[All About Switches] 17 Basic Knowledge About ACL

Created: Jul 30, 2015 11:18:34 | Latest reply: Oct 23, 2017 17:05:39

An Access Control List (ACL) consists of a set of rules that describe the packet matching conditions. These conditions can be source addresses, destination addresses, and port numbers of packets.

The ACL is a packet filter that filters packets according to service requirements based on packet characteristics.

Using the packet filtering technique, we can block attack packets, provide differentiated service for different packet flows, and control Telnet login and FTP file download operations. In this way, we improve network security and transmission reliability.

Here is a figure of an ACL.

 

Next, I'll introduce ACL concepts to you based on this figure.

1 ACL Classification

The figure shows numbered ACL 2000. An ACL number is like the number on an identity card. An identity card has both a number and a name; similarly, there is another type of ACL, called a named ACL, which has a name.

 

Like a domain name that facilitates memorization of an IP address, an ACL name also facilitates memorization of the ACL.

Actually, a named ACL can have both a name and a number: you can specify the ACL number when you define the ACL name, and if you do not, the system automatically allocates a number to the ACL. As shown in the preceding figure, the named ACL has the name deny-telnet-login and the number 3998.

Now we have seen two ACLs, numbered 2000 and 3998. Is there any difference between the two numbers?

Based on their functions, ACLs are classified into basic ACLs, advanced ACLs, Layer 2 ACLs, user-defined ACLs, and user ACLs. Each ACL type has its own number range. ACL 2000 is a basic ACL, and ACL 3998 is an advanced ACL. An advanced ACL defines more specific and flexible rules than a basic ACL, so it provides more functions.

| ACL Type | Rule Description | Number Range |
| --- | --- | --- |
| Basic ACL | A basic ACL filters packets only based on the source IP address, fragment flag, and time range. | 2000-2999 |
| Advanced ACL | An advanced ACL matches packets based on the source IP address, destination IP address, IP precedence, Type of Service (ToS), DiffServ Code Point (DSCP) priority, IP protocol type, Internet Control Message Protocol (ICMP) type, TCP source/destination ports, and User Datagram Protocol (UDP) source/destination ports. | 3000-3999 |
| Layer 2 ACL | A Layer 2 ACL matches packets based on Ethernet frame information, such as source and destination Media Access Control (MAC) addresses and Layer 2 protocol types. | 4000-4999 |
| User-defined ACL | A user-defined ACL matches packets based on an offset position and the value found at that offset. | 5000-5999 |
| User ACL | A user ACL matches packets based on the source IP address or user control list (UCL) group, destination IP address or UCL group, IP protocol type, ICMP type, TCP source/destination ports, and UDP source/destination ports. | 6000-9999 |

 

2 ACL Rules

The deny and permit clauses in the figure are ACL rules. "Deny" and "permit" are the ACL actions.

Each rule has an ID, such as 5, 10, and 4294967294. The rule IDs can be manually set or automatically allocated by the system.

ACL rule IDs range from 0 to 4294967294. The rule IDs in an ACL are arranged in ascending order, so the rule with the smallest ID is at the top and the rule with the largest ID is at the bottom. The system matches packets against the rules in ascending ID order and stops matching as soon as a packet matches a rule. I will explain how packets are matched against ACL rules in the next thread.

In addition to the ACL action and rule ID, an ACL rule contains fields such as the source address and the effective time range. These fields are called matching conditions, and they are an important part of ACL rules.

ACLs provide rich matching conditions. For example, you can match on Layer 2 Ethernet frame information (source/destination MAC addresses, Ethernet frame type), Layer 3 packet information (source/destination IP addresses, protocol type), or Layer 4 packet information (TCP/UDP port numbers).

First of all, determine the characteristics of the packets to be filtered, and then select the ACL matching conditions accordingly.

3 Step

Now, let's learn about an important concept related to ACLs: the step. Once you understand the meaning of the step, you will know how the system automatically allocates rule IDs.

The step is the increment between neighboring rule IDs. That is, the system allocates IDs to ACL rules in multiples of the step value.

As shown in the following figure, the step of ACL 2000 is 5. The system allocates the IDs to ACL rules in the order of 5, 10, 15…. If the step value is changed to 2, the system changes the rule IDs to 2, 4, 6….

 

 

Tips: The default step value of an ACL is 5. To view the rules and step of an ACL, run the display acl acl-number command. To change the step value, run the step step command.

What are the functions of a step?

The step facilitates insertion of new ACL rules.

Here is an example:

An ACL includes rule 5, rule 10, and rule 15. Now you want to add a rule that denies packets with source IP address 1.1.1.3. How would you do it?

rule 5 deny source 1.1.1.1 0  //Deny the packets with source address 1.1.1.1.
rule 10 deny source 1.1.1.2 0 //Deny the packets with source address 1.1.1.2.
rule 15 permit source 1.1.1.0 0.0.0.255 //Permit the packets with source addresses in 1.1.1.0/24 (wildcard 0.0.0.255).

 

The system stops matching once a packet matches a rule. Therefore, packets with source address 1.1.1.1 or 1.1.1.2 match rule 5 and rule 10 respectively and are discarded, while packets with source address 1.1.1.3 match rule 15 and are forwarded. To deny packets with source address 1.1.1.3, we need to add a new deny rule before rule 15.

rule 5 deny source 1.1.1.1 0  //Deny the packets with source address 1.1.1.1.
rule 10 deny source 1.1.1.2 0 //Deny the packets with source address 1.1.1.2.
rule 11 deny source 1.1.1.3 0 //Deny the packets with source address 1.1.1.3.
rule 15 permit source 1.1.1.0 0.0.0.255 //Permit the packets with source addresses in 1.1.1.0/24 (wildcard 0.0.0.255).

 

After rule 11 is added between rule 10 and rule 15, packets with source address 1.1.1.3 match rule 11 and are discarded.

Assume the step is 1 (rule 1, rule 2, rule 3…) rather than 5. What happens then? There is no free ID between neighboring rules, so to insert a rule we must first delete existing rules. This makes adding a rule to the ACL complex and time-consuming.

If we set an appropriate step, adding rules to an ACL is easy.
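To make the rule-ID, step, and first-match behaviour above concrete, here is a small Python simulator. It is an added example, not code from this post or from Huawei's switch software: it models only the basic-ACL rule syntax shown above (rule, optional ID, permit|deny, source, address, wildcard), assumes that an automatically allocated ID is the next multiple of the step above the largest existing ID (which produces the 5, 10, 15 sequence described), and returns None for a packet that matches no rule, because this post does not state the default action. The names BasicAcl, wildcard_match and walkthrough are my own.

```python
import ipaddress
import re
from dataclasses import dataclass

# ACL number ranges taken from the classification table in this post.
ACL_NUMBER_RANGES = {
    "basic": (2000, 2999),
    "advanced": (3000, 3999),
    "layer2": (4000, 4999),
    "user-defined": (5000, 5999),
    "user": (6000, 9999),
}

MAX_RULE_ID = 4294967294  # largest rule ID stated in the post


def acl_type(number):
    """Return the ACL type that owns this number, or raise if it fits no range."""
    for name, (low, high) in ACL_NUMBER_RANGES.items():
        if low <= number <= high:
            return name
    raise ValueError(f"ACL number {number} is outside every defined range")


def wildcard_match(addr, base, wildcard):
    """Wildcard-mask comparison: a 1 bit in the wildcard means 'don't care'.
    A bare '0' (as in 'source 1.1.1.1 0') is the host wildcard 0.0.0.0."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


# Rule syntax from the post; the ID is optional so the simulator can allocate
# one from the step, as the post says the system does (assumed allocation rule).
RULE_RE = re.compile(r"^rule\s+(?:(\d+)\s+)?(permit|deny)\s+source\s+(\S+)\s+(\S+)$")


@dataclass
class Rule:
    rule_id: int
    action: str
    source: str
    wildcard: str

    def matches(self, src_ip):
        return wildcard_match(src_ip, self.source, self.wildcard)


class BasicAcl:
    """Toy model of a basic ACL (hypothetical, not vendor code)."""

    def __init__(self, number, step=5):
        if acl_type(number) != "basic":
            raise ValueError("only basic ACLs (2000-2999) are modelled here")
        self.number = number
        self.step = step
        self.rules = {}  # rule_id -> Rule

    def next_rule_id(self):
        """Assumption: next multiple of the step above the largest existing ID."""
        if not self.rules:
            return self.step
        return (max(self.rules) // self.step + 1) * self.step

    def add_rule(self, line):
        text = line.split("//", 1)[0].strip()  # drop the trailing // comment
        m = RULE_RE.match(text)
        if not m:
            raise ValueError(f"unrecognised rule syntax: {line!r}")
        rule_id = int(m.group(1)) if m.group(1) else self.next_rule_id()
        if not 0 <= rule_id <= MAX_RULE_ID:
            raise ValueError(f"rule ID {rule_id} out of range")
        if rule_id in self.rules:
            raise ValueError(f"rule {rule_id} already exists")
        rule = Rule(rule_id, m.group(2), m.group(3), m.group(4))
        self.rules[rule_id] = rule
        return rule

    def set_step(self, step):
        """Change the step and renumber rules as the post describes (5,10,15 -> 2,4,6)."""
        self.step = step
        ordered = [self.rules[i] for i in sorted(self.rules)]
        self.rules = {}
        for index, rule in enumerate(ordered, start=1):
            rule.rule_id = index * step
            self.rules[rule.rule_id] = rule

    def can_insert_between(self, low_id, high_id):
        """True if at least one unused ID lies strictly between two rule IDs."""
        return high_id - low_id > 1

    def evaluate(self, src_ip):
        """First match in ascending rule-ID order; None if no rule matched."""
        for rule_id in sorted(self.rules):
            if self.rules[rule_id].matches(src_ip):
                return self.rules[rule_id]
        return None


def walkthrough():
    """Reproduce the post's insertion example; returns the (before, after) matches."""
    acl = BasicAcl(2000)
    acl.add_rule("rule 5 deny source 1.1.1.1 0  //Deny 1.1.1.1")
    acl.add_rule("rule 10 deny source 1.1.1.2 0 //Deny 1.1.1.2")
    acl.add_rule("rule 15 permit source 1.1.1.0 0.0.0.255 //Permit 1.1.1.0/24")
    before = acl.evaluate("1.1.1.3")  # falls through to rule 15 (permit)
    acl.add_rule("rule 11 deny source 1.1.1.3 0")
    after = acl.evaluate("1.1.1.3")   # now stops at rule 11 (deny)
    return before, after


if __name__ == "__main__":
    b, a = walkthrough()
    print(f"before: rule {b.rule_id} {b.action}; after: rule {a.rule_id} {a.action}")
```

Running the module prints the before/after result of the insertion example; calling set_step(1) on an ACL and then can_insert_between on two neighbouring IDs shows why a step of 1 forces you to delete rules before inserting one.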

Now, let's review what we have learned: What is an ACL? What are the functions of an ACL? Into how many types are ACLs classified? How do we define rules? What is a step? What are the functions of a step?

In the next thread, I'll tell you more about ACLs: How does an ACL match packets? In which sequence are the rules matched? What are the matching conditions?

To be continued.

 

★★★Summary★★★ All About Huawei Switch Features and Configurations


user_2790689     Created Jul 30, 2015 11:54:56 Helpful(0) Helpful(0)

Thank you.

dm     Created Oct 23, 2017 17:05:39 Helpful(0) Helpful(0)

nice