No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


S2700, S3700, S5700, S6700, S7700, and S9700 Series Switches Typical Configuration Examples

This document provides examples for configuring features in typical usage scenarios.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Using Reflective ACL to Implement Unidirectional Access Control

Example for Using Reflective ACL to Implement Unidirectional Access Control

Reflective ACL Overview

Reflective ACL is a type of dynamic ACL. The device creates a reflective ACL by swapping the source/destination IP addresses and source/destination port numbers of an ACL. A reflective ACL has an aging time. If packets passing the interface match the reflective ACL within the aging time, this reflective ACL is kept in the next aging time interval. If no packet passing the interface matches the reflective ACL within the aging time, the reflective ACL is deleted. This mechanism improves device security.

Reflective ACL implements unidirectional access control. An external host can access an internal host only after the internal host accesses the external host. Therefore, reflective ACL protects enterprises' internal networks against attacks initiated by external users.

In this example, an advanced reflective ACL is used to prevent the servers on the Internet from actively establishing UDP connections with internal hosts before the internal hosts connect to the external servers. Reflective ACL implements unidirectional access control between internal and external networks.

Configuration Notes

This example applies to all versions of modular switches, but does not apply to fixed switches.

Networking Requirements

As shown in Figure 15-4, Switch functions as the gateway to connect PCs to the Internet. There are reachable routes among the devices. To ensure internal network security, the administrator allows servers on the Internet to establish UDP connections with internal PCs only after the internal PCs have established UDP connections with the external servers.

Figure 15-4  Using reflective ACL to implement unidirectional access control

Configuration Roadmap

The following configurations are performed on the Switch. The configuration roadmap is as follows:

  1. Configure an advanced ACL based on which the device will generate a reflective ACL.
  2. Configure the reflective ACL function to allow internal PC1 to establish a UDP connection with a server on the Internet and prevent the external server from actively establishing a UDP connection with internal hosts.


  1. Configure an advanced ACL.

    # Create advanced ACL 3000 and configure a rule to permit UDP packets.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] acl 3000
    [Switch-acl-adv-3000] rule permit udp  //Allow UDP packets to pass.
    [Switch-acl-adv-3000] quit

  2. Configure the reflective ACL function.

    # Packets from the Internet are received by GE2/0/1; therefore, configure the reflective ACL function in the outbound direction of GE2/0/1 so that the Switch can generate reflective ACL for UDP packets.

    [Switch] interface gigabitethernet 2/0/1
    [Switch-GigabitEthernet2/0/1] traffic-reflect outbound acl 3000  //Apply the reflective ACL to the outbound direction of an interface.
    [Switch-GigabitEthernet2/0/1] quit

  3. Verify the configuration.

    Run the display traffic-reflect command to check reflective ACL information.

    [Switch] display traffic-reflect outbound acl 3000
    Proto  SP   DP   DIP             SIP             Count   Timeout  Interface
    UDP    2    80       9       300(s)   GigabitEthernet2/0/1
    * Total <1> flows accord with condition, <1> items was displayed.
    * Proto=Protocol,SIP=Source IP,DIP=Destination IP,Timeout=Time to cutoff,
    * SP=Source port,DP=Destination port,Count=Packets count(data).

    The preceding information will be displayed only after internal hosts have established UDP connections with external servers. The preceding information shows that a reflective ACL has been generated on GE2/0/1 for the UDP packets between PC1 and server (, and provides packet statistics.

Configuration Files

Configuration file of the Switch

sysname Switch
acl number 3000
 rule 5 permit udp
interface GigabitEthernet2/0/1
 traffic-reflect outbound acl 3000
Updated: 2019-04-20

Document ID: EDOC1000069520

Views: 656152

Downloads: 29795

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next