FAQ-How Are deny and permit in ACL Rules Used in Different Services

Publication Date: 2015-05-06
Issue Description
How Are deny and permit in ACL Rules Used in Different Services?
Solution

The deny and permit clauses in ACL rules have different functions in different services.

Traffic policy

If packets do not match any ACL rules, the system processes packets according to the original forwarding mode.
  • When the ACL rule defines permit, the system processes packets according to the action in the traffic behavior:
      • If the traffic behavior defines deny, the system discards matching packets.
      • If the traffic behavior defines permit, the system allows matching packets to pass through.
  • When the ACL rule defines deny, the system directly discards matching packets.
  • When no ACL rule is configured, the system processes packets according to the original forwarding mode.
IPSec
  • When permit is used in the ACL rule, the system uses IPSec policies to protect traffic matching the ACL rule, and then forwards the traffic.
  • In V2R3C00 and earlier versions, when deny is used in the ACL rule, the device rejects packets that match the ACL rule. In V2R3C01, when deny is used in the ACL rule, the IPSec policy referencing the ACL does not take effect; that is, the system forwards the packets passing through the interface without performing any operation on them.
  • When packets do not match the permit or deny ACL rule, the IPSec policy referencing the ACL does not take effect, and the device directly forwards packets.
  • When an ACL does not contain rules, the IPSec policy referencing the ACL does not take effect. That is, the system forwards the packets passing the interface without performing any operation.
Firewall

If packets match an ACL rule, the packets are filtered based on the ACL rule; if packets match no ACL rule, the packets are processed based on the default packet filtering mode.
  • When permit is used in the ACL rule:
      • When the ACL is applied to the inbound traffic, the system forwards the packets matching the ACL rule sent from the low-priority zone to the high-priority zone.
      • When the ACL is applied to the outbound traffic, the system forwards the packets matching the ACL rule sent from the high-priority zone to the low-priority zone.
  • When deny is used in the ACL rule:
      • When the ACL is applied to the inbound traffic, the system discards the packets matching the ACL rule sent from the low-priority zone to the high-priority zone.
      • When the ACL is applied to the outbound traffic, the system discards the packets matching the ACL rule sent from the high-priority zone to the low-priority zone.
  • When an ACL does not contain rules:
      • When the ACL is applied to the inbound traffic, the ACL does not take effect, and the system discards all packets sent from the low-priority zone to the high-priority zone.
      • When the ACL is applied to the outbound traffic, the ACL does not take effect, and the system discards all packets sent from the high-priority zone to the low-priority zone.

NAT
  • When permit is used in the ACL rule, the system uses the address pool to translate addresses for packets whose source IP address matches the one specified in the ACL rule.
  • When permit is not used in the ACL rule, the NAT policy referencing the ACL does not take effect. That is, the system searches routes for packets, but does not translate addresses.
Smart policy routing
  • When permit or deny is used in the ACL rule, the system selects routes for the packets matching the ACL rule according to link quality.
  • If packets match no ACL rule, the system searches routes for the packets according to the destination addresses.
  • When the ACL does not contain rules, the smart policy routing referencing the ACL does not take effect, and the system searches routes for the packets according to the destination addresses.
Local policy routing
  • When permit is used in the ACL rule, the system executes the behavior specified in the local routing policy for the packets matching the ACL rule. When the behavior is permit, the system enforces the policy on the packets matching the rule. When the behavior is deny, the system searches routes for the packets according to the destination addresses.
  • If packets match no ACL rule, the system searches routes for the packets according to the destination addresses.
  • When deny is used in the ACL rule or the ACL does not contain rules, the local policy routing referencing the ACL does not take effect, and the system searches routes for the packets according to the destination addresses.
Telnet
  • When permit is used in the ACL rule:
      • If the ACL is applied in the inbound direction, other devices that match the ACL rule can access the local device.
      • If the ACL is applied in the outbound direction, the local device can access other devices that match the ACL rule.
  • When deny is used in the ACL rule:
      • If the ACL is applied in the inbound direction, other devices that match the ACL rule cannot access the local device.
      • If the ACL is applied in the outbound direction, the local device cannot access other devices that match the ACL rule.
  • When the ACL rule is configured but packets from other devices do not match the rule:
      • If the ACL is applied in the inbound direction, other devices cannot access the local device.
      • If the ACL is applied in the outbound direction, the local device cannot access other devices.
  • When the ACL contains no rule:
      • If the ACL is applied in the inbound direction, any other devices can access the local device.
      • If the ACL is applied in the outbound direction, the local device can access any other devices.

FTP
  • Other devices that match the ACL rule can establish an FTP connection with the local device only when permit is used in the ACL rule.
  • When deny is used in the ACL rule, other devices that match the ACL rule cannot establish FTP connections with the local device.
  • When the ACL rule is configured but packets from other devices do not match the rule, other devices cannot establish FTP connections with the local device.
  • When the ACL contains no rule, any other devices can establish FTP connections with the local device.
TFTP
  • The local device can establish TFTP connections with other devices that match the ACL rule only when permit is used in the ACL rule.
  • When deny is used in the ACL rule, the local device cannot establish TFTP connections with other devices that match the ACL rule.
  • When the ACL rule is configured but packets from other devices do not match the rule, the local device cannot establish TFTP connections with other devices.
  • When the ACL contains no rule, the local device can establish TFTP connections with any other devices.
SNMP
  • When the ACL rule is permit, the NMS with the source IP address specified in this rule can access the local device.
  • When the ACL rule is deny, the NMS with the source IP address specified in this rule cannot access the local device.
  • If a packet matches no ACL rule, the NMS that sends the packet cannot access the local device.
  • When no ACL rule is configured, all NMSs can access the local device.
NTP

By default, the peer device's right to access the NTP service on the local device is peer.
  • When the ACL rule is permit, the peer device with the source IP address specified in this rule can access the NTP service on the local device. The access right of the peer device is configured using the ntp-service access command.
  • When the ACL rule is deny, the peer device with the source IP address specified in this rule cannot access the NTP service on the local device.
  • When a packet matches no ACL rule, the peer device that sends the packet has the default right to access the NTP service on the local device.
  • When no ACL rule is configured, all peer devices have the default right to access the NTP service on the local device.
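The four ACL outcomes this FAQ distinguishes (permit, deny, no matching rule, ACL with no rules) lead to different results per service, and the most error-prone one is that an ACL with no rules opens Telnet/FTP/TFTP/SNMP to every source while a non-matching source is refused. The following added example (not vendor code) models first-match ACL evaluation and the per-service semantics transcribed from this page; the rule format (action, IPv4 source network), the function names and the sample addresses are assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

# Outcomes of evaluating an ACL. The FAQ treats "no rule matched" and "the ACL
# has no rules" as distinct cases, and several services react differently to each.
PERMIT, DENY, NO_MATCH, EMPTY = "permit", "deny", "no-match", "empty"

def evaluate_acl(rules, src_ip):
    """First-match evaluation of an ordered list of (action, source_network) rules."""
    if not rules:
        return EMPTY
    addr = ip_address(src_ip)
    for action, net in rules:
        if addr in ip_network(net):
            return action
    return NO_MATCH

def traffic_policy(acl_result, behavior):
    """deny in the rule discards outright; permit defers to the traffic behavior."""
    if acl_result == PERMIT:
        return "discard" if behavior == DENY else "forward"
    if acl_result == DENY:
        return "discard"
    return "forward (original forwarding mode)"

def firewall(acl_result):
    """An ACL with no rules on a firewall discards all traffic crossing the zones."""
    if acl_result in (DENY, EMPTY):
        return "discard"
    return "forward" if acl_result == PERMIT else "default packet filtering"

def management_access(acl_result):
    """Telnet/FTP/TFTP/SNMP: an unmatched source is refused, but an ACL with no
    rules at all admits every source (inbound for Telnet/FTP/SNMP, outbound for TFTP)."""
    return acl_result in (PERMIT, EMPTY)

def ntp_access(acl_result):
    """NTP falls back to the default access right (peer) instead of refusing."""
    if acl_result == PERMIT:
        return "right set by ntp-service access"
    return "refused" if acl_result == DENY else "default right (peer)"

def audit_management_acl(rules, sources):
    """Report which candidate sources a management-plane ACL admits."""
    return {ip: management_access(evaluate_acl(rules, ip)) for ip in sources}

# Constructed sample: permit the NMS subnet, then an explicit catch-all deny.
SAMPLE_RULES = [(PERMIT, "192.0.2.0/24"), (DENY, "0.0.0.0/0")]
SAMPLE_SOURCES = ["192.0.2.10", "198.51.100.7"]
```

Running `audit_management_acl([], SAMPLE_SOURCES)` admits both sources, which is the case to check for when an ACL is bound to a management service before its rules are written.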
