ACL

An ACL classifies packets according to matching rules. The rules can be source addresses, destination addresses, or the port numbers of the packets.

Context

ACLs are classified into the following types:

Basic ACL: matching packets based on source IP addresses at Layer 3.
Advanced ACL: matching packets based on the Layer 3 or Layer 4 information of packets, such as source IP addresses, destination IP addresses, type of the protocol over IP, and the protocol feature.
Layer 2 ACL: matching packets based on Layer 2 information of packets, such as source MAC addresses, destination MAC addresses, VLAN priorities, and the Layer 2 protocol type.

Procedure

Query an ACL.
1. Choose ACL > ACL in the navigation tree to open the ACL Configuration page.
2. Set the search criteria.
3. Click Query to display all matching records.

Create an ACL.

Choose ACL > ACL in the navigation tree to open the ACL Configuration page.
Click New to open the Create ACL page.

Click the ACL tab.

Table 1 describes the parameters on the page.

**Table 1** Create ACL
Parameter		Description
ACL Type		Indicates the ACL type, including: Basic ACL Advanced ACL Layer 2 ACL
IP Version		To create an IPv4 or IPv6 ACL, click the IPv4 or IPv6 check box. NOTE: If you select Layer 2 ACL, the IP version cannot be set.
ACL ID	ACL Number	Indicates the number of an ACL. It identifies an ACL. The value of the ACL number is an integer, including: 2000-2999: basic ACL 3000-3999: advanced ACL 4000-4999: Layer 2 ACL NOTE: When you modify an ACL, the ACL number cannot be changed. An ACL number or ACL name is required to identify an ACL.
ACL ID	ACL Name	Indicates the name of an ACL. The ACL name must be unique. NOTE: The ACL name is a string starting with a letter. Spaces or quotation marks are not allowed. The keyword all is not allowed. An ACL number or ACL name is required to identify an ACL. When you modify an ACL, the ACL name cannot be changed.
Step		Indicates the interval between two rule IDs. NOTE: The Step text box is unavailable after you set IP Version to IPv6.
ACL Description		Indicates the description of an ACL. This parameter is optional. NOTE: The Description text box of the ACL is unavailable after you set IP Version to IPv6.

Click the Rules tab.

If the ACL is a basic ACL, the rule page is displayed.

Table 2 describes the parameters on the page.

**Table 2** Create Basic ACL Rule
Parameter		Description
Rule Number		Indicates the number of a rule. NOTE: If you do not specify a rule number, the system automatically allocates a number for the rule. The rule number cannot be changed.
Action		Indicates whether to permit or deny packets. The default action is to permit.
Log		Indicates whether to record logs when packets are permitted. To record logs when packets are permitted, click the check box. NOTE: The basic ACL and basic IPv6 ACL in the S2700EI switches do not support this parameter.
Match IP	All Source IP	Indicates that packets from any IP address are permitted.
Match IP	Specify Source IP	Enter the specified IP address and the reverse mask. By default, all source IP addresses are specified. NOTE: To create an IPv4 ACL, enter the reverse mark. To create an IPv6 ACL, enter the prefix length.
Time Range Name		Click Select to set the time range name. NOTE: The time range name is displayed on the configuration result page.
Fragment		Indicates that the rule is valid for only non-initial fragments. NOTE: The basic ACL and basic IPv6 ACL in the S2700EI switches do not support this parameter.

NOTE:

The rule page displays all the rules of the ACL. Click a record to view the details about the record or modify the record. To deselect a record, click it again. You can add rules on the rule page.
When you modify the ACL rule, the ACL number and rule number cannot be modified.

If the ACL is an advanced ACL, the rule page is displayed.

Table 3 describes the parameters on the page.

**Table 3** Create Advanced Rule
Parameter		Description
Rule Number		Indicates the number of a rule. NOTE: If you do not specify a rule number, the system automatically allocates a number for the rule. The rule number cannot be changed.
Action		Indicates whether to permit or deny packets. The default action is to permit.
Log		Indicates whether to record logs when packets are permitted. NOTE: The advanced ACL and advanced IPv6 ACL of the S2700EI switches do not support this parameter.
Protocol Type		Indicates the type of the protocol. The advanced ACL supports the following protocols: IGMP GRE IP IPINIP OSPF TCP UDP ICMP Customized NOTE: The text box is valid only when the protocol type can be defined by users. The advanced IPv6 ACL supports the following protocols: GRE ICMPv6 IPv6 OSPF TCP UDP Customized NOTE: The text box is valid only when the protocol type can be defined by users.
ICMP Parameters (Type/Code)		Indicates the type and code of ICMP packets, which are valid only when the protocol of packets is ICMP. If this parameter is not specified, all types of ICMP packets are matched. The IGMP packets can be matched based on: Type: filters packets based on ICMP message type. Code: indicates the message code of the ICMP message type. NOTE: The advanced ACL and advanced IPv6 ACL of the S2700EI switches do not support this parameter.
Match IP	All Source IP	Indicates that packets from any IP address are permitted.
	Specify Source IP	Enter the specified IP address and the reverse mask. By default, all source IP addresses are specified. NOTE: To create an IPv4 ACL, enter the reverse mark. To create an IPv6 ACL, enter the prefix length.
	All Destination IP	Indicates that packets from any IP address are permitted.
	Point Destination IP	Enter the specified IP address and the reverse mask. By default, all destination IP addresses are specified. NOTE: To create an IPv4 ACL, enter the reverse mark. To create an IPv6 ACL, enter the prefix length.
Match Port	Source Port	This parameter is valid only when the protocol type is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched. Select a matching source port from the drop-down list box. The value can be equal, greater, smaller, or in the range. Enter the TCP or UDP port number in the text box.
Match Port	Destination Port	This parameter is valid only when the protocol type is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched. Select a matching destination port from the drop-down list box. The value can be equal, greater, smaller, or in the range. Enter the TCP or UDP port number in the text box.
Match Priority	IP Precedence	Indicates that packets are filtered based on the precedence field. By default, this parameter is empty.
	DSCP Value	Specifies the Differentiated Services CodePoint (DSCP). NOTE: If you set the IP precedence or TOS, the DSCP priority cannot be set. If you set the DSCP priority, the IP precedence or TOS cannot be set.
	TOS	Indicates that packets are filtered based on the type field. This parameter is optional.
Time Range Name		Click Select to set the time range name. NOTE: The time range name is displayed on the configuration result page.
Fragment		Indicates that the rule is valid for only non-initial fragments. NOTE: The advanced ACL and advanced IPv6 ACL of the S2700EI switches do not support this parameter.

NOTE:

The rule page displays all the rules of the ACL. Click a record to view the details about the record or modify the record. To deselect a record, click it again. You can add rules on the rule page.
When you modify the ACL rule, the ACL number and rule number cannot be modified.

If the ACL is a basic ACL, the rule page is displayed.

Table 4 describes the parameters on the page.

**Table 4** Create Layer 2 ACL Rule
Parameter		Description
Rule Number		Indicates the number of a rule. NOTE: If you do not specify a rule number, the system automatically allocates a number for the rule. The rule number cannot be changed.
Action		Indicates whether to permit or deny packets. The default action is to permit.
Match MAC	Source MAC	Indicates the source MAC address used by the ACL rule. The value is in H-H-H format.
	Mask	Indicates the mask of the source MAC address used by the ACL rule. The value is in the format H-H-H. The default value contains only Fs.
	Destination MAC	Indicates the destination MAC address used by the ACL rule. The value is in H-H-H format.
	Mask	Indicates the mask of the destination MAC address used by the ACL rule. The value is in the format H-H-H. The default value contains only Fs.
Match Protocol Type	Packet Encapsulation Format	Indicates the encapsulation format of protocol packets. The value can be ether-ii, 802.3, or snap.
	Layer 2 Protocol	Indicates the type of Layer 2 protocols.
	Layer 2 Protocol Mask	Indicates the mask of the Layer 2 protocol.
Source VLAN ID		Indicates the source VLAN ID.
Source VLAN ID Mask		Indicates the mask of the source VLAN ID. The value is in hexadecimal notation. It ranges from 0 to 0xFFF. The default value is 0xFFF.
802.1p Priority		Indicates the 802.1p priority of the ACL. By default, this parameter is empty.
Time Range Name		Click Select to set the time range name. NOTE: The time range name is displayed on the configuration result page.

NOTE:

The rule page displays all the rules of the ACL. Click a record to view the details about the record or modify the record. To deselect a record, click it again. You can add rules on the rule page.
When you modify the ACL rule, the ACL number and rule number cannot be modified.

Click the Action tab.

Table 5 describes the parameters on the page.

**Table 5** Create ACL Action
Parameter			Description
Flow Filter			Indicates whether to enable the Flow Filter. This parameter is optional.
Traffic Statistics			Indicates whether to enable the traffic statistics. The value can be Enable or Disable. By default, the value is Disable.
Configure Traffic Policing	CIR		Specifies the committed information rate (CIR), which is the allowed rate at which traffic can pass through.
	PIR		Specifies the peak information rate (PIR), which is the maximum rate at which traffic can pass through. NOTE: The value of PIR cannot be smaller than the value of CIR. By default, the value of PIR is equal to the value of CIR. The S2700EI switches do not support this parameter.
	CBS		Specifies the committed burst size (CBS), which is the committed burst volume of traffic that can pass through. NOTE: The value of the S2700EI switches ranges from 8192 to 4294967295.
	PBS		Specifies the peak burst size (PBS), which is the peak burst volume of traffic that can pass through. The default value of PBS is related to the value of PIR. NOTE: The S2700EI switches do not support this parameter.
	Green Packets NOTE: The S2700EI switches do not support this parameter.	Green Packets	Indicates whether green packets are allowed to pass through. The action can be pass or discard. By default, the action is pass.
		Re-mark 802.1P Priority	Indicates whether to re-mark the 802.1p priority.
		Re-mark DSCP Priority	Indicates whether to re-mark the DSCP priority.
	Yellow Packets NOTE: The S2700EI switches do not support this parameter.	Yellow Packets	Indicates whether yellow packets are allowed to pass through. The action can be pass or discard. By default, the action is pass.
		Re-mark 802.1P Priority	Indicates whether to re-mark the 802.1p priority.
		Re-mark DSCP Priority	Indicates whether to re-mark the DSCP priority.
	Red Packets NOTE: The S2700EI switches do not support this parameter.	Red Packets	Indicates whether red packets are allowed to pass through. The action can be pass or discard. By default, the action is discard.
		Re-mark 802.1P Priority	Indicates whether to re-mark the 802.1p priority.
		Re-mark DSCP Priority	Indicates whether to re-mark the DSCP priority.
Configure Re-mark Action	802.1P Priority		Select the check box of 802.1p to configure the 802.1p priority.
	Local Priority		Select the check box of the local priority to configure the local priority. NOTE: You cannot set both the 802.1p priority and the local priority for redirection in a traffic behavior.
	IP Priority		Select the check box of the IP precedence to configure the IP precedence. NOTE: The S2700EI switch do not support the function.
	DSCP Priority		Select the check box of DSCP to configure the DSCP priority.
	Destination MAC		Select the corresponding check box to configure the destination MAC address. The value is in the format H-H-H. Each H represents four hexadecimal digits. NOTE: The S2700EI switches do not support this parameter.
	VLAN ID		Select the check box of VLAN ID to configure VLAN ID.
	Inner VLAN		Select the check box of the inner VLAN to configure the inner VLAN. NOTE: The S2700EI, S2700EI-52P, S2710SI-52P or S3700 switches do not support this parameter.
Configure Flow Mirroring	Observing Port Index		Indicates the ID of the observing interface where all matching flows are mirrored.
Configure Flow Mirroring	Observing Port		Indicates the observing interface where all matching flows are mirrored, for example, Ethernet 0/0/1.
Configure Redirection Action NOTE: The S2700EI switches do not support this parameter.	CPU		Indicates that packets are redirected to the CPU.
	Redirect to Interface		Indicates the interface where packets are redirected, for example, Ethernet 0/0/1.
	Redirect to Next Hop IP		Select an IP address type. The value can be IPv4 and IPv6. Configure the redirected next hop address according to the IP address type. NOTE: You cannot configure both the next hop address where packets are redirected and the re-marked destination MAC address.

Click the Apply tab.

If the object is interface, the Target field is displayed as Interface.

Table 6 describes the parameters on the page.

**Table 6** Apply an ACL to an interface
Parameter		Description
Name		Indicates all the interfaces on the device.
Inbound		You can select all ACLs. You can specify all inbound interfaces by clicking the check boxes of all inbound interfaces. You can select an ACL. You can specify an inbound interface by clicking the check box of an inbound interface. You can select multiple interfaces. You can specify multiple inbound interfaces by clicking the check boxes of multiple inbound interfaces.
Outbound NOTE: The S2700EI , S2710SI-52P or S3700 switches do not support this parameter.		You can select all ACLs. You can select all outbound interfaces by clicking the check box of all outbound interfaces. You can select an ACL. You can specify an outbound interface by clicking the check box of an outbound interface. You can select multiple interfaces. You can specify multiple outbound interfaces by clicking the check boxes of multiple outbound interfaces. NOTE: You can select the inbound and outbound interfaces or one of them at one time.

If the object is interface, the Target field is displayed as Global.

Table 7 describes the parameters on the page.

**Table 7** Apply an ACL Globally
Parameter		Description
VLAN ID		If the check box of VLAN is not selected and the VLAN ID text box is not available, the ACL is not applied to any VLAN. If the check box of VLAN is selected, the ACL is applied to VLAN. This parameter is mandatory.
Direction NOTE: The S2700EI or S3700 switches do not support this parameter.		NOTE: You can select the inbound and outbound interfaces or one of them at one time.

Set parameter on each tab page.
Click OK.
NOTE:
- If no ACL is created, the system prompts you to create an ACL when you click the rule tab.
- If no ACL is created, the system prompts you to create an ACL when you click the action or the application tab.
- If an ACL rule is not created, the system displays a message indicating an empty ACL when you click the Apply tab.

Edit an ACL.
1. Choose ACL > ACL in the navigation tree to open the ACL Configuration page.
2. Click the icon to open the Edit ACL page.
3. Click the ACL tab.
  NOTE:
  - Table 1 describes the parameters on the page.
  - The ACL type and ACL identifier cannot be modified.
  - The IPv6 ACL cannot be modified.
4. Click the Rules tab. The procedure for modifying a rule is similar to the procedure for creating a rule.
5. Click the Action tab. The Action tab page does not display the created action. The procedure for modifying a rule is similar to the procedure for creating a rule.
6. Click the Apply tab. The Action tab page displays the object to which the rule is applied.
  NOTE:
  - The Apply tab page displays the object to which the ACL is applied.
  - If no new action is created, the system prompts you to create action when you click the Apply tab.
  - If an action is created, the new action will replace the original action and be delivered to objects when you click the Apply tab.
7. Modify the configuration parameter on the tab page.
8. Click OK.
  NOTE:
  If an ACL rule is not created, the system displays a message indicating an empty ACL when you click the Apply tab.
Delete an ACL.
1. Choose ACL > ACL in the navigation tree to open the ACL Configuration page.
2. Select a record that you want to delete and click Delete. The system asks you whether to delete the record.
  NOTE:
  - To select a record, click the check box of the record.
  - To delete records in batches, click the check boxes of the records.
3. Click OK. If the operation succeeds, the system returns to the ACL Configuration page; otherwise, an error message is displayed.
Check basic ACL objects.
1. Choose ACL > ACL in the navigation tree to open the ACL Configuration page.
2. Select a record that you want to check and click Objects to open the Object List page.
  Table 8 describes the parameters on the page.
  
  Table 8 Check Basic ACL Object
  
  Parameter
  
  Description
  
  Object Name
  
  Indicates all objects that this ACL is applied to.
  
  ACL
  
  Indicates all ACLs applied to this object.
Delete basic ACL objects.
1. Choose ACL > ACL in the navigation tree to open the ACL Configuration page.
2. Select the ACL whose objects you want to delete and click Objects to open the Object List page.
3. Select the object name and click Delete. The system asks you whether to delete the record.
  NOTE:
  - To select a record, click the check box of the record.
  - To delete records in batches, click the check boxes of the records.
4. Click OK.

Parameter	Description
Object Name	Indicates all objects that this ACL is applied to.
ACL	Indicates all ACLs applied to this object.