
Configuring ACL-based Packet Filtering

Context

ACL-based packet filtering allows the device to permit or reject packets matching ACL rules to control network traffic.

Both the traffic-filter and traffic-secure commands filter packets. Choose between them using the following rules:
  • If the ACL referenced by the traffic-filter or traffic-secure command is not referenced by any other ACL-based simplified traffic policy, and no packet matches both the packet-filtering ACL and an ACL used by a simplified traffic policy, either the traffic-filter or the traffic-secure command can be used.

  • If the ACL referenced by the traffic-filter or traffic-secure command is referenced by other ACL-based simplified traffic policies, or packets match both ACLs associated with packet filtering and simplified traffic policies, the differences between the traffic-filter and traffic-secure commands are as follows:

    • On the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S, when the traffic-secure command and other ACL-based simplified traffic policies are configured simultaneously, and the ACL defines the deny action, only the traffic-secure, traffic-mirror, and traffic-statistics commands take effect and packets are filtered.

    • On the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S, when the traffic-secure command and other ACL-based simplified traffic policies are configured simultaneously, and the ACL defines the permit action, the traffic-secure command and other ACL-based simplified traffic policies take effect.

    • On the S2720-EI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, S5720-SI, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI, when the traffic-secure and traffic-redirect commands are configured simultaneously, regardless of whether the ACL defines the deny or permit action, only the traffic-redirect command takes effect.

    • On the S2720-EI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, S5720-SI, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI, when the traffic-secure and other ACL-based simplified traffic policies except traffic-redirect are configured simultaneously, and the ACL defines the deny action, only the traffic-secure, traffic-mirror, and traffic-statistics commands take effect and packets are filtered.

    • On the S2720-EI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, S5720-SI, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI, when the traffic-secure command and other ACL-based simplified traffic policies except traffic-redirect are configured simultaneously, and the ACL defines the permit action, the traffic-secure command and other ACL-based simplified traffic policies take effect.

    • When the traffic-filter command and other ACL-based simplified traffic policies are configured simultaneously, and the ACL defines the deny action, only the traffic-filter, traffic-mirror, and traffic-statistics commands take effect and packets are filtered.

    • When the traffic-filter command and other ACL-based simplified traffic policies are configured simultaneously, and the ACL defines the permit action, the traffic policy that was configured first takes effect.

If an ACL rule defines deny and a traffic-filter based on that ACL is applied in the outbound direction on the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735-S-I, S5735S-S, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S, then control packets of ICMP, OSPF, BGP, RIP, SNMP, and Telnet sent by the CPU are also discarded when they match the ACL rule. This affects the corresponding protocol functions.

When ACL-based packet filtering is implemented in the system or in a VLAN, the ACL number is in the range of 2000 to 5999. When ACL-based packet filtering is implemented for user access control on the NAC network, the ACL number is in the range of 6000 to 9999. See traffic-filter acl.

Procedure

  • Configuring packet filtering globally or in a VLAN
    1. Run system-view

      The system view is displayed.

    2. Run the following commands as required.

      • Run traffic-filter [ vlan vlan-id ] inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ]

        The device is configured to filter incoming packets matching an ACL.

      • Run traffic-secure [ vlan vlan-id ] inbound acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]

        The device is configured to filter incoming packets matching an ACL.

      • Run traffic-filter [ vlan vlan-id ] outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ]

        The device is configured to filter outgoing packets matching an ACL.

      • Run traffic-filter [ vlan vlan-id ] { inbound | outbound } acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

        Or run traffic-filter [ vlan vlan-id ] { inbound | outbound } acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]

        The device is configured to filter packets matching Layer 2 and Layer 3 ACLs.

      • Run traffic-secure [ vlan vlan-id ] inbound acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

        The device is configured to filter incoming packets matching Layer 2 and Layer 3 ACLs.

  • Configuring packet filtering on an interface
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run the following commands as required.

      • Run traffic-filter inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ]

        The device is configured to filter incoming packets matching an ACL.

      • Run traffic-secure inbound acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]

        The device is configured to filter incoming packets matching an ACL.

      • Run traffic-filter outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ]

        The device is configured to filter outgoing packets matching an ACL.

      • Run traffic-filter { inbound | outbound } acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

        Or run traffic-filter { inbound | outbound } acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]

        The device is configured to filter packets matching Layer 2 and Layer 3 ACLs.

      • Run traffic-secure inbound acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

        The device is configured to filter incoming packets matching Layer 2 and Layer 3 ACLs.
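The procedure above, worked through as an added example that is not part of the original page: an advanced ACL (3000 to 3999) denies Telnet from one subnet toward a gateway address and is then applied once in a VLAN and once on an interface. The ACL number, VLAN ID, interface name and addresses are constructed; the `display traffic-filter applied-record` check is assumed to be available on these switches.

```text
#
# Step 1: advanced ACL 3001 blocks Telnet from the user subnet to the
# gateway and permits all other IP traffic (values are constructed).
<HUAWEI> system-view
[HUAWEI] acl number 3001
[HUAWEI-acl-adv-3001] rule 5 deny tcp source 10.10.20.0 0.0.0.255 destination 10.10.1.1 0 destination-port eq telnet
[HUAWEI-acl-adv-3001] rule 10 permit ip
[HUAWEI-acl-adv-3001] quit
#
# Step 2a: filter incoming traffic in VLAN 20 from the system view.
# The filter is applied inbound on purpose: with a deny rule applied
# outbound, the listed S5720/S5730/S5731/S5732/S5735/S6720/S6730 models
# also discard CPU-originated ICMP, OSPF, BGP, RIP, SNMP and Telnet packets.
[HUAWEI] traffic-filter vlan 20 inbound acl 3001
#
# Step 2b: alternatively, apply the same ACL on the access interface
# that faces the user subnet.
[HUAWEI] interface GigabitEthernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] traffic-filter inbound acl 3001
[HUAWEI-GigabitEthernet0/0/1] quit
#
# Step 3: confirm where the packet filter is applied (command assumed).
[HUAWEI] display traffic-filter applied-record
```

Keep ACL 3001 dedicated to packet filtering; if it is also referenced by another simplified traffic policy, the precedence rules in the Context section decide which command takes effect.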

Copyright © Huawei Technologies Co., Ltd.