
implicit permit at the end of ACL

Latest reply: Oct 11, 2021 12:00:08
Hello guys,


I have read in the book for HCNA certification that at the end of ACLs there is an "implicit permit".
This is just the opposite of Cisco, which has "implicit deny".

Please can you confirm that.

Best Regards
George

Hello, if you configure the ACL in VTY, the default is deny. If you configure the ACL to deny the traffic, the default is permit.

It's not that easy.
For different ACL applications, the default action might be different.

jumbox Created Oct 7, 2021 09:42:21 (0) (0)
Please refer to the Huawei documents... and share them with us, please :)

Hi george2018,
I noticed your question. The description about HCIA and our product manual is correct. ACLs are classified into software ACLs and hardware ACLs. If a software ACL is used, the default action is deny. If a hardware ACL is used, the default action is permit. The differences between software ACLs and hardware ACLs are described as follows:
Software-based ACL: filters the interactive protocol packets destined for the local device, which must be sent to the CPU, for example, FTP, TFTP, Telnet, SNMP, HTTP, routing, and multicast protocol packets.

Hardware-based ACL: filters all packets by delivering ACL resources. Such ACLs include the ACL referenced by a traffic policy or simplified traffic policy, reflective ACL, user group ACL, and ACL for adding outer VLAN tags to the packets received on interfaces.

The software-based and hardware-based ACLs are different in the following aspects:
They filter different types of packets. A software-based ACL filters the packets that must be sent to the CPU for processing, whereas a hardware-based ACL filters all packets.

They filter packets in different ways. A software-based ACL is referenced by upper-layer software to filter packets, which consumes CPU resources. A hardware-based ACL is delivered to hardware for packet filtering, which consumes hardware resources. Packet filtering is faster using a hardware-based ACL.

They take different actions on the packets that match no ACL rule. When packets do not match any ACL rule, a software-based ACL rejects the packets, whereas a hardware-based ACL permits the packets.

jumbox Created Oct 7, 2021 09:14:29 (0) (0)
Opposite way... meaning that: tested on AR169, 3260, etc.
NOT correct:
If a software ACL is used, the default action is deny. If a hardware ACL is used, the default action is permit.
Correction:
If a software ACL is used, the default action is permit. If a hardware ACL is used, the default action is deny.

By the way, can you give a reference for your comment, or could you share formal Huawei documentation? I couldn't find Huawei documentation about this topic.
Take care
fuzi_yao
fuzi_yao Reply jumbox  Created Oct 8, 2021 00:36:08 (0) (0)
Bro,
S series switches: https://support.huawei.com/hedex/hdx.do?docid=EDOC1100210952&id=EN-US_CONCEPT_0177110606&lang=en
AR series routers: https://support.huawei.com/hedex/hdx.do?docid=EDOC1100069307&id=dc_cfg_acl_1010&lang=en

Posted by chenhui at 2021-09-26 03:48: It's not that easy. For different ACL applications, the default action might be different.

Please refer to the Huawei documents... and share them with us, please.

I think there is a misunderstanding... I was talking about the situation below.
Tested on AR series routers...
acl number 3000  
rule 10 permit ip source x.x.x.0 0.0.0.255 destination y.y.y.0 0.0.0.255 

---------> there is an implicit permit at the end (as permit ip)
int ge0/0/0
traffic-filter outbound acl 3000

acl number 3000  
rule 10 permit ip source x.x.x.0 0.0.0.255 destination y.y.y.0 0.0.0.255
-----> Now, when it is applied to the policy as a match statement, there is an implicit deny at the end of the ACL (as deny ip)

traffic classifier testclass operator or
if-match acl 3000 <-----

traffic behavior testpermit
permit
traffic behavior testdeny
deny

traffic policy testpc
classifier testclass behavior testpermit
classifier default-class behavior testdeny

int ge0/0/0
traffic-policy testpc outbound
Thanx
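
The default-action difference discussed in the replies above, as an added example (not code from any poster or from Huawei documentation): a small Python model of first-match ACL evaluation in which only the unmatched-packet default differs by ACL type, plus a check for an explicit catch-all rule that removes the dependence on that default. The addresses are constructed stand-ins for the thread's x.x.x.0 / y.y.y.0, the per-type defaults are the ones stated in the software/hardware ACL reply, and ascending rule-ID evaluation order is an assumption.

```python
import ipaddress
import re

# Action for packets that match no rule, as stated in the reply above
# (assumption: not verified against a device here).
DEFAULT_ACTION = {"software": "deny", "hardware": "permit"}

# Supports only: rule <id> permit|deny ip [source <addr> <wildcard>] [destination <addr> <wildcard>]
RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+ip"
    r"(?:\s+source\s+(\S+)\s+(\S+))?"
    r"(?:\s+destination\s+(\S+)\s+(\S+))?\s*$"
)

def parse_acl(text):
    """Parse rule lines into (id, action, (src, wildcard), (dst, wildcard))."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule: {line!r}")
        rule_id, action, src, src_wc, dst, dst_wc = m.groups()
        rules.append((int(rule_id), action, (src, src_wc), (dst, dst_wc)))
    return sorted(rules, key=lambda r: r[0])  # assumed: ascending rule-id order

def _matches(addr, net, wildcard):
    if net is None:  # field omitted in the rule: matches any address
        return True
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF  # wildcard 1-bits are "don't care"
    to_int = lambda a: int(ipaddress.IPv4Address(a))
    return to_int(addr) & care == to_int(net) & care

def evaluate(rules, src, dst, acl_type):
    """Return (action, reason): first matching rule wins, else the type's default."""
    for rule_id, action, (s, swc), (d, dwc) in rules:
        if _matches(src, s, swc) and _matches(dst, d, dwc):
            return action, f"rule {rule_id}"
    return DEFAULT_ACTION[acl_type], "default"

def has_explicit_catch_all(rules):
    """True if the last rule matches every IP packet, so the default is never reached."""
    _, _, (s, _), (d, _) = rules[-1]
    return s is None and d is None

# Constructed sample: the thread's ACL 3000 with placeholder networks filled in,
# and the same ACL with an explicit final deny.
ACL_3000 = "rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255"
HARDENED = ACL_3000 + "\nrule 100 deny ip"
```

With the explicit final rule, an unmatched packet gets the same verdict whichever default applies, which is the practical way to avoid depending on the behavior being debated in this thread.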
