Apply ACLs to SNMP on S series switches to filter NMSs


For details, click Typical Configuration Examples.

Other related questions:
ACL configuration on S series switch
An ACL filters packets based on rules. A switch with an ACL configured matches packets against the rules to identify packets of a certain type, and then forwards or discards those packets according to the policy of the service module to which the ACL is applied. S series switches support basic ACLs (2000-2999), advanced ACLs (3000-3999), Layer 2 ACLs (4000-4999), user-defined ACLs (5000-5999), user ACLs (6000-9999), basic ACL6 (2000-2999), and advanced ACL6 (3000-3999). For more information about the ACL feature supported by S series switches, except S1700, click S1720&S2700&S3700&S5700&S6700&S7700&S9700 Common Operation Guide or S1720&S2700&S3700&S5700&S6700&S7700&S9700 Typical Configuration Examples.

Can ACLs on S series switches filter BPDU packets
For S series switches (except S1700 switches): Information about STP and RSTP is transmitted in BPDUs. A BPDU is encapsulated in an Ethernet frame whose destination MAC address is the multicast address 0180-C200-0000. A Layer 2 ACL (numbered 4000 to 4999) whose rule specifies the destination MAC address 0180-C200-0000 can therefore match BPDU packets:
[HUAWEI] acl 4001
[HUAWEI-acl-L2-4001] rule 5 permit destination-mac 0180-c200-0000

Configure ACLs on S series switches to restrict communications between users
For details about the configuration on S series switches (except S1700 switches), click Typical Configuration Examples and choose Typical Security Configuration > Typical ACL Configuration > Example for Using ACLs to Restrict Mutual Access Between Network Segments.

Which packets cannot be filtered by the ACL used by a traffic policy on an S series switch
For S series switches, ACLs used by traffic policies cannot filter the protocol packets to be sent to the CPU. For example:
- VRRP protocol packets use the multicast address 224.0.0.18 as the destination address. They are sent to the CPU for processing, so the ACL in a traffic policy does not take effect on them. Member switches in a VRRP group use these packets to negotiate the master switch.
- DHCP clients exchange DHCP packets with the DHCP server to obtain valid IP addresses. These packets are sent to the CPU for processing, so the ACL in a traffic policy does not take effect on them. A switch therefore cannot use such an ACL to prevent users connected to its interfaces from obtaining IP addresses through DHCP.
- When a host pings a switch, the ICMP packet is sent to the CPU of the switch for processing. The ACL in a traffic policy does not take effect on the ICMP packet, so the switch cannot use such an ACL to block ping packets from hosts.

To filter the protocol packets to be sent to the CPU, apply an ACL to the blacklist configured in the local attack defense policy. The configuration procedure is as follows:
1. Run the cpu-defend policy <policy-name> command in the system view to enter the attack defense policy view.
2. Run the blacklist <blacklist-id> acl <acl-number> command to create a blacklist.
3. Run the cpu-defend-policy <policy-name> [ global ] command in the system view or run the cpu-defend-policy <policy-name> command in the slot view to apply the attack defense policy.
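The three steps above put together, as an added example that is not from the original page: an advanced ACL selects ICMP packets from one host and the blacklist in the attack defense policy discards them before they reach the CPU. The ACL number 3001, the host address 10.1.1.100 and the policy name policy1 are assumed values chosen for the illustration.

```text
[HUAWEI] acl 3001                                               //Advanced ACL (3000-3999); number is an assumed value.
[HUAWEI-acl-adv-3001] rule 5 permit icmp source 10.1.1.100 0    //permit selects the packets to blacklist; 10.1.1.100 is an assumed host.
[HUAWEI-acl-adv-3001] quit
[HUAWEI] cpu-defend policy policy1                              //Step 1: create the attack defense policy and enter its view.
[HUAWEI-cpu-defend-policy-policy1] blacklist 1 acl 3001         //Step 2: packets matching ACL 3001 are blacklisted and discarded.
[HUAWEI-cpu-defend-policy-policy1] quit
[HUAWEI] cpu-defend-policy policy1 global                       //Step 3: apply the policy to the switch (or omit global and apply it in the slot view).
```

Because the blacklist discards everything the ACL matches, keep the ACL rules narrow (specific source addresses and protocols): a rule that also matches the NMS or the VRRP peer cuts off management or master negotiation for that device.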

SNMP configuration on S series switch
S series switches (except S1700 switches) support three SNMP versions: SNMPv1, SNMPv2c, and SNMPv3. SNMPv1 and SNMPv2c authenticate with community names only, which provides low security, whereas SNMPv3 uses authentication and encryption to enhance security. The following uses SNMPv2c configuration as an example:
[HUAWEI] snmp-agent //Enable SNMP.
[HUAWEI] snmp-agent sys-info version v2c //Set the SNMP version to SNMPv2c.
[HUAWEI] snmp-agent community write adminnms01 //Set the SNMP write community name.
For common SNMP configuration information, see "Common SNMP Operations" in S1720&S2700&S3700&S5700&S6700&S7700&S9700 Series Switches Common Operation Guide. For typical SNMP configuration examples, see "Typical SNMP Configuration" in "Typical Network Management and Monitoring Configuration" of S1720&S2700&S3700&S5700&S6700&S7700&S9700 Typical Configuration Examples. Common configuration and typical configuration examples for S9300 and S12700 series switches are the same as those for Sx700 series switches; the Sx700 series switches are used as an example here.
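The following added example (not from the original page) combines the SNMPv2c configuration above with a basic ACL so that only a designated NMS can use the write community, which is the filtering asked about at the top of this page. The NMS address 10.1.1.10 and the ACL number 2001 are assumed values; the community name is the one used on this page.

```text
[HUAWEI] acl 2001                                            //Basic ACL (2000-2999) matches on source address only; number is assumed.
[HUAWEI-acl-basic-2001] rule 5 permit source 10.1.1.10 0     //Assumed NMS address; wildcard 0 means an exact match.
[HUAWEI-acl-basic-2001] rule 10 deny                         //Every other source is rejected.
[HUAWEI-acl-basic-2001] quit
[HUAWEI] snmp-agent                                          //Enable SNMP.
[HUAWEI] snmp-agent sys-info version v2c                     //Set the SNMP version to SNMPv2c.
[HUAWEI] snmp-agent community write adminnms01 acl 2001      //Bind the ACL to the write community.
```

After applying the configuration, display snmp-agent community shows the community with its bound ACL, and an SNMP request from any address other than the permitted NMS is rejected. A community name travels in clear text in SNMPv1/v2c, so the ACL limits who can use it but does not protect it; SNMPv3 with authentication and privacy is the stronger choice where the NMS supports it.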
