S1720, S2700, S3700, S5700, S6700, S7700, and S9700 Series Switches Common Operation Guide

This document describes the CLI-based configurations of universal protocols and common features for Huawei switches on basic networks.
Configuring Packet Filtering Rules Based on Layer 2 Headers, Offsets, Character String Masks, and User-Defined Character Strings

  • To reject ARP packets from a specified host, configure a rule in a user-defined ACL. For example, to reject ARP packets whose sender (source) IP address is 192.168.0.2, configure the following rule in ACL 5001.

    In the following rule:
    • 0x00000806 is the value to match: EtherType 0x0806, which identifies ARP.
    • 0x0000ffff is the character string mask. It selects the low 2 bytes of the 4-byte window, so only bytes 12 and 13 of the frame (the EtherType field) are compared.
    • 10 is the offset of the 4-byte window that contains the EtherType field in an untagged frame. The EtherType field starts at byte offset 12 (zero-based) and is 2 bytes long. A Layer 2 header offset in a user-defined ACL must be 4n + 2 (n is an integer), so the window starts at 10 (4 x 2 + 2) and the mask picks out its low 2 bytes.
    • c0a80002 is the hexadecimal form of 192.168.0.2.
    • 26 and 30 are the window offsets for the high 2 bytes and the low 2 bytes of the source IP address in an untagged ARP frame. The source IP address starts at byte offset 28 (zero-based) of the Layer 2 header and is 4 bytes long. Because the offset must be 4n + 2, no single 4-byte window covers the whole address, so it is matched in two segments: the low 2 bytes of the window at offset 26 (4 x 6 + 2) are bytes 28 and 29 (value 0x0000c0a8, mask 0x0000ffff), and the high 2 bytes of the window at offset 30 (4 x 7 + 2) are bytes 30 and 31 (value 0x00020000, mask 0xffff0000).
    To filter ARP packets that carry a VLAN tag, add 4 to each offset in the rule (10, 26, and 30 become 14, 30, and 34), because the 802.1Q tag inserts 4 bytes after the source MAC address. A rule written for untagged frames does not match the same host's tagged frames, and vice versa.
    Figure 15-1  Source IP address field offset in the Layer 2 header of an ARP packet

    <HUAWEI> system-view
    [HUAWEI] acl 5001
    [HUAWEI-acl-user-5001] rule deny l2-head 0x00000806 0x0000ffff 10 0x0000c0a8 0x0000ffff 26 0x00020000 0xffff0000 30
    NOTE: The user-defined ACLs configured on S1720GFR, S1720GW, S1720GW-E, S1720GWR, S1720GWR-E, S1720X, S1720X-E, S2720EI, S2750EI, S5700EI, S5700LI, S5700S-LI, S5700SI, S5710-C-LI, S5710-X-LI, S5720I-SI, S5720LI, S5720S-LI, S5720S-SI, S5720SI, S5730S-EI, S5730SI, S6720LI, S6720S-LI, S6720S-SI, and S6720SI do not support this configuration and can match only character strings.

  • To reject all TCP packets, configure a rule in the user-defined ACL named deny-tcp.

    In the following rule:
    • 0x00060000 is the value to match: IP protocol number 6 (TCP), placed in the second byte of the 4-byte window.
    • 8 is the offset of the window that contains the protocol field. The protocol field starts at byte offset 9 (zero-based) of the IPv4 header and is 1 byte long. An IPv4 header offset in a user-defined ACL must be 4n (n is an integer), so the window starts at 8 (4 x 2) and the mask 0x00ff0000 selects its second byte, which is byte 9. Offsets for ipv4-head rules are counted from the start of the IPv4 header, not from the start of the frame, so this rule is unaffected by a VLAN tag.
    <HUAWEI> system-view
    [HUAWEI] acl name deny-tcp user
    [HUAWEI-acl-user-deny-tcp] rule 5 deny ipv4-head 0x00060000 0x00ff0000 8
    Figure 15-2  TCP protocol field offset in the IPv4 header
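As an added example (not from the Huawei document), the following Python reproduces the offset and mask arithmetic behind both rules above. It takes a field's real byte position, splits it into 4-byte windows at the alignment the rule type requires (4n + 2 for l2-head, 4n for ipv4-head), renders the value/mask/offset triples in CLI order, and applies them to constructed ARP frames and IPv4 headers the way the hardware would, by masking each window and comparing. Only the rule grammar shown on the page is relied on; the frame contents, the function names, and the rule-number-free output format are assumptions of the example.

```python
"""Derive Huawei user-defined ACL match words (value, mask, offset) from a
field's real byte position and check them against constructed packets.

Added example, not Huawei code. It relies only on the rule grammar shown on
the page: a user-defined rule is a list of (value mask offset) triples, each
describing a 4-byte window whose offset must be 4n+2 for l2-head and 4n for
ipv4-head. All frame and header bytes below are constructed, not captured.
"""
import struct

# Required alignment of the window start for each rule type (4n+2 / 4n).
ALIGN = {"l2-head": 2, "ipv4-head": 0}


def match_words(field_offset, field, head):
    """Cover `field` (starting at zero-based `field_offset`) with aligned
    4-byte windows; return [(value, mask, window_offset), ...] as big-endian
    words. A field that straddles a window boundary is split into two
    triples, exactly as the ARP sender IP address is on the page."""
    base = ALIGN[head]
    words = []
    pos, end = field_offset, field_offset + len(field)
    while pos < end:
        win = pos - ((pos - base) % 4)      # nearest aligned start <= pos
        value = mask = 0
        for i in range(4):
            b = win + i
            if field_offset <= b < end:
                shift = 8 * (3 - i)         # byte 0 of the window is the MSB
                value |= field[b - field_offset] << shift
                mask |= 0xFF << shift
        words.append((value, mask, win))
        pos = win + 4
    return words


def rule_text(action, head, fields):
    """Render the rule body (without a rule number) for (offset, bytes) fields."""
    parts = [f"0x{v:08x} 0x{m:08x} {w}"
             for off, fld in fields for v, m, w in match_words(off, fld, head)]
    return f"rule {action} {head} " + " ".join(parts)


def matches(data, head, fields):
    """Apply the rule as the hardware does: AND each window with its mask and
    compare. `data` must start at the header the rule type addresses."""
    for off, fld in fields:
        for value, mask, win in match_words(off, fld, head):
            window = data[win:win + 4]
            if len(window) < 4 or int.from_bytes(window, "big") & mask != value:
                return False
    return True


def arp_fields(sender_ip, tagged=False):
    """EtherType == ARP and ARP sender IP == sender_ip. An 802.1Q tag shifts
    everything after the source MAC by 4 bytes (the page's 'add 4' rule)."""
    shift = 4 if tagged else 0
    ip = bytes(int(o) for o in sender_ip.split("."))
    return [(12 + shift, b"\x08\x06"), (28 + shift, ip)]


TCP_FIELDS = [(9, b"\x06")]     # IPv4 protocol byte at zero-based offset 9


def arp_frame(sender_ip, vlan=None):
    """Constructed ARP request from sender_ip, optionally 802.1Q-tagged."""
    mac = bytes.fromhex("001122334455")
    tag = b"" if vlan is None else b"\x81\x00" + struct.pack("!H", vlan)
    ip = bytes(int(o) for o in sender_ip.split("."))
    return (b"\xff" * 6 + mac + tag + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # hw/proto type, lens, opcode
            + mac + ip + b"\x00" * 6 + bytes([192, 168, 0, 1]))


def ipv4_header(proto):
    """Constructed minimal IPv4 header (no options, zero checksum)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


if __name__ == "__main__":
    print(rule_text("deny", "l2-head", arp_fields("192.168.0.2")))
    print(rule_text("deny", "l2-head", arp_fields("192.168.0.2", tagged=True)))
    print(rule_text("deny", "ipv4-head", TCP_FIELDS))
    print(matches(arp_frame("192.168.0.2", vlan=100), "l2-head",
                  arp_fields("192.168.0.2")))   # untagged rule vs tagged frame
```

Running it prints the rule body for ARP from 192.168.0.2 untagged (offsets 10, 26, 30), tagged (offsets 14, 30, 34), and for TCP (offset 8). The last line prints False: the untagged rule does not catch the same host's VLAN-tagged frames, which is why the page says to add 4 to each offset on tagged links.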

Updated: 2018-09-03

Document ID: EDOC1000057410