Which packets cannot be filtered by the ACL used by a traffic policy on an S series switch


For S series switches, ACLs used by traffic policies cannot filter protocol packets that are sent to the CPU for processing. For example:
- VRRP protocol packets use the multicast address 224.0.0.18 as the destination address. Member switches in a VRRP group use these packets to negotiate the master switch. The packets are sent to the CPU for processing, so the ACL in a traffic policy does not take effect on them.
- DHCP clients exchange DHCP packets with the DHCP server to obtain valid IP addresses. These packets are sent to the CPU for processing, so the ACL in a traffic policy does not take effect on them; a switch cannot use such an ACL to prevent users connected to its interfaces from obtaining IP addresses through DHCP.
- When a host pings a switch, the ICMP packet is sent to the CPU of the switch for processing. The ACL in a traffic policy does not take effect on it, so the switch cannot use such an ACL to block ping packets from hosts.

To filter the protocol packets to be sent to the CPU, apply an ACL to the blacklist configured in the local attack defense policy. The configuration procedure is as follows:
1. Run the cpu-defend policy <policy-name> command in the system view to enter the attack defense policy view.
2. Run the blacklist <blacklist-id> acl <acl-number> command to create a blacklist.
3. Run the cpu-defend-policy <policy-name> [ global ] command in the system view or run the cpu-defend-policy <policy-name> command in the slot view to apply the attack defense policy.
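The three steps above carried through for the ping case, as an added example that is not taken from the original page. It assumes an S series switch that supports the commands listed above, a host 192.168.1.10 whose pings to the switch are to be dropped, and the policy name block-ping and ACL number 3001, all chosen for this example; the command prompts are illustrative.

```text
<HUAWEI> system-view
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule 5 permit icmp source 192.168.1.10 0.0.0.0
[HUAWEI-acl-adv-3001] quit
[HUAWEI] cpu-defend policy block-ping
[HUAWEI-cpu-defend-policy-block-ping] blacklist 1 acl 3001
[HUAWEI-cpu-defend-policy-block-ping] quit
[HUAWEI] cpu-defend-policy block-ping global
```

The ACL is written with a permit rule because it only selects the CPU-bound packets; the blacklist discards whatever its ACL matches, so the rule action is not a forwarding decision (the AR note further down this page states that a blacklist discards packets matching either a permit or a deny rule). Keep the ACL as narrow as possible: a blacklist ACL that matches all ICMP, or all traffic from a broad source range, silently drops the management and protocol packets the switch itself depends on, including your own Telnet/SSH session. After applying the policy, confirm that pings from 192.168.1.10 fail while pings from other hosts still succeed, and use display cpu-defend statistics to see the dropped packet counts.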

Other related questions:
Configure a CE series switch to filter packets using a traffic policy
- Prevent a specified host from accessing a network. In the following example, the switch is configured to prevent the PC with IP address 192.168.1.10 from accessing the network.
  <HUAWEI> system-view
  [~HUAWEI] acl 2000
  [*HUAWEI-acl4-basic-2000] rule deny source 192.168.1.10 0.0.0.0
  [*HUAWEI-acl4-basic-2000] quit
  [*HUAWEI] traffic classifier c1
  [*HUAWEI-classifier-c1] if-match acl 2000
  [*HUAWEI-classifier-c1] quit
  [*HUAWEI] traffic behavior b1
  [*HUAWEI-behavior-b1] deny
  [*HUAWEI-behavior-b1] quit
  [*HUAWEI] traffic policy p1
  [*HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
  [*HUAWEI-trafficpolicy-p1] quit
  [*HUAWEI] interface 10ge 1/0/1
  [*HUAWEI-10GE1/0/1] traffic-policy p1 inbound
  [*HUAWEI-10GE1/0/1] quit
  [*HUAWEI] commit
- Prevent all devices on a specified network segment from accessing a network. In the following example, the switch is configured to prevent all devices on the network segment 192.168.1.0/24 from accessing the network.
  <HUAWEI> system-view
  [~HUAWEI] acl 2000
  [*HUAWEI-acl4-basic-2000] rule deny source 192.168.1.0 0.0.0.255
  [*HUAWEI-acl4-basic-2000] quit
  [*HUAWEI] traffic classifier c1
  [*HUAWEI-classifier-c1] if-match acl 2000
  [*HUAWEI-classifier-c1] quit
  [*HUAWEI] traffic behavior b1
  [*HUAWEI-behavior-b1] deny
  [*HUAWEI-behavior-b1] quit
  [*HUAWEI] traffic policy p1
  [*HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
  [*HUAWEI-trafficpolicy-p1] quit
  [*HUAWEI] interface 10ge 1/0/1
  [*HUAWEI-10GE1/0/1] traffic-policy p1 inbound
  [*HUAWEI-10GE1/0/1] quit
  [*HUAWEI] commit
- Filter specified protocol packets. In the following example, the switch is configured to:
  - Prevent SMTP packets with TCP destination port 25 from passing through the switch.
  - Prevent POP3 packets with TCP destination port 110 from passing through the switch.
  - Prevent HTTP packets with TCP destination port 80 from passing through the switch.
  <HUAWEI> system-view
  [~HUAWEI] acl 3000
  [*HUAWEI-acl4-advance-3000] rule deny tcp destination-port eq 25
  [*HUAWEI-acl4-advance-3000] rule deny tcp destination-port eq 110
  [*HUAWEI-acl4-advance-3000] rule deny tcp destination-port eq 80
  [*HUAWEI-acl4-advance-3000] quit
  [*HUAWEI] traffic classifier c1
  [*HUAWEI-classifier-c1] if-match acl 3000
  [*HUAWEI-classifier-c1] quit
  [*HUAWEI] traffic behavior b1
  [*HUAWEI-behavior-b1] deny
  [*HUAWEI-behavior-b1] quit
  [*HUAWEI] traffic policy p1
  [*HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
  [*HUAWEI-trafficpolicy-p1] quit
  [*HUAWEI] interface 10ge 1/0/1
  [*HUAWEI-10GE1/0/1] traffic-policy p1 inbound
  [*HUAWEI-10GE1/0/1] quit
  [*HUAWEI] commit

How to configure packet filtering on S series switches
For details about packet filtering configuration examples on S series switches (except the S1700), see "Example for Configuring a Traffic Policy to Limit Access Between Network Segments" in Typical QoS Configuration. Configurations on different models are the same, and configurations on the S series fixed switches, S7700 and S9700 are used as examples. Note: This configuration example does not apply to the S2700SI.

ACL configuration on S series switch
An ACL filters packets based on rules. A switch with an ACL configured matches packets against the rules to identify packets of a certain type, and then forwards or discards them according to the policy of the service module to which the ACL is applied. S series switches support basic ACLs (2000-2999), advanced ACLs (3000-3999), Layer 2 ACLs (4000-4999), user-defined ACLs (5000-5999), user ACLs (6000-9999), basic ACL6 (2000-2999), and advanced ACL6 (3000-3999). For more information about the ACL feature supported by S series switches except the S1700, see the S1720&S2700&S3700&S5700&S6700&S7700&S9700 Common Operation Guide or the S1720&S2700&S3700&S5700&S6700&S7700&S9700 Typical Configuration Examples.

Can ACLs on S series switches filter BPDU packets
For S series switches (except S1700 switches): information about STP and RSTP is transmitted in BPDUs. A BPDU is encapsulated in an Ethernet frame whose destination MAC address is the multicast MAC address 0180-C200-0000. A Layer 2 ACL (numbered 4000 to 4999) with the destination MAC address set to 0180-C200-0000 can therefore filter BPDU packets:
  [HUAWEI] acl 4001
  [HUAWEI-acl-L2-4001] rule 5 permit destination-mac 0180-c200-0000

How are packets processed when an ACL is used for each feature on an AR
The action taken on a packet depends on the feature the ACL is applied to, and on whether the packet matches a permit rule, a deny rule, or no rule at all:
- FTP: the system allows packets matching a permit rule through FTP; packets that match a deny rule or match no ACL rule are not allowed through FTP.
- Telnet: the system allows packets matching a permit rule through Telnet; packets that match a deny rule or match no ACL rule are not allowed through Telnet.
- NAT: the system applies NAT to packets matching a permit rule, does not apply NAT to packets matching a deny rule, and forwards packets that match no ACL rule without NAT.
- Traffic policy: the system processes packets matching a permit rule according to the traffic policy, discards packets matching a deny rule, and directly forwards packets that match no ACL rule.
- Packet filtering: the system forwards packets matching a permit rule, discards packets matching a deny rule, and applies the default rule to packets that match no ACL rule.
- Port mirroring: the system mirrors packets matching a permit rule, and does not mirror packets that match a deny rule or match no ACL rule.
- Session log: the system records logs for packets matching a permit rule, and does not record logs for packets that match a deny rule or match no ACL rule.
- Blacklist: the system discards packets matching either a permit rule or a deny rule, and forwards packets that match no ACL rule.
