Configure advanced ACLs on S series switches


A numbered ACL with the number ranging from 3000 to 3999 can be configured on an S series switch (except the S1700 switch). An advanced ACL defines rules based on source IPv4 addresses, destination IPv4 addresses, IPv4 protocol types, ICMP types, TCP source/destination port numbers, UDP source/destination port numbers, and time ranges.

For example, configure a rule in ACL 3001 to allow the ICMP packets from and destined to network segment to pass.
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule permit icmp source 0 destination

For another example, configure a rule in the advanced ACL no-web to forbid hosts and from accessing web pages (HTTP is used to access web pages, and TCP port number is 80), and configure the description for the ACL as Web access restrictions.
[HUAWEI] acl name no-web
[HUAWEI-acl-adv-no-web] description Web access restrictions
[HUAWEI-acl-adv-no-web] rule deny tcp destination-port eq 80 source 0
[HUAWEI-acl-adv-no-web] rule deny tcp destination-port eq 80 source 0

Other related questions:
How to configure and delete an advanced ACL on the AR
Configure and delete the advanced ACL on the AR
An advanced ACL can define rules based on the source IP address of IPv4 packets, destination IP addresses, IP priority, Type of Service (ToS), DiffServ Code Point (DSCP), IP protocol type, Internet Control Message Protocol (ICMP) type, TCP source and destination ports, and User Datagram Protocol (UDP) source and destination ports. Advanced IPv4 ACLs are called advanced ACLs for short. The number ranges from 3000 to 3999.
Command: rule [ rule-id ] { deny | permit } { protocol-number | icmp | tcp | udp | gre | igmp | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | icmp-type { icmp-name | icmp-type icmp-code } | source { source-address source-wildcard | any } | logging | time-range time-name | vpn-instance vpn-instance-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | [ fragment | none-first-fragment ] ]
Parameter descriptions:
rule-id: The value is an integer that ranges from 0 to 4294967294. The device automatically generates a rule ID starting from the step value. By default, the step value is 5. That is, the rule ID starts from 5 and subsequent rule IDs are multiples of 5, that is, 5, 10, 15, and so on.
The specified rule-id is valid only when the configuration mode is used. In automatic mode, the device automatically allocates a rule ID based on the depth-first algorithm.
deny: rejects the packets that meet conditions.
permit: permits the packets that meet conditions.
protocol-number: indicates the protocol type that is expressed in name or number. The value is an integer that ranges from 1 to 255. If the value is expressed in name, it can be gre, icmp, igmp, ip, ipinip, ospf, tcp, or udp. The value icmp corresponds to 1, tcp corresponds to 6, udp corresponds to 17, gre corresponds to 47, igmp corresponds to 2, ipinip corresponds to 4, and ospf corresponds to 89.
The destination address is in dotted decimal notation. The wildcard of the destination IP address can be 0, which is equivalent to, indicating that the destination IP address is a host address.
The wildcard is in dotted decimal notation. When the wildcard is converted to a binary value, the value 0 indicates that the bit is matched and the value 1 indicates that the bit is not matched. The 0 and 1 bits of the binary value can be non-contiguous. For example, the IP address is and the wildcard is, representing that the network address is 192.168.1.x0x0xx01. The value of x can be 0 or 1.
For example, add a rule to ACL 3001 to match the packets with source UDP port 128 from to
<Huawei> system-view
[Huawei] acl 3001
[Huawei-acl-adv-3001] rule permit udp source destination destination-port eq 128
Delete a rule from ACL 3000.
<Huawei> system-view
[Huawei] acl 3000 
[Huawei-acl-adv-3000] undo rule 1
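
The wildcard and rule-id behaviour described above can be checked offline with a small model before a rule is committed to a device. This is an added Python example, not Huawei code or part of the original page: the names Acl, wildcard_match and build_demo are hypothetical, the addresses are constructed (wildcard 0.0.0.172 is chosen to reproduce the x0x0xx01 pattern), and allocating the next rule ID as the next multiple of the step is a modelling assumption.

```python
import ipaddress

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(packet_ip, rule_ip, wildcard):
    """Wildcard bit 0 = compare this bit, 1 = ignore it (bits may be non-contiguous)."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(packet_ip) & care) == (ip_int(rule_ip) & care)

class Acl:
    def __init__(self, step=5):
        self.step = step
        self.rules = {}          # rule-id -> (action, src, src_wc, dst, dst_wc)

    def add(self, action, src, src_wc, dst, dst_wc, rule_id=None):
        if rule_id is None:
            # Modelling assumption: next ID is the smallest multiple of the
            # step above the highest existing ID (5, 10, 15, ... by default).
            highest = max(self.rules, default=0)
            rule_id = (highest // self.step + 1) * self.step
        self.rules[rule_id] = (action, src, src_wc, dst, dst_wc)
        return rule_id

    def evaluate(self, src_ip, dst_ip):
        """Config-mode order: ascending rule-id, first match wins."""
        for rule_id in sorted(self.rules):
            action, src, src_wc, dst, dst_wc = self.rules[rule_id]
            if wildcard_match(src_ip, src, src_wc) and wildcard_match(dst_ip, dst, dst_wc):
                return rule_id, action
        return None, None        # no rule hit: the service module using the ACL decides

def build_demo():
    acl = Acl()
    # Constructed addresses (not from the page). Wildcard 0.0.0.172 is
    # binary 10101100, so the last octet must look like x0x0xx01.
    acl.add("deny", "192.168.1.1", "0.0.0.172", "0.0.0.0", "255.255.255.255")
    acl.add("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")
    return acl

if __name__ == "__main__":
    acl = build_demo()
    for src in ("192.168.1.1", "192.168.1.173", "192.168.1.3", "10.0.0.1"):
        print(src, acl.evaluate(src, "203.0.113.10"))
```

Because the first matching rule wins, the narrower deny rule has to carry the lower rule ID; if the two rules were added in the opposite order, the broad permit would shadow it.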

Configure Layer 2 ACLs on S series switches
A Layer 2 ACL with the number ranging from 4000 to 4999 can be configured on an S series switch (except the S1700 switch). A Layer 2 ACL defines rules based on information in Ethernet frame headers of packets, such as source MAC addresses, destination MAC addresses, and Layer 2 protocol types.

For example, create a rule in ACL 4001 to allow the ARP packets with the destination MAC address 0000-0000-0001, source MAC address 0000-0000-0002, and Layer 2 protocol type 0x0806 to pass.
[HUAWEI] acl 4001
[HUAWEI-acl-L2-4001] rule permit destination-mac 0000-0000-0001 source-mac 0000-0000-0002 l2-protocol 0x0806

Create a rule in the Layer 2 ACL deny-vlan10-mac to reject the packets from the MAC addresses ranging from 00e0-fc01-0000 to 00e0-fc01-ffff in VLAN 10.
[HUAWEI] acl name deny-vlan10-mac link
[HUAWEI-acl-L2-deny-vlan10-mac] rule deny vlan-id 10 source-mac 00e0-fc01-0000 ffff-ffff-0000

Reflective ACL configuration on S series switch
On an S series switch, except S1700: Reflective ACL is a type of dynamic ACL. It controls user access according to the upper-layer session information in IP packets to prevent hosts on the public network from connecting to the private network unless users on the private network connect to the public network first. In this way, the reflective ACL protects the private network of an enterprise against attacks from unauthorized external users.

For example, GE2/0/1 on a switch connects to the Internet. The reflective ACL is configured on GE 2/0/1 in the outbound direction to prevent the server on the Internet from accessing hosts on the internal network unless the internal hosts access the server first. The configurations are as follows:
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule permit udp
[HUAWEI-acl-adv-3000] quit
[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] traffic-reflect outbound acl 3000 timeout 600 //Configure reflective ACL on GE2/0/1 to match UDP packets and set the aging time.
[HUAWEI-GigabitEthernet2/0/1] quit
[HUAWEI] traffic-reflect timeout 900 //Set the global aging time for reflective ACL.

Run the display traffic-reflect command in the system view to view the reflective ACL information.
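
The behaviour this configuration is meant to produce, as a simplified state-table model. This is an added Python example, not Huawei's implementation or part of the original page: the class ReflectiveAcl, the flow addresses and ports are constructed, and restarting the aging timer on every matching outbound packet is a modelling assumption.

```python
class ReflectiveAcl:
    """Simplified model of traffic-reflect outbound on one interface."""

    def __init__(self, protocols, timeout):
        self.protocols = set(protocols)   # what the referenced ACL permits, e.g. {"udp"}
        self.timeout = timeout            # aging time of a reflected entry
        self.entries = {}                 # mirrored flow -> expiry time

    def outbound(self, now, proto, src, sport, dst, dport):
        """Internal host sends a packet out: record the mirrored flow."""
        if proto in self.protocols:
            # Modelling assumption: each matching outbound packet restarts aging.
            self.entries[(proto, dst, dport, src, sport)] = now + self.timeout

    def inbound(self, now, proto, src, sport, dst, dport):
        """Packet arrives from the Internet: allowed only as a reply to a live flow."""
        key = (proto, src, sport, dst, dport)
        expiry = self.entries.get(key)
        if expiry is None:
            return "deny"
        if now >= expiry:
            del self.entries[key]         # entry has aged out
            return "deny"
        return "permit"

def demo():
    # Constructed flow; timeout 600 mirrors the interface setting shown above.
    acl = ReflectiveAcl({"udp"}, timeout=600)
    host, server = ("10.1.1.10", 40000), ("198.51.100.7", 53)
    results = []
    results.append(acl.inbound(0, "udp", *server, *host))      # server speaks first
    acl.outbound(10, "udp", *host, *server)                     # internal host initiates
    results.append(acl.inbound(11, "udp", *server, *host))     # reply to that flow
    results.append(acl.inbound(11, "udp", "198.51.100.8", 53, *host))  # unrelated server
    results.append(acl.inbound(700, "udp", *server, *host))    # after the entry aged out
    return results

if __name__ == "__main__":
    print(demo())
```

The model shows why the aging time matters operationally: a reply that arrives after the entry has expired is dropped until the internal host sends again.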

ACL configuration on S series switch
An ACL filters packets based on rules. A switch with an ACL configured matches packets against the rules to identify packets of a certain type, and then forwards or discards these packets according to the policies used by the service module to which the ACL is applied. The S series switch supports basic ACL (2000-2999), advanced ACL (3000-3999), Layer 2 ACL (4000-4999), user-defined ACL (5000-5999), user ACL (6000-9999), basic ACL6 (2000-2999), and advanced ACL6 (3000-3999). For more information about the ACL feature supported by S series switches, except S1700, see S1720&S2700&S3700&S5700&S6700&S7700&S9700 Common Operation Guide or S1720&S2700&S3700&S5700&S6700&S7700&S9700 Typical Configuration Examples.
