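H3C SecPath U Series Security Products
Access Control Configuration Guide

Hangzhou H3C Technologies Co., Ltd.

Document version: 6PW104-20111209
Product version:
SECPATH200US&200UCS&200UCM-CMW520-R5116P20
SECPATH200UA&200UM&200UCA-CMW520-R5116P20

Copyright © 2008-2011 Hangzhou H3C Technologies Co., Ltd. and its licensors. All rights reserved.

Without the written permission of the company, no organization or individual may extract or copy part or all of the contents of this manual, or distribute it in any form.

H3C, Aolynk, H3Care, TOPG, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision, HUASAN and 华三 are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks, product marks and trade names that appear in this manual are the property of their respective owners.

The contents of this manual may change because of product version upgrades or for other reasons. H3C reserves the right to modify the contents of this manual without any notice or prompt. This manual is intended only as a usage guide. H3C makes every effort to provide accurate information in this manual, but does not guarantee that the contents are entirely free of errors, and none of the statements, information and recommendations in this manual constitutes a warranty of any kind, express or implied.

Preface

The H3C SecPath U Series Security Products configuration guides consist of ten manuals. They describe the principles and configuration methods of the software features of the U series security products, and include principle overviews, configuration task descriptions and configuration examples. The Access Control Configuration Guide mainly describes how to configure ACLs, security zones, service management, address resources, service resources, time range resources, interzone policies, session management, connection limits, Portal and AAA.

The preface contains the following parts:
• Audience
• Conventions
• Related documentation
• Obtaining documentation
• Technical support
• Documentation feedback

Audience

This manual is intended mainly for the following engineers:
• Network planners
• Field technical support and maintenance personnel
• Network administrators responsible for network configuration and maintenance

Conventions

1. Command line conventions

Format: Meaning
Bold: Command line keywords (the parts of a command that stay unchanged and must be typed as shown) are in bold.
Italic: Command line arguments (the parts of a command that must be replaced with actual values) are in italic.
[ ]: The part enclosed in "[ ]" is optional when you configure the command.
{ x | y | ... }: Select exactly one of the options.
[ x | y | ... ]: Select one of the options or none.
{ x | y | ... } *: Select at least one of the options.
[ x | y | ... ] *: Select one, several or none of the options.
&1-n: The argument before the & sign can be entered 1 to n times.
#: A line that starts with "#" is a comment line.

2. GUI conventions

Format: Meaning
< >: Angle brackets "< >" enclose button names, for example "click the <OK> button".
[ ]: Square brackets "[ ]" enclose window names, menu names and data tables, for example "the [New User] window appears".
/: Multi-level menus are separated by "/". For example, the multi-level menu [File/New/Folder] means the [Folder] menu item in the [New] submenu of the [File] menu.

3. Symbols

This manual also uses a number of prominent symbols to mark points that need special attention during operation. The symbols have the following meanings:
• The note that follows this symbol needs special attention. Improper operation may cause personal injury.
• A reminder of things to watch for during operation. Improper operation may cause data loss or damage to the device.
• An operation or a piece of information that needs special attention to make sure that the device is configured successfully or works properly.
• A necessary supplement to, or explanation of, the description of an operation.
• A tip or shortcut for configuring, operating or using the device.

4. Icon conventions

The icons used in this manual and their meanings are as follows:
• This icon and its accompanying text represent a U series security product.
• This icon and its accompanying text represent a general network device, such as a router, a switch or a firewall.
• This icon and its accompanying text represent a router in the general sense, or another device that runs routing protocols.
• This icon and its accompanying text represent a Layer 2 or Layer 3 Ethernet switch, or a device that runs Layer 2 protocols.

5. Port numbering in examples

The port numbers that appear in this manual are examples only and do not mean that a port with that number exists on the device. In practice, use the port numbers that exist on the device.

Related documentation

The documentation for the H3C SecPath U Series Security Products consists of the following parts:

Category: Product knowledge
  Product brochures (U200-A, U200-M, U200-S, U200-CA, U200-CM, U200-CS): Help you understand the main specifications and highlights of the products.
  FAQ: Helps you quickly understand the software and hardware specifications and features of the products.

Category: Hardware description and installation
  Installation guide: Helps you understand the hardware specifications and installation methods of the device in detail, and guides you through installing the device.
  License activation request and registration guide: Helps you understand in detail how to request and register a license, so that you can update and upgrade applications and signature databases in time.
  H3C pluggable SFP[SFP+][XFP] module installation guide: Helps you learn the correct way to install SFP/SFP+/XFP modules and avoid component damage caused by improper operation.

Category: Service configuration
  Configuration guides: Help you learn the configuration methods and configuration steps for the software features of the device.
  Command references: Describe the commands of the device in detail. They serve as a command dictionary in which you can look up the function of each command.
  Typical configuration examples: Help you understand the typical applications and recommended configurations of the products, described in terms of network requirements, network diagrams and configuration steps.

Category: Operation and maintenance
  Release notes (U200-A, U200-M, U200-S, U200-CA, U200-CM, U200-CS): Help you understand information about the product version (including version compatibility, compatibility notes, feature changes and technical support information) and the software upgrade method.

Obtaining documentation

You can obtain the latest product documentation from the H3C website.

The main sections of the H3C website that relate to product documentation are as follows:
• [Service Support/Document Center]: Hardware installation, software upgrade, configuration and maintenance documentation.
• [Products & Technology]: Product and technology introduction documents, including product introductions, technology introductions and technical white papers.
• [Solutions]: Solution documentation.
• [Service Support/Software Download]: Documentation that accompanies software versions.

Technical support

User support e-mail: customer_service@h3c.com
Technical support hotline: 400-810-0504 (can be dialed from mobile phones and landlines)
010-62982107
Website:

Documentation feedback

If you find any problem with the product documentation while using it, you can report it in the following way:
E-mail: info@h3c.com
Thank you for your feedback. It helps us do better.

Contents

1 ACL
  1.1 ACL overview
    1.1.1 ACL numbering and naming
    1.1.2 ACL categories
    1.1.3 ACL rule match order
    1.1.4 ACL rule description
    1.1.5 ACL step
    1.1.6 How ACLs handle fragmented packets
  1.2 Configuring ACLs through the Web interface
    1.2.1 Configuration overview
    1.2.2 Creating an ACL
    1.2.3 Configuring an IPv4 basic ACL
    1.2.4 Configuring an IPv4 advanced ACL
    1.2.5 Configuring a Layer 2 ACL
    1.2.6 ACL typical configuration example
  1.3 Configuring ACLs at the command line
    1.3.1 ACL configuration task overview
    1.3.2 Configuring the time range in which an ACL takes effect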