Huawei router configuration commands (very complete)


1. access-list is used to create access rules.
(1) Create a standard access list
access-list [normal | special] listnumber1 {permit | deny} source-addr [source-mask]
(2) Create an extended access list
access-list [normal | special] listnumber2 {permit | deny} protocol source-addr source-mask [operator port1 [port2]] dest-addr dest-mask [operator port1 [port2] | icmp-type [icmp-code]] [log]
(3) Delete an access list
no access-list {normal | special} {all | listnumber [subitem]}
【Parameter Description】
normal specifies that the rule is added to the normal time period.
special specifies that the rule is added to the special time period.
listnumber1 is a value between 1 and 99, indicating that the rule is a standard access list rule.
listnumber2 is a value between 100 and 199, indicating that the rule is an extended access list rule.
permit indicates that the packets meeting the conditions are allowed to pass.
deny indicates that packets meeting the conditions are prohibited from passing.
protocol is the protocol type; ICMP, TCP, UDP, etc. are supported. Other protocols are also supported, in which case port comparison does not apply; when it is IP, it has a special meaning and represents all IP protocols.
source-addr is the source address.
source-mask is the source address wildcard, which is optional in the standard access list. If not input, it means that the wildcard is 0.0.0.0.
dest-addr is the destination address.
dest-mask is a wildcard for the destination address.
operator [optional] is the port operator; port comparison is supported when the protocol type is TCP or UDP. The supported comparison operations are: equal (eq), greater than (gt), less than (lt), not equal to (neq), or between (range); if the operator is range, two ports are required.
port1 appears when the protocol type is TCP or UDP. It can be a preset value (such as telnet) set by the keyword or a value between 0 and 65535.
port2 appears when the protocol type is TCP or UDP and the operation type is range; it can be a preset value (such as telnet) set by the keyword or a value between 0 and 65535.
icmp-type [optional] Appears when the protocol is ICMP and represents the ICMP message type; it can be a preset value set by a keyword (such as echo-reply) or a value between 0 and 255.
icmp-code appears when the protocol is ICMP and the preset value is not selected; it represents the ICMP code and is a value between 0 and 255.
log [optional] Indicates that if the packet meets the conditions, it needs to be logged.
listnumber is the number of the deleted rule, a value between 1 and 199.
subitem [optional] specifies the sequence number of the rule to delete within the access list numbered listnumber.
[Default] The system does not configure any access rules by default.
[Command mode] Global configuration mode
[Usage Guide] Rules with the same serial number can be regarded as one class of rules. The defined rules can be used not only to filter packets on an interface but also by features such as DDR to judge whether a packet is interesting; in that case, permit and deny indicate interesting and not interesting respectively.
Use an extended access list whose protocol field is IP to represent all IP protocols.
Rules with the same serial number are arranged and selected according to certain principles. The resulting order can be seen with the show access-list command.

【Example】

WWW access from source network 10.1.1.0 to destination network 10.1.2.0 is allowed, but FTP is not allowed.
Quidway (config) # access-list 100 permit tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 eq www
Quidway (config) # access-list 100 deny tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 eq ftp
【Related commands】
ip access-group

2. clear access-list counters Clear the statistics of access list rules.
clear access-list counters [listnumber]
【Parameter Description】
listnumber [optional] The sequence number of the rule to be cleared. If not specified, the statistics of all rules are cleared.
[Default] Statistics are not cleared at any time.
[Command mode] Privileged user mode
【Usage Guide】
Use this command to clear the statistics of the currently used rules; if no rule number is specified, the statistics of all rules are cleared.

【Example】
Example 1: Clear the statistical information of the currently used rule with sequence number 100.
Quidway # clear access-list counters 100
Example 2: Clear the statistics of all rules currently in use.
Quidway # clear access-list counters
【Related commands】
access-list

3. firewall Enable or disable the firewall.
firewall {enable | disable}
【Parameter Description】
enable means enable the firewall.
disable means to disable the firewall.
[Default] The firewall is disabled by default.
[Command mode] Global configuration mode
[Usage Guide] Use this command to enable or disable the firewall; the result can be seen with the show firewall command. This command is the master switch of the firewall: if time period packet filtering is in use, it is also turned off when the firewall is turned off. When the firewall disable command is used to turn off the firewall, the statistics of the firewall itself are also cleared.
[Example] Enable the firewall.
Quidway (config) #firewall enable
【Related commands】
access-list, ip access-group

4. firewall default Configure the default filtering mode of the firewall when no access rule matches.
firewall default {permit | deny}
【Parameter Description】
permit indicates that the default filtering attribute is set to "allow".
deny indicates that the default filtering attribute is set to "forbid".

[Default] When the firewall is enabled, packets are allowed to pass by default.
[Command mode] Global configuration mode
[Usage Guide] When none of the rules applied on the interface can determine whether a packet should be allowed or forbidden, the default filtering attribute takes effect: if it is "allow", the packet passes; otherwise the packet is discarded.

[Example] Set the default filter attribute to "Allow".
Quidway (config) #firewall default permit
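
The following Python sketch is an added example, not part of the original command reference. It evaluates the two access-list 100 rules from section 1 with wildcard-mask matching and shows that traffic no rule covers (telnet here) is decided by the firewall default attribute. The function names, the keyword-to-port table and the sample packets are assumptions made for illustration.

```python
import ipaddress

# Service keywords used on this page, mapped to their IANA well-known ports.
PORTS = {"www": 80, "ftp": 21, "telnet": 23}

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    # Wildcard bits set to 1 are ignored; bits set to 0 must be equal.
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)

def parse_rule(line):
    # Only the form used in the page's example is handled:
    # access-list N {permit|deny} {tcp|udp} src smask dst dmask eq port
    t = line.split()
    if len(t) != 10 or t[0] != "access-list" or t[2] not in ("permit", "deny") \
            or t[3] not in ("tcp", "udp") or t[8] != "eq":
        raise ValueError("unsupported rule: " + line)
    port = PORTS[t[9]] if t[9] in PORTS else int(t[9])
    return {"action": t[2], "proto": t[3], "src": (t[4], t[5]),
            "dst": (t[6], t[7]), "port": port}

def filter_packet(rules, default, proto, src, dst, dport):
    """Return (verdict, decided_by) for one packet."""
    for r in rules:
        if (r["proto"] == proto and r["port"] == dport
                and wildcard_match(src, *r["src"])
                and wildcard_match(dst, *r["dst"])):
            return r["action"], "rule"
    # No rule decided: the "firewall default" attribute applies.
    return default, "default"

# The two rules from the access-list example; they do not overlap,
# so their relative order does not affect the result.
RULES = [parse_rule(l) for l in (
    "access-list 100 permit tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 eq www",
    "access-list 100 deny tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 eq ftp",
)]

if __name__ == "__main__":
    # Constructed sample packets: www, ftp, and telnet (not covered by any rule).
    for default in ("permit", "deny"):
        for port in (80, 21, 23):
            print(default, port, filter_packet(
                RULES, default, "tcp", "10.1.1.5", "10.1.2.9", port))
```

With the default of permit, the telnet packet passes even though no rule allows it; only firewall default deny turns the list into an allow-list.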

5. ip access-group Use this command to apply rules to the interface. Use the no form of this command to delete the corresponding settings.
ip access-group listnumber {in | out}
no ip access-group listnumber {in | out}
【Parameter Description】
listnumber is the rule serial number, a value between 1 and 199.
in indicates that the rule is used to filter the packets received from the interface.
out indicates that the rule is used to filter packets forwarded from the interface.
[Default] No rules are applied to the interface.
[Command mode] Interface configuration mode.
[Usage Guide] Use this command to apply rules to the interface; to filter the packets received from the interface, use the in keyword; to filter the packets forwarded from the interface, use the out keyword. Up to 20 different classes of rules can be applied in one direction of an interface; these rules are arranged by rule sequence number, and the rule ranked first has the highest priority. When packets are filtered, the filtering result is taken as soon as a matching rule is found, which speeds up filtering. It is therefore recommended to put the rules configured for the same network in the access list with the same serial number; within an access list with the same serial number, the arrangement and selection order of the rules can be viewed with the show access-list command.
[Example] Apply rule 101 to filter the packets received from the Ethernet port.
Quidway (config-if-Ethernet0) #ip access-group 101 in
【Related commands】
access-list

6. settr Set or cancel a special time period.

settr begin-time end-time

no settr

【Parameter Description】

begin-time is the start time of a time period.

end-time is the end time of a time period and should be greater than the start time.

[Default]

By default, the system does not set a time period, that is, all are considered as ordinary time periods.

[Command mode]

Global configuration mode
【Usage Guide】

Use this command to set the time periods; up to 6 time periods can be set at the same time, and the configured periods can be seen with the show timerange command. If a time period is changed while it is in use, the modification takes effect in about one minute (the interval at which the system checks the time period). Times should be given in 24-hour format. To set a time period such as 9 pm to 8 am, use "settr 21:00 23:59 0:00 8:00"; because the two endpoints of a configured time period belong to the time period, no switch between inside and outside the time period occurs. In addition, this setting has been tested for the year 2000 problem.

【Example】

Example 1: Set the time period as 8:30 ~ 12:00 and 14:00 ~ 17:00.

Quidway (config) #settr 8:30 12:00 14:00 17:00

Example 2: Set the time period from 9pm to 8am.

Quidway (config) #settr 21:00 23:59 0:00 8:00

【Related commands】

timerange, show timerange

7. show access-list Display packet filtering rules and their application on interfaces.

show access-list [all | listnumber | interface interface-name]

【Parameter Description】

all means all the rules, including the rules in the ordinary time period and the special time period.

listnumber displays the rules with sequence number listnumber among the currently used rules.

interface means to display the sequence number of the rule applied on the specified interface.

interface-name is the name of the interface.

[Command mode]

Privileged user mode
【Usage Guide】

Use this command to display the specified rules, and at the same time view the status of the rules filtering packets. Each rule has a corresponding counter. If a packet is filtered by this rule, the counter is incremented by one. Observation of the counter can tell which rules are more effective and which are basically invalid. You can use the show access-list command with the interface keyword to view the application of rules on an interface.

【Example】

Example 1: Display the currently used rule with serial number 100.

Quidway # show access-list 100

Using normal packet-filtering access rules now.

100 deny icmp 10.1.0.0 0.0.255.255 any host-redirect (3 matches, 252 bytes-rule 1)

100 permit icmp 10.1.0.0 0.0.255.255 any echo (no matches-rule 2)

100 deny udp any any eq rip (no matches-rule 3)

Example 2: Display the application of rules on the interface Serial0.

Quidway # show access-list interface serial 0

Serial0:

access-list filtering In-bound packets: 120

access-list filtering Out-bound packets: None
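
The counter review described in the usage guide can be automated. The Python sketch below is an added example, not part of the original command reference; it parses the show access-list output from Example 1 and lists the rules that have never matched. The regular expression is written against the counter format exactly as it is printed above, and the function names are assumptions.

```python
import re

# Counter suffix as printed in the sample output above:
# "(3 matches, 252 bytes-rule 1)" or "(no matches-rule 2)".
LINE = re.compile(
    r"^(?P<list>\d+)\s+(?P<action>permit|deny)\s+(?P<match>.+?)\s*"
    r"\((?:(?P<hits>\d+) match(?:es)?,\s*(?P<bytes>\d+) bytes|no matches)"
    r"\s*-+\s*rule (?P<rule>\d+)\)\s*$"
)

# Sample output copied from Example 1 above.
SAMPLE = """\
Using normal packet-filtering access rules now.
100 deny icmp 10.1.0.0 0.0.255.255 any host-redirect (3 matches, 252 bytes-rule 1)
100 permit icmp 10.1.0.0 0.0.255.255 any echo (no matches-rule 2)
100 deny udp any any eq rip (no matches-rule 3)
"""

def parse_counters(text):
    """Return one dict per rule line; banner and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        rows.append({
            "list": int(m["list"]), "rule": int(m["rule"]),
            "action": m["action"], "match": m["match"],
            "hits": int(m["hits"] or 0), "bytes": int(m["bytes"] or 0),
        })
    return rows

def unused_rules(text):
    """Rules whose counter shows no matches since the counters were last cleared."""
    return [(r["list"], r["rule"], r["action"], r["match"])
            for r in parse_counters(text) if r["hits"] == 0]

if __name__ == "__main__":
    for entry in unused_rules(SAMPLE):
        print("never matched:", entry)
```

A zero counter only covers the period since the last clear access-list counters, so compare readings taken over a representative interval before treating a rule as unused.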

8. show firewall Show firewall status.

show firewall

[Command mode]

Privileged user mode
【Usage Guide】

Use this command to display the status of the firewall, including whether the firewall is enabled, whether time period packet filtering is used when the firewall is enabled, and some statistics of the firewall.

【Example】

Display firewall status.

Quidway # show firewall

Firewall is enable, default filtering method is 'permit'.

TimeRange packet-filtering enable.

InBound packets: None;

OutBound packets: 0 packets, 0 bytes, 0% permitted,

0 packets, 0 bytes, 0% denied,

2 packets, 104 bytes, 100% permitted defaultly,

0 packets, 0 bytes, 100% denied defaultly.

From 00:13:02 to 06:13:21: 0 packets, 0 bytes, permitted.

【Related commands】

firewall

9. show isintr Show whether the current time is within the time period.

show isintr

[Command mode]

Privileged user mode
【Usage Guide】

Use this command to display whether the current time is within the time period.

【Example】

Shows whether the current time is within the time period.

Quidway # show isintr

It is NOT in time ranges now.

【Related commands】

timerange, settr

10. show timerange Show the time period packet filtering information.

show timerange

[Command mode]

Privileged user mode
【Usage Guide】

Use this command to display whether time period packet filtering is currently enabled and the configured time periods.

【Example】

Display the packet filtering information of the time period.

Quidway # show timerange

TimeRange packet-filtering enable.

beginning of time range:

01:00-02:00

03:00-04:00

end of time range.

【Related commands】

timerange, settr

11. timerange Enable or disable the time period packet filtering function.

timerange {enable | disable}

【Parameter Description】

enable means to enable time period packet filtering.

disable indicates that time period packet filtering is prohibited.

[Default]

By default, the system disables the time period packet filtering function.

[Command mode]

Global configuration mode
【Usage Guide】

Use this command to enable or disable the time period packet filtering function; the result can be seen with the show firewall command or the show timerange command. After the time period packet filtering function is enabled, the system determines whether to use the rules within the time period (special) or the rules outside the time period (normal) based on the current time and the configured time periods. The system checks the time period with an accuracy of 1 minute. The two endpoints of a configured time period belong to the time period.

【Example】

Enable the time period packet filtering function.

Quidway (config) #timerange enable

【Related commands】

settr, show timerange
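
The Python sketch below is an added example, not part of the original command reference. It models the settr constraints from section 6 (up to 6 periods, end greater than begin, an overnight window split at midnight) and the special/normal selection with inclusive endpoints described for timerange. All function names are assumptions.

```python
from datetime import time

MAX_PERIODS = 6  # settr accepts up to 6 time periods

def parse_hhmm(text):
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))  # ValueError outside 0-23 / 0-59

def parse_settr(command):
    """Parse 'settr b1 e1 [b2 e2 ...]' into a list of (begin, end) pairs."""
    tokens = command.split()
    if tokens[:1] != ["settr"] or len(tokens) < 3 or len(tokens) % 2 == 0:
        raise ValueError("expected: settr begin-time end-time ...")
    times = [parse_hhmm(t) for t in tokens[1:]]
    periods = list(zip(times[0::2], times[1::2]))
    if len(periods) > MAX_PERIODS:
        raise ValueError("at most 6 time periods can be set")
    for begin, end in periods:
        if not end > begin:
            raise ValueError("end-time must be greater than begin-time")
    return periods

def rule_set(periods, now, enabled=True):
    """Return 'special' inside a period (endpoints included), else 'normal'."""
    if not enabled:            # timerange disable: everything is normal time
        return "normal"
    now = now.replace(second=0, microsecond=0)  # one-minute accuracy
    inside = any(begin <= now <= end for begin, end in periods)
    return "special" if inside else "normal"

def settr_for_window(begin, end):
    """Build a settr command, splitting a window that crosses midnight."""
    if parse_hhmm(end) > parse_hhmm(begin):
        return f"settr {begin} {end}"
    return f"settr {begin} 23:59 0:00 {end}"

if __name__ == "__main__":
    night = parse_settr(settr_for_window("21:00", "8:00"))
    for probe in (time(20, 59), time(23, 59), time(0, 0), time(8, 0), time(8, 1)):
        print(probe, rule_set(night, probe))
```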
