Whether the USG2000&5000&6000 support reflective ACLs


The USG6650 and USG5120 do not support reflective ACLs for now.

Other related questions:
ACLs for the USG2000&5000
An access control list (ACL) is a general tool for traffic matching. It can filter and match traffic in terms of MAC addresses, IP addresses, protocols, and time ranges. ACL Rule and Matching Order In common cases, any security function can reference multiple ACLs. Therefore, overlaps and conflicts may occur among the traffic defined by these ACLs. Additionally, to effectively use the ACL, an ACL contains multiple ACL rules, each of which can specify certain traffic, and define the permit or deny action accordingly. As a result, the traffic defined by these rules may overlap and actions for overlapped traffic may conflict with each other. Therefore, it is necessary to specify the matching orders of ACLs and of multiple rules in an ACL. The matching orders on the USG are as follows: ? ACLs applied to the same function in the same direction are matched according to the configuration time. The earlier the ACL is created; the earlier it is matched. Once the matching succeeds, no subsequent matching is performed. ? ACL rules in the same ACL are matched according to the specified matching type. Two matching types are available: ? Automatic order: indicates automatic matching. It is also called minimal matching or in-depth matching. Actions are performed according to the rule with the minimal matching range. For example, rule 1 allows packets at through; rule 2 denies packets at In this case, the final action for packets at is deny. This is because the IP address range specified by rule 2 is smaller and more accurate. ? Configuration order: indicates that ACL rules are matched based on the rule ID. It is the default matching mode. The smaller the rule ID is; the earlier the matching occurs. Once the matching succeeds, no subsequent matching is performed. Step and Dynamic Insertion of an ACL Rule After an ACL rule is created, its ID cannot be changed. Therefore, it is difficult for you to manually adjust matching orders of rules in ACLs in configuration order mode. You can only delete existing rules and create new ones. To address this issue, the step function is added. During the creation of an ACL rule, if no rule ID is specified, the system automatically assigns a rule ID. Rule IDs increase based on the step. For example, the step is 5. If you create a rule but do not assign a rule ID, the system automatically assigns the minimal ID (which is larger than that of the previous rule and its number takes 5 as the base and increases by 5) to the rule. Suppose that you do not specify the rule ID for rule 1, the system assigns 5 to the rule. When creating rule 2, you assign 12 to it. Then you do not specify the rule ID for rule 3. In this case, the system assigns 15 (larger than 12) to it. Therefore, the IDs of three rules in the ACL are 5, 12, and 15 respectively. After the step mechanism is used, rule IDs are reserved for rules in an ACL for the further use. In this example, to ensure that rule 4 takes effect between rule 2 and rule 3, you can specify 13 as the ID for the rule during the creation. Through the dynamic insertion of new rules between two rules, you can control the valid sequences of rules in the ACL.

Configuring a MAC address-based ACL on the USG2000&5000&6000
1. Run the system-view command to access the system view. 2. Run the acl [ number ] acl-number command to create a MAC address-based ACL and access the ACL view. An ACL whose number ranges from 4000 to 4999 is a MAC address-based ACL. 3. (Optional) Run the description text command to configure a description for the ACL. Appropriate descriptions of ACLs help you to further manage the ACLs. 4. (Optional) Run the step step-value command to configure an ACL step. The default value is 5. After you set a step for the ACL, the system can automatically assign rule IDs if you do not specify the rule IDs. The automatically assigned rule IDs are multiple of the step in ascending order. The step allows you to insert rules between two rules. You can set a step for an ACL only when no rule is configured for the ACL. After you configure an ACL rule, you are not allowed to change the step. 5. Run the rule [ rule-id ] { permit | deny } [ cos cos | dest-mac destination-address destination-mac-wildcard | source-mac source-address source-mac-wildcard | type { type-code | type-name } ] * [ description description ] command to create a rule for the MAC address-based ACL. - If rule-id is not specified during the configuration, a new rule is added. In this case, the system automatically assigns a minimum number that is larger than the maximum number of the existing rule and integer times of the step to the new rule according to the step. For example, if the maximum number of the existing rule is 21 and the step is 5, the system assigns number 25 to the new rule. - If rule-id is specified and the related rule with the same ID exists, the existing rule is edited. If no related rule with the same ID exists, a new rule is added and inserted to the corresponding position according to its rule-id. - A new or modified rule should be different from any existing one; otherwise, the creation or modification fails and the system prompts you that the rule already exists.

Whether the USG2000&5000&6000 support specifying source addresses for Telnet
The USG2000&5000&6000 series does not support specifying source addresses during telnet to other device. The local address for telneting to other devices is the IP address of the outbound interface to the destination address.

Whether the USG2000&5000&6000 series can serve as an FTP server
They can serve as an FTP server to upload configuration files and system software versions but not as a server to provide public services for intranet users.

Do WLAN devices support reflective ACLs
ACs and APs do not support reflective ACLs.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top