Introduction to the ACL; Classification of ACLs Supported by the S9300 - Huawei Quidway S9300 Configuration Manual

11 ACL Configuration

11.1 Introduction to the ACL

This section describes the basic concepts and parameters of an ACL.
To filter packets, a set of rules needs to be configured on the S9300 to determine which data
packets can pass through. These rules are defined in an ACL.
An ACL is an ordered series of rules, each of which is a permit or deny clause. A clause is
described in terms of the source address, destination address, port number, and other fields of a
packet. The ACL classifies packets according to these rules, in order. After the rules are applied to
the interfaces on the S9300, the S9300 can determine which packets are accepted and which are
rejected.

11.2 Classification of ACLs Supported by the S9300

This section describes the classification of ACLs supported by the S9300.

NOTE
In this manual, the ACL refers to the access control list that is used to filter IPv4 packets, and the ACL6 refers
to the access control list that is used to filter IPv6 packets.

Classification of ACLs

The S9300 supports basic ACLs, advanced ACLs, and Ethernet frame header ACLs for IPv4
packets.

- Basic ACLs: classify packets according to their source address, fragmentation flag, and
  effective time range.
- Advanced ACLs: classify packets in finer detail according to the source address, destination
  address, source port number, destination port number, protocol type, precedence, and
  effective time range.
- Frame header-based ACLs: classify packets according to the source MAC address,
  destination MAC address, and protocol type.

The S9300 supports basic ACL6s and advanced ACL6s for IPv6 packets.

- A basic ACL6 can use the source IPv6 address, fragmentation flag, and effective time range
  as the elements of its rules.
- An advanced ACL6 can use the source and destination IPv6 addresses, the protocol type
  carried by IPv6, protocol-specific features such as the source port number and destination
  port number, and the ICMPv6 type and ICMPv6 code as the elements of its rules.

Application of ACLs

ACLs defined on the S9300 can be applied in the following scenarios:

- Hardware-based application: the ACL is delivered to the hardware. For example, when QoS
  is configured, the ACL is referenced to classify packets. Note that when the ACL is referenced
  by QoS, packets matching a rule in deny mode are discarded regardless of the traffic behavior.
  If the action of the matching rule is permit, the packets are processed by the S9300
  according to the action defined by the traffic behavior in QoS. For details on the traffic
  behavior, see the Quidway S9300 Terabit Routing Switch Configuration Guide - QoS.

Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
Quidway S9300 Terabit Routing Switch Configuration Guide - Security
Issue 06 (2010-01-08)
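The ACL types and the hardware-based (QoS) application described in this section, as an added configuration example that is not part of the original manual. It is written in the VRP command syntax documented for the S9300 ACL and QoS command references; the time-range name, ACL numbers, classifier, behavior and policy names, addresses and the interface are chosen for illustration, and the exact keyword forms (for example the ICMPv6 type name and the Layer 2 protocol value) are assumptions to be checked against the device's own command reference before use. It shows one ACL of each type, then binds the advanced ACL to a traffic policy so that the deny/permit semantics of the Hardware-based application paragraph take effect on an interface:

```text
#
time-range office-hours 08:00 to 18:00 working-day
#
acl number 2001
 rule 5 permit source 10.1.1.0 0.0.0.255 time-range office-hours
 rule 10 deny source 10.1.1.0 0.0.0.255
#
acl number 3001
 rule 5 deny ip fragment
 rule 10 deny tcp destination 192.168.10.20 0 destination-port eq 23
 rule 15 permit tcp source 10.1.1.0 0.0.0.255 destination 192.168.10.20 0 destination-port eq 443
 rule 20 permit udp source 10.1.1.0 0.0.0.255 destination 192.168.10.53 0 destination-port eq 53
#
acl number 4001
 rule 5 permit source-mac 0000-5e00-0101 ffff-ffff-ffff
 rule 10 deny l2-protocol 0x0806
#
acl ipv6 number 2001
 rule 5 permit source 2001:db8:1::/64
#
acl ipv6 number 3001
 rule 5 permit icmpv6 source 2001:db8:1::/64 destination 2001:db8:2::20/128 icmp6-type echo
 rule 10 permit tcp source 2001:db8:1::/64 destination 2001:db8:2::20/128 destination-port eq 443
#
traffic classifier c-server
 if-match acl 3001
#
traffic behavior b-server
 remark dscp af31
#
traffic policy p-edge
 classifier c-server behavior b-server
#
interface GigabitEthernet 1/0/1
 traffic-policy p-edge inbound
#
```

ACL 2001 (basic, 2000-2999) matches on source address and time range only: rule 5 is active only during the time range, so outside office hours the same hosts fall through to rule 10 and are denied. ACL 3001 (advanced, 3000-3999) adds destination, protocol and port matching; rule 5 drops non-initial fragments first, because a non-initial fragment carries no TCP/UDP header and would otherwise slip past the port-based rules that follow. ACL 4001 (Layer 2, 4000-4999) matches on MAC address and Ethernet type; note that a MAC mask of ffff-ffff-ffff means every bit is compared, the opposite of the IPv4 wildcard, where 0.0.0.255 means the last octet is ignored. The ACL6 variants use prefix lengths instead of wildcards and, for the advanced one, an ICMPv6 type. Rules are evaluated in rule-ID order (the default match-order config), and the first matching rule wins. Once ACL 3001 is referenced by the classifier, a packet that hits a deny rule (5 or 10) is discarded in hardware no matter what the traffic behavior says, a packet that hits a permit rule (15 or 20) is re-marked with DSCP AF31, and a packet that matches no rule at all is not matched by the classifier and is forwarded unchanged; an ACL used this way therefore has no implicit deny, and an explicit final deny rule must be added if unmatched traffic is to be dropped.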
