NE20E-S2 V800R010C10SPC500 Configuration Guide - IP Services 01

Configuring a Layer 2 ACL

A Layer 2 ACL defines rules to filter packets.

Usage Scenario

Layer 2 ACLs can be used in QoS and routing policies to filter packets.

Figure 3-7 Configuring a Layer 2 ACL

As shown in Figure 3-7, a Layer 2 ACL is created on Device D to deny all packets sent to Device C from the host (MAC address 1-1-1) connected to Device A, and to permit all packets sent to Device C from the host (MAC address 2-1-1) connected to Device B.

Configuration Procedures

Figure 3-8 Flowchart for configuring a Layer 2 ACL

(Optional) Creating a Validity Period in Which an ACL Rule Takes Effect

You can create a validity period in which an ACL rule takes effect to control network traffic in a specified period.

Context

To control certain types of traffic in a specified period, you can configure the validity period of an ACL rule, which determines when the rule is applied to traffic. For example, to ensure reliable transmission of video traffic at prime time at night, limit the traffic volume of ordinary online users during that period.

After this configuration task is performed, a time range is created. Then you can specify the time range as the validity period when creating an ACL rule.

The validity period of an ACL rule can be either of the following types:

  • Absolute time range: The validity period is fixed.

  • Relative time range: The validity period repeats periodically, for example, every Monday.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run time-range time-name { start-time to end-time days &<1-7> | from time1 date1 [ to time2 date2 ] }

    The validity period of an ACL rule is created.

    • You can configure up to 256 time ranges.
    • Up to 32 relative time ranges (periodic time ranges) and 12 absolute time ranges can share one time range name.

  3. Run commit

    The configuration is committed.
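The following Python model is an added example, not part of the Huawei document, showing how the two kinds of validity period behave. It parses time-range commands in the syntax of step 2 and reports which ranges are active at a given time, enforcing the limits of 32 periodic and 12 absolute entries per name and 256 time ranges in total. The date format YYYY/MM/DD after from, the weekday keywords other than daily (which appears in the page's display output), and the rule that a range with both periodic and absolute entries is active only when both kinds match are assumptions of this example.

```python
from datetime import datetime

# Day keywords for a relative (periodic) entry.  "daily" appears in the page's display
# output; the weekday names, working-day and off-day are assumed (Monday = 0 ... Sunday = 6).
DAY_KEYWORDS = {
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
    "working-day": {0, 1, 2, 3, 4}, "off-day": {5, 6}, "daily": set(range(7)),
}
MAX_PERIODIC, MAX_ABSOLUTE = 32, 12   # entries per time-range name, from the page
MAX_TIME_RANGES = 256                 # time ranges per device, from the page


class TimeRange:
    def __init__(self, name):
        self.name = name
        self.periodic = []   # (start time, end time, set of weekdays)
        self.absolute = []   # (start datetime, end datetime or None when open-ended)

    def is_active(self, now):
        """Active when a periodic entry matches AND, if any absolute entries exist, one of
        them matches too.  Combining the two kinds with AND is an assumption of this model."""
        periodic_ok = not self.periodic or any(
            now.weekday() in days and start <= now.time() <= end
            for start, end, days in self.periodic)
        absolute_ok = not self.absolute or any(
            start <= now and (end is None or now <= end)
            for start, end in self.absolute)
        return periodic_ok and absolute_ok


def parse_time_range(ranges, line):
    """Parse one time-range command into `ranges` (name -> TimeRange) and return the entry."""
    toks = line.split()
    if len(toks) < 5 or toks[0] != "time-range":
        raise ValueError(f"not a time-range command: {line!r}")
    name = toks[1]
    if name not in ranges and len(ranges) >= MAX_TIME_RANGES:
        raise ValueError(f"no more than {MAX_TIME_RANGES} time ranges can be configured")
    tr = ranges.setdefault(name, TimeRange(name))
    if toks[2] == "from":
        # Absolute entry: from HH:MM YYYY/MM/DD [ to HH:MM YYYY/MM/DD ]  (date format assumed)
        if len(tr.absolute) >= MAX_ABSOLUTE:
            raise ValueError(f"{name}: at most {MAX_ABSOLUTE} absolute entries")
        start = datetime.strptime(f"{toks[3]} {toks[4]}", "%H:%M %Y/%m/%d")
        end = None
        if len(toks) >= 8 and toks[5] == "to":
            end = datetime.strptime(f"{toks[6]} {toks[7]}", "%H:%M %Y/%m/%d")
            if end <= start:
                raise ValueError(f"{name}: end time must be later than start time")
        tr.absolute.append((start, end))
    else:
        # Relative entry: HH:MM to HH:MM day [ day ... ]
        if len(tr.periodic) >= MAX_PERIODIC:
            raise ValueError(f"{name}: at most {MAX_PERIODIC} periodic entries")
        if toks[3] != "to" or len(toks) < 6:
            raise ValueError(f"bad periodic entry: {line!r}")
        start = datetime.strptime(toks[2], "%H:%M").time()
        end = datetime.strptime(toks[4], "%H:%M").time()
        days = set()
        for kw in toks[5:]:
            if kw not in DAY_KEYWORDS:
                raise ValueError(f"unknown day keyword {kw!r}")
            days |= DAY_KEYWORDS[kw]
        tr.periodic.append((start, end, days))
    return tr


def active_names(ranges, now):
    """Names of all time ranges active at `now`: the set an ACL evaluator would consult."""
    return {name for name, tr in ranges.items() if tr.is_active(now)}


def at(stamp):
    """Helper: 'YYYY-MM-DD HH:MM:SS' -> datetime, so callers need not import datetime."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    ranges = {}
    parse_time_range(ranges, "time-range time1 10:00 to 12:00 daily")   # the page's display example
    parse_time_range(ranges, "time-range prime 19:00 to 23:00 daily")   # constructed: night prime time
    parse_time_range(ranges, "time-range prime from 00:00 2019/1/1 to 23:59 2019/12/31")
    for stamp in ("2006-03-15 14:19:16", "2006-03-15 11:00:00", "2019-06-01 20:30:00"):
        print(stamp, sorted(active_names(ranges, at(stamp))))
```

At the page's example time (2006-3-15 14:19:16) time1 is reported inactive, matching the display time-range output; the constructed prime range is active only on 2019 evenings because its periodic and absolute entries must both match.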

Creating a Layer 2 ACL

This section describes how to create a Layer 2 ACL and how to configure the related parameters.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run acl { name link-acl-name { link | [ link ] number link-acl-number } | [ number ] link-acl-number } [ match-order { config | auto } ]

    A Layer 2 ACL is created.

    The number of a Layer 2 ACL ranges from 4000 to 4999.

  3. (Optional) Run step step

    An ACL step is set.

    An ACL step leaves gaps between rule numbers, which makes it convenient to maintain ACL rules and to insert new rules between existing ones.
    NOTE:
    Assume that a user has created four rules numbered from 1 to 4 in an ACL. The user can reconfigure the ACL step, for example, to 2 by running the step 2 command in the ACL view. The original rule numbers 1, 2, 3, and 4 are renumbered as 2, 4, 6, and 8, respectively. After that, the user can run the rule 3 command to add a rule numbered 3 between the renumbered rules 2 and 4.

  4. (Optional) Run description text

    The ACL description is configured.

    The description command configures a description for an ACL in any of the following situations:

    • A large number of ACLs are configured, and their functions are difficult to identify.
    • An ACL is used at a long interval, and its function may be forgotten.
    • Names of named ACLs cannot fully explain the ACLs' functions.

  5. Run commit

    The configuration is committed.

Configuring Rules for a Layer 2 ACL

This section describes how to configure rules for a Layer 2 ACL.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run acl { name link-acl-name { link | [ link ] number link-acl-number } | [ number ] link-acl-number } [ match-order { config | auto } ]

    The Layer 2 ACL view is displayed.

  3. Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ type type [ type-mask ] | source-mac source-mac [ source-mac-mask ] | destination-mac dest-mac [ dest-mac-mask ] | 8021p 8021p | cvlan-8021p cvlan-8021p | time-range time-name ] *

    The rules for the Layer 2 ACL are configured.

    • Adding new rules to an ACL will not affect the existing rules.

    • When an existing rule is modified and the modified contents conflict with the original contents, the modified contents take precedence.

    NOTE:
    During the configuration of rules for the Layer 2 ACL:
    • If time-range is specified, the specified time range name must exist. If the specified time range name does not exist, the ACL rules will not take effect.

  4. (Optional) Run rule description text

    The description for an ACL rule is configured.

    The description of an ACL rule can contain the functions of the ACL rule. Configuring a description for an ACL rule is recommended to prevent misuse of the rule in the following situations:
    • A large number of ACLs are configured, and their functions are difficult to identify.
    • An ACL is used at a long interval, and its function may be forgotten.

  5. Run commit

    The configuration is committed.

Applying a Layer 2 ACL

Layer 2 ACLs can be used in QoS services.

Context

Table 3-5 describes the typical applications of Layer 2 ACLs.

Table 3-5 Typical applications of Layer 2 ACLs

Typical Application: QoS

Usage Scenario: To process different types of traffic, users can configure a Layer 2 ACL to perform traffic policing, traffic shaping, or traffic classification on traffic that matches the ACL rules.

Operation: To find out more about the procedures for processing different types of traffic, see how to configure traffic policing, traffic shaping, and traffic behaviors.

Typical Cases of Applying a Layer 2 ACL

Cases of applying a Layer 2 ACL in QoS services

For example, a user configures a device as follows:
  • Configuring an Ethernet frame header-based ACL in firewall traffic behavior (packet filtering)
    acl number 4001
     rule permit 8021p 3 source-mac 1-1-1 ffff-ffff-ffff
     rule 10 deny 
    traffic classifier acl 
     if-match acl 4001
    traffic behavior test
     permit
    traffic policy test
     classifier acl behavior test
    interface GigabitEthernet0/2/0
     traffic-policy test inbound

    Matching result: Only VLAN packets whose outer VLAN tag carries 802.1p priority 3 and whose source MAC address is 1-1-1 (mask ffff-ffff-ffff, that is, an exact match on all 48 bits) are permitted.

  • Configuring an Ethernet frame header-based ACL in common traffic behavior
    acl number 4001
     rule permit 8021p 3 source-mac 1-1-1 ffff-ffff-ffff
     rule 10 deny 
    traffic classifier acl 
     if-match acl 4001
    traffic behavior test
     remark 8021p 7
    traffic policy test
     classifier acl behavior test
    interface GigabitEthernet0/2/0
     traffic-policy test inbound

    Matching result: Only VLAN packets whose outer VLAN tag carries 802.1p priority 3 and whose source MAC address is 1-1-1 (mask ffff-ffff-ffff, that is, an exact match on all 48 bits) are permitted, and the 802.1p priority of those packets is re-marked to 7.
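The following Python model is an added example, not Huawei's code, and serves the procedures above (creating an ACL, setting the step, configuring rules) together with the two QoS cases. It parses rule commands in the syntax of the rule command, renumbers existing rules when the step changes exactly as the NOTE in the creation procedure describes, evaluates a constructed frame against the rules in ascending rule-ID order using the test (frame & mask) == (value & mask), counts matches the way display acl reports them, and treats a rule whose time range is missing or inactive as not taking effect. The default step of 5 (taken from the page's display output), the assignment of an unnumbered rule to the next multiple of the step, the exact-match default when no mask is given, and the H-H-H MAC parsing are assumptions of this example.

```python
# Field keywords that may follow the action in a Layer 2 ACL rule (the page's rule syntax).
FIELD_KEYWORDS = ("type", "source-mac", "destination-mac", "8021p", "cvlan-8021p")
ALL_ONES_MAC = (1 << 48) - 1


def parse_mac(text):
    """Parse a MAC in the H-H-H form the page uses (1-1-1, ffff-ffff-ffff) into a 48-bit int."""
    parts = text.split("-")
    if len(parts) != 3 or not all(1 <= len(p) <= 4 for p in parts):
        raise ValueError(f"bad MAC address: {text!r}")
    value = 0
    for part in parts:
        value = (value << 16) | int(part, 16)
    return value


class Rule:
    def __init__(self, rule_id, action, name=None):
        self.rule_id, self.action, self.name = rule_id, action, name
        self.fields = {}      # keyword -> (value, mask); matches when frame & mask == value & mask
        self.time_range = None
        self.matched = 0      # the counter display acl shows as "(N times matched)"

    def matches(self, frame, active_time_ranges):
        # A missing or inactive time range means the rule does not take effect (page NOTE).
        if self.time_range is not None and self.time_range not in active_time_ranges:
            return False
        for field, (value, mask) in self.fields.items():
            if field not in frame:          # e.g. an untagged frame carries no 802.1p value
                return False
            if (frame[field] & mask) != (value & mask):
                return False
        return True


class Layer2Acl:
    def __init__(self, number, step=5):
        if not 4000 <= number <= 4999:
            raise ValueError("Layer 2 ACL numbers range from 4000 to 4999")
        self.number, self.step = number, step
        self.rules = {}       # rule ID -> Rule

    def set_step(self, step):
        """Renumber existing rules as multiples of the new step (page NOTE: 1,2,3,4 -> 2,4,6,8)."""
        self.step, renumbered = step, {}
        for i, rule in enumerate(sorted(self.rules.values(), key=lambda r: r.rule_id), start=1):
            rule.rule_id = i * step
            renumbered[rule.rule_id] = rule
        self.rules = renumbered

    def _next_id(self):
        # Assumption: an unnumbered rule gets the next multiple of the step above the largest ID.
        return (max(self.rules, default=0) // self.step + 1) * self.step

    def add_rule(self, line):
        """Parse one rule command; re-issuing an existing rule ID replaces that rule."""
        toks = line.split()
        if not toks or toks[0] != "rule":
            raise ValueError(f"not a rule command: {line!r}")
        i, rule_id, name = 1, None, None
        if i < len(toks) and toks[i].isdigit():
            rule_id, i = int(toks[i]), i + 1
        if i + 1 < len(toks) and toks[i] == "name":
            name, i = toks[i + 1], i + 2
        if i >= len(toks) or toks[i] not in ("permit", "deny"):
            raise ValueError(f"expected permit or deny: {line!r}")
        rule = Rule(rule_id if rule_id is not None else self._next_id(), toks[i], name)
        i += 1
        while i < len(toks):
            kw = toks[i]
            if i + 1 >= len(toks) or (kw != "time-range" and kw not in FIELD_KEYWORDS):
                raise ValueError(f"bad clause at {kw!r} in {line!r}")
            arg, i = toks[i + 1], i + 2
            if kw == "time-range":
                rule.time_range = arg
                continue
            mask_text = None  # an optional mask is the next token when it is not a keyword
            if i < len(toks) and toks[i] != "time-range" and toks[i] not in FIELD_KEYWORDS:
                mask_text, i = toks[i], i + 1
            if kw in ("source-mac", "destination-mac"):
                value = parse_mac(arg)
                mask = parse_mac(mask_text) if mask_text else ALL_ONES_MAC  # default: exact (assumed)
            elif kw == "type":
                value = int(arg, 16)
                mask = int(mask_text, 16) if mask_text else 0xFFFF
            else:             # 8021p / cvlan-8021p: a 3-bit priority, no mask accepted
                value, mask = int(arg), 0x7
                if mask_text or not 0 <= value <= 7:
                    raise ValueError(f"bad priority in {line!r}")
            rule.fields[kw] = (value, mask)
        self.rules[rule.rule_id] = rule
        return rule

    def match(self, frame, active_time_ranges=frozenset()):
        """First matching rule in ascending rule-ID order, or None when no rule matches."""
        for rule_id in sorted(self.rules):
            if self.rules[rule_id].matches(frame, active_time_ranges):
                self.rules[rule_id].matched += 1
                return self.rules[rule_id]
        return None


def make_frame(src, dst, eth_type=0x0800, p8021=None, cvlan_8021p=None):
    """Constructed sample frame holding only the header fields a Layer 2 ACL inspects."""
    frame = {"source-mac": parse_mac(src), "destination-mac": parse_mac(dst), "type": eth_type}
    if p8021 is not None:
        frame["8021p"] = p8021
    if cvlan_8021p is not None:
        frame["cvlan-8021p"] = cvlan_8021p
    return frame


def action_for(acl, frame, active_time_ranges=frozenset()):
    """'permit', 'deny', or None when no rule matches (the traffic policy then leaves it unclassified)."""
    rule = acl.match(frame, active_time_ranges)
    return rule.action if rule else None


if __name__ == "__main__":
    acl = Layer2Acl(4001)                   # the page's "acl number 4001" case
    acl.add_rule("rule permit 8021p 3 source-mac 1-1-1 ffff-ffff-ffff")
    acl.add_rule("rule 10 deny")
    for src, prio in (("1-1-1", 3), ("2-1-1", 3), ("1-1-1", 5), ("1-1-1", None)):
        print(src, prio, action_for(acl, make_frame(src, "2-1-1", p8021=prio)))
```

Two points worth noticing when running it: an untagged frame has no 802.1p value, so the permit rule cannot match it and it falls through to rule 10; and after step 2 renumbers rules 1 to 4 as 2, 4, 6, 8, a rule 3 added between them is evaluated after rule 2, so an earlier, broader rule still wins.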

Verifying the Configuration of a Layer 2 ACL

After configuring a Layer 2 ACL, verify the configuration.

Prerequisites

A Layer 2 ACL has been configured.

Procedure

  • Run the display acl { acl-number | name acl-name | all } command to check the configuration of a Layer 2 ACL.
  • Run the display time-range { time-name | all } command to check the configuration of a specified time range or all time ranges.

Example

Run the display acl command to view the ACL number, ACL rule number, ACL step, and ACL rule contents.

<HUAWEI> display acl 4000
L2 ACL 4000, 1 rule
ACL's step is 5
 rule 1 permit dest-mac 0-0-1 source-mac 0-0-2 type 0800(3 times matched)

Run the display time-range command to view the configuration and status of the current time range.

<HUAWEI> display time-range time1
Current time is 2006-3-15 14:19:16 Wednesday

Time-range : time1 ( Inactive )
 10:00 to 12:00 daily
Updated: 2019-01-02

Document ID: EDOC1100055376