Configuring a Layer 2 ACL

Prerequisites

If you need to configure a time-based ACL, create a time range and associate the time range with the ACL rules. For details, see (Optional) Creating a Time Range in Which an ACL Takes Effect.

Context

A Layer 2 ACL defines rules to filter traffic based on Ethernet frame information, such as source MAC addresses, destination MAC addresses, VLAN IDs, and Layer 2 protocol types.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Create a Layer 2 ACL. You can create a numbered or named ACL.

    • Run the acl [ number ] acl-number [ match-order { auto | config } ] command to create a numbered Layer 2 ACL (4000-4999) and enter the Layer 2 ACL view.

    • Run the acl name acl-name { link | acl-number } [ match-order { auto | config } ] command to create a named Layer 2 ACL and enter the Layer 2 ACL view.

    By default, no ACL exists on the device.

    If the parameter match-order is not specified when you create an ACL, the default matching order config is used. For details about the ACL matching order, see ACL Matching.

    The default step of a created ACL is 5. If the default step cannot meet your ACL configuration requirements, you can change the step value. For details about the step, see ACL Increment; for configuration of the step, see Adjusting the Increment of ACL Rules.

  3. (Optional) Run description text

    A description is configured for the ACL.

    By default, an ACL has no description.

    The ACL description helps you understand and remember the functions or purpose of an ACL.

  4. Run rule [ rule-id ] { permit | deny } [ [ ether-ii | 802.3 | snap ] | l2-protocol type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value | cvlan-id cvlan-id [ cvlan-id-mask ] | cvlan-8021p 802.1p-value | double-tag | time-range time-name ] *

    Rules are configured in the Layer 2 ACL.

    The S2720-EI, S5720I-SI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720S-SI, S5720-SI, S5735-S, S5735-S-I, and S5735S-S do not support cvlan-id cvlan-id [ cvlan-id-mask ], cvlan-8021p 802.1p-value, and double-tag.

    The S6720-LI, S5730-SI, S5730S-EI, S6720S-LI, S6720-SI, and S6720S-SI do not support cvlan-8021p 802.1p-value.

    In this example, only one permit or deny rule is configured. In actual configuration, you can configure multiple rules and decide the matching order of the rules according to service requirements.

    For details about the time range, source/destination MAC addresses and their wildcard masks, VLAN IDs and their masks, see ACLs Supported by Switches and Common Matching Conditions. Configuring rules for a Layer 2 ACL provides a rule configuration example.

  5. (Optional) Run rule rule-id description description

    A description is configured for the ACL rules.

    By default, an ACL rule has no description.

    The ACL rule description helps you understand and remember the functions or purpose of an ACL rule.

    You can configure descriptions for only the existing rules on the device. That is, you cannot configure a description for a rule before creating it.

Follow-up Procedure

After an ACL is configured, it must be applied to a service module so that the ACL rules can be delivered and take effect. For supported service modules and configurations, see Applying an ACL.

Configuration Examples

Configuring rules for a Layer 2 ACL
  • Configuring packet filtering rules based on the source MAC address, destination MAC address, and Layer 2 protocol types

    To allow ARP packets with the specified destination and source MAC addresses, and Layer 2 protocol type to pass, configure a rule in a Layer 2 ACL. For example, to allow ARP packets with the destination MAC address of 0000-0000-0001, source MAC address of 0000-0000-0002, and Layer 2 protocol type of 0x0806 to pass, configure the following rule in ACL 4001.
    <HUAWEI> system-view
    [HUAWEI] acl 4001
    [HUAWEI-acl-L2-4001] rule permit destination-mac 0000-0000-0001 source-mac 0000-0000-0002 l2-protocol 0x0806
    
    To reject PPPoE packets with the specified Layer 2 protocol type, configure a rule in a Layer 2 ACL. To reject PPPoE packets with the Layer 2 protocol type of 0x8863, configure the following rule in ACL 4001.
    <HUAWEI> system-view
    [HUAWEI] acl 4001
    [HUAWEI-acl-L2-4001] rule deny l2-protocol 0x8863
  • Configuring a packet filtering rule based on the source MAC address segment and inner VLAN IDs

    To reject packets from the specified MAC address segments in a VLAN, configure a rule in a Layer 2 ACL. For example, to reject packets from the source MAC address segment 00e0-fc01-0000 to 00e0-fc01-ffff in VLAN 10, configure the following rule in the Layer 2 ACL deny-vlan10-mac.
    <HUAWEI> system-view
    [HUAWEI] acl name deny-vlan10-mac link
    [HUAWEI-acl-L2-deny-vlan10-mac] rule deny vlan-id 10 source-mac 00e0-fc01-0000 ffff-ffff-0000
  • Configuring a time-based ACL rule

    For details, see Configuring a time-based ACL rule in Configuring a Basic ACL.
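The following Python model is an added illustration of how the rules configured above are evaluated; it is not Huawei code and does not reproduce VRP behaviour exactly. It parses rule lines in the syntax used in the configuration examples (destination-mac, source-mac, l2-protocol, vlan-id), auto-assigns rule IDs as multiples of the ACL step (default 5), and matches constructed sample frames in config order (ascending rule ID). The assumed mask semantics follow the example above: a 1 bit in a MAC or VLAN mask means that bit must be equal, so ffff-ffff-0000 covers 00e0-fc01-0000 to 00e0-fc01-ffff, and an omitted mask means an exact match. What happens when no rule matches is left to the service module the ACL is applied to, so the model returns None in that case.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Illustrative model of Layer 2 ACL rule matching (not Huawei code).
MAC_RE = re.compile(r"^[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}$")
MAC_ALL = 0xFFFFFFFFFFFF  # mask used for an exact MAC match when none is given (assumed)


def mac_to_int(mac: str) -> int:
    """Huawei notation 'hhhh-hhhh-hhhh' -> 48-bit integer."""
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC notation: {mac}")
    return int(mac.replace("-", ""), 16)


@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    l2_protocol: int               # EtherType, e.g. 0x0806 (ARP), 0x8863 (PPPoE discovery)
    vlan_id: Optional[int] = None  # None = untagged frame


@dataclass
class Rule:
    rule_id: int
    action: str                        # 'permit' or 'deny'
    dst_mac: Optional[tuple] = None    # (value, mask) or None if the condition is not specified
    src_mac: Optional[tuple] = None
    l2_protocol: Optional[tuple] = None
    vlan_id: Optional[tuple] = None

    def matches(self, f: Frame) -> bool:
        """Every specified condition must match under its mask (1 bit = must be equal, assumed)."""
        checks = [(self.dst_mac, mac_to_int(f.dst_mac)),
                  (self.src_mac, mac_to_int(f.src_mac)),
                  (self.l2_protocol, f.l2_protocol),
                  (self.vlan_id, f.vlan_id)]
        for cond, actual in checks:
            if cond is None:
                continue  # condition not configured: matches anything
            value, mask = cond
            if actual is None or (actual & mask) != (value & mask):
                return False
        return True


class Layer2ACL:
    def __init__(self, name: str, step: int = 5):
        self.name, self.step = name, step
        self.rules: dict[int, Rule] = {}

    def _next_rule_id(self) -> int:
        # Auto-assigned IDs are multiples of the step: 5, 10, 15, ... with the default step.
        if not self.rules:
            return self.step
        return (max(self.rules) // self.step + 1) * self.step

    def add_rule(self, line: str) -> Rule:
        """Parse one 'rule [rule-id] { permit | deny } ...' line (only the keywords used in the
        page's examples) and store it; a rule with an existing rule-id replaces the old one."""
        t = line.split()
        if t[0] != "rule":
            raise ValueError("line must start with 'rule'")
        i, rule_id = 1, None
        if t[i].isdigit():
            rule_id, i = int(t[i]), i + 1
        action, i = t[i], i + 1
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action}")
        rule = Rule(rule_id if rule_id is not None else self._next_rule_id(), action)
        while i < len(t):
            kw, i = t[i], i + 1
            if kw in ("destination-mac", "source-mac"):
                value, mask, i = mac_to_int(t[i]), MAC_ALL, i + 1
                if i < len(t) and MAC_RE.match(t[i]):              # optional MAC mask
                    mask, i = mac_to_int(t[i]), i + 1
                setattr(rule, "dst_mac" if kw == "destination-mac" else "src_mac", (value, mask))
            elif kw in ("l2-protocol", "vlan-id"):
                full = 0xFFFF if kw == "l2-protocol" else 0xFFF    # exact match if no mask
                value, mask, i = int(t[i], 0), full, i + 1
                if i < len(t) and t[i].lower().startswith("0x"):   # optional hex mask (assumed form)
                    mask, i = int(t[i], 16), i + 1
                setattr(rule, kw.replace("-", "_"), (value, mask))
            else:
                raise ValueError(f"keyword {kw} is not handled in this model")
        self.rules[rule.rule_id] = rule
        return rule

    def first_match(self, f: Frame) -> Optional[Rule]:
        """'config' match order: try rules in ascending rule-id order; the first hit decides.
        None means no rule matched; the outcome then depends on the applying service module."""
        for rid in sorted(self.rules):
            if self.rules[rid].matches(f):
                return self.rules[rid]
        return None


def build_page_acls() -> dict:
    """The two ACLs from the configuration examples above, built from their rule lines."""
    acl4001 = Layer2ACL("4001")
    acl4001.add_rule("rule permit destination-mac 0000-0000-0001 source-mac 0000-0000-0002 l2-protocol 0x0806")
    acl4001.add_rule("rule deny l2-protocol 0x8863")
    named = Layer2ACL("deny-vlan10-mac")
    named.add_rule("rule deny vlan-id 10 source-mac 00e0-fc01-0000 ffff-ffff-0000")
    return {"4001": acl4001, "deny-vlan10-mac": named}


if __name__ == "__main__":
    acls = build_page_acls()
    # Constructed sample frames, not captured traffic.
    samples = [Frame("0000-0000-0001", "0000-0000-0002", 0x0806),
               Frame("ffff-ffff-ffff", "0000-0000-0002", 0x8863),
               Frame("ffff-ffff-ffff", "00e0-fc01-1234", 0x0800, vlan_id=10)]
    for name, acl in acls.items():
        for f in samples:
            r = acl.first_match(f)
            print(name, f, "->", f"rule {r.rule_id} {r.action}" if r else "no match")
```

Running the block shows that the ARP frame hits rule 5 (permit) in ACL 4001, the PPPoE frame falls through rule 5 and hits rule 10 (deny), and the frame from 00e0-fc01-1234 in VLAN 10 is denied by the named ACL while the same frame untagged or in another VLAN matches nothing.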

Copyright © Huawei Technologies Co., Ltd.