Can S series switches implement rate limitation using Layer 2 ACL rules


S series switches can rate limit traffic that matches Layer 2 ACL rules: the ACL is referenced by a traffic classifier, the classifier is bound to a behavior that applies CAR, and the resulting traffic policy is applied to an interface.
For example, limit traffic with source MAC address 0000-0000-0002 and destination MAC address 0000-0000-0001 to 4 Mbit/s (the car cir value is given in kbit/s, so 4 Mbit/s is entered as 4096):
[HUAWEI] acl 4000
[HUAWEI-acl-L2-4000] rule permit destination-mac 0000-0000-0001 source-mac 0000-0000-0002
[HUAWEI-acl-L2-4000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 4000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] car cir 4096
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound
Only frames that match a rule in ACL 4000 are classified by c1 and rate limited; frames that match no rule are forwarded without the CAR action. Because the policy is applied in the inbound direction of GigabitEthernet1/0/1, only traffic entering that interface is limited.

Other related questions:
Can S series switches deliver ACL rules at Layer 2 and Layer 3 simultaneously
In a traffic classifier you can match Layer 2 and Layer 3 ACL fields at the same time. With that configuration, an S series switch delivers Layer 2 and Layer 3 ACL rules simultaneously.

Configure Layer 2 ACLs on S series switches
A Layer 2 ACL with a number in the range 4000 to 4999 can be configured on an S series switch (except the S1700). A Layer 2 ACL defines rules based on fields in the Ethernet frame header, such as the source MAC address, destination MAC address, and Layer 2 protocol type.
For example, create a rule in ACL 4001 that allows ARP packets (Layer 2 protocol type 0x0806) with destination MAC address 0000-0000-0001 and source MAC address 0000-0000-0002 to pass:
[HUAWEI] acl 4001
[HUAWEI-acl-L2-4001] rule permit destination-mac 0000-0000-0001 source-mac 0000-0000-0002 l2-protocol 0x0806
Create a rule in the named Layer 2 ACL deny-vlan10-mac that rejects packets in VLAN 10 from source MAC addresses in the range 00e0-fc01-0000 to 00e0-fc01-ffff (the mask ffff-ffff-0000 marks the address bits that must match):
[HUAWEI] acl name deny-vlan10-mac link
[HUAWEI-acl-L2-deny-vlan10-mac] rule deny vlan-id 10 source-mac 00e0-fc01-0000 ffff-ffff-0000
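The following Python script is an added example (it is not Huawei code and not part of this support page) that models the Layer 2 ACL semantics used in the rate-limiting answer and in the ACL examples above: it parses rule lines in the syntax quoted on the page, applies Huawei-style MAC care masks (a 1 bit in the mask means the address bit must match), evaluates frames against the rules in configuration order, and converts a Mbit/s limit to the kbit/s value used by car cir. The Frame and L2Rule classes, the parse_rule and evaluate helpers, and the sample frames are assumptions made for the example; 8021p, time-range and VLAN masks are not modelled.

```python
"""Offline matcher for Huawei-style Layer 2 ACL rules (added example, not vendor code).

MAC masks are care masks: a 1 bit in the mask means that bit of the address
must match, so 00e0-fc01-0000 with mask ffff-ffff-0000 covers the range
00e0-fc01-0000 to 00e0-fc01-ffff. Rules are tried in configuration order.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

MAC_RE = re.compile(r"^[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}$")
FULL_MASK = 0xFFFFFFFFFFFF


def mac_to_int(mac: str) -> int:
    """Parse hhhh-hhhh-hhhh notation into an integer."""
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC {mac!r}")
    return int(mac.replace("-", ""), 16)


@dataclass
class Frame:
    """Header fields of one Ethernet frame that a Layer 2 ACL can inspect (assumed model)."""
    src: str
    dst: str
    vlan: Optional[int] = None
    ethertype: Optional[int] = None


@dataclass
class L2Rule:
    action: str                        # "permit" or "deny"
    src: Optional[int] = None          # None means the field is not checked
    src_mask: int = FULL_MASK
    dst: Optional[int] = None
    dst_mask: int = FULL_MASK
    vlan: Optional[int] = None
    l2_protocol: Optional[int] = None

    def matches(self, f: Frame) -> bool:
        if self.src is not None and (mac_to_int(f.src) & self.src_mask) != (self.src & self.src_mask):
            return False
        if self.dst is not None and (mac_to_int(f.dst) & self.dst_mask) != (self.dst & self.dst_mask):
            return False
        if self.vlan is not None and f.vlan != self.vlan:
            return False
        if self.l2_protocol is not None and f.ethertype != self.l2_protocol:
            return False
        return True


def parse_rule(line: str) -> L2Rule:
    """Parse 'rule [id] {permit|deny} ...' in the syntax shown on this page."""
    toks = line.split()
    if toks[0] != "rule":
        raise ValueError(line)
    i = 2 if toks[1].isdigit() else 1          # optional rule-id
    if toks[i] not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    rule = L2Rule(toks[i])
    i += 1
    while i < len(toks):
        kw = toks[i]
        if kw in ("source-mac", "destination-mac"):
            addr, mask, i = mac_to_int(toks[i + 1]), FULL_MASK, i + 2
            if i < len(toks) and MAC_RE.match(toks[i]):   # optional care mask
                mask, i = mac_to_int(toks[i]), i + 1
            if kw == "source-mac":
                rule.src, rule.src_mask = addr, mask
            else:
                rule.dst, rule.dst_mask = addr, mask
        elif kw == "vlan-id":
            rule.vlan, i = int(toks[i + 1]), i + 2
        elif kw == "l2-protocol":
            rule.l2_protocol, i = int(toks[i + 1], 0), i + 2
        else:
            raise ValueError(f"unsupported keyword {kw!r}")  # 8021p, time-range, vlan mask
    return rule


def evaluate(rules: List[L2Rule], frame: Frame) -> Optional[str]:
    """Action of the first matching rule, or None when nothing matches
    (a traffic classifier using the ACL would then not apply its behavior)."""
    for r in rules:
        if r.matches(frame):
            return r.action
    return None


def car_cir_kbps(mbps: int) -> int:
    """CIR value for 'car cir' in kbit/s, using the page's 4 Mbit/s = 4096 kbit/s convention."""
    return mbps * 1024


# Constructed sample rules copied from the configurations quoted on this page.
ACL_4000 = [parse_rule("rule permit destination-mac 0000-0000-0001 source-mac 0000-0000-0002")]
ACL_4001 = [parse_rule("rule permit destination-mac 0000-0000-0001 source-mac 0000-0000-0002 l2-protocol 0x0806")]
DENY_VLAN10 = [parse_rule("rule deny vlan-id 10 source-mac 00e0-fc01-0000 ffff-ffff-0000")]

if __name__ == "__main__":
    print(evaluate(ACL_4000, Frame("0000-0000-0002", "0000-0000-0001")))               # permit
    print(evaluate(ACL_4000, Frame("0000-0000-0001", "0000-0000-0002")))               # None (reverse direction)
    print(evaluate(DENY_VLAN10, Frame("00e0-fc01-abcd", "ffff-ffff-ffff", vlan=10)))   # deny
    print(car_cir_kbps(4))                                                               # 4096
```

Running the script shows the two points practitioners most often get wrong: the rate-limit ACL is unidirectional (the reverse MAC pair matches nothing, so return traffic is not limited), and a care mask of ffff-ffff-0000 covers every address sharing the first 32 bits, not a single host.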

How to configure and delete a Layer 2 ACL on the AR
A Layer 2 ACL defines rules based on the information in Ethernet frame headers of packets, such as the source MAC address, destination MAC address, and Ethernet frame protocol number. The number ranges from 4000 to 4999.
Command: rule [ rule-id ] { permit | deny } [ l2-protocol type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value | [ time-range time-name ] ]
Add a rule to ACL 4001 that matches packets with destination MAC address 0000-0000-0001, source MAC address 0000-0000-0002, and Layer 2 protocol type 0x0800 (IPv4):
system-view
[Huawei] acl 4001
[Huawei-acl-L2-4001] rule permit destination-mac 0000-0000-0001 source-mac 0000-0000-0002 l2-protocol 0x0800

Can IP-based rate limit be configured on a Layer 2 interface
IP-based rate limit cannot be configured on a Layer 2 interface. Create a VLANIF interface and configure IP-based CAR on the VLANIF interface.

Mechanism for ACL rules on S series switches to take effect
ACL rules on S series switches take effect in one of two ways. In the first, the ACL is referenced by a traffic policy and delivered to the hardware of the LPU, which matches packets in the forwarding path. In the second, the ACL is processed in software: for example, an ACL applied to restrict Telnet login is checked by the CPU after the packets have been sent to it. In both cases the rules in an ACL are matched in the order selected when the ACL was configured, either by the depth-first principle (more precise rules first) or in configuration order, and the first matching rule decides.
