Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Configuring a Layer 2 ACL

Prerequisites

If you need to configure a time-based ACL, create a time range and associate the time range with the ACL rules. For details, see (Optional) Creating a Time Range in Which an ACL Takes Effect.

Context

A Layer 2 ACL defines rules that filter frames on Ethernet header fields rather than on IP header fields: source MAC address, destination MAC address, outer and inner VLAN IDs, 802.1p priority, and the Layer 2 protocol type (EtherType). Because it never looks past the Ethernet header, the same rule applies to IPv4, IPv6, ARP, PPPoE or any other payload carried in the frame.

If you only need to filter packets based on Layer 2 information, configure a Layer 2 ACL. Note that an ACL on its own filters nothing: it takes effect only once it is applied, for example through a traffic filter or traffic policy, and the treatment of frames that match no rule is determined by the feature that references the ACL, not by the ACL itself.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Create a Layer 2 ACL. You can create a numbered or named ACL.

    • Run the acl [ number ] acl-number [ match-order { auto | config } ] command to create a numbered Layer 2 ACL (4000-4999) and enter the Layer 2 ACL view.

    • Run the acl name acl-name { link | acl-number } [ match-order { auto | config } ] command to create a named Layer 2 ACL and enter the Layer 2 ACL view.

    By default, no ACL exists on the device.

    For details about the numbered and named ACLs, see ACL Classification.

    If the match-order parameter is not specified when you create an ACL, the default match order config is used. For details about ACL match order, see Matching Order.

    The default step of a created ACL is 5. If the default step cannot meet your ACL configuration requirements, you can change the step value. For details about the step, see Step; for configuration of the step, see Adjusting the Step of ACL Rules.

    To delete an ACL that has taken effect, see Deleting an ACL in Configuring a Basic ACL.

  3. (Optional) Run description text

    A description is configured for the ACL.

    By default, an ACL does not have a description.

    The ACL description helps you understand and remember the functions or purpose of an ACL.

  4. Run rule [ rule-id ] { permit | deny } [ [ ether-ii | 802.3 | snap ] | l2-protocol type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value | cvlan-id cvlan-id [ cvlan-id-mask ] | cvlan-8021p 802.1p-value | double-tag | time-range time-name ] *

    Rules are configured in the Layer 2 ACL.

    In this example, only one permit or deny rule is configured. In actual configuration, you can configure multiple rules and decide the match order of the rules according to service requirements.

    For details about the time range, source/destination MAC addresses and their masks, VLAN IDs and their masks, see Matching Conditions. Note that a MAC mask here is a bit mask, not an inverse wildcard as in IP ACLs: a 1 bit marks a bit that must match, so ffff-ffff-0000 matches the first four bytes and leaves the last two unconstrained, and omitting the mask means an exact match. Configuring rules for a Layer 2 ACL provides a rule configuration example.

  5. (Optional) Run rule rule-id description description

    A description is configured for the ACL rules.

    By default, an ACL rule does not have a description.

    The ACL rule description helps you understand and remember the functions or purpose of an ACL rule.

    You can configure descriptions for only the rules existing on the device. That is, you cannot configure a description for a rule before creating the rule.

Configuration Tips

Configuring rules for a Layer 2 ACL
  • Configuring packet filtering rules based on the source MAC address, destination MAC address, and Layer 2 protocol types

    To allow the ARP packets with the specified destination and source MAC addresses and Layer 2 protocol type to pass, configure a rule in a Layer 2 ACL. For example, to allow the ARP packets with destination MAC address 0000-0000-0001, source MAC address 0000-0000-0002, and Layer 2 protocol type 0x0806 to pass, configure the following rule in ACL 4001.
    <HUAWEI> system-view
    [HUAWEI] acl 4001
    [HUAWEI-acl-L2-4001] rule permit destination-mac 0000-0000-0001 source-mac 0000-0000-0002 l2-protocol 0x0806
    
    To reject the PPPoE packets with the specified Layer 2 protocol type, configure a rule in a Layer 2 ACL. To reject PPPoE Discovery packets, which use Layer 2 protocol type 0x8863, configure the following rule in ACL 4001. PPPoE Session packets use a different type (0x8864) and are not matched by this rule; add a second rule if they should be rejected too.
    <HUAWEI> system-view
    [HUAWEI] acl 4001
    [HUAWEI-acl-L2-4001] rule deny l2-protocol 0x8863
  • Configuring a packet filtering rule based on the source MAC address segment and inner VLAN IDs

    To reject the packets from the specified MAC address segments in a VLAN, configure a rule in a Layer 2 ACL. For example, to reject the packets from source MAC address segment 00e0-fc01-0000 to 00e0-fc01-ffff in VLAN 10, configure the following rule in Layer 2 ACL deny-vlan10-mac.
    <HUAWEI> system-view
    [HUAWEI] acl name deny-vlan10-mac link
    [HUAWEI-acl-L2-deny-vlan10-mac] rule deny vlan-id 10 source-mac 00e0-fc01-0000 ffff-ffff-0000
  • Configuring a time-based ACL rule

    For details, see Configuring a time-based ACL rule in Configuring a Basic ACL.
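The following Python model is an added example and is not Huawei code or part of this guide. It reproduces the rule semantics described above so they can be checked offline: rule IDs allocated in steps of 5 when omitted, match-order config (first hit in ascending rule-ID order wins), MAC bit masks where a 1 bit means "must match", and a None result for frames that hit no rule. The Frame and L2Rule field names, and the sample frames, are assumptions made for the example; the rules themselves are the ones configured in ACL 4001 and deny-vlan10-mac above. Time ranges, 802.1p and double-tag matching are not modelled.

```python
"""Simulated Huawei-style Layer 2 ACL matcher (added example, not Huawei code).

Models only what the configuration guide describes:
- rule IDs are allocated in steps of 5 (the default step) when omitted
- match-order config: rules are tried in ascending rule-id order, first hit wins
- a MAC mask is a bit mask, 1 = this bit must match (ffff-ffff-0000 therefore
  matches the whole 00e0-fc01-xxxx segment, as in the deny-vlan10-mac example)
- a frame that matches no rule yields None; what the switch then does depends
  on the feature the ACL is applied to and is deliberately not modelled here
"""
from dataclasses import dataclass
from typing import Dict, Optional


def mac_to_int(mac: str) -> int:
    """Parse H-H-H notation such as '00e0-fc01-0000' into an integer."""
    digits = mac.replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return int(digits, 16)


@dataclass
class Frame:
    """Subset of Ethernet header fields a Layer 2 ACL can match (assumed names)."""
    src_mac: str
    dst_mac: str
    ethertype: int
    vlan_id: Optional[int] = None


@dataclass
class L2Rule:
    rule_id: int
    action: str                       # 'permit' or 'deny'
    src_mac: Optional[str] = None
    src_mask: str = "ffff-ffff-ffff"  # no mask given = exact match
    dst_mac: Optional[str] = None
    dst_mask: str = "ffff-ffff-ffff"
    l2_protocol: Optional[int] = None
    vlan_id: Optional[int] = None

    @staticmethod
    def _mac_match(frame_mac: str, rule_mac: str, mask: str) -> bool:
        m = mac_to_int(mask)
        return (mac_to_int(frame_mac) & m) == (mac_to_int(rule_mac) & m)

    def matches(self, f: Frame) -> bool:
        """Every field present in the rule must match; omitted fields match anything."""
        if self.src_mac is not None and not self._mac_match(f.src_mac, self.src_mac, self.src_mask):
            return False
        if self.dst_mac is not None and not self._mac_match(f.dst_mac, self.dst_mac, self.dst_mask):
            return False
        if self.l2_protocol is not None and f.ethertype != self.l2_protocol:
            return False
        if self.vlan_id is not None and f.vlan_id != self.vlan_id:
            return False
        return True


class L2Acl:
    """A numbered or named Layer 2 ACL evaluated with match-order config."""

    def __init__(self, name: str, step: int = 5):
        self.name = name
        self.step = step
        self.rules: Dict[int, L2Rule] = {}

    def rule(self, action: str, rule_id: Optional[int] = None, **fields) -> int:
        """Add a rule. Without rule_id, allocate the next multiple of step above the highest id."""
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if rule_id is None:
            highest = max(self.rules, default=0)
            rule_id = (highest // self.step + 1) * self.step
        self.rules[rule_id] = L2Rule(rule_id, action, **fields)
        return rule_id

    def evaluate(self, f: Frame) -> Optional[L2Rule]:
        """Config order: the lowest-numbered matching rule wins; None if nothing matches."""
        for rid in sorted(self.rules):
            if self.rules[rid].matches(f):
                return self.rules[rid]
        return None


def build_acl_4001() -> L2Acl:
    """The two rules the guide configures in ACL 4001 (ARP permit, PPPoE Discovery deny)."""
    acl = L2Acl("4001")
    acl.rule("permit", dst_mac="0000-0000-0001", src_mac="0000-0000-0002", l2_protocol=0x0806)
    acl.rule("deny", l2_protocol=0x8863)
    return acl


def build_deny_vlan10_mac() -> L2Acl:
    """The guide's named ACL deny-vlan10-mac: one deny rule on a MAC segment in VLAN 10."""
    acl = L2Acl("deny-vlan10-mac")
    acl.rule("deny", vlan_id=10, src_mac="00e0-fc01-0000", src_mask="ffff-ffff-0000")
    return acl


def verdict(acl: L2Acl, f: Frame) -> Optional[str]:
    """Return e.g. 'permit(5)' or 'deny(10)', or None when no rule matches."""
    r = acl.evaluate(f)
    return None if r is None else f"{r.action}({r.rule_id})"


if __name__ == "__main__":
    # Constructed sample frames, not captured traffic.
    arp = Frame("0000-0000-0002", "0000-0000-0001", 0x0806)
    padi = Frame("00e0-fc01-1234", "ffff-ffff-ffff", 0x8863)
    print(verdict(build_acl_4001(), arp), verdict(build_acl_4001(), padi))
```

Two things worth trying with the model: add a rule with an explicit ID of 12 and then one without an ID, and observe that the automatic ID is 15 (the next multiple of the step above the highest existing ID); and put a broad `deny l2-protocol 0x0806` before a narrower permit for the same EtherType to see that, under match-order config, the earlier deny shadows the permit entirely.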

Updated: 2019-04-01

Document ID: EDOC1000178319