Introduction To The Acl; Classification Of Acls Supported By The S3700 - Huawei Quidway S3700 Series Configuration Manual

Quidway S3700 Series Ethernet Switches
Configuration Guide - Security

10.1 Introduction to the ACL

This section describes the basic concepts and parameters of an ACL.
To filter packets, a set of rules must be configured on the S3700 to determine which data packets
are allowed through. These rules are defined in an ACL.
An ACL is an ordered series of rules composed of permit and deny clauses. The clauses are
described in terms of the source address, destination address, port number, and other fields of a
packet. The ACL classifies packets according to these rules. After the rules are applied to the
S3700, the S3700 can determine which received packets to accept and which to reject.

10.2 Classification of ACLs Supported by the S3700

This section describes the classification of ACLs supported by the S3700.

NOTE
In this manual, the ACL refers to the access control list that is used to filter IPv4 packets, and the ACL6 refers
to the access control list that is used to filter IPv6 packets.

Classification of ACLs
The S3700 supports basic ACLs, advanced ACLs, Layer 2 ACLs and user-defined ACLs for IPv4
packets.
• Basic ACLs: classify and define data packets according to their source addresses,
fragmentation flag, and effective time range.
• Advanced ACLs: classify and define data packets at a finer granularity according to the source
address, destination address, source port number, destination port number, protocol type,
precedence, and effective time range.
• Layer 2 ACLs: classify and define data packets according to the source MAC address,
destination MAC address, and protocol type.
• User-defined ACLs: classify and define data packets according to rules that the user defines.
The S3700 supports basic ACL6s and advanced ACL6s for IPv6 packets.
• A basic ACL6 can use the source IP address, fragmentation flag, and effective time range
as the elements of rules.
• An advanced ACL6 can use the source IP address and destination IP address of data packets,
the protocol type carried by IP, features of that protocol such as the source port number and
destination port number, and the ICMPv6 type and ICMPv6 code as the elements of rules.

Application of ACLs
ACLs defined on the S3700 can be applied in the following scenarios:
• Hardware-based application: The ACL is delivered to the hardware. For example, when QoS is
configured, the ACL is imported to classify packets. Note that when the ACL is imported
by QoS, packets matching an ACL rule in deny mode are discarded. If the action in
the ACL is permit, packets matching the ACL are processed by the
S3700 according to the action defined by the traffic behavior in QoS. For details on the

Issue 01 (2011-07-15) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 10 ACL Configuration 224
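The match fields of the basic, advanced and Layer 2 ACL classes and the ordered permit/deny evaluation described in this section, as a small simulation. This is an added example and is not code from the manual or from the S3700 itself: it models the documented behaviour in Python (rules are checked in order and the first match wins; when the ACL is imported by QoS, a deny match discards the packet and a permit match hands it to the traffic behavior). The `Packet` and `Rule` types, the rule-builder functions, the `hour` field standing in for a time range, the sample addresses, and the choice to forward a packet that matches no rule unchanged are all assumptions of this example, not statements of the manual.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, List, Optional

@dataclass
class Packet:
    """Fields an ACL rule can match on (constructed for this example)."""
    src_ip: str = "0.0.0.0"
    dst_ip: str = "0.0.0.0"
    protocol: str = "ip"      # "tcp", "udp", "icmp" or "ip" (any)
    src_port: int = 0
    dst_port: int = 0
    precedence: int = 0       # IP precedence, 0..7
    fragment: bool = False    # True for a non-first fragment
    src_mac: str = "00:00:00:00:00:00"
    dst_mac: str = "00:00:00:00:00:00"
    ethertype: int = 0x0800   # Layer 2 protocol type
    hour: int = 12            # hour of day; stands in for the time-range check

@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    match: Callable[[Packet], bool]

def _in_time_range(p: Packet, hours) -> bool:
    return hours is None or hours[0] <= p.hour < hours[1]

def basic_rule(action, source=None, fragment=None, hours=None) -> Rule:
    """Basic ACL: source address, fragmentation flag, effective time range."""
    net = IPv4Network(source) if source else None
    def m(p):
        return ((net is None or IPv4Address(p.src_ip) in net)
                and (fragment is None or p.fragment == fragment)
                and _in_time_range(p, hours))
    return Rule(action, m)

def advanced_rule(action, source=None, destination=None, protocol=None,
                  src_port=None, dst_port=None, precedence=None, hours=None) -> Rule:
    """Advanced ACL: adds destination, ports, protocol and precedence."""
    snet = IPv4Network(source) if source else None
    dnet = IPv4Network(destination) if destination else None
    def m(p):
        return ((snet is None or IPv4Address(p.src_ip) in snet)
                and (dnet is None or IPv4Address(p.dst_ip) in dnet)
                and (protocol is None or p.protocol == protocol)
                and (src_port is None or p.src_port == src_port)
                and (dst_port is None or p.dst_port == dst_port)
                and (precedence is None or p.precedence == precedence)
                and _in_time_range(p, hours))
    return Rule(action, m)

def l2_rule(action, src_mac=None, dst_mac=None, ethertype=None) -> Rule:
    """Layer 2 ACL: source MAC, destination MAC, protocol type."""
    def m(p):
        return ((src_mac is None or p.src_mac.lower() == src_mac.lower())
                and (dst_mac is None or p.dst_mac.lower() == dst_mac.lower())
                and (ethertype is None or p.ethertype == ethertype))
    return Rule(action, m)

def evaluate(acl: List[Rule], packet: Packet) -> Optional[str]:
    """Ordered evaluation: the first rule that matches decides; None if no rule matches."""
    for rule in acl:
        if rule.match(packet):
            return rule.action
    return None

def qos_apply(acl: List[Rule], packet: Packet, behavior: Callable[[Packet], str]) -> str:
    """ACL imported by QoS: deny match -> discard, permit match -> traffic behavior.
    A packet matching no rule is forwarded unchanged here (assumption of this example)."""
    verdict = evaluate(acl, packet)
    if verdict == "deny":
        return "discard"
    if verdict == "permit":
        return behavior(packet)
    return "forward"

# Constructed sample ACLs.
DENY_LAN_TELNET = advanced_rule("deny", source="10.1.1.0/24", protocol="tcp", dst_port=23)
PERMIT_WEB = advanced_rule("permit", protocol="tcp", dst_port=80)
PERMIT_ANY_TCP = advanced_rule("permit", protocol="tcp")
BASIC_ACL = [basic_rule("deny", source="192.168.0.0/16", fragment=True),
             basic_rule("permit", source="192.168.0.0/16", hours=(8, 18))]
L2_ACL = [l2_rule("deny", src_mac="00:11:22:33:44:55"),
          l2_rule("permit", ethertype=0x0800)]

def remark(p: Packet) -> str:
    return "remark"   # stands in for a QoS traffic behavior such as re-marking

def classify_samples() -> dict:
    telnet = Packet(src_ip="10.1.1.7", dst_ip="10.2.2.1", protocol="tcp", src_port=40000, dst_port=23)
    web = Packet(src_ip="10.1.1.7", dst_ip="10.2.2.1", protocol="tcp", src_port=40001, dst_port=80)
    dns = Packet(src_ip="10.1.1.7", dst_ip="10.2.2.1", protocol="udp", src_port=40002, dst_port=53)
    return {
        "telnet": qos_apply([DENY_LAN_TELNET, PERMIT_WEB], telnet, remark),   # deny -> discard
        "web": qos_apply([DENY_LAN_TELNET, PERMIT_WEB], web, remark),         # permit -> behavior
        "dns": qos_apply([DENY_LAN_TELNET, PERMIT_WEB], dns, remark),         # no match
        "frag": evaluate(BASIC_ACL, Packet(src_ip="192.168.3.4", fragment=True)),
        "after_hours": evaluate(BASIC_ACL, Packet(src_ip="192.168.3.4", hour=22)),
        "bad_mac": evaluate(L2_ACL, Packet(src_mac="00:11:22:33:44:55")),
        # Rule order matters: a broad permit placed first shadows the later deny.
        "permit_first": evaluate([PERMIT_ANY_TCP, DENY_LAN_TELNET], telnet),
        "deny_first": evaluate([DENY_LAN_TELNET, PERMIT_ANY_TCP], telnet),
    }

if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:13s} -> {verdict}")
```

The last two entries are the practical point of "orderly rules": the same two rules give opposite verdicts depending on their order, so a permit-any placed ahead of a specific deny silently disables it.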
