CLI-based Configuration Guide - Security

AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Configuring and Applying a Layer 2 ACL

(Optional) Creating a Time Range in Which an ACL Takes Effect

Context

For details, see (Optional) Creating a Time Range in Which an ACL Takes Effect in Configuring and Applying a Basic ACL.

Configuring a Layer 2 ACL

Pre-configuration Tasks

If you need to configure a time-based ACL, create a time range and associate the time range with the ACL rules. For details, see (Optional) Creating a Time Range in Which an ACL Takes Effect.

Context

A Layer 2 ACL defines rules to filter IPv4 and IPv6 packets based on Ethernet frame information, such as source Media Access Control (MAC) addresses, destination MAC addresses, VLANs, and Layer 2 protocol types.

If you need to filter packets based only on Layer 2 information, configure a Layer 2 ACL.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Create a Layer 2 ACL. You can create a numbered or named ACL.

    • Run the acl [ number ] acl-number [ match-order { auto | config } ] command to create a numbered Layer 2 ACL (4000-4999) and enter the Layer 2 ACL view.

    • Run the acl name acl-name { link | acl-number } [ match-order { auto | config } ] command to create a named Layer 2 ACL and enter the Layer 2 ACL view.

    By default, no ACL exists on the device.

    For details about the numbered and named ACLs, see ACL Classification.

    If the match-order parameter is not specified when you create an ACL, the default match order config is used. For details about ACL match order, see Matching Order.

    The default step of a created ACL is 5. If the default step cannot meet your ACL configuration requirements, you can change the step value. For details about the step, see Step; for configuration of the step, see Adjusting the Step of ACL Rules.

    To delete an ACL that has taken effect, see Deleting an ACL in Configuring a Basic ACL.

  3. (Optional) Run:

    description text

    A description is configured for the ACL.

    By default, an ACL does not have a description.

    The ACL description helps you understand and remember the functions or purpose of an ACL.

  4. Run rule [ rule-id ] { permit | deny } [ l2-protocol type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value | time-range time-name ] *

    Rules are configured in the Layer 2 ACL.

    In this example, only one permit or deny rule is configured. In actual configuration, you can configure multiple rules and decide the match order of the rules according to service requirements.

    For details about the time range, source/destination MAC addresses and their wildcard masks, VLAN IDs and their masks, see Matching Conditions. Configuring rules for a Layer 2 ACL provides a rule configuration example.

  5. (Optional) Run:

    rule rule-id description description

    A description is configured for the ACL rules.

    By default, an ACL rule does not have a description.

    The ACL rule description helps you understand and remember the functions or purpose of an ACL rule.

    You can configure descriptions for only the rules existing on the device. That is, you cannot configure a description for a rule before creating the rule. If an ACL rule for which a description has been configured is deleted, the description is also deleted.

Configuration Tips
Configuring rules for a Layer 2 ACL
  • Configuring packet filtering rules based on the source MAC address, destination MAC address, and Layer 2 protocol types

    To allow the ARP packets with the specified destination and source MAC addresses and Layer 2 protocol type to pass, configure a rule in a Layer 2 ACL. For example, to allow the ARP packets with destination MAC address 0000-0000-0001, source MAC address 0000-0000-0002, and Layer 2 protocol type 0x0806 to pass, configure the following rule in ACL 4001.
    <Huawei> system-view
    [Huawei] acl 4001
    [Huawei-acl-L2-4001] rule permit destination-mac 0000-0000-0001 source-mac 0000-0000-0002 l2-protocol 0x0806
    
    To reject the PPPoE packets with the specified Layer 2 protocol type, configure a rule in a Layer 2 ACL. To reject the PPPoE packets with Layer 2 protocol type 0x8863, configure the following rule in ACL 4001.
    <Huawei> system-view
    [Huawei] acl 4001
    [Huawei-acl-L2-4001] rule deny l2-protocol 0x8863
  • Configuring a packet filtering rule based on the source MAC address segment and inner VLAN IDs

    To reject the packets from the specified MAC address segments in a VLAN, configure a rule in a Layer 2 ACL. For example, to reject the packets from source MAC address segment 00e0-fc01-0000 to 00e0-fc01-ffff in VLAN 10, configure the following rule in Layer 2 ACL deny-vlan10-mac.
    <Huawei> system-view
    [Huawei] acl name deny-vlan10-mac link
    [Huawei-acl-L2-deny-vlan10-mac] rule deny vlan-id 10 source-mac 00e0-fc01-0000 ffff-ffff-0000
  • Configuring a time-based ACL rule

    For details, see Configuring a time-based ACL rule in Configuring a Basic ACL.
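The rule command in step 4 and the Configuration Tips above rely on Huawei's MAC notation and MAC masks, the match order and the rule step. The following Python model, added here as an example and not Huawei's own code, reproduces that matching logic for the three rules shown on this page; it assumes (as stated in the comments) that a rule created without a rule-id receives the next multiple of the step, and that an unmatched frame is left to the service module the ACL is applied to.

```python
# Added example, not Huawei's code: how Layer 2 ACL rules match frames. In a MAC
# mask a 1 bit must match and a 0 bit is ignored, so ffff-ffff-0000 covers 00e0-fc01-xxxx.
from dataclasses import dataclass
from typing import Optional

def parse_mac(text: str) -> int:
    digits = text.replace("-", "")          # Huawei notation: hhhh-hhhh-hhhh
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {text}")
    return int(digits, 16)

def mac_matches(cond: str, mac: int) -> bool:
    """cond is 'address' or 'address mask', exactly as typed on the CLI."""
    addr, _, mask = cond.partition(" ")
    m = parse_mac(mask or "ffff-ffff-ffff")  # no mask: whole address must match
    return (mac & m) == (parse_mac(addr) & m)

@dataclass
class Rule:
    rule_id: int
    action: str                          # "permit" or "deny"
    source_mac: Optional[str] = None
    destination_mac: Optional[str] = None
    l2_protocol: Optional[int] = None    # EtherType, e.g. 0x0806 = ARP
    vlan_id: Optional[int] = None

    def matches(self, frame: dict) -> bool:
        # Every condition given in the rule must hold; omitted ones are ignored.
        return ((self.source_mac is None or mac_matches(self.source_mac, frame["src"]))
                and (self.destination_mac is None or mac_matches(self.destination_mac, frame["dst"]))
                and (self.l2_protocol is None or frame["type"] == self.l2_protocol)
                and (self.vlan_id is None or frame.get("vlan") == self.vlan_id))

class Layer2Acl:
    def __init__(self, step: int = 5):   # default step of 5, as stated on this page
        self.step, self.rules = step, []

    def rule(self, action: str, rule_id: Optional[int] = None, **conds) -> int:
        # Assumption: without an explicit rule-id, the next multiple of the step is used.
        if rule_id is None:
            rule_id = (max((r.rule_id for r in self.rules), default=0) // self.step + 1) * self.step
        self.rules.append(Rule(rule_id, action, **conds))
        return rule_id

    def lookup(self, frame: dict) -> Optional[str]:
        # match-order config: ascending rule-id, first hit wins; None = no rule matched
        # (the service module the ACL is applied to then decides what happens).
        for r in sorted(self.rules, key=lambda r: r.rule_id):
            if r.matches(frame):
                return r.action
        return None
```

Frames are plain dicts with integer MAC addresses so constructed test frames can be fed in directly; a real deployment would additionally need the auto match order, which orders rules by precision rather than by rule-id.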

Applying a Layer 2 ACL

Context

After an ACL is configured, it must be applied to a service module so that the ACL rules can be delivered and take effect.

Usually, an ACL is applied to a traffic policy or a simplified traffic policy so that the device delivers the ACL rules globally or on an interface to filter the packets to be forwarded. An ACL can also be applied to service modules such as local attack defense.

Procedure

  1. Apply a Layer 2 ACL.

    Table 4-17 describes the application of a Layer 2 ACL.

    Table 4-17  Applying a Layer 2 ACL

    Service Category: Filtering packets to be forwarded

    Usage Scenario: The device filters received packets globally or on an interface, and then discards, modifies the priorities of, or redirects the filtered packets.

      For example, you can use an ACL to reduce the service level of bandwidth-consuming services such as P2P downloading and online video. When network congestion occurs, these packets are discarded first.

    How ACLs Are Used:

      • Simplified traffic policy: See ACL-based Simplified Traffic Policy Configuration in Huawei AR Series IOT Gateway Configuration Guide - QoS.

      • Traffic policy: See MQC Configuration in Huawei AR Series IOT Gateway Configuration Guide - QoS.

      • Packet filtering firewall: See Configuring the Packet Filtering Firewall in Huawei AR Series IOT Gateway Configuration Guide - Firewall.

      • Dynamic NAT: See Configuring Dynamic NAT in the Huawei AR Series IOT Gateway Configuration Guide - IP Services.

      • NAT server: See Configuring an Internal NAT Server in the Huawei AR Series IOT Gateway Configuration Guide - IP Services.

    Service Category: Filtering packets to be sent to the CPU

    Usage Scenario: If too many protocol packets are sent to the CPU, the CPU usage increases and CPU performance degrades. The device therefore restricts the packets that are sent to the CPU.

      For example, when a user sends a large number of ARP attack packets to the device, the CPU becomes busy and services are interrupted. You can apply an ACL to the local attack defense service and add the user to the blacklist so that the CPU discards the packets from this user.

    How ACLs Are Used:

      • Blacklist: See Configuring a Blacklist in Local Attack Defense Configuration.

Verifying a Layer 2 ACL Configuration

Procedure

  • Run the display acl { acl-number | name acl-name | all } command to check the ACL configuration.
  • Run the display time-range { all | time-name } command to view information about the time range.
Updated: 2019-08-09

Document ID: EDOC1100034236