Configure advanced ACLs on S series switches

An advanced ACL is a numbered ACL in the range 3000 to 3999 and can be configured on an S series switch (except the S1700). An advanced ACL defines rules based on source IPv4 addresses, destination IPv4 addresses, IPv4 protocol types, ICMP types, TCP source/destination port numbers, UDP source/destination port numbers, and time ranges.

For example, configure a rule in ACL 3001 to allow the ICMP packets from 192.168.1.3 and destined to network segment 192.168.2.0/24 to pass.
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule permit icmp source 192.168.1.3 0 destination 192.168.2.0 0.0.0.255

For another example, configure rules in the advanced ACL no-web to forbid hosts 192.168.1.3 and 192.168.1.4 from accessing web pages (web pages are accessed over HTTP, which uses TCP port 80), and configure the description of the ACL as Web access restrictions.
[HUAWEI] acl name no-web
[HUAWEI-acl-adv-no-web] description Web access restrictions
[HUAWEI-acl-adv-no-web] rule deny tcp destination-port eq 80 source 192.168.1.3 0
[HUAWEI-acl-adv-no-web] rule deny tcp destination-port eq 80 source 192.168.1.4 0
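To check what the two ACLs above actually match before applying them, the following added example (not Huawei code, written here for illustration) parses the rule syntax used on this page, applies wildcard-mask semantics (a 0 bit must match, a 1 bit is ignored, and the shorthand wildcard 0 means an exact host), and evaluates sample packets against the rules in order. The default action when no rule matches is passed in as a parameter, because it depends on where the ACL is applied and is an assumption here.

```python
import ipaddress

def _to_int(addr: str) -> int:
    # The CLI accepts the shorthand wildcard "0" for 0.0.0.0 (exact host match).
    return int(ipaddress.IPv4Address("0.0.0.0" if addr == "0" else addr))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard mask: a 0 bit must match the base address, a 1 bit is ignored."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)

def parse_rule(line: str) -> dict:
    """Parse the subset of 'rule' syntax used on this page into a dict."""
    tok = line.split()
    if tok[0] != "rule":
        raise ValueError("expected a line starting with 'rule'")
    rule = {"action": tok[1], "proto": tok[2],
            "source": None, "destination": None, "dport": None}
    i = 3
    while i < len(tok):
        if tok[i] in ("source", "destination"):      # <keyword> <base> <wildcard>
            rule[tok[i]] = (tok[i + 1], tok[i + 2])
            i += 3
        elif tok[i] == "destination-port" and tok[i + 1] == "eq":
            rule["dport"] = int(tok[i + 2])
            i += 3
        else:
            raise ValueError(f"unsupported keyword: {tok[i]}")
    return rule

def rule_matches(rule: dict, pkt: dict) -> bool:
    """pkt has keys proto, source, destination and (for TCP/UDP) dport."""
    if rule["proto"] != pkt["proto"]:
        return False
    for key in ("source", "destination"):
        if rule[key] and not wildcard_match(pkt[key], *rule[key]):
            return False
    return rule["dport"] is None or pkt.get("dport") == rule["dport"]

def evaluate(rules: list, pkt: dict, default: str = "permit") -> str:
    """First matching rule wins; 'default' (an assumption) applies when none matches."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return default

# The rules from this page, as constructed input.
ACL_3001 = [parse_rule("rule permit icmp source 192.168.1.3 0 destination 192.168.2.0 0.0.0.255")]
NO_WEB = [parse_rule("rule deny tcp destination-port eq 80 source 192.168.1.3 0"),
          parse_rule("rule deny tcp destination-port eq 80 source 192.168.1.4 0")]
```

Note that no-web only denies port 80: HTTPS (TCP 443) from the same hosts falls through to the default action, which is the first thing to verify against your intent.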
