A Layer 2 ACL defines rules for filtering IPv4 and IPv6 packets based on Ethernet frame information, such as source MAC addresses, destination MAC addresses, VLANs, and Layer 2 protocol types.
If you need to filter packets based only on Layer 2 information, configure a Layer 2 ACL.
Configuring rules for a Layer 2 ACL:
Configuring packet filtering rules based on source MAC address, destination MAC address, and Layer 2 protocol types.
To allow ARP packets with the specified source and destination MAC addresses and Layer 2 protocol type to pass through, configure a rule in a Layer 2 ACL. For example, to allow ARP packets with destination MAC address 0000-0000-0001, source MAC address 0000-0000-0002, and Layer 2 protocol type 0x0806 (ARP) to pass, configure the following rule in ACL 4001.
<HUAWEI> system-view
[HUAWEI] acl 4001
[HUAWEI-acl-L2-4001] rule permit destination-mac 0000-0000-0001 source-mac 0000-0000-0002 l2-protocol 0x0806
To reject PPPoE packets with the specified Layer 2 protocol type, configure a rule in a Layer 2 ACL. For example, to reject PPPoE packets with Layer 2 protocol type 0x8863, configure the following rule in ACL 4001.
<HUAWEI> system-view
[HUAWEI] acl 4001
[HUAWEI-acl-L2-4001] rule deny l2-protocol 0x8863
Configuring a packet filtering rule based on the source MAC address segment and the internal VLAN IDs
To reject packets from a specified source MAC address segment in a VLAN, configure a rule in a Layer 2 ACL. For example, to reject packets from source MAC address segment 00e0-fc01-0000 to 00e0-fc01-ffff in VLAN 10, configure the following rule in the Layer 2 ACL named deny-vlan10-mac.
<HUAWEI> system-view
[HUAWEI] acl name deny-vlan10-mac link
[HUAWEI-acl-L2-deny-vlan10-mac] rule deny vlan-id 10 source-mac 00e0-fc01-0000 ffff-ffff-0000
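The matching logic of the three rules above, sketched in Python as an added example (not Huawei code and not part of the original page). It assumes that an omitted MAC mask means an exact match, that rules are checked in the order entered, and that both ACL 4001 rules sit in the same ACL; the Rule class, the evaluate function, and the sample frames are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

def mac_to_int(mac: str) -> int:
    """Parse Huawei H-H-H notation (e.g. 00e0-fc01-0000) into a 48-bit integer."""
    groups = mac.split("-")
    if len(groups) != 3 or any(len(g) != 4 for g in groups):
        raise ValueError(f"not H-H-H MAC notation: {mac!r}")
    return int("".join(groups), 16)

@dataclass
class Rule:  # hypothetical model of one Layer 2 ACL rule; None means "not specified"
    action: str
    src: Optional[str] = None
    src_mask: str = "ffff-ffff-ffff"  # assumption: omitted mask = exact match
    dst: Optional[str] = None
    dst_mask: str = "ffff-ffff-ffff"
    vlan: Optional[int] = None
    l2_protocol: Optional[int] = None

    def matches(self, frame: dict) -> bool:
        for addr, mask, key in ((self.src, self.src_mask, "src"),
                                (self.dst, self.dst_mask, "dst")):
            if addr is not None:
                m = mac_to_int(mask)  # 1 bits are compared, 0 bits are ignored
                if (mac_to_int(frame[key]) & m) != (mac_to_int(addr) & m):
                    return False
        if self.vlan is not None and frame.get("vlan") != self.vlan:
            return False
        return self.l2_protocol is None or frame["ethertype"] == self.l2_protocol

def evaluate(rules, frame):
    """Return the action of the first matching rule, or None if no rule matches."""
    for rule in rules:
        if rule.matches(frame):
            return rule.action
    return None  # what happens to unmatched frames is not modeled here

# The page's rules, in the order they are entered.
ACL_4001 = [
    Rule("permit", dst="0000-0000-0001", src="0000-0000-0002", l2_protocol=0x0806),
    Rule("deny", l2_protocol=0x8863),
]
DENY_VLAN10_MAC = [Rule("deny", vlan=10, src="00e0-fc01-0000", src_mask="ffff-ffff-0000")]

# Constructed sample frames.
ARP = {"src": "0000-0000-0002", "dst": "0000-0000-0001", "ethertype": 0x0806}
PPPOE = {"src": "0000-0000-0009", "dst": "ffff-ffff-ffff", "ethertype": 0x8863}
IN_RANGE = {"src": "00e0-fc01-1234", "dst": "0000-0000-0001", "vlan": 10, "ethertype": 0x0800}
OTHER_OUI = dict(IN_RANGE, src="00e0-fc02-0000")
OTHER_VLAN = dict(IN_RANGE, vlan=20)
```

Calling evaluate(DENY_VLAN10_MAC, OTHER_VLAN) returns None: the vlan-id 10 condition scopes the deny to VLAN 10, so the same source MAC in another VLAN is not covered by this rule.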


