01-02 ACL Configuration
Uploaded by
rapidox01-02 ACL Configuration
Uploaded by
rapidoxS300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
2 ACL Configuration
2.1 Overview of ACLs
2.2 Understanding ACLs
2.3 Licensing Requirements and Limitations for ACLs
2.4 Summary of ACL Configuration Tasks
2.5 Default Settings for ACLs
2.6 (Optional) Creating a Time Range in Which an ACL Takes Effect
2.7 Configuring an ACL
2.8 Applying an ACL
2.9 Modifying an ACL
2.10 Deleting an ACL
2.11 Maintaining ACLs
2.12 Configuration Examples for ACLs
2.13 Troubleshooting ACLs
2.14 FAQ About ACLs
2.1 Overview of ACLs
Definition
Access Control Lists (ACLs) filter packets based on an ordered set of rules that
define the packet filtering conditions, such as the source address, destination
address, and port number of packets.
An ACL is a packet filter, while ACL rules are the filter elements. When receiving a
packet, a device checks the packet against ACL rules. If a match is found, the
device forwards or discards the packet according to the policy used by a service
module where the ACL is applied.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 4
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
ACLs take effect only after they are applied to specific service modules, such as
Telnet, FTP, and routing. A simple use case is to apply an ACL to a traffic policy or
simplified traffic policy. This enables the device to deliver ACL rules globally, in a
VLAN, or on an interface to filter packets to be forwarded. The service modules
use different actions and mechanisms to process the packets matching ACLs. For
details, see 2.2.7 Default ACL Actions and Mechanisms of Different Service
Modules.
Purpose
ACLs accurately identify and control packets on a network to manage network
access behaviors, prevent network attacks, and improve bandwidth use efficiency.
In this way, ACLs ensure security and high service quality on networks.
Figure 2-1 shows a typical network where ACLs are applied.
Figure 2-1 ACL application
For financial data security, an enterprise requires that the finance server be
accessible to the president office but block access from users in the R&D
department. To achieve this, on Interface 1 of the switch, apply an ACL on the
inbound direction so that the packets from the R&D department to the finance
server are denied on the interface. On Interface 2, apply no ACL so that the
interface can successfully forward the packets destined the finance server.
Additionally, to protect the enterprise intranet against viruses from the Internet,
apply an ACL on the inbound direction of Interface 3 on the switch.
Related Information
Support Community
● ACL Application
● Basic Knowledge About ACL
● ACL Matching
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 5
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
2.2 Understanding ACLs
2.2.1 ACL Fundamentals
ACLs match packets against a sequential collection of rules, which can be
implemented on software or hardware.
ACL Structure
Figure 2-2 shows the structure of an ACL.
Figure 2-2 ACL structure
● ACL name: identifies a named ACL, which is similar to representing IP
addresses with domain names.
After creation, the name of a named ACL cannot be modified.
Repeated ACL names can only be used between basic ACL and basic ACL6,
and between advanced ACL and advanced ACL6.
When defining a named ACL, you can add a number. If no number is
specified, the system automatically allocates the largest number among the
available number range based on the ACL type to the ACL's name.
● ACL number: identifies a numbered ACL when it is defined separately.
For numbered ACLs, the number range varies depending on the ACL type.
● Rule: describes packet matching conditions.
– Rule ID: identifies an ACL rule, which can be manually configured or
automatically allocated by the system.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 6
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
ACL rule IDs range from 0 to 4294967294. Packets are matched against
ACL rules in ascending order of the rule ID. The device stops matching a
packet as long as a match is found.
– Action: indicates how packets are processed, including permit and deny.
– Matching condition: indicates criteria that packet must meet to match a
rule. ACLs support a diverse array of matching conditions. In addition to
the source IP address and time range in Figure 2-2, other matching
conditions include Layer 2 Ethernet frame header information (source
MAC, destination MAC, and Ethernet protocol type), Layer 3 packet
information (destination IP address and protocol type), and Layer 4
packet information (TCP or UDP port number). For details about ACL
matching conditions, see 2.2.2 ACLs Supported by Switches and
Common Matching Conditions.
ACL Implementation
ACLs can be implemented in hardware or software.
● Software-based ACL: filters the interactive protocol packets destined for the
local device, which must be sent to the CPU, for example, FTP, TFTP, Telnet,
SNMP, HTTP, routing, and multicast protocol packets.
● Hardware-based ACL: filters all packets by delivering ACL resources. Such
ACLs include the ACL referenced by a traffic policy or simplified traffic policy,
user group ACL, and ACL for adding outer VLAN tags to the packets received
on interfaces.
The software-based and hardware-based ACLs are different in the following
aspects:
● They filter different types of packets. A software-based ACL filters the packets
that must be sent to the CPU for processing, whereas a hardware-based ACL
filters all packets.
● They filter packets in different ways. A software-based ACL is referenced by
upper-layer software to filter packets, which consumes CPU resources. A
hardware-based ACL is delivered to hardware for packet filtering, which
consumes hardware resources. Packet filtering is faster using a hardware-
based ACL.
● They take different actions on the packets that match no ACL rule. When
packets do not match any ACL rule, a software-based ACL rejects the packets,
whereas a hardware-ACL permits the packets.
2.2.2 ACLs Supported by Switches and Common Matching
Conditions
ACLs Supported by Switches
Huawei switches support ACLs for filtering IPv4 packets, ACL6s for filtering IPv6
packets, and Layer 2 ACLs and user-defined ACLs that can filter both IPv4 and
IPv6 packets. Table 2-1 lists detailed ACLs supported by switches.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 7
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Table 2-1 ACL rules supported by switches
Category IP Version Rule Definition Description Number Range
Basic ACL IPv4 Defines rules based on source 2000-2999
IP addresses, fragmentation
information, and time ranges.
Advanced IPv4 Defines rules based on source 3000-3999
ACL IPv4 addresses, destination
IPv4 addresses, IPv4 protocol
types, ICMP types, TCP source/
destination port numbers, UDP
source/destination port
numbers, and time ranges.
Layer 2 IPv4&IPv6 Defines rules based on 4000-4999
ACL information in Ethernet
frame headers of packets,
such as the source MAC
addresses, destination MAC
addresses, and Layer 2
protocol types.
User- IPv4&IPv6 Defines rules based on packet 5000-5999
defined headers, offsets, character
ACL string masks, and user-
defined character strings.
The ACL performs an AND
operation on the packet bytes
from a certain position behind
the packet header and the
character string mask. Then,
the ACL compares the
extracted character string
against the user-defined
character string.
User ACL IPv4 Defines rules based on source 6000-9999
IPv4 addresses or user
control list (UCL) groups/
destination IPv4 addresses or
destination UCL groups, IPv4
protocol types, ICMP types,
TCP source/destination port
numbers, and UDP source/
destination port numbers.
Basic IPv6 Defines rules based on source 2000-2999
ACL6 IPv6 addresses, fragmentation
information, and time ranges.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 8
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Category IP Version Rule Definition Description Number Range
Advanced IPv6 Defines rules based on source 3000-3999
ACL6 IPv6 addresses, destination
IPv6 address, IPv6 protocol
types, ICMPv6 types, TCP
source/destination port
numbers, UDP source/
destination ports, and time
ranges.
User IPv6 Defines rules based on source 6000-9999
ACL6 IPv6 addresses or UCL
groups/destination IPv6
addresses, IPv6 protocol types,
ICMPv6 types, TCP source/
destination port numbers, and
UDP source/destination port
numbers.
Common Matching Conditions
Huawei switches support various ACL matching conditions. The following describes
the commonly used conditions.
● Time range
ACLs support packet filtering based on time ranges (using the time-range
time-name command). For details about time ranges, see 2.2.4 Time Range.
● Protocol type carried by IP
Format: protocol-number | icmp | tcp | udp | gre | igmp | ip | ipinip | ospf
This matching condition is supported only by advanced ACLs. An advanced
ACL can filter packets based on protocol types, which are listed in the
following table.
Table 2-2 Protocol types for filtering packets
Protocol Type Protocol Number
ICMP 1
TCP 6
UDP 17
GRE 47
IGMP 2
IPinIP 4
OSPF 89
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 9
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
The value ip indicates any IP layer protocol. The protocol number ranges from
1 to 255.
For example, to forbid user access on an interface susceptible to attacks, you
can specify the protocol type as IP to discard all IP traffic on the interface.
rule deny ip //Reject IP packets.
● Source/Destination IP addresses and wildcard masks
Format of the source IP address and wildcard mask: source { source-address
source-wildcard | any }
Format of destination IP address and wildcard mask: destination
{ destination-address destination-wildcard | any }
Basic ACLs can filter packets based on source IP addresses, and advanced
ACLs can filter packets based on both source and destination IP addresses.
When the source or destination IP address is specified as a matching
condition, a wildcard mask must be specified to exactly determine an address
range.
The format of an IP address wildcard mask is the same as that of an inverse
subnet mask (32-bit numeric string). A wildcard mask specifies the digits in
an IP address to be checked. Among the bits in a mask, the bit 0 indicates
"check", and the bit 1 indicates "not check." An IP address subnet mask must
have continuous 0s and 1s, whereas a wildcard mask can have discontinuous
0s and 1s.
The wildcard mask can be set to 255.255.255.255 or 0 (equivalent to 0.0.0.0).
The value 255.255.255.255 indicates any IP address, which is equivalent to the
keyword any. The value 0 indicates that the source/destination address is a
host address.
For example, in the following rule, the specified IP address wildcard mask
indicates that all IP packets from the network segment 192.168.1.0/24 are
permitted:
rule 5 permit ip source 192.168.1.0 0.0.0.255
In this rule, the wildcard mask 0.0.0.255 indicates that only the bits of the
binary bytes in the first three groups of an IP address are checked. Packets are
permitted only if the first 24 bits in the source IP address are the same as the
first 24 bits in the specified IP address, which are 192.168.1 in this example.
That is, only the packets sent from the IP address segment 192.168.1.0/24 are
permitted. Table 2-3 illustrates how the wild mask is used to determine an
address range.
Table 2-3 Wildcard mask description
Item Decimal Binary
Specified IP 192.168.1.0 11000000.10101000.000000
address 01.00000000
Wildcard mask 0.0.0.255 00000000.00000000.000000
00.11111111
Determined 192.168.1.* 11000000.10101000.000000
address range * indicates an integer 01.xxxxxxxx
between 0 and 255. x can be 0 or 1.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 10
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Table 2-4 gives more examples of determining an address range by IP address
and wildcard mask.
Table 2-4 Determining address ranges by IP addresses and wildcard masks
IP Address Wildcard Mask Determined Address
Range
0.0.0.0 255.255.255.255 Any IP address
172.18.0.0 0.0.255.255 IP addresses on the
network segment
172.18.0.0/16
172.18.5.2 0.0.0.0 Only host address
172.18.5.2
172.18.8.0 0.0.0.7 IP addresses on the
network segment
172.18.8.0/29
172.18.8.8 0.0.0.7 IP addresses on the
network segment
172.18.8.8/29
10.1.2.0 0.0.254.255 (discontinuous IP addresses that are in the
1s and 0s in wildcard mask) range of 10.1.0.0/24 and
10.1.254.0/24 and have an
even number in the third
byte, for example,
10.1.0.0/24, 10.1.2.0/24,
10.1.4.0/24, and 10.1.6.0/24
● Source/Destination MAC addresses and wildcard masks
Format of the source MAC address and wildcard mask: source-mac source-
mac-address [ source-mac-mask ]
Format of the destination MAC address and wildcard mask: destination-mac
dest-mac-address [ dest-mac-mask ]
Only Layer 2 ACLs can filter packets based on source and destination MAC
addresses.
When the source or destination MAC address is specified as a matching
condition, a wildcard mask can be specified to exactly determine an address
range.
The format of a MAC address wildcard mask is the same as that of a MAC
address (hexadecimal). A MAC address wildcard mask consists of 6 bytes (48
bits) to indicate the digits in a MAC address to be checked. Different from
those in an IP address wildcard mask, the value 1 in a MAC address wildcard
mask indicates "check" and the value 0 indicates "not check." If no wildcard
mask is specified, the default mask ffff-ffff-ffff is used, indicating that every
digit in a MAC address is to be checked.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 11
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Table 2-5 illustrates how a MAC address and a wildcard mask determine an
address range.
Table 2-5 Determining address ranges by MAC addresses and wildcard masks
MAC Address Wildcard Mask Determined Address
Range
00e0- 0000-0000-0000 Any MAC address
fc01-0101
00e0- ffff-ffff-ffff Only 00e0-fc01-0101
fc01-0101
00e0- ffff-ffff-0000 00e0-fc01-0000 to 00e0-
fc01-0101 fc01-ffff
● VLAN ID and mask
Format of the outer VLAN ID and mask: vlan-id vlan-id [ vlan-id-mask ]
Format of the inner VLAN ID and mask: cvlan-id cvlan-id [ cvlan-id-mask ]
Layer 2 ACLs can filter packets based on outer and inner VLAN IDs.
When a VLAN ID is specified as a matching condition, a VLAN mask can be
specified to exactly determine a VLAN range.
A VLAN mask is in hexadecimal format, ranging from 0x0 to 0xFFF. If no
VLAN mask is specified, the default mask 0xFFF is used, indicating that every
digit in the VLAN ID is checked.
Table 2-6 illustrates how a VLAN ID and a mask determine a VLAN range.
Table 2-6 Determining VLAN ranges by VLAN IDs and masks
VLAN ID VLAN Mask Determined VLAN Range
10 0x000 Any VLAN
10 0xFFF Only VLAN 10
10 0xFF0 VLAN 1 to VLAN 15
● TCP/UDP port number
Format of the source port number: source-port { eq port | gt port | lt port |
range port-start port-end }
Format of the destination port number: destination-port { eq port | gt port |
lt port | range port-start port-end }
When the protocol type of an advanced ACL is specified as TCP or UDP, the
device can match packets against the TCP or UDP source/destination port
number.
The operators of specifying TCP or UDP port numbers are described as
follows:
– eq port: equivalent to the source or destination port number
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 12
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
– gt port: greater than the destination or source port number
– lt port: less than the source or destination port number
– range port-start port-end: source or destination port number range. port-
start indicates the start port number, and port-end indicates the end port
number.
TCP or /UDP port numbers can be represented by numeric or character strings
(aliases). For example, rule deny tcp destination-port eq 80 can be
represented by rule deny tcp destination-port eq www. For commonly used
TCP or UDP port numbers and their character strings, see the mappings
between TCP or UDP source or destination port numbers and values in rule.
● TCP flag
Format: tcp-flag { ack | established | fin | psh | rst | syn | urg }*
When the TCP protocol is specified in an advanced ACL, the device filters
packets based on the TCP flag.
A TCP packet header contains 6 flag bits: ack (acknowledge), fin (finish), psh
(push), rst (reset), syn (synchronize), and urg (urgent).
The established field in a TCP flag indicates that the flag bit is ack or rst.
ACL rules with the keyword tcp-flag specified can implement unidirectional
access control. For example, it is required that users on the network segment
192.168.1.0/24 can access the network segment 192.168.2.0/24, but access in
the opposite direction be prohibited. To meet this requirement, you can apply
an ACL rule to the inbound direction of the interface connecting to the
network segment 192.168.2.0/24.
Only the ack and rst values of TCP packets are 1. Therefore, configure ACL
rules to permit the only acknowledgement and reset TCP packets and DENY
other TCP packets. In this way, the TCP connection requests from the network
segment 192.168.2.0/24 are blocked.
– Rule 1: Configure ACL rules with the keywords ack and rst specified.
rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack //Permit the TCP packets with the
ACK value of 1.
rule 10 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst //Permit the TCP packets with the
RST value of 1.
rule 15 deny tcp source 192.168.2.0 0.0.0.255 //Deny other TCP packets.
– Rule 2: Configure ACL rules with the keyword established specified.
rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag established //established indicates that
the ack or rst value is 1. Therefore, acknowledgement or reset TCP packets are permitted.
rule deny tcp source 192.168.2.0 0.0.0.255 //Reject other TCP packets.
● IP fragmentation
Format: fragment
Basic and advanced ACLs can filter packets based on IP fragmentation
information.
The fragments of an IP packet include the initial fragment and non-initial
fragments. Only the initial fragment contains Layer 4 information, such as
TCP or UDP port number. A network device checks whether a received
fragment is the last fragment. If the fragment is not the last, the device
allocates memory space for it, and reassembles the fragments after the last
fragment is received. The device does not release memory until the last
fragment is received and all fragments are reassembled. An exploit exists
whereby an attacker may send fragments to a device without sending the last
fragment.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 13
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
To prevent fragment packet attacks, you can specify the keyword fragment in
an ACL rule to block non-initial fragments.
Table 2-7 describes how ACLs process non-fragment packets, initial
fragments, and non-initial fragments.
Table 2-7 IP packet processing methods
Matching Non-fragment Initial Fragment Non-initial
Condition Packet Fragment
s in a
Rule
Layer 3 If Layer 3 If Layer 3 If Layer 3
informatio information is information is information is
n (such as matched, the result matched, the result matched, the result
source or (permit or deny) is (permit or deny) is (permit or deny) is
destinatio returned; returned; returned;
n IP otherwise, the otherwise, the otherwise, the
address) packet is matched packet is matched packet is matched
against the next against the next against the next
rule. rule. rule.
Layer 3 If both Layer 3 and If both Layer 3 and The non-initial
informatio Layer 4 Layer 4 fragment is not
n and information is information is matched against
Layer 4 matched, the result matched, the result this rule, and then
informatio (permit or deny) is (permit or deny) is the next rule
n (such as returned; returned; works.
TCP or otherwise, the otherwise, the
UDP port packet is matched fragment is
number) against the next matched against
rule. the next rule.
Layer 3 The non-fragment The initial If Layer 3
informatio packet is not fragment is not information is
n and matched against matched against matched, the result
fragment this rule, and then this rule, and then (permit or deny) is
the next rule the next rule returned;
works. works. otherwise, the
fragment is
matched against
the next rule.
For example, ACL 3012 contains the following rules:
#
acl number 3012
rule 5 deny tcp destination 192.168.2.2 0 fragment
rule 10 permit tcp destination 192.168.2.2 0 destination-port eq www
rule 15 deny ip
#
A TCP packet with the destination IP address of 192.168.2.2 is matched as
follows:
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 14
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
– For a non-fragment packet or initial fragment: If the destination port
number is 80 (www), the packet is permitted by rule 10. If the
destination port number of the packet is not 80, the packet is denied by
rule 15.
– For a non-initial fragment: The packet is denied by rule 5.
2.2.3 ACL Matching
Matching Mechanism
A device stops matching packets against ACL rules as long as a match is found, as
detailed in Figure 2-3.
Figure 2-3 ACL matching mechanism
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 15
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
According to the preceding matching process, after packets are filtered by ACL
rules, the following two results may be generated:
● The packets match a rule in an ACL.
● No ACL exists, the ACL contains no rule, or packets do not match any rule in
an ACL.
Whether packets are permitted or denied is determined by actions specified in ACL
rules and service modules that have ACLs applied. Different service modules
process the packets that are filtered by ACL rules in different ways. For example,
the Telnet module directly forwards the packets matching a permit rule, whereas
the traffic policy module discards the packets matching a permit rule if the
configured behavior in the traffic policy is deny. For details about ACL processing
on each service module, see 2.2.7 Default ACL Actions and Mechanisms of
Different Service Modules.
Matching Order
An ACL consists of multiple rules, which may overlap or conflict. For example, an
ACL contains two rules:
rule deny ip destination 10.1.0.0 0.0.255.255 //Packets destined for an IP address on the network segment
10.1.0.0/16 are denied.
rule permit ip destination 10.1.1.0 0.0.0.255 //Packets destined for an IP address on the network segment
10.1.1.0/24 are permitted, which is smaller than the network segment 10.1.0.0/16.
If the system first matches a packet destined for the IP address 10.1.1.1 against
the deny rule, the packet is discarded. However, if the system matches the packet
against the permit rule first, the packet is forwarded.
Therefore, if ACL rules overlap or conflict, the matching order decides the
matching result.
The device can match packets against ACLs in configuration (config) or automatic
order (auto). The default order is config.
Config order
The system matches packets against ACL rules in ascending order of rule IDs. That
is, the rule with the smallest ID takes effect first.
● If a smaller rule ID is manually specified for a rule, the rule takes effect earlier
than those with larger ruler IDs.
● If no ID is manually specified for a rule, the system allocates an ID to the rule.
This rule ID is the largest in the ACL and has the minimum multiple of the
increment. Therefore, this rule is the last one that functions.
Auto order
The system arranges ACL rules based on their precision degree (depth first
principle), and checks packets against the rules in descending order of precision. A
rule with the highest precision defines strictest conditions, and has the highest
priority. Table 2-8 describes how the auto order is applied to each type of ACL.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 16
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Table 2-8 Auto matching order
ACL Type Determining a Prior Rule by Comparing
Basic ACL 1. VPN instance.
and basic 2. Source IP address range. A smaller source IP address range
ACL6 indicates a higher rule priority. The wildcard mask with the most
0s identifies the smallest source IP address range.
3. Rule ID. A smaller rule ID indicates a higher rule priority.
Advanced 1. VPN instance.
ACL and 2. Protocol type. IP-based protocols make a rule prior to other rules.
advanced
ACL6 3. Source IP address range. A smaller source IP address range
indicates a higher rule priority. The wildcard mask with the most
0s identifies the smallest source IP address range.
4. Destination IP address range. A smaller destination IP address
range indicates a higher rule priority. The wildcard mask with the
most 0s identifies the smallest destination IP address range.
5. Layer 4 port number (TCP/UDP port number) range. A smaller
port number range indicates a higher rule priority.
6. Rule ID. A smaller rule ID indicates a higher rule priority.
Layer 2 1. L2 protocol type wildcard (with the most 1s in the wildcard
ACL mask). A larger L2 protocol type wildcard indicates a higher rule
priority.
2. Source MAC address range. A smaller source MAC address range
indicates a higher rule priority. The wildcard mask with the most
1s identifies the smallest source MAC address range.
3. Destination MAC address range. A smaller destination MAC
address range indicates a higher rule priority. The wildcard mask
with the most 1s identifies the smallest destination MAC address
range.
4. Rule ID. A smaller rule ID indicates a higher rule priority.
User- A user-defined ACL matches packets against rules in ascending
defined order of rule IDs.
ACL
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 17
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
ACL Type Determining a Prior Rule by Comparing
User ACL 1. Protocol type. IP-based protocols make a rule prior to other rules.
and User 2. Source IP address range. If all source IP addresses are IP network
ACL6 segments, the rule with a smaller source IP address range (with
more 0 bits in wildcard mask) is prioritized. If not all the source
IP addresses are IP network segments, the rule in which the
source IP address range is an IP network segment takes
precedence over that in which the source IP address is a UCL
group.
3. Destination IP address range. If all destination IP addresses are IP
network segments, the rule with a smaller destination IP address
range (with more 0 bits in wildcard mask) is prioritized. If not all
the destination IP addresses are IP network segments, the rule in
which the destination IP address range is an IP network segment
takes precedence over that in which the destination IP address
range is a UCL group.
4. Layer 4 port number (TCP/UDP) range. A smaller Layer 4 port
number indicates a higher rule priority.
5. Rule ID. A smaller rule ID indicates a higher rule priority.
For details about the ACL matching conditions mentioned in Table 2-8, see 2.2.2
ACLs Supported by Switches and Common Matching Conditions.
If you add a rule to an ACL in auto matching mode, the system automatically
identifies the rule priority and assigns a rule ID accordingly.
For example, two rules are added to advanced ACL 3001 in auto mode:
rule deny ip destination 10.1.0.0 0.0.255.255 //Reject the packets destined for network segment 10.1.0.0/16.
rule permit ip destination 10.1.1.0 0.0.0.255 //Permit the packets destined for network segment
10.1.1.0/24, which has a smaller range than 10.1.0.0/16.
The two rules specify the identical protocol range and source IP address range but
do not specify VPN instances. According to the auto matching order in Table 2-8,
the system compares the destination IP address ranges in the rules. The
destination IP address range specified in the permit rule is smaller than that
specified in the deny rule, so the permit rule has a higher precision. The system
then allocates a smaller ID to the permit rule. Therefore, the system enables the
two rules in ACL 3001 to function in the following order:
#
acl number 3001 match-order auto
rule 5 permit ip destination 10.1.1.0 0.0.0.255
rule 10 deny ip destination 10.1.0.0 0.0.255.255
#
A rule rule deny ip destination 10.1.1.1 0 is added to ACL 3001. (This rule has a
higher priority than the previous two rules because the destination IP address is a
host address.) The system reassigns IDs to the rules according to the rule
priorities. The new order is as follows:
#
acl number 3001 match-order auto
rule 5 deny ip destination 10.1.1.1 0
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 18
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
rule 10 permit ip destination 10.1.1.0 0.0.0.255
rule 15 deny ip destination 10.1.0.0 0.0.255.255
#
Compared with the config mode, the auto mode is more complex. However, the
auto mode is advantageous in some scenarios. For example, to ensure network
security, the administrator has configured an ACL in auto mode to discard all IP
packets on untrusted network segments. When more services are deployed on the
network, some IP packets on these network segments need to be allowed. The
auto matching mode allows the administrator to directly add new rules to the
ACL, without the need to rearrange the rules.
2.2.4 Time Range
Background
Time ranges define when the permit or deny rules in an ACL are in effect, for
example, during a specified period of time or on specified days of the week. This
allows network administrators to configure different policies during different time
ranges for network optimization.
Time Range Mode
Time ranges associated with ACL rules are classified into:
● Periodic time range: defined by week. That is, ACL rules can take effect at an
interval of one week. For example, if the time range of ACL rules is 8:00-12:00
on Monday, the ACL rules take effect at 8:00-12:00 on every Monday.
● Absolute time range: defined by a period of time, in the format of from
YYYY/MM/DD HH:MM to YYYY/MM/DD HH:MM. That is, ACL rules take effect
only during this period.
You can define time-name and specify multiple time ranges for it. When only
periodic or only absolute time ranges are configured, the OR logical operator is
used to calculate the effective time range. When both periodic and absolute time
ranges are configured, the AND logical operator is used to calculate the effective
time range. If configured periodic or absolute time ranges do not overlap with
each other, all of them are effective. If a periodic time ranges conflicts with an
absolute time range, the configured time ranges do not take effect.
For example, ACL 2001 is associated with the time range named test, in which
contains three time ranges are configured.
#
time-range test 8:00 to 18:00 working-day
time-range test 14:00 to 18:00 off-day
time-range test from 00:00 2014/01/01 to 23:59 2014/12/31
#
acl number 2001
rule 5 permit time-range test
● Time range 1: 8:00-18:00 from Monday to Friday (periodic)
● Time range 2: 14:00-18:00 on Saturday and Sunday (periodic)
● Time range 3: from 2014-1-1 00:00 to 2014-12-31 23:59 (absolute)
Therefore, the time range test is effective during 8:00-18:00 on Monday to Friday
and 14:00-18:00 on every Saturday and Sunday in 2014.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 19
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
If time range 3 is modified as from 2014-1-1 19:00 to 2014-12-31 21:00, the time
range test is ineffective.
2.2.5 ACL Increment
What Is an Increment
An increment is automatically allocated by the system to determine difference in
to neighboring rule IDs.
If a rule without a manually specified ID is added to an empty ACL, the system
allocates the increment value as the ID to this rule. If a rule without a manually
specified ID is added to an ACL containing rules with manually specified IDs, the
system allocates to this new rule the minimum multiple of the increment value,
which is also greater than the largest rule ID in the ACL. For example, an ACL
(basic ACL, advanced ACL, Layer 2 ACL, user ACL, or user-defined ACL) contains
rule 5 and rule 12, and the default increment is 5. When a new rule is added to
the ACL, the system allocates ID 15 to this new rule (15 is greater than 12 and is
the minimum multiple of 5).
Basic ACL6s and advanced ACL6s do not allow for the increment configuration,
and use the fixed increment of 5.
How an Increment Functions
Setting an increment facilitates new rule insertion between existing rules of an
ACL.
For example, an ACL contains rule 5, rule 10, and rule 15, with an increment of 5.
rule 5 deny source 10.1.1.1 0 //Reject the packets from source IP address 10.1.1.1.
rule 10 deny source 10.1.1.2 0 //Reject the packets from source IP address 10.1.1.2.
rule 15 permit source 10.1.1.0 0.0.0.255 //Reject the packets from source IP address segment 10.1.1.0/24.
It is required that a rule that packets from the source IP address 10.1.1.3 be
denied. The system stops matching packets once a match is found. Therefore, you
need to define a new rule before rule 15 that will deny packets from the source IP
address 10.1.1.3. In this way, rule 15 with a larger range will not filter these
packets. The increment of 5 allows you to easily insert the new rule. However, if
the increment is set to 1 (that is, rules are automatically arranged as rule 1, 2,
3...), you may have to first delete existing rules, define a new one, and then re-
configure the deleted ones, which brings a heavy workload.
rule 5 deny source 10.1.1.1 0 //Reject the packets from source IP address 10.1.1.1.
rule 10 deny source 10.1.1.2 0 //Reject the packets from source IP address 10.1.1.2.
rule 11 deny source 10.1.1.3 0 //Reject the packets from source IP address 10.1.1.3.
rule 15 permit source 10.1.1.0 0.0.0.255 //Reject the packets from source IP address segment 10.1.1.0.
2.2.6 ACL Configuration Guidelines
When configuring ACL rules, follow these guidelines:
1. The rules in an ACL may overlap. If packets match the rules with loose
conditions, the subsequent other ACL rules do not take effect. In this case,
packets may fail to be checked against the rules with strict conditions.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 20
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Therefore, the rules with strict conditions must be arranged in front lines and
those with loose conditions must be arranged towards the end.
2. The ACL configuration guidelines vary according to the default ACL actions
taken by the service modules (for details, see 2.2.7 Default ACL Actions and
Mechanisms of Different Service Modules). For example, if a service module
with the default action of permit must deny the packets from some IP
addresses, you can configure deny rules only for these IP addresses, and a
permit rule for any IP address is not required as the last rule. The converse is
true for a service module whose default action is deny. Table 2-9 describes
the ACL configuration guidelines.
NOTE
The following rules are for reference only. The command line syntax shall prevail when you
configure ACL rules.
rule permit/deny a/rule permit/deny b: permits or denies the specified packets based on
the conditions a and b. The parameter b indicates a larger range than the parameter a,
that is, b includes a.
Table 2-9 ACL configuration guidelines
Defaul Permit All Deny All Permit a Few Deny a Few
t ACL Packets Packets Packets and Packets and
Action Deny Most Permit Most
Packets Packets
permit No ACL is Configure rule Configure rule Only rule
required. deny. permit a first, deny a is
and then rule required, and
deny b or rule rule permit b
deny. or rule permit
NOTE is not
This guideline required.
applies to NOTE
packet If rule permit
filtering. When is configured
an ACL is and ACL is
applied to applied to a
traffic policing traffic policy in
or traffic which the
statistics behavior is
collection in a deny, all
traffic policy, packets are
configure rule rejected and
permit a if all services are
you only need interrupted.
to count rate
or collect
statistics on
the specified
packets.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 21
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Defaul Permit All Deny All Permit a Few Deny a Few
t ACL Packets Packets Packets and Packets and
Action Deny Most Permit Most
Packets Packets
deny ● Routing ● Routing Only rule Configure rule
and and permit a is deny a first,
multicast multicast required, and and then rule
module: modules: rule deny b or permit b or
Configure ACL is not rule deny is rule permit.
rule required. not required.
permit. ● Other
● Other modules:
modules: Configure
ACL is not rule deny.
required.
The following examples describe simple use cases:
– Example 1: Apply an ACL to a traffic policy to filter packets from network
segment 192.168.1.0/24. Reject the packets from hosts 192.168.1.2 and
192.168.1.3, and allow the packets from other hosts on network segment
192.168.1.0/24 to pass.
The default ACL action of the traffic policy module is permit, and a few
packets are denied and most packets are permitted. Therefore, you only
need to configure rule deny a.
#
acl number 2000
rule 5 deny source 192.168.1.2 0
rule 10 deny source 192.168.1.3 0
#
– Example 2: Apply an ACL to a traffic policy to filter packets from network
segment 192.168.1.0/24. Allow the packets from hosts 192.168.1.2 and
192.168.1.3 to pass, and reject the packets from other hosts on network
segment 192.168.1.0/24.
The default ACL action of the traffic policy module is permit, and a few
packets are permitted and most packets are denied. Therefore, you need
to configure rule permit a first, and then rule deny b.
#
acl number 2000
rule 5 permit source 192.168.1.2 0
rule 10 permit source 192.168.1.3 0
rule 15 deny source 192.168.1.0 0.0.0.255
#
– Example 3: Apply an ACL to Telnet, to allow only the administrator's host
(172.16.105.2) to Telnet to the device and reject other users.
The default ACL action of the Telnet module is deny, and a few packets
are permitted and most packets are denied. Therefore, you only need to
configure rule permit a.
#
acl number 2000
rule 5 permit source 172.16.105.2 0
#
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 22
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
– Example 4: Apply an ACL to Telnet, to forbid two hosts (172.16.105.3 and
172.16.105.4) to Telnet to the device and allow other user hosts to Telnet
to the device.
The default ACL action of the Telnet module is deny, and a few packets
are denied and most packets are permitted. Therefore, you need to
configure rule deny a first, and then rule permit.
#
acl number 2000
rule 5 deny source 172.16.105.3 0
rule 10 deny source 172.16.105.4 0
rule 15 permit
#
– Example 5: Apply an ACL to FTP to prevent users from accessing the FTP
server from 00:00-08:00 every Saturday.
The default ACL action of the FTP module is deny, and a few packets are
denied and most packets are permitted. Therefore, you need to configure
rule deny a first, and then rule permit b.
#
time-range t1 00:00 to 08:00 Sat
time-range t2 00:00 to 23:59 daily
#
acl number 2000
rule 5 deny time-range t1
rule 10 permit time-range t2
#
2.2.7 Default ACL Actions and Mechanisms of Different
Service Modules
Applying ACLs to Service Modules
After an ACL is configured, it must be applied to a service module so that the ACL
rules can be delivered and take effect.
In most cases, an ACL is applied to a traffic policy or simplified traffic policy. This
enables the device to deliver ACL rules globally, in a VLAN, or on an interface to
filter packets to be forwarded. An ACL can be applied to service modules such as
Telnet, FTP, and routing.
Table 2-10 describes how the service modules process ACLs.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 23
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Table 2-10 Applying ACLs to service modules
Service Usage Scenario Service Module
Filtering The device filters received Traffic policy and simplified
packets to be packets globally, on an traffic policy
forwarded interface, or in a VLAN, and
then discards, modifies
priorities of, or redirects the
filtered packets.
For example, you can apply
ACLs to filter packets between
different network segments,
prohibit specified hosts from
accessing the network during a
specified time, or reduce the
service level for bandwidth-
consuming services (such as
P2P downloading and online
video). When network
congestion occurs, these
bandwidth-consuming service
packets are discarded first.
Filtering If too many protocol packets Blacklist
packets to be are sent to the CPU, the CPU
sent to the usage increases and CPU
CPU performance may be degraded.
The device needs to restrict the
packets to be sent to the CPU.
For example, when a user sends
a large number of ARP attack
packets to the device, the CPU
becomes busy and service is
interrupted. You can apply an
ACL to the local attack defense
service, and add the user to the
blacklist so that the CPU
discards the packets from this
user.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 24
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Service Usage Scenario Service Module
Login control The device controls access Telnet, STelnet, FTP, SFTP,
permission of users. Only HTTP, SNMP
authorized users can log in to
the device, and other users
cannot log in without
permission. This ensures
network security.
For example, only the
administrator is allowed to log
in to the device. You can apply
an ACL to the Telnet service
and specify the hosts that can
log in to the device or the hosts
that cannot log in.
Route filtering ACLs can be applied to various BGP, IS-IS, OSPF, OSPFv3, RIP,
dynamic routing protocols to RIPng, multicast protocol
filter advertised and received
routes and multicast groups.
For example, you can apply an
ACL to a routing policy to filter
routing information and
prevent the device from
sending routes of a network
segment to the neighboring
router.
Default ACL Actions and Mechanisms
When an ACL is applied to service modules, the modules take different actions on
the packets that are matched against ACL rules.
For example, an ACL with rules configured is applied to a traffic policy with the
default action of permit. If a packet does not match any ACL rules, it is permitted.
In contrast, an ACL with rules configured is applied to the Telnet module with the
default action of deny. If a packet does not match any ACL rules, it is rejected.
The blacklist module processes ACL in a different way. After an ACL is applied to a
blacklist, the packets matching any ACL rule are discarded no matter whether they
match the permit or deny rule.
Table 2-11, Table 2-12, and Table 2-13 provide the default ACL actions and
mechanisms taken by each service module.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 25
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Table 2-11 Default ACL actions and mechanisms of different service modules
Default Telnet STelnet HTTP FTP TFTP
ACL
Actions
and
Mechanis
ms
Default deny deny deny deny deny
ACL Action
Packets permit permit permit permit permit
Match the (login (login (login (login (login
permit allowed) allowed) allowed) allowed) allowed)
Rule
Packets deny (login deny (login deny (login deny (login deny (login
Match the not not not not not
deny Rule allowed) allowed) allowed) allowed) allowed)
Packets Do deny (login deny (login deny (login deny (login deny (login
Not Match not not not not not
Any Rule in allowed) allowed) allowed) allowed) allowed)
an ACL
An ACL permit permit permit permit permit
Does Not (login (login (login (allowed to (login
Contain allowed) allowed) allowed) log in) allowed)
Rules
ACL Is Not permit permit permit permit permit
Created (login (login (login (login (login
allowed) allowed) allowed) allowed) allowed)
Table 2-12 Default ACL actions and mechanisms of different service modules
Default SFTP SNMP Traffic Simplified Local
ACL Policy Traffic Attack
Actions Policy Defense
and Policy
Mechanis (Blacklist)
ms
Default deny deny permit permit permit
ACL Action
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 26
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Default SFTP SNMP Traffic Simplified Local
ACL Policy Traffic Attack
Actions Policy Defense
and Policy
Mechanis (Blacklist)
ms
Packets permit permit ● When permit deny
Match the (login (login the (The device (discarded)
permit allowed) allowed) traffic takes the
Rule behavio action
r is defined in
permit, the
the simplified
packets traffic
are policy.)
forward
ed.
● When
the
traffic
behavio
r is
deny,
the
packets
are
discarde
d.
● When
the
traffic
behavio
r is
neither
permit
nor
deny,
the
packets
are
forward
ed
(action
in the
traffic
policy).
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 27
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Default SFTP SNMP Traffic Simplified Local
ACL Policy Traffic Attack
Actions Policy Defense
and Policy
Mechanis (Blacklist)
ms
Packets deny (login deny (login deny ● When deny
Match the not not (discarded) the (discarded)
deny Rule allowed) allowed) NOTE action
The switch in the
takes the simplifie
action d traffic
defined in
policy is
the traffic
behavior traffic-
only when filter or
the traffic traffic-
behavior is secure:
traffic deny
statistics
collection, ● When
MAC the
address action
learning in the
disabled,
simplifie
or traffic
mirroring. d traffic
policy is
neither
traffic-
filter
nor
traffic-
secure:
permit
Packets Do deny (login deny (login permit permit permit
Not Match not not (The traffic (The (blacklist
Any Rule in allowed) allowed) policy does simplified does not
an ACL not take traffic take effect,
effect, and policy does and
packets are not take packets are
forwarded effect, and forwarded)
without packets are
the forwarded
restriction without
of the the
traffic restriction
policy.) of the
simplified
traffic
policy.)
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 28
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Default SFTP SNMP Traffic Simplified Local
ACL Policy Traffic Attack
Actions Policy Defense
and Policy
Mechanis (Blacklist)
ms
An ACL permit permit permit permit permit
Does Not (login (login (The traffic (The (blacklist
Contain allowed) allowed) policy does simplified does not
Rules not take traffic take effect,
effect, and policy does and
packets are not take packets are
forwarded effect, and forwarded)
without packets are
the forwarded
restriction without
of the the
traffic restriction
policy.) of the
simplified
traffic
policy.)
ACL Is Not permit permit permit permit permit
Created (login (login (The traffic (The (blacklist
allowed) allowed) policy does simplified does not
not take traffic take effect,
effect, and policy does and
packets are not take packets are
forwarded effect, and forwarded)
without packets are
the forwarded
restriction without
of the the
traffic restriction
policy.) of the
simplified
traffic
policy.)
Table 2-13 Default ACL actions and mechanisms of different service modules
Default ACL Route Policy Filter Policy igmp- igmp-
Actions and snooping snooping
Mechanisms ssm-policy group-policy
Default ACL deny deny deny deny
Action
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 29
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Default ACL Route Policy Filter Policy igmp- igmp-
Actions and snooping snooping
Mechanisms ssm-policy group-policy
Packets ● When the permit (route permit (added permit (added
Match the matching advertisement to SSM group to multicast
permit Rule mode is or reception is address group)
permit: allowed) range)
permit
(routing
policy is
enforced)
● When the
matching
mode is
deny: deny
(routing
policy is
not
enforced)
Packets deny (routing deny (route deny (not deny (not
Match the policy does advertisement added to SSM added to
deny Rule not take or reception is group address multicast
effect) not allowed) range) group)
Packets Do deny (routing deny (route deny (not deny (not
Not Match policy does advertisement added to SSM added to
Any Rule in not take or reception is group address multicast
an ACL effect) not allowed) range) group)
An ACL Does permit deny (route deny (not deny (not
Not Contain (routing advertisement added to SSM added to
Rules policy takes or reception is group address multicast
effect on all not allowed) range, and no group)
routes) group is in
the SSM
group address
range)
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 30
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Default ACL Route Policy Filter Policy igmp- igmp-
Actions and snooping snooping
Mechanisms ssm-policy group-policy
ACL Is Not deny (routing permit (route deny (not deny (not
Created policy does advertisement added to SSM added to
not take or reception is group address multicast
effect) allowed) range, and group)
only the
temporary
group
addresses
232.0.0.0-232.
255.255.255
are in the
SSM group
address
range)
2.3 Licensing Requirements and Limitations for ACLs
Involved Network Elements
Other network elements are not required.
Licensing Requirements
ACL is a basic feature of a switch and is not under license control.
Feature Support in V200R021C00
All models of S300, S500, S2700, S5700, and S6700 series switches support ACL.
NOTE
For details about software mappings, visit Hardware Query Tool and search for the desired
product model.
Feature Limitations
Only the following products and versions support the user ACLs:
● S5720-HI, S5720-EI, S6720-EI, S6720S-EI, S5720I-SI, S5730-HI, S5731-H,
S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H,
S2730S-S, S5735-L-I, S5735-L1, S5735S-L1, S300, S500, S6720S-S, S5735S-H,
S5736-S, S6730-S, and S6730S-S: all versions
● S2720-EI, S5710-X-LI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI,
S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5720S-SI, S5730-SI, S5730S-EI,
S6720-LI, S6720S-LI, S6720-SI, and S6720S-SI: V200R012C00 and later
versions
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 31
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
● S6700-EI, S5700-HI, S5710-HI, and S5710-EI: V200R005
When configuring ACL rules:
● If the specified rule ID already exists and the new rule conflicts with the
original rule, the new rule replaces the original rule.
● Repeated ACL names can only be used between basic ACL and basic ACL6,
and between advanced ACL and advanced ACL6.
● The match order of an ACL affects packet matching results. Therefore,
consider the match order when configuring rules. If the match-order
parameter is not specified when you create an ACL, the default match order
config is used.
● To associate a time range with an ACL rule, ensure that the system time of
the switch is the same as that of other devices on the network; otherwise, the
rule cannot take effect. The time-name must already exist; otherwise, the rule
cannot be bound to the time range.
When applying ACL rules:
● Apply an ACL to a correct direction of an interface. If an ACL is applied to an
inbound direction of an interface, the switch matches the packets received by
this interface against ACL rules; if an ACL is applied to an outbound direction
of an interface, the switch matches the packets sent by this interface against
ACL rules.
● If an ACL rule defines deny and ACL-based traffic policy or ACL-based traffic-
filter is applied to the outbound direction on the S5720-EI, S5720-HI, S5730-
HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI,
S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S, control packets of
ICMP, OSPF, BGP, RIP, SNMP, and Telnet sent by the CPU are discarded. This
affects relevant protocol functions.
● When WLAN service is configured on the switch, the switch can deliver only
the following types of ACL rules to APs:
– Rules 0-127 of advanced ACLs 3000-3031
– Rules 0-127 of Layer 2 ACLs 4000-4031 (supported in V200R011C10 and
later versions)
– Rules 0-127 of user ACLs 6000-6031
– In V200R013 and later versions, when an ACL6 numbered 3000-3031 is
configured on a switch that supports the WLAN AC function, the switch
automatically delivers the ACL to the APs connected to the switch.
– When a rule is automatically delivered to an AP, the time range field is
not supported. Support for other rules varies according to specific AP
models. The rules containing fields that are supported by the switch but
not APs will not be delivered to APs. For details about the rules supported
by APs, see the AP product documentation at http://e.huawei.com.
● When an ACL is applied to a physical interface configured with a sub-
interface, the ACL also takes effect on the sub-interface.
When deleting ACL rules:
The undo rule command deletes an ACL rule even if the ACL rule is referenced. (If
a simplified traffic policy references a specified rule in an ACL, this command does
not take effect.) Before deleting a rule, ensure that the rule is not being
referenced.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 32
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
ACL resource allocation mode:
To configure the ACL resource allocation mode for the S5720-HI, S2720-EI, S5720I-
SI, S5720-LI, S5720S-LI, S5735S-H, S5736-S, and S6720S-S, run the assign
resource-template acl-mode command.
ACL support is the same for a stack as for a standalone device. The ACL
configuration on the active switches is propagated to all standby and slave
switches in the stack.
2.4 Summary of ACL Configuration Tasks
Table 2-14 lists ACL configuration tasks. The configuration tasks can be performed
in any sequence. You need to select at least one of them.
Table 2-14 ACL configuration tasks
Scenario Description Task (Perform Steps in
Sequence)
Configure and apply a A basic ACL defines rules 1. 2.7.1 Configuring a
basic ACL. to filter IPv4 packets Basic ACL
based on information 2. 2.8 Applying an ACL
such as source IP
addresses, fragment
information, and time
ranges.
To filter packets based
only on source IP
addresses, you can
configure a basic ACL.
Configure and apply an Advanced ACLs give you 1. 2.7.2 Configuring an
advanced ACL. greater flexibility and Advanced ACL
functionality than basic 2. 2.8 Applying an ACL
ACLs, allowing you to
filter packets more
accurately. For example,
with advanced ACLs, you
can define rules to filter
IPv4 packets based on a
range of criteria,
including source IP
addresses, destination IP
addresses, IP protocol
types, TCP source/
destination port
numbers, UDP source/
destination port
numbers, fragment
information, and time
ranges.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 33
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Scenario Description Task (Perform Steps in
Sequence)
Configure and apply a A Layer 2 ACL defines 1. 2.7.3 Configuring a
Layer 2 ACL. rules to filter traffic Layer 2 ACL
based on Ethernet frame 2. 2.8 Applying an ACL
information, such as
source MAC addresses,
destination MAC
addresses, VLAN IDs, and
Layer 2 protocol types.
Configure and apply a A user-defined ACL 1. 2.7.4 Configuring a
user-defined ACL. defines rules based on User-Defined ACL
packet headers, offsets, 2. 2.8 Applying an ACL
character string masks,
and user-defined
character strings. With
such a user-defined ACL
configured, the system
performs an AND
operation on the packet
bytes from a certain
position behind the
packet header and the
character string mask,
compares the extracted
character string against
the user-defined
character string, and
then filters IPv4 and IPv6
packets.
User-defined ACLs are
more accurate and
flexible than basic ACLs,
advanced ACLs, and
Layer 2 ACLs, as well as
providing more
functions. For example, a
user-defined ACL can be
configured to filter ARP
packets based on source
IP addresses and ARP
packet types.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 34
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Scenario Description Task (Perform Steps in
Sequence)
Configure and apply a A user ACL defines rules 1. 2.7.5 Configuring a
user ACL. to filter IPv4 packets User ACL
based on the source IP 2. 2.8 Applying an ACL
addresses or source User
Control List (UCL)
groups, destination IP
addresses or destination
UCL groups, IP protocol
types, ICMP types, TCP
source/destination port
numbers, UDP source/
destination port
numbers, and time
ranges.
To filter packets based
on UCL groups, configure
a user ACL.
Configure and apply a A basic ACL6 defines 1. 2.7.6 Configuring a
basic ACL6. rules to filter IPv6 Basic ACL6
packets based on 2. 2.8 Applying an ACL
information such as
source IPv6 addresses,
fragment information,
and time ranges.
To filter packets based
only on source IPv6
addresses, you can
configure a basic ACL6.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 35
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Scenario Description Task (Perform Steps in
Sequence)
Configure and apply an An advanced ACL6 1. 2.7.7 Configuring an
advanced ACL6. defines rules to filter Advanced ACL6
IPv6 packets based on 2. 2.8 Applying an ACL
source IPv6 addresses,
destination IPv6
addresses, IPv6 protocol
types, TCP source/
destination port
numbers, UDP source/
destination port
numbers, fragment
information, and time
ranges.
Compared with a basic
ACL6, an advanced ACL6
is more accurate and
flexible, and provides
more functions. For
example, to filter packets
based on source and
destination IPv6
addresses, configure an
advanced ACL6.
Configure and apply a A user ACL6 defines rules 1. 2.7.8 Configuring a
user ACL6. to filter IPv6 packets User ACL6
based on the source IPv6 2. 2.8 Applying an ACL
addresses or source User
Control List (UCL)
groups, destination IPv6
addresses, IPv6 protocol
types, ICMPv6 types, TCP
source/destination port
numbers, UDP source/
destination port
numbers, and time
ranges.
To filter packets based
on UCL groups, configure
a user ACL6.
2.5 Default Settings for ACLs
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 36
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Table 2-15 Default settings for ACLs
Parameter Default Setting
Step 5 for ACL4, which can be adjusted
using a command
5 for ACL6, which cannot be adjusted
using a command
Matching order Configuration order
2.6 (Optional) Creating a Time Range in Which an ACL
Takes Effect
Context
By default, an ACL is always effective after it is applied to a service module. To
make the ACL rules work only in a certain period, you can define a time range and
associate it with the ACL rules. In this way, services can be controlled through a
time-based ACL. For example, by configuring ACLs with specified time ranges, an
enterprise can forbid employees to access the Internet during work hours and limit
bandwidth for bandwidth-consuming services such as P2P and downloading
services during peak hours to avoid network congestion.
Time ranges associated with ACL rules are classified into:
● Periodic time range: defined by week. That is, ACL rules can take effect at an
interval of one week. For example, if the time range of ACL rules is 8:00-12:00
on Monday, the ACL rules take effect at 8:00-12:00 on every Monday.
● Absolute time range: defined by a period of time, in the format of from
YYYY/MM/DD HH:MM to YYYY/MM/DD HH:MM. That is, ACL rules take effect
only during this period.
NOTE
If the system time of a device is not synchronized with the network time, the ACL rules cannot
take effect in the associated time range. To make ACL rules take effect on a device, configure
the Network Time Protocol (NTP) on the device to automatically synchronize the system time
with the network time. NTP ensures clock consistency on all devices on a network. For details on
how to configure NTP, see Configuring Basic NTP Functions in "NTP Configuration" in the S300,
S500, S2700, S5700, and S6700 V200R021C00 Configuration Guide - Device Management.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run time-range time-name { start-time to end-time { days } &<1-7> | from time1
date1 [ to time2 date2 ] }
A time range is created.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 37
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
By default, no time range is configured on a device.
You can specify multiple time ranges for time-name. The device obtains the
intersection of the configured periodic or absolute time ranges.
To delete a time range, see Deleting a Time Range.
----End
Follow-up Procedure
After a time range is created, you need to create an ACL and configure the ACL
rules to be associated with the time range. For the configuration of an ACL, see
2.7 Configuring an ACL.
Configuration Examples
Deleting a time range
Before deleting a time range, you must delete the ACL rules associated with the
time range or delete the ACL to which the ACL rules belong.
For example, ACL 2001 contains rule 5 and is associated with time range time1.
#
time-range time1 from 00:00 2014/1/1 to 23:59 2014/12/31
#
acl number 2001
rule 5 permit time-range time1
#
Before deleting time1, delete rule 5 or ACL 2001.
● Delete rule 5 and then time1.
<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] undo rule 5
[HUAWEI-acl-basic-2001] quit
[HUAWEI] undo time-range time1
● Delete ACL 2001 and then time1.
<HUAWEI> system-view
[HUAWEI] undo acl 2001
[HUAWEI] undo time-range time1
2.7 Configuring an ACL
2.7.1 Configuring a Basic ACL
Prerequisites
If you need to configure a time-based ACL, create a time range and associate the
time range with the ACL rules. For details, see 2.6 (Optional) Creating a Time
Range in Which an ACL Takes Effect.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 38
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Context
A basic ACL defines rules to filter IPv4 packets based on information such as
source IP addresses, fragment information, and time ranges.
To filter packets based only on source IP addresses, you can configure a basic ACL.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Create a basic ACL. You can create a numbered or named ACL.
● Run the acl [ number ] acl-number [ match-order { auto | config } ]
command to create a numbered basic ACL (2000-2999) and enter the basic
ACL view.
● Run the acl name acl-name { basic | acl-number } [ match-order { auto |
config } ] command to create a named basic ACL and enter the basic ACL
view.
By default, no ACL exists on the device.
If the parameter match-order is not specified when you create an ACL, the
default matching order config is used. For details about the ACL matching order,
see 2.2.3 ACL Matching.
The default step of a created ACL is 5. If the default step cannot meet your ACL
configuration requirements, you can change the step value. For details about the
step, see 2.2.5 ACL Increment; for configuration of the step, see 2.11.1 Adjusting
the Increment of ACL Rules.
Step 3 (Optional) Run description text
A description is configured for the ACL.
By default, an ACL has no description.
The ACL description helps you understand and remember the functions or purpose
of an ACL.
Step 4 Run rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard |
any } | fragment | logging | time-range time-name | { vpn-instance vpn-
instance-name | public } ] *
Rules are configured in the basic ACL.
In this example, only one permit or deny rule is configured. In actual
configuration, you can configure multiple rules and decide the matching order of
the rules according to service requirements.
For details about the time range, source IP address and its wildcard mask, and IP
fragment information, see 2.2.2 ACLs Supported by Switches and Common
Matching Conditions. Configuring rules for a basic ACL provides a rule
configuration example.
Step 5 (Optional) Run rule rule-id description description
A description is configured for the ACL rules.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 39
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
By default, an ACL rule has no description.
The ACL rule description helps you understand and remember the functions or
purpose of an ACL rule.
You can configure descriptions for only the existing rules on the device. That is,
you cannot configure a description for a rule before creating it.
----End
Follow-up Procedure
After an ACL is configured, it must be applied to a service module so that the ACL
rules can be delivered and take effect. For supported service modules and
configurations, see 2.8 Applying an ACL.
Configuration Examples
Configuring rules for a basic ACL
● Configuring a packet filtering rule based on the source IP address (host
address)
To allow packets from a host to pass, add a rule to an ACL. For example, to
allow packets from the host at 192.168.1.3 to pass, create the following rule
in ACL 2001.
<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule permit source 192.168.1.3 0
● Configuring a packet filtering rule based on the source network segment
To allow packets from a host to pass and reject packets from other hosts on
the same network segment, configure rules in an ACL. For example, to allow
packets from the host at 192.168.1.3 to pass and reject packets from other
hosts on the network segment 192.168.1.0/24, configure the following rules in
ACL 2001 and set the description of ACL 2001 to "Permit only 192.168.1.3
through."
<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule permit source 192.168.1.3 0
[HUAWEI-acl-basic-2001] rule deny source 192.168.1.0 0.0.0.255
[HUAWEI-acl-basic-2001] description permit only 192.168.1.3 through
● Configuring a time-based ACL rule
Create a time range working-time (for example, 8:00-18:00 on Monday
through Friday) and configure a rule in ACL work-acl. The rule rejects the
packets from the network segment 192.168.1.0/24 within the specified time
range working-time.
<HUAWEI> system-view
[HUAWEI] time-range working-time 8:00 to 18:00 working-day
[HUAWEI] acl name work-acl basic
[HUAWEI-acl-basic-work-acl] rule deny source 192.168.1.0 0.0.0.255 time-range working-time
● Configuring a packet filtering rule based on the source network segment
and IP fragment information
To reject non-initial fragments from a network segment, configure a rule in
an ACL. For example, to reject non-initial fragments from the network
segment 192.168.1.0/24, configure the following rule in ACL 2001.
<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule deny source 192.168.1.0 0.0.0.255 fragment
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 40
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
2.7.2 Configuring an Advanced ACL
Prerequisites
If you need to configure a time-based ACL, create a time range and associate the
time range with the ACL rules. For details, see 2.6 (Optional) Creating a Time
Range in Which an ACL Takes Effect.
Context
Advanced ACLs give you greater flexibility and functionality than basic ACLs,
allowing you to filter packets more accurately. For example, with advanced ACLs,
you can define rules to filter IPv4 packets based on a range of criteria, including
source IP addresses, destination IP addresses, IP protocol types, TCP source/
destination port numbers, UDP source/destination port numbers, fragment
information, and time ranges.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Create an advanced ACL. You can create a numbered or named ACL.
● Run the acl [ number ] acl-number [ match-order { auto | config } ]
command to create a numbered advanced ACL (3000-3999) and enter the
advanced ACL view.
● Run the acl name acl-name { advance | acl-number } [ match-order { auto |
config } ] command to create a named advanced ACL and enter the
advanced ACL view.
By default, no ACL exists on the device.
If the parameter match-order is not specified when you create an ACL, the
default matching order config is used. For details about the ACL matching order,
see 2.2.3 ACL Matching.
The default step of a created ACL is 5. If the default step cannot meet your ACL
configuration requirements, you can change the step value. For details about the
step, see 2.2.5 ACL Increment; for configuration of the step, see 2.11.1 Adjusting
the Increment of ACL Rules.
Step 3 (Optional) Run description text
A description is configured for the ACL.
By default, an ACL has no description.
The ACL description helps you understand and remember the functions or purpose
of an ACL.
Step 4 Configure rules for the advanced ACL.
You can configure advanced ACL rules according to the protocols carried by IP. The
parameters vary according to the protocol types.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 41
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
● When the protocol type is ICMP, the command format is:
rule [ rule-id ] { deny | permit } { protocol-number | icmp } [ destination
{ destination-address destination-wildcard | any } | { { precedence precedence
| tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | icmp-type
{ icmp-name | icmp-type [ icmp-code ] } | source { source-address source-
wildcard | any } | time-range time-name | ttl-expired | { vpn-instance vpn-
instance-name | public } ] *
● When the protocol type is TCP, the command format is:
rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ destination
{ destination-address destination-wildcard | any } | destination-port { eq port
| gt port | lt port | range port-start port-end } | { { precedence precedence |
tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source
{ source-address source-wildcard | any } | source-port { eq port | gt port | lt
port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst
| syn | urg } * | time-range time-name | ttl-expired | { vpn-instance vpn-
instance-name | public } ] *
● When the protocol type is UDP, the command format is:
rule [ rule-id ] { deny | permit } { protocol-number | udp } [ destination
{ destination-address destination-wildcard | any } | destination-port { eq port
| gt port | lt port | range port-start port-end } | { { precedence precedence |
tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source
{ source-address source-wildcard | any } | source-port { eq port | gt port | lt
port | range port-start port-end } | time-range time-name | ttl-expired |
{ vpn-instance vpn-instance-name | public } ] *
● When the protocol type is GRE, IGMP, IP, IPINIP, or OSPF, the command format
is:
rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip |
ospf } [ destination { destination-address destination-wildcard | any } |
{ { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-
fragment } | logging | source { source-address source-wildcard | any } | time-
range time-name | ttl-expired | { vpn-instance vpn-instance-name |
public } ] *
NOTE
● Only the S6735-S, S6720S-EI and S6720-EI support ttl-expired.
● The vpn-instance and public parameter is supported only when a software-based ACL is
applied to the S5720I-SI, S5735-S, S5735S-S, S5735-S-I, S5735S-H, S5736-S, S5731-H, S5731-
S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720S-EI, S6720S-S, S6730-H, S6730S-H, S6730-
S, or S6730S-S. For usage scenarios of software-based ACLs, see "ACL Implementations" in
the S300, S500, S2700, S5700, and S6700 V200R021C00 Configuration Guide - Security ACL
Configuration - 2.2.1 ACL Fundamentals.
● If the ACL rules configured on the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-
H, S6730S-H, S6730-S, and S6730S-S are hardware-based ACLs, tcp-flag is not supported.
● Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S2730S-S, S5735-L-I, S5735-
L1,S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, S5735-S-I,
S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support first-fragment.
For the S2730S-S, S5735-L-I, S5735-L1,S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M,
S5735-S, S500, S5735S-S, and S5735-S-I, an ACL containing the first-fragment can only be
used in the inbound direction.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 42
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
In this example, only one permit or deny rule is configured. In actual
configuration, you can configure multiple rules and decide the matching order of
the rules according to service requirements.
For details about the time ranges, types of protocols carried by IP, source/
destination IP addresses and their wildcard masks, TCP/UDP port numbers, TCP
flaps, and IP fragment information, see 2.2.2 ACLs Supported by Switches and
Common Matching Conditions. Configuring rules for an advanced ACL
provides a rule configuration example.
Step 5 (Optional) Run rule rule-id description description
A description is configured for the ACL rules.
By default, an ACL rule has no description.
The ACL rule description helps you understand and remember the functions or
purpose of an ACL rule.
You can configure descriptions for only the existing rules on the device. That is,
you cannot configure a description for a rule before creating it.
----End
Follow-up Procedure
After an ACL is configured, it must be applied to a service module so that the ACL
rules can be delivered and take effect. For supported service modules and
configurations, see 2.8 Applying an ACL.
Configuration Examples
Configuring rules for an advanced ACL
● Configuring a packet filtering rule for ICMP protocol packets based on
the source IP address (host address) and destination network segment
To allow ICMP packets from a host that are destined for a network segment
to pass, configure a rule in an ACL. For example, to allow ICMP packets from
the host at 192.168.1.3 that are destined for the network segment
192.168.2.0/24 to pass, configure the following rule in ACL 3001.
<HUAWEI> system-view
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule permit icmp source 192.168.1.3 0 destination 192.168.2.0 0.0.0.255
● Configuring a packet filtering rule for TCP protocol packets based on the
TCP destination port number, source IP address (host address), and
destination network segment
To prohibit Telnet connections between a specified host and the hosts on a
network segment, configure a rule in an advanced ACL. For example, to
prohibit Telnet connections between the host at 192.168.1.3 and hosts on the
network segment 192.168.2.0/24, configure the following rule in the advanced
ACL deny-telnet.
<HUAWEI> system-view
[HUAWEI] acl name deny-telnet
[HUAWEI-acl-adv-deny-telnet] rule deny tcp destination-port eq telnet source 192.168.1.3 0
destination 192.168.2.0 0.0.0.255
To prohibit the specified hosts from accessing web pages (HTTP is used to
access web pages, and TCP port number is 80), configure rules in an advanced
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 43
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
ACL. For example, to prohibit hosts 192.168.1.3 and 192.168.1.4 from
accessing web pages, configure the following rules in ACL no-web and set the
description for the ACL to "Web access restrictions."
<HUAWEI> system-view
[HUAWEI] acl name no-web
[HUAWEI-acl-adv-no-web] description Web access restrictions
[HUAWEI-acl-adv-no-web] rule deny tcp destination-port eq 80 source 192.168.1.3 0
[HUAWEI-acl-adv-no-web] rule deny tcp destination-port eq 80 source 192.168.1.4 0
● Configuring a packet filtering rule for TCP packets based on the source
network segment and TCP flags
To implement unidirectional access control on a network segment, configure
rules in an ACL. For example, to implement unidirectional access control on
the network segment 192.168.2.0/24, configure the following rules in ACL
3002. In the following rules, the hosts on 192.168.2.0/24 can only respond to
TCP handshake packets, but cannot send TCP handshake packets. Set the
descriptions of the ACL rules to "Allow the ACK TCP packets through", "Allow
the RST TCP packets through", and "Do not Allow the other TCP packet
through."
To meet the preceding requirement, configure two permit rules to allow the
packets with the ACK or RST field being 1 from 192.168.2.0/24 to pass, and
then configure a deny rule to reject other TCP packets from this network
segment.
<HUAWEI> system-view
[HUAWEI] acl 3002
[HUAWEI-acl-adv-3002] rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack
[HUAWEI-acl-adv-3002] display this // If you do not specify an ID for a created rule, you can view
the rule ID allocated by the system, and configure a description for the rule by specifying the rule ID.
#
acl number 3002
rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack // The rule ID allocated by the
system is 5.
#
return
[HUAWEI-acl-adv-3002] rule 5 description Allow the ACK TCP packets through
[HUAWEI-acl-adv-3002] rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst
[HUAWEI-acl-adv-3002] display this
#
acl number 3002
rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack
rule 5 description Allow the ACK TCP packets through
rule 10 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst // The rule ID allocated by the system
is 10.
#
return
[HUAWEI-acl-adv-3002] rule 10 description Allow the RST TCP packets through
[HUAWEI-acl-adv-3002] rule deny tcp source 192.168.2.0 0.0.0.255
[HUAWEI-acl-adv-3002] display this
#
acl number 3002
rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack
rule 5 description Allow the ACK TCP packets through
rule 10 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst
rule 10 description Allow the RST TCP packets through
rule 15 deny tcp source 192.168.2.0 0.0.0.255 // The rule ID allocated by the system is 15.
#
return
[HUAWEI-acl-adv-3002] rule 15 description Do not Allow the other TCP packet through
You can specify the parameter established to allow the packets with the ACK
or RST field being 1 sent from 192.168.2.0/24 to pass and configure a deny
rule to reject other TCP packets from this subnet.
<HUAWEI> system-view
[HUAWEI] acl 3002
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 44
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
[HUAWEI-acl-adv-3002] rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag established
[HUAWEI-acl-adv-3002] rule 5 description Allow the Established TCP packets through
[HUAWEI-acl-adv-3002] rule deny tcp source 192.168.2.0 0.0.0.255
[HUAWEI-acl-adv-3002] rule 10 description Do not Allow the other TCP packet through
[HUAWEI-acl-adv-3002] display this
#
acl number 3002
rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag
established
rule 5 description Allow the Established TCP packets
through
rule 10 deny tcp source 192.168.2.0
0.0.0.255
rule 10 description Do not Allow the other TCP packet
through
#
return
● Configuring a time-based ACL rule
For details, see Configuring a time-based ACL rule in Configuring a Basic
ACL.
● Configuring a packet filtering rule based on the source network segment
and IP fragment information
For details, see Configuring a packet filtering rule based on the IP
fragment information and source IP address segment in Configuring a
Basic ACL.
2.7.3 Configuring a Layer 2 ACL
Prerequisites
If you need to configure a time-based ACL, create a time range and associate the
time range with the ACL rules. For details, see 2.6 (Optional) Creating a Time
Range in Which an ACL Takes Effect.
Context
A Layer 2 ACL defines rules to filter traffic based on Ethernet frame information,
such as source MAC addresses, destination MAC addresses, VLAN IDs, and Layer 2
protocol types.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Create a Layer 2 ACL. You can create a numbered or named ACL.
● Run the acl [ number ] acl-number [ match-order { auto | config } ]
command to create a numbered Layer 2 ACL (4000-4999) and enter the Layer
2 ACL view.
● Run the acl name acl-name { link | acl-number } [ match-order { auto |
config } ] command to create a named Layer 2 ACL and enter the Layer 2
ACL view.
By default, no ACL exists on the device.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 45
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
If the parameter match-order is not specified when you create an ACL, the
default matching order config is used. For details about the ACL matching order,
see 2.2.3 ACL Matching.
The default step of a created ACL is 5. If the default step cannot meet your ACL
configuration requirements, you can change the step value. For details about the
step, see 2.2.5 ACL Increment; for configuration of the step, see 2.11.1 Adjusting
the Increment of ACL Rules.
Step 3 (Optional) Run description text
A description is configured for the ACL.
By default, an ACL has no description.
The ACL description helps you understand and remember the functions or purpose
of an ACL.
Step 4 Run rule [ rule-id ] { permit | deny } [ [ ether-ii | 802.3 | snap ] | l2-protocol
type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] |
source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-
mask ] | 8021p 802.1p-value | cvlan-id cvlan-id [ cvlan-id-mask ] | cvlan-8021p
802.1p-value | double-tag | time-range time-name ] *
Rules are configured in the Layer 2 ACL.
NOTE
The S2720-EI, S5720I-SI, S5720-LI, S2730S-S, S5735-L-I, S5735-L1,S300, S5735-L, S5735S-L,
S5735S-L1, S5735S-L-M, S5720S-LI, S5735-S, S500, S5735-S-I, and S5735S-S do not support
cvlan-id cvlan-id [ cvlan-id-mask ], cvlan-8021p 802.1p-value, and double-tag.
The S5735S-H, S5736-S, and S6720S-S do not support cvlan-8021p 802.1p-value.
In this example, only one permit or deny rule is configured. In actual
configuration, you can configure multiple rules and decide the matching order of
the rules according to service requirements.
For details about the time range, source/destination MAC addresses and their
wildcard masks, VLAN IDs and their masks, see 2.2.2 ACLs Supported by
Switches and Common Matching Conditions. Configuring rules for a Layer 2
ACL provides a rule configuration example.
Step 5 (Optional) Run rule rule-id description description
A description is configured for the ACL rules.
By default, an ACL rule has no description.
The ACL rule description helps you understand and remember the functions or
purpose of an ACL rule.
You can configure descriptions for only the existing rules on the device. That is,
you cannot configure a description for a rule before creating it.
----End
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 46
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Follow-up Procedure
After an ACL is configured, it must be applied to a service module so that the ACL
rules can be delivered and take effect. For supported service modules and
configurations, see 2.8 Applying an ACL.
Configuration Examples
Configuring rules for a Layer 2 ACL
● Configuring packet filtering rules based on the source MAC address,
destination MAC address, and Layer 2 protocol types
To allow ARP packets with the specified destination and source MAC
addresses, and Layer 2 protocol type to pass, configure a rule in a Layer 2
ACL. For example, to allow ARP packets with the destination MAC address of
0000-0000-0001, source MAC address of 0000-0000-0002, and Layer 2
protocol type of 0x0806 to pass, configure the following rule in ACL 4001.
<HUAWEI> system-view
[HUAWEI] acl 4001
[HUAWEI-acl-L2-4001] rule permit destination-mac 0000-0000-0001 source-mac 0000-0000-0002
l2-protocol 0x0806
To reject PPPoE packets with the specified Layer 2 protocol type, configure a
rule in a Layer 2 ACL. To reject PPPoE packets with the Layer 2 protocol type
of 0x8863, configure the following rule in ACL 4001.
<HUAWEI> system-view
[HUAWEI] acl 4001
[HUAWEI-acl-L2-4001] rule deny l2-protocol 0x8863
● Configuring a packet filtering rule based on the source MAC address
segment and VLAN IDs
To reject packets from the specified MAC address segments in a VLAN,
configure a rule in a Layer 2 ACL. For example, to reject packets from the
source MAC address segment 00e0-fc01-0000 to 00e0-fc01-ffff in VLAN 10,
configure the following rule in the Layer 2 ACL deny-vlan10-mac.
<HUAWEI> system-view
[HUAWEI] acl name deny-vlan10-mac link
[HUAWEI-acl-L2-deny-vlan10-mac] rule deny vlan-id 10 source-mac 00e0-fc01-0000 ffff-ffff-0000
● Configuring a time-based ACL rule
For details, see Configuring a time-based ACL rule in Configuring a Basic
ACL.
2.7.4 Configuring a User-Defined ACL
Prerequisites
If you need to configure a time-based ACL, create a time range and associate the
time range with the ACL rules. For details, see 2.6 (Optional) Creating a Time
Range in Which an ACL Takes Effect.
Context
A user-defined ACL defines rules based on packet headers, offsets, character string
masks, and user-defined character strings. With such a user-defined ACL
configured, the system performs an AND operation on the packet bytes from a
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 47
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
certain position behind the packet header and the character string mask,
compares the extracted character string against the user-defined character string,
and then filters IPv4 and IPv6 packets.
User-defined ACLs are more accurate and flexible than basic ACLs, advanced ACLs,
and Layer 2 ACLs, as well as providing more functions. For example, a user-
defined ACL can be configured to filter ARP packets based on source IP addresses
and ARP packet types.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure a user-defined ACL. You can create a numbered or named ACL.
● Run the acl [ number ] acl-number [ match-order { auto | config } ]
command to create a numbered user-defined ACL (5000-5999) and enter the
user-defined ACL view.
● Run the acl name acl-name { user | acl-number } [ match-order { auto |
config } ] command to create a named user-defined ACL and enter the user-
defined ACL view.
By default, no ACL exists on the device.
If the parameter match-order is not specified when you create an ACL, the
default matching order config is used. For details about the ACL matching order,
see 2.2.3 ACL Matching.
The default step of a created ACL is 5. If the default step cannot meet your ACL
configuration requirements, you can change the step value. For details about the
step, see 2.2.5 ACL Increment; for configuration of the step, see 2.11.1 Adjusting
the Increment of ACL Rules.
Step 3 (Optional) Run description text
A description is configured for the ACL.
By default, an ACL has no description.
The ACL description helps you understand and remember the functions or purpose
of an ACL.
Step 4 Run rule [ rule-id ] { deny | permit } [ [ l2-head | ipv4-head | ipv6-head | l4-
head ] { rule-string rule-mask offset } &<1-8> | time-range time-name ] *
Rules are configured in the user-defined ACL.
NOTE
The S2720-EI, S5720I-SI, S5720-LI, S2730S-S, S5735-L-I, S5735-L1,S300, S5735-L, S5735S-L,
S5735S-L1, S5735S-L-M, S5720S-LI, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S, and
S6720S-S do not support &<1-8> and ipv6-head.
In this example, only one permit or deny rule is configured. In actual
configuration, you can configure multiple rules and decide the matching order of
the rules according to service requirements.
Configuring a user-defined ACL rule provides a rule configuration example.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 48
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Step 5 (Optional) Run rule rule-id description description
A description is configured for the ACL rules.
By default, an ACL rule has no description.
The ACL rule description helps you understand and remember the functions or
purpose of an ACL rule.
You can configure descriptions for only the existing rules on the device. That is,
you cannot configure a description for a rule before creating it.
----End
Follow-up Procedure
After an ACL is configured, it must be applied to a service module so that the ACL
rules can be delivered and take effect. For supported service modules and
configurations, see 2.8 Applying an ACL.
Configuration Examples
Configuring a user-defined ACL rule
● Configuring packet filtering rules based on Layer 2 headers, offsets,
character string masks, and user-defined character strings
To reject ARP packets from the specified host, configure a rule in a user-
defined ACL. For example, to reject ARP packets from the host at 192.168.0.2,
configure the following rule in ACL 5001.
In the following rule:
– 0x00000806 indicates the ARP protocol.
– 0x0000ffff is the character string mask.
– 10 indicates the protocol type field offset in the ARP packets (without
VLAN ID).
– c0a80002 is the hexadecimal format of 192.168.0.2.
– 26 and 30 respectively indicate the offsets of the higher 2 bytes and
lower 2 bytes in the source IP addresses in ARP packets (without VLAN
ID). The source IP address in an ARP packet begins at the 28th byte in the
Layer 2 header and occupies 4 bytes. The Layer 2 header offset defined in
a user-defined ACL must be 4n + 2 (n is an integer). Therefore, the source
IP address is divided into two segments for matching. The lower 2 bytes
among the four bytes behind offset 26 (4 x 6 + 2) and the higher 2 bytes
among the 4 bytes behind offset 30 (4 x 7 + 2) are matched separately.
To filter ARP packets carrying VLAN IDs, add 4 to each of the following
offsets.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 49
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Figure 2-4 Source IP address field offset in the Layer 2 header of an ARP
packet
<HUAWEI> system-view
[HUAWEI] acl 5001
[HUAWEI-acl-user-5001] rule deny l2-head 0x00000806 0x0000ffff 10 0x0000c0a8 0x0000ffff 26
0x00020000 0xffff0000 30
To reject all TCP packets, configure a rule in user-defined ACL deny-tcp.
In the following rule:
– 0x00060000 indicates the TCP protocol.
– 8 indicates the protocol type offset in the IP packets. (The protocol type
field in an IP packet begins at the 10th byte in the IPv4 header and
occupies 1 byte. The IPv4 header offset defined in a user-defined ACL
must be 4n (n is an integer). Therefore, the second higher byte among
the 4 bytes behind offset 8 in the IPv4 header is matched.)
<HUAWEI> system-view
[HUAWEI] acl name deny-tcp user
[HUAWEI-acl-user-deny-tcp] rule 5 deny ipv4-head 0x00060000 0x00ff0000 8
Figure 2-5 TCP protocol field offset in the IPv4 header
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 50
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
NOTE
When specifying an ACL rule to match offset bytes in the Layer 2 header on the
S5735S-H or S5736-S, add a tag first if the ACL rule will be applied on a GE electrical
interface through which packets having no tag pass.
● Configuring a time-based ACL rule
For details, see Configuring a time-based ACL rule in Configuring a Basic
ACL.
2.7.5 Configuring a User ACL
Prerequisites
● The NAC mode has been set to the unified mode using the authentication
unified-mode command and the device has been restarted to make the NAC
mode take effect.
● A UCL group that identifies the user category has been created using the ucl-
group command.
● If you need to configure a time-based ACL, create a time range and associate
the time range with the ACL rules. For details, see 2.6 (Optional) Creating a
Time Range in Which an ACL Takes Effect.
Context
A user ACL defines rules to filter IPv4 packets based on the source IP addresses or
source User Control List (UCL) groups, destination IP addresses or destination UCL
groups, IP protocol types, ICMP types, TCP source/destination port numbers, UDP
source/destination port numbers, and time ranges.
To filter packets based on UCL groups, configure a user ACL.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Create a user ACL. You can create a numbered or named ACL.
● Run the acl [ number ] acl-number [ match-order { auto | config } ]
command to create a numbered user ACL (6000-9999) and enter the user
ACL view.
● Run the acl name acl-name { ucl | acl-number } [ match-order { auto |
config } ] command to create a named user ACL and enter the user ACL view.
By default, no ACL exists on the device.
If the parameter match-order is not specified when you create an ACL, the
default matching order config is used. For details about the ACL matching order,
see 2.2.3 ACL Matching.
The default step of a created ACL is 5. If the default step cannot meet your ACL
configuration requirements, you can change the step value. For details about the
step, see 2.2.5 ACL Increment; for configuration of the step, see 2.11.1 Adjusting
the Increment of ACL Rules.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 51
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Step 3 (Optional) Run description text
A description is configured for the ACL.
By default, an ACL has no description.
The ACL description helps you understand and remember the functions or purpose
of an ACL.
Step 4 Configure user ACL rules.
You can configure the user ACL rules according to the protocol types of IP packets.
The parameters vary according to the protocol types.
● When the protocol type is ICMP, the command format is:
rule [ rule-id ] { permit | deny } { icmp | protocol-number } [ source
{ { source-address source-wildcard | any } | { ucl-group { name source-ucl-
group-name | source-ucl-group-index } } } * | destination { { { destination-
address destination-wildcard | any } | { ucl-group { name destination-ucl-
group-name | destination-ucl-group-index } } } * | fqdn fqdn-name } | icmp-
type { icmp-type [ icmp-code ] | icmp-name } | vpn-instance vpn-instance-
name | time-range time-name ] *
● When the protocol type is TCP, the command format is:
rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ source { { source-
address source-wildcard | any } | { ucl-group { source-ucl-group-index | name
source-ucl-group-name } } } * | destination { { { destination-address
destination-wildcard | any } | { ucl-group { destination-ucl-group-index |
name destination-ucl-group-name } } } * | fqdn fqdn-name } | source-port
{ eq port | gt port | lt port | range port-start port-end } | destination-port
{ eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack |
established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-
instance vpn-instance-name ] *
● When the protocol type is UDP, the command format is:
rule [ rule-id ] { deny | permit } { protocol-number | udp } [ source
{ { source-address source-wildcard | any } | { ucl-group { source-ucl-group-
index | name source-ucl-group-name } } } * | destination { { { destination-
address destination-wildcard | any } | { ucl-group { destination-ucl-group-
index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | source-
port { eq port | gt port | lt port | range port-start port-end } | destination-
port { eq port | gt port | lt port | range port-start port-end } | time-range
time-name | vpn-instance vpn-instance-name ] *
● When the protocol type is GRE, IGMP, IP, IPINIP, or OSPF, the command format
is:
rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip |
ospf } [ source { { source-address source-wildcard | any } | { ucl-group
{ source-ucl-group-index | name source-ucl-group-name } } } * | destination
{ { { destination-address destination-wildcard | any } | { ucl-group
{ destination-ucl-group-index | name destination-ucl-group-name } } } * |
fqdn fqdn-name } | time-range time-name | vpn-instance vpn-instance-
name ] *
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 52
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
NOTE
The S2720-EI, S5720-LI, S2730S-S, S5735-L-I, S5735-L1,S300, S5735-L, S5735S-L, S5735S-L1,
S5735S-L-M, S5720S-LI, S5735-S, S500, S5735S-S, S5735-S-I, S5720I-SI, S5735S-H, S5736-S,
S6720S-S, S6720S-EI, and S6720-EI do not support destination { fqdn fqdn-name }, ucl-
group { destination-ucl-group-index | name destination-ucl-group-name }, and vpn-
instance vpn-instance-name.
In this example, only one permit or deny rule is configured. In actual
configuration, you can configure multiple rules and decide the matching order of
the rules according to service requirements.
A rule configuration example is provided in Configuring user ACL rules.
Step 5 (Optional) Run rule rule-id description description
A description is configured for the ACL rules.
By default, an ACL rule has no description.
The ACL rule description helps you understand and remember the functions or
purpose of an ACL rule.
You can configure descriptions for only the existing rules on the device. That is,
you cannot configure a description for a rule before creating it.
----End
Follow-up Procedure
After an ACL is configured, it must be applied to a service module so that the ACL
rules can be delivered and take effect. For supported service modules and
configurations, see 2.8 Applying an ACL.
Configuration Examples
Configuring user ACL rules
● Configuring a packet filtering ACL rule based on the source UCL group
and destination IP address
Configure a rule in ACL 6000 to reject all the IP packets sent from the hosts in
source UCL group group1 to the network segment 192.168.1.0/24.
<HUAWEI> system-view
[HUAWEI] ucl-group 1 name group1
[HUAWEI] acl 6000
[HUAWEI-acl-ucl-6000] rule deny ip source ucl-group name group1 destination 192.168.1.0
0.0.0.255
● Configuring a time-based ACL rule
For details, see Configuring a time-based ACL rule in Configuring a Basic
ACL.
2.7.6 Configuring a Basic ACL6
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 53
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Prerequisites
If you need to configure a time-based ACL6, create a time range and associate the
time range with the ACL6 rules. For details, see 2.6 (Optional) Creating a Time
Range in Which an ACL Takes Effect.
Context
A basic ACL6 defines rules to filter IPv6 packets based on information such as
source IPv6 addresses, fragment information, and time ranges.
To filter packets based only on source IPv6 addresses, you can configure a basic
ACL6.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Create a basic ACL6. You can create a numbered or named ACL.
● Run the acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]
command to create a numbered basic ACL6 (2000-2999) and enter the basic
ACL6 view.
● Run the acl ipv6 name acl6-name { basic | acl6-number } [ match-order
{ auto | config } ] command to create a named basic ACL6 and enter the
basic ACL6 view.
By default, no ACL6 exists on the device.
If the parameter match-order is not specified when you create an ACL6, the
default matching order config is used. The matching order of an ACL6 is the same
as that of an ACL. For details, see 2.2.3 ACL Matching.
Step 3 (Optional) Run description text
A description is configured for the ACL6.
By default, an ACL6 has no description.
The ACL6 description helps you understand and remember the functions or
purpose of an ACL6.
Step 4 Run rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-ipv6-
address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address
postfix postfix-length | source-ipv6-address wildcard | any } | time-range time-
name | { vpn-instance vpn-instance-name | public } ] *
Rules are configured in the basic ACL6.
In this example, only one permit or deny rule is configured. In actual
configuration, you can configure multiple rules and decide the matching order of
the rules according to service requirements.
Configuring rules for the basic ACL6 provides a rule configuration example.
Step 5 (Optional) Run rule rule-id description description
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 54
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
A description is configured for the ACL rules.
By default, an ACL rule has no description.
The ACL rule description helps you understand and remember the functions or
purpose of an ACL rule.
You can configure descriptions for only the existing rules on the device. That is,
you cannot configure a description for a rule before creating it.
----End
Follow-up Procedure
After an ACL is configured, it must be applied to a service module so that the ACL
rules can be delivered and take effect. For supported service modules and
configurations, see 2.8 Applying an ACL.
Configuration Examples
Configuring rules for a basic ACL6
● Configuring a packet filtering rule based on the source IPv6 address (host
address)
Configure a rule in ACL6 2001 to allow packets from the host at fc00:1::1/128
to pass.
<HUAWEI> system-view
[HUAWEI] acl ipv6 2001
[HUAWEI-acl6-basic-2001] rule permit source fc00:1::1 128
● Configuring a packet filtering rule based on the source IPv6 network
segment
Configure a rule in ACL6 2001 to allow packets from the host at fc00:1::1/128
to pass and reject packets from other hosts on the network segment
fc00:1::/64.
<HUAWEI> system-view
[HUAWEI] acl ipv6 2001
[HUAWEI-acl6-basic-2001] rule permit source fc00:1::1 128
[HUAWEI-acl6-basic-2001] rule deny source fc00:1:: 64
● Configuring a time-based ACL6 rule
For details, see Configuring a time-based ACL rule in Configuring a Basic
ACL.
● Configuring a packet filtering rule based on the source network segment
and IP fragment information
For details, see Configuring a packet filtering rule based on the IP
fragment information and source IP address segment in Configuring a
Basic ACL.
2.7.7 Configuring an Advanced ACL6
Prerequisites
If you need to configure a time-based ACL6, create a time range and associate the
time range with the ACL6 rules. For details, see 2.6 (Optional) Creating a Time
Range in Which an ACL Takes Effect.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 55
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Context
An advanced ACL6 defines rules to filter IPv6 packets based on source IPv6
addresses, destination IPv6 addresses, IPv6 protocol types, TCP source/destination
port numbers, UDP source/destination port numbers, fragment information, and
time ranges.
Compared with a basic ACL6, an advanced ACL6 is more accurate and flexible, and
provides more functions. For example, to filter packets based on source and
destination IPv6 addresses, configure an advanced ACL6.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Create an advanced ACL6. You can create a numbered or named ACL.
● Run the acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]
command to create a numbered advanced ACL6 (3000-3999) and enter the
advanced ACL6 view.
● Run the acl ipv6 name acl6-name { advance | acl6-number } [ match-order
{ auto | config } ] command to create a named advanced ACL6 and enter the
advanced ACL6 view.
By default, no ACL6 exists on the device.
If the parameter match-order is not specified when you create an ACL6, the
default matching order config is used. The matching order of an ACL6 is the same
as that of an ACL. For details, see 2.2.3 ACL Matching.
Step 3 (Optional) Run description text
A description is configured for the ACL6.
By default, an ACL6 has no description.
The ACL6 description helps you understand and remember the functions or
purpose of an ACL6.
Step 4 Configure rules for the advanced ACL6.
You can configure advanced ACL6 rules according to the protocols carried by IP.
The parameters vary according to the protocol types.
● When the protocol type is TCP, the command format is:
rule [ rule-id ] { deny | permit } { tcp | protocol-number } [ destination
{ destination-ipv6-address prefix-length | destination-ipv6-address/prefix-
length | destination-ipv6-address postfix postfix-length | destination-ipv6-
address wildcard | any } | destination-port { eq port | gt port | lt port | range
port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } |
routing [ routing-type routing-type ] | { fragment | first-fragment } |
logging | source { source-ipv6-address prefix-length | source-ipv6-address/
prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-
address wildcard | any } | source-port { eq port | gt port | lt port | range port-
start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * |
time-range time-name | { vpn-instance vpn-instance-name | public } ] *
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 56
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
● When the protocol type is UDP, the command format is:
rule [ rule-id ] { deny | permit } { udp | protocol-number } [ destination
{ destination-ipv6-address prefix-length | destination-ipv6-address/prefix-
length | destination-ipv6-address postfix postfix-length | destination-ipv6-
address wildcard | any } | destination-port { eq port | gt port | lt port | range
port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } |
routing [ routing-type routing-type ] | { fragment | first-fragment } |
logging | source { source-ipv6-address prefix-length | source-ipv6-address/
prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-
address wildcard | any } | source-port { eq port | gt port | lt port | range port-
start port-end } | time-range time-name | { vpn-instance vpn-instance-name
| public } ] *
● When the protocol is ICMPv6, the command format is:
rule [ rule-id ] { deny | permit } { icmpv6 | protocol-number } [ destination
{ destination-ipv6-address prefix-length | destination-ipv6-address/prefix-
length | destination-ipv6-address postfix postfix-length | destination-ipv6-
address wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp }
| routing [ routing-type routing-type ] | { fragment | first-fragment } |
icmp6-type { icmp6-name | icmp6-type [ icmp6-code ] } | logging | source
{ source-ipv6-address prefix-length | source-ipv6-address/prefix-length |
source-ipv6-address postfix postfix-length | source-ipv6-address wildcard |
any } | time-range time-name | { vpn-instance vpn-instance-name |
public } ] *
● When the protocol is others, the command format is:
rule [ rule-id ] { deny | permit } { protocol-number | gre | ipv6 | ospf }
[ destination { destination-ipv6-address prefix-length | destination-ipv6-
address/prefix-length | destination-ipv6-address postfix postfix-length |
destination-ipv6-address wildcard | any } | { { precedence precedence | tos
tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment |
first-fragment } | logging | source { source-ipv6-address prefix-length |
source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length
| source-ipv6-address wildcard | any } | time-range time-name | { vpn-
instance vpn-instance-name | public } ] *
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 57
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
NOTE
– The vpn-instance and public parameter is supported only when a software-based ACL
is applied to the S5720I-SI, S5735-S, S5735S-S, S5735-S-I, S5735S-H, S5736-S, S5731-H,
S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720S-EI, S6720S-S, S6730-H,
S6730S-H, S6730-S, or S6730S-S. For usage scenarios of software-based ACLs, see "ACL
Implementations" in the S300, S500, S2700, S5700, and S6700 V200R021C00
Configuration Guide - Security ACL Configuration - 2.2.1 ACL Fundamentals.
– If the ACL rules configured on the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H,
S6730-H, S6730S-H, S6730-S, and S6730S-S are hardware-based ACLs, tcp-flag is not
supported.
– Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720S-EI, S6730-
H, S6730S-H, S6730-S, and S6730S-S support routing [ routing-type routing-type ].
– Only the S2720-EI, S5720-LI, S5720S-LI, S5720I-SI, S5735S-H, S5736-S, S5731-H, S5731-
S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720S-EI, S6720S-S, S6730-H, S6730S-H,
S6730-S, S6730S-S, S2730S-S, S5735-L-I, S5735-L1,S300, S5735-L, S5735S-L, S5735S-L1,
S5735S-L-M, S5735-S, S500, S5735S-S, and S5735-S-I support dscp, precedence, and
tos.
– Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S2730S-S, S5735-L-I, S5735-
L1,S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, S5735-
S-I, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support
destination and first-fragment. For the S2730S-S, S5735-L-I, S5735-L1,S300, S5735-L,
S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, and S5735-S-I, an ACL
containing the first-fragment can only be used in the inbound direction.
In this example, only one permit or deny rule is configured. In actual
configuration, you can configure multiple rules and decide the matching order of
the rules according to service requirements.
Configuring rules for the advanced ACL6 provides a rule configuration example.
Step 5 (Optional) Run rule rule-id description description
A description is configured for the ACL rules.
By default, an ACL rule has no description.
The ACL rule description helps you understand and remember the functions or
purpose of an ACL rule.
You can configure descriptions for only the existing rules on the device. That is,
you cannot configure a description for a rule before creating it.
----End
Follow-up Procedure
After an ACL is configured, it must be applied to a service module so that the ACL
rules can be delivered and take effect. For supported service modules and
configurations, see 2.8 Applying an ACL.
Configuration Examples
Configuring rules for an advanced ACL6
● Configuring a packet filtering rule for ICMPv6 protocol packets based on
the source IPv6 address (host address) and destination IPv6 network
segment
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 58
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Configure a rule in ACL6 3001 to allow the ICMPv6 packets from the host at
fc00:1::1 and destined for the network segment fc00:2::/64 to pass.
<HUAWEI> system-view
[HUAWEI] acl ipv6 3001
[HUAWEI-acl6-adv-3001] rule permit icmpv6 source fc00:1::1 128 destination fc00:2:: 64
● Configuring a packet filtering rule for TCP protocol packets based on the
TCP destination port number, source IPv6 address (host address), and
destination IPv6 address segment
Configure a rule in the advanced ACL6 deny-telnet to forbid Telnet
connections between the host at fc00:1::3 and hosts on the network segment
fc00:2::/64.
<HUAWEI> system-view
[HUAWEI] acl ipv6 name deny-telnet
[HUAWEI-acl6-adv-deny-telnet] rule deny tcp destination-port eq telnet source fc00:1::3 128
destination fc00:2:: 64
Configure a rule in the advanced ACL6 no-web to forbid hosts at fc00:1::3 and
fc00:1::4 from accessing web pages (HTTP is used to access web pages, and
the TCP port number is 80).
<HUAWEI> system-view
[HUAWEI] acl ipv6 name no-web
[HUAWEI-acl6-adv-no-web] rule deny tcp destination-port eq 80 source fc00:1::3 128
[HUAWEI-acl6-adv-no-web] rule deny tcp destination-port eq 80 source fc00:1::4 128
● Configuring a time-based ACL6 rule
For details, see Configuring a time-based ACL rule in Configuring a Basic
ACL.
● Configuring a packet filtering rule based on the source network segment
and IP fragment information
For details, see Configuring a packet filtering rule based on the IP
fragment information and source IP address segment in Configuring a
Basic ACL.
2.7.8 Configuring a User ACL6
Prerequisites
● The NAC mode has been set to the unified mode using the authentication
unified-mode command, restarted to make the NAC mode take effect. By
default, the unified NAC configuration mode is used.
● For the S2720-EI, S5720I-SI, S5720-LI, S5720S-LI, S5735S-H, S5736-S, and
S6720S-S, the ACL resource allocation mode device has been set to NAC
mode using the assign resource-template acl-mode, restarted to make the
NAC mode take effect. By default, the Normal ACL resource allocation mode
is used.
● A UCL group that identifies the user category has been created using the ucl-
group command.
● If you need to configure a time-based ACL6, create a time range and
associate the time range with the ACL6 rules. For details, see 2.6 (Optional)
Creating a Time Range in Which an ACL Takes Effect.
Context
A user ACL6 defines rules to filter IPv6 packets based on the source IPv6 addresses
or source User Control List (UCL) groups, destination IPv6 addresses, IPv6 protocol
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 59
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
types, ICMPv6 types, TCP source/destination port numbers, UDP source/
destination port numbers, and time ranges.
To filter packets based on UCL groups, configure a user ACL6.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Create a user ACL6. You can create a numbered or named ACL6.
● Run the acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]
command to create a numbered user ACL6 (6000-9999) and enter the user
ACL6 view.
● Run the acl ipv6 name acl6-name { ucl | acl6-number } [ match-order { auto
| config } ] command to create a named user ACL6 and enter the user ACL6
view.
By default, no ACL6 exists on the device.
If the parameter match-order is not specified when you create an ACL6, the
default matching order config is used. The matching order of an ACL6 is the same
as that of an ACL. For details, see 2.2.3 ACL Matching.
Step 3 (Optional) Run description text
A description is configured for the ACL6.
By default, an ACL6 has no description.
The ACL6 description helps you understand and remember the functions or
purpose of an ACL6.
Step 4 Configure user ACL6 rules.
You can configure the user ACL6 rules according to the protocol types of IPv6
packets. The parameters vary according to the protocol types.
● When the protocol type is ICMPv6, the command format is:
rule [ rule-id ] { permit | deny } { icmpv6 | protocol-number } [ source
{ { source-ipv6-address prefix-length | source-ipv6-address/prefix-length |
source-ipv6-address postfix postfix-length | source-ipv6-address wildcard |
any } | { ucl-group { name source-ucl-group-name | source-ucl-group-
index } } } * | destination { destination-ipv6-address prefix-length |
destination-ipv6-address/prefix-length | destination-ipv6-address postfix
postfix-length | destination-ipv6-address wildcard | any } | icmp6-type
{ icmp6-type [ icmp6-code ] | icmp6-name } | vpn-instance vpn-instance-
name | time-range time-name ] *
● When the protocol type is TCP, the command format is:
rule [ rule-id ] { deny | permit } { tcp | protocol-number } [ source { { source-
ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-
address postfix postfix-length | source-ipv6-address wildcard | any } | { ucl-
group { source-ucl-group-index | name source-ucl-group-name } } } * |
destination { destination-ipv6-address prefix-length | destination-ipv6-
address/prefix-length | destination-ipv6-address postfix postfix-length |
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 60
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
destination-ipv6-address wildcard | any } | source-port { eq port | gt port | lt
port | range port-start port-end } | destination-port { eq port | gt port | lt
port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst
| syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *
● When the protocol type is UDP, the command format is:
rule [ rule-id ] { deny | permit } { udp | protocol-number } [ source
{ { source-ipv6-address prefix-length | source-ipv6-address/prefix-length |
source-ipv6-address postfix postfix-length | source-ipv6-address wildcard |
any } | { ucl-group { source-ucl-group-index | name source-ucl-group-
name } } } * | destination { destination-ipv6-address prefix-length |
destination-ipv6-address/prefix-length | destination-ipv6-address postfix
postfix-length | destination-ipv6-address wildcard | any } | source-port { eq
port | gt port | lt port | range port-start port-end } | destination-port { eq
port | gt port | lt port | range port-start port-end } | time-range time-name |
vpn-instance vpn-instance-name ] *
● When the protocol type is GRE, IPv6, or OSPF, the command format is:
rule [ rule-id ] { deny | permit } { gre | ipv6 | ospf | protocol-number }
[ source { { source-ipv6-address prefix-length | source-ipv6-address/prefix-
length | source-ipv6-address postfix postfix-length | source-ipv6-address
wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-
group-name } } } * | destination { destination-ipv6-address prefix-length |
destination-ipv6-address/prefix-length | destination-ipv6-address postfix
postfix-length | destination-ipv6-address wildcard | any } | time-range time-
name | vpn-instance vpn-instance-name ] *
NOTE
The S2720-EI, S5720-LI, S5720S-LI, S2730S-S, S5735-L-I, S5735-L1,S300, S5735-L, S5735S-L,
S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, S5735-S-I, S5720I-SI, S5735S-H, S5736-S,
S6720S-S, S6720S-EI, and S6720-EI do not support vpn-instance vpn-instance-name.
In this example, only one permit or deny rule is configured. In actual
configuration, you can configure multiple rules and decide the matching order of
the rules according to service requirements.
A rule configuration example is provided in Configuring user ACL6 rules.
Step 5 (Optional) Run rule rule-id description description
A description is configured for the ACL rules.
By default, an ACL rule has no description.
The ACL rule description helps you understand and remember the functions or
purpose of an ACL rule.
You can configure descriptions for only the existing rules on the device. That is,
you cannot configure a description for a rule before creating it.
----End
Follow-up Procedure
After an ACL is configured, it must be applied to a service module so that the ACL
rules can be delivered and take effect. For supported service modules and
configurations, see 2.8 Applying an ACL.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 61
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Configuration Examples
Configuring user ACL6 rules
● Configuring a packet filtering ACL6 rule based on the source UCL group
and destination IPv6 address
Configure a rule in ACL6 6000 to reject all the IPv6 packets sent from the
hosts in source UCL group group1 to the network segment fc00:1::/64.
<HUAWEI> system-view
[HUAWEI] ucl-group 1 name group1
[HUAWEI] acl ipv6 6000
[HUAWEI-acl6-ucl-6000] rule deny ipv6 source ucl-group name group1 destination fc00:1:: 64
● Configuring a time-based ACL rule
For details, see Configuring a time-based ACL rule in Configuring a Basic
ACL.
2.7.9 Verifying the ACL Configuration
Procedure
● Run the display acl { acl-number | name acl-name | all } command to check
the ACL configuration.
● Run the display acl ipv6 { acl6-number | name acl6-name | all } command to
check the ACL6 configuration.
● Run the display time-range { all | time-name } command to view the time
range configuration.
----End
2.8 Applying an ACL
Context
After an ACL is configured, it must be applied to a service module so that the ACL
rules can be delivered and take effect.
In most cases, an ACL is applied to a traffic policy or simplified traffic policy. This
enables the device to deliver ACL rules globally, in a VLAN, or on an interface to
filter packets to be forwarded. An ACL can be applied to service modules such as
Telnet, FTP, and routing.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 62
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Service Usage Scenario How ACLs Are Supported ACL
Used Type
Filtering packets The device filters ● Simplified ● Basic ACL
to be forwarded received packets traffic policy: ● Advanced ACL
globally, on an See ACL-based
interface, or in a Simplified ● Layer 2 ACL
VLAN, and then Traffic Policy ● User-defined
discards, modifies Configuration ACL
priorities of, or in the S300, ● User ACL
redirects the S500, S2700,
filtered packets. S5700, and ● Basic ACL6
For example, you S6700 ● Advanced ACL6
can apply ACLs to V200R021C00 ● User ACL6
filter packets Configuration
between different Guide - QoS.
network ● Traffic policy:
segments, prohibit See MQC
specified hosts Configuration
from accessing in the S300,
the network S500, S2700,
during a specified S5700, and
time, or reduce S6700
the service level V200R021C00
for bandwidth- Configuration
consuming Guide - QoS.
services (such as
P2P downloading
and online video).
When network
congestion occurs,
these bandwidth-
consuming service
packets are
discarded first.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 63
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Service Usage Scenario How ACLs Are Supported ACL
Used Type
Filtering packets If too many ● Blacklist: See ● Basic ACL
to be sent to the protocol packets 3.5.2 ● Advanced ACL
CPU are sent to the Configuring a
CPU, the CPU Blacklist in ● Layer 2 ACL
usage increases Local Attack ● Advanced ACL6
and CPU Defense
performance may Configuration.
be degraded. The
device needs to
restrict the
packets to be sent
to the CPU.
For example,
when a user sends
a large number of
ARP attack
packets to the
device, the CPU
becomes busy and
service is
interrupted. You
can apply an ACL
to the local attack
defense service,
and add the user
to the blacklist so
that the CPU
discards the
packets from this
user.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 64
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Service Usage Scenario How ACLs Are Supported ACL
Used Type
Login control The device ● Telnet: See ● Basic ACL
controls access Configuring ● Advanced ACL
permission of Telnet Login in
users. Only "CLI Login ● Basic ACL6
authorized users Configuration" ● Advanced ACL6
can log in to the in the S300,
device, and other S500, S2700,
users cannot log S5700, and
in without S6700
permission. This V200R021C00
ensures network Configuration
security. Guide - Basic
Configuration.
● FTP: See
Managing Files
When the
Device
Functions as
an FTP Server
in "File
Management"
in the S300,
S500, S2700,
S5700, and
S6700
V200R021C00
Configuration
Guide - Basic
Configuration.
● SFTP: See
Managing Files
When the
Device
Functions as
an SFTP Server
in "File
Management"
in the S300,
S500, S2700,
S5700, and
S6700
V200R021C00
Configuration
Guide - Basic
Configuration.
● HTTP: See
Configuring
Web System
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 65
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Service Usage Scenario How ACLs Are Supported ACL
Used Type
Login in "Web
System Login
Configuration"
in the S300,
S500, S2700,
S5700, and
S6700
V200R021C00
Configuration
Guide - Basic
Configuration.
● SNMP: See
(Optional)
Restricting
Management
Rights of the
NMS (SNMPv1
and SNMPv2c)
and (Optional)
Restricting
Management
Rights of the
NMS
(SNMPv3) in
"SNMP
Configuration"
in the S300,
S500, S2700,
S5700, and
S6700
V200R021C00
Configuration
Guide -
Network
Management
and
Monitoring.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 66
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Service Usage Scenario How ACLs Are Supported ACL
Used Type
Route filtering ACLs can be ● BGP: See ● Basic ACL
applied to various Controlling the ● Advanced ACL
dynamic routing Advertisement
protocols to filter of BGP Routes ● Basic ACL6
advertised and and Controlling ● Advanced ACL6
received routes the Receiving
and multicast of BGP Routes
groups. in "BGP
For example, you Configuration"
can apply an ACL in the S300,
to a routing policy S500, S2700,
to filter routing S5700, and
information and S6700
prevent the device V200R021C00
from sending Configuration
routes of a Guide - IP
network segment Unicast
to the routing.
neighboring ● IS-IS (IPv4):
router. See
Configuring IS-
IS to Advertise
Specified
External
Routes to an
IS-IS Routing
Domain and
Adding
Specified IS-IS
Routes to the
IP Routing
Table in "IPv4
IS-IS
Configuration"
in the S300,
S500, S2700,
S5700, and
S6700
V200R021C00
Configuration
Guide - IP
Unicast
routing.
● OSPF: See
Configuring
OSPF to Filter
Received
Routes and
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 67
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Service Usage Scenario How ACLs Are Supported ACL
Used Type
Configuring
OSPF to Filter
the Routes to
Be Advertised
in "OSPF
Configuration"
in the S300,
S500, S2700,
S5700, and
S6700
V200R021C00
Configuration
Guide - IP
Unicast
routing.
● RIP: See
Configuring
RIP to Import
Routes and
Configuring
RIP to Filter
Received
Routes in "RIP
Configuration"
in the S300,
S500, S2700,
S5700, and
S6700
V200R021C00
Configuration
Guide - IP
Unicast
routing.
● Multicast: See
Filtering IGMP
Messages
Based on
Source IP
Addresses in
"IGMP
Configuration",
Configuring a
Multicast
Group Policy
and (Optional)
Configuring an
SSM Group
Policy in "IGMP
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 68
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Service Usage Scenario How ACLs Are Supported ACL
Used Type
Snooping
Configuration"
in the S300,
S500, S2700,
S5700, and
S6700
V200R021C00
Configuration
Guide - IP
Multicast.
2.9 Modifying an ACL
Context
To modify ACL rules, you can delete some rules and add rules as required. It is not
recommended that existing rules be directly modified. This is because if rules after
modification conflict with other rules, new ones will replace existing ones. In this
manner, the ACL rules may fail to achieve the expected effect.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run acl acl-number or acl name acl-name
The ACL view is displayed.
Step 3 Based on the ACL type, configure new rules and delete unnecessary rules.
NOTE
When you update ACL rules, the device delivers the old and new rules together, and then
deletes the old rules. Therefore, sufficient ACL resources are required on the device for
successful rule update. For example, if three rules are configured in ACL3001, to add
another rule, ensure that there are at least four ACL resources available.
----End
2.10 Deleting an ACL
Context
When the usage of ACL resources on a device reaches the maximum, you can
deploy new ACLs only after deleting unnecessary ACL configurations.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 69
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Perform either of the following operations based on the site requirements:
● Run undo acl { [ number ] acl-number | all }
Or run undo acl name acl-name
An ACL is deleted.
● Run undo acl ipv6 { all | [ number ] acl6-number }
Or undo acl ipv6 name acl6-name
An ACL6 is deleted.
NOTE
An ACL or ACL6 can be deleted even when they are referenced by service modules (except
when a simplified traffic references the specified rule in the ACL or ACL6). Therefore, ensure
that an ACL or ACL6 is not referenced by service modules before deleting it.
----End
2.11 Maintaining ACLs
2.11.1 Adjusting the Increment of ACL Rules
Context
During routine maintenance, you may need to add rules to an ACL to meet new
service requirements. If the default increment 5 is used, you can insert only four
rules between neighboring rules (for example, rules 6, 7, 8, and 9 can be inserted
between rules 5 and 10). To insert more than four rules between neighboring
rules, increase the increment to a value greater than 6 so that the system
reallocates IDs to the rules.
For details about the step, see 2.2.5 ACL Increment.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 You can create a numbered or named ACL.
● Run the acl [ number ] acl-number [ match-order { auto | config } ]
command to create a numbered ACL and enter the ACL view.
● Run the acl name acl-name [ advance | basic | link | ucl | user | acl-number ]
[ match-order { auto | config } ] command to create a named ACL and enter
the ACL view.
By default, no ACL exists on the device.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 70
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Step 3 Run the step step command to set the increment.
The default increment is 5.
----End
2.11.2 Displaying ACL Resources
Context
If you are notified that an ACL fails to be applied, this may be due to the system
having insufficient available ACL resources.
You can view ACL resource usage in the system to check whether the ACL
resources are exhausted.
Procedure
● Run the display acl resource [ slot slot-id ] command in any view to check
information about ACL resources.
If the value of Rule Free or Free is not 0, there are available ACL resources in
the system.
----End
2.11.3 Optimizing ACL Resources
Context
Many services use ACL rules to control packets. These ACL rules occupy ACL
resources. The ACL resources on the device are limited. If the number of occupied
ACL resources reaches the upper limit, new services cannot be delivered. However,
the device running and the services that have ACLs applied are not affected.
To optimize ACL resources, you need to know how ACL rules occupy ACL
resources. Generally, the number of occupied ACL resources is calculated as
follows:
Number of occupied ACL resources = Number of ACL rules x ACL application scope
(Number of interfaces or Number of VLANs or 1 if the ACL is applied globally) x
ACL application direction (1 for inbound and 1 for outbound, and 2 for inbound
and outbound)
For example, if 1K ACL rules are configured in an ACL using the if-match acl { acl-
number | acl-name } command and the traffic policy that references the ACL is
applied to the outbound direction of 8 interfaces, then totally 8K (1K rules x 8
interfaces x 1 direction) ACL resources are occupied.
Actually, the number of ACL rules configured on the device is different from the
actual number of ACL resources occupied. The calculation method varies
depending on factors such as the hardware chip and the type of service to which
an ACL is applied.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 71
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Procedure
In the preceding traffic policy example, if the device supports a maximum of 7K
downstream ACL resources, the service cannot be configured. You can use any of
the following methods to optimize ACL resource usage so that the service can be
successfully configured:
● Method 1: Delete unnecessary services.
– Run the display traffic-policy applied-record command to check the
traffic policy application records and delete redundant traffic policies.
– Check the services that use ACLs other than the traffic policy and delete
redundant services or ACLs.
● Method 2: Adjust the ACL application range.
If the interfaces with the traffic policy applied belong to the same VLAN or if
some of the interfaces belong to the same VLAN and the interfaces without
traffic policy configured are not in this VLAN, you can apply an ACL to this
VLAN (for example, VLAN 10 or VLAN 20). After the ACL application range is
adjusted, the number of occupied ACL resources is 2K (1K rules x 2 VLANs).
● Method 3: Combine ACL rules to reduce the number of effective ACL
rules.
Find out the common matching conditions in the ACL rules and relationships
between the rules.
For example, the following content is included in 1K ACL rules:
#
acl number 3009
rule 1 permit ip source 10.1.1.1 0 destination 10.10.1.1 0
rule 2 permit ip source 10.1.1.2 0 destination 10.10.1.1 0
rule 3 permit ip source 10.1.1.3 0 destination 10.10.1.1 0
rule 4 permit ip source 10.1.1.4 0 destination 10.10.1.1 0
...
rule 255 permit ip source 10.1.1.255 0 destination 10.10.1.1 0
rule 256 permit ip source 10.1.2.1 0 destination 10.10.1.1 0
...
rule 510 permit ip source 10.1.2.255 0 destination 10.10.1.1 0
...
rule 801 deny tcp destination-port eq www //Port 80
rule 802 deny tcp destination-port eq 81
rule 803 deny tcp destination-port eq 82
...
rule 830 deny tcp destination-port eq pop2 //Port 109
rule 831 deny tcp destination-port eq pop3 //Port 110
...
rule 1000 xxx
#
Rules 1 through 510 use source and destination IP addresses as matching
conditions. Source IP addresses are all IP addresses on network segments
10.1.1.0/24 and 10.1.2.0/24. Therefore, rules 1 through 510 can be combined
into the following two rules using the IP address wildcard mask.
#
acl number 3009
rule 1 permit ip source 10.1.1.0 0.0.0.255 destination 10.10.1.1 0
rule 2 permit ip source 10.1.2.0 0.0.0.255 destination 10.10.1.1 0
...
#
After combination, the number of preceding rules is reduced to 492. The
number of occupied ACL resources is reduced to 3936 (492 rules x 8
interfaces), which is lower than the upper limit of ACL resources.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 72
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
In addition, rules 801 through 831 use TCP destination ports 80 through 110
as the matching conditions. Therefore, you can specify the keyword range to
combine rules 801 through 831 into the following rule:
#
acl number 3009
...
rule 801 deny tcp destination-port range 80 110
...
#
After combination, rules 801 through 831 are reduced to 462 rules. The
number of occupied ACL resources is reduced to 3696 (462 rules x 8
interfaces), which is lower than the upper limit of ACL resources.
2.11.4 Configuring the ACL Resource Usage Threshold
Context
ACL resources are occupied by ACL or ACL6 services, Meter resources are occupied
by traffic rate limiting services, and Counter resources are occupied by traffic
statistics service. You can configure the ACL, Meter or Counter resource usage
threshold at which an alarm will be generated.
When the ACL, Meter or Counter resource usage is higher than or equal to the
threshold, the device generates an alarm. When the ACL, Meter or Counter
resource usage is lower than or equal to the lower threshold, the device generates
a clear alarm.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the acl [ meter | counter ] threshold-alarm { upper-limit upper-limit |
lower-limit lower-limit } * command to set the alarm threshold percentage of
ACL, Meter or Counter resource usage.
By default, the lower alarm threshold percentage is 70, and the upper alarm
threshold percentage is 80.
----End
2.11.5 Configuring the ACL resource allocation mode
Context
The default ACL resource allocation mode is Normal. In Normal mode, the ACL
does not support matching of destination IPv6 addresses. If matching destination
IPv6 address is required, switch the ACL resource allocation mode to NAC.
NOTE
Only the S2720-EI, S5720I-SI, S5720-LI, S5720S-LI, S5735S-H, S5736-S, and S6720S-S
support this command.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 73
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Procedure
Step 1 (Optional) Run the display system resource-template [ slot slot-id ] command
to display information about the system resource template.
Step 2 Run the system-view command to enter the system view.
Step 3 Run the assign resource-template acl-mode { nac | normal } [ slot slot-id ]
command to configure the ACL resource allocation mode.
The default ACL resource allocation mode is Normal.
NOTE
After configuring the ACL resource allocation mode, save the configuration, and restart the
device for the configuration to take effect.
----End
2.11.6 Clearing ACL or ACL6 Statistics
Context
NOTICE
The deleted ACL or ACL6 statistics cannot be restored. Exercise caution when you
run the command.
Procedure
● Run the reset acl counter { name acl-name | acl-number | all } command in
the user view to clear ACL statistics.
● Run the reset acl ipv6 counter { name acl6-name | acl6-number | all }
command in the user view to clear ACL6 statistics.
----End
2.12 Configuration Examples for ACLs
2.12.1 Example for Using Basic ACLs to Restrict FTP Access
Rights
Networking Requirements
As shown in Figure 2-6, the Switch functions as an FTP server. The requirements
are as follows:
● All the users on subnet 1 (172.16.105.0/24) are allowed to access the FTP
server anytime.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 74
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
● All the users on subnet 2 (172.16.107.0/24) are allowed to access the FTP
server only during the specified period of time.
● Other users are not allowed to access the FTP server.
Reachable routes exist between the Switch and subnets. You need to configure the
Switch to limit user access to the FTP server.
Figure 2-6 Using basic ACLs to restrict FTP access rights
Configuration Roadmap
The following configurations are performed on the Switch. The configuration
roadmap is as follows:
1. Configure time ranges and ACLs so that the device can filter user packets to
control FTP access rights of different users.
2. Configure basic FTP functions.
3. Apply the ACL to the FTP module to make the ACL take effect.
Procedure
Step 1 Configure time ranges.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] time-range ftp-access from 0:0 2014/1/1 to 23:59 2014/12/31
[Switch] time-range ftp-access 14:00 to 18:00 off-day
Step 2 Configure a basic ACL.
[Switch] acl number 2001
[Switch-acl-basic-2001] rule permit source 172.16.105.0 0.0.0.255
[Switch-acl-basic-2001] rule permit source 172.16.107.0 0.0.0.255 time-range ftp-access
[Switch-acl-basic-2001] rule deny source any
[Switch-acl-basic-2001] quit
Step 3 Configure basic FTP functions.
[Switch] ftp server-source -i vlanif 10 //Assume that the client uses the IP address 172.16.104.110 to
connect to the server, and the interface using this IP address is Vlanif 10.
[Switch] ftp server enable
[Switch] aaa
[Switch-aaa] local-user test password irreversible-cipher SetUserPasswd@123
[Switch-aaa] local-user test privilege level 15
[Switch-aaa] local-user test service-type ftp
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 75
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
[Switch-aaa] local-user test ftp-directory flash:
[Switch-aaa] quit
Step 4 Apply the ACL to the FTP server for access permission control.
[Switch] ftp acl 2001
Step 5 Verify the configuration.
Run the ftp 172.16.104.110 command on PC1 (172.16.105.111/24) in subnet 1.
PC1 can connect to the FTP server.
Run the ftp 172.16.104.110 command on PC2 (172.16.107.111/24) in subnet 2 on
Monday in 2014. PC2 cannot connect to the FTP server. Run the ftp
172.16.104.110 command on PC2 (172.16.107.111/24) in subnet 2 at 15:00 on
Saturday in 2014. PC2 can connect to the FTP server.
Run the ftp 172.16.104.110 command on PC3 (10.10.10.1/24). PC3 cannot
connect to the FTP server.
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
FTP server enable
FTP server-source -i vlanif 10
FTP acl 2001
#
time-range ftp-access 14:00 to 18:00 off-day
time-range ftp-access from 00:00 2014/1/1 to 23:59 2014/12/31
#
acl number 2001
rule 5 permit source 172.16.105.0 0.0.0.255
rule 10 permit source 172.16.107.0 0.0.0.255 time-range ftp-access
rule 15 deny
#
aaa
local-user test password irreversible-cipher $1a$a/sUWg/.p1*))=~SWzIRS0N",`&aS%'7X).m=o[PkQcv"!!
TTQOI~Z)C'1<9$
local-user test privilege level 15
local-user test ftp-directory flash:
local-user test service-type ftp
#
return
2.12.2 Example for Using Basic ACLs to Control Telnet Login
Rights
Networking Requirements
As shown in Figure 2-7, the PC and device are reachable to each other. Users
require that the device be remotely configured and easily managed. To meet the
requirement, configure AAA authentication for Telnet users on the server and
configure a security policy to allow only users meeting the policy to log in to the
device.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 76
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Figure 2-7 Networking diagram for configuring Telnet login
Configuration Roadmap
The configuration roadmap is as follows:
1. Log in to the device using Telnet to remotely maintain the device.
2. Configure the administrator user name and password, and configure an AAA
authentication policy to ensure that only users passing the authentication can
log in to the device.
3. Configure a security policy to ensure that only users meeting the policy can
log in to the device.
Procedure
Step 1 Enable the server function.
<HUAWEI> system-view
[HUAWEI] sysname Telnet_Server
[Telnet_Server] telnet server-source -i Vlanif 10 //Assume that the client uses the IP address
10.137.217.177 to connect to the server, and the interface using this IP address is Vlanif 10.
[Telnet_Server] telnet server enable
Step 2 Set parameters for the VTY user interface.
# Set the maximum number of VTY user interfaces.
[Telnet_Server] user-interface maximum-vty 15
# Specify the IP address of the host allowed to log in to the device.
[Telnet_Server] acl 2001
[Telnet_Server-acl-basic-2001] rule permit source 10.1.1.1 0
[Telnet_Server-acl-basic-2001] quit
[Telnet_Server] user-interface vty 0 14
[Telnet_Server-ui-vty0-14] protocol inbound telnet
[Telnet_Server-ui-vty0-14] acl 2001 inbound
# Set terminal attributes for the VTY user interface.
[Telnet_Server-ui-vty0-14] shell
[Telnet_Server-ui-vty0-14] idle-timeout 20
[Telnet_Server-ui-vty0-14] screen-length 0
[Telnet_Server-ui-vty0-14] history-command max-size 20
# Set an authentication mode for the VTY user interface.
[Telnet_Server-ui-vty0-14] authentication-mode aaa
[Telnet_Server-ui-vty0-14] quit
Step 3 Configure the login user information.
# Set an authentication mode for login users.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 77
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
[Telnet_Server] aaa
[Telnet_Server-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789
[Telnet_Server-aaa] local-user admin1234 service-type telnet
[Telnet_Server-aaa] local-user admin1234 privilege level 3
[Telnet_Server-aaa] quit
Step 4 Log in to the client.
Run commands on the Windows Command Prompt of the PC to log in to the
device using Telnet.
C:\Documents and Settings\Administrator> telnet 10.137.217.177
Press Enter, and enter the configured user name and password in the login
window. If authentication succeeds, the CLI is displayed, indicating that you have
successfully logged in to the device. (The following information is only for
reference.)
Login authentication
Username:admin1234
Password:
Info: The max number of VTY users is 8, and the number
of current VTY users on line is 2.
The current login time is 2012-08-06 18:33:18+00:00.
<Telnet_Server>
----End
Configuration File
Telnet_Server configuration file
#
sysname Telnet_Server
#
telnet server enable
telnet server-source -i Vlanif 10
#
acl number 2001
rule 5 permit source 10.1.1.1 0
#
aaa
local-user admin1234 password irreversible-cipher $1a$aVW8S=aP=B<OWi1Bu'^R[=_!~oR*85r_nNY+kA(I}
[TiLiVGR-i/'DFGAI-O$
local-user admin1234 privilege level 3
local-user admin1234 service-type telnet
#
user-interface maximum-vty 15
user-interface vty 0 14
acl 2001 inbound
authentication-mode aaa
history-command max-size 20
idle-timeout 20 0
screen-length 0
protocol inbound telnet
#
return
2.12.3 Example for Applying Basic ACLs to SNMP to Filter
NMSs
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 78
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Networking Requirements
As shown in Figure 2-8, two NMSs are available on the network to monitor
network devices. The network size is small and the network has a high security
level. Therefore, the administrator requires that only the trusted NMS (NMS2)
manage network devices and the Switch use SNMPv1 to communicate with the
NMS. Unauthorized NMSs cannot manage the Switch. According to service
requirements, the administrator allows the NMS to manage the objects on the
Switch except RMON, and the administrator needs to locate and rectify faults
quickly through the NMS.
Figure 2-8 Applying basic ACLs to SNMP to filter NMSs
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the SNMP version on the Switch to SNMPv1.
2. Configure the ACL, MIB view, and community name to control the access
rights of NMSs. NMS2 can only manage the objects on the Switch except
RMON, and NMS1 cannot manage the Switch.
3. Configure the trap host for the Switch to deliver traps generated on the
Switch to NMS2. To help quickly identify faults according to trap messages
and reduce useless traps, configure the Switch to send only the traps of the
modules enabled by default.
4. Configure NMS2.
Procedure
Step 1 Configure an IP address for an interface of the Switch to provide a reachable route
between the NMS and the Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type hybrid
[Switch-GigabitEthernet0/0/1] port hybrid pvid vlan 100
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 79
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
[Switch-GigabitEthernet0/0/1] port hybrid untagged vlan 100
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.1.2.1 24
[Switch-Vlanif100] quit
Step 2 Configure the interface can receive and respond to NMS request packets on the
Switch.
[Switch] snmp-agent protocol source-interface vlanif 100
Step 3 Set the SNMP version on the Switch to SNMPv1.
[Switch] snmp-agent sys-info version v1
Step 4 Configure the access rights.
# Configure an ACL that allows NMS2 to manage the Switch and prevents NMS1
from managing the Switch.
[Switch] acl 2001
[Switch-acl-basic-2001] rule 5 permit source 10.1.1.2 0.0.0.0
[Switch-acl-basic-2001] rule 6 deny source 10.1.1.1 0.0.0.0
[Switch-acl-basic-2001] quit
# Configure the MIB view to allow NMS2 to manage all MIB objects on the Switch
except RMON objects.
[Switch] snmp-agent mib-view excluded allextrmon 1.3.6.1.2.1.16
# Configure a community name and reference the ACL and MIB view for the
community.
[Switch] snmp-agent community write adminnms2 mib-view allextrmon acl 2001
Step 5 Configure the trap host.
[Switch] snmp-agent target-host trap address udp-domain 10.1.1.2 params securityname adminnms2
Step 6 Configure NMS2.
You must set a read-write community name for an NMS running SNMPv1. For
details about the NMS configuration, see the manual of the NMS.
NOTE
The authentication parameter configuration on the NMS must be the same as that on the
Switch. Otherwise, the NMS cannot manage the Switch. If only the write community name
is configured on the device, the read and write community names on the NMS must be the
same as the write community name configured on the device.
Step 7 Verify the configuration.
After completing the configuration, run the following commands to verify that the
configurations have taken effect.
# View the SNMP version.
[Switch] display snmp-agent sys-info version
SNMP version running in the system:
Polling: SNMPv1:enable, SNMPv2c:disable,
SNMPv3:disable
Trap : SNMPv1:enable, SNMPv2c:disable,
SNMPv3:disable
# View the configuration of the target host used to receive traps.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 80
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
[Switch] display snmp-agent target-host
Target-host NO. 1
-----------------------------------------------------------
IP-address : 10.1.1.2
Domain :-
Source interface : -
VPN instance : -
Security name : %^%#uq/!YZfvW4*vf[~C|.:Cl}UqS(vXd#wwqR~5M(rU%%^%#
Port : 162
Type : trap
Version : v1
Level : No authentication and privacy
NMS type : NMS
With ext-vb : No
-----------------------------------------------------------
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 100
#
acl number 2001
rule 5 permit source 10.1.1.2 0
rule 6 deny source 10.1.1.1 0
#
interface Vlanif100
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
snmp-agent
snmp-agent local-engineid 800007DB03360102101100
snmp-agent community write cipher %^%#.T|&Whvyf$<Gd"I,wXi5SP_6~Nakk6<<+3H:N-h@aJ6d,l0md
%HCeAY8~>X=>xV\JKNAL=124r839v<*%^%# mib-view allextrmon acl 2001
snmp-agent sys-info version v1 v3
snmp-agent target-host trap address udp-domain 10.1.1.2 params securityname cipher %^%#uq/!
YZfvW4*vf[~C|.:Cl}UqS(vXd#wwqR~5M(rU%%^%#
snmp-agent mib-view excluded allextrmon rmon
snmp-agent protocol source-interface Vlanif100
#
return
2.12.4 Example for Using Basic ACLs to Filter OSPF Routes
Networking Requirements
Figure 2-9 shows how on an OSPF network, SwitchA receives routes from the
Internet and provides these routes for the OSPF network. A user wants devices on
the OSPF network to access only the network segments 172.16.17.0/24,
172.16.18.0/24, and 172.16.19.0/24, and SwitchC to access only the network
segment 172.16.18.0/24.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 81
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Figure 2-9 Networking diagram for filtering the received and advertised routes
Device Interface VLANIF Interface IP Address
SwitchA GE0/0/1 VLANIF10 192.168.1.1/24
SwitchB GE0/0/1 VLANIF10 192.168.1.2/24
SwitchB GE0/0/2 VLANIF20 192.168.2.1/24
SwitchC GE0/0/1 VLANIF20 192.168.2.2/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an ACL on SwitchA so that SwitchA advertises only the routes
172.16.17.0/24, 172.16.18.0/24, and 172.16.19.0/24 to SwitchB. In this case,
the OSPF network can access only 172.16.17.0/24, 172.16.18.0/24, and
172.16.19.0/24.
2. Configure an ACL on SwitchC so that SwitchC receives only the route
172.16.18.0/24. In this case, the network connected to SwitchC can access
only the network segment 172.16.18.0/24.
Procedure
Step 1 Add interfaces to VLANs.
# Configure SwitchA. Ensure that the configurations of SwitchB and SwitchC are
the same as the configuration of SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] quit
Step 2 Assign IP addresses to VLANIF interfaces.
# Configure SwitchA. Ensure that the configurations of SwitchB and SwitchC are
the same as the configuration of SwitchA.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 82
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 192.168.1.1 24
[SwitchA-Vlanif10] quit
Step 3 Configure basic OSPF functions.
# Configure SwitchA.
[SwitchA] ospf
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit
# Configure SwitchB.
[SwitchB] ospf
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit
# Configure SwitchC.
[SwitchC] ospf
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] quit
[SwitchC-ospf-1] quit
Step 4 Configure five static routes on SwitchA and import these routes into OSPF.
[SwitchA] ip route-static 172.16.16.0 24 NULL 0
[SwitchA] ip route-static 172.16.17.0 24 NULL 0
[SwitchA] ip route-static 172.16.18.0 24 NULL 0
[SwitchA] ip route-static 172.16.19.0 24 NULL 0
[SwitchA] ip route-static 172.16.20.0 24 NULL 0
[SwitchA] ospf
[SwitchA-ospf-1] import-route static
[SwitchA-ospf-1] quit
# Check the IP routing table on SwitchB. You can see that the five static routes are
imported into OSPF.
[SwitchB] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 11 Routes : 11
Destination/Mask Proto Pre Cost Flags NextHop Interface
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.16.16.0/24 O_ASE 150 1 D 192.168.1.1 Vlanif10
172.16.17.0/24 O_ASE 150 1 D 192.168.1.1 Vlanif10
172.16.18.0/24 O_ASE 150 1 D 192.168.1.1 Vlanif10
172.16.19.0/24 O_ASE 150 1 D 192.168.1.1 Vlanif10
172.16.20.0/24 O_ASE 150 1 D 192.168.1.1 Vlanif10
192.168.1.0/24 Direct 0 0 D 192.168.1.2 Vlanif10
192.168.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif10
192.168.2.0/24 Direct 0 0 D 192.168.2.1 Vlanif20
192.168.2.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
Step 5 Configure a route advertisement policy.
# Configure ACL 2002 on SwitchA to allow only 172.16.17.0/24, 172.16.18.0/24,
and 172.16.19.0/24 to pass.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 83
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
[SwitchA] acl number 2002
[SwitchA-acl-basic-2002] rule permit source 172.16.17.0 0.0.0.255
[SwitchA-acl-basic-2002] rule permit source 172.16.18.0 0.0.0.255
[SwitchA-acl-basic-2002] rule permit source 172.16.19.0 0.0.0.255
[SwitchA-acl-basic-2002] quit
# Configure a route advertisement policy on SwitchA and associate ACL 2002 with
the policy to filter routes.
[SwitchA] ospf
[SwitchA-ospf-1] filter-policy 2002 export static
[SwitchA-ospf-1] quit
# View the IP routing table on SwitchB. SwitchB has received only the three routes
defined in ACL 2002.
[SwitchB] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 9 Routes : 9
Destination/Mask Proto Pre Cost Flags NextHop Interface
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.16.17.0/24 O_ASE 150 1 D 192.168.1.1 Vlanif10
172.16.18.0/24 O_ASE 150 1 D 192.168.1.1 Vlanif10
172.16.19.0/24 O_ASE 150 1 D 192.168.1.1 Vlanif10
192.168.1.0/24 Direct 0 0 D 192.168.1.2 Vlanif10
192.168.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif10
192.168.2.0/24 Direct 0 0 D 192.168.2.1 Vlanif20
192.168.2.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
Step 6 Configure a route receiving policy.
# Configure ACL 2003 on SwitchC to allow only 172.16.18.0/24 to pass.
[SwitchC] acl number 2003
[SwitchC-acl-basic-2003] rule permit source 172.16.18.0 0.0.0.255
[SwitchC-acl-basic-2003] quit
# Configure a route receiving policy on SwitchC and associate ACL 2003 with the
policy to filter routes.
[SwitchC] ospf
[SwitchC-ospf-1] filter-policy 2003 import
[SwitchC-ospf-1] quit
# View the IP routing table on SwitchC. SwitchC has received only the route
defined in ACL 2003.
[SwitchC] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 5 Routes : 5
Destination/Mask Proto Pre Cost Flags NextHop Interface
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.16.18.0/24 O_ASE 150 1 D 192.168.2.1 Vlanif20
192.168.2.0/24 Direct 0 0 D 192.168.2.2 Vlanif20
192.168.2.2/32 Direct 0 0 D 127.0.0.1 Vlanif20
----End
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 84
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10
#
acl number 2002
rule 5 permit source 172.16.17.0 0.0.0.255
rule 10 permit source 172.16.18.0 0.0.0.255
rule 15 permit source 172.16.19.0 0.0.0.255
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
ospf 1
filter-policy 2002 export static
import-route static
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
ip route-static 172.16.16.0 255.255.255.0 NULL0
ip route-static 172.16.17.0 255.255.255.0 NULL0
ip route-static 172.16.18.0 255.255.255.0 NULL0
ip route-static 172.16.19.0 255.255.255.0 NULL0
ip route-static 172.16.20.0 255.255.255.0 NULL0
#
return
● Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 10 20
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
● Configuration file of SwitchC
#
sysname SwitchC
#
vlan batch 20
#
acl number 2003
rule 5 permit source 172.16.18.0 0.0.0.255
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 85
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
#
interface Vlanif20
ip address 192.168.2.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1
filter-policy 2003 import
area 0.0.0.0
network 192.168.2.0 0.0.0.255
#
return
2.12.5 Example for Using Advanced ACLs to Restrict Mutual
Access Between Network Segments
Networking Requirements
As shown in Figure 2-10, the departments of an enterprise are connected through
the Switch. To facilitate network management, the administrator allocates the IP
addresses on two network segments to the R&D and marketing departments,
respectively. In addition, the administrator adds the two departments to different
VLANs for broadcast domain isolation. The Switch needs to restrict mutual access
between two network segments to ensure information security.
Figure 2-10 Using advanced ACLs to restrict mutual access between network
segments
Configuration Roadmap
The following configurations are performed on the Switch. The configuration
roadmap is as follows:
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 86
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
1. Configure an advanced ACL and an ACL-based traffic classifier to filter the
packets exchanged between R&D and marketing departments.
2. Configure a traffic behavior to discard the packets matching the ACL.
3. Configure and apply a traffic policy to make the ACL and traffic behavior take
effect.
Procedure
Step 1 Configure VLANs and IP addresses for interfaces to ensure network connections.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
# Configure GE0/0/1 and GE0/0/2 on the Switch as trunk interfaces, and add the
two interfaces to VLAN 10 and VLAN 20, respectively.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 20
[Switch-GigabitEthernet0/0/2] quit
# Create VLANIF 10 and VLANIF 20, and assign IP addresses to them.
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.1.1 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.2.1 24
[Switch-Vlanif20] quit
Step 2 Configure ACLs.
# Create the advanced ACL 3001, and block packets from one department to
another department. In this example, configure rules for the ACL to block the
packets from the R&D department to the marketing department.
[Switch] acl 3001
[Switch-acl-adv-3001] rule deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[Switch-acl-adv-3001] quit
Step 3 Configure an advanced ACL-based traffic classifier.
# Configure the traffic classifier tc1 to classify packets that match ACL 3001.
[Switch] traffic classifier tc1
[Switch-classifier-tc1] if-match acl 3001
[Switch-classifier-tc1] quit
Step 4 Configure a traffic behavior.
# Configure the traffic behavior tb1 to reject packets.
[Switch] traffic behavior tb1
[Switch-behavior-tb1] deny
[Switch-behavior-tb1] quit
Step 5 Configure a traffic policy.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 87
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
# Define the traffic policy, and associate the traffic classifier and traffic behavior
with the traffic policy.
[Switch] traffic policy tp1
[Switch-trafficpolicy-tp1] classifier tc1 behavior tb1
[Switch-trafficpolicy-tp1] quit
Step 6 Apply the traffic policy to interfaces.
# Packets from the R&D department are received by GE0/0/1. Therefore, apply the
traffic policy to the inbound direction of GE0/0/1.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] traffic-policy tp1 inbound
[Switch-GigabitEthernet0/0/1] quit
Step 7 Verify the configuration.
# Check the configuration of ACL rules.
[Switch] display acl 3001
Advanced ACL 3001, 1 rule
Acl's step is 5
rule 5 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
# Check the configuration of the traffic classifier.
[Switch] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: tc1
Operator: OR
Rule(s) : if-match acl 3001
Total classifier number is 1
# Check the configuration of the traffic policy.
[Switch] display traffic policy user-defined tp1
User Defined Traffic Policy Information:
Policy: tp1
Classifier: tc1
Operator: OR
Behavior: tb1
Deny
# The two network segments where the R&D and marketing departments reside
cannot access each other.
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20
#
acl number 3001
rule 5 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
traffic classifier tc1 operator or
if-match acl 3001
#
traffic behavior tb1
deny
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 88
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
#
traffic policy tp1 match-order config
classifier tc1 behavior tb1
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
traffic-policy tp1 inbound
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
return
Related Content
Videos
Configure ACL
2.12.6 Example for Using Advanced ACLs to Implement
Unidirectional Access Control
Networking Requirements
As shown in Figure 2-11, different offices of an enterprise are connected through
SwitchC. To facilitate network management, the administrator allocates the IP
addresses on two network segments to the president's office and employee's
office, respectively. In addition, the administrator adds the two offices to different
VLANs for broadcast domain isolation. The president's office must be able to
access the employee's office, but the employee's office is not allowed to access the
president's office to protect the enterprise's confidential information.
Figure 2-11 Using advanced ACLs to implement unidirectional access control
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 89
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Configuration Roadmap
1. Configure an advanced ACL and ACL-based traffic classifier to restrict ICMP
and TCP services so that unidirectional access from the president's office to
the employee's office can be implemented.
– TCP service: permits SYN and ACK packets from the employee's office to
the president's office, that is, responds to TCP connections initiated by the
president's office; denies SYN request packets from the employee's office
to the president's office to prevent the employee's office from initiating
TCP connections.
– ICMP service: denies echo request packets from the employee's office to
the president's office to prevent the employee's office from initiating ping
connectivity tests.
NOTE
Unidirectional access cannot be implemented for UDP services.
2. Configure a traffic behavior so that packets matching ACL rules are forwarded
based on the original policy.
3. Configure and apply a traffic policy to make the ACL and traffic behavior take
effect.
Procedure
Step 1 Configure IP addresses for interfaces and add the interfaces to VLANs.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] vlan batch 10 20
# Configure GE0/0/1 and GE0/0/2 on the SwitchC as trunk interfaces and add
them to VLAN 10 and VLAN 20, respectively.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] port link-type trunk
[SwitchC-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] port link-type trunk
[SwitchC-GigabitEthernet0/0/2] port trunk allow-pass vlan 20
[SwitchC-GigabitEthernet0/0/2] quit
# Create VLANIF 10 and VLANIF 20, and assign IP addresses to them.
[SwitchC] interface vlanif 10
[SwitchC-Vlanif10] ip address 10.1.1.1 24
[SwitchC-Vlanif10] quit
[SwitchC] interface vlanif 20
[SwitchC-Vlanif20] ip address 10.1.2.1 24
[SwitchC-Vlanif20] quit
Step 2 Configure an ACL.
# Create advanced ACL 3001 and configure ACL rules.
[SwitchC] acl 3001
[SwitchC-acl-adv-3001] rule permit tcp source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 tcp-flag
syn ack
[SwitchC-acl-adv-3001] rule deny tcp source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 tcp-flag syn
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 90
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
[SwitchC-acl-adv-3001] rule deny icmp source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 icmp-
type echo
[SwitchC-acl-adv-3001] quit
Step 3 Configure a traffic classifier based on the advanced ACL.
# Configure the traffic classifier tc1 to classify packets that match ACL 3001.
[SwitchC] traffic classifier tc1
[SwitchC-classifier-tc1] if-match acl 3001
[SwitchC-classifier-tc1] quit
Step 4 Configure a traffic behavior.
# Configure the traffic behavior tb1.
[SwitchC] traffic behavior tb1
[SwitchC-behavior-tb1] permit
[SwitchC-behavior-tb1] quit
Step 5 Configure a traffic policy.
# Define a traffic policy, and associate the traffic classifier and traffic behavior
with the traffic policy.
[SwitchC] traffic policy tp1
[SwitchC-trafficpolicy-tp1] classifier tc1 behavior tb1
[SwitchC-trafficpolicy-tp1] quit
Step 6 Apply the traffic policy to an interface.
# Apply the traffic policy in the inbound direction of GE0/0/2.
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] traffic-policy tp1 inbound
[SwitchC-GigabitEthernet0/0/2] quit
Step 7 Verify the configuration.
# Check the ACL configuration.
[SwitchC] display acl 3001
Advanced ACL 3001, 3 rules
Acl's step is 5
rule 5 permit tcp source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 tcp-flag ack syn
rule 10 deny tcp source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 tcp-flag syn
rule 15 deny icmp source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 icmp-type echo
# Check the traffic classifier configuration.
[SwitchC] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: tc1
Operator: OR
Rule(s) : if-match acl 3001
Total classifier number is 1
# Check the traffic policy configuration.
[SwitchC] display traffic policy user-defined tp1
User Defined Traffic Policy Information:
Policy: tp1
Classifier: tc1
Operator: OR
Behavior: tb1
Permit
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 91
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
# The president's office can access the employee's office, but the employee's office
cannot access the president's office.
----End
Configuration Files
SwitchC configuration file
#
sysname SwitchC
#
vlan batch 10 20
#
acl number 3001
rule 5 permit tcp source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 tcp-flag ack syn
rule 10 deny tcp source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 tcp-flag syn
rule 15 deny icmp source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 icmp-type echo
#
traffic classifier tc1 operator or
if-match acl 3001
#
traffic behavior tb1
permit
#
traffic policy tp1 match-order config
classifier tc1 behavior tb1
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
traffic-policy tp1 inbound
#
return
Related Content
Videos
Configure ACL
2.12.7 Example for Using Advanced ACLs to Control Access to
the Specified Server in the Specified Time Range
Networking Requirements
As shown in Figure 2-12, the departments of an enterprise are connected through
the Switch. The R&D and marketing departments cannot access the salary query
server at 10.164.9.9 in work hours (08:00 to 17:30), whereas the president office
can access the server at anytime.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 92
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Figure 2-12 Using advanced ACLs to control access to the specified server in the
specified time range
Configuration Roadmap
The following configurations are performed on the Switch. The configuration
roadmap is as follows:
1. Configure the time range, advanced ACL, and ACL-based traffic classifier to
filter packets from users to the server in the specified time range. In this way,
you can restrict the access of different users to the server in the specified time
range.
2. Configure a traffic behavior to discard the packets matching the ACL.
3. Configure and apply a traffic policy to make the ACL and traffic behavior take
effect.
Procedure
Step 1 Add interfaces to VLANs and assign IP addresses to the VLANIF interfaces.
# Add GE0/0/1 throughGE0/0/3 to VLANs 10, 20, and 30, respectively, add
GE0/0/4 to VLAN 100, and assign IP addresses to these VLANIF interfaces. The
configurations on GE0/0/1 and VLANIF 10 are used as an example here. The
configurations on GE0/0/2, GE0/0/3, and GE0/0/4 are similar to those on GE0/0/1,
and the configurations on VLANIF 20, VLANIF 30, and VLANIF 100 are similar to
those on VLANIF 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 93
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.164.1.1 255.255.255.0
[Switch-Vlanif10] quit
Step 2 Configure a time range.
# Configure the time range from 8:00 to 17:30.
[Switch] time-range satime 8:00 to 17:30 working-day
Step 3 Configure ACLs.
# Configure an ACL for the marketing department to access the salary query
server.
[Switch] acl 3002
[Switch-acl-adv-3002] rule deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range
satime
[Switch-acl-adv-3002] quit
# Configure an ACL for the R&D department to access the salary query server.
[Switch] acl 3003
[Switch-acl-adv-3003] rule deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range
satime
[Switch-acl-adv-3003] quit
Step 4 Configure ACL-based traffic classifiers.
# Configure the traffic classifier c_market to classify the packets that match ACL
3002.
[Switch] traffic classifier c_market
[Switch-classifier-c_market] if-match acl 3002
[Switch-classifier-c_market] quit
# Configure the traffic classifier c_rd to classify the packets that match ACL 3003.
[Switch] traffic classifier c_rd
[Switch-classifier-c_rd] if-match acl 3003
[Switch-classifier-c_rd] quit
Step 5 Configure traffic behaviors.
# Configure the traffic behavior b_market to reject packets.
[Switch] traffic behavior b_market
[Switch-behavior-b_market] deny
[Switch-behavior-b_market] quit
# Configure the traffic behavior b_rd to reject packets.
[Switch] traffic behavior b_rd
[Switch-behavior-b_rd] deny
[Switch-behavior-b_rd] quit
Step 6 Configure traffic policies.
# Configure the traffic policy p_market, and associate the traffic classifier
c_market and the traffic behavior b_market with the traffic policy.
[Switch] traffic policy p_market
[Switch-trafficpolicy-p_market] classifier c_market behavior b_market
[Switch-trafficpolicy-p_market] quit
# Configure the traffic policy p_rd, and associate the traffic classifier c_rd and the
traffic behavior b_rd with the traffic policy.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 94
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
[Switch] traffic policy p_rd
[Switch-trafficpolicy-p_rd] classifier c_rd behavior b_rd
[Switch-trafficpolicy-p_rd] quit
Step 7 Apply the traffic policy.
# Packets from the marketing department are received by GE0/0/2, so apply the
traffic policy p_market to the inbound direction of GE0/0/2.
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] traffic-policy p_market inbound
[Switch-GigabitEthernet0/0/2] quit
# Packets from the R&D department are received by GE0/0/3, so apply the traffic
policy p_rd to the inbound direction of GE0/0/3.
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] traffic-policy p_rd inbound
[Switch-GigabitEthernet0/0/3] quit
Step 8 Verify the configuration.
# Check the configuration of ACL rules.
[Switch] display acl all
Total nonempty ACL number is 2
Advanced ACL 3002, 1 rule
Acl's step is 5
rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime (Active)
Advanced ACL 3003, 1 rule
Acl's step is 5
rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime (Active)
# Check the configuration of traffic classifiers.
[Switch] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: c_market
Operator: OR
Rule(s) : if-match acl 3002
Classifier: c_rd
Operator: OR
Rule(s) : if-match acl 3003
Total classifier number is 2
# Check the configuration of traffic policies.
[Switch] display traffic policy user-defined
User Defined Traffic Policy Information:
Policy: p_market
Classifier: c_market
Operator: OR
Behavior: b_market
Deny
Policy: p_rd
Classifier: c_rd
Operator: OR
Behavior: b_rd
Deny
Total policy number is 2
# Check the traffic policy use records.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 95
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
[Switch] display traffic-policy applied-record
#
-------------------------------------------------
Policy Name: p_market
Policy Index: 0
Classifier:c_market Behavior:b_market
-------------------------------------------------
*interface GigabitEthernet0/0/2
traffic-policy p_market inbound
slot 0 : success
-------------------------------------------------
Policy total applied times: 1.
#
-------------------------------------------------
Policy Name: p_rd
Policy Index: 1
Classifier:c_rd Behavior:b_rd
-------------------------------------------------
*interface GigabitEthernet0/0/3
traffic-policy p_rd inbound
slot 0 : success
-------------------------------------------------
Policy total applied times: 1.
#
# The R&D and marketing departments cannot access the salary query server
during work hours (08:00 to 17:30).
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20 30 100
#
time-range satime 08:00 to 17:30 working-day
#
acl number 3002
rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
acl number 3003
rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
#
traffic classifier c_market operator or
if-match acl 3002
traffic classifier c_rd operator or
if-match acl 3003
#
traffic behavior b_market
deny
traffic behavior b_rd
deny
#
traffic policy p_market match-order config
classifier c_market behavior b_market
traffic policy p_rd match-order config
classifier c_rd behavior b_rd
#
interface Vlanif10
ip address 10.164.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.164.2.1 255.255.255.0
#
interface Vlanif30
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 96
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
ip address 10.164.3.1 255.255.255.0
#
interface Vlanif100
ip address 10.164.9.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
traffic-policy p_market inbound
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 30
traffic-policy p_rd inbound
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 100
#
return
2.12.8 Example for Using Layer 2 ACLs to Block Network
Access of the Specified Users
Networking Requirements
As shown in Figure 2-13, the Switch that functions as the gateway is connected to
the users' PCs. The administrator wants to block network access of PC1 after
detecting that PC1 (00e0-f201-0101) is unauthorized.
Figure 2-13 Using Layer 2 ACLs to block network access of the specified users
Configuration Roadmap
The following configurations are performed on the Switch. The configuration
roadmap is as follows:
1. Configure a Layer 2 ACL and an ACL-based traffic classifier to discard packets
from the MAC address 00e0-f201-0101 (preventing the user with this MAC
address from accessing the network).
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 97
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
2. Configure a traffic behavior to discard the packets matching the ACL.
3. Configure and apply a traffic policy to make the ACL and traffic behavior take
effect.
Procedure
Step 1 Configure an ACL.
# Configure a Layer 2 ACL to meet the preceding requirement.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] acl 4000
[Switch-acl-L2-4000] rule deny source-mac 00e0-f201-0101 ffff-ffff-ffff
[Switch-acl-L2-4000] quit
Step 2 Configure an ACL-based traffic classifier.
# Configure the traffic classifier tc1 to classify packets that match ACL 4000.
[Switch] traffic classifier tc1
[Switch-classifier-tc1] if-match acl 4000
[Switch-classifier-tc1] quit
Step 3 Configure a traffic behavior.
# Configure the traffic behavior tb1 to reject packets.
[Switch] traffic behavior tb1
[Switch-behavior-tb1] deny
[Switch-behavior-tb1] quit
Step 4 Configure a traffic policy.
# Configure the traffic policy tp1, and associate tc1 and tb1 with the traffic policy.
[Switch] traffic policy tp1
[Switch-trafficpolicy-tp1] classifier tc1 behavior tb1
[Switch-trafficpolicy-tp1] quit
Step 5 Apply the traffic policy.
# Packets from PC1 to the Internet are received by GE0/0/2, so apply the traffic
policy tp1 to the inbound direction of GE0/0/2.
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] traffic-policy tp1 inbound
[Switch-GigabitEthernet0/0/2] quit
Step 6 Verify the configuration.
# Check the configuration of the ACL rule.
[Switch] display acl 4000
L2 ACL 4000, 1 rule
Acl's step is 5
rule 5 deny source-mac 00e0-f201-0101
# Check the configuration of the traffic classifier.
[Switch] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: tc1
Operator: OR
Rule(s) : if-match acl 4000
Total classifier number is 1
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 98
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
# Check the configuration of the traffic policy.
[Switch] display traffic policy user-defined tp1
User Defined Traffic Policy Information:
Policy: tp1
Classifier: tc1
Operator: OR
Behavior: tb1
Deny
# Check the traffic policy use record.
[Switch] display traffic-policy applied-record
#
-------------------------------------------------
Policy Name: tp1
Policy Index: 0
Classifier:tc1 Behavior:tb1
-------------------------------------------------
*interface GigabitEthernet0/0/2
traffic-policy tp1 inbound
slot 0 : success
-------------------------------------------------
Policy total applied times: 1.
#
# The user with the MAC address 00e0-f201-0101 cannot access the Internet.
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
acl number 4000
rule 5 deny source-mac 00e0-f201-0101
#
traffic classifier tc1 operator or
if-match acl 4000
#
traffic behavior tb1
deny
#
traffic policy tp1 match-order config
classifier tc1 behavior tb1
#
interface GigabitEthernet0/0/2
traffic-policy tp1 inbound
#
return
2.12.9 Example for Using Layer 2 ACLs in QoS to Implement
Traffic Policing
Networking Requirements
Voice, video, and data services are transmitted in VLAN 120, VLAN 110, and VLAN
100 respectively.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 99
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Traffic policing needs to be configured on the Switch to police packets of different
services so that traffic is limited within a proper range and bandwidth of each
service is guaranteed.
Table 2-16 describes QoS required by different services.
Table 2-16 QoS guarantee for uplink traffic on the Switch
Traffic Type CIR (kbit/s) PIR (kbit/s)
Voice 2000 10000
Video 4000 10000
Data 4000 10000
Figure 2-14 Networking of traffic policing
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces so that users can access the Internet
through the Switch.
2. Configure ACLs on the Switch to match services from different VLANs.
3. Configure ACL-based traffic policing on the Switch to rate-limit packets.
Procedure
Step 1 Create VLANs and configure interfaces.
# Create VLAN 100, VLAN 110, and VLAN 120 on the Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 110 120
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 100
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
# Configure GE0/0/1 and GE0/0/2 as trunk interfaces, and add GE0/0/1 and
GE0/0/2 to VLAN 100, VLAN 110, and VLAN 120.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 110 120
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 110 120
[Switch-GigabitEthernet0/0/2] quit
Step 2 Configure ACLs.
# Configure Layer 2 ACLs on the Switch to classify different service flows based on
the VLAN ID.
[Switch] acl 4001
[Switch-acl-L2-4001] rule 1 permit vlan-id 120
[Switch-acl-L2-4001] quit
[Switch] acl 4002
[Switch-acl-L2-4002] rule 1 permit vlan-id 110
[Switch-acl-L2-4002] quit
[Switch] acl 4003
[Switch-acl-L2-4003] rule 1 permit vlan-id 100
[Switch-acl-L2-4003] quit
Step 3 Configure traffic policing.
# Configure traffic policing in the inbound direction of GE0/0/1 on the Switch to
rate-limit different packets.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] traffic-limit inbound acl 4001 cir 2000 pir 10000
[Switch-GigabitEthernet0/0/1] traffic-limit inbound acl 4002 cir 4000 pir 10000
[Switch-GigabitEthernet0/0/1] traffic-limit inbound acl 4003 cir 4000 pir 10000
[Switch-GigabitEthernet0/0/1] quit
Step 4 Verify the configuration.
# Check information about ACLs and actions on the interface in the inbound
direction.
[Switch] display traffic-applied interface gigabitethernet 0/0/1 inbound
-----------------------------------------------------------
ACL applied inbound interface GigabitEthernet0/0/1
ACL 4001
rule 1 permit vlan-id 120
ACTIONS:
limit cir 2000 ,cbs 250000
pir 10000 ,pbs 1250000
green : pass
yellow : pass
red : drop
-----------------------------------------------------------
ACL 4002
rule 1 permit vlan-id 110
ACTIONS:
limit cir 4000 ,cbs 500000
pir 10000 ,pbs 1250000
green : pass
yellow : pass
red : drop
-----------------------------------------------------------
ACL 4003
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 101
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
rule 1 permit vlan-id 100
ACTIONS:
limit cir 4000 ,cbs 500000
pir 10000 ,pbs 1250000
green : pass
yellow : pass
red : drop
-----------------------------------------------------------
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 100 110 120
#
acl number 4001
rule 1 permit vlan-id 120
acl number 4002
rule 1 permit vlan-id 110
acl number 4003
rule 1 permit vlan-id 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 110 120
traffic-limit inbound acl 4001 cir 2000 pir 10000 cbs 250000 pbs 1250000
traffic-limit inbound acl 4002 cir 4000 pir 10000 cbs 500000 pbs 1250000
traffic-limit inbound acl 4003 cir 4000 pir 10000 cbs 500000 pbs 1250000
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 110 120
#
return
2.12.10 Example for Using User-Defined ACLs to Filter the
Specified Packets
Networking Requirements
As shown in Figure 2-15, users are connected to the Switch through GE0/0/1. The
Switch needs to discard certain packets (with four bytes following the 14th byte in
the Layer 2 header being 0x0180C200) sent by users.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 102
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Figure 2-15 Using user-defined ACLs to filter the specified packets
Configuration Roadmap
The following configurations are performed on the Switch. The configuration
roadmap is as follows:
1. Configure a user-defined ACL and an ACL-based traffic classifier to filter
certain packets (with four bytes following the 14th byte in the Layer 2 header
being 0x0180C200).
2. Configure a traffic behavior to discard the packets matching the ACL.
3. Configure and apply a traffic policy to make the ACL and traffic behavior take
effect.
Procedure
Step 1 Configure an ACL.
# Configure a user-defined ACL.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] acl 5000
[Switch-acl-user-5000] rule deny l2-head 0x0180C200 0xFFFFFFFF 14
[Switch-acl-user-5000] quit
Step 2 Creating a traffic classifier based on the user-defined ACL.
# Configure the traffic classifier tc1 to classify packets that match ACL 5000.
[Switch] traffic classifier tc1
[Switch-classifier-tc1] if-match acl 5000
[Switch-classifier-tc1] quit
Step 3 Configure a traffic behavior.
# Configure the traffic behavior tb1 to reject packets.
[Switch] traffic behavior tb1
[Switch-behavior-tb1] deny
[Switch-behavior-tb1] quit
Step 4 Configure a traffic policy.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 103
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
# Define the traffic policy, and associate the traffic classifier and traffic behavior
with the traffic policy.
[Switch] traffic policy tp1
[Switch-trafficpolicy-tp1] classifier tc1 behavior tb1
[Switch-trafficpolicy-tp1] quit
Step 5 Apply the traffic policy to an interface.
# Apply the traffic policy to the inbound direction of GE0/0/1.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] traffic-policy tp1 inbound
[Switch-GigabitEthernet0/0/1] quit
Step 6 Verify the configuration.
# Check the configuration of the ACL rule.
[Switch] display acl 5000
User ACL 5000, 1 rule
Acl's step is 5
rule 5 deny 0x0180c200 0xffffffff 14
# Check the configuration of the traffic classifier.
[Switch] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: tc1
Operator: OR
Rule(s) : if-match acl 5000
Total classifier number is 1
# Check the configuration of the traffic policy.
[Switch] display traffic policy user-defined tp1
User Defined Traffic Policy Information:
Policy: tp1
Classifier: tc1
Operator: OR
Behavior: tb1
Deny
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
acl number 5000
rule 5 deny 0x0180c200 0xffffffff 14
#
traffic classifier tc1 operator or
if-match acl 5000
#
traffic behavior tb1
deny
#
traffic policy tp1 match-order config
classifier tc1 behavior tb1
#
interface GigabitEthernet0/0/1
traffic-policy tp1 inbound
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 104
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
#
return
2.12.11 Example for Using User ACLs to Control Network
Access Rights of Enterprise's Internal Users Based on Groups
Networking Requirements
As shown in Figure 2-16, a large number of terminals in an office area of an
enterprise connect to the enterprise internal network through the switch. Some
departments have multiple branches in different locations, so the terminals of the
same department cannot use the IP addresses of the same network segment.
The administrator requires that the switch authenticate the terminals (including
computers and printers) of every department, to prevent unauthorized access. In
addition, due to the differentiated responsibilities, the administrator wants to
grant different network access rights to the users of different department,
avoiding secret information leak caused by mutual access between users.
The following requirements must be met:
● The marketing department cannot access the IT department.
● The R&D department cannot access the IT department.
Figure 2-16 Using user ACLs to control network access rights of enterprise's
internal users based on groups
Configuration Roadmap
The configuration roadmap is as follows:
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 105
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
1. Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain. Bind the RADIUS server template and AAA scheme to
the authentication domain, ensuring that the Switch and RADIUS server can
communicate with each other and terminals can be authenticated by the
RADIUS server.
2. Some terminals cannot have the 802.1X client installed, for example, printers.
To ensure authentication for all types of terminals, configure MAC address
authentication and 802.1X authentication, and configure MAC address
authentication to be used first.
3. Each department has a large number of terminals and the terminals of some
departments the same department are located on different network
segments. The workload will be huge for configuring a network access policy
for the terminals one by one. Therefore, configure a UCL group to classify the
terminals into different types, and associate a user ACL with the UCL group so
that the terminals in each group can share the ACL rules. The workload of
administrator is reduced, and ACL resource use efficiency on the device is
improved.
4. Create service schemes and apply the service schemes to the UCL group to
control the network access right of each department based on groups.
NOTE
This example only provides the configurations on the Switch. The configurations on the LAN
switch and RADIUS server are not provided here.
Procedure
Step 1 Configure VLANs and IP addresses for interfaces to ensure network connections.
# Create VLAN 10, VLAN 20, VLAN 30, and VLAN 40.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 40
# Configure GE0/0/1, GE0/0/2, GE0/0/3, and GE0/0/4 on the Switch as trunk
interfaces, and add the interfaces to VLAN 10, VLAN 20, VLAN 30, and VLAN 40.
Take the configurations on GE0/0/1 as an example. The configurations on
GE0/0/2, GE0/0/3, and GE0/0/4 are similar to those on GE0/0/1, and are not
mentioned here.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/1] quit
# Create VLANIF 10, VLANIF 20, VLANIF 30, and VLANIF 40, and assign IP
addresses to these VLANIF interfaces so that reachable routes can be set up
between the terminals, Switch, and enterprise internal servers.
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 192.168.1.1 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.1 24
[Switch-Vlanif20] quit
[Switch] interface vlanif 30
[Switch-Vlanif30] ip address 192.168.3.1 24
[Switch-Vlanif30] quit
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 106
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
[Switch] interface vlanif 40
[Switch-Vlanif40] ip address 192.168.4.29 24
[Switch-Vlanif40] quit
Step 2 Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain.
# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.4.30 1812
[Switch-radius-rd1] radius-server shared-key cipher test@123
[Switch-radius-rd1] radius-server retransmit 2
[Switch-radius-rd1] quit
# Create the AAA scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit
# Create the authentication domain abc11, and bind the AAA scheme abc and the
RADIUS server template rd1 to the authentication domain.
[Switch-aaa] domain abc11
[Switch-aaa-domain-abc11] authentication-scheme abc
[Switch-aaa-domain-abc11] radius-server rd1
[Switch-aaa-domain-abc11] quit
[Switch-aaa] quit
Step 3 Configure MAC address authentication and 802.1X authentication.
# Set the NAC mode to unified mode.
NOTE
By default, the NAC mode is unified mode, so this step can be skipped.
After the common mode and unified mode are switched, you must restart the device to make
each function take effect in the new mode.
[Switch] authentication unified-mode
# Configure a MAC access profile.
[Switch] mac-access-profile name m1
[Switch-mac-access-profile-m1] mac-authen username fixed A-123 password cipher test123
[Switch-mac-access-profile-m1] quit
# Configure an 802.1X access profile.
NOTE
By default, an 802.1X access profile uses the EAP authentication mode. Ensure that the RADIUS
server supports EAP; otherwise, the server cannot process 802.1X authentication request packets.
[Switch] dot1x-access-profile name d1
[Switch-dot1x-access-profile-d1] quit
# Configure an authentication profile.
[Switch] authentication-profile name p1
[Switch-authen-profile-p1] mac-access-profile m1
[Switch-authen-profile-p1] dot1x-access-profile d1
[Switch-authen-profile-p1] authentication dot1x-mac-bypass
[Switch-authen-profile-p1] quit
# Enable MAC address authentication and 802.1X authentication on GE0/0/1,
GE0/0/2, and GE0/0/3.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 107
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] authentication-profile p1
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] authentication-profile p1
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] authentication-profile p1
[Switch-GigabitEthernet0/0/3] quit
Step 4 Create a UCL group, associate the user ACL with the UCL group, and apply the
user ACL to filter packets.
# Create UCL groups group_m and group_r. Add the marketing department to
group_m and R&D department to group_r.
[Switch] ucl-group 1 name group_m
[Switch] ucl-group 2 name group_r
NOTE
Information about user groups of the marketing and R&D departments must have been
configured on the RADIUS server.
# Create user ACL 6001 and configure ACL rules. Configure rule 5 to prevent the
marketing department from accessing the IT department; configure rule 10 to
prevent the R&D department from accessing the IT department.
[Switch] acl 6001
[Switch-acl-ucl-6001] rule 5 deny ip source ucl-group name group_m destination 192.168.3.0 0.0.0.255
[Switch-acl-ucl-6001] rule 10 deny ip source ucl-group name group_r destination 192.168.3.0 0.0.0.255
[Switch-acl-ucl-6001] quit
# Configure user ACL-based packet filtering to make the user ACL take effect.
[Switch] traffic-filter inbound acl 6001
Step 5 Configure service schemes service-scheme1 and service-scheme2, and apply the
service schemes to UCL groups group_m and group_r to control the network
access right of each department based on groups.
[Switch] aaa
[Switch-aaa] service-scheme service-scheme1
[Switch-aaa-service-service-scheme1] ucl-group name group_m
[Switch-aaa-service-service-scheme1] quit
[Switch-aaa] service-scheme service-scheme2
[Switch-aaa-service-service-scheme2] ucl-group name group_r
[Switch-aaa-service-service-scheme2] quit
[Switch-aaa] quit
[Switch] quit
NOTE
After the preceding steps are complete, configure the RADIUS server to associate the service
schemes with users.
Step 6 Verify the configuration.
# Run the display acl all command to view information about the user ACL.
<Switch> display acl all
Total nonempty ACL number is 1
Ucl-group ACL 6001, 2 rules
Acl's step is 5
rule 5 deny ip source ucl-group name group_m destination 192.168.3.0 0.0.0.255
rule 10 deny ip source ucl-group name group_r destination 192.168.3.0 0.0.0.255
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 108
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
# Run the display ucl-group all command to view information about all UCL
groups.
<Switch> display ucl-group all
ID UCL group name
--------------------------------------------------------------------------------
1 group_m
2 group_r
--------------------------------------------------------------------------------
Total : 2
# Run the display dot1x command to check the 802.1X authentication
configuration. The command output (802.1x protocol is Enabled) shows that the
802.1X authentication has been enabled on the interface GE0/0/1, GE0/0/2, and
GE0/0/3.
# Run the display mac-authen command to check the MAC address
authentication configuration. The command output (MAC address
authentication is enabled) shows that MAC address authentication has been
enabled on the interface GE0/0/1, GE0/0/2, and GE0/0/3.
# The marketing department cannot access the IT department and the R&D
department cannot access the IT department.
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20 30 40
#
authentication-profile name p1
dot1x-access-profile d1
mac-access-profile m1
authentication dot1x-mac-bypass
ucl-group 1 name group_m
ucl-group 2 name group_r
#
radius-server template rd1
radius-server shared-key cipher %^%#zH_B2{mN=177WZ2z+G|5)c'OKD[VaPNYP4>&6uC~%^%#
radius-server authentication 192.168.4.30 1812 weight 80
radius-server retransmit 2
#
acl number 6001
rule 5 deny ip source ucl-group name group_m destination 192.168.3.0 0.0.0.255 rule
10 deny ip source ucl-group name group_r destination 192.168.3.0 0.0.0.255
#
aaa
authentication-scheme abc
authentication-mode radius
service-scheme service-scheme1
ucl-group name group_m
service-scheme service-scheme2
ucl-group name group_r
domain abc11
authentication-scheme abc
radius-server rd1
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 109
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif30
ip address 192.168.3.1 255.255.255.0
#
interface Vlanif40
ip address 192.168.4.29 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
authentication-profile p1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
authentication-profile p1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 30
authentication-profile p1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 40
#
traffic-filter inbound acl 6001
#
dot1x-access-profile name d1
#
mac-access-profile name m1
mac-authen username fixed A-123 password cipher %^%#(!XnF'#X^Sc=[&,fH38!
OKNNEjez>NO`Z*NJK*s4%^%#
#
return
2.12.12 Example for Using Advanced ACL6s to Filter Certain
Types of IPv6 Packets
Networking Requirements
As shown in Figure 2-17, users are connected to the Switch through GE0/0/1. The
Switch needs to block certain types of IPv6 packets from users in which the source
IPv6 address is fc01::2/64 and the destination IPv6 address is fc01::1/64.
Figure 2-17 Using advanced ACL6s to filter certain types of IPv6 packets
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 110
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Configuration Roadmap
The following configurations are performed on the Switch. The configuration
roadmap is as follows:
1. Configure an advanced ACL6 and an ACL6-based traffic classifier to filter the
IPv6 packets in which the source IPv6 address is the host address fc01::2/64
and the destination IPv6 address is fc01::1/64.
2. Configure a traffic behavior to discard the packets matching the ACL6.
3. Configure and apply a traffic policy to make the ACL6 and traffic behavior
take effect.
Procedure
Step 1 Enable the IPv6 forwarding capability, add an interface to a VLAN, and assign an
IPv6 address to the VLANIF interface.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] ipv6
[Switch] vlan batch 10
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ipv6 enable
[Switch-Vlanif10] ipv6 address fc01::1 64
[Switch-Vlanif10] quit
Step 2 Configure an advanced ACL6 and an ACL6-based traffic classifier. Configure a
traffic behavior and traffic policy, and apply the traffic policy to the inbound
direction of GE0/0/1 to reject the IPv6 packets with the source IPv6 address of
fc01::2/64 and the destination IPv6 address of fc01::1/64.
[Switch] acl ipv6 number 3001
[Switch-acl6-adv-3001] rule deny ipv6 source fc01::2/64 destination fc01::1/64
[Switch-acl6-adv-3001] quit
[Switch] traffic classifier class1
[Switch-classifier-class1] if-match ipv6 acl 3001
[Switch-classifier-class1] quit
[Switch] traffic behavior behav1
[Switch-behavior-behav1] deny
[Switch-behavior-behav1] statistic enable
[Switch-behavior-behav1] quit
[Switch] traffic policy policy1
[Switch-trafficpolicy-policy1] classifier class1 behavior behav1
[Switch-trafficpolicy-policy1] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] traffic-policy policy1 inbound
[Switch-GigabitEthernet0/0/1] quit
Step 3 Verify the configuration.
# Check the ACL6 configuration.
[Switch] display acl ipv6 3001
Advanced IPv6 ACL 3001, 1 rule
rule 0 deny ipv6 source FC01::/64 destination FC01::/64
# Check the configuration of the traffic classifier.
[Switch] display traffic classifier user-defined
User Defined Classifier Information:
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 111
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Classifier: class1
Operator: OR
Rule(s) : if-match ipv6 acl 3001
Total classifier number is 1
# Check the configuration of the traffic policy.
[Switch] display traffic policy user-defined
User Defined Traffic Policy Information:
Policy: policy1
Classifier: class1
Operator: OR
Behavior: behav1
Deny
Statistic: enable
Total policy number is 1
# If PC1 cannot access the network, run the display traffic policy statistics
interface gigabitethernet 0/0/1 inbound command on the Switch. The command
output shows that the number of matched packets is the same as the number of
discarded packets. This indicates that packets matching ACL 3001 are all
discarded.
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
ipv6
#
vlan batch 10
#
acl ipv6 number 3001
rule 0 deny ipv6 source FC01::/64 destination FC01::/64
#
traffic classifier class1 operator or
if-match ipv6 acl 3001
#
traffic behavior behav1
deny
statistic enable
#
traffic policy policy1 match-order config
classifier class1 behavior behav1
#
interface Vlanif10
ipv6 enable
ipv6 address FC01::1/64
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
traffic-policy policy1 inbound
#
return
2.13 Troubleshooting ACLs
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 112
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
2.13.1 Services Are Interrupted Due to an Incorrect IP Address
Wildcard Mask
Fault Description
A traffic policy has been configured on a device to redirect packets. To redirect the
packets from a certain IP address, the administrator adds a rule to the ACL used
by the traffic policy following the ACL configuration guidelines. The new rule uses
this source IP address as the matching condition. However, the IP address wildcard
mask in the rule is incorrectly configured. As a result, BGP packets cannot be sent
to the CPU, and most services are interrupted.
Procedure
Step 1 Run the display this command in the ACL view to check the new rule.
The new rule is as follows:
rule 100 permit ip source 10.1.1.3 255.255.255.255
The IP address wildcard mask is 255.255.255.255, which is not an inverse mask.
This rule is equivalent to "rule 100 permit ip" and "rule 100 permit ip source any",
meaning that packets from any IP address are matched.
The traffic policy using this ACL has been applied to a large number of interfaces,
so all BGP packets received by these interfaces are redirected to other interfaces,
but not sent to the CPU. The device times out to process protocol packets and
most services are interrupted.
Step 2 Run the rule command in the ACL view to modify the IP address wildcard mask in
the new rule.
The modified rule is as follows:
rule 100 permit ip source 10.1.1.3 0.0.0.0 //IP address of a single host only when the IP address wildcard
mask is 0.0.0.0.
Services are recovered, and packets from the source IP address of 10.1.1.3 are
redirected correctly.
----End
2.13.2 Users Cannot Access the Internet Because the DNS
Server Address Is Blocked
Fault Description
An ACL is configured on the device to restrict destination addresses accessible to
users; however, the DNS server address is blocked in the ACL. As a result, the
query packets sent from users to the DNS server are discarded. The domain names
cannot be resolved, so users cannot access the Internet.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 113
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Procedure
Step 1 Run the display acl command in the system view to check ACL rules.
The following rule is included:
rule 100 deny ip destination 10.102.192.0 0.0.0.255 //Reject the packets from network segment
10.102.192.0/24.
The DNS server address configured on user PCs is 10.102.192.68, which belongs to
the network segment 10.102.192.0/24. Therefore, packets sent from users to the
DNS server are discarded. The domain names cannot be resolved, so users cannot
access the Internet.
Step 2 Run the rule command in the ACL view to add a rule to permit the DNS server
address.
rule 99 permit ip destination 10.102.192.68 0.0.0.0 //Permit the packets destined for the DNS server.
rule 100 deny ip destination 10.102.192.0 0.0.0.255 //Reject the packets destined for network segment
10.102.192.0/24.
After rule 99 is added, the packets sent from users to the DNS server match rule
99 and pass. The domain names can be resolved, and users can access the
Internet.
----End
2.13.3 Time Range-based ACL Does Not Take Effect Due to
Incorrect System Time
Fault Description
The system time on the device is incorrect, making the time-based ACL ineffective.
Procedure
Step 1 Run the display acl command in the system view to check ACL rules.
A rule based on the time range is included:
rule 10 deny ip source 10.1.1.1 0 time-range time1 //Reject the packets from 10.1.1.1 in the time range
time1.
Step 2 Run the display time-range { all | time-name } command in the system view to
check the configuration of the time range time1.
The following information is displayed:
Current time is 14:53:17 8-16-2013 Friday
Time-range: time1 ( Inactive )
from 00:00 2014/1/1 to 23:59 2014/12/31
Total time-range number is 1
The time range time1 starts at 00:00 on January 1, 2014 and ends at 23:59 on
December 31, 2014, while the system time is 14:53:17 on August 16, 2013, which
is not the actual date (August 16, 2014) and is not within the time range time1.
Therefore, the ACL associated with time1 does not take effect, and packets from
10.1.1.1 are not discarded.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 114
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Step 3 Change the system date and time.
● Correct the system date and time.
Run the clock datetime command in the user view.
clock datetime 14:53:17 2014-08-16 //Set the date to 2014-08-16.
● Configure NTP to enable automatic clock synchronization on the device so
that the device can synchronize clock information with a trusted device
(which has synchronized clock information with an authoritative clock
through the network).
a. On the trusted device, configure the NTP master clock and clock stratum.
Run the ntp-service refclock-master command in the system view.
ntp-service refclock-master 2 //A small stratum value indicates a high precision.
b. On the device that needs to synchronize clock information with the
trusted device, set the NTP working mode. For details, see Configuring
NTP Operating Modes in "NTP Configuration" in the S300, S500, S2700,
S5700, and S6700 V200R021C00 Configuration Guide - Device
Management.
----End
2.13.4 Access Control Does Not Take Effect Due to the
Incorrect Direction of a Traffic Policy
Fault Description
As shown in Figure 2-18, the departments of an enterprise are connected through
the Switch. GE0/0/4 on the Switch is connected to the salary query server. The
enterprise allows only the president office to access the salary query server, but
prevents other departments (such as R&D and marketing departments) from
accessing the salary query server. Therefore, the administrator configures an ACL
and a traffic policy that uses the ACL on the Switch, and applies the traffic policy
to the inbound direction of GE0/0/4. The traffic policy is applied to an incorrect
direction, so access control does not take effect.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 115
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Figure 2-18 Applying the traffic policy to an interface
Procedure
Step 1 Run the display traffic policy interface [ interface-type interface-number ]
command in any view to check the traffic policy configuration on the interface.
The traffic policy p1 has been applied to the inbound direction of GE0/0/4.
Interface: GigabitEthernet0/0/4
Direction: Inbound
Policy: p1
......
Step 2 Run the display traffic-applied interface [ interface-type interface-number ]
inbound verbose command in any view to check information about the ACL used
by the traffic policy on the interface and the direction to which the traffic policy is
applied.
The traffic policy p1 uses ACL 3001, and the traffic policy is applied to the inbound
direction of the interface.
-----------------------------------------------------------
Policy applied inbound interface GigabitEthernet0/0/4
Interface: GigabitEthernet0/0/4
Direction: Inbound
Policy: p1
Classifier: c1
Operator: OR
Rule(s) :
if-match acl 3001
Behavior: b1
Deny
-----------------------------------------------------------
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 116
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
Step 3 Run the display this command in the view of advanced ACL 3001 to check the
ACL rule configuration.
ACL 3001 contains the following rules:
acl number 3001
rule 5 permit ip source 10.164.1.0 0.0.0.255 destination 10.164.9.9 0 //Allow the president office to
access the server.
rule 10 deny ip destination 10.164.9.9 0 //Prevent other departments from accessing the server.
The source IP address is the network segment where the president office resides,
and the destination IP address is the salary query server's address. The ACL rules
meet the packet filtering requirement, so the ACL configuration is correct.
Step 4 Check the direction to which the traffic policy is applied.
As shown in Step 2, the traffic policy is applied to the inbound direction of the
interface. However, packets from each department do not enter the Switch
through GE0/0/4 but through other interfaces, and the packets are sent out
through GE0/0/4. (The Switch searches for a route after receiving the packets, and
sends the packets out through GE0/0/4.)
Therefore, when the traffic policy using the ACL is applied to the inbound direction
of GE0/0/4, access control does not take effect. To make access control effective,
apply the traffic policy to the outbound direction or apply the traffic policy
globally, to the VLANs of the departments, or to the inbound direction of each
interface connecting to each department.
Step 5 Change the direction to which the traffic policy is applied.
Run the traffic-policy policy-name outbound command in the view of GE0/0/4 to
apply the traffic policy to the outbound direction.
----End
2.14 FAQ About ACLs
2.14.1 What Is the Relationship Between the permit/deny
Rules in an ACL and Those in the Behavior of a Traffic Policy?
An ACL is usually used with a traffic policy. A traffic policy includes the traffic
classifier that meets the requirement of an ACL and a traffic behavior, such as
permit/deny.
The permit/deny rules in an ACL and a behavior in the traffic policy are used as
follows.
Table 2-17 Usage of permit/deny rules in an ACL and in a behavior
ACL Behavior in a Traffic Action Taken for
Policy Matching Packets
permit permit permit
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 117
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
ACL Behavior in a Traffic Action Taken for
Policy Matching Packets
permit deny deny
deny permit deny
deny deny deny
NOTE
The traffic policy module permits packets by default. If you only want to block mutual
access between network segments, you only need to define the characteristics of the
packets to be denied in the ACL. If you add rule permit at the bottom of the ACL, the
packets that do not match previous rules will match the last rule. In addition, if the traffic
behavior is set to deny, the device discards all packets matching rule permit. As a result, all
services are interrupted.
2.14.2 How Can I Apply an ACL to a VLAN?
You can use either of the following methods to associate an ACL with a service
module (traffic policy or simplified traffic policy), and apply the ACL to a VLAN:
NOTE
The following commands are only for you reference. You should comply with the command line
syntax of the version running on your device.
● Method 1: Apply a traffic policy to a VLAN.
a. Configure a traffic classifier.
i. Run the traffic classifier classifier-name [ operator { and | or } ]
[ precedence precedence-value ] command in the system view to
enter the traffic classifier view.
ii. Run the if-match acl { acl-number | acl-name } command to apply
an ACL to the traffic classifier.
b. Configure a traffic behavior.
Run the traffic behavior behavior-name command in the system view to
create a traffic behavior and enter the traffic behavior view.
c. Configure a traffic action.
There are two actions for packet filtering: deny and permit. For other
traffic actions, see Configuration Guide - QoS of the corresponding
product version.
d. Configure a traffic policy.
i. Run the traffic policy policy-name [ match-order { auto | config } ]
command in the system view to create a traffic policy and enter the
traffic policy view.
ii. Run the classifier classifier-name behavior behavior-name
command to configure a traffic behavior for the specified traffic
classifier in the traffic policy. That is, bind the traffic behavior to the
classifier.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 118
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
e. Apply the traffic policy.
Run the traffic-policy policy-name { inbound | outbound } command in
the VLAN view to apply the traffic policy.
● Method 2: Apply the simplified traffic policy with the specified VLAN ID
globally.
Run the following commands in the system view:
– Packet filtering based on ACL
▪ traffic-filter vlan vlan-id inbound acl xxx
▪ traffic-filter vlan vlan-id outbound acl xxx
▪ traffic-secure vlan vlan-id inbound acl xxx
– Traffic policing based on ACL
▪ traffic-limit vlan vlan-id inbound acl xxx
▪ traffic-limit vlan vlan-id outbound acl xxx
– Redirection based on ACL
traffic-redirect vlan vlan-id inbound acl xxx
– Re-mark based on ACL
▪ traffic-remark vlan vlan-id inbound acl xxx
▪ traffic-remark vlan vlan-id outbound acl xxx
– Traffic statistics collection based on ACL
▪ traffic-statistic vlan vlan-id inbound acl xxx
▪ traffic-statistic vlan vlan-id outbound acl xxx
– Traffic mirroring based on ACL
traffic-mirror vlan vlan-id inbound acl xxx
2.14.3 How Can I Apply an ACL to an Interface?
An ACL cannot be directly applied to an interface. You can use either of the
following methods to associate an ACL with a service module (traffic policy or
simplified traffic policy), and apply the ACL to an interface:
NOTE
The following commands are only for you reference. You should comply with the command line
syntax of the version running on your device.
Since V200R009, traffic policy can be applied to VLANIF interfaces only on the S5731-H, S5731-
S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and
S6730S-S.
● Method 1: Apply a traffic policy to an interface.
a. Configure a traffic classifier.
i. Run the traffic classifier classifier-name [ operator { and | or } ]
[ precedence precedence-value ] command in the system view to
enter the traffic classifier view.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 119
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
ii. Run the if-match acl { acl-number | acl-name } command to apply
an ACL to the traffic classifier.
b. Configure a traffic behavior.
Run the traffic behavior behavior-name command in the system view to
create a traffic behavior and enter the traffic behavior view.
c. Configure a traffic action.
There are two actions for packet filtering: deny and permit. For other
traffic actions, see Configuration Guide - QoS of the corresponding
product version.
d. Configure a traffic policy.
i. Run the traffic policy policy-name [ match-order { auto | config } ]
command in the system view to create a traffic policy and enter the
traffic policy view.
ii. Run the classifier classifier-name behavior behavior-name
command to configure a traffic behavior for the specified traffic
classifier in the traffic policy. That is, bind the traffic behavior to the
classifier.
e. Apply the traffic policy.
Run the traffic-policy policy-name { inbound | outbound } command in
the interface view to apply the traffic policy.
● Method 2: Apply a simplified traffic policy to an interface.
Run the following commands in the interface view:
– Packet filtering based on ACL
▪ traffic-filter inbound acl xxx
▪ traffic-filter outbound acl xxx
▪ traffic-secure inbound acl xxx
– Traffic policing based on ACL
▪ traffic-limit inbound acl xxx
▪ traffic-limit outbound acl xxx
– Redirection based on ACL
traffic-redirect inbound acl xxx
– Re-mark based on ACL
▪ traffic-remark inbound acl xxx
▪ traffic-remark outbound acl xxx
– Traffic statistics collection based on ACL
▪ traffic-statistic inbound acl xxx
▪ traffic-statistic outbound acl xxx
– Traffic mirroring based on ACL
traffic-mirror inbound acl xxx
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 120
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
2.14.4 How Can I Check the Order in Which ACL Rules Take
Effect?
Run the display acl { acl-number | name acl-name | all } or display acl ipv6
{ acl6-number | name acl6-name | all } command in any view or the display this
command in the ACL view to check the order in which ACL rules take effect, as
shown in Table 2-18.
Table 2-18 ACL matching order
ACL Type Order
ACL in config mode The rules with smaller IDs take effect
earlier than the rules with larger IDs.
ACL in auto mode The rules with smaller IDs take effect
earlier than the rules with larger IDs.
ACL6 in config mode The rules with smaller IDs take effect
earlier than the rules with larger IDs.
ACL6 in auto mode The rules in front lines take effect
earlier than the rules in latter lines.
The rules may not be arranged in the
ascending order of rule IDs.
NOTE
When multiple traffic policies using ACLs are applied to a device, if a packet matches the ACL
rules in different traffic policies, the matching order of the ACL rules depends on the processing
mechanism of the traffic policy module. For details, see Configuration Guide - QoS of the
corresponding product version.
2.14.5 Which Packets Cannot Be Filtered by the ACL Used by a
Traffic Policy?
The ACL used by a traffic policy cannot filter the protocol packets to be sent to the
CPU.
● VRRP protocol packets use multicast address 224.0.0.18 as the destination
address. The VRRP protocol packets are sent to the CPU for processing;
therefore, the ACL in a traffic policy does not take effect on these packets.
Member switches in a VRRP group negotiate the master switch using the
VRRP protocol packets.
● DHCP clients exchange DHCP packets with the DHCP server to obtain valid IP
addresses. The DHCP packets are sent to the CPU for processing; therefore,
the ACL in a traffic policy does not take effect on these packets. The device
cannot use ACLs to prevent users connected to interfaces from obtaining IP
addresses through DHCP.
● When a host pings a device, the ICMP packet is sent to the CPU of the device
for processing; therefore, the ACL in a traffic policy does not take effect on
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 121
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
the ICMP packet. The device cannot use ACLs to block ping packets from
hosts.
To filter the protocol packets to be sent to the CPU, you can apply an ACL to the
blacklist configured in the local attack defense policy. The configuration procedure
is as follows:
1. Run the cpu-defend policy policy-name command in the system view to
create an attack defense policy.
2. Run the blacklist blacklist-id acl acl-number command to create a blacklist.
3. Run the cpu-defend-policy policy-name [ global ] command in the system
view or run the cpu-defend-policy policy-name command in the slot view to
apply the attack defense policy.
2.14.6 After a Traffic Policy Is Configured, Two ACL Rules Are
Occupied Based on the display acl resource Command Output.
Why?
Packets sent to the CPU for processing and packets for inter-board communication
exist on the switch. To prevent these packets from being affected by a traffic
policy, the switch delivers two ACL rules for the traffic policy.
2.14.7 How Are deny and permit in ACL Rules Used in
Different Services?
The deny and permit parameters in ACL rules have different functions in different
services.
● Traffic policy
a. When permit is used in the ACL rule, the system executes the specified
traffic behavior only when packets match the ACL rule. When the traffic
behavior is deny, the system discards packets matching the rule. When
the traffic behavior is permit, the system forwards packets matching the
rule.
b. When deny is used in the ACL rule, the system discards the packets
matching the ACL rule regardless of the action defined the traffic
behavior (except traffic statistics collection and traffic mirroring).
c. If an ACL does not contain rules, the traffic policy using the ACL does not
take effect.
● Simplified traffic policy
a. When permit is used in the ACL rule, the system executes the behavior in
the simplified traffic policy, for example, allowing the matching packets
to pass and limiting the rate of matching packets.
b. When deny is used in the ACL rule, the system discards the matching
packets if the ACL is applied to the packet filtering function or executes
the behavior in the simplified traffic policy if the ACL is applied to other
functions.
c. If an ACL does not contain rules, the simplified traffic policy using the
ACL does not take effect.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 122
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
● IPSec
a. When permit is used in the ACL rule, the system uses IPSec policies to
protect traffic matching the ACL rule, and then forwards the traffic.
b. When deny is used in the ACL rule, the system will not use IPSec policies
to protect traffic matching the ACL rule, and directly forward the traffic.
c. When an ACL does not contain rules, the IPSec policy referencing the ACL
does not take effect. That is, the system forwards the packets passing the
interface without performing any operation.
● Firewall
a. When permit is used in the ACL rule:
▪ When the ACL is applied to the inbound traffic, the system forwards
the packets matching the ACL rule sent from the low-priority zone to
the high-priority zone.
▪ When the ACL is applied to the outbound traffic, the system
forwards the packets matching the ACL rule sent from the high-
priority zone to the low-priority zone.
b. When deny is used in the ACL rule:
▪ When the ACL is applied to the inbound traffic, the system discards
the packets matching the ACL rule sent from the low-priority zone to
the high-priority zone.
▪ When the ACL is applied to the outbound traffic, the system discards
the packets matching the ACL rule sent from the high-priority zone
to the low-priority zone.
c. When an ACL does not contain rules:
▪ When the ACL is applied to the inbound traffic, the ACL does not
take effect, and the system discards all packets sent from the low-
priority zone to the high-priority zone.
▪ When the ACL is applied to the outbound traffic, the ACL does not
take effect, and the system discards all packets sent from the high-
priority zone to the low-priority zone.
● NAT
a. When permit is used in the ACL rule, the system uses the address pool to
translate addresses for the packets of which the source IP address is
specified in the ACL rule.
b. When deny is used in the ACL rule or the ACL does not contain rules, the
NAT policy referencing the ACL does not take effect. That is, the system
searches routes for packets, but does not translate addresses.
● Telnet
a. When permit is used in the ACL rule:
▪ If the ACL is applied in the inbound direction, other devices that
match the ACL rule can access the local device.
▪ If the ACL is applied in the outbound direction, the local device can
access other devices that match the ACL rule.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 123
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
b. When deny is used in the ACL rule:
▪ If the ACL is applied in the inbound direction, other devices that
match the ACL rule cannot access the local device.
▪ If the ACL is applied in the outbound direction, the local device
cannot access other devices that match the ACL rule.
c. When the ACL rule is configured but packets from other devices do not
match the rule:
▪ If the ACL is applied in the inbound direction, other devices cannot
access the local device.
▪ If the ACL is applied in the outbound direction, the local device
cannot access other devices.
d. When the ACL contains no rule:
▪ If the ACL is applied in the inbound direction, any other devices can
access the local device.
▪ If the ACL is applied in the outbound direction, the local device can
access any other devices.
● HTTP
a. The device with the specified source IP address can establish an HTTP
connection with the local device only when permit is used in the ACL
rule.
b. When deny is used in the ACL rule, other devices cannot establish HTTP
connections with the local device.
c. When the ACL rule is configured but packets from other devices do not
match the rule, other devices cannot establish HTTP connections with the
local device.
d. When the ACL contains no rule, any other devices can establish HTTP
connections with the local device.
● FTP
a. The device with the specified source IP address can establish an FTP
connection with the local device only when permit is used in the ACL
rule.
b. When deny is used in the ACL rule, other devices cannot establish FTP
connections with the local device.
c. When the ACL rule is configured but packets from other devices do not
match the rule, other devices cannot establish FTP connections with the
local device.
d. When the ACL contains no rule, any other devices can establish FTP
connections with the local device.
● TFTP
a. The device with the specified source IP address can establish a TFTP
connection with the local device only when permit is used in the ACL
rule.
b. When deny is used in the ACL rule, the local device cannot establish TFTP
connections with other devices.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 124
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Security 2 ACL Configuration
c. When the ACL rule is configured but packets from other devices do not
match the rule, other devices cannot establish TFTP connections with the
local device.
d. When the ACL contains no rule, the local device can establish TFTP
connections with any other devices.
● SNMP
a. When permit is used in the ACL rule, an NMS with a specified source IP
address can access the local device.
b. When deny is used in the ACL rule, the local device rejects access from
other NMS.
c. When the ACL does not contain rules, the local device access from any
other NMS.
● NTP
a. When permit is used in the ACL rule, the ntp-service access command
takes effect.
b. When deny is used in the ACL rule, the ntp-service access command
does not take effect.
c. When the ACL does not contain rules, the ntp-service access command
does not take effect.
Issue 01 (2021-08-31) Copyright © Huawei Technologies Co., Ltd. 125
You might also like
- Lesson12-ACL Principles and ConfigurationNo ratings yetLesson12-ACL Principles and Configuration31 pages
- Introducing ACL Operation: Access Control ListsNo ratings yetIntroducing ACL Operation: Access Control Lists17 pages
- CCNA 200-301 Official Cert Guide, Volume 2-28No ratings yetCCNA 200-301 Official Cert Guide, Volume 2-283 pages
- Access Control Lists: Huawei Technologies Co., LTDNo ratings yetAccess Control Lists: Huawei Technologies Co., LTD14 pages
- Access Control Lists: Huawei Technologies Co., LTDNo ratings yetAccess Control Lists: Huawei Technologies Co., LTD14 pages
- Access Control List: ITU 08102 Network Management and AdministrationNo ratings yetAccess Control List: ITU 08102 Network Management and Administration88 pages
- CCNA 200-301 Official Cert Guide, Volume 2-25No ratings yetCCNA 200-301 Official Cert Guide, Volume 2-253 pages
- Configuring IP Access Lists: Document ID: 23602No ratings yetConfiguring IP Access Lists: Document ID: 2360218 pages
- Securing Networks: Access Control List (ACL) ConceptsNo ratings yetSecuring Networks: Access Control List (ACL) Concepts4 pages
- Ch. 11 - Access Control Lists: CCNA 2 Version 3.0 Rick Graziani Cabrillo CollegeNo ratings yetCh. 11 - Access Control Lists: CCNA 2 Version 3.0 Rick Graziani Cabrillo College90 pages
- AN020 - X1 - T1 - A1 - C1 - Ethernet& Ntrip ConfigurationNo ratings yetAN020 - X1 - T1 - A1 - C1 - Ethernet& Ntrip Configuration10 pages
- 4.3.1.1 It's Network Access Time InstructionsNo ratings yet4.3.1.1 It's Network Access Time Instructions1 page
- Options and Derivatives Programming in C++23: Algorithms and Programming Techniques For The Financial Industry, 3rd Edition Carlos Oliveira Latest PDF 2025No ratings yetOptions and Derivatives Programming in C++23: Algorithms and Programming Techniques For The Financial Industry, 3rd Edition Carlos Oliveira Latest PDF 202584 pages
- Assessment System: Take Assessment - Enetwork Chapter 2 - Ccna Exploration: Network Fundamentals (Version 4.0)No ratings yetAssessment System: Take Assessment - Enetwork Chapter 2 - Ccna Exploration: Network Fundamentals (Version 4.0)4 pages
- Network Routing Basics Understanding IP Routing in Cisco Systems100% (1)Network Routing Basics Understanding IP Routing in Cisco Systems436 pages
- Dell Emc Networking S4100 Series Spec SheetNo ratings yetDell Emc Networking S4100 Series Spec Sheet5 pages
- Slide 8 IP Packet Tracer Practical Workout INo ratings yetSlide 8 IP Packet Tracer Practical Workout I28 pages
- BRKRST-2041-WAN Architectures and Design Principles100% (1)BRKRST-2041-WAN Architectures and Design Principles99 pages
- Uniflair: WWW - Uniflair.su +7 (495) 204-30-01 8 (800) 775-42-13 E-Mail: Info@uniflair - Su100% (1)Uniflair: WWW - Uniflair.su +7 (495) 204-30-01 8 (800) 775-42-13 E-Mail: Info@uniflair - Su54 pages