages (HTTP is used to access web pages, and its TCP port number is 80), and set the ACL description to "Web access restrictions":
[HUAWEI] acl name no-web
[HUAWEI-acl-adv-no-web] description Web access restrictions
[HUAWEI-acl-adv-no-web] rule deny tcp destination-port eq 80 source 192.168.1.3 0
[HUAWEI-acl-adv-no-web] rule deny tcp destination-port eq 80 source 192.168.1.4 0
