Mechanism for ACL rules on S series switches to take effect


ACL rules on S series switches take effect in one of the following two modes:
In the first mode, the ACL is bound to a traffic policy and delivered to the hardware of the LPU, where packets are matched.
In the second mode, the ACL is processed in software, for example, an ACL that prevents users from logging in through Telnet. After packets are sent to the CPU, they are matched against the rules in the order specified when the ACL was configured. Rules in an ACL can be matched according to the depth-first principle or in configuration order.

Other related questions:
What can I do with excess ACL rules used by a blacklist in local attack defense?
Excess ACL rules used by a blacklist do not take effect.

Why do ACLs sometimes not take effect?
The device delivers access control lists (ACLs) to MAC-based users only after the IP addresses are learned.

Can an ACL rule match a time range that does not exist? Does the ACL take effect?
When an ACL rule is configured with time-range time-name, the configuration is accepted regardless of whether the time-range time-name command has been configured. If no time range with that name exists, the device considers the ACL rule invalid and the time range is in the inactive state. Once the time-range time-name command is configured and the time range becomes active, the ACL rule automatically updates its status and becomes valid.
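The two behaviours described on this page, matching in configuration order versus depth-first order, and a rule that references a time range which has not been configured being treated as invalid, can be simulated with the following added example (not Huawei code). It assumes a simplified depth-first model that only compares the precision of the source wildcard, whereas the real switch also weighs protocol, destination and other fields, and it uses a constructed rule set modelled on ACL 3001.

```python
import ipaddress

# Constructed rule set modelled on the page's advanced ACL 3001; source match only.
# Rule 15 references time range "work", which may or may not be configured.
RULES = [
    {"id": 10, "action": "permit", "src": "10.1.1.0", "wc": "0.0.0.255"},
    {"id": 15, "action": "deny", "src": "10.1.1.8", "wc": "0.0.0.0", "time_range": "work"},
    {"id": 20, "action": "deny", "src": "10.1.0.0", "wc": "0.0.255.255"},
]

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_matches(addr, network, wildcard):
    """Wildcard mask semantics: a 1 bit means 'don't care', a 0 bit must match."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(network) & care)

def active_rules(rules, active_time_ranges):
    """A rule bound to a time range that is not configured/active is treated as invalid."""
    return [r for r in rules
            if r.get("time_range") is None or r["time_range"] in active_time_ranges]

def order_rules(rules, mode):
    """'config': match in rule-ID (configuration) order.
    'auto' (depth-first, simplified assumption): the rule with the more precise
    source wildcard (fewer 'don't care' bits) is tried first; rule ID breaks ties."""
    if mode == "config":
        return sorted(rules, key=lambda r: r["id"])
    return sorted(rules, key=lambda r: (bin(_ip(r["wc"])).count("1"), r["id"]))

def lookup(src_ip, rules=RULES, mode="config", active_time_ranges=frozenset()):
    """Return (rule id, action) of the first matching valid rule, or (None, 'no-match')."""
    for r in order_rules(active_rules(rules, active_time_ranges), mode):
        if wildcard_matches(src_ip, r["src"], r["wc"]):
            return r["id"], r["action"]
    return None, "no-match"

if __name__ == "__main__":
    # Time range "work" not configured: rule 15 is invalid, so rule 10 permits 10.1.1.8.
    print(lookup("10.1.1.8"))
    # Time range active, config order: rule 10 still wins because it comes first.
    print(lookup("10.1.1.8", active_time_ranges={"work"}))
    # Time range active, depth-first: the exact-host rule 15 is tried first and denies.
    print(lookup("10.1.1.8", mode="auto", active_time_ranges={"work"}))
```

The same packet is permitted or denied depending only on the match order, which is why the order mode should be checked whenever an ACL appears not to take effect.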

Delete ACL rules on S series switches
Run the undo rule <rule-id> command on an S series switch (except the S1700 switch) to delete a specified rule from an ACL.
For example, delete rule 10 from ACL 3001 as follows:
[HUAWEI]acl 3001
[HUAWEI-acl-adv-3001]display this
#
acl number 3001
 rule 10 permit gre
 rule 15 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 rule 20 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
return
[HUAWEI-acl-adv-3001]undo rule 10
[HUAWEI-acl-adv-3001]display this
#
acl number 3001
 rule 15 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 rule 20 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
return
