[All About Switches] 18 ACL Matching

Created Jul 30, 2015 11:40:44 | Latest reply Apr 07, 2018 23:04:27

In the last thread I showed you a figure of the ACL structure and introduced the concepts, functions, and classification of ACLs. You now know that an ACL filters packets by matching them against the conditions defined in its rules. Today I'll describe in detail how an ACL matches packets.

1 ACL Matching Mechanism

In the last thread I mentioned that an ACL stops matching as soon as a packet matches a rule. This first-match behaviour is the basic principle of the ACL matching mechanism, but several questions still have to be answered: What does the system do if the ACL does not exist? What does it do if the ACL exists but contains no rules? The following flowchart describes the complete matching mechanism.

[Figure: ACL matching flowchart]

The ACL matching result is either a "positive match" or a "negative match":

• Positive match: the packet matches a rule in the ACL, regardless of whether that rule's action is permit or deny.

• Negative match: no ACL exists, the ACL contains no rules, or the packet matches none of the rules in the ACL.

Tips: Whether a packet is discarded or forwarded is decided by the service module to which the ACL is applied, in every case: negative match, match on a permit rule, or match on a deny rule. Different service modules handle matched and unmatched packets differently. For example, the Telnet module accepts the login attempts whose packets match a permit rule, whereas the traffic policy module discards packets that match a permit rule if the action configured in the traffic policy is deny. A permit rule therefore does not by itself mean "allow"; always read an ACL together with the module that invokes it. In the next thread I'll describe how each service module processes packets that match ACL rules.

2 ACL Matching Sequence

As shown in the preceding flowchart, the system checks the rules one at a time and stops as soon as a packet matches a rule.

In which sequence does the system match packets against the ACL rules?

Before answering this question, let's look at an example. Run the following commands:

rule deny ip destination 1.1.0.0 0.0.255.255   //Deny packets destined for 1.1.0.0/16.

rule permit ip destination 1.1.1.0 0.0.0.255   //Permit packets destined for 1.1.1.0/24, a smaller segment contained in 1.1.0.0/16.

 

The two rules overlap and conflict. Assume a packet with destination address 1.1.1.1: it matches both rules. If the system checks the deny rule first, the packet is discarded; if it checks the permit rule first, the packet is forwarded.

Therefore, when rules overlap or conflict, the matching sequence decides the result. There are two matching sequences: config and auto.

Config: The system matches packets against the rules in ascending order of rule ID, so the rule with the smallest ID is checked first. If you add a rule and give it a smaller ID than the existing rules, it is checked before them. In the example above, if the deny rule has the smaller ID, the packet to 1.1.1.1 is denied; to carve the /24 exception out of the /16 you must give the permit rule the smaller ID.

Tips: ACL rules only take effect once the ACL is applied to a service module. You can still modify the rules of an ACL after it has been applied, but whether a new rule takes effect immediately depends on how that service module uses the ACL. I'll describe how ACLs are applied to service modules in the next thread.

Auto: The system orders the rules by precision (the depth-first principle) and checks the most precise rule first. A rule is more precise when its conditions are stricter, that is, when it matches a smaller range; the most precise rule has the highest priority and receives the smallest ID. For example, one rule matches packets destined for host 2.2.2.2/32 and another matches packets destined for network segment 2.2.2.0/24. The first rule covers a smaller range than the second, so it is more precise and is checked first.

Tips: In auto mode you do not assign rule IDs yourself. The system works out each rule's priority and assigns IDs in that order, renumbering the existing rules whenever a more precise rule is added.

For example, ACL 3001 in auto mode contains the following two rules:

[Figure: the two existing rules of ACL 3001 before the new rule is added]

The command rule deny ip destination 1.1.1.1 0 is then added to ACL 3001. Its destination is a single host address, so the new rule has a higher priority than the two existing rules. The system reassigns IDs according to priority, giving the following sequence:

[Figure: the rules of ACL 3001 after the system has renumbered them]

The new rule, deny ip destination 1.1.1.1 0, has the highest priority, so it receives the smallest ID, is listed first, and is checked before the other rules.
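To make the flowchart and the two matching sequences concrete, here is a small Python model I've added for this write-up (it is not code from the original post or from Huawei). It models only the protocol and destination-address conditions used in this thread; the rule-ID step of 5 and the "number of checked destination bits" measure of precision are assumptions made for illustration, not the switch's published depth-first comparison. The demo runs the conflicting rule pair from above through a config-order ACL and an auto-order ACL, exercises the three negative-match cases, and shows the renumbering that happens when a host rule is added in auto mode.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def _ip(s: str) -> int:
    # "0" is the CLI shorthand for the wildcard 0.0.0.0 (every bit checked)
    return 0 if s == "0" else int(ipaddress.IPv4Address(s))


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" matches any IP-layer protocol
    dst: Optional[str] = None       # None models the keyword "any"
    wildcard: str = "0"
    rule_id: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ip" and self.protocol != pkt["protocol"]:
            return False
        if self.dst is None:
            return True
        checked = 0xFFFFFFFF ^ _ip(self.wildcard)   # 0 bits of the wildcard are checked
        return (_ip(pkt["dst"]) & checked) == (_ip(self.dst) & checked)

    def precision(self) -> tuple:
        """Assumed precision measure for auto mode: how many destination bits the rule
        checks, then whether it names a specific protocol. Stricter rules sort first."""
        checked_bits = 0 if self.dst is None else 32 - bin(_ip(self.wildcard)).count("1")
        return (checked_bits, 0 if self.protocol == "ip" else 1)


class ACL:
    def __init__(self, number: int, match_order: str = "config", step: int = 5):
        self.number = number
        self.match_order = match_order        # "config" or "auto"
        self.step = step                      # assumed rule-ID step, for illustration
        self.rules: List[Rule] = []

    def add_rule(self, rule: Rule) -> int:
        self.rules.append(rule)
        if self.match_order == "auto":
            # auto: most precise rule first; the system (re)assigns every ID
            self.rules.sort(key=lambda r: r.precision(), reverse=True)
            for i, r in enumerate(self.rules):
                r.rule_id = self.step * (i + 1)
        else:
            # config: an explicit ID is honoured, otherwise the next free step is used
            if rule.rule_id is None:
                used = [r.rule_id for r in self.rules if r.rule_id is not None]
                rule.rule_id = (max(used) // self.step + 1) * self.step if used else self.step
            self.rules.sort(key=lambda r: r.rule_id)
        return rule.rule_id


def acl_match(acls: dict, acl_number: int, pkt: dict) -> tuple:
    """The flowchart: returns ('negative', reason) or ('positive', action, rule_id)."""
    acl = acls.get(acl_number)
    if acl is None:
        return ("negative", "acl does not exist")
    if not acl.rules:
        return ("negative", "acl has no rules")
    for rule in acl.rules:                    # rules are kept in matching order
        if rule.matches(pkt):
            return ("positive", rule.action, rule.rule_id)   # stop at the first match
    return ("negative", "no rule matched")


def demo() -> dict:
    pkt = {"protocol": "tcp", "dst": "1.1.1.1"}        # constructed sample packet
    cfg = ACL(3000, "config")                           # deny entered first: smaller ID
    cfg.add_rule(Rule("deny", "ip", "1.1.0.0", "0.0.255.255"))
    cfg.add_rule(Rule("permit", "ip", "1.1.1.0", "0.0.0.255"))
    auto = ACL(3001, "auto")                            # same rules, ordered by precision
    auto.add_rule(Rule("deny", "ip", "1.1.0.0", "0.0.255.255"))
    auto.add_rule(Rule("permit", "ip", "1.1.1.0", "0.0.0.255"))
    acls = {3000: cfg, 3001: auto}
    results = {
        "config": acl_match(acls, 3000, pkt),
        "auto": acl_match(acls, 3001, pkt),
        "missing_acl": acl_match(acls, 3002, pkt),
        "empty_acl": acl_match({3003: ACL(3003)}, 3003, pkt),
        "no_match": acl_match(acls, 3000, {"protocol": "udp", "dst": "9.9.9.9"}),
    }
    # adding a host rule in auto mode: it takes the smallest ID and the rest are renumbered
    auto.add_rule(Rule("deny", "ip", "1.1.1.1", "0"))
    results["auto_ids"] = [(r.rule_id, r.action, r.dst) for r in auto.rules]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The same packet is denied by the config-order ACL (the /16 deny has the smaller ID) and permitted by the auto-order ACL (the /24 permit is more precise), which is exactly the ambiguity the matching sequence exists to resolve.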

 

3 ACL Matching Conditions

Next, I'll introduce the most important part of ACL rules: the matching conditions.

In the last thread I mentioned ACL classification: a basic ACL can match only on source IP address, whereas an advanced ACL can match on source IP address, destination IP address, protocol type, and port number.

Now I'll introduce some commonly used matching conditions: protocol type, destination address, and effective time range.

The source address condition is used in exactly the same way as the destination address condition, so it is not covered separately.

• Protocol Type

Format: { protocol-number | icmp | tcp | udp | gre | igmp | ip | ipinip | ospf }

An advanced ACL can filter many types of packets, such as ICMP (protocol number 1), IGMP (2), IPinIP (4), TCP (6), UDP (17), GRE (47), and OSPF (89); the keyword ip matches any IP-layer protocol. The value of protocol-number ranges from 1 to 255.

When is the protocol type used as a matching condition?

For example, a large number of attackers are connected to one interface of a switch, so you want to stop every user on that interface from reaching the network. Specify the protocol type as ip, which matches all IP-layer protocols, to block all of their IP traffic. The configuration is as follows:

rule deny ip //Deny IP packets.

After the transparent firewall function is enabled on a switch, the firewall discards all packets entering the interzone by default, including both service packets and protocol packets. To let a dynamic routing protocol such as OSPF through, specify the protocol type as ospf. The configuration is as follows:

rule permit ospf //Permit OSPF packets.

• Destination Address

Format: destination { destination-address destination-wildcard | any }

  • destination-address: the destination IP address to compare the packet against.

  • destination-wildcard: the wildcard mask. A wildcard of 0 is equivalent to 0.0.0.0 and means every bit is checked, so the destination must be exactly that host address.

  • any: matches any destination address.

 

When is the destination address used as a matching condition?

For example, a company has an important server with IP address 1.1.1.1 and the administrator wants to restrict access to it. The administrator uses the destination address as the matching condition. The configuration is as follows:

rule deny ip destination 1.1.1.1 0  //Deny the packets destined for 1.1.1.1.

 

Tips: When you specify a destination address as a matching condition you must also specify a wildcard; together, the address and the wildcard determine an address range.

A wildcard has the same format as an IP address (a 32-bit string) and specifies which bits of the destination address are checked: a 0 bit means the corresponding address bit is checked, and a 1 bit means it is ignored. Because each bit is tested independently, the 1 bits of a wildcard need not be contiguous, so a wildcard is not simply an inverted subnet mask.

As shown in the following figure, if the lower 8 bits of the wildcard are all 0s, the lower 8 bits of the destination address are checked. If all 32 bits of the wildcard are 1s (255.255.255.255), no bit is checked and every destination address matches, which is what the keyword any expresses.

[Figure: wildcard bits and the destination-address bits they check]

To understand the wildcard better, work through this question:

 

Which address range is specified by destination-address = 172.30.16.0 and destination-wildcard = 0.0.15.255?

1. First, determine the higher two bytes of the range from the destination address and the wildcard. The higher two bytes of the address are 172.30 and the higher two bytes of the wildcard are 0.0 (all bits checked), so the higher two bytes of every address in the range are 172.30.

2. Then check the third byte. The third byte of the wildcard is 15, which is 00001111 in binary. The analysis is as follows:

[Figure: bit-by-bit analysis of the third byte, 16 (00010000) against wildcard 15 (00001111)]

3. The higher 4 bits of this byte are 0000 (checked) and the lower 4 bits are 1111 (not checked). The third byte of the address is 16, or 00010000 in binary, so the third byte of the range runs from 00010000 to 00011111, that is, 16 to 31 in decimal. Similarly, the last byte of the address is 0 and the last byte of the wildcard is 255 (all 1s in binary), so the fourth byte runs from 00000000 to 11111111, that is, 0 to 255.

After this analysis we have the result: destination-address = 172.30.16.0 with destination-wildcard = 0.0.15.255 selects the address range 172.30.16.0 to 172.30.31.255, that is, the sixteen /24 networks 172.30.16.0/24 through 172.30.31.0/24, which together form 172.30.16.0/20. The smallest address in the range is 172.30.16.0 and the largest is 172.30.31.255.
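The same computation in Python, added here as an illustration (it is not part of the original post): it derives the lowest and highest address, the number of addresses, and the equivalent prefix for any address/wildcard pair, tests candidate addresses the way the switch does, and converts a prefix back into the wildcard a rule needs. It goes one step beyond the worked example by also handling wildcards whose 1 bits are not contiguous, which select a scattered set of addresses rather than one block (the cidr field is then None).

```python
import ipaddress


def _to_int(addr: str) -> int:
    # "0" is the CLI shorthand for 0.0.0.0
    return 0 if addr == "0" else int(ipaddress.IPv4Address(addr))


def _to_str(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def wildcard_range(address: str, wildcard: str) -> dict:
    """Describe the set of addresses selected by address/wildcard.

    A 0 bit in the wildcard is checked (must equal the address bit); a 1 bit is ignored.
    """
    a, wc = _to_int(address), _to_int(wildcard)
    checked = 0xFFFFFFFF ^ wc
    lowest = a & checked            # every ignored bit cleared
    highest = lowest | wc           # every ignored bit set
    ignored_bits = bin(wc).count("1")
    # If the 1 bits are contiguous and right-aligned (wc + 1 is a power of two),
    # the set is exactly one CIDR block; otherwise it is scattered and has no prefix.
    contiguous = (wc & (wc + 1)) == 0
    return {
        "lowest": _to_str(lowest),
        "highest": _to_str(highest),
        "count": 1 << ignored_bits,
        "cidr": f"{_to_str(lowest)}/{32 - ignored_bits}" if contiguous else None,
    }


def wildcard_matches(address: str, wildcard: str, candidate: str) -> bool:
    """True if candidate agrees with address on every checked bit (the switch's test)."""
    checked = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(candidate) & checked) == (_to_int(address) & checked)


def prefix_to_wildcard(cidr: str) -> str:
    """Convert a prefix such as 172.30.16.0/20 into the wildcard a rule needs (0.0.15.255)."""
    return str(ipaddress.IPv4Network(cidr, strict=False).hostmask)


if __name__ == "__main__":
    print(wildcard_range("172.30.16.0", "0.0.15.255"))
    # -> lowest 172.30.16.0, highest 172.30.31.255, 4096 addresses, cidr 172.30.16.0/20
    print(wildcard_range("10.0.0.0", "0.0.0.254"))   # even addresses only: cidr is None
```

Note the non-contiguous case: address 10.0.0.0 with wildcard 0.0.0.254 checks only the lowest bit, so the rule covers the 128 even addresses 10.0.0.0, 10.0.0.2, ..., 10.0.0.254 and not a range; when reviewing an ACL, a wildcard that is not of the form 0.0.x.255 deserves a second look for exactly this reason.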

• Effective Time Range

  • Mode 1, periodic time range: defines a time range that repeats every week on the specified days.

Format: time-range time-name start-time to end-time { days } &<1-7>

  • time-name: the name of the time range, a string starting with a letter.
  • start-time to end-time: the start and end of the time range, in the format hh:mm to hh:mm.
  • days: one or more (up to seven) of the following:
    • any of Mon, Tue, Wed, Thu, Fri, Sat, and Sun, or a combination of them, or the numerals 0 to 6 (0 is Sunday, 1 is Monday, ..., 6 is Saturday)
    • working-day: Monday to Friday
    • daily: Monday to Sunday
    • off-day: Saturday and Sunday

  • Mode 2, absolute time range: a single period from one date and time to another (from YYYY/MM/DD hh:mm to YYYY/MM/DD hh:mm).

Format: time-range time-name from time1 date1 [ to time2 date2 ]

  • time: hh:mm
  • date: YYYY/MM/DD (year/month/day)

 

When is the effective time range used as a matching condition?

For example, P2P and download traffic crowds out other data services during the peak hours 20:00-22:00, so you want to reduce the bandwidth available to P2P and download services in that period to prevent congestion. The configuration is as follows:

time-range time1 20:00 to 22:00 daily

Another example: a company allows external hosts to access an internal server only from 2014-01-01 00:00 to 2014-12-31 23:59, so packets from the external network to the internal server are permitted only in that period. The configuration is as follows:

time-range time2 from 00:00 2014/1/1 to 23:59 2014/12/31

After configuring a time range, reference it from the ACL rules; otherwise the time range has no effect. A rule that references a time range is only in effect while that time range is active. The configuration is as follows:

acl acl-number

rule [ rule-id ] { deny | permit } other-options time-range time-name
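Added example (my own Python, not code from the original post or from Huawei) showing what "the rule is only in effect while the time range is active" means operationally: it parses the two time-range forms above and decides whether a rule that references a time range is active at a given moment. It also handles the day-numbering trap, since the CLI counts 0 as Sunday while Python's weekday() counts 0 as Monday. Assumptions of this example: the periodic end time is exclusive, a rule that references a time range that was never defined is treated as inactive, and the parsing of the CLI-style strings is this example's own.

```python
from datetime import datetime
from typing import Optional, Union

# CLI day numbering: 0 is Sunday ... 6 is Saturday (Python's weekday() has Monday = 0)
DAY_NAMES = {"sun": 0, "mon": 1, "tue": 2, "wed": 3, "thu": 4, "fri": 5, "sat": 6}
DAY_GROUPS = {"working-day": {1, 2, 3, 4, 5}, "daily": set(range(7)), "off-day": {0, 6}}


def _minutes(hhmm: str) -> int:
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def _cli_weekday(dt: datetime) -> int:
    return (dt.weekday() + 1) % 7


def parse_time_range(command: str) -> dict:
    """Parse 'time-range NAME hh:mm to hh:mm DAYS...' (periodic) or
    'time-range NAME from hh:mm YYYY/MM/DD [to hh:mm YYYY/MM/DD]' (absolute)."""
    t = command.split()
    if len(t) < 3 or t[0] != "time-range":
        raise ValueError("not a time-range command")
    name = t[1]
    if t[2] == "from":
        start = datetime.strptime(f"{t[4]} {t[3]}", "%Y/%m/%d %H:%M")
        end = None
        if len(t) > 5 and t[5] == "to":          # the end is optional: open-ended otherwise
            end = datetime.strptime(f"{t[7]} {t[6]}", "%Y/%m/%d %H:%M")
        return {"name": name, "kind": "absolute", "start": start, "end": end}
    if len(t) < 6 or t[3] != "to":
        raise ValueError("periodic form needs 'start to end' and at least one day")
    days: set = set()
    for d in t[5:]:
        key = d.lower()
        if key in DAY_GROUPS:
            days |= DAY_GROUPS[key]
        elif key in DAY_NAMES:
            days.add(DAY_NAMES[key])
        elif key.isdigit() and 0 <= int(key) <= 6:
            days.add(int(key))
        else:
            raise ValueError(f"unknown day specifier: {d}")
    return {"name": name, "kind": "periodic",
            "start": _minutes(t[2]), "end": _minutes(t[4]), "days": days}


def is_active(tr: dict, now: Union[datetime, str]) -> bool:
    """Is the time range in effect at 'now' (a datetime or 'YYYY-MM-DD HH:MM')?"""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d %H:%M")
    if tr["kind"] == "absolute":
        return tr["start"] <= now and (tr["end"] is None or now <= tr["end"])
    minute = now.hour * 60 + now.minute
    # assumption: the periodic end time is exclusive, so 20:00 to 22:00 covers 20:00-21:59
    return _cli_weekday(now) in tr["days"] and tr["start"] <= minute < tr["end"]


def rule_is_active(time_range_name: Optional[str], ranges: dict,
                   now: Union[datetime, str]) -> bool:
    """A rule without time-range is always active; with one, only while that range is.
    Assumption: a rule that references a time range that was never defined is inactive."""
    if time_range_name is None:
        return True
    tr = ranges.get(time_range_name)
    return tr is not None and is_active(tr, now)
```

When auditing a time-based rule, check both the switch clock and the day numbering: a periodic range written with numerals is easy to shift by one day if you assume Monday is 0.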

That's all about ACL matching conditions. Let's review what we have learned in this thread: the ACL matching mechanism, the matching sequence, and the matching conditions. You now know how an ACL matches packets, what the possible matching results are, in which sequence the rules are matched, and how the matching conditions are used.

In the next thread I'll describe how to apply an ACL, the scope in which an applied ACL takes effect, and how to configure an ACL.

 

★★★Summary★★★ All About Huawei Switch Features and Configurations

user_2790689 (Expert)  Created Jul 30, 2015 11:55:14

Thank you.

yaba_mobhe  Created Sep 07, 2016 21:49:03

Thank you.


wissal  Created Apr 07, 2018 23:04:27

Useful document, thanks.