Router firewall configuration command

xiaoxiao2021-03-06  69

1. access-list: creates access rules.

(1) Creating a standard access list

access-list [normal | special] listnumber1 {permit | deny} source-addr [source-mask]

(2) Creating an extended access list

access-list [normal | special] listnumber2 {permit | deny} protocol source-addr source-mask [operator port1 [port2]] dest-addr dest-mask [operator port1 [port2] | icmp-type [icmp-code]] [log]

(3) Delete access list

no access-list {normal | special} {all | listnumber [subitem]}

【Parameter Description】

Normal specifies that the rule is added to the normal time period.

Special specifies that the rule is added to the special time period.

ListNumber1 is a value from 1 to 99, indicating that the rule is a standard access list rule.

ListNumber2 is a value from 100 to 199, indicating that the rule is an extended access list rule.

Permit indicates that packets satisfying the condition are allowed to pass.

Deny indicates that packets satisfying the condition are dropped.

Protocol is the protocol type; ICMP, TCP and UDP are supported, and other protocols are supported as well but without port comparison. IP has a special meaning: it represents all IP protocols.

Source-addr is the source address.

Source-mask is the source address wildcard mask; it is optional in a standard access list, and if omitted the wildcard mask is 0.0.0.0.

Dest-addr is the destination address.

Dest-mask is the destination address wildcard mask.

Operator [optional] is the port operator; port comparison is supported when the protocol type is TCP or UDP. The supported comparisons are equal to (eq), greater than (gt), less than (lt), not equal to (neq) and range (range); if the operator is range, two ports must follow it.

Port1 appears when the protocol type is TCP or UDP; it can be a preset keyword (such as telnet) or a value from 0 to 65535.

Port2 appears when the protocol type is TCP or UDP and the operator is range; it can be a preset keyword (such as telnet) or a value from 0 to 65535.

ICMP-type [optional] appears when the protocol is ICMP and represents the ICMP packet type; it can be a preset keyword (such as echo-reply) or a value from 0 to 255.

ICMP-code appears when the protocol is ICMP and a preset keyword was not used; it represents the ICMP code, a value from 0 to 255.

Log [optional] means that packets matching the condition are logged.

ListNumber is a value from 1 to 199.

SubItem [optional] specifies the sequence number, within the access list, of the rule to delete.

[By default]

No access rules are configured by default.

[Command Mode]

Global configuration mode

【user's guidance】

Rules with the same list number can be regarded as one group of rules. The rules defined here are not only used to filter packets on an interface; they can also be referenced elsewhere to decide whether a packet is of interest, in which case permit and deny mean "interested" and "not interested" respectively. An extended access list with ip in the protocol field represents all IP protocols.

Rules with the same list number are ordered and selected according to certain principles, which can be seen with the show access-list command.

Examples

Allow WWW access from the source network 10.1.1.0 to the destination network 10.1.2.0, but do not allow FTP.

Quidway(config)# access-list 100 permit tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 eq www

Quidway(config)# access-list 100 deny tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 eq ftp

[Related commands]

ip access-group

2. clear access-list counters: clears the statistics of access list rules.

clear access-list counters [listnumber]

【Parameter Description】

ListNumber [optional] is the number of the rule list whose statistics are to be cleared; if not specified, the statistics of all rules are cleared.

[By default]

Statistics are never cleared by default.

[Command Mode]

Privileged user mode

【user's guidance】

Use this command to clear the statistics of the rules currently in use; if no rule number is specified, the statistics of all rules are cleared.

Examples

Example 1: Clear the statistics of rule list 100 currently in use.

Quidway# clear access-list counters 100

Example 2: Clear the statistics of all rules currently in use.

Quidway# clear access-list counters

[Related commands]

access-list

3. firewall: enables or disables the firewall.

firewall {enable | disable}

【Parameter Description】

Enable means that the firewall is enabled.

Disable means that the firewall is disabled.

[By default]

By default, the firewall is disabled.

[Command Mode]

Global configuration mode

【user's guidance】

Use this command to enable or disable the firewall; the result can be seen with the show firewall command. If time-range packet filtering is in use, it is switched off together with the firewall: this command is the master switch of the firewall. When the firewall is switched off with firewall disable, the firewall's own statistics are also cleared.

Examples

Enable the firewall.

Quidway(config)# firewall enable

[Related commands]

access-list, ip access-group

4. firewall default: sets the default filtering action used when no access rule matches.

firewall default {permit | deny}

【Parameter Description】

Permit sets the default filtering attribute to "permit".

Deny sets the default filtering attribute to "deny".

[By default]

When the firewall is enabled, packets are allowed to pass by default.

[Command Mode]

Global configuration mode

【user's guidance】

When the rules applied on an interface do not decide whether a packet should be permitted or denied, the default filtering attribute takes effect: if the default filtering attribute is "permit", the packet passes; otherwise the packet is dropped.

Examples

Set the default filtering attribute to "permit".

Quidway(config)# firewall default permit

5. ip access-group: applies a rule list to an interface; the no form deletes the corresponding setting.

ip access-group listnumber {in | out}

no ip access-group listnumber {in | out}

【Parameter Description】

ListNumber is the rule list number, a value from 1 to 199.

In indicates that the rules are used to filter packets received on the interface.

Out indicates that the rules are used to filter packets forwarded out of the interface.

[By default]

No rules are applied to any interface by default.

[Command Mode]

Interface configuration mode

【user's guidance】

Use this command to apply rules to an interface: to filter packets received on the interface use the in keyword; to filter packets forwarded out of the interface use the out keyword. Up to 20 different rule lists can be applied in one direction of an interface; they are ordered by list number, with smaller numbers in front, that is, with higher priority. When filtering a packet, the search stops at the first matching rule, which speeds up filtering. It is therefore recommended, when configuring rules, to place the rules for the same network in the access list with the same number; the order in which the rules within one list are arranged and selected can be viewed with the show access-list command.

Examples

Apply rule list 101 to packets received on the Ethernet interface.

Quidway(config-if-ethernet0)# ip access-group 101 in
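The three pieces above (wildcard-mask matching in access-list, the firewall default action, and the list-number ordering applied by ip access-group) fit together as a small first-match evaluator. The following is an added example and not code from the page or from Quidway; the keyword-to-port table, the treatment of "any" as 0.0.0.0 255.255.255.255, and the use of configuration order inside one list are assumptions made here.

```python
# Added example (not from the page or Quidway): evaluate access-list rules the way
# the page describes: wildcard masks, first match wins, lists consulted in ascending
# number order, and 'firewall default' when nothing matches.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_KEYWORDS = {"www": 80, "ftp": 21, "telnet": 23, "rip": 520}  # assumed subset
OPERATORS = {"eq", "gt", "lt", "neq", "range"}
PortSpec = Optional[Tuple[str, int, Optional[int]]]      # (operator, port1, port2)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard mask means 'do not care'; 0.0.0.0 means an exact host."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


@dataclass
class Rule:
    number: int
    action: str       # "permit" or "deny"
    proto: str        # "ip" matches every IP protocol, per the page
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    sport: PortSpec = None
    dport: PortSpec = None
    log: bool = False


def _addr(toks, i):
    if toks[i].lower() == "any":                     # assumed shorthand
        return "0.0.0.0", "255.255.255.255", i + 1
    return toks[i], toks[i + 1], i + 2


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_KEYWORDS[tok.lower()]


def _ports(toks, i):
    """Parse an optional 'operator port1 [port2]' group starting at toks[i]."""
    if i < len(toks) and toks[i].lower() in OPERATORS:
        op, p1 = toks[i].lower(), _port(toks[i + 1])
        if op == "range":
            return (op, p1, _port(toks[i + 2])), i + 3
        return (op, p1, None), i + 2
    return None, i


def parse_rule(line: str) -> Rule:
    toks = line.split()
    if toks[0].lower() != "access-list":
        raise ValueError("not an access-list line: " + line)
    number, action = int(toks[1]), toks[2].lower()
    if 1 <= number <= 99:   # standard list: source only; missing mask means 0.0.0.0
        src_wc = toks[4] if len(toks) > 4 else "0.0.0.0"
        return Rule(number, action, "ip", toks[3], src_wc, "0.0.0.0", "255.255.255.255")
    proto = toks[3].lower()
    src, src_wc, i = _addr(toks, 4)
    sport, i = _ports(toks, i) if proto in ("tcp", "udp") else (None, i)
    dst, dst_wc, i = _addr(toks, i)
    dport, i = _ports(toks, i) if proto in ("tcp", "udp") else (None, i)
    log = i < len(toks) and toks[i].lower() == "log"
    return Rule(number, action, proto, src, src_wc, dst, dst_wc, sport, dport, log)


def _port_ok(spec: PortSpec, port: int) -> bool:
    if spec is None:
        return True
    op, p1, p2 = spec
    return {"eq": port == p1, "neq": port != p1, "gt": port > p1,
            "lt": port < p1, "range": p1 <= port <= (p2 or p1)}[op]


def rule_matches(r: Rule, pkt: dict) -> bool:
    if r.proto != "ip" and r.proto != pkt["proto"]:
        return False
    return (wildcard_match(pkt["src"], r.src, r.src_wc)
            and wildcard_match(pkt["dst"], r.dst, r.dst_wc)
            and _port_ok(r.sport, pkt.get("sport", 0))
            and _port_ok(r.dport, pkt.get("dport", 0)))


def interface_filter(applied, rules, pkt, default="permit"):
    """One direction of an interface: lists in `applied` (ip access-group) are consulted
    in ascending list-number order, rules inside a list in configuration order (assumed);
    first match wins, otherwise the 'firewall default' action applies."""
    for n in sorted(set(applied)):
        for r in (x for x in rules if x.number == n):
            if rule_matches(r, pkt):
                return r.action, r.number
    return default, None


# Constructed sample: the page's two rules plus a standard list blocking one host.
CONFIG = [
    "access-list 100 permit tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 eq www",
    "access-list 100 deny tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 eq ftp",
    "access-list 5 deny 10.1.1.99",
]
RULES = [parse_rule(line) for line in CONFIG]


def demo(default="permit"):
    """Verdicts for constructed packets on an interface with lists 5 and 100 applied inbound."""
    pkts = {
        "web":  {"proto": "tcp", "src": "10.1.1.5", "dst": "10.1.2.7", "dport": 80},
        "ftp":  {"proto": "tcp", "src": "10.1.1.5", "dst": "10.1.2.7", "dport": 21},
        "ssh":  {"proto": "tcp", "src": "10.1.1.5", "dst": "10.1.2.7", "dport": 22},
        "host": {"proto": "udp", "src": "10.1.1.99", "dst": "10.1.2.7", "dport": 53},
    }
    return {name: interface_filter([100, 5], RULES, p, default) for name, p in pkts.items()}


if __name__ == "__main__":
    for name, (action, num) in demo().items():
        print(f"{name:5s} -> {action} (list {num})")
```

The "ssh" packet shows why firewall default matters: neither rule in list 100 speaks about port 22, so the verdict comes entirely from the default attribute, and a list that only contains permit rules silently permits everything else unless the default is deny.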

[Related commands]

access-list

6. settr: sets or cancels the special time periods.

settr begin-time end-time

no settr

【Parameter Description】

Begin-time is the start time of a period.

End-time is the end time of a period; it must be later than the start time.

[By default]

By default no time periods are set, that is, all time belongs to the normal time period.

[Command Mode]

Global configuration mode

【user's guidance】

Use this command to set the special time periods; up to 6 periods can be set at the same time, and the configured periods can be viewed with the show timerange command. If a period is changed while it is in use, the change takes effect within about one minute (the interval at which the system checks the time period). Times are given in 24-hour notation. To set a period that spans midnight, for example from the evening until 8:00 the next morning, set "settr 21:00 23:59 0:00 8:00"; because both endpoints of a configured period count as inside the period, no switch between inside and outside occurs at midnight. This setting has also been tested for Year 2000 (Y2K) problems.

Examples

Example 1: Set the time periods 8:30 to 12:00 and 14:00 to 17:00.

Quidway(config)# settr 8:30 12:00 14:00 17:00

Example 2: Set a time period that spans midnight, from 21:00 to 8:00.

Quidway(config)# settr 21:00 23:59 0:00 8:00
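The settr semantics above (minute granularity, both endpoints inside the period, end later than begin, and a midnight-spanning window built from two periods) are easy to get wrong when reasoning about when special rules are active. The following is an added example, not code from the page or from Quidway; the parse and check functions are this example's own.

```python
# Added example (not from the page): decide whether a time of day lies inside the
# periods configured with settr, using the semantics the page describes.
from datetime import time
from typing import List, Tuple

MAX_PERIODS = 6  # the page allows up to 6 periods at once


def _minutes(hhmm: str) -> int:
    """'8:30' -> 510; rejects anything outside 24-hour notation."""
    h, m = (int(x) for x in hhmm.split(":"))
    if not (0 <= h <= 23 and 0 <= m <= 59):
        raise ValueError("not a 24-hour time: " + hhmm)
    return h * 60 + m


def parse_settr(args: str) -> List[Tuple[int, int]]:
    """Parse the argument string of 'settr begin end [begin end ...]' into minute pairs."""
    toks = args.split()
    if not toks or len(toks) % 2:
        raise ValueError("settr needs begin/end pairs")
    if len(toks) // 2 > MAX_PERIODS:
        raise ValueError("at most %d periods" % MAX_PERIODS)
    periods = []
    for b, e in zip(toks[::2], toks[1::2]):
        begin, end = _minutes(b), _minutes(e)
        if end <= begin:                # the page: end must be later than begin
            raise ValueError("end must be later than begin: %s %s" % (b, e))
        periods.append((begin, end))
    return periods


def is_in_time_range(periods, now: time) -> bool:
    """Minute granularity: seconds are ignored, and both endpoints count as inside."""
    m = now.hour * 60 + now.minute
    return any(b <= m <= e for b, e in periods)


def active_rule_set(timerange_enabled: bool, periods, now: time) -> str:
    """Which rules the firewall consults: 'special' inside a period, else 'normal'."""
    if timerange_enabled and is_in_time_range(periods, now):
        return "special"
    return "normal"


# Constructed from the page's two examples.
WORK_HOURS = parse_settr("8:30 12:00 14:00 17:00")
OVERNIGHT = parse_settr("21:00 23:59 0:00 8:00")


def demo():
    """Probe a few instants; returns {label: rule set in use}."""
    probes = {
        "work 12:00":       (True, WORK_HOURS, time(12, 0)),      # endpoint -> inside
        "work 13:00":       (True, WORK_HOURS, time(13, 0)),      # lunch gap -> normal
        "night 23:59:45":   (True, OVERNIGHT, time(23, 59, 45)),  # seconds ignored -> inside
        "night 0:00":       (True, OVERNIGHT, time(0, 0)),        # second period -> inside
        "night 8:01":       (True, OVERNIGHT, time(8, 1)),        # one minute past -> normal
        "disabled 1:00":    (False, OVERNIGHT, time(1, 0)),       # timerange disable -> normal
    }
    return {k: active_rule_set(en, p, t) for k, (en, p, t) in probes.items()}


if __name__ == "__main__":
    for label, rule_set in demo().items():
        print(label, "->", rule_set)
```

The "night 23:59:45" and "night 0:00" probes are the point of the page's midnight advice: with minute granularity and inclusive endpoints, 23:59 and 0:00 are both inside, so the firewall never drops back to the normal rules between the two periods.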

[Related commands]

timerange, show timerange

7. show access-list: displays the packet filter rules and their application on interfaces.

show access-list [all | listnumber | interface interface-name]

【Parameter Description】

All displays all rules, including the rules of the normal time period and of the special time period.

ListNumber displays the rules numbered ListNumber among the rules currently in use.

Interface displays the numbers of the rule lists applied on the specified interface.

Interface-name is the name of the interface.

[Command Mode]

Privileged user mode

【user's guidance】

Use this command to display the specified rules and to check how the rules are filtering packets. Each rule has a counter; every time a packet is filtered by the rule the counter is incremented by 1. By watching the counters you can see which of the configured rules are effective and which are practically never used. The rules applied on an interface can be viewed with the show access-list command and the interface keyword.

Examples

Example 1: Display rule list 100 currently in use.

Quidway# show access-list 100

Using normal packet-filtering access rules now.

100 deny icmp 10.1.0.0 0.0.255.255 any host-redirect (3 matches, 252 bytes - rule 1)

100 permit icmp 10.1.0.0 0.0.255.255 any echo (no matches - rule 2)

100 deny udp any any eq rip (no matches - rule 3)

Example 2: Display the rule lists applied on interface serial0.

Quidway# show access-list interface serial 0

Serial0:

access-list filtering in-bound packets: 120

access-list filtering out-bound packets: none
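The counters in the show access-list output above are the page's suggested way to find rules that never fire. As an added example (not code from the page or from Quidway), the parser below reads lines in that output format, constructed here from the page's example 1, and reports the rules whose counters are still zero; the regular expression is this example's own and assumes the "(N matches, M bytes - rule K)" / "(no matches - rule K)" shape shown above.

```python
# Added example (not from the page): parse 'show access-list' counter lines and
# report rules that have never matched since the counters were last cleared.
import re
from typing import Dict, List

LINE_RE = re.compile(
    r"^\s*(?P<list>\d+)\s+(?P<action>permit|deny)\s+(?P<match>.+?)\s+"
    r"\((?:(?P<matches>\d+)\s+match(?:es)?,\s+(?P<bytes>\d+)\s+bytes|no matches)"
    r"\s+-\s+rule\s+(?P<rule>\d+)\)\s*$",
    re.IGNORECASE,
)

# Constructed sample output, modelled on the page's example 1 plus one extra line.
SAMPLE_OUTPUT = """\
Using normal packet-filtering access rules now.
100 deny icmp 10.1.0.0 0.0.255.255 any host-redirect (3 matches, 252 bytes - rule 1)
100 permit icmp 10.1.0.0 0.0.255.255 any echo (no matches - rule 2)
100 deny udp any any eq rip (no matches - rule 3)
100 permit tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 eq www (1 match, 60 bytes - rule 4)
"""


def parse_show_access_list(text: str) -> List[Dict]:
    """One dict per rule line; banner and other non-rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rows.append({
            "list": int(m["list"]),
            "rule": int(m["rule"]),
            "action": m["action"].lower(),
            "match": m["match"],
            "matches": int(m["matches"] or 0),   # 'no matches' -> 0
            "bytes": int(m["bytes"] or 0),
        })
    return rows


def unused_rules(rows: List[Dict]) -> List[tuple]:
    """(list, rule) pairs whose counter is still zero: candidates for review."""
    return [(r["list"], r["rule"]) for r in rows if r["matches"] == 0]


def hit_summary(rows: List[Dict]) -> Dict[str, int]:
    """Total matches per action, to see how much traffic the deny rules actually stop."""
    totals = {"permit": 0, "deny": 0}
    for r in rows:
        totals[r["action"]] += r["matches"]
    return totals


if __name__ == "__main__":
    parsed = parse_show_access_list(SAMPLE_OUTPUT)
    print("unused:", unused_rules(parsed))
    print("totals:", hit_summary(parsed))
```

Read the result together with the clear access-list counters command: a zero counter only means "no match since the last clear", so note when the counters were reset before treating a rule as dead.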

[Related commands]

access-list

8. show firewall: displays the firewall state.

show firewall

[Command Mode]

Privileged user mode

【user's guidance】

Use this command to display the status of the firewall, including whether the firewall is enabled, whether time-range packet filtering is in use, and some firewall statistics.

Examples

Display the firewall status.

Quidway# show firewall

Firewall is enable, default filtering method is 'permit'.

Timerange packet-filtering enable.

Inbound packets: none

Outbound packets: 0 packets, 0 bytes, 0% permitted,

0 packets, 0 bytes, 0% denied,

2 packets, 104 bytes, 100% permitted defaultly,

0 packets, 0 bytes, 100% denied defaultly.

From 00:13:02 to 06:13:21: 0 packets, 0 bytes, permitted.

[Related commands]

firewall

9. show isintr: displays whether the current time is within a special time period.

show isintr

[Command Mode]

Privileged user mode

【user's guidance】

Use this command to display whether the current time is within a special time period.

Examples

Display whether the current time is within a special time period.

Quidway# show isintr

It is not in time ranges now.

[Related commands]

timerange, settr

10. show timerange: displays the time-range packet filtering information.

show timerange

[Command Mode]

Privileged user mode

【user's guidance】

Use this command to display whether time-range packet filtering is enabled and which time periods are set.

Examples

Display the time-range packet filtering information.

Quidway# show timerange

Timerange packet-filtering enable.

Beginning of time range:

01:00 - 02:00

03:00 - 04:00

End of time range.

[Related commands]

timerange, settr

11. timerange: enables or disables time-range packet filtering.

timerange {enable | disable}

【Parameter Description】

Enable means that time-range packet filtering is enabled.

Disable means that time-range packet filtering is disabled.

[By default]

By default, time-range packet filtering is disabled.

[Command Mode]

Global configuration mode

【user's guidance】

Use this command to enable or disable time-range packet filtering; the result can be seen with the show firewall command and also with the show timerange command. After time-range packet filtering is enabled, the system decides, according to the current time and the configured periods, whether the special rules or the normal rules are in use. The system checks the time period with a granularity of 1 minute. Both endpoints of a configured period count as inside the period.

Examples

Enable time-range packet filtering.

Quidway(config)# timerange enable

[Related commands]

settr, show timerange

Please credit the original source when reposting: https://www.9cbs.com/read-109310.html
