filter-policy acl

Function

The filter-policy acl command configures an interface to filter users based on ACL rules.

The undo filter-policy acl command restores the default configuration.

By default, the BAS interface does not filter users based on ACL rules.

This command is supported only on the NetEngine 8000 F1A.

Format

filter-policy acl acl-number { dhcp | ppp } *

undo filter-policy acl [ dhcp | ppp ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| acl-number | Specifies the ACL number. | The value is an integer ranging from 4000 to 4999. |
| dhcp | Indicates DHCP users. | - |
| ppp | Indicates PPP users. | - |

Views

BAS interface view (GE), BAS interface view (VE), BAS interface view (trunk)

Default Level

2: Configuration level

Task Name and Operations

| Task Name | Operations |
|---|---|
| ppp | write |

Usage Guidelines

Usage Scenario

When DHCP or PPP users go online from a BAS interface, run the filter-policy acl command to match users' source MAC addresses against ACL rules. The users whose MAC addresses match ACL rules are allowed to log in.

Prerequisites

The access-type command has been run on the BAS interface.

Configuration Impact

If ACL rules are applied more than once to users of the same type, the latest configuration overrides the previous one.

Precautions

The command configures the device to filter users based on source MAC addresses, and only rules related to source MAC addresses can be configured in the ACL policy.

Because IP addresses are assigned to DHCP users based on the MAC addresses contained in user DHCP packets, the filter-policy acl dhcp command filters users based on the source MAC addresses contained in the DHCP packets, rather than those contained in the Ethernet headers. The command therefore cannot filter out attackers whose MAC addresses in Ethernet headers are inconsistent with those contained in their DHCP packets. To protect the device from this kind of attack, run the dhcp check chaddr enable command.
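The comparison that paragraph describes can be reproduced offline on captured frames. The following is an added example, not Huawei code and not a description of how the device implements dhcp check chaddr enable: it parses a DHCPv4 client request and reports whether the Ethernet source MAC matches the chaddr field. The function names and the sample MAC addresses are constructed for illustration.

```python
import struct

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def check_chaddr(frame: bytes):
    """Return (eth_src, chaddr, consistent) for an unrelayed DHCPv4 client
    request, or None if the frame is not one."""
    if len(frame) < 14:
        return None
    eth_src, off = frame[6:12], 12
    if frame[off:off + 2] == b"\x81\x00":      # skip a single 802.1Q tag
        off += 4
    if frame[off:off + 2] != b"\x08\x00":      # IPv4 only (DHCPv4)
        return None
    ip = frame[off + 2:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 17:   # protocol 17 = UDP
        return None
    udp = ip[(ip[0] & 0x0F) * 4:]
    if len(udp) < 8 or struct.unpack("!HH", udp[:4]) != (68, 67):
        return None                            # not client -> server
    bootp = udp[8:]
    # op=1 BOOTREQUEST, htype=1 Ethernet, hlen=6; giaddr at 24..27, chaddr at 28
    if len(bootp) < 34 or bootp[:3] != b"\x01\x01\x06":
        return None
    if bootp[24:28] != bytes(4):               # relayed: eth_src is the relay's MAC
        return None
    chaddr = bootp[28:34]
    return mac_str(eth_src), mac_str(chaddr), eth_src == chaddr

def build_discover(eth_src: bytes, chaddr: bytes) -> bytes:
    """Constructed sample input: minimal DHCPDISCOVER frame, checksums left zero."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 0, 0x12345678, 0, 0x8000,
                        bytes(4), bytes(4), bytes(4), bytes(4), chaddr.ljust(16, b"\0"))
    bootp += bytes(192) + b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff"
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp
    return b"\xff" * 6 + eth_src + b"\x08\x00" + ip

if __name__ == "__main__":
    permitted = bytes.fromhex("020000000001")  # constructed: MAC an ACL rule would match
    other = bytes.fromhex("0200000000aa")      # constructed: a different sending NIC
    for src in (permitted, other):
        print(check_chaddr(build_discover(src, permitted)))
```

In the second frame the chaddr would still match a source-MAC ACL rule even though the frame was sent from a different Ethernet address, which is the case the ACL alone does not catch.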

The filter-policy acl ppp command applies to PPPoE and L2TP users.

ACL filtering for PPP users takes effect on PPPoE packets regardless of whether the type field is configured in the ACL.

The ACL filtering configuration for DHCP users takes effect only for DHCPv4 packets, regardless of whether the type field is configured in the ACL.

Example

# Configure the BAS interface GE0/1/1.1 to filter DHCP users based on ACL rule 4000 and to filter PPP users based on ACL rule 4200.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet0/1/1.1
[*HUAWEI-GigabitEthernet0/1/1.1] commit
[~HUAWEI-GigabitEthernet0/1/1.1] bas
[~HUAWEI-GigabitEthernet0/1/1.1-bas] access-type layer2-subscriber
[*HUAWEI-GigabitEthernet0/1/1.1-bas] commit
[~HUAWEI-GigabitEthernet0/1/1.1-bas] filter-policy acl 4000 dhcp
[~HUAWEI-GigabitEthernet0/1/1.1-bas] filter-policy acl 4200 ppp
Copyright © Huawei Technologies Co., Ltd.