Licensing Requirements and Limitations for ACLs
Involved Network Elements
No other network elements are required.
Licensing Requirements
ACL is a basic function of the switch, and as such is controlled by the license for basic software functions. The license for basic software functions has been loaded and activated before delivery. You do not need to manually activate it.
Version Requirements
| Product Model | Minimum Version Required |
|---|---|
| CE12804/CE12808/CE12812 | V100R001C00 |
| CE12816 | V100R003C00 |
| CE12804S/CE12808S | V100R005C00 |
| CE12804E/CE12808E/CE12816E | V200R002C50 |
For details about the mapping between software versions and switch models, see the Hardware Query Tool.
Software version evolution: V100R001C00 -> V100R002C00 -> V100R003C00 -> V100R003C10 -> V100R005C00 -> V100R005C10 -> V100R006C00 -> V200R001C00 -> V200R002C50 -> V200R003C00 -> V200R005C00 -> V200R005C10 -> V200R019C00 -> V200R019C10
Feature Limitations
- Deleting an ACL validity time range makes the ACLs that use it invalid. Exercise caution when performing this operation.
- In the VXLAN scenario of the CE12800, when the destination port number of a UDP packet is 4789, the ACL rule cannot match the destination and source port numbers of this packet. In the non-VXLAN scenario, when the destination port number of a UDP packet is 65535, the ACL rule cannot match the destination and source port numbers of this packet.
- Many services that are not configured with ACL rules also occupy ACL resources. You can run the display system tcam acl resource service brief command to view the ACL resources occupied by services.
- If an ACL rule contains a Layer 4 port number, the switch does not match fragmented packets. Fragmented packets may be discarded by an ACL rule that does not contain a Layer 4 port number. To prevent fragmented packets from being discarded, you can configure a rule to allow fragmented packets to pass through.
Example:

```text
rule 5 permit udp source x.x.x.x 0 source-port eq xxx
rule 10 deny ip
```

With this ACL, subsequent fragments of the UDP traffic that rule 5 is meant to permit carry no Layer 4 header, so they do not match rule 5 and are discarded by rule 10, which may cause service failures.

To avoid this, use the following ACL configuration, in which rule 10 explicitly permits fragments before the final deny:

```text
rule 5 permit udp source x.x.x.x 0 source-port eq xxx
rule 10 permit ip fragment-type fragment
rule 15 deny ip
```
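The following model, an added example that is not part of the Huawei documentation, evaluates the two ACLs above against a first fragment and a subsequent fragment to show why the first ACL drops fragments and the second does not. The address 10.1.1.1, UDP port 5000 and the "unmatched traffic is permitted" default are constructed assumptions standing in for the page's x.x.x.x and xxx.

```python
# Added example, not from the Huawei CloudEngine documentation.
# A subsequent fragment carries no Layer 4 header, so its ports are None.
def make_packet(proto, src_ip, src_port=None, dst_port=None, fragment=False):
    return {"proto": proto, "src_ip": src_ip, "src_port": src_port,
            "dst_port": dst_port, "fragment": fragment}

def rule_matches(rule, pkt):
    """Mirror the documented behaviour: a rule with a Layer 4 port never
    matches a subsequent fragment (no L4 header to compare), and
    'fragment-type fragment' matches only non-first fragments."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if rule.get("src_ip") not in (None, pkt["src_ip"]):
        return False
    if rule.get("src_port") is not None:
        if pkt["fragment"]:                 # no ports in a later fragment
            return False
        if pkt["src_port"] != rule["src_port"]:
            return False
    if rule.get("fragment_type") == "fragment" and not pkt["fragment"]:
        return False
    return True

def acl_action(rules, pkt):
    """Evaluate rules in ascending rule-id order; the first match wins."""
    for rule in sorted(rules, key=lambda r: r["id"]):
        if rule_matches(rule, pkt):
            return rule["action"]
    return "permit"   # assumption of this model: unmatched traffic passes

# Constructed rule sets mirroring the two ACLs in the text (10.1.1.1 and
# port 5000 are placeholders for x.x.x.x and xxx).
BROKEN_ACL = [
    {"id": 5, "action": "permit", "proto": "udp", "src_ip": "10.1.1.1", "src_port": 5000},
    {"id": 10, "action": "deny", "proto": "ip"},
]
FIXED_ACL = [
    {"id": 5, "action": "permit", "proto": "udp", "src_ip": "10.1.1.1", "src_port": 5000},
    {"id": 10, "action": "permit", "proto": "ip", "fragment_type": "fragment"},
    {"id": 15, "action": "deny", "proto": "ip"},
]

FIRST_FRAGMENT = make_packet("udp", "10.1.1.1", src_port=5000, dst_port=53)
LATER_FRAGMENT = make_packet("udp", "10.1.1.1", fragment=True)

def demo():
    """Return {acl_name: (action on first fragment, action on later fragment)}."""
    return {name: (acl_action(acl, FIRST_FRAGMENT), acl_action(acl, LATER_FRAGMENT))
            for name, acl in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL))}

if __name__ == "__main__":
    for name, (first, later) in demo().items():
        print(f"{name}: first fragment -> {first}, later fragment -> {later}")
```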