Licensing Requirements and Limitations for ACLs
Involved Network Elements
Other network elements are not required.
Licensing Requirements
ACL is a basic feature of a switch and is not under license control.
Feature Support in V200R019C10
All models of S2720, S5700, and S6700 series switches support ACL.
For details about software mappings, visit Hardware Query Tool and search for the desired product model.
Feature Limitations
- S5720-HI, S5720-EI, S6720-EI, S6720S-EI, S5720I-SI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S: all versions
- S2720-EI, S5710-X-LI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5720S-SI, S5730-SI, S5730S-EI, S6720-LI, S6720S-LI, S6720-SI, and S6720S-SI: V200R012C00 and later versions
- S6700-EI, S5700-HI, S5710-HI, and S5710-EI: V200R005
If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.
Repeated ACL names can only be used between basic ACL and basic ACL6, and between advanced ACL and advanced ACL6.
The match order of an ACL affects packet matching results. Therefore, consider the match order when configuring rules. If the match-order parameter is not specified when you create an ACL, the default match order config is used.
To associate a time range with an ACL rule, ensure that the system time of the switch is the same as that of other devices on the network; otherwise, the rule cannot take effect. The time-name must already exist; otherwise, the rule cannot be bound to the time range.
Apply an ACL to a correct direction of an interface. If an ACL is applied to an inbound direction of an interface, the switch matches the packets received by this interface against ACL rules; if an ACL is applied to an outbound direction of an interface, the switch matches the packets sent by this interface against ACL rules.
- If an ACL rule defines deny and ACL-based traffic policy or ACL-based traffic-filter is applied to the outbound direction on the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S, control packets of ICMP, OSPF, BGP, RIP, SNMP, and Telnet sent by the CPU are discarded. This affects relevant protocol functions.
When WLAN service is configured on the switch, the switch can deliver only the following types of ACL rules to APs:
- Rules 0-127 of advanced ACLs 3000-3031
- Rules 0-127 of Layer 2 ACLs 4000-4031 (supported in V200R011C10 and later versions)
- Rules 0-127 of user ACLs 6000-6031
- In V200R013 and later versions, when an ACL6 numbered 3000-3031 is configured on a switch that supports the WLAN AC function, the switch automatically delivers the ACL to the APs connected to the switch.
- When a rule is automatically delivered to an AP, the time range field is not supported. Support for other rules varies according to specific AP models. The rules containing fields that are supported by the switch but not APs will not be delivered to APs. For details about the rules supported by APs, see the AP product documentation at http://e.huawei.com.
- When an ACL is applied to a physical interface configured with a sub-interface, the ACL also takes effect on the sub-interface.
When deleting ACL rules:
The undo rule command deletes an ACL rule even if the ACL rule is referenced. (If a simplified traffic policy references a specified rule in an ACL, this command does not take effect.) Before deleting a rule, ensure that the rule is not being referenced.
ACL resource allocation mode:
To configure the ACL resource allocation mode for the S5720-HI, run the assign resource-template acl-mode command.
ACL support is the same for a stack as for a standalone device. The ACL configuration on the active switches is propagated to all standby and slave switches in the stack.