Can ACLs in use be modified on S series switches

4

For an S series switch (except the S1700 switch):
Before modifying rules in an ACL that is applied in the service module, delete the ACL from the service module.

Other related questions:
ACL configuration on S series switch
An ACL filters packets based on rules. A switch with an ACL configured matches packets based on the rules to obtain the packets of a certain type, and then decides to forward or discard these packets according to the policies used by the service module to which the ACL is applied. The S series switch supports basic ACL (2000-2999), advanced ACL (3000-3999), Layer 2 ACL (4000-4999), user-defined ACL (5000-5999), USER acl (6000-9999), basic ACL6 (2000-2999), and advanced ACL6 (3000-3999). For more information about the ACL feature supported by S series switches, except S1700, click S1720&S2700&S3700&S5700&S6700&S7700&S9700 Common Operation Guide or S1720&S2700&S3700&S5700&S6700&S7700&S9700 Typical Configuration Examples.

Can ACLs on S series switches restrict time range
ACLs on S series switches can restrict time range. For example, you can use a Layer 2 ACL to restrict the PPPoE dial-up time segment on a switch. Run the time-range command to specify a time range, and reference the time range in a Layer 2 ACL rule.

ACL matching order on S series switches
If ACL rules repeat or conflict, the ACL matching order decides the matching result. S series switches (except S1700 switches) support the configuration order (config) and the automatic order (auto). Configuration order: The system matches packets against ACL rules in ascending order of rule IDs. That is, the rule with the smallest ID is processed first. If a smaller rule ID is manually specified for a rule, the rule is inserted in one of the front lines of an ACL, and the rule is processed earlier. If no ID is manually specified for a rule, the system allocates an ID to the rule. The rule ID is greater than the largest rule ID in the ACL and is the minimum multiple of the step. Therefore, this rule is processed last. Automatic order: The system arranges rules according to precision degree of the rules (depth first principle), and matches packets against the rules in descending order of precision. A rule with the highest precision defines strictest conditions, and has the highest priority. The system matches packets against this rule first.

Can ACLs on S series switches filter BPDU packets
For S series switches (except S1700 switches): Information about STP and RSTP is transmitted in BPDUs. A BPDU packet is encapsulated into an Ethernet frame and its destination MAC address is a multicast MAC address 0180-C200-0000. A Layer 2 ACL (with the number ranging from 4000 to 4999) with the destination MAC address configured as 0180-C200-0000 can filter BPDU packets. [HUAWEI] acl 4001 [HUAWEI-acl-L2-4001] rule 5 permit destination-mac 0180-c200-0000

Reflective ACL configuration on S series switch
On an S series switch, except S1700: Reflective ACL is a type of dynamic ACL. It controls user access according to the upper-layer session information in IP packets to prevent hosts on the public network from connecting to the private network unless users on the private network connect to the public network first. In this way, the reflective ACL protects the private network of an enterprise against attacks from unauthorized external users. For example, GE2/0/1 on a switch connects to the Internet. The reflective ACL is configured on GE 2/0/1 in the outbound direction to prevent the server on the Internet from accessing hosts on the internal network unless the internal hosts access the server first. The configurations are as follows: [HUAWEI] acl 3000 [HUAWEI-acl-adv-3000] rule permit udp [HUAWEI-acl-adv-3000] quit [HUAWEI] interface gigabitethernet 2/0/1 [HUAWEI-GigabitEthernet2/0/1] traffic-reflect outbound acl 3000 timeout 600 //Configure reflective ACL on GE2/0/1 to match UDP packets and set the aging time. [HUAWEI-GigabitEthernet2/0/1] quit [HUAWEI] traffic-reflect timeout 900 //Set the global aging time for reflective ACL. Run the display traffic-reflect command in the system view to view the reflective ACL information.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top