Got it
Huawei Enterprise Support Community
Community Forums Routing & Switching
Layer 2 ACL

Layer 2 ACL

Created: Nov 17, 2019 04:00:45Latest reply: Nov 18, 2019 02:26:53 534 4 0 0 0
  Rewarded HiCoins: 5 (problem resolved)
View the author 1#

Hi Experts,


I have several access switches connected to a central destribution switch. SVI is configured in destribution switch. Now, I want to configure layer 2 acl on access switch, so that the source mac only have access to 8.8.8.8 and other services will be dropped.


Software Version V200R011C10SPC600


Here is the configuration I have done:

acl number 4070

     rule 10 permit source-mac 4889-e79c-54e1

acl number 3070

     rule 10 permit ip destination 8.8.8.8 0.0.0.0

     rule 30 deny ip

traffic-filter inbound acl 4070 acl 3070

##############################

But the problem is all traffic is dropping for that source MAC. Also shared the simplified configuration of switch (excluding the new config)


Note: In destribution switch more than 70 vlan is created. So I had to apply ACL globally rather than specifing under vlan interface.






ACLLayer2ACL

Like (0) Dislike (0) Favorite(0) Share Report
Previous: Multicast Problems
Next: S5700 interface connecting problem (Multicast topology)
Featured Answers

Recommended answer

(0) (0)
chenhui
Admin Created Nov 18, 2019 02:26:53

@BRACNet hello,
when layer 2 and layer 3 ACL configured simultaneously, the matching logic for them is or, not and. So as you configured, the traffic with source-mac 4889-e79c-54e1 or the destination address 8.8.8.8 will be passed through.

By the way, there is another error in your configuration.
acl number 3070
rule 10 permit ip destination 8.8.8.8 0.0.0.0
rule 30 deny ip
the acl 3070 only allow the traffic to the 8.8.8.8, and it configured in the system-view, in which situation the return traffic from the host 8.8.8.8 will blocked by the switch.
View more
  • x
  • convention:
All Answers
(0) (0)
2#
Popeye_Wang
Popeye_Wang Admin Created Nov 17, 2019 05:21:17

Hi
If ACL3070 is cancelled, does this policy work?
View more
  • x
  • convention:

BRACNet
BRACNet Created Nov 17, 2019 09:52:04 (0) (0)
No, it does not work. As the main condition is under ACL 3070. I want the host machine can only ping to 8.8.8.8 other will be dropped  
(0) (0)
3#
E.DR_91
E.DR_91 MVE Author Created Nov 17, 2019 13:00:53

May Be the below is useful for you:

View more
  • x
  • convention:
(0) (0)
4#
chenhui
chenhui Admin Created Nov 18, 2019 02:26:53

@BRACNet hello,
when layer 2 and layer 3 ACL configured simultaneously, the matching logic for them is or, not and. So as you configured, the traffic with source-mac 4889-e79c-54e1 or the destination address 8.8.8.8 will be passed through.

By the way, there is another error in your configuration.
acl number 3070
rule 10 permit ip destination 8.8.8.8 0.0.0.0
rule 30 deny ip
the acl 3070 only allow the traffic to the 8.8.8.8, and it configured in the system-view, in which situation the return traffic from the host 8.8.8.8 will blocked by the switch.
View more
  • x
  • convention:
Back to list

Comment

Advanced
B Color Image Link Quote Code Smilies
You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy User Agreement Terms of Use Cookies Cookie Settings
Huawei Enterprise Huawei Carrier Forum Training & Certification

Contact Us: e_online@huawei.com Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

APP

Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.