Configuring a Layer 2 ACL Rule
Context
Layer 2 ACLs classify packets by matching packet information (such as source and destination MAC addresses, VLAN ID, and encapsulation type) against their rules. After an ACL is created, configure rules in the ACL.
When the device receives a packet, it matches the packet against ACL rules one by one based on the configuration order. Once the packet matches a rule in an ACL rule group, the device stops the matching process and performs the action specified in the matching rule on the packet.
Procedure
- Run system-view
The system view is displayed.
- Run acl { [ number ] acl-number | name acl-name { [ number ] acl-number | link } }
A Layer 2 ACL is created, and the Layer 2 ACL view is displayed.
The parameter acl-number specifies the number of a Layer 2 ACL. The value ranges from 4000 to 4999.
By default, no ACL is created.
- Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ type type [ type-mask ] | source-mac source-mac [ source-mac-mask ] | destination-mac dest-mac [ dest-mac-mask ] | [ ether-ii | 802.3 | snap ] | vlan vlan-id | 8021p 8021p | inner-vlan inner-vlan-id [ inner-vlan-mask ] | inner-8021p inner-8021p | double-tag | time-range time-name ] *
A Layer 2 ACL rule is configured.
When you configure a Layer 2 ACL rule:
- The CE12800E configured with ED-E, EG-E, and EGA-E series cards does not support the 802.3 parameter.
- If ether-ii | 802.3 | snap is specified, only packets with the specified encapsulation type are filtered.
- If ether-ii | 802.3 | snap is not specified, packets of all encapsulation types are filtered.
When you specify the parameter time-range to reference a time range in the ACL, the ACL cannot be bound to the specified time range if the time range named time-name does not exist.
- (Optional) Run rule rule-id description description
The description of a Layer 2 ACL rule is configured.
By default, no description is configured for an ACL rule.
A description can be configured only for a rule that has already been created.
- Run commit
The configuration is committed.
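The following is an added example, not part of the product documentation, that models how a Layer 2 ACL such as the one built by the procedure above evaluates frames: rules are checked in configuration order, and the first matching rule decides. Each rule in the model is annotated with the rule command it corresponds to. The model makes two assumptions that the page does not state: a MAC mask is treated as a bit mask in which 1 bits are compared (so an omitted mask means an exact match), and a frame that matches no rule gets a configurable default action (set to permit here). It is a teaching model, not the device's implementation.

```python
# Added example (not from the product documentation): a small model of
# Layer 2 ACL first-match evaluation, to show why rule order matters and
# how the optional source-mac / destination-mac masks and the optional
# encapsulation parameter (ether-ii | 802.3 | snap) affect matching.
from dataclasses import dataclass
from typing import List, Optional, Tuple


def mac_to_int(mac: str) -> int:
    """Convert 'hhhh-hhhh-hhhh' or 'hh:hh:hh:hh:hh:hh' notation to an integer."""
    return int(mac.replace("-", "").replace(":", ""), 16)


def mac_match(value: int, pattern: Optional[str], mask: str) -> bool:
    """Compare only the bits set in the mask (assumption: 1 bits are compared).
    A rule that does not specify the MAC field (pattern is None) matches any MAC."""
    if pattern is None:
        return True
    m = mac_to_int(mask)
    return value & m == mac_to_int(pattern) & m


@dataclass
class Frame:
    src: str
    dst: str
    vlan: int
    encapsulation: str = "ether-ii"      # "ether-ii", "802.3", or "snap"
    ether_type: Optional[int] = None     # only meaningful for Ethernet II / SNAP


@dataclass
class L2Rule:
    rule_id: int
    action: str                          # "permit" or "deny"
    source_mac: Optional[str] = None
    source_mac_mask: str = "ffff-ffff-ffff"       # omitted mask = exact match
    destination_mac: Optional[str] = None
    destination_mac_mask: str = "ffff-ffff-ffff"
    vlan: Optional[int] = None
    encapsulation: Optional[str] = None  # None = rule filters all frame types
    ether_type: Optional[int] = None     # the "type" parameter, matched exactly here

    def matches(self, f: Frame) -> bool:
        # Every parameter given in the rule must match; absent parameters are wildcards.
        if not mac_match(mac_to_int(f.src), self.source_mac, self.source_mac_mask):
            return False
        if not mac_match(mac_to_int(f.dst), self.destination_mac, self.destination_mac_mask):
            return False
        if self.vlan is not None and f.vlan != self.vlan:
            return False
        if self.encapsulation is not None and f.encapsulation != self.encapsulation:
            return False
        if self.ether_type is not None and f.ether_type != self.ether_type:
            return False
        return True


def evaluate(acl: List[L2Rule], frame: Frame, default: str = "permit") -> Tuple[str, Optional[int]]:
    """Walk the rules in configuration order and stop at the first match.
    Returns (action, rule_id); rule_id is None when the default action applies
    (the default action is an assumption of this model, not taken from the page)."""
    for rule in acl:
        if rule.matches(frame):
            return rule.action, rule.rule_id
    return default, None


# Constructed sample ACL, written the way the rule command above would create it.
SAMPLE_ACL = [
    # rule 5 deny source-mac 0000-5e00-0100 ffff-ffff-ff00 vlan 10
    L2Rule(5, "deny", source_mac="0000-5e00-0100", source_mac_mask="ffff-ffff-ff00", vlan=10),
    # rule 10 permit type 0806 ether-ii      (ARP over Ethernet II only)
    L2Rule(10, "permit", ether_type=0x0806, encapsulation="ether-ii"),
    # rule 15 permit vlan 10
    L2Rule(15, "permit", vlan=10),
]


def demo() -> List[Tuple[str, Optional[int]]]:
    """Evaluate a few constructed frames against SAMPLE_ACL."""
    frames = [
        # Source MAC falls inside the masked range of rule 5: denied by rule 5 even
        # though rule 10 would permit the ARP frame, because rule 5 is checked first.
        Frame("0000-5e00-0123", "ffff-ffff-ffff", 10, "ether-ii", 0x0806),
        # Byte 5 differs (0xab vs 0x01) under the ff byte of the mask: rule 5 does not
        # match, rule 10 does not match (type 0x0800), rule 15 permits by VLAN.
        Frame("0000-5e00-ab01", "ffff-ffff-ffff", 10, "ether-ii", 0x0800),
        # VLAN 20, 802.3 encapsulation: no rule matches, so the default action applies.
        Frame("0000-5e00-ab01", "ffff-ffff-ffff", 20, "802.3"),
        # 802.3 frame in VLAN 10 from the denied range: rule 5 names no encapsulation
        # type, so it filters frames of every encapsulation type.
        Frame("0000-5e00-0177", "0100-5e00-0001", 10, "802.3"),
    ]
    return [evaluate(SAMPLE_ACL, f) for f in frames]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The first frame is the case a defender should keep in mind when adding rules: a later permit never takes effect for traffic that an earlier rule already denies, so a new rule's rule-id (and therefore its position) is part of its meaning, not a label.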