Configuration Guide - Security

S1720, S2700, S5700, and S6720 V200R011C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, MPAC, separating the management plane from the service plane, security risks, PKI.
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Overview of ACLs


Access Control Lists (ACLs) filter packets based on rules that define the packet filtering conditions, such as the source address, destination address, and port number of packets.

An ACL is a packet filter, and its rules are the filter elements. A device compares packets against the ACL rules and then forwards or discards the matching packets; which action a match triggers depends on the policy of the service module to which the ACL is applied.

An ACL can be applied to various service modules, such as Telnet, FTP, and routing. Usually, an ACL is applied to a traffic policy or simplified traffic policy. This lets the device deliver ACL rules globally, in a VLAN, or on an interface to filter the packets to be forwarded. Different service modules use different actions and mechanisms to process the packets filtered by an ACL, including different default actions for packets that match no rule. For details, see Default ACL Actions and Mechanisms of Different Service Modules.


A configured ACL takes effect only after it is applied to a service module.


The fast growth of network technologies brings challenges to network security and Quality of Service (QoS). ACLs are a security policy enforced on networks to address the following problems:
  • Information leaks and unauthorized access to resources on key servers of an enterprise network

  • Viruses on the Internet entering and spreading on the enterprise intranet

  • Non-essential services occupying network bandwidth and starving delay-sensitive services such as voice and video

These problems are detrimental to network communication, so controlling which packets a device forwards is critical.

ACL accurately identifies and controls packets on the network to manage network access behaviors, prevent network attacks, and improve bandwidth use efficiency. In this way, ACL ensures security and high service quality on networks.

Figure 2-1 shows a typical network with ACL configured.

Figure 2-1  ACL application scenario

  • To ensure financial data security, access to the financial server is allowed only from the president office; access from the R&D department to the financial server is blocked. The implementation method is as follows:

    Configure an ACL in the inbound direction of Interface 1 to block packets from the R&D department to the financial server. An ACL applied to an interface filters only the packets entering (or leaving) that interface, so the ACL belongs on the interface facing the R&D department. No ACL is needed on Interface 2, so packets from the president office to the financial server are forwarded normally.

  • Protect the enterprise intranet against viruses entering from the Internet and spreading internally. The implementation method is as follows:

    Configure an ACL in the inbound direction of Interface 3 to block packets that match virus signatures. Note that an ACL matches on packet header fields (addresses, protocol, port numbers) rather than on payload content, so only virus traffic whose signature can be expressed in those fields, such as the port a worm propagates on, can be blocked this way.
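Added example (not code from the Huawei document): a small Python model of the first scenario above, showing how an advanced ACL rule written with Huawei-style wildcard masks is evaluated, and why packets from the R&D department to the financial server are dropped while every other flow is forwarded. The addresses (R&D subnet 10.1.2.0/24, president office host 10.1.3.5, financial server 10.1.1.100) and the ACL number 3001 are constructed for illustration. The model assumes rules are matched in ascending rule-ID order with the first match deciding, and that a packet matching no rule is permitted, which is the default for an ACL applied through a traffic policy; the referenced table of default actions is authoritative for other service modules. It also shows a common configuration mistake: typing a subnet mask where a wildcard belongs.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    """One advanced-ACL rule. Wildcard semantics: a wildcard bit of 1 means
    "don't care", a bit of 0 means "must match" (the inverse of a subnet mask)."""
    action: str        # "permit" or "deny"
    src: str           # base source address, e.g. "10.1.2.0"
    src_wildcard: str  # "0.0.0.255" covers the whole /24
    dst: str
    dst_wildcard: str  # "0.0.0.0" matches exactly one host


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit the wildcard does not mask out."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF   # bits that must match
    return (_to_int(addr) & care) == (_to_int(base) & care)


def rule_matches(rule: Rule, src: str, dst: str) -> bool:
    return (wildcard_match(src, rule.src, rule.src_wildcard)
            and wildcard_match(dst, rule.dst, rule.dst_wildcard))


def evaluate(rules: List[Rule], src: str, dst: str, default: str = "permit") -> str:
    """Walk the rules in order (ascending rule ID); the first match decides.
    A packet that matches no rule gets the service module's default action,
    assumed here to be the traffic-policy default of permit."""
    for rule in rules:
        if rule_matches(rule, src, dst):
            return rule.action
    return default


# Constructed addresses for the Figure 2-1 scenario (assumptions, not from the document).
RD_SUBNET = ("10.1.2.0", "0.0.0.255")   # R&D department, 10.1.2.0/24
PRESIDENT_HOST = "10.1.3.5"             # a host in the president office
FINANCE_SERVER = "10.1.1.100"

# ACL 3001, applied inbound on Interface 1 (the interface facing R&D). On the
# switch CLI this is: rule 5 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.100 0
ACL_3001 = [
    Rule("deny", RD_SUBNET[0], RD_SUBNET[1], FINANCE_SERVER, "0.0.0.0"),
]


def demo() -> dict:
    """Outcome for the flows that matter in the scenario. President-office traffic
    enters on Interface 2, which carries no ACL; it is evaluated here only to show
    that even the same ACL would not block it, so no permit rule is needed."""
    return {
        "rd_to_finance": evaluate(ACL_3001, "10.1.2.37", FINANCE_SERVER),
        "president_to_finance": evaluate(ACL_3001, PRESIDENT_HOST, FINANCE_SERVER),
        "rd_to_other_server": evaluate(ACL_3001, "10.1.2.37", "10.1.1.200"),
    }


def mask_pitfall() -> str:
    """Common mistake: a subnet mask (255.255.255.0) typed where a wildcard
    (0.0.0.255) belongs. The rule then matches only sources whose last octet
    is 0, so the R&D host slips through on the default permit."""
    wrong = [Rule("deny", "10.1.2.0", "255.255.255.0", FINANCE_SERVER, "0.0.0.0")]
    return evaluate(wrong, "10.1.2.37", FINANCE_SERVER)


if __name__ == "__main__":
    for flow, action in demo().items():
        print(f"{flow:22s} -> {action}")
    print(f"{'wrong wildcard':22s} -> {mask_pitfall()}")
```

On the switch the same rule lives in `acl 3001` (advanced ACLs are numbered 3000 to 3999), is referenced by a traffic classifier bound to a `deny` behavior in a traffic policy, and is applied with `traffic-policy` in the inbound direction on Interface 1. The `mask_pitfall()` function is the check to run mentally before committing a rule: a wildcard that reads like a subnet mask produces a rule that matches almost nothing and fails silently.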

Updated: 2019-09-23

Document ID: EDOC1000178177
