ACLs identify and control packets on the network so that a switch can manage network access, block unwanted traffic, and use bandwidth more efficiently.
An ACL is a set of one or more rules, each describing packet matching conditions such as the source address, destination address, and port number. The ACL classifies packets according to these rules; when the ACL is applied on a switch, the switch permits or denies each packet according to the rule it matches. For example, an ACL can be configured to reject Telnet login requests from all terminals, or to allow every terminal to send email to the switch over SMTP.
Based on rule functions, ACLs are classified into basic ACLs, basic ACL6s, advanced ACLs, advanced ACL6s, Layer 2 ACLs, and user-defined ACLs.
This section describes only level-2 ACLs. For level-1 ACLs, see ACL.
Table 1 describes the ACL classification by rule definition method.

Category | IP Version | Rule Definition Description | Number Range
---|---|---|---
Advanced ACL | IPv4 | Defines rules based on source IPv4 addresses, destination IPv4 addresses, IPv4 protocol type, ICMP types, TCP source/destination port numbers, UDP source/destination port numbers, and time ranges. | 3000-3999
User-defined ACL | IPv4 and IPv6 | Defines rules based on packet headers, offsets, character string masks, and user-defined character strings. The device takes the packet bytes starting at a given offset behind the packet header, performs an AND operation on them with the character string mask, and compares the result against the user-defined character string. | 5000-5999
Advanced ACL6 | IPv6 | Defines rules based on source IPv6 addresses, destination IPv6 addresses, IPv6 protocol type, ICMPv6 type, TCP source/destination port numbers, UDP source/destination port numbers, and time ranges. | 3000-3999
Configure advanced ACL 3000 with a rule that matches (permits) ICMP packets.

<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 1 permit icmp
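The following is an added example, not Huawei code and not part of the original page. It models how the two rule types in Table 1 classify packets: an advanced rule matches on protocol, addresses and ports (the `acl 3000` / `rule 1 permit icmp` case above, plus the Telnet-deny and SMTP-permit cases from the overview), and a user-defined rule ANDs the bytes at an offset with a mask and compares the result with a string. Everything here is constructed for illustration: the sample packets, the hypothetical ACL 5000 that reproduces "permit icmp" by testing byte 9 of the IPv4 header, the assumption that the raw bytes start at the IPv4 header, and the assumption that rules are tried in list (configuration) order with the first match winning. The action taken when no rule matches depends on where the ACL is applied on a real device, so it is a parameter rather than a hard-coded default.

```python
"""Added example: toy evaluator for advanced and user-defined ACL rules.
Not Huawei code; it models the matching described in Table 1."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Union


@dataclass
class Packet:
    """Constructed packet: parsed header fields plus the raw bytes.
    Assumption: raw starts at the IPv4 header (no Ethernet header)."""
    src: str
    dst: str
    proto: int                       # IP protocol number: 1 ICMP, 6 TCP, 17 UDP
    sport: Optional[int] = None
    dport: Optional[int] = None
    raw: bytes = b""


@dataclass
class AdvancedRule:
    """Advanced ACL rule (3000-3999 style); a field left as None is a wildcard."""
    action: str                      # "permit" or "deny"
    proto: Optional[int] = None
    src: Optional[str] = None        # CIDR, e.g. "10.0.0.0/24"
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        for want, have in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if want is not None and ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


@dataclass
class UserDefinedRule:
    """User-defined ACL rule (5000-5999 style): AND the bytes at `offset`
    with `mask`, then compare the result with `value`."""
    action: str
    offset: int
    mask: bytes
    value: bytes

    def matches(self, pkt: Packet) -> bool:
        window = pkt.raw[self.offset:self.offset + len(self.mask)]
        if len(window) < len(self.mask):
            return False                 # packet too short to contain the field
        masked = bytes(b & m for b, m in zip(window, self.mask))
        return masked == self.value


Rule = Union[AdvancedRule, UserDefinedRule]


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins, in list order (assumption: configuration order).
    `default` applies when nothing matches; on a real device that depends on
    where the ACL is applied, so it is a parameter here."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed minimal IPv4 header (no options, checksum left zero) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr + payload


# Constructed sample traffic from one host toward the switch at 10.0.0.1.
PING = Packet("10.0.0.5", "10.0.0.1", 1,
              raw=ipv4_packet("10.0.0.5", "10.0.0.1", 1, b"\x08\x00\x00\x00\x00\x01\x00\x01"))
TELNET = Packet("10.0.0.5", "10.0.0.1", 6, sport=40000, dport=23,
                raw=ipv4_packet("10.0.0.5", "10.0.0.1", 6, struct.pack("!HH", 40000, 23)))
SMTP = Packet("10.0.0.5", "10.0.0.1", 6, sport=40001, dport=25,
              raw=ipv4_packet("10.0.0.5", "10.0.0.1", 6, struct.pack("!HH", 40001, 25)))
DNS = Packet("10.0.0.5", "10.0.0.1", 17, sport=5353, dport=53,
             raw=ipv4_packet("10.0.0.5", "10.0.0.1", 17, struct.pack("!HH", 5353, 53)))

# Mirrors "acl 3000 / rule 1 permit icmp", extended with the Telnet-deny and
# SMTP-permit cases mentioned in the overview.
ACL_3000 = [
    AdvancedRule("permit", proto=1),
    AdvancedRule("deny", proto=6, dport=23),
    AdvancedRule("permit", proto=6, dport=25),
]

# Hypothetical user-defined ACL 5000 equivalent to "permit icmp": byte 9 of
# the IPv4 header is the protocol field; mask 0xff, expected value 0x01.
ACL_5000 = [UserDefinedRule("permit", offset=9, mask=b"\xff", value=b"\x01")]

if __name__ == "__main__":
    for name, pkt in (("ping", PING), ("telnet", TELNET), ("smtp", SMTP), ("dns", DNS)):
        print(f"{name:6s} acl3000={evaluate(ACL_3000, pkt)} acl5000={evaluate(ACL_5000, pkt)}")
```

The user-defined rule deliberately refuses to match a packet shorter than offset plus mask length; a matcher that silently compared an empty window against an empty string would "match" on truncated packets, which is the kind of edge case an attacker probes when an ACL is the only thing in front of a management plane.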