ACL Application [All About Switches 19]

Latest reply: Apr 7, 2018 15:06:48

In this thread, I'll describe where an ACL can be applied, how each service module interprets the ACL result, and how to configure an ACL for each module.

1  ACL Application Scope

An ACL cannot control network access or restrict traffic on its own. It only takes effect once it is applied to a service module, and that module decides what the match result means.

How is an ACL applied to a service module?

An ACL can be applied to the following types of service modules (type, scenario, and the service modules involved).

Type: Login control
Scenario: The switch restricts which users may log in, so that only authorized users reach the management plane. For example, only the administrator should be able to log in to the switch. You can apply an ACL to the Telnet service and specify the hosts that can log in to the device, or the hosts that cannot.
Service modules: Telnet, SNMP, FTP, TFTP, SFTP, HTTP

Type: Filtering forwarded packets
Scenario: The switch filters received packets and then discards the matching packets, changes their priority, redirects them, or applies IPSec protection to them. For example, you can use an ACL to lower the service class of bandwidth-hungry traffic such as P2P downloads and online video; when the network is congested, these packets are discarded first.
Service modules: QoS policy, NAT, IPSec

Type: Filtering packets sent to the CPU
Scenario: If too many protocol packets are sent to the CPU, CPU usage rises and performance degrades. The switch limits the packets that are sent to the CPU. For example, if a user sends a large number of ARP attack packets to the switch, the CPU becomes busy and services are interrupted. You can apply an ACL to the local attack defense service and add the user to a blacklist so that the packets from that user are discarded instead of being processed by the CPU.
Service modules: Blacklist, whitelist, user-defined flows

Type: Route filtering
Scenario: An ACL can be applied to the dynamic routing protocols to filter the routes that are advertised and received. For example, you can apply an ACL in a route policy to prevent the switch from advertising the routes of a network segment to a neighboring router.
Service modules: BGP, IS-IS, OSPF, OSPFv3, RIP, RIPng, multicast protocols

 

2  Working Mechanism of the ACL Module

Different service modules handle packets that match the ACL, and packets that do not, in different ways.

For example, if an ACL applied to a traffic policy contains rules and a packet matches none of them, the packet is forwarded. If the same ACL is applied to the Telnet service, a login request that matches none of the rules is rejected.

If an ACL is applied to a blacklist, every packet that matches a rule is discarded, no matter whether the rule says permit or deny.

Therefore, you must exercise caution when applying an ACL to a service module: the outcome for an unmatched packet, for an ACL without rules, and for an ACL that does not exist differs from module to module.

The following table gives the ACL handling mechanism of each module. The columns are: the module; the outcome when packets match a permit rule; when they match a deny rule; when they match no rule in the ACL; when the ACL contains no rules; and when the referenced ACL has not been created.

Service Module | Match permit Rule | Match deny Rule | No Rule Matched | ACL Has No Rules | ACL Not Created
Telnet, SNMP, FTP, TFTP, SFTP, HTTP | permit (allowed to log in) | deny (not allowed to log in) | deny (not allowed to log in) | permit (allowed to log in) | permit (allowed to log in)
Traffic policy | traffic behavior permit: forwarded; traffic behavior deny: discarded | deny (discarded) | permit (traffic policy does not take effect; forwarded without restriction) | permit (traffic policy does not take effect; forwarded without restriction) | permit (traffic policy does not take effect; forwarded without restriction)
NAT | permit (NAT performed) | permit (NAT does not take effect; forwarded without NAT) | permit (NAT does not take effect; forwarded without NAT) | permit (NAT does not take effect; forwarded without NAT) | permit (NAT does not take effect; forwarded without NAT)
IPSec | permit (processed by IPSec, then forwarded) | error | permit (IPSec does not take effect; forwarded without IPSec) | error | error
Local attack defense: whitelist | permit (processed by the CPU first) | deny (discarded) | permit (whitelist does not take effect; forwarded) | permit (whitelist does not take effect; forwarded) | permit (whitelist does not take effect; forwarded)
Local attack defense: blacklist | deny (discarded) | deny (discarded) | permit (blacklist does not take effect; forwarded) | permit (blacklist does not take effect; forwarded) | permit (blacklist does not take effect; forwarded)
Local attack defense: user-defined flow | user-defined action deny: discarded; action car: rate-limited | deny (discarded) | permit (user-defined flow does not take effect; forwarded) | permit (user-defined flow does not take effect; forwarded) | permit (user-defined flow does not take effect; forwarded)
Route: route policy | matching mode permit: route policy takes effect; matching mode deny: route policy does not take effect | deny (route policy does not take effect) | deny (route policy does not take effect) | permit (route policy takes effect for all routes) | deny (route policy does not take effect)
Route: filter policy | permit (route advertisement or reception allowed) | deny (route advertisement or reception not allowed) | deny (route advertisement or reception not allowed) | deny (route advertisement or reception not allowed) | permit (route advertisement or reception allowed)
Multicast: igmp-snooping ssm-policy | permit (added to the SSM group address range) | deny (not added to the SSM group address range) | deny (not added to the SSM group address range) | deny (not added; no group is in the SSM group address range) | deny (not added; only the default range 232.0.0.0-232.255.255.255 is in the SSM group address range)
Multicast: igmp-snooping group-policy | permit (added to the multicast group), whether or not default-permit is configured | deny (not added to the multicast group), whether or not default-permit is configured | permit (added) if default-permit is configured, otherwise deny (not added) | permit (added) if default-permit is configured, otherwise deny (not added) | permit (added) if default-permit is configured, otherwise deny (not added)

Pay particular attention to the last two columns. For the login control modules, an ACL with no rules or an ACL that does not exist permits every login, and a filter policy whose ACL does not exist allows every route. A mistyped ACL number or an ACL applied before its rules are written therefore fails open, not closed.

 

3 ACL Configuration

The ACL configuration varies according to the service modules. The following table lists the ACL configuration on each module.

Telnet
Method 1: Run the telnet [ ipv6 ] server acl acl-number command in the system view.
Method 2:
a. Run the user-interface vty first-ui-number [ last-ui-number ] command to enter the VTY user interface view.
b. Run the acl [ ipv6 ] acl-number { inbound | outbound } command.
ACL number: 2000-3999

HTTP
Run the http acl acl-number command in the system view.
ACL number: 2000-3999

SNMP
SNMPv1/SNMPv2c: Run the snmp-agent acl acl-number or snmp-agent community { read | write } { community-name | cipher community-name } [ mib-view view-name | acl acl-number ] * command in the system view.
SNMPv3: Run the snmp-agent acl acl-number and snmp-agent group v3 group-name { authentication | privacy | noauthentication } [ read-view read-view | write-view write-view | notify-view notify-view ] * [ acl acl-number ] or snmp-agent usm-user v3 user-name [ group group-name | acl acl-number ] * commands in the system view.
ACL number: 2000-2999

FTP
Run the ftp [ ipv6 ] acl acl-number command in the system view.
ACL number: 2000-3999

TFTP
Run the tftp-server [ ipv6 ] acl acl-number command in the system view.
ACL number: 2000-3999

SFTP
Method 1: Run the ssh [ ipv6 ] server acl acl-number command in the system view.
Method 2:
a. Run the user-interface vty first-ui-number [ last-ui-number ] command to enter the VTY user interface view.
b. Run the acl [ ipv6 ] acl-number { inbound | outbound } command.
ACL number: 2000-3999

Traffic policy
(a) Run the traffic classifier classifier-name [ operator { and | or } ] [ precedence precedence-value ] command in the system view to create a traffic classifier and enter the traffic classifier view.
(b) Run the if-match acl { acl-number | acl-name } command to apply the ACL to the traffic classifier.
(c) Run the traffic behavior behavior-name command to define a traffic behavior and enter the traffic behavior view.
(d) Configure the traffic behavior. There are two behaviors: deny or permit.
(e) Run the traffic policy policy-name [ match-order { auto | config } ] command in the system view to define a traffic policy and enter the traffic policy view.
(f) Run the classifier classifier-name behavior behavior-name command to bind the traffic behavior to the traffic classifier.
(g) Run the traffic-policy policy-name { inbound | outbound } command in the system, interface, or VLAN view to apply the traffic policy.
ACL number: ACL 2000-5999; ACL6 2000-3999

NAT
Method 1:
(a) Run the nat address-group group-index start-address end-address command in the system view to configure a public address pool.
(b) Run the interface interface-type interface-number.subnumber command to enter the sub-interface view.
(c) Run the nat outbound acl-number address-group group-index [ no-pat ] command to associate NAT outbound with the address pool.
Method 2:
(a) Run the interface interface-type interface-number.subnumber command to enter the sub-interface view.
(b) Run the nat outbound acl-number command to configure Easy IP.
ACL number: 2000-3999

IPSec
Method 1:
(a) Run the ipsec policy policy-name seq-number manual command in the system view to create a manual IPSec policy and enter the manual IPSec policy view.
(b) Run the security acl acl-number command to apply an ACL to the IPSec policy.
Method 2:
(a) Run the ipsec policy policy-name seq-number isakmp command in the system view to create an IPSec policy in IKE negotiation mode and enter the IPSec policy view.
(b) Run the security acl acl-number command to apply an ACL to the IPSec policy.
Method 3:
(a) Run the ipsec policy-template template-name seq-number command in the system view to create an IPSec policy template and enter the IPSec policy template view.
(b) Run the security acl acl-number command to apply an ACL to the IPSec policy template.
(c) Run the ipsec policy policy-name seq-number isakmp template template-name command in the system view to apply the template to the IPSec policy.
ACL number: 3000-3999

Local attack defense: whitelist
(a) Run the cpu-defend policy policy-name command in the system view to create an attack defense policy and enter the attack defense policy view.
(b) Run the whitelist whitelist-id acl acl-number command to create a whitelist.
(c) Run the cpu-defend-policy policy-name [ global ] command in the system view, or the cpu-defend-policy policy-name command in the slot view, to apply the attack defense policy.
ACL number: 2000-4999

Local attack defense: blacklist
(a) Run the cpu-defend policy policy-name command in the system view to create an attack defense policy and enter the attack defense policy view.
(b) Run the blacklist blacklist-id acl acl-number command to create a blacklist.
(c) Run the cpu-defend-policy policy-name [ global ] command in the system view, or the cpu-defend-policy policy-name command in the slot view, to apply the attack defense policy.
ACL number: 2000-4999

Local attack defense: user-defined flow
(a) Run the cpu-defend policy policy-name command in the system view to create an attack defense policy and enter the attack defense policy view.
(b) Run the user-defined-flow flow-id acl acl-number command to configure a user-defined flow.
(c) Run the cpu-defend-policy policy-name [ global ] command in the system view, or the cpu-defend-policy policy-name command in the slot view, to apply the attack defense policy.
ACL number: 2000-4999

Routing: route policy
(a) Run the route-policy route-policy-name { permit | deny } node node command in the system view to create a route policy and enter the route policy view.
(b) Run the if-match acl { acl-number | acl-name } command to match on the ACL, and configure apply sub-clauses to define the actions of the route policy. For example, run the apply cost [ + | - ] cost command to set the route cost.
(c) Apply the route policy. The command depends on the routing protocol. For OSPF, run the import-route { limit limit-number | { bgp [ permit-ibgp ] | direct | unr | rip [ process-id-rip ] | static | isis [ process-id-isis ] | ospf [ process-id-ospf ] } [ cost cost | type type | tag tag | route-policy route-policy-name ] * } command in the OSPF view to import routes of other protocols into OSPF. For RIP, run the import-route { { static | direct | unr } | { { rip | ospf | isis } [ process-id ] } } [ cost cost | route-policy route-policy-name ] * command in the RIP view.
ACL number: 2000-2999

Routing: filter policy
The command depends on the routing protocol and the filtering direction. For example, to filter the routes imported into RIP, run the filter-policy { acl-number | acl-name acl-name | ip-prefix ip-prefix-name [ gateway ip-prefix-name ] } import [ interface-type interface-number ] command in the RIP view. To filter the routes advertised by RIP, run the filter-policy { acl-number | acl-name acl-name | ip-prefix ip-prefix-name } export [ protocol [ process-id ] | interface-type interface-number ] command in the RIP view.
ACL number: 2000-2999

Multicast: igmp-snooping ssm-policy
Run the igmp-snooping ssm-policy basic-acl-number command in the VLAN view.
ACL number: 2000-2999

Multicast: igmp-snooping group-policy
Run the igmp-snooping group-policy acl-number [ version version-number ] [ default-permit ] command in the VLAN view.
ACL number: 2000-3999

 

Now you know how each module consumes an ACL. Let's try two cases.

4  ACL Configuration Cases

Case 1: Use ACL to restrict Telnet access permission.

To ensure the security of remotely maintained devices, only the administrator (10.1.1.1/32) can log in to the switch through Telnet.

To meet this requirement, apply an ACL to the Telnet module. How should the ACL rules be written? Do we need a permit rule for 10.1.1.1/32 followed by a series of deny rules to reject everyone else? The answer is no.

According to the ACL handling table in section 2, when packets match a permit rule, the user that sent them is allowed to log in; when packets match no rule in the ACL, the user is not allowed to log in.

Service Module | Match permit Rule | Match deny Rule | No Rule Matched | ACL Has No Rules | ACL Not Created
Telnet | permit (allowed to log in) | deny (not allowed to log in) | deny (not allowed to log in) | permit (allowed to log in) | permit (allowed to log in)

 

Therefore, a single permit rule for 10.1.1.1/32 is enough. Login attempts from any other address match no rule and are rejected.

The configuration file of case 1 is as follows:

#
telnet server port 1025
#
acl number 2001    //Create basic ACL 2001.
 rule 5 permit source 10.1.1.1 0    //Allow the user with IP address 10.1.1.1/32 to log in.
#
aaa
 local-user admin1234 password irreversible-cipher ******    //****** stands for the login password; set it according to the actual situation.
 local-user admin1234 privilege level 3
 local-user admin1234 service-type telnet
#
user-interface maximum-vty 8
user-interface vty 0 7
 acl 2001 inbound    //Restrict user login.

Two points to check. First, as the table shows, an ACL that does not exist or has no rules permits every login, so write rule 5 before applying acl 2001 inbound and confirm the rule with display acl 2001. Second, Telnet carries the password in cleartext; the same source restriction can be applied to SSH with ssh server acl (see the SFTP entry in section 3), which is the better choice where SSH is available.

 

Case 2: Use ACL to restrict the server access time range.

An enterprise does not allow the R&D and marketing departments to access the salary query server at 10.10.4.9/32 in work hours (8:00-17:30), whereas the president's office can access the server at any time.

In effect, we need to restrict the traffic from 10.10.1.0/24 and 10.10.2.0/24 to 10.10.4.9/32 during the specified time range. Other traffic does not need to be restricted. We therefore configure the ACL and apply it to a traffic policy as follows:

(1) Look up the traffic policy module in the ACL handling table in section 2 to decide how the rules must be written.

When the ACL contains rules and a packet matches a deny rule, the packet is discarded. If a packet matches no rule in the ACL, it is forwarded. So we only need deny rules for the two kinds of traffic; packets from any other address to the server match no rule and are forwarded.

Service Module | Match permit Rule | Match deny Rule | No Rule Matched | ACL Has No Rules | ACL Not Created
Traffic policy | traffic behavior permit: forwarded; traffic behavior deny: discarded | deny (discarded) | permit (traffic policy does not take effect; forwarded without restriction) | permit (traffic policy does not take effect; forwarded without restriction) | permit (traffic policy does not take effect; forwarded without restriction)

 

(2) The access must be restricted only within the specified time range, so the time range has to be referenced in the rules.

For example, create a time range named control-time covering 08:00-17:30 on working days, then reference it in each deny rule with the time-range control-time keyword. The rule is active only while the time range is.

(3) Follow the traffic policy entry in section 3 to apply the ACL to the traffic policy module.

Create two traffic classifiers, c_market and c_rd, one for the marketing department and one for R&D; bind the ACL holding that department's deny rule to its classifier; and set both traffic behaviors to deny. Create the traffic policies p_market and p_rd, bind classifier and behavior in each, and apply each policy to an interface.

The packets to be filtered are the ones sent by the marketing and R&D departments, that is, the packets entering the switch through GE1/0/0 and GE1/0/1, so the traffic policy must be applied in the inbound direction.

Tips: The requirement can also be met with a single ACL holding both deny rules, one classifier that matches it, one deny behavior and one traffic policy. That configuration is shorter, but it has a drawback: what does the enterprise do when it later needs to restrict only the marketing department's access to some other server?

If the marketing and R&D departments share one ACL, traffic classifier, traffic behavior and traffic policy (together, an "ACL policy"), a new ACL policy has to be built for the marketing department. If the two departments have separate ACL policies, you only need to add a rule to the marketing department's ACL. It is therefore recommended that you configure one ACL policy per department.
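To make the handling table in section 2 and the two cases concrete, here is a small Python model. It is an added example, not code from the original post and not Huawei's implementation. It evaluates rules in ascending rule-ID order (the config match order), applies the wildcard-mask convention used above (0 bits must match, 1 bits are ignored, and a bare 0 means an exact host), honours an 08:00-17:30 working-day time range, and then maps the ACL result to the outcome for the Telnet, traffic policy and blacklist modules exactly as the table gives it. The names Acl, Rule, disposition, telnet_login, salary_server_access, the sample hosts and the timestamps are assumptions made for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import IPv4Address
from typing import Optional


def _addr(text: str) -> int:
    # Huawei config writes a host wildcard as a bare "0"; accept both forms.
    return int(text) if text.isdigit() else int(IPv4Address(text))


def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    # 0 bits in the wildcard must match the pattern, 1 bits are don't-care.
    care = 0xFFFFFFFF ^ _addr(wildcard)
    return (_addr(addr) ^ _addr(pattern)) & care == 0


@dataclass(frozen=True)
class TimeRange:
    start: str            # "HH:MM"
    end: str              # "HH:MM", inclusive
    working_day: bool     # True = Monday to Friday only

    def active(self, when: datetime) -> bool:
        if self.working_day and when.weekday() > 4:
            return False
        return self.start <= when.strftime("%H:%M") <= self.end


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                           # "permit" or "deny"
    source: str
    source_wildcard: str = "0"
    destination: Optional[str] = None     # None = basic ACL, source only
    destination_wildcard: str = "0"
    time_range: Optional[TimeRange] = None

    def matches(self, src: str, dst: Optional[str], when: datetime) -> bool:
        if self.time_range is not None and not self.time_range.active(when):
            return False                  # rule is inactive outside its time range
        if not wildcard_match(src, self.source, self.source_wildcard):
            return False
        if self.destination is not None:
            if dst is None or not wildcard_match(dst, self.destination, self.destination_wildcard):
                return False
        return True


@dataclass
class Acl:
    number: int
    rules: list[Rule] = field(default_factory=list)

    def lookup(self, src: str, dst: Optional[str], when: datetime) -> str:
        """Return 'permit', 'deny', 'no-match' or 'empty' (first hit in rule-ID order)."""
        if not self.rules:
            return "empty"
        for rule in sorted(self.rules, key=lambda r: r.rule_id):
            if rule.matches(src, dst, when):
                return rule.action
        return "no-match"


def disposition(module: str, acl: Optional[Acl], src: str, dst: Optional[str],
                when: datetime, behavior: str = "deny") -> str:
    """Per-module outcome ('permit' or 'deny'), transcribed from the table in section 2."""
    hit = "not-created" if acl is None else acl.lookup(src, dst, when)
    if module == "telnet":
        # Login control: an unmatched host is rejected, but an empty or
        # nonexistent ACL lets everyone in, so create the rules before applying it.
        return "deny" if hit in ("deny", "no-match") else "permit"
    if module == "traffic-policy":
        # A deny rule always drops; a permit rule hands the packet to the traffic
        # behavior; no match (or no usable ACL) means the policy does not apply.
        if hit == "deny":
            return "deny"
        if hit == "permit":
            return behavior
        return "permit"
    if module == "blacklist":
        # CPU defend blacklist: any matched packet is dropped, permit or deny alike.
        return "deny" if hit in ("permit", "deny") else "permit"
    raise ValueError(f"unknown module {module!r}")


# Case 1: ACL 2001 applied inbound on the VTY user interfaces.
ACL_2001 = Acl(2001, [Rule(5, "permit", "10.1.1.1", "0")])

# Case 2: ACL 3002 (marketing) with the control-time range, bound to a
# classifier whose traffic behavior is deny.
CONTROL_TIME = TimeRange("08:00", "17:30", working_day=True)
ACL_3002 = Acl(3002, [Rule(5, "deny", "10.10.1.0", "0.0.0.255",
                           "10.10.4.9", "0", CONTROL_TIME)])

# Constructed timestamps for the demonstration (2018-04-03 is a Tuesday, 04-07 a Saturday).
WORK_HOURS = datetime(2018, 4, 3, 9, 0)
AFTER_HOURS = datetime(2018, 4, 3, 18, 0)
WEEKEND = datetime(2018, 4, 7, 9, 0)


def telnet_login(src: str, acl: Optional[Acl] = ACL_2001) -> str:
    return disposition("telnet", acl, src, None, datetime.now())


def salary_server_access(src: str, when: datetime, dst: str = "10.10.4.9") -> str:
    return disposition("traffic-policy", ACL_3002, src, dst, when, behavior="deny")


if __name__ == "__main__":
    print(telnet_login("10.1.1.1"), telnet_login("10.1.1.2"))        # permit deny
    print(salary_server_access("10.10.1.25", WORK_HOURS))             # deny
    print(salary_server_access("10.10.1.25", AFTER_HOURS))            # permit
    print(salary_server_access("10.10.3.5", WORK_HOURS))              # permit
```

Running the block prints the dispositions for both cases. Calling telnet_login with an Acl that has no rules, or with None for an ACL that was never created, returns permit, which is the fail-open row of the table; calling disposition with module "blacklist" on ACL 2001 returns deny for 10.1.1.1 even though its only rule is a permit rule.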

 

★★★Summary★★★ All About Huawei Switch Features and Configurations


user_230335, Aug 10, 2015 09:21:58:

good, studying

All_About_Switch (Official), Jul 30, 2015 07:24:50:

The configuration file of case 2 is as follows:

time-range control-time 08:00 to 17:30 working-day    //Configure the time range 08:00-17:30 on working days.
#
acl number 3002
 rule 5 deny ip source 10.10.1.0 0.0.0.255 destination 10.10.4.9 0 time-range control-time    //Prohibit the marketing department from accessing the salary query server in work hours.
#
acl number 3003
 rule 5 deny ip source 10.10.2.0 0.0.0.255 destination 10.10.4.9 0 time-range control-time    //Prohibit the R&D department from accessing the salary query server in work hours.
#
traffic classifier c_market operator or precedence 5    //Configure an ACL-based traffic classifier for the marketing department.
 if-match acl 3002    //Classify the packets matching ACL 3002 (source addresses of the marketing department).
traffic classifier c_rd operator or precedence 10    //Configure an ACL-based traffic classifier for the R&D department.
 if-match acl 3003    //Classify the packets matching ACL 3003 (source addresses of the R&D department).
#
traffic behavior b_market
 deny    //Configure the traffic behavior to discard the packets matching the rules.
traffic behavior b_rd
 deny    //Configure the traffic behavior to discard the packets matching the rules.
#
traffic policy p_market match-order config    //Configure the traffic policy for the marketing department.
 classifier c_market behavior b_market    //Bind the traffic classifier and behavior to the traffic policy.
traffic policy p_rd match-order config    //Configure the traffic policy for the R&D department.
 classifier c_rd behavior b_rd    //Bind the traffic classifier and behavior to the traffic policy.
#
interface GigabitEthernet1/0/0
 port link-type access
 port default vlan 10
 traffic-policy p_market inbound    //Apply the traffic policy to the interface (the marketing department reaches the switch through GE1/0/0).
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 20
 traffic-policy p_rd inbound    //Apply the traffic policy to the interface (the R&D department reaches the switch through GE1/0/1).

ACL series document links:

Basic Knowledge About ACL: describes concepts related to ACLs, including the definition, functions, classifications, rules, and step, based on a figure.
ACL Matching: describes the ACL matching mechanism, matching order, and matching conditions.

 



wissal (MVE), Apr 7, 2018 15:06:48:

useful document, thanks