
Example for Using User-Defined ACLs to Filter the Specified Packets

Networking Requirements

As shown in Figure 1, users are connected to the Switch through GE0/0/1. The Switch needs to discard certain packets (with four bytes following the 14th byte in the Layer 2 header being 0x0180C200) sent by users.

Figure 1 Using user-defined ACLs to filter the specified packets

Configuration Roadmap

The following configurations are performed on the Switch. The configuration roadmap is as follows:

  1. Configure a user-defined ACL and an ACL-based traffic classifier to filter certain packets (with four bytes following the 14th byte in the Layer 2 header being 0x0180C200).
  2. Configure a traffic behavior to discard the packets matching the ACL.
  3. Configure and apply a traffic policy to make the ACL and traffic behavior take effect.

Procedure

  1. Configure an ACL.

    # Configure a user-defined ACL.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] acl 5000
    [Switch-acl-user-5000] rule deny l2-head 0x0180C200 0xFFFFFFFF 14
    [Switch-acl-user-5000] quit

  2. Create a traffic classifier based on the user-defined ACL.

    # Configure the traffic classifier tc1 to classify packets that match ACL 5000.

    [Switch] traffic classifier tc1
    [Switch-classifier-tc1] if-match acl 5000
    [Switch-classifier-tc1] quit

  3. Configure a traffic behavior.

    # Configure the traffic behavior tb1 to reject packets.

    [Switch] traffic behavior tb1
    [Switch-behavior-tb1] deny
    [Switch-behavior-tb1] quit

  4. Configure a traffic policy.

    # Define the traffic policy, and associate the traffic classifier and traffic behavior with the traffic policy.

    [Switch] traffic policy tp1
    [Switch-trafficpolicy-tp1] classifier tc1 behavior tb1
    [Switch-trafficpolicy-tp1] quit

  5. Apply the traffic policy to an interface.

    # Apply the traffic policy to the inbound direction of GE0/0/1.

    [Switch] interface gigabitethernet 0/0/1
    [Switch-GigabitEthernet0/0/1] traffic-policy tp1 inbound
    [Switch-GigabitEthernet0/0/1] quit

  6. Verify the configuration.

    # Check the configuration of the ACL rule.

    [Switch] display acl 5000
    User ACL 5000, 1 rule
    Acl's step is 5
     rule 5 deny 0x0180c200 0xffffffff 14

    # Check the configuration of the traffic classifier.

    [Switch] display traffic classifier user-defined
      User Defined Classifier Information:
       Classifier: tc1
        Operator: OR
        Rule(s) : if-match acl 5000

    Total classifier number is 1

    # Check the configuration of the traffic policy.

    [Switch] display traffic policy user-defined tp1
      User Defined Traffic Policy Information:
      Policy: tp1
       Classifier: tc1
        Operator: OR
         Behavior: tb1
          Deny
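    The following is an added example, not Huawei code or output from the page. It models what the rule rule deny l2-head 0x0180C200 0xFFFFFFFF 14 compares, using the semantics the page describes: take the four bytes at offset 14 from the start of the Layer 2 header, keep only the bits set in the mask, and compare the result with the value. The frames, the 14-byte Ethernet header layout, first-match rule evaluation and the forward-by-default handling of unclassified traffic are assumptions made for the model. It goes slightly beyond the page by also showing a partial mask (0xFFFFFF00), which compares only the first three bytes.

```python
# Added example (not Huawei's code): a small model of what a user-defined ACL
# rule such as "rule deny l2-head 0x0180C200 0xFFFFFFFF 14" compares, so the
# value/mask/offset semantics can be checked against constructed frames.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class L2HeadRule:
    """One l2-head rule: compare the 4 bytes at `offset` from the start of the
    Layer 2 header against `value`, considering only the bits set in `mask`."""
    action: str   # "deny" or "permit"
    value: int    # 32-bit match value, e.g. 0x0180C200
    mask: int     # 32-bit mask; 0xFFFFFFFF compares all four bytes exactly
    offset: int   # byte offset from the start of the Layer 2 header

    def matches(self, frame: bytes) -> bool:
        # A frame too short to contain the 4-byte field cannot match the rule.
        if len(frame) < self.offset + 4:
            return False
        field = int.from_bytes(frame[self.offset:self.offset + 4], "big")
        return (field & self.mask) == (self.value & self.mask)


def user_acl_action(rules: List[L2HeadRule], frame: bytes) -> Optional[str]:
    """Action of the first rule that matches (assumed first-match order), or
    None when no rule matches, i.e. the ACL does not classify the packet."""
    for rule in rules:
        if rule.matches(frame):
            return rule.action
    return None


def policy_decision(rules: List[L2HeadRule], frame: bytes) -> str:
    """Mirror the page's policy: classifier tc1 (if-match acl 5000) bound to
    behavior tb1 (deny); traffic the classifier does not match is forwarded."""
    return "drop" if user_acl_action(rules, frame) == "deny" else "forward"


def build_frame(payload: bytes) -> bytes:
    """Constructed Ethernet frame: 6-byte destination, 6-byte source and a
    2-byte type/length field (14 bytes), so the payload starts at offset 14."""
    dst = bytes.fromhex("ffffffffffff")     # constructed broadcast destination
    src = bytes.fromhex("001122334455")     # constructed source MAC
    type_or_len = len(payload).to_bytes(2, "big")
    return dst + src + type_or_len + payload


# ACL 5000 exactly as configured on the page.
ACL_5000 = [L2HeadRule("deny", 0x0180C200, 0xFFFFFFFF, 14)]

# Constructed sample frames.
FRAME_MATCH = build_frame(bytes.fromhex("0180c200") + b"\x00" * 40)  # bytes 14..17 == 0x0180C200
FRAME_NEAR = build_frame(bytes.fromhex("0180c2ff") + b"\x00" * 40)   # last byte differs
FRAME_SHORT = build_frame(b"")                                        # nothing at offset 14

# Same value with a partial mask: the last byte is not compared.
ACL_PARTIAL_MASK = [L2HeadRule("deny", 0x0180C200, 0xFFFFFF00, 14)]

if __name__ == "__main__":
    for name, frame in [("match", FRAME_MATCH), ("near", FRAME_NEAR), ("short", FRAME_SHORT)]:
        print(f"{name}: {policy_decision(ACL_5000, frame)}")
    print("near with mask 0xFFFFFF00:", policy_decision(ACL_PARTIAL_MASK, FRAME_NEAR))
```

    Running the script shows the frame whose bytes 14 to 17 are 0x0180C200 being dropped, the frame that differs only in the last byte being forwarded under the full mask but dropped under the partial mask, and the frame with no data at offset 14 never matching. The last case is worth keeping in mind when checking a rule with display acl: a rule that never matches is usually one whose offset points past the bytes the packets actually carry.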

Configuration Files

Switch configuration file

#
sysname Switch
#
acl number 5000
 rule 5 deny 0x0180c200 0xffffffff 14
#
traffic classifier tc1 operator or
 if-match acl 5000
#
traffic behavior tb1
 deny
#
traffic policy tp1 match-order config
 classifier tc1 behavior tb1
#
interface GigabitEthernet0/0/1
 traffic-policy tp1 inbound
#
return
Copyright © Huawei Technologies Co., Ltd.