ACLs help accurately identify and control packets on the network to manage network access behavior, prevent network attacks, and improve bandwidth use efficiency.
An ACL is an ordered set of one or more rules, each describing packet matching conditions such as the source address, destination address, protocol, and port number. The ACL classifies packets according to those rules; when the ACL is applied on a switch, the switch permits or denies matching packets according to the action (permit or deny) of the rule they match. For example, an ACL can be configured to reject Telnet login requests from all terminals, or to allow all terminals to send email through the switch using the Simple Mail Transfer Protocol (SMTP).
Based on how their rules are defined, ACLs are classified into basic ACLs, basic ACL6s, advanced ACLs, advanced ACL6s, Layer 2 ACLs, and user-defined ACLs.
This section describes only level-1 ACLs. For level-2 ACLs, see ACL.
Table 1 describes the ACL categories by rule definition method.
| Category | IP Version | Rule Definition Description | Number Range |
|---|---|---|---|
| Basic ACL | IPv4 | Rules are defined based on the source IP address, fragmentation information, and validity time range of packets. | 2000-2999 |
| Layer 2 ACL | IPv4 and IPv6 | Rules are defined based on Ethernet frame header fields of packets, such as the source MAC address, destination MAC address, and Layer 2 protocol type. | 4000-4999 |
| Basic ACL6 | IPv6 | Rules are defined based on the source IPv6 address, fragmentation information, and validity time range of packets. | 2000-2999 |
Configure ACL 2001 to permit packets with the source address 192.168.32.1. The trailing 0 is the wildcard mask (0 means the bit must match, 1 means "don't care"), so this rule matches only that single host; a wildcard of 0.0.0.255 would match the whole 192.168.32.0/24 range.

```
<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule permit source 192.168.32.1 0
```
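The following Python model, added here as an illustration and not Huawei code, shows how the rule matching described above works: a wildcard mask whose bits are 1 is "don't care", rules are checked in configuration order and the first rule whose conditions all match decides the packet, and an unmatched packet gets a default action. It replays the page's ACL 2001 example and a constructed advanced-style ACL (number 3001, the Telnet-deny and SMTP-permit case from the introduction). The rule syntax it parses, the `Packet` fields, and the default action of `permit` are simplified assumptions for the demonstration, not the switch's exact behaviour.

```python
"""Toy ACL evaluator (added example, not Huawei code).

Rules carry match conditions: source address + wildcard mask, an
optional protocol and an optional destination port.  Wildcard bits
set to 1 are 'don't care', so 'source 192.168.32.1 0' is an exact
host match and 'source 192.168.32.0 0.0.0.255' matches a whole /24.
The first matching rule in configuration order decides the packet.
Rule syntax, field names and the default action are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def _addr(s: str) -> int:
    # The CLI accepts a bare 0 as shorthand for the 0.0.0.0 wildcard.
    return int(s) if s.isdigit() else int(IPv4Address(s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit the wildcard leaves as 0."""
    w = _addr(wildcard)
    return (_addr(addr) | w) == (_addr(base) | w)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str          # "tcp", "udp", "icmp", ...
    dst_port: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" or "deny"
    source: str = "0.0.0.0"
    wildcard: str = "255.255.255.255"    # any source address
    protocol: Optional[str] = None       # None or "ip" = any protocol
    dst_port: Optional[int] = None       # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.protocol not in (None, "ip") and self.protocol != pkt.protocol:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return wildcard_match(pkt.src, self.source, self.wildcard)


def parse_rule(line: str) -> Rule:
    """Parse 'rule [id] permit|deny [proto] [source A W|any] [destination-port eq N]'."""
    tok = line.split()
    if not tok or tok[0] != "rule":
        raise ValueError(f"not a rule: {line!r}")
    i = 2 if tok[1].isdigit() else 1            # optional numeric rule id
    action = tok[i]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    i += 1
    protocol = None
    if i < len(tok) and tok[i] in ("ip", "tcp", "udp", "icmp"):
        protocol, i = tok[i], i + 1
    source, wildcard, dst_port = "0.0.0.0", "255.255.255.255", None
    while i < len(tok):
        if tok[i] == "source" and tok[i + 1] == "any":
            i += 2
        elif tok[i] == "source":
            source, wildcard, i = tok[i + 1], tok[i + 2], i + 3
        elif tok[i] == "destination-port" and tok[i + 1] == "eq":
            dst_port, i = int(tok[i + 2]), i + 3
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r} in {line!r}")
    return Rule(action, source, wildcard, protocol, dst_port)


class Acl:
    def __init__(self, number: int, default: str = "permit"):
        self.number = number
        self.default = default        # assumed action when no rule matches
        self.rules: List[Rule] = []

    def add(self, line: str) -> None:
        self.rules.append(parse_rule(line))

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, index of the first matching rule, or None)."""
        for idx, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return rule.action, idx
        return self.default, None


def build_acl_2001() -> Acl:
    acl = Acl(2001)
    acl.add("rule permit source 192.168.32.1 0")      # the page's example
    return acl


def build_telnet_filter() -> Acl:
    # Constructed advanced-style ACL: deny Telnet, permit SMTP from one subnet.
    acl = Acl(3001, default="deny")
    acl.add("rule 5 deny tcp source any destination-port eq 23")
    acl.add("rule 10 permit tcp source 10.0.0.0 0.0.0.255 destination-port eq 25")
    return acl


if __name__ == "__main__":
    acl = build_acl_2001()
    for src in ("192.168.32.1", "192.168.32.2"):
        print(src, acl.evaluate(Packet(src, "10.0.0.1", "tcp", 80)))
```

The two constructed results worth noticing: with ACL 2001 the host 192.168.32.2 matches no rule and falls through to the default action, so whether it is actually filtered depends on what the feature that references the ACL does with unmatched traffic; and in ACL 3001 the order of rules 5 and 10 matters only when a packet could match both, which is why a deny for Telnet placed first cannot be undone by a broader permit later.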