Huawei quidway s3526 series Getting Started page 414

Command Manual - QoS/ACL
Quidway S3500 Series Ethernet Switches
Note:
The Layer-3 ACL includes the advanced ACL.
In the description of the rules: MAC is a MAC address, PORT is a switch port,
IP is a host IP address, ANY is any MAC address in a Layer-2 ACL or any IP
address in a Layer-3 ACL, and NET is a segment IP address. The MAC, IP, ANY, NET
and PORT before the "-" character represent the source address or receiving port;
those after it represent the destination address or transmitting port.
MAC-MAC stands for a Layer-2 ACL rule from a source MAC address to a destination
MAC address, such as "rule 0 permit ingress 00e0-fc01-0101 1 egress
00e0-fc01-0102 1 time-range huawei".
PORT-PORT stands for a Layer-2 ACL rule from the receiving Ethernet port to the
sending Ethernet port, such as "rule 0 permit ingress interface ethernet0/1 egress interface
ethernet 0/2 time-range huawei".
MAC-PORT stands for a Layer-2 ACL rule from a source MAC address to the sending
Ethernet port, such as "rule 0 permit ingress 00e0-fc01-0101 1 egress interface
ethernet 0/1 time-range huawei".
IP-IP stands for a Layer-3 ACL rule from a source host IP address to a destination
host IP address (the wildcard parameter can only be 0), such as "rule 0 permit ip source
1.1.1.1 0 destination 2.2.2.2 0 time-range huawei".
NET-NET stands for a Layer-3 ACL rule from a source segment IP address to a destination
segment IP address (the wildcard parameter cannot be 0), such as "rule 0 permit ip
source 1.1.1.1 0.0.255.255 destination 2.2.2.2 0.0.255.255 time-range huawei".
MAC-any stands for a Layer-2 ACL rule from a source MAC address to any destination
MAC address, such as "rule 0 permit ingress 00e0-fc01-0101 1 egress any
time-range huawei". The any-MAC, IP-any, any-IP, NET-any and any-NET rules follow
the same pattern.
For a MAC-MAC rule, the source and destination MAC addresses must be
configured in the same VLAN. That is, configure the same VLAN ID for the source
and destination MAC addresses when defining the ACL.
For IP-any, any-IP, NET-any and any-NET rules, the S3526 does not support
packet filtering of special protocols. When defining these types of rules on the
S3526, you can configure the protocol type only as IP (the value of the protocol
parameter in the rule command can only be IP). Otherwise, an error message is
returned when you confirm the rule.
IP-IP and MAC-MAC rules work in both directions: when the user defines a
rule to filter packets from a source address to a destination address, the rule also
filters packets from the destination address to the source address. IP-any, any-IP,
NET-any, any-NET, MAC-any and any-MAC rules work only in the one
direction that the user defined.
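The Layer-3 part of this note can be turned into a small audit check that labels each rule line with its type, the direction behaviour stated above, and the S3526 protocol restriction. This is an added example, not code from the manual; the function names are hypothetical, and it assumes that a Layer-3 rule writes the "any" side as the keyword any (or omits it), that deny is accepted alongside permit, and that a wildcard of 0.0.0.0 is equivalent to 0.

```python
# Added example: classify Layer-3 ACL rule lines by the types in the note above.
ONE_WAY_IP_ONLY = {"IP-any", "any-IP", "NET-any", "any-NET"}

def side(tokens, keyword):
    """Return 'IP', 'NET' or 'any' for the address that follows keyword."""
    if keyword not in tokens:
        return "any"            # assumption: an omitted side matches any address
    i = tokens.index(keyword)
    if i + 1 >= len(tokens):
        raise ValueError(f"no address after {keyword!r}")
    if tokens[i + 1] == "any":  # assumption: 'any' keyword in Layer-3 rules
        return "any"
    if i + 2 >= len(tokens):
        raise ValueError(f"no wildcard after {keyword!r} address")
    # Wildcard 0 selects a single host (IP); anything else is a segment (NET).
    return "IP" if tokens[i + 2] in ("0", "0.0.0.0") else "NET"

def classify(rule):
    """Return (rule_type, direction, warnings) for one Layer-3 rule line."""
    tokens = rule.split()
    if len(tokens) < 4 or tokens[0] != "rule" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not a rule line: {rule!r}")
    protocol = tokens[3]
    kind = side(tokens, "source") + "-" + side(tokens, "destination")
    warnings = []
    if kind == "IP-IP":
        direction = "both"
        warnings.append("also filters destination-to-source traffic")
    elif kind in ONE_WAY_IP_ONLY:
        direction = "one"
        if protocol != "ip":
            warnings.append("S3526 rejects protocol %r for %s rules" % (protocol, kind))
    else:
        direction = "unstated"  # the note gives no direction for this type
    return kind, direction, warnings

# Two rules quoted in the note, then two constructed ones.
SAMPLES = [
    "rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0 time-range huawei",
    "rule 0 permit ip source 1.1.1.1 0.0.255.255 destination 2.2.2.2 0.0.255.255 time-range huawei",
    "rule 1 deny tcp source 10.0.0.5 0 destination any",
    "rule 2 permit ip source any destination 192.168.0.0 0.0.255.255",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "<-", line)
```

The "both" result is the one to review in an audit: an IP-IP rule written for one direction also applies to the return traffic.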
Huawei Technologies Proprietary
1-12
Chapter 1 ACL Commands
