S1720GFR, S2700, S5700, and S6720 V200R010C00 Web-based Configuration Guide

This document describes the configuration and maintenance of the device through the web network management system. The web network management system provides functions for viewing device information and managing the entire system, interfaces, services, ACLs, QoS, routes, security, and tools.

ACL

An ACL classifies packets according to matching rules. A rule can match on the source address, destination address, or port numbers of a packet.

Context

ACLs are classified into the following types:
  • Basic ACL: matches packets based on Layer 3 source IP addresses
  • Advanced ACL: matches packets based on Layer 3 or Layer 4 information, such as source IP addresses, destination IP addresses, the protocol type carried over IP, and protocol-specific features
  • Layer 2 ACL: matches packets based on Layer 2 information, such as source MAC addresses, destination MAC addresses, 802.1p priorities, and the Layer 2 protocol type

Procedure

  • Query an ACL.
    1. Choose ACL > ACL in the navigation tree to open the ACL page.
    2. Set the search criteria.
    3. Click Query to display all matching records.
  • Create an ACL.
    1. Choose ACL > ACL in the navigation tree to open the ACL page.
    2. Click Create to open the Create ACL page.
    3. Click the ACL tab, as shown in Figure 2-151.

      Figure 2-151  Creating an ACL

      Table 2-87 describes the parameters on the page.

      Table 2-87  Parameters for creating an ACL

      Parameter

      Description

      ACL type

      Indicates the ACL type, including:
      • Basic ACL
      • Advanced ACL
      • Layer 2 ACL

      IP version

      To create an IPv4 or IPv6 ACL, click the IPv4 or IPv6 check box.
      NOTE:

      If you select Layer 2 ACL, the IP version cannot be set.

      ACL ID

      ACL number

      Indicates the number that identifies an ACL. The ACL number is an integer in one of the following ranges:
      • 2000-2999: basic ACL
      • 3000-3999: advanced ACL
      • 4000-4999: Layer 2 ACL
      NOTE:
      • When you modify an ACL, the ACL number cannot be changed.
      • An ACL number or ACL name is required to identify an ACL.

      ACL name

      Indicates the name of an ACL. The ACL name must be unique.
      NOTE:
      • The ACL name is a string starting with a letter. Spaces are not allowed.
      • An ACL number or ACL name is required to identify an ACL.
      • When you modify an ACL, the ACL name cannot be changed.

      Step

      Indicates the interval between two rule IDs.
      NOTE:

      The Step text box is unavailable after you set IP version to IPv6.

      ACL description

      Indicates the description of an ACL. This parameter is optional.
      NOTE:

      The ACL description text box of the ACL is unavailable after you set IP version to IPv6.

    4. Click Apply.
    5. Click the Rules tab.

      If the ACL is a basic ACL, the rule page is displayed, as shown in Figure 2-152.

      Figure 2-152  Creating a basic ACL

      Table 2-88 describes the parameters for creating a basic ACL.

      Table 2-88  Parameters for creating a basic ACL

      Parameter

      Description

      Rule number

      Indicates the number of a rule.
      NOTE:

      If you do not specify a rule number, the system automatically allocates a number for the rule. The rule number cannot be changed.

      Action

      Indicates whether to permit or deny packets. The default action is to permit.

      Log

      Indicates whether to record logs when packets are permitted. Click the check box to enable logging.

      Match IP

      All source IP

      Indicates that packets from any source IP address are permitted.

      Specify source IP

      Enter the specified IP address and the wildcard. By default, all source IP addresses are specified.
      NOTE:
      • To create an IPv4 ACL, enter the wildcard.
      • To create an IPv6 ACL, enter the prefix length.

      Time range name

      Click Select to set the time range name.
      NOTE:

      The time range name is displayed on the configuration result page.

      Fragment

      Indicates that the rule is valid only for non-initial fragments.

      NOTE:
      • The rule page displays all the rules of the ACL. Click a record to view the details about the record or modify the record. To deselect a record, click it again. You can add rules on the rule page.
      • When you modify the ACL rule, the ACL ID and rule number cannot be modified.

      If the ACL is an advanced ACL, the rule page is displayed, as shown in Figure 2-153.

      Figure 2-153  Creating an advanced ACL

      Table 2-89 describes the parameters for creating an advanced ACL.

      Table 2-89  Parameters for creating an advanced ACL

      Parameter

      Description

      Rule number

      Indicates the number of a rule.
      NOTE:

      If you do not specify a rule number, the system automatically allocates a number for the rule. The rule number cannot be changed.

      Action

      Indicates whether to permit or deny packets. The default action is to permit.

      Log

      Indicates whether to record logs when packets are permitted.

      Protocol type

      Indicates the protocol type. This parameter is mandatory. An advanced IPv4 ACL supports the following protocols:
      • IGMP
      • GRE
      • IP
      • IPINIP
      • OSPF
      • TCP
      • UDP
      • ICMP
      • Custom
        NOTE:

        The text box is available only when the protocol type is user-defined (Custom).

      An advanced IPv6 ACL supports the following protocols:
      • GRE
      • ICMPv6
      • IPv6
      • OSPF
      • TCP
      • UDP
      • Custom
        NOTE:

        The text box is available only when the protocol type is user-defined (Custom).

      ICMP parameters (Type/Code)

      ICMPv6 parameters (Type/Code)

      Indicates the type and code of ICMP/ICMPv6 packets, which are valid only when the protocol of the packets is ICMP/ICMPv6. If this parameter is not specified, all types of ICMP/ICMPv6 packets are matched. ICMP/ICMPv6 packets can be matched based on:
      • Type: filters packets based on the ICMP/ICMPv6 message type.
      • Code: the message code within the ICMP/ICMPv6 message type.

      Match IP

      All source IP

      Indicates that packets from any source IP address are permitted.

      Specify source IP

      Enter the specified IP address and the wildcard. By default, all source IP addresses are specified.
      NOTE:
      • To create an IPv4 ACL, enter the wildcard.
      • To create an IPv6 ACL, enter the prefix length.

      All destination IP addresses

      Indicates that packets to any destination IP address are permitted.

      NOTE:

      This parameter cannot be configured in advanced IPv6 ACLs on the S1720GFR and S2720.

      Point destination IP

      Enter the specified IP address and the wildcard. By default, all destination IP addresses are specified.
      NOTE:
      • To create an IPv4 ACL, enter the wildcard.
      • To create an IPv6 ACL, enter the prefix length.
      • This parameter cannot be configured in advanced IPv6 ACLs on the S1720GFR and S2720.

      Match Port

      Source port

      This parameter is valid only when the protocol type is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched.

      Select a matching operator for the source port from the drop-down list box: equal, greater, smaller, or range. Enter the TCP or UDP port number in the text box.

      Destination port

      This parameter is valid only when the protocol type is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched.

      Select a matching operator for the destination port from the drop-down list box: equal, greater, smaller, or range. Enter the TCP or UDP port number in the text box.

      Match Priority

      IP precedence

      Indicates that packets are filtered based on the precedence field. By default, this parameter is empty.

      NOTE:

      This parameter cannot be configured in advanced IPv6 ACLs on the S1720GFR, S2720, S2750, S5720SI, S5720S-SI, S5710-X-LI, S5700LI, S5720LI, S5720S-LI, and S5700S-LI switches.

      DSCP value

      Specifies the Differentiated Services Code Point (DSCP).

      NOTE:
      • If you set the IP precedence or TOS, the DSCP priority cannot be set.
      • If you set the DSCP priority, the IP precedence or TOS cannot be set.
      • This parameter cannot be configured in advanced IPv6 ACLs on the S1720GFR, S2720, S2750, S5720SI, S5720S-SI, S5710-X-LI, S5700LI, S5720LI, S5720S-LI, and S5700S-LI switches.

      TOS

      Indicates that packets are filtered based on the Type of Service (ToS) field.

      NOTE:

      This parameter cannot be configured in advanced ACLs on the S1720GFR and S2720.

      This parameter cannot be configured in advanced IPv6 ACLs on the S1720GFR, S2720, S2750, S5720SI, S5720S-SI, S5710-X-LI, S5700LI, S5720LI, S5720S-LI, and S5700S-LI switches.

      Time range name

      Click Select to set the time range name.
      NOTE:

      The time range name is displayed on the configuration result page.

      Fragment

      Indicates that the rule is valid only for non-initial fragments.

      NOTE:
      • The rule page displays all the rules of the ACL. Click a record to view the details about the record or modify the record. To deselect a record, click it again. You can add rules on the rule page.
      • When you modify the ACL rule, the ACL ID and rule number cannot be modified.

      If the ACL is a Layer 2 ACL, the rule page is displayed, as shown in Figure 2-154.

      Figure 2-154  Creating a Layer 2 ACL rule

      Table 2-90 describes the parameters for creating a Layer 2 ACL.

      Table 2-90  Parameters for creating a Layer 2 ACL rule

      Parameter

      Description

      Rule number

      Indicates the number of a rule.
      NOTE:

      If you do not specify a rule number, the system automatically allocates a number for the rule. The rule number cannot be changed.

      Action

      Indicates whether to permit or deny packets. The default action is to permit.

      Match MAC

      Source MAC

      Indicates the source MAC address used by the ACL rule. The value is in H-H-H format.

      Mask

      Indicates the mask of the source MAC address used by the ACL rule. The value is in the format H-H-H. The default value contains only Fs.

      Destination MAC

      Indicates the destination MAC address used by the ACL rule. The value is in H-H-H format.

      Mask

      Indicates the mask of the destination MAC address used by the ACL rule. The value is in the format H-H-H. The default value contains only Fs.

      Match Protocol Type

      Packet encapsulation format

      Indicates the encapsulation format of protocol packets. The value can be Ethernet II, 802.3, or SNAP.

      Layer 2 protocol

      Indicates the type of Layer 2 protocols.

      Layer 2 protocol mask

      Indicates the mask of the Layer 2 protocol.

      Source VLAN ID

      Indicates the source VLAN ID.

      Source VLAN ID mask

      Indicates the mask of the source VLAN ID. The value is in hexadecimal notation. It ranges from 0 to 0xFFF. The default value is 0xFFF.

      802.1p priority

      Indicates the 802.1p priority of the ACL. By default, this parameter is empty.

      Time range name

      Click Select to set the time range name.
      NOTE:

      The time range name is displayed on the configuration result page.

      NOTE:
      • The rule page displays all the rules of the ACL. Click a record to view the details about the record or modify the record. To deselect a record, click it again. You can add rules on the rule page.
      • When you modify the ACL rule, the ACL ID and rule number cannot be modified.

    6. Click the Action tab, as shown in Figure 2-155.

      Figure 2-155  Creating an ACL action

      Table 2-91 describes the parameters on the page.

      Table 2-91  Parameters for creating an ACL action

      Parameter

      Description

      Flow Filter

      Indicates whether to enable the Flow Filter. This parameter is optional.

      Traffic Statistics

      Indicates whether to enable the traffic statistics. The value can be Enabled or Disabled. By default, the value is Disabled.

      Configure Traffic Policing

      CIR

      Specifies the committed information rate (CIR), which is the allowed rate at which traffic can pass through.

      PIR

      Specifies the peak information rate (PIR), which is the maximum rate at which traffic can pass through.

      NOTE:
      • The value of PIR cannot be smaller than the value of CIR. By default, the value of PIR is equal to the value of CIR.

      CBS

      Specifies the committed burst size (CBS), which is the committed burst volume of traffic that can pass through.

      PBS

      Specifies the peak burst size (PBS), which is the peak burst volume of traffic that can pass through.

      Green packets

      Green packets

      Indicates whether green packets are allowed to pass through. The action can be pass or discard. By default, the action is pass.

      NOTE:

      This parameter cannot be modified on the S1720GFR, S2720, S2750, S5720SI, S5720S-SI, S5710-X-LI, S5700LI, S5720LI, S5720S-LI, and S5700S-LI switches.

      Re-mark 802.1P Priority

      Indicates whether to re-mark the 802.1p priority.

      NOTE:

      The S1720GFR, S2720, S2750, S5720SI, S5720S-SI, S5710-X-LI, S5700LI, S5720HI, S5720LI, S5720S-LI, and S5700S-LI switches do not support this parameter.

      Re-mark DSCP Priority

      Indicates whether to re-mark the DSCP priority.

      NOTE:

      The S1720GFR, S2720, S2750, S5720SI, S5720S-SI, S5710-X-LI, S5700LI, S5720HI, S5720LI, S5720S-LI, and S5700S-LI switches do not support this parameter.

      Yellow packets

      Yellow packets

      Indicates whether yellow packets are allowed to pass through. The action can be pass or discard. By default, the action is pass.

      Re-mark 802.1P Priority

      Indicates whether to re-mark the 802.1p priority.

      NOTE:

      The S5720HI does not support this parameter.

      Re-mark DSCP Priority

      Indicates whether to re-mark the DSCP priority.

      NOTE:

      The S5720HI does not support this parameter.

      Red packets

      Red packets

      Indicates whether red packets are allowed to pass through. The action can be pass or discard. By default, the action is discard.

      Re-mark 802.1P Priority

      Indicates whether to re-mark the 802.1p priority.

      NOTE:

      The S5720HI does not support this parameter.

      Re-mark DSCP Priority

      Indicates whether to re-mark the DSCP priority.

      NOTE:

      The S5720HI does not support this parameter.

      Configure Re-mark Action

      802.1p priority

      Select the check box of 802.1p to configure the 802.1p priority.

      Local priority

      Select the check box of the local priority to configure the local priority.

      NOTE:

      You cannot set both the 802.1p priority and the local priority for redirection in a traffic behavior.

      IP priority

      Select the check box of the IP precedence to configure the IP precedence.

      DSCP priority

      Select the check box of DSCP to configure the DSCP priority.

      Destination MAC

      Select the corresponding check box to configure the destination MAC address.

      The value is in the format H-H-H.

      NOTE:

      The S1720GFR, S2720, S2750, S5700LI, S5720LI, S5720S-LI, S5700S-LI, S5710-X-LI, S5720SI, S5720S-SI, and S5720HI switches do not support this parameter.

      VLAN ID

      Select the check box of VLAN ID to configure VLAN ID.

      Inner VLAN

      Select the check box of the inner VLAN to configure the inner VLAN.

      NOTE:

      The S1720GFR, S2720, S2750, S5720SI, S5720S-SI, S5710-X-LI, S5700LI, S5720LI, S5720S-LI, and S5700S-LI switches do not support this parameter.

      Configure Redirection Action

      CPU

      Indicates that packets are redirected to the CPU.

      Redirect to interface

      Indicates the interface where packets are redirected, for example, GigabitEthernet 0/0/1.

      Redirect to next hop IP

      1. Select an IP address type: IPv4 or IPv6.
      2. Configure the redirected next hop address according to the IP address type.
      NOTE:
      • You cannot configure both the next hop address where packets are redirected and the re-marked destination MAC address.
      • The S1720GFR, S2720, S2750, S5720SI, S5720S-SI, S5710-X-LI, S5700LI, S5720LI, S5720S-LI, and S5700S-LI switches do not support this parameter.

    7. Click the Apply tab.

      • If the object is an interface, the Target field is displayed as Interface, as shown in Figure 2-156.
        Figure 2-156  Applying an ACL to an interface

        Table 2-92 describes the parameters on the page.

        Table 2-92  Parameters for applying an ACL to an interface

        Parameter

        Description

        Name

        Indicates all the interfaces on the device.

        Inbound

        • To apply the ACL to all inbound interfaces, click the check boxes of all inbound interfaces.
        • To apply the ACL to one inbound interface, click the check box of that interface.
        • To apply the ACL to multiple inbound interfaces, click the check boxes of those interfaces.

        Outbound

        • To apply the ACL to all outbound interfaces, click the check boxes of all outbound interfaces.
        • To apply the ACL to one outbound interface, click the check box of that interface.
        • To apply the ACL to multiple outbound interfaces, click the check boxes of those interfaces.
        NOTE:

        You can select inbound interfaces, outbound interfaces, or both at one time.

      • If the ACL is applied globally, the Target field is displayed as Global, as shown in Figure 2-157.
        Figure 2-157  Applying an ACL globally

        Table 2-93 describes the parameters on the page.

        Table 2-93  Parameters for applying an ACL globally

        Parameter

        Description

        VLAN ID

        • If the VLAN check box is not selected, the VLAN ID text box is unavailable and the ACL is not applied to any VLAN.
        • If the VLAN check box is selected, the ACL is applied to the specified VLAN.

        Direction

        NOTE:

        You can select the inbound direction, the outbound direction, or both at one time.

    8. Set the parameters on each tab page.
    9. Click OK.

      NOTE:
      • After the ACL is created, ACL rules are configured, and the action has been applied by clicking Apply on the Action tab page, the ACL can be successfully applied to an interface or globally.
      • If the ACL is not created, the system prompts you to create the ACL when you click Apply on the Rules tab page.
      • If the ACL is not created, the system prompts you to create the ACL when you click Apply on the Apply tab page.

  • Edit an ACL.
    1. Choose ACL > ACL in the navigation tree to open the ACL page.
    2. Click the icon to open the Edit ACL page.
    3. Click the ACL tab, as shown in Figure 2-158.

      Figure 2-158  Editing an ACL

      NOTE:
      • Table 2-87 describes the parameters on the page.
      • The ACL type and ACL identifier cannot be modified.
      • The IPv6 ACL cannot be modified.

    4. Click the Rules tab. The procedure for modifying a rule is similar to the procedure for creating a rule.
    5. Click the Action tab. The Action tab page does not display the created action. The procedure for modifying an action is similar to the procedure for creating an action.
    6. Click the Apply tab. The Apply tab page displays the object to which the rule is applied.

      NOTE:
      • The Apply tab page displays the object to which the ACL is applied.
      • If an action is created, the new action will replace the original action and be delivered to objects when you click the Apply tab.

    7. Modify the configuration parameters on the tab page.
    8. Click OK.
  • Delete an ACL.
    1. Choose ACL > ACL in the navigation tree to open the ACL page.
    2. Select a record that you want to delete and click Delete. The system asks you whether to delete the record.

      NOTE:
      • To select a record, click the check box of the record.
      • To delete records in batches, click the check boxes of the records.

    3. Click OK. If the operation succeeds, the system returns to the ACL page; otherwise, an error message is displayed.
  • Check basic ACL objects.
    1. Choose ACL > ACL in the navigation tree to open the ACL page.
    2. Select a record that you want to check and click Objects to open the Object List page, as shown in Figure 2-159.

      Figure 2-159  Object list

      Table 2-94 describes the parameters on the page.

      Table 2-94  Checking basic ACL objects

      Parameter

      Description

      Object Name

      Indicates all objects that this ACL is applied to.

      ACL

      Indicates all ACLs applied to this object.

  • Delete basic ACL objects.
    1. Choose ACL > ACL in the navigation tree to open the ACL page.
    2. Select the ACL whose objects you want to delete and click Objects to open the Object List page.
    3. Select the object name and click Delete. The system asks you whether to delete the record.
    4. Click OK.
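The rule parameters in Tables 2-88 and 2-89 (source and destination address with wildcard, protocol type, the Match Port operators, Fragment) and the ACL number ranges in Table 2-87 are modelled below in an added Python example; it is not part of Huawei's guide or the switch software. It assumes first-match-wins rule order and a permit default for packets no rule matches, neither of which the page states, and the packets are constructed test input.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ACL number ranges from the page: 2000-2999 basic, 3000-3999 advanced, 4000-4999 Layer 2
ACL_RANGES = {"basic": (2000, 2999), "advanced": (3000, 3999), "layer2": (4000, 4999)}

def acl_type_for_number(number: int) -> str:
    for kind, (lo, hi) in ACL_RANGES.items():
        if lo <= number <= hi:
            return kind
    raise ValueError(f"ACL number {number} is outside all ACL number ranges")

def wildcard_match(addr: str, spec: str, wildcard: str) -> bool:
    """IPv4 wildcard semantics: a 1 bit in the wildcard means 'do not compare this bit'."""
    a, s, w = (int(ipaddress.IPv4Address(x)) for x in (addr, spec, wildcard))
    return (a & ~w) == (s & ~w)

def port_match(port: int, op: str, lo: int, hi: int = 0) -> bool:
    """Operators offered in the Match Port drop-down: equal, greater, smaller, range."""
    ops = {"equal": port == lo, "greater": port > lo, "smaller": port < lo, "range": lo <= port <= hi}
    return ops[op]

@dataclass
class Rule:
    action: str                             # "permit" or "deny"; the page's default is permit
    src: Optional[Tuple[str, str]] = None   # (address, wildcard); None = All source IP
    dst: Optional[Tuple[str, str]] = None   # advanced ACLs only
    protocol: Optional[str] = None          # mandatory for advanced ACLs; "ip" matches any protocol
    sport: Optional[Tuple] = None           # (op, lo[, hi]); valid for TCP/UDP only
    dport: Optional[Tuple] = None
    fragment: bool = False                  # True: rule applies only to non-initial fragments

@dataclass
class Packet:                               # constructed test input, not captured traffic
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0
    frag_offset: int = 0                    # 0 = initial fragment or unfragmented packet

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.fragment and pkt.frag_offset == 0:
        return False
    for want, have in ((rule.src, pkt.src), (rule.dst, pkt.dst)):
        if want and not wildcard_match(have, *want):
            return False
    if rule.protocol not in (None, "ip") and rule.protocol != pkt.proto:
        return False
    if pkt.proto in ("tcp", "udp"):         # port criteria apply to TCP and UDP only
        for want, have in ((rule.sport, pkt.sport), (rule.dport, pkt.dport)):
            if want and not port_match(have, *want):
                return False
    return True

def evaluate(acl_number: int, rules: List[Rule], pkt: Packet, default: str = "permit") -> str:
    """First matching rule decides (assumed order); rules are validated against the ACL type."""
    kind = acl_type_for_number(acl_number)
    for rule in rules:
        if kind == "basic" and (rule.dst or rule.protocol or rule.sport or rule.dport):
            raise ValueError("a basic ACL rule matches on source IP address only")
        if kind == "advanced" and rule.protocol is None:
            raise ValueError("an advanced ACL rule requires a protocol type")
        if rule_matches(rule, pkt):
            return rule.action
    return default
```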
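The traffic policing parameters in Table 2-91 (CIR, PIR, CBS, PBS and the per-colour pass/discard actions with their defaults) are modelled below as an added Python example, not Huawei code. It assumes a colour-blind two-rate three-colour marker (RFC 2698 trTCM) with CIR and PIR in kbit/s, CBS and PBS in bytes, and PBS defaulting to CBS; the page gives the PIR-to-CIR default and the colour actions but does not specify the marking algorithm or units.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Defaults from the Action tab: green pass, yellow pass, red discard
DEFAULT_ACTIONS = {"green": "pass", "yellow": "pass", "red": "discard"}

@dataclass
class Policer:
    cir: int                                  # committed information rate, kbit/s (unit assumed)
    cbs: int                                  # committed burst size, bytes (unit assumed)
    pir: Optional[int] = None                 # peak information rate; page: defaults to CIR
    pbs: Optional[int] = None                 # peak burst size; default equal to CBS is assumed
    actions: Dict[str, str] = field(default_factory=lambda: dict(DEFAULT_ACTIONS))

    def __post_init__(self) -> None:
        if self.pir is None:
            self.pir = self.cir
        if self.pbs is None:
            self.pbs = self.cbs
        if self.pir < self.cir:               # the page's NOTE: PIR cannot be smaller than CIR
            raise ValueError("PIR cannot be smaller than CIR")
        self.tc = float(self.cbs)             # committed token bucket, starts full
        self.tp = float(self.pbs)             # peak token bucket, starts full
        self.last = 0.0                       # time of the previous refill, seconds

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tc = min(self.cbs, self.tc + elapsed * self.cir * 1000 / 8)   # kbit/s -> bytes/s
        self.tp = min(self.pbs, self.tp + elapsed * self.pir * 1000 / 8)

    def color(self, size: int, now: float) -> str:
        """Colour-blind two-rate three-colour marking (RFC 2698 trTCM, assumed model)."""
        self._refill(now)
        if size > self.tp:                    # exceeds the peak bucket: red
            return "red"
        if size > self.tc:                    # within PIR/PBS but above CIR/CBS: yellow
            self.tp -= size
            return "yellow"
        self.tc -= size                       # conforming: green, charged to both buckets
        self.tp -= size
        return "green"

    def police(self, size: int, now: float) -> Tuple[str, str]:
        """Return (colour, action) for one packet of `size` bytes arriving at time `now`."""
        colour = self.color(size, now)
        return colour, self.actions[colour]

def police_burst(policer: Policer, packets: List[Tuple[float, int]]) -> List[Tuple[str, str]]:
    """Run constructed (arrival_time, size_bytes) packets through the policer in order."""
    return [policer.police(size, t) for t, size in packets]
```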
Updated: 2019-08-21

Document ID: EDOC1000114003