How to configure an ACL


Before configuring an ACL, familiarize yourself with the following information:

--An ACL is composed of a list of rules. Each rule contains a deny or permit clause. Rules may overlap or conflict, and one rule can contain another, but no two rules may be identical.
--By default, the rules in an ACL are matched in the order in which they were configured. When the switch finds that a packet matches a rule, it stops the matching process.
--Rules in an ACL only classify packets. To have the switch act on packets that match the deny or permit rules of an ACL, apply the ACL to a specific feature, such as a traffic policy or FTP. Different features process the packets classified by an ACL in different ways. For details, see the configuration guides of the features.

The following is an ACL configuration example.
Create an advanced ACL numbered 3000 and add two rules to it. The rules deny all IP packets sent from hosts on network segment 192.168.1.0 and permit all IP packets sent from hosts on other network segments.
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 5 deny ip source 192.168.1.0 0.0.0.255
[HUAWEI-acl-adv-3000] rule 15 permit ip

Other related questions:

Methods of configuring the ACL for a WLAN device
An ACL is essentially a packet filter whose rules form the core of the filter. The device matches packets against these rules to pick out specific packets, and then allows or blocks the filtered packets according to the processing policy of the service module to which the ACL is applied. Currently, the ACLs on WLAN devices are classified into basic ACLs (2000-2999), advanced ACLs (3000-3999), Layer 2 ACLs (4000-4999), user ACLs (6000-9999), basic ACL6 (2000-2999), and advanced ACL6 (3000-3999). Fat APs do not support basic ACL6 or advanced ACL6. For more information about the ACLs of Huawei WLAN devices, see: V200R005: ACL Configuration in AC6605&AC6005&ACU2(AC&FITAP) Product Documentation; V200R006: ACL Configuration in AC6605&AC6005&ACU2(AC&FITAP) Product Documentation.

ACL configuration on S series switch
An ACL filters packets based on rules. A switch with an ACL configured matches packets against the rules to pick out packets of a certain type, and then forwards or discards those packets according to the policy of the service module to which the ACL is applied. S series switches support basic ACLs (2000-2999), advanced ACLs (3000-3999), Layer 2 ACLs (4000-4999), user-defined ACLs (5000-5999), user ACLs (6000-9999), basic ACL6 (2000-2999), and advanced ACL6 (3000-3999). For more information about the ACL features supported by S series switches other than the S1700, see S1720&S2700&S3700&S5700&S6700&S7700&S9700 Common Operation Guide or S1720&S2700&S3700&S5700&S6700&S7700&S9700 Typical Configuration Examples.

Reflective ACL configuration on S series switch
On an S series switch, except the S1700: a reflective ACL is a type of dynamic ACL. It controls user access according to the upper-layer session information in IP packets, preventing hosts on the public network from connecting to the private network unless users on the private network connect to the public network first. In this way, the reflective ACL protects the private network of an enterprise against attacks from unauthorized external users.
For example, GE2/0/1 on a switch connects to the Internet. The reflective ACL is configured on GE2/0/1 in the outbound direction to prevent a server on the Internet from accessing hosts on the internal network unless the internal hosts access the server first. The configuration is as follows:
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule permit udp
[HUAWEI-acl-adv-3000] quit
[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] traffic-reflect outbound acl 3000 timeout 600 //Configure a reflective ACL on GE2/0/1 to match UDP packets and set the aging time.
[HUAWEI-GigabitEthernet2/0/1] quit
[HUAWEI] traffic-reflect timeout 900 //Set the global aging time for reflective ACLs.
Run the display traffic-reflect command in the system view to view the reflective ACL information.

Method used to configure the mask in the ACL on the AR
Masks in ACL rules configured on AR series routers and S series switches are wildcard masks. A wildcard mask (also simply called a wildcard) is written in dotted decimal notation. In its binary form, a 0 bit means that the corresponding address bit must match, and a 1 bit means that the corresponding address bit is ignored. The 0 and 1 bits need not be contiguous. For example, with the IP address 192.168.1.169 and the wildcard 0.0.0.172, the matched addresses are 192.168.1.x0x0xx01, where each x can be 0 or 1.
Example:
<Huawei> system-view
[Huawei] acl number 2000
[Huawei-acl-basic-2000] rule permit source 192.168.32.1 0 //Permit only a specific IP address; the wildcard mask 0.0.0.0 is abbreviated as 0.
[Huawei-acl-basic-2000] rule permit source 192.168.32.0 0.0.0.255 //Permit a network segment (subnet mask 255.255.255.0) with the wildcard mask 0.0.0.255; ACL rules take the wildcard mask, not the subnet mask.
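As an added illustration of both the first-match ordering described at the top of the page and the wildcard-mask rules just above (example code written for this page, not Huawei's), the following Python simulates how a switch walks an ACL's rules in configured order and how a wildcard mask, including a non-contiguous one such as 0.0.0.172, selects the address bits that must match. The rule parser, the function names and the rule-dict layout are assumptions of this example.

```python
import ipaddress

# Constructed mini-evaluator for Huawei-style ACL rules; not the switch's own code.
# Rule syntax handled: rule [id] permit|deny [proto] [source <addr> <wildcard|0>]

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr agrees with base on every bit whose wildcard bit is 0.
    Wildcard bits set to 1 are 'don't care' and need not be contiguous."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == b & care

def octet_pattern(base: int, wildcard: int) -> str:
    """Render one octet the way the text does: 'x' where the wildcard bit is 1."""
    return "".join("x" if (wildcard >> i) & 1 else str((base >> i) & 1)
                   for i in range(7, -1, -1))

def parse_rule(line: str) -> dict:
    """Parse one rule line into {id, action, proto, src, wc}."""
    tok, i, rid = line.split(), 1, None
    if tok[0] != "rule":
        raise ValueError(f"not a rule: {line}")
    if tok[i].isdigit():                      # rule ID is optional
        rid, i = int(tok[i]), i + 1
    action, i = tok[i], i + 1                 # permit or deny
    proto = "ip"                              # basic ACLs carry no protocol keyword
    if i < len(tok) and tok[i] != "source":
        proto, i = tok[i], i + 1
    src = wc = None
    if i < len(tok) and tok[i] == "source":
        src = tok[i + 1]
        wc = "0.0.0.0" if tok[i + 2] == "0" else tok[i + 2]  # '0' abbreviates 0.0.0.0
    return {"id": rid, "action": action, "proto": proto, "src": src, "wc": wc}

def evaluate(rules: list, src_ip: str, proto: str = "ip"):
    """First-match evaluation in configured order: returns (action, rule_id), or
    (None, None) when no rule matches; the feature the ACL is applied to decides then."""
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != proto:   # 'ip' covers every IP protocol
            continue
        if r["src"] is not None and not wildcard_match(src_ip, r["src"], r["wc"]):
            continue
        return r["action"], r["id"]
    return None, None

# ACL 3000 from the text: deny sources in 192.168.1.0/24, permit everything else.
ACL_3000 = [parse_rule(line) for line in ("rule 5 deny ip source 192.168.1.0 0.0.0.255",
                                          "rule 15 permit ip")]
```

Swapping the two rules of ACL_3000 makes every source hit rule 15 first, which is the ordering pitfall the first section warns about.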
