Routing Policy and Routing Control - Route Control Tool - Route Matching Tool - ACL

Latest reply: Jul 25, 2021 19:25:05

Routing Control Tool - Route Matching Tool - ACL


OBJECTIVE


The purpose of this post is to present an introduction to Routing Policy and Routing Control - Route Control Tool.


Route Matching Tool 1: ACL


• An access control list (ACL) is a matching tool that can match and distinguish packets and routes.


• An ACL consists of multiple permit, deny, or both clauses. Each statement is a rule of the ACL. The permit or deny action in each statement is an action bound to the rule.



• An ACL consists of the following elements:


▫ ACL number: Each ACL configured on a device is assigned a number, which is called an ACL number and is used to identify the ACL. The ACL number range varies according to the ACL type.


▫ Rule: As mentioned above, an ACL usually consists of multiple permit, deny, or both clauses, and each clause is a rule of the ACL.


▫ Rule number: Each rule has a rule number, which identifies an ACL rule. The value can be user-defined or automatically allocated by the system. The number of an ACL rule is an integer ranging from 0 to 4294967294. All ACL rules are numbered in ascending order.


▫ Action: "Permit" or "Deny" in each rule is an action bound to the rule. ACLs are usually used together with other technologies, so the meaning of an action varies according to the scenario.


▪ For example, if an ACL is used together with a traffic filtering technology (the ACL is applied to the traffic filtering function), "permit" indicates that traffic is allowed to pass, and "deny" indicates that traffic is rejected.


▫ Item to be matched against: The ACL defines many items to be matched against. In this example, the source IP address is used. The ACL also supports many other items. For instance, the items can be Layer 2 Ethernet frame header information (such as a source MAC address, destination MAC address, and Ethernet frame protocol type), Layer 3 packet information (such as a destination address and protocol type), or Layer 4 packet information (such as a TCP/UDP port number).


• Question: What does the command rule 5 permit source 1.1.1.0 0.0.0.255 mean? This will be introduced later.


Wildcard



Matching rule:


    0: match; 1: no match



• For an IP address to be matched against a matching rule, the address is followed by a 32-bit mask. The 32-bit mask is called a wildcard.


• The wildcard is in dotted decimal notation. After it is converted into binary format, value 0 indicates "match" and value 1 indicates "no match". The 1s or 0s in a wildcard may be discontinuous.


• There are two examples:


▫ rule 5: rejects packets with source IP address 10.1.1.1. The all-0 wildcard indicates that each bit must be matched exactly. Therefore, only the host IP address 10.1.1.1 matches the rule.


▫ rule 15: permits packets whose source IP address belongs to network segment 10.1.1.0/24. The wildcard is 0.0.0.255, that is 0.0.0.11111111 in binary: the right-most 8 bits are 1, which indicates that these bits in packets can be ignored. As such, the right-most 8 bits in 10.1.1.xxxxxxxx can be any value, and the whole network segment 10.1.1.0/24 matches this rule.


• Example: To exactly match the network segment address of 192.168.1.1/24, which wildcard can be used?


▫ It can be concluded that network bits must be exactly matched and host bits can be ignored. Therefore, the wildcard is 0.0.0.255.


• Two special wildcards:


▫ The all-0 wildcard is used to exactly match a specific IP address.


▫ When the all-1 wildcard is used to match 0.0.0.0, it indicates that all IP addresses are matched.


ACL Classification and Basic ACLs


• Classification based on the ACL rule definition mode



• Basic ACL



• Only basic ACLs can be used to match routes.


ACL Fundamentals



• The ACL matching mechanism is as follows:


▪ After a device configured with an ACL receives a packet, the device matches the packet against the ACL rules one by one. If the packet does not match an ACL rule, the device attempts to match the packet against the next rule.


▪ Once the packet matches a rule, the device performs the action defined in the rule on the packet and no longer matches the packet against other rules.


• Matching process:


• The device checks whether an ACL is configured.


• If no ACL is configured, the device returns the result "negative match".


• If an ACL is configured, the device checks whether the ACL contains rules.


▫ If the ACL does not contain rules, the device returns the result "negative match".


▫ If the ACL contains rules, the device matches the packets against the rules in ascending order of rule IDs.


▪ When the packets match a permit rule, the device stops matching and returns the result "positive match (permit)".


▪ When the packets match a deny rule, the device stops matching and returns the result "positive match (deny)".


▪ If the packets do not match any rule in the ACL, the device returns the result "negative match".


Matching Order and Result of ACL Rules


Configuration sequence (config mode)


▫ The system matches packets against ACL rules in ascending order by rule ID. A rule with a smaller ID is matched earlier.



• An ACL consists of multiple deny | permit clauses, each of which describes a rule. These rules may overlap or conflict. In this situation, the matching order decides the matching result.


• Huawei devices support two matching orders: automatic order (auto mode) and configured order (config mode). The configured mode is used by default.


▫ Automatic order: The system arranges rules according to their precision (depth-first principle) and matches packets against the rules in descending order of precision. The rule with the highest precision defines the strictest conditions and has the highest priority. This process is complex, so we will not go into details here. Anyone interested can read the materials after class.


▫ Configured order: The system matches packets against ACL rules in ascending order of rule IDs. That is, the rule with the smallest ID is processed first. This is the matching order we mentioned earlier.


If another rule is added, the rule is added to a corresponding position, and packets are still matched against the rules in ascending order by rule ID.


ACLs are always used together with other technologies. The actual functions of "permit" and "deny" vary with technologies. For example, when an ACL is used together with route filtering, "permit" means that a route is a match, and "deny" means that a route is not a match.
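The wildcard matching rule from the Wildcard section, the matching process (no ACL or no rules gives "negative match"; otherwise rules are checked in ascending order of rule ID and the first hit decides), and the config-mode insertion of a rule at the position its ID dictates, worked through as an added Python example that is not part of the original post or of the HCIP training material. It parses rules written in the rule [ rule-id ] { deny | permit } source { address wildcard | any } syntax that the post uses. The function names, the sample rules and the tested addresses are constructed for this example, and the step of 5 used to auto-allocate an omitted rule ID is an assumption about the device default, not something the post states.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed default step for auto-allocated rule IDs (an assumption for this example).
RULE_ID_STEP = 5

# Constructed sample ACL in the rule syntax the post describes. Rule 10 is
# entered last; in config mode it is inserted between rules 5 and 15 and is
# matched in ascending order of rule ID like every other rule.
SAMPLE_RULES = [
    "rule 5 deny source 10.1.1.1 0.0.0.0",        # exact host: all-0 wildcard
    "rule 15 permit source 10.1.1.0 0.0.0.255",   # whole /24: low 8 bits ignored
    "rule 20 permit source 192.168.1.0 0.0.0.255",
    "rule 10 deny source 10.1.1.128 0.0.0.127",   # upper half of 10.1.1.0/24
]


@dataclass
class Rule:
    rule_id: Optional[int]  # None until the ACL assigns one
    action: str             # "permit" or "deny"
    network: int            # source address as a 32-bit integer
    wildcard: int           # 32-bit wildcard: bit 0 = must match, bit 1 = ignored

    def matches(self, address: str) -> bool:
        # Only the bit positions where the wildcard bit is 0 are compared.
        care = ~self.wildcard & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(address)) & care) == (self.network & care)


def parse_rule(line: str) -> Rule:
    """Parse 'rule [id] {permit|deny} [source {addr wildcard | any}]'."""
    tokens = line.split()
    if not tokens or tokens[0] != "rule":
        raise ValueError(f"not a rule line: {line!r}")
    pos = 1
    rule_id = None
    if pos < len(tokens) and tokens[pos].isdigit():
        rule_id = int(tokens[pos])
        pos += 1
    if pos >= len(tokens) or tokens[pos] not in ("permit", "deny"):
        raise ValueError(f"missing permit/deny action: {line!r}")
    action = tokens[pos]
    pos += 1
    # No 'source' clause, or 'source any', matches every address: this is
    # 0.0.0.0 with the all-1 wildcard from the post's second special case.
    network, wildcard = 0, 0xFFFFFFFF
    if pos < len(tokens) and tokens[pos] == "source":
        if len(tokens) < pos + 2:
            raise ValueError(f"'source' needs an address or 'any': {line!r}")
        if tokens[pos + 1] != "any":
            if len(tokens) < pos + 3:
                raise ValueError(f"source address needs a wildcard: {line!r}")
            network = int(ipaddress.IPv4Address(tokens[pos + 1]))
            wildcard = int(ipaddress.IPv4Address(tokens[pos + 2]))
    return Rule(rule_id, action, network, wildcard)


def build_acl(lines: list[str], step: int = RULE_ID_STEP) -> list[Rule]:
    """Apply rule lines in the order typed; keep the ACL sorted by rule ID."""
    acl: list[Rule] = []
    for line in lines:
        rule = parse_rule(line)
        if rule.rule_id is None:
            # Auto-allocate: the next multiple of the step above the highest ID.
            highest = max((r.rule_id for r in acl), default=0)
            rule.rule_id = (highest // step + 1) * step
        # Re-entering an existing ID replaces that rule.
        acl = [r for r in acl if r.rule_id != rule.rule_id]
        acl.append(rule)
        acl.sort(key=lambda r: r.rule_id)
    return acl


def match(acl: Optional[list[Rule]], address: str) -> str:
    """Return the matching result the post describes for one source address."""
    if acl is None:      # no ACL configured
        return "negative match"
    if not acl:          # ACL configured but it has no rules
        return "negative match"
    for rule in acl:     # ascending rule ID; the first hit stops the search
        if rule.matches(address):
            return f"positive match ({rule.action})"
    return "negative match"


def wildcard_for(prefix: str) -> str:
    """Wildcard that matches a segment exactly: 0s over network bits, 1s over host bits."""
    return str(ipaddress.IPv4Network(prefix, strict=False).hostmask)


if __name__ == "__main__":
    acl = build_acl(SAMPLE_RULES)
    print("rule order:", [r.rule_id for r in acl])
    for addr in ("10.1.1.1", "10.1.1.50", "10.1.1.200", "192.168.1.77", "172.16.0.1"):
        print(f"{addr:>14} -> {match(acl, addr)}")
    print("wildcard for 192.168.1.1/24:", wildcard_for("192.168.1.1/24"))
```

Running the block shows rule 10 sorted between rules 5 and 15 even though it was typed last, so 10.1.1.200 is denied by rule 10 before rule 15 can permit it, while 10.1.1.50 falls through to rule 15; an address no rule covers, such as 172.16.0.1, yields "negative match", which is why a trailing "rule deny source any" is the usual way to make the default explicit.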


Common Matching Examples



Basic Configuration Commands of Basic ACLs


1. Create a basic ACL.



2. Configure a basic ACL rule.



• Create a basic ACL.


• [Huawei] acl [ number ] acl-number [ match-order config ]


▫ acl-number: specifies the number of an ACL.


▫ match-order config: indicates the matching order of ACL rules. config indicates the configuration order.


• [Huawei] acl name acl-name { basic | acl-number } [ match-order config ]


▫ acl-name: specifies the name of an ACL.


▫ basic: indicates a basic ACL.


• Configure a basic ACL rule.


• [Huawei-acl-basic-2000] rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | time-range time-name ]


▫ rule-id: specifies the ID of an ACL rule.


▫ deny: rejects packets that meet the matching conditions.


▫ permit: permits the packets that meet the matching conditions.



Reference:


HCIP-Datacom-Core Technology V1.0 Training Material


--- End


That's awesome. I'm learning everyday with those contents.
Thanks for sharing.
Ayeshaali Created Jul 19, 2021 17:32:11

Ayeshaali Created Jul 19, 2021 17:32:18

ulrichwandja Reply Ayeshaali Created Jul 25, 2021 19:24:34

Good
Thanks for sharing
PanchakS Created Jul 21, 2021 04:28:35

great!
Vlada85
MVE Author Created Jul 19, 2021 21:23:19

Very useful article!
Very good my friend!
PanchakS Created Jul 21, 2021 04:28:42

Good information
thanks for sharing