Can ACLs on S series switches filter BPDU packets?


For S series switches (except S1700 switches):
Information about STP and RSTP is transmitted in BPDUs. A BPDU packet is encapsulated into an Ethernet frame and its destination MAC address is a multicast MAC address 0180-C200-0000. A Layer 2 ACL (with the number ranging from 4000 to 4999) with the destination MAC address configured as 0180-C200-0000 can filter BPDU packets.
[HUAWEI] acl 4001
[HUAWEI-acl-L2-4001] rule 5 permit destination-mac 0180-c200-0000
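To make the matching rule above concrete, here is an added Python example (not code from the page or from Huawei) that parses constructed Ethernet frames, recognises an STP BPDU by the encapsulation the page describes (destination MAC 0180-C200-0000, carried as an 802.3/LLC frame with DSAP = SSAP = 0x42), and evaluates a Layer 2 ACL rule written in the page's own `rule <id> permit destination-mac <mac> [<mask>]` syntax against each frame. The frames, the source MAC and the optional mask rule are constructed for illustration; the parser and the first-match-wins lookup are simplifications, not a model of the switch ASIC.

```python
import struct
from typing import Iterable, Optional

def huawei_mac_to_bytes(mac: str) -> bytes:
    """Convert Huawei notation ("0180-c200-0000"; colon/dot forms also accepted) to 6 raw bytes."""
    hexstr = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(hexstr) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes.fromhex(hexstr)

STP_DST = huawei_mac_to_bytes("0180-c200-0000")  # BPDU destination address given on the page

def parse_ethernet(frame: bytes) -> dict:
    """Parse the 14-byte Ethernet header; for 802.3 frames (length field <= 1500) also the 3-byte LLC header."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, type_or_len = struct.unpack("!6s6sH", frame[:14])
    llc = None
    if type_or_len <= 1500 and len(frame) >= 17:
        llc = tuple(frame[14:17])  # (DSAP, SSAP, control)
    return {"dst": dst, "src": src, "type_or_length": type_or_len, "llc": llc}

def is_stp_bpdu(frame: bytes) -> bool:
    """STP/RSTP BPDUs: bridge group address as destination and LLC SAP 0x42 (bridge spanning tree)."""
    hdr = parse_ethernet(frame)
    return hdr["dst"] == STP_DST and hdr["llc"] is not None and hdr["llc"][:2] == (0x42, 0x42)

class L2Rule:
    """One Layer 2 ACL rule matching on destination MAC with an optional wildcard mask (ff = compare)."""
    def __init__(self, rule_id: int, action: str, dst_mac: str, dst_mask: str = "ffff-ffff-ffff"):
        self.rule_id = rule_id
        self.action = action
        self.dst = huawei_mac_to_bytes(dst_mac)
        self.mask = huawei_mac_to_bytes(dst_mask)

    def matches(self, frame: bytes) -> bool:
        dst = parse_ethernet(frame)["dst"]
        return all((d & m) == (r & m) for d, r, m in zip(dst, self.dst, self.mask))

def parse_rule(line: str) -> L2Rule:
    """Parse 'rule <id> permit|deny destination-mac <mac> [<mask>]' (the subset of syntax used on the page)."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "rule" or tok[3] != "destination-mac":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    mask = tok[5] if len(tok) > 5 else "ffff-ffff-ffff"
    return L2Rule(int(tok[1]), tok[2], tok[4], mask)

def acl_lookup(rules: Iterable[L2Rule], frame: bytes) -> Optional[str]:
    """First matching rule in ascending rule-ID order decides; None means no rule matched."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(frame):
            return rule.action
    return None

# --- constructed sample frames (not captured traffic) ---
SRC = bytes.fromhex("001122334455")

def _stp_frame() -> bytes:
    # 802.3 length field, LLC 42 42 03, then a zeroed 35-byte Configuration BPDU body (placeholder)
    payload = bytes([0x42, 0x42, 0x03]) + bytes(35)
    return STP_DST + SRC + struct.pack("!H", len(payload)) + payload

STP_FRAME = _stp_frame()
# LLDP uses a neighbouring bridge-reserved address (01-80-C2-00-00-0E) and EtherType 0x88CC
LLDP_FRAME = huawei_mac_to_bytes("0180-c200-000e") + SRC + struct.pack("!H", 0x88CC) + bytes(8)
# Ordinary broadcast ARP request, EtherType 0x0806
ARP_FRAME = bytes([0xFF] * 6) + SRC + struct.pack("!H", 0x0806) + bytes(28)

PAGE_ACL = [parse_rule("rule 5 permit destination-mac 0180-c200-0000")]
# Constructed variant: a mask of ffff-ffff-fff0 covers the whole 01-80-C2-00-00-00..0F reserved range
RESERVED_RANGE_ACL = [parse_rule("rule 5 permit destination-mac 0180-c200-0000 ffff-ffff-fff0")]

if __name__ == "__main__":
    for name, frame in [("stp", STP_FRAME), ("lldp", LLDP_FRAME), ("arp", ARP_FRAME)]:
        print(name, "bpdu" if is_stp_bpdu(frame) else "other",
              acl_lookup(PAGE_ACL, frame), acl_lookup(RESERVED_RANGE_ACL, frame))
```

The exact-match rule from the page selects only the STP BPDU, which is what you want when the ACL is bound to a traffic policy that drops the selected frames; the masked variant shows how easily a careless mask also catches LLDP and the other reserved bridge addresses, so check the mask before widening it.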

Other related questions:
Which packets cannot be filtered by the ACL used by a traffic policy on an S series switch
For S series switches, ACLs used by traffic policies cannot filter the protocol packets to be sent to the CPU. For example:
- VRRP protocol packets use the multicast address 224.0.0.18 as the destination address. The VRRP protocol packets are sent to the CPU for processing, so the ACL in a traffic policy does not take effect on these packets. Member switches in a VRRP group negotiate the master switch using the VRRP protocol packets.
- DHCP clients exchange DHCP packets with the DHCP server to obtain valid IP addresses. The DHCP packets are sent to the CPU for processing, so the ACL in a traffic policy does not take effect on these packets. Switches cannot use ACLs to prevent users connected to interfaces from obtaining IP addresses through DHCP.
- When a host pings a switch, the ICMP packet is sent to the CPU of the switch for processing. The ACL in a traffic policy does not take effect on the ICMP packet, so the switch cannot use ACLs to block ping packets from hosts.

To filter the protocol packets to be sent to the CPU, apply an ACL to the blacklist configured in the local attack defense policy. The configuration procedure is as follows:
1. Run the cpu-defend policy <policy-name> command in the system view to enter the attack defense policy view.
2. Run the blacklist <blacklist-id> acl <acl-number> command to create a blacklist.
3. Run the cpu-defend-policy <policy-name> [ global ] command in the system view or run the cpu-defend-policy <policy-name> command in the slot view to apply the attack defense policy.
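The distinction the page draws, that a traffic-policy ACL is not consulted for protocol packets handled by the CPU while the cpu-defend blacklist is, is modelled in this added Python example (not Huawei code and not a description of the switch's internal pipeline). It parses constructed IPv4 packets, classifies them as CPU-bound using the three cases the page lists (VRRP to 224.0.0.18, DHCP on UDP 67/68, ICMP addressed to the switch itself), and then applies either the traffic-policy ACL or the blacklist ACL accordingly. The switch address 10.0.0.1, the hosts, and the "list of destination networks" ACL representation are constructed simplifications.

```python
import struct
import ipaddress
from typing import Iterable, Optional, Set

VRRP_PROTO = 112
VRRP_MCAST = ipaddress.IPv4Address("224.0.0.18")  # destination address stated on the page
DHCP_PORTS = {67, 68}
ICMP_ECHO_REQUEST = 8

def parse_ipv4(pkt: bytes) -> dict:
    """Minimal IPv4 parser: addresses, protocol, UDP ports or ICMP type. Checksums are not validated."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    info = {"proto": proto,
            "src": ipaddress.IPv4Address(pkt[12:16]),
            "dst": ipaddress.IPv4Address(pkt[16:20]),
            "sport": None, "dport": None, "icmp_type": None}
    l4 = pkt[ihl:]
    if proto == 17 and len(l4) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    elif proto == 1 and len(l4) >= 1:
        info["icmp_type"] = l4[0]
    return info

def cpu_bound_reason(info: dict, switch_addrs: Set[ipaddress.IPv4Address]) -> Optional[str]:
    """Return why the packet is handled by the switch CPU (the page's three cases), or None for transit traffic."""
    if info["proto"] == VRRP_PROTO and info["dst"] == VRRP_MCAST:
        return "vrrp"
    if info["proto"] == 17 and (info["sport"] in DHCP_PORTS or info["dport"] in DHCP_PORTS):
        return "dhcp"
    if info["proto"] == 1 and info["dst"] in switch_addrs:
        return "icmp-to-switch"
    return None

def acl_selects(acl: Iterable[ipaddress.IPv4Network], info: dict) -> bool:
    """Toy ACL: a list of destination networks; a hit selects the packet for dropping."""
    return any(info["dst"] in net for net in acl)

def decide(pkt: bytes, traffic_policy_acl, blacklist_acl, switch_addrs) -> str:
    info = parse_ipv4(pkt)
    reason = cpu_bound_reason(info, switch_addrs)
    if reason is None:
        # Transit traffic: the ACL bound to the traffic policy is evaluated.
        return "dropped-by-traffic-policy" if acl_selects(traffic_policy_acl, info) else "forwarded"
    # CPU-bound protocol traffic: the traffic-policy ACL does not take effect;
    # only the ACL referenced by the cpu-defend blacklist is consulted.
    if acl_selects(blacklist_acl, info):
        return f"dropped-by-blacklist:{reason}"
    return f"sent-to-cpu:{reason}"

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a constructed IPv4 packet with a zero checksum (sufficient for this parser)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

# --- constructed sample traffic (not captured) ---
SWITCH_ADDRS = {ipaddress.IPv4Address("10.0.0.1")}  # assumed switch interface address
VRRP_ADVERT = build_ipv4("10.0.0.2", "224.0.0.18", VRRP_PROTO, bytes(8))
DHCP_DISCOVER = build_ipv4("0.0.0.0", "255.255.255.255", 17, struct.pack("!HHHH", 68, 67, 8, 0))
PING_SWITCH = build_ipv4("10.0.0.20", "10.0.0.1", 1, bytes([ICMP_ECHO_REQUEST, 0, 0, 0]))
PING_HOST = build_ipv4("10.0.0.20", "10.0.0.50", 1, bytes([ICMP_ECHO_REQUEST, 0, 0, 0]))

# One ACL that covers every destination above, bound first to a traffic policy, then to the blacklist.
BLOCK_ALL_FOUR = [ipaddress.ip_network(n) for n in
                  ("224.0.0.18/32", "255.255.255.255/32", "10.0.0.1/32", "10.0.0.50/32")]

if __name__ == "__main__":
    samples = [("vrrp", VRRP_ADVERT), ("dhcp", DHCP_DISCOVER), ("ping-switch", PING_SWITCH), ("ping-host", PING_HOST)]
    for name, pkt in samples:
        print(f"{name:12} traffic-policy={decide(pkt, BLOCK_ALL_FOUR, [], SWITCH_ADDRS):28} "
              f"blacklist={decide(pkt, [], BLOCK_ALL_FOUR, SWITCH_ADDRS)}")
```

Running it shows the same ACL silently doing nothing for the three CPU-bound packets when bound to a traffic policy, and dropping them once referenced by the blacklist, while the transit ping to 10.0.0.50 is the only one the traffic policy ever drops; that is the check to make before assuming a traffic-policy deny protects the control plane.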

Methods of configuring the ACL for a WLAN device
An ACL is essentially a packet filter whose rules form the filter core. The device matches packets against these rules to filter specific packets, and then allows the matched packets to pass or prevents them from passing according to the processing policy of the service module on which the ACL is applied. Currently, the ACLs on WLAN devices are classified into basic ACL (2000-2999), advanced ACL (3000-3999), Layer 2 ACL (4000-4999), user ACL (6000-9999), basic ACL 6 (2000-2999), and advanced ACL 6 (3000-3999). Fat APs do not support basic ACL 6 and advanced ACL 6. For more information about the ACLs of Huawei WLAN devices, see: V200R005: ACL Configuration in AC6605&AC6005&ACU2(AC&FITAP) Product Documentation. V200R006: ACL Configuration in AC6605&AC6005&ACU2(AC&FITAP) Product Documentation.

Apply ACLs to SNMP on S series switches to filter NMSs
For details, click Typical Configuration Examples.

How to configure packet filtering on S series switches
For details about packet filtering configuration examples on S series switches (except the S1700), see "Example for Configuring a Traffic Policy to Limit Access Between Network Segments" in Typical QoS Configuration. Configurations on different models are the same, and configurations on the S series fixed switches, S7700 and S9700 are used as examples. Note: This configuration example does not apply to the S2700SI.
