CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA, NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense, Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, and security risks.
ACL Principle

An ACL filters packets by matching them against the rules it contains.

ACL Structure

Figure 4-2 shows the structure of an ACL.

Figure 4-2  ACL structure

  • ACL number: identifies a numbered ACL.

    ACLs are classified into basic ACLs, advanced ACLs, Layer 2 ACLs, and user ACLs. These ACL types have different number ranges. For details, see ACL Classification.

    You can also define a name for an ACL to help you remember the ACL's purpose. In this case, the ACL name is like a domain name that represents an IP address. Such an ACL is called a named ACL.

    An ACL number can be part of an ACL name. That is, you can also specify an ACL number when you define an ACL name. If you do not specify an ACL number, the system automatically allocates a number to the ACL. The following example shows a named ACL with the name deny-telnet-login and the number 3998.

    #
    acl name deny-telnet-login 3998
     rule 0 deny tcp source 10.152.0.0 0.0.63.255 destination 10.64.0.97 0 destination-port eq telnet
     rule 5 deny tcp source 10.242.128.0 0.0.127.255 destination 10.64.0.97 0 destination-port eq telnet
    #
  • Rule: describes packet matching conditions.

    • Rule ID: identifies an ACL rule. The rule IDs can be manually set or automatically allocated by the system.

      ACL rule IDs range from 0 to 4294967294. The rule IDs in an ACL are allocated in ascending order. Therefore, in Figure 4-2, rule 5 is in the first line and rule 4294967294 is in the bottom line of the ACL. The system matches packets against the rules from the first line to the bottom line and stops matching as soon as a packet matches a rule.

    • Action: includes permit and deny.

    • Matching option: ACLs support many matching conditions, including Layer 2 Ethernet frame header information (source MAC, destination MAC, and Ethernet protocol type), Layer 3 packet information (destination address and protocol type), and Layer 4 packet information (TCP/UDP port number). For details about ACL matching conditions, see Matching Conditions.

Matching Mechanism

The device stops matching a packet against ACL rules as soon as the packet matches one rule, as shown in Figure 4-3.

Figure 4-3  ACL matching mechanism

The device checks whether an ACL is configured.
  • If no ACL is configured, the device returns the result "negative match."

  • If an ACL is configured, the device checks whether the ACL contains rules.

    • If the ACL does not contain rules, the device returns the result "negative match."

    • If the ACL contains rules, the device matches the packets against the rules in ascending order of rule IDs.

      • When the packets match a permit rule, the device stops matching and returns the result "positive match (permit)."

      • When the packets match a deny rule, the device stops matching and returns the result "positive match (deny)."

      • If the packets do not match any rule in the ACL, the device returns the result "negative match."

The ACL matching results include "positive match" and "negative match."
  • Positive match: Packets match a rule in an ACL.

    The result is "positive match" regardless of whether packets match a permit or deny rule in an ACL.

  • Negative match: No ACL exists, the ACL does not contain rules, or packets do not match any rule in an ACL.
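The following Python script is an added illustration, not part of the original document or the device software: it parses the deny-telnet-login ACL shown above (rule ID, action, protocol, source and destination with wildcard masks, optional destination port), evaluates rules in ascending rule-ID order, stops at the first hit, and returns the three result strings from the matching flow ("positive match (permit)", "positive match (deny)", "negative match"). The packet dictionary format and the PORT_NAMES table are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample: the named ACL from this page's configuration excerpt.
SAMPLE_ACL = """
acl name deny-telnet-login 3998
 rule 0 deny tcp source 10.152.0.0 0.0.63.255 destination 10.64.0.97 0 destination-port eq telnet
 rule 5 deny tcp source 10.242.128.0 0.0.127.255 destination 10.64.0.97 0 destination-port eq telnet
"""
PORT_NAMES = {"telnet": 23}  # assumed table; only the keyword the excerpt uses

RULE_RE = re.compile(r"rule (\d+) (permit|deny) (\w+) source (\S+) (\S+)"
                     r" destination (\S+) (\S+)(?: destination-port eq (\S+))?")

def _ip(s):
    # On the CLI, a wildcard of "0" is shorthand for the host wildcard 0.0.0.0
    return int(ipaddress.IPv4Address("0.0.0.0" if s == "0" else s))

def wildcard_match(addr, base, wildcard):
    """A 0 bit in the wildcard mask must match exactly; a 1 bit is don't-care."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def parse_acl(text):
    """Return rules as tuples sorted by rule ID, the order the device evaluates them."""
    rules = []
    for m in RULE_RE.finditer(text):
        rid, action, proto, src, swc, dst, dwc, port = m.groups()
        dport = None if port is None else int(PORT_NAMES.get(port, port))
        rules.append((int(rid), action, proto, src, swc, dst, dwc, dport))
    return sorted(rules, key=lambda r: r[0])

def match_acl(rules, pkt):
    """First-match lookup returning the result string from the matching flow."""
    if not rules:                       # no ACL, or an ACL without rules
        return "negative match"
    for rid, action, proto, src, swc, dst, dwc, dport in rules:
        if (pkt["proto"] == proto
                and wildcard_match(pkt["src"], src, swc)
                and wildcard_match(pkt["dst"], dst, dwc)
                and (dport is None or pkt["dport"] == dport)):
            return "positive match (%s)" % action   # stop at the first hit
    return "negative match"              # fell through every rule

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    pkt = {"proto": "tcp", "src": "10.152.10.5", "dst": "10.64.0.97", "dport": 23}
    print(match_acl(acl, pkt))
```

Note that the result only says which rule matched; whether a matched packet is forwarded or dropped is decided by the service module that references the ACL, as the NOTE below explains.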

NOTE:

Different service modules process the packets that match and do not match ACL rules in different ways. For example, the Telnet module forwards the packets matching the permit rules, whereas the traffic policy module discards the packets matching the permit rule if the action configured in the traffic policy module is deny. For details about ACL processing in each service module, see Default ACL Actions and Mechanisms of Different Service Modules.

Updated: 2019-05-25

Document ID: EDOC1000097287
