
CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

This document describes the configuration of the services supported by the CX11x&CX31x&CX91x series switch modules. The description covers configuration examples and function configurations.
Principles

This section describes how ACLs are implemented.

Principles of ACLs

An ACL manages all configured rules and provides the matching algorithm for packets.

ACL Rule Management

An ACL can contain multiple rules. A rule is identified by a rule ID, which can be set by a user or automatically generated based on the ACL step. All rules in an ACL are arranged in ascending order of rule IDs.

Rule IDs are separated by the ACL step. For example, if the ACL step is set to 5, rules are numbered 5, 10, 15, and so on. If the ACL step is set to 2 and rule IDs are configured to be generated automatically, the system generates rule IDs starting from 2. The gap left by the step makes it possible to add a new rule between existing rules.

ACL Rule Matching

When a packet reaches a device, the device extracts information from the packet and compares it with the ACL rules in ascending order of rule ID. As soon as a matching rule is found, the device stops searching. If no rule matches the packet, the device does not process the packet.

ACL rules can be classified into permit rules and deny rules.

In summary, the ACL classifies packets into the following types:
  • Packets matching permit rules.
  • Packets matching deny rules.
  • Packets that do not match rules.

Different features have different manners to process the three types of packets. For details, see feature manuals.

ACL Classification

ACLs can be classified into different types according to several criteria.

  • ACLs can be classified into numbered ACLs and named ACLs according to the ACL naming mode.
    • A numbered ACL is identified by a number.
      NOTE:
The number identifies the ACL and also indicates its type. For example, an ACL numbered from 2000 to 2999 is a basic ACL, and an ACL numbered from 3000 to 3999 is an advanced ACL.
    • A named ACL is identified by a name.
  • Table 12-15 lists the ACL classification.

    Table 12-15 ACL classification

    | Category | IP Version | Function | Note |
    | Basic ACL | IPv4 | A basic ACL matches packets only based on the source IP address, fragment flag, and time range. | A basic IPv4 ACL is also called a basic ACL. Basic ACLs are numbered from 2000 to 2999. |
    | Advanced ACL | IPv4 | An advanced ACL matches packets based on the source IPv4 address, destination IPv4 address, IP precedence, IP protocol type, Internet Control Message Protocol (ICMP) type, TCP source/destination port, and User Datagram Protocol (UDP) source/destination port. | An advanced IPv4 ACL is also called an advanced ACL. Advanced ACLs are numbered from 3000 to 3999. |
    | Layer 2 ACL | IPv4&IPv6 | A Layer 2 ACL matches packets based on Layer 2 information in packets, such as source and destination Media Access Control (MAC) addresses, and Layer 2 protocol types. | Layer 2 ACLs are numbered from 4000 to 4999. |
    | User-defined ACL | IPv4&IPv6 | A user-defined ACL matches specific contents in packets according to an offset position and offset value. | User-defined ACLs are numbered from 5000 to 5999. |
    | Basic ACL6 | IPv6 | A basic ACL6 matches packets based on the source IPv6 address, fragment flag, and time range. | A basic IPv6 ACL is also called a basic ACL6. Basic ACL6s are numbered from 2000 to 2999. |
    | Advanced ACL6 | IPv6 | An advanced ACL6 matches packets based on the source IPv6 address and destination IPv6 address, the protocol type carried by IPv6, protocol features such as the source port number and destination port number, the ICMPv6 type, and the ICMPv6 code. | An advanced IPv6 ACL is also called an advanced ACL6. Advanced ACL6s are numbered from 3000 to 3999. |

    NOTE:

    A basic ACL and a basic ACL6 can use the same number, and an advanced ACL and an advanced ACL6 can use the same number.

ACL Naming

You can assign a unique name to an ACL. Each ACL has at most one name. A named ACL is identified by its name, which can be used to reference the ACL.

You can choose whether to specify a name when an ACL is created. After the ACL is created, you cannot modify or delete the ACL name, nor assign a name to an unnamed ACL.

You can configure a number for a named ACL. If no ACL number is specified for a named ACL, the system allocates an ACL number to the named ACL.

NOTE:

A basic ACL and a basic ACL6 or an advanced ACL and an advanced ACL6 can use the same number.

Step of an ACL

Definition

A step is the difference between consecutive ACL rule IDs allocated automatically by the system. For example, if the step is set to 5, the rule IDs are multiples of 5 (beginning with 5), such as 5, 10, and 15.

  • If the step value is changed, ACL rule IDs are rearranged automatically. For example, the original rule IDs 5, 10, 15, and 20 will become 2, 4, 6, and 8 if you change the ACL step to 2.

  • When the step is restored to the default value, the device rearranges ACL rule IDs using the default step value. For example, ACL rule group 3001 contains four rules with IDs 2, 4, 6, and 8, and the step is 2. After the ACL step is restored to the default value 5, the ACL rule IDs become 5, 10, 15, and 20.

Function

The step value leaves a gap between ACL rule IDs. This lets you insert new rules between existing ACL rules and thereby control the matching order of the rules. For example, four rules are configured in the ACL rule group: rules 5, 10, 15, and 20. To insert a new rule after rule 5 (the first rule), create it with rule ID 7 so that it falls between rule 5 and rule 10.

In addition, you do not need to specify a rule ID manually when creating an ACL rule. The system allocates a rule ID to the new rule, which is the sum of the current maximum rule ID and the step value. For example, if the current maximum rule ID is 25 and the step value is 5, the system allocates rule ID 30 to the new rule.
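The following is an added example, not code from this guide or the switch software, that models the rule-ID behaviour described in the ACL Rule Management and Step sections: automatic allocation as maximum ID plus step, manual insertion between existing IDs, and renumbering when the step changes. The class name AclRules and the rule text format are assumptions made for illustration.

```python
# Constructed model of ACL rule-ID allocation and step renumbering.
# Illustrative only; not the switch module's implementation.

class AclRules:
    DEFAULT_STEP = 5  # the guide's default step value

    def __init__(self, step=DEFAULT_STEP):
        self.step = step
        self.rules = {}  # rule_id -> rule text, e.g. "permit source 10.1.0.0 0.0.255.255"

    def ordered_ids(self):
        """All rules in an ACL are arranged in ascending order of rule ID."""
        return sorted(self.rules)

    def next_id(self):
        """Auto-allocated ID = current maximum ID + step; the first rule gets the step itself."""
        return (max(self.rules) if self.rules else 0) + self.step

    def add(self, text, rule_id=None):
        """Add a rule. An explicit ID may fall between existing IDs (e.g. 7 between 5 and 10)."""
        if rule_id is None:
            rule_id = self.next_id()
        if rule_id in self.rules:
            raise ValueError(f"rule {rule_id} already exists")
        self.rules[rule_id] = text
        return rule_id

    def set_step(self, step):
        """Changing the step renumbers rules as step, 2*step, 3*step, ... in their existing order."""
        if step < 1:
            raise ValueError("step must be >= 1")
        self.step = step
        self.rules = {step * (i + 1): self.rules[old]
                      for i, old in enumerate(self.ordered_ids())}

    def restore_default_step(self):
        """Restoring the default step renumbers with the default value (5)."""
        self.set_step(self.DEFAULT_STEP)
```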

Packet Fragmentation Supported by ACLs

The Switch Module can filter fragmented packets. It can match all Layer 3 IP packets with Layer 3 filtering rules.

  • If fragment is not specified in an ACL rule, the rule matches non-fragmented packets, initial fragments, and non-initial fragments alike (all three are processed in the same way).

  • If fragment is specified in the ACL rule, the rule matches non-initial fragments only.

When attackers construct fragmented packets to attack the network, you can specify fragment in an ACL rule so that the device filters only non-initial fragments. Non-fragmented packets are then left untouched, which protects normal service transmission.
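The following is an added example, not code from this guide or the switch software, that models the first-match evaluation from the ACL Rule Matching section together with the fragment and time-range semantics described above: a rule with fragment matches only non-initial fragments, a rule without it matches all packets, a rule whose referenced time range is not configured does not take effect, and the result is permit, deny, or no match. The Rule and Packet classes, the hour-based time window, and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of basic-ACL matching; not the switch module's code.

@dataclass
class Rule:
    rule_id: int
    action: str                        # "permit" or "deny"
    source: str                        # IPv4 network, e.g. "10.1.0.0/16"
    fragment: bool = False             # True = rule carries the fragment keyword
    time_range: Optional[str] = None   # name of a referenced time range, if any

@dataclass
class Packet:
    src: str
    frag: str = "none"                 # "none", "initial" or "non-initial"

def rule_active(rule, time_ranges, now_hour):
    """A rule referencing an unconfigured time range does not take effect;
    otherwise it is active only while the system time is inside the window."""
    if rule.time_range is None:
        return True
    window = time_ranges.get(rule.time_range)
    if window is None:
        return False
    start, end = window
    return start <= now_hour < end

def rule_matches(rule, pkt):
    """Source-address check plus the fragment-keyword semantics."""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.source):
        return False
    # With fragment: only non-initial fragments match.
    # Without it: non-fragmented, initial and non-initial fragments all match.
    return pkt.frag == "non-initial" if rule.fragment else True

def match_acl(rules, pkt, time_ranges=None, now_hour=12):
    """Evaluate rules in ascending rule-ID order and stop at the first match.
    Returns "permit", "deny", or None when no rule matches the packet."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule_active(rule, time_ranges or {}, now_hour) and rule_matches(rule, pkt):
            return rule.action
    return None

# Constructed sample ACL: rule 5 drops non-initial fragments from 10.1.0.0/16,
# rule 10 permits the rest of that range, rule 15 applies only during "work".
ACL = [
    Rule(5, "deny", "10.1.0.0/16", fragment=True),
    Rule(10, "permit", "10.1.0.0/16"),
    Rule(15, "deny", "192.168.0.0/16", time_range="work"),
]
```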

Time Range of an ACL

A time range specifies a period of time. In practice, some ACL rules must be valid only during a certain period and invalid outside it, meaning that the ACL filters packets according to the time range. For example, if staff members are prohibited from browsing entertainment websites during business hours but are allowed to visit them outside business hours, a time range must be defined for the ACL to enforce these conditions. To implement this function, configure one or more time ranges and reference them from ACL rules using commands.

If the time range referenced by a rule has not been configured, the rule does not take effect until that time range is defined and the system time falls within it.

IPv6 ACL

An IPv6 ACL classifies IPv6 packets based on configured rules. IPv6 ACLs are implemented in the same way as IPv4 ACLs.

IPv6 ACL can also be called ACL6.

ACL6 Classification

ACL6s can be classified into the following types:

| Category | Number Range | Usage Scenario |
| Basic ACL6 | The number ranges from 2000 to 2999. | A basic ACL6 filters packets based only on the source IPv6 address, Virtual Private Network (VPN) instance, fragment flag, and time range. |
| Advanced ACL6 | The number ranges from 3000 to 3999. | An advanced ACL6 filters packets based on the source IPv6 address and destination IPv6 address, the protocol type carried by IPv6, protocol features such as the source port number and destination port number, the ICMPv6 type, and the ICMPv6 code. |

NOTE:

An ACL6 and an ACL can use the same number because they are created with different commands.

Updated: 2019-08-09

Document ID: EDOC1000041694