Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configuration of security features, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, and security risks.
Summary of ACL Configuration Tasks

The device supports the following types of ACLs: basic ACL, advanced ACL, Layer 2 ACL, user ACL, user-defined ACL, basic ACL6 and advanced ACL6.

Table 1-19 lists ACL configuration tasks. The configuration tasks can be performed in any sequence. You need to select at least one of them.

Table 1-19  ACL configuration tasks

| Scenario | Description | Task |
| --- | --- | --- |
| Configure and apply a basic ACL. | A basic ACL defines rules to filter IPv4 packets based on information such as source IP addresses, fragment information, and time ranges. If you only need to filter packets based on source IP addresses, you can configure a basic ACL. | Configuring and Applying a Basic ACL |
| Configure and apply an advanced ACL. | An advanced ACL defines rules to filter IPv4 packets based on source IP addresses, destination IP addresses, IP protocol types, TCP source/destination port numbers, UDP source/destination port numbers, fragment information, and time ranges. Compared with a basic ACL, an advanced ACL is more accurate, flexible, and provides more functions. For example, if you want to filter packets based on source and destination IP addresses, configure an advanced ACL. | Configuring and Applying an Advanced ACL |
| Configure and apply a Layer 2 ACL. | A Layer 2 ACL defines rules to filter IPv4 and IPv6 packets based on Ethernet frame information, such as source MAC addresses, destination MAC addresses, VLANs, and Layer 2 protocol types. If you only need to filter packets based on Layer 2 information, configure a Layer 2 ACL. | Configuring and Applying a Layer 2 ACL |
| Configure and apply a user-defined ACL. | A user-defined ACL defines rules based on packet headers, offsets, character string masks, and user-defined character strings. With such a user-defined ACL configured, the system performs an AND operation on the packet bytes from a certain position behind the packet header and the character string mask, compares the extracted character string against the user-defined character string, and then filters IPv4 and IPv6 packets. Compared with basic ACL, advanced ACL, and Layer 2 ACL, user-defined ACL is more accurate, flexible, and provides more functions. For example, if you want to filter ARP packets based on source IP addresses and ARP packet types, you can configure a user-defined ACL. | Configuring and Applying a User-Defined ACL |
| Configure and apply a user ACL. | A user ACL defines rules to filter IPv4 packets based on the source IP addresses or source User Control List (UCL) groups, destination IP addresses or destination UCL groups, IP protocol types, ICMP types, TCP source/destination port numbers, UDP source/destination port numbers, and time ranges. To filter packets based on UCL groups, configure a user ACL. | Configuring and Applying a User ACL |
| Configure and apply a basic ACL6. | A basic ACL6 defines rules to filter IPv6 packets based on information such as source IPv6 addresses, fragment information, and time ranges. If you only need to filter packets based on source IPv6 addresses, you can configure a basic ACL6. | Configuring and Applying a Basic ACL6 |
| Configure and apply an advanced ACL6. | An advanced ACL6 defines rules to filter IPv6 packets based on source IPv6 addresses, destination IPv6 addresses, IPv6 protocol types, TCP source/destination port numbers, UDP source/destination port numbers, fragment information, and time ranges. Compared with a basic ACL6, an advanced ACL6 is more accurate, flexible, and provides more functions. For example, if you want to filter packets based on source and destination IPv6 addresses, configure an advanced ACL6. | Configuring and Applying an Advanced ACL6 |
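
The user-defined ACL row describes a masked comparison at a byte offset. The following Python model is an added example, not Huawei code or CLI syntax: it applies that AND-then-compare step to the table's own ARP case (source IP plus ARP packet type). It assumes offsets are counted from the start of the Ethernet frame; the `Field` class, the rule set, and all addresses are constructed for illustration.

```python
import ipaddress
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Field:
    offset: int   # bytes from the start of the frame (assumed header base)
    mask: bytes   # character string mask
    value: bytes  # user-defined character string

    def unmatchable(self) -> bool:
        # Value bits outside the mask can never survive the AND.
        return any(v & ~m & 0xFF for v, m in zip(self.value, self.mask))

    def matches(self, frame: bytes) -> bool:
        window = frame[self.offset:self.offset + len(self.mask)]
        if len(window) < len(self.mask):  # truncated packet: nothing to compare
            return False
        masked = bytes(b & m for b, m in zip(window, self.mask))
        return masked == self.value


def first_match(rules, frame):
    """Action of the first rule whose fields all match, else None."""
    for action, fields in rules:
        if all(f.matches(frame) for f in fields):
            return action
    return None


def arp_frame(oper: int, sender_ip: str, target_ip: str = "192.0.2.1") -> bytes:
    """Constructed Ethernet + ARP frame (42 bytes) for the demo."""
    mac = bytes.fromhex("020000000001")
    eth = b"\xff" * 6 + mac + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += mac + ipaddress.IPv4Address(sender_ip).packed
    arp += bytes(6) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


# Constructed rule: deny ARP replies whose sender IP is in 10.1.1.0/24.
RULES = [("deny", [
    Field(12, b"\xff\xff", b"\x08\x06"),                  # EtherType = ARP
    Field(20, b"\xff\xff", b"\x00\x02"),                  # ARP opcode = reply
    Field(28, b"\xff\xff\xff\x00", b"\x0a\x01\x01\x00"),  # sender IP /24
])]

if __name__ == "__main__":
    for oper, ip in [(2, "10.1.1.77"), (1, "10.1.1.77"), (2, "10.1.2.77")]:
        print(oper, ip, first_match(RULES, arp_frame(oper, ip)))
```

`unmatchable()` flags a rule whose string has bits set outside its mask; under the comparison as the table describes it, such a rule would never hit, which is worth checking before relying on it as a filter.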
Updated: 2019-04-01

Document ID: EDOC1000178319
