ACL configuration on S series switch


An ACL filters packets based on rules. A switch with an ACL configured matches packets based on the rules to obtain the packets of a certain type, and then decides to forward or discard these packets according to the policies used by the service module to which the ACL is applied.
The S series switch supports basic ACLs (2000-2999), advanced ACLs (3000-3999), Layer 2 ACLs (4000-4999), user-defined ACLs (5000-5999), user ACLs (6000-9999), basic ACL6 (2000-2999), and advanced ACL6 (3000-3999).
For more information about the ACL feature supported by S series switches, except S1700, click S1720&S2700&S3700&S5700&S6700&S7700&S9700 Common Operation Guide or S1720&S2700&S3700&S5700&S6700&S7700&S9700 Typical Configuration Examples.

Other related questions:

Reflective ACL configuration on S series switch
On an S series switch, except S1700: a reflective ACL is a type of dynamic ACL. It controls user access according to the upper-layer session information in IP packets, so that hosts on the public network cannot connect to the private network unless a user on the private network has connected to the public network first. In this way, the reflective ACL protects the private network of an enterprise against attacks from unauthorized external users.
For example, GE2/0/1 on a switch connects to the Internet. The reflective ACL is configured on GE2/0/1 in the outbound direction to prevent a server on the Internet from accessing hosts on the internal network unless the internal hosts access the server first. The configuration is as follows:
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule permit udp
[HUAWEI-acl-adv-3000] quit
[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] traffic-reflect outbound acl 3000 timeout 600 //Configure a reflective ACL on GE2/0/1 to match UDP packets and set the aging time.
[HUAWEI-GigabitEthernet2/0/1] quit
[HUAWEI] traffic-reflect timeout 900 //Set the global aging time for reflective ACLs.
Run the display traffic-reflect command in the system view to view the reflective ACL information.
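The behaviour described above, as an added example that is not part of the original page or of Huawei's software: a small Python model of a reflective ACL applied outbound on an Internet-facing port. Outbound packets matching the trigger (UDP, as in the page's ACL 3000) create a reflected entry for the reverse flow that ages out after the configured timeout; inbound packets are forwarded only if an unexpired reflected entry exists. The Flow class, the constructed sample addresses, and the assumption that the aging timer is set once at entry creation and not refreshed by later traffic are all mine, not taken from the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """5-tuple identifying one direction of a session (constructed model)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        # The reflected entry is the mirror image of the outbound flow: return
        # traffic has the original destination as its source and vice versa.
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class ReflectiveAcl:
    """Model of a reflective ACL applied outbound on an Internet-facing port.

    Outbound packets that match the trigger protocol ('udp', matching the
    page's 'rule permit udp') create a temporary inbound entry for the reverse
    flow that ages out after `timeout` seconds. Inbound packets are permitted
    only while an unexpired reflected entry exists for them.
    """

    def __init__(self, trigger_proto: str = "udp", timeout: int = 600):
        self.trigger_proto = trigger_proto
        self.timeout = timeout
        self.reflected: dict[Flow, int] = {}   # inbound flow -> expiry time

    def _age_out(self, now: int) -> None:
        # Drop entries whose aging timer has run down.
        self.reflected = {f: exp for f, exp in self.reflected.items() if exp > now}

    def outbound(self, flow: Flow, now: int) -> str:
        """Internal host sends towards the Internet; always forwarded in this model."""
        self._age_out(now)
        if flow.proto == self.trigger_proto:
            # Assumption: the timer is set at creation and not refreshed by traffic.
            self.reflected[flow.reverse()] = now + self.timeout
        return "permit"

    def inbound(self, flow: Flow, now: int) -> str:
        """Internet host sends towards the internal network."""
        self._age_out(now)
        return "permit" if flow in self.reflected else "deny"

    def active_entries(self, now: int) -> int:
        """Number of unexpired reflected entries at time `now`."""
        self._age_out(now)
        return len(self.reflected)


if __name__ == "__main__":
    acl = ReflectiveAcl("udp", timeout=600)
    # Constructed sample flows: an internal DNS query and its reply.
    query = Flow("udp", "192.168.10.20", 40001, "203.0.113.53", 53)
    reply = query.reverse()
    print("reply before query:", acl.inbound(reply, now=0))    # deny
    acl.outbound(query, now=1)
    print("reply after query:", acl.inbound(reply, now=5))     # permit
    print("reply after aging:", acl.inbound(reply, now=700))   # deny
```

The model makes the two properties of the feature visible: an unsolicited inbound packet never matches, and a legitimate reply stops matching once the aging time (600 s here, as on the page's interface command) has elapsed, so a forgotten session does not stay open indefinitely.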

Configure Layer 2 ACLs on S series switches
A Layer 2 ACL, numbered from 4000 to 4999, can be configured on an S series switch (except the S1700). A Layer 2 ACL defines rules based on information in the Ethernet frame header, such as the source MAC address, destination MAC address, and Layer 2 protocol type.
For example, create a rule in ACL 4001 that permits ARP packets with destination MAC address 0000-0000-0001, source MAC address 0000-0000-0002, and Layer 2 protocol type 0x0806:
[HUAWEI] acl 4001
[HUAWEI-acl-L2-4001] rule permit destination-mac 0000-0000-0001 source-mac 0000-0000-0002 l2-protocol 0x0806
Create a rule in the named Layer 2 ACL deny-vlan10-mac that rejects packets from MAC addresses in the range 00e0-fc01-0000 to 00e0-fc01-ffff in VLAN 10 (the mask ffff-ffff-0000 fixes the first 32 bits of the address and ignores the last 16):
[HUAWEI] acl name deny-vlan10-mac link
[HUAWEI-acl-L2-deny-vlan10-mac] rule deny vlan-id 10 source-mac 00e0-fc01-0000 ffff-ffff-0000
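To make the Layer 2 matching semantics concrete, here is an added Python example (my own code, not Huawei's, and not on the original page) that parses the xxxx-xxxx-xxxx MAC notation and evaluates the two rules above against constructed frames. The Frame and L2Rule classes, the evaluate function and the sample frames are assumptions for illustration; the only things taken from the page are the two rules themselves and the fact that in a Layer 2 ACL a 1 bit in the MAC mask means "must match".

```python
from dataclasses import dataclass
from typing import Optional


def mac_to_int(mac: str) -> int:
    """Parse the 'xxxx-xxxx-xxxx' MAC notation used in the CLI into a 48-bit int."""
    hexdigits = mac.replace("-", "")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC format: {mac}")
    return int(hexdigits, 16)


@dataclass(frozen=True)
class Frame:
    """The header fields a Layer 2 ACL can look at (constructed model)."""
    src_mac: str
    dst_mac: str
    vlan_id: Optional[int]
    l2_protocol: int            # EtherType, e.g. 0x0806 for ARP


@dataclass
class L2Rule:
    action: str                                  # "permit" or "deny"
    source_mac: Optional[str] = None
    source_mask: str = "ffff-ffff-ffff"          # default: exact match
    destination_mac: Optional[str] = None
    destination_mask: str = "ffff-ffff-ffff"
    vlan_id: Optional[int] = None
    l2_protocol: Optional[int] = None

    @staticmethod
    def _mac_match(frame_mac: str, rule_mac: Optional[str], mask: str) -> bool:
        # Layer 2 ACL mask: bits set to 1 must match, bits set to 0 are ignored
        # (the opposite of the IPv4 wildcard convention). So 00e0-fc01-0000 with
        # mask ffff-ffff-0000 covers 00e0-fc01-0000 .. 00e0-fc01-ffff.
        if rule_mac is None:
            return True                          # field not specified: matches all
        m = mac_to_int(mask)
        return (mac_to_int(frame_mac) & m) == (mac_to_int(rule_mac) & m)

    def matches(self, frame: Frame) -> bool:
        return (
            self._mac_match(frame.src_mac, self.source_mac, self.source_mask)
            and self._mac_match(frame.dst_mac, self.destination_mac, self.destination_mask)
            and (self.vlan_id is None or frame.vlan_id == self.vlan_id)
            and (self.l2_protocol is None or frame.l2_protocol == self.l2_protocol)
        )


def evaluate(rules: list[L2Rule], frame: Frame) -> Optional[str]:
    """Return the action of the first matching rule, or None if nothing matches."""
    for rule in rules:
        if rule.matches(frame):
            return rule.action
    return None


# ACL 4001 from the page: permit ARP from 0000-0000-0002 to 0000-0000-0001.
ACL_4001 = [L2Rule("permit", source_mac="0000-0000-0002",
                   destination_mac="0000-0000-0001", l2_protocol=0x0806)]

# ACL deny-vlan10-mac from the page: deny 00e0-fc01-xxxx sources in VLAN 10.
ACL_DENY_VLAN10 = [L2Rule("deny", source_mac="00e0-fc01-0000",
                          source_mask="ffff-ffff-0000", vlan_id=10)]


if __name__ == "__main__":
    # Constructed sample frames.
    arp = Frame("0000-0000-0002", "0000-0000-0001", None, 0x0806)
    vlan10_host = Frame("00e0-fc01-abcd", "ffff-ffff-ffff", 10, 0x0800)
    print("ACL 4001, ARP frame:", evaluate(ACL_4001, arp))                 # permit
    print("deny-vlan10-mac, VLAN 10 frame:", evaluate(ACL_DENY_VLAN10, vlan10_host))  # deny
```

When no rule matches, evaluate returns None rather than a default action, because what happens to an unmatched packet depends on the service module the ACL is applied to, not on the ACL itself.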

ACL matching order on S series switches
If ACL rules repeat or conflict, the ACL matching order decides the matching result. S series switches (except S1700) support two matching orders: configuration order (config) and automatic order (auto).
Configuration order: the system matches packets against ACL rules in ascending order of rule ID, so the rule with the smallest ID is processed first. If a smaller rule ID is manually specified for a rule, the rule is inserted nearer the front of the ACL and is processed earlier. If no ID is specified, the system allocates one: the smallest multiple of the step that is greater than the largest rule ID already in the ACL. Such a rule is therefore processed last.
Automatic order: the system arranges rules according to their precision (depth-first principle) and matches packets against them in descending order of precision. The most precise rule, the one with the strictest conditions, has the highest priority and is matched first.
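The difference between the two orders is easiest to see on a concrete pair of overlapping rules. The Python below is an added example, not code from the page or from Huawei: it models a basic ACL with automatic rule-ID allocation (step 5 is assumed as the default step) and looks up an address under config order and under auto order. The precision measure used for auto order (the number of address bits a rule pins down, so a host rule beats a subnet rule, which beats "any") is a simplified stand-in for the device's depth-first algorithm and is my assumption, as are the class and method names.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class BasicRule:
    rule_id: int
    action: str        # "permit" or "deny"
    source: str        # e.g. "10.1.1.0"
    wildcard: str      # IPv4 wildcard: 0 bits must match, 1 bits are ignored

    def _care_bits(self) -> int:
        return (~int(ipaddress.IPv4Address(self.wildcard))) & 0xFFFFFFFF

    def matches(self, ip: str) -> bool:
        care = self._care_bits()
        return (int(ipaddress.IPv4Address(ip)) & care) == \
               (int(ipaddress.IPv4Address(self.source)) & care)

    def precision(self) -> int:
        # Simplified depth-first measure (assumption): count of fixed address
        # bits. A host rule scores 32, wildcard 0.0.0.255 scores 24, "any" 0.
        return bin(self._care_bits()).count("1")


class BasicAcl:
    """Basic ACL (2000-2999) with config or auto matching order (constructed model)."""

    def __init__(self, number: int, match_order: str = "config", step: int = 5):
        if not 2000 <= number <= 2999:
            raise ValueError("basic ACL numbers run 2000-2999")
        if match_order not in ("config", "auto"):
            raise ValueError("match-order must be 'config' or 'auto'")
        self.number = number
        self.match_order = match_order
        self.step = step                     # assumed default step of 5
        self.rules: list[BasicRule] = []

    def add_rule(self, action: str, source: str, wildcard: str,
                 rule_id: Optional[int] = None) -> int:
        """Add a rule; allocate an ID if none is given. Returns the rule ID."""
        if rule_id is None:
            # Smallest multiple of the step greater than the largest existing ID.
            largest = max((r.rule_id for r in self.rules), default=0)
            rule_id = (largest // self.step + 1) * self.step
        elif any(r.rule_id == rule_id for r in self.rules):
            raise ValueError(f"rule {rule_id} already exists")
        self.rules.append(BasicRule(rule_id, action, source, wildcard))
        return rule_id

    def ordered_rules(self) -> list[BasicRule]:
        if self.match_order == "config":
            return sorted(self.rules, key=lambda r: r.rule_id)
        # auto: most precise first; the rule ID only breaks ties
        return sorted(self.rules, key=lambda r: (-r.precision(), r.rule_id))

    def lookup(self, ip: str):
        """Return (action, rule_id) of the first matching rule, or (None, None)."""
        for rule in self.ordered_rules():
            if rule.matches(ip):
                return rule.action, rule.rule_id
        return None, None    # unmatched: the applying service module decides


if __name__ == "__main__":
    for order in ("config", "auto"):
        acl = BasicAcl(2000, order)
        acl.add_rule("deny", "10.1.1.0", "0.0.0.255")     # gets ID 5
        acl.add_rule("permit", "10.1.1.10", "0.0.0.0")    # gets ID 10, more precise
        print(order, "order, 10.1.1.10 ->", acl.lookup("10.1.1.10"))
    # config: ('deny', 5); auto: ('permit', 10)
```

The same two rules give opposite results for 10.1.1.10: under config order the earlier, broader deny wins, while under auto order the host-specific permit is evaluated first. The example also shows the ID allocation rule: after a manually numbered rule 7, the next automatic ID is 10, the first multiple of the step above 7.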
