Operation Manual – ACL
Quidway S3900 Series Ethernet Switches-Release 1510 Chapter 1 ACL Configuration
Huawei Technologies Proprietary
1-1
Chapter 1 ACL Configuration
1.1 ACL Overview
An access control list (ACL) is used primarily to identify traffic flows. In order to filter
data packets, a series of match rules must be configured on the network device to
identify the packets to be filtered. After the specific packets are identified, and based on
the predefined policy, the network device can permit/prohibit the corresponding packets
to pass.
ACLs classify packets based on a series of match conditions, which can be the source
addresses, destination addresses and port numbers carried in the packets.
The packet match rules defined by ACLs can be referenced by other functions that
need to differentiate traffic flows, such as the definition of traffic classification rules in
QoS.
According to the application purpose, ACLs fall into the following four types:
z Basic ACL: rules are made based on the L3 source IP addresses only.
z Advanced ACL: rules are made based on the L3 and L4 information such as the
source and destination IP addresses of the data packets, the type of protocol over
IP, protocol-specific features, and so on.
z Layer 2 ACL: rules are made based on the Layer 2 information such as the source
and destination MAC address information, VLAN priority, Layer 2 protocol, and so
on.
z User-defined ACL: such rules specify a byte in the packet, by its offset from the
packet header, as the starting point to perform logical AND operations, and
compare the extracted string with the user-defined string to find the matching
packets for processing.
1.1.1 Ways to Apply ACL on a Switch
I. ACLs activated directly on the hardware
In the switch, an ACL can be directly activated on the switch hardware for packet
filtering and traffic classification in the data forwarding process. In this case, the match
order of multiple rules in an ACL is determined by the hardware of the switch, and any
user-defined match order, even if it is configured when the ACL is defined, will not work.
ACLs are directly activated on the switch hardware in the following situations: the
switch references ACLs to implement the QoS functions, and the forwards data through
ACLs.
To Next Page
Loading...
Need help?
General