
Configuration Guide - Security

S1720, S2700, S5700, and S6720 V200R011C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, MPAC, separating the management plane from the service plane, security risks, PKI.
Licensing Requirements and Limitations for ACLs

Involved Network Elements

Other network elements are not required.

Licensing Requirements

ACL configuration commands are available on the S1720GW, S1720GWR, and S1720X only after the license (WEB management to full management Electronic RTU License) has been loaded and activated and the switches have been restarted. ACL configuration commands on other models are not under license control.

For details about how to apply for a license, see S Series Switch License Use Guide.

Version Requirements

Table 2-15  Products and versions supporting ACL

| Product | Product Model | Software Version |
| --- | --- | --- |
| S1700 | S1720GFR | V200R006C10, V200R009C00, V200R010C00, V200R011C00, V200R011C10 |
| S1700 | S1720GW and S1720GWR | V200R010C00, V200R011C00, V200R011C10 |
| S1700 | S1720GW-E and S1720GWR-E | V200R010C00, V200R011C00, V200R011C10 |
| S1700 | S1720X and S1720X-E | V200R011C00, V200R011C10 |
| S1700 | Other S1700 models | Models that cannot be configured using commands. For details about features and versions, see S1700 Documentation Bookshelf. |
| S2700 | S2700SI | Not supported. |
| S2700 | S2700EI | V100R005C01, V100R006(C00&C01&C03&C05) |
| S2700 | S2710SI | V100R006(C03&C05) |
| S2700 | S2720EI | V200R006C10, V200R009C00, V200R010C00, V200R011C10 |
| S2700 | S2750EI | V200R003C00, V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10 |
| S3700 | S3700SI and S3700EI | V100R005C01, V100R006(C00&C01&C03&C05) |
| S3700 | S3700HI | V100R006C01, V200R001C00 |
| S5700 | S5700LI | V200R001C00, V200R002C00, V200R003(C00&C02&C10), V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10 |
| S5700 | S5700S-LI | V200R001C00, V200R002C00, V200R003C00, V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10 |
| S5700 | S5710-C-LI | V200R001C00 |
| S5700 | S5710-X-LI | V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10 |
| S5700 | S5700SI | V100R005C01, V100R006C00, V200R001C00, V200R002C00, V200R003C00, V200R005C00 |
| S5700 | S5700EI | V100R005C01, V100R006(C00&C01), V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02&C03) |
| S5700 | S5710EI | V200R001C00, V200R002C00, V200R003C00, V200R005(C00&C02) |
| S5700 | S5720EI | V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10 |
| S5700 | S5720LI and S5720S-LI | V200R010C00, V200R011C00, V200R011C10 |
| S5700 | S5720SI and S5720S-SI | V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10 |
| S5700 | S5700HI | V100R006C01, V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00SPC500&C01&C02) |
| S5700 | S5710HI | V200R003C00, V200R005(C00&C02&C03) |
| S5700 | S5720HI | V200R006C00, V200R007(C00&C10), V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10 |
| S5700 | S5730SI | V200R011C10 |
| S5700 | S5730S-EI | V200R011C10 |
| S6700 | S6700EI | V100R006C00, V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02) |
| S6700 | S6720LI and S6720S-LI | V200R011C00, V200R011C10 |
| S6700 | S6720SI and S6720S-SI | V200R011C00, V200R011C10 |
| S6700 | S6720EI | V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10 |
| S6700 | S6720S-EI | V200R009C00, V200R010C00, V200R011C00, V200R011C10 |

NOTE:
For details about software mappings, see the Hardware Query Tool.

Feature Limitations

When creating ACL rules:
  • If an ACL rule that you want to create already exists, the system does not create the rule again.

  • If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.

When configuring ACL rules:
  • An ACL name can be reused only between a basic ACL and a basic ACL6, or between an advanced ACL and an advanced ACL6.

  • The match order of an ACL affects packet matching results, so consider the match order when configuring rules. If the match-order parameter is not specified when you create an ACL, the default match order, config, is used.

  • When the first rule of an ACL is created without the rule-id parameter specified, the switch uses the step value as the rule ID. If an ACL already has rules with manually configured IDs and a new rule is added without the rule-id parameter specified, the system allocates to the new rule the smallest multiple of the step value that is greater than the largest rule ID in the ACL (a rule ID must be an integer). This rule is placed at the bottom of the ACL. For example, if an ACL contains rule 5 and rule 12 and the default step is 5, a new rule added to the ACL is allocated ID 15 (15 is greater than 12 and is the smallest such multiple of 5).

  • If the rule-id parameter is not specified when you configure an ACL6, the switch automatically allocates rule IDs. The allocated rule IDs start from 0 and increase by 1 each time a rule is created. If a rule ID is in use, the next one is allocated. For example, if an ACL6 contains rule 0, rule 1, and rule 3, the system allocates 2 to a new rule when the rule-id is not manually specified.

  • To associate a time range with an ACL rule, ensure that the system time of the switch is the same as that of other devices on the network; otherwise, the rule cannot take effect. The time-name must already exist; otherwise, the rule cannot be bound to the time range.

  • When the source source-address source-wildcard or destination destination-address destination-wildcard parameter is specified in a rule, the IP address wildcard mask (source-wildcard or destination-wildcard) is an inverse mask, that is, the bitwise complement of a subnet mask: a 0 bit requires the corresponding address bit to match, and a 1 bit ignores it.

  • If the vpn-instance vpn-instance-name parameter is not specified for an ACL rule, the switch matches the packets of both public and private networks.
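The rule-ID allocation and wildcard-matching behaviour described in the two lists above (creating and configuring ACL rules) can be checked against a small model. The following Python is an added example written for this page, not Huawei code and not the switch's implementation: it models IPv4 rule-ID allocation (step value for the first rule, then the smallest multiple of the step above the largest ID), ACL6 allocation (smallest unused ID from 0), inverse-mask wildcard matching, the "identical rule is not created again" and "same ID replaces the original rule" behaviours, and first-match lookup in ascending rule-ID order, which is how this model represents the config match order. The `BasicAcl` class, its method names and all addresses are constructed for the example.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

# A rule is (action, source_address, source_wildcard); all sample values
# in this file are constructed for the example.
Rule = Tuple[str, str, str]


def next_ipv4_rule_id(existing_ids: Iterable[int], step: int = 5) -> int:
    """Rule ID a new IPv4 ACL rule gets when rule-id is not specified:
    the smallest multiple of the step greater than the largest existing
    ID. For an empty ACL (largest treated as 0) this is the step itself."""
    if step <= 0:
        raise ValueError("step must be a positive integer")
    largest = max(existing_ids, default=0)
    return step * (largest // step + 1)


def next_acl6_rule_id(existing_ids: Iterable[int]) -> int:
    """Rule ID a new ACL6 rule gets when rule-id is not specified: IDs
    start at 0 and increase by 1, skipping any ID already in use."""
    used = set(existing_ids)
    candidate = 0
    while candidate in used:
        candidate += 1
    return candidate


def wildcard_match(packet_ip: str, rule_address: str, wildcard: str) -> bool:
    """True when packet_ip matches rule_address under an inverse-mask
    wildcard: a 0 bit in the wildcard must match, a 1 bit is don't-care."""
    ip = int(ipaddress.IPv4Address(packet_ip))
    addr = int(ipaddress.IPv4Address(rule_address))
    care_bits = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (ip & care_bits) == (addr & care_bits)


class BasicAcl:
    """Toy model (hypothetical, not the switch's code) of a basic IPv4 ACL
    whose rules are matched in the config order (ascending rule ID)."""

    def __init__(self, step: int = 5) -> None:
        self.step = step
        self.rules: Dict[int, Rule] = {}

    def add_rule(self, action: str, source: str, wildcard: str,
                 rule_id: Optional[int] = None) -> int:
        """Add a rule and return the ID it ends up with."""
        new_rule: Rule = (action, source, wildcard)
        # A rule that already exists is not created again.
        for existing_id, existing in self.rules.items():
            if existing == new_rule:
                return existing_id
        if rule_id is None:
            rule_id = next_ipv4_rule_id(self.rules, self.step)
        # A conflicting rule with the same ID replaces the original rule.
        self.rules[rule_id] = new_rule
        return rule_id

    def lookup(self, packet_ip: str) -> Optional[Tuple[int, str]]:
        """First matching (rule_id, action) in ascending rule-ID order,
        or None when no rule matches."""
        for rule_id in sorted(self.rules):
            action, source, wildcard = self.rules[rule_id]
            if wildcard_match(packet_ip, source, wildcard):
                return rule_id, action
        return None


if __name__ == "__main__":
    acl = BasicAcl()
    print(acl.add_rule("deny", "10.0.0.1", "0.0.0.0"))          # 5
    print(acl.add_rule("permit", "10.0.0.0", "0.0.0.255", 12))  # 12
    print(acl.add_rule("deny", "0.0.0.0", "255.255.255.255"))   # 15
    print(acl.lookup("10.0.0.9"))                               # (12, 'permit')
    print(next_acl6_rule_id([0, 1, 3]))                         # 2
```

The `__main__` section reproduces the page's own examples: an IPv4 ACL holding rules 5 and 12 with step 5 hands a new rule ID 15, and an ACL6 holding rules 0, 1 and 3 hands a new rule ID 2. The order of the `add_rule` calls also shows why a host-specific deny at rule 5 still wins over the broader permit at rule 12 for 10.0.0.1: lookup stops at the first match in rule-ID order.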

When applying ACL rules:
  • Apply an ACL to a correct direction of an interface. If an ACL is applied to an inbound direction of an interface, the switch matches the packets received by this interface against ACL rules; if an ACL is applied to an outbound direction of an interface, the switch matches the packets sent by this interface against ACL rules.

  • If an ACL rule defines deny and ACL-based traffic policy or ACL-based traffic-filter is applied to the outbound direction on the S5720EI, S5720HI, S6720EI, and S6720S-EI, control packets of ICMP, OSPF, BGP, RIP, SNMP, and Telnet sent by the CPU are discarded. This affects relevant protocol functions.
  • When WLAN service is configured on the switch, the switch can deliver only the following types of ACL rules to APs:
    1. Rules 0-127 of advanced ACLs 3000-3031

    2. Rules 0-127 of Layer 2 ACLs 4000-4031 (supported in V200R010 and later versions)

    3. Rules 0-127 of user ACLs 6000-6031

When deleting ACL rules:

The undo rule command deletes an ACL rule even if the ACL rule is referenced. (If a simplified traffic policy references a specified rule in an ACL, this command does not take effect.) Before deleting a rule, ensure that the rule is not being referenced.

ACL resource allocation mode:

To configure the ACL resource allocation mode for an S5720HI, run the assign resource-template acl-mode command.
Table 2-16  ACL specifications in different resource allocation modes

| Resource Allocation Mode | Maximum Number of IPv4 ACLs | Maximum Number of Layer 2+IPv4 ACLs | Maximum Number of IPv6 ACLs | Maximum Number of Layer 2+IPv6 ACLs | Maximum Number of Layer 2 ACLs | Total Number of ACLs |
| --- | --- | --- | --- | --- | --- | --- |
| dual-ipv4-ipv6 | 16K | 16K | 8K | 8K | 16K | 16K (IPv4) + 8K (IPv6) |
| l2-ipv4 | 32K | 32K | 0 | 0 | 32K | 32K |
| l2-ipv6 | 0 | 0 | 16K | 16K | 16K | 16K |
| ipv4 | 64K | 0 | 0 | 0 | 0 | 64K |
| l2 | 0 | 0 | 0 | 0 | 64K | 64K |
Updated: 2019-03-28

Document ID: EDOC1000178177