
Configuration Guide - Security

S9300, S9300E, and S9300X V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Licensing Requirements and Limitations for ACLs

Involved Network Elements

Other network elements are not required.

Licensing Requirements

ACL is a basic feature of a switch and is not under license control.

Version Requirements

Table 1-15  Products and versions supporting ACL

Product | Product Model              | Software Version
S9300   | S9303, S9306, and S9312    | V100R002, V100R003, V100R006(C00&C01), V200R001C00, V200R002C00, V200R003C00, V200R005C00SPC300, V200R006C00, V200R007C00, V200R008(C00&C10), V200R009C00, V200R010C00, V200R011C10
S9300   | S9310                      | V200R010C00, V200R011C10
S9300X  | S9310X                     | V200R010C00, V200R011C10
S9300E  | S9303E, S9306E, and S9312E | V200R001C00, V200R002C00, V200R003C00, V200R005C00SPC300, V200R006C00, V200R007C00, V200R008(C00&C10), V200R009C00, V200R010C00, V200R011C10

NOTE:
For details about software mappings, see the Hardware Query Tool.

Feature Limitations

When creating ACL rules:
  • If an ACL rule that you want to create already exists, the system does not create the rule again.

  • If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.

When configuring ACL rules:
  • An ACL name can be reused only between a basic ACL and a basic ACL6, or between an advanced ACL and an advanced ACL6.

  • The match order of an ACL affects packet matching results, so consider the match order when configuring rules. If the match-order parameter is not specified when you create an ACL, the default match order, config, is used.

  • When the first rule of an ACL is created without the rule-id parameter specified, the switch uses the step value as the rule ID. If an ACL already contains rules with manually configured IDs and a new rule is added without the rule-id parameter specified, the system allocates to the new rule the smallest multiple of the step value that is greater than the largest rule ID in the ACL. A rule ID must be an integer, and the new rule is placed at the bottom of the ACL. For example, an ACL contains rule 5 and rule 12, and the default step is 5. When a new rule is added to the ACL, the system allocates ID 15 to it (15 is greater than 12 and is the smallest multiple of 5 that satisfies this).

  • If the rule-id parameter is not specified when you configure an ACL6, the switch automatically allocates rule IDs. The allocated rule IDs start from 0 and increase by 1 each time a rule is created. If a rule ID is in use, the next one is allocated. For example, if an ACL6 contains rule 0, rule 1, and rule 3, the system allocates 2 to a new rule when the rule-id is not manually specified.

  • To associate a time range with an ACL rule, ensure that the system time of the switch is the same as that of the other devices on the network; otherwise, the rule cannot take effect. The time range (time-name) must already exist; otherwise, the rule cannot be bound to it.

  • When the source source-address source-wildcard or destination destination-address destination-wildcard parameter is specified in a rule, the IP address wildcard mask (source-wildcard or destination-wildcard) is an inverse mask, that is, the inverse of a subnet mask.

  • If the vpn-instance vpn-instance-name parameter is not specified for an ACL rule, the switch matches the packets of both public and private networks.
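The rule-ID allocation (IPv4 step rule and ACL6 next-free-ID rule) and the inverse wildcard mask described in the list above, worked through as an added example. This is constructed for this page and is not Huawei code: the rules, addresses and class names are assumptions, and the config match order is modelled as evaluating rules in ascending rule-ID order, which is also an assumption of the example.

```python
"""Toy model of ACL rule-ID allocation and wildcard matching.
Constructed example for illustration; not vendor code."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    rule_id: int
    action: str          # "permit" or "deny"
    src: str             # base address, e.g. "10.1.1.0"
    src_wildcard: str    # inverse mask, e.g. "0.0.0.255"


def next_ipv4_rule_id(existing_ids, step=5):
    """IPv4 ACL: the first rule gets the step value; afterwards the
    smallest multiple of the step strictly greater than the largest ID."""
    existing_ids = list(existing_ids)
    if not existing_ids:
        return step
    return (max(existing_ids) // step + 1) * step


def next_ipv6_rule_id(existing_ids):
    """ACL6: IDs start at 0 and the smallest unused one is taken."""
    used = set(existing_ids)
    candidate = 0
    while candidate in used:
        candidate += 1
    return candidate


def wildcard_match(addr, base, wildcard):
    """Inverse-mask comparison: a 0 bit in the wildcard means the address
    bit must match, a 1 bit means it is ignored (opposite of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


class Acl:
    """Basic IPv4 ACL. 'config' match order is modelled as ascending
    rule-ID order (an assumption of this example)."""

    def __init__(self, step=5):
        self.step = step
        self.rules = {}   # rule_id -> Rule

    def add_rule(self, action, src, src_wildcard, rule_id=None):
        if rule_id is None:
            rule_id = next_ipv4_rule_id(self.rules, self.step)
        # Assigning by ID replaces a conflicting rule with the same ID;
        # re-adding an identical rule changes nothing.
        self.rules[rule_id] = Rule(rule_id, action, src, src_wildcard)
        return rule_id

    def lookup(self, src_addr):
        """First matching rule wins; (None, None) when nothing matches."""
        for rid in sorted(self.rules):
            r = self.rules[rid]
            if wildcard_match(src_addr, r.src, r.src_wildcard):
                return r.action, rid
        return None, None


def demo():
    """Constructed rule set: IDs 5 and 12 exist, so the next automatic
    ID is 15, and lookups fall through the rules in ID order."""
    acl = Acl()
    acl.add_rule("deny", "10.1.1.0", "0.0.0.255", rule_id=5)
    acl.add_rule("permit", "10.1.0.0", "0.0.255.255", rule_id=12)
    new_id = acl.add_rule("deny", "0.0.0.0", "255.255.255.255")  # -> 15
    return (new_id,
            acl.lookup("10.1.1.7"),     # -> ("deny", 5)
            acl.lookup("10.1.2.7"),     # -> ("permit", 12)
            acl.lookup("192.0.2.1"))    # -> ("deny", 15)


if __name__ == "__main__":
    print(demo())
    print(next_ipv6_rule_id([0, 1, 3]))  # -> 2
```

The `demo()` rule set reproduces the page's own example (rules 5 and 12 with step 5 yield 15), and `next_ipv6_rule_id([0, 1, 3])` reproduces the ACL6 example (gap at 2 is filled first). Note how the catch-all rule only takes effect for addresses that no earlier rule matched, which is why rule order matters for the final permit/deny result.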

When applying ACL rules:
  • Apply an ACL to a correct direction of an interface. If an ACL is applied to an inbound direction of an interface, the switch matches the packets received by this interface against ACL rules; if an ACL is applied to an outbound direction of an interface, the switch matches the packets sent by this interface against ACL rules.

  • If an ACL rule defines deny and an ACL-based traffic policy or ACL-based traffic-filter is applied in the outbound direction, control packets (ICMP, OSPF, BGP, RIP, SNMP, and Telnet) sent by the CPU are discarded, which affects the corresponding protocol functions.

When deleting ACL rules:

The undo rule command deletes an ACL rule even if the ACL rule is referenced. (If a simplified traffic policy references a specified rule in an ACL, this command does not take effect.) Before deleting a rule, ensure that the rule is not being referenced.

ACL resource allocation mode:

To configure the ACL resource allocation mode for the X series cards, run the assign acl-mode command.

Table 1-16  ACL specifications in different resource allocation modes (X1E/X1C series cards)

Resource Allocation Mode | Max. IPv4 ACLs | Max. Layer 2+IPv4 ACLs | Max. IPv6 ACLs | Max. Layer 2+IPv6 ACLs | Max. Layer 2 ACLs | Total ACLs
dual-ipv4-ipv6           | 20K            | 20K                    | 8K             | 8K                     | 20K               | 20K (IPv4) + 8K (IPv6)
l2-ipv4                  | 36K            | 36K                    | 0              | 0                      | 36K               | 36K
l2-ipv6                  | 0              | 0                      | 16K            | 16K                    | 16K               | 16K
ipv4                     | 64K            | 0                      | 0              | 0                      | 0                 | 64K
l2                       | 0              | 0                      | 0              | 0                      | 64K               | 64K

Table 1-17  ACL specifications in different resource allocation modes (X2E series cards)

Resource Allocation Mode | Max. IPv4 ACLs | Max. Layer 2+IPv4 ACLs | Max. IPv6 ACLs | Max. Layer 2+IPv6 ACLs | Max. Layer 2 ACLs | Total ACLs
dual-ipv4-ipv6           | 38K            | 38K                    | 16K            | 16K                    | 38K               | 38K (IPv4) + 16K (IPv6)
l2-ipv4                  | 70K            | 70K                    | 0              | 0                      | 70K               | 70K
l2-ipv6                  | 0              | 0                      | 32K            | 32K                    | 32K               | 32K
ipv4                     | 128K           | 0                      | 0              | 0                      | 0                 | 128K
l2                       | 0              | 0                      | 0              | 0                      | 128K              | 128K

Table 1-18  ACL specifications in different resource allocation modes (X2H series cards)

Resource Allocation Mode | Max. IPv4 ACLs | Max. Layer 2+IPv4 ACLs | Max. IPv6 ACLs | Max. Layer 2+IPv6 ACLs | Max. Layer 2 ACLs | Total ACLs
dual-ipv4-ipv6           | 70K            | 70K                    | 32K            | 32K                    | 70K               | 70K (IPv4) + 32K (IPv6)
l2-ipv4                  | 134K           | 134K                   | 0              | 0                      | 134K              | 134K
l2-ipv6                  | 0              | 0                      | 64K            | 64K                    | 64K               | 64K
ipv4                     | 256K           | 0                      | 0              | 0                      | 0                 | 256K
l2                       | 0              | 0                      | 0              | 0                      | 256K              | 256K
Updated: 2019-04-01

Document ID: EDOC1000178410