Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide
Principles

This section describes how ACLs are implemented.

Principles of ACLs

An ACL manages all configured rules and provides the matching algorithm for packets.

ACL Rule Management

An ACL can contain multiple rules. A rule is identified by a rule ID, which can be set by a user or automatically generated based on the ACL step. All rules in an ACL are arranged in ascending order of rule IDs.

There is an ACL step between rule IDs. For example, if an ACL step is set to 5, rules are numbered 5, 10, 15, and so on. If an ACL step is set to 2 and rule IDs are configured to be automatically generated, the system automatically generates rule IDs starting from 2. The step makes it possible to add a new rule between existing rules.

ACL Rule Matching

When a packet reaches the device, the search engine extracts fields from the packet to build a key and compares that key against the ACL rules in order. As soon as a rule matches, matching stops and later rules are not consulted. If no rule matches, the ACL itself neither permits nor denies the packet; what happens to it is decided by the feature that references the ACL.

ACL rules can be classified into permit rules and deny rules.

In summary, the ACL classifies packets into the following types:
  • Packets matching permit rules.
  • Packets matching deny rules.
  • Packets that do not match rules.

Different features handle these three types of packets differently (for example, a packet filter and a traffic classifier need not treat "no match" the same way). For details, see the feature manuals.

ACL Classification

ACLs can be classified into different types according to different rules.

  • ACLs can be classified into numbered ACLs and named ACLs according to the ACL naming mode.
    • A numbered ACL is identified by a number.
      NOTE:
      The number is the identifier of the ACL. For example, the ACL with the number ranging from 2000 to 2999 is a basic ACL, and the ACL with the number ranging from 3000 to 3999 is an advanced ACL.
    • A named ACL is identified by a name.
  • Table 26-1 lists the ACL classification.
    Table 26-1  ACL classification

    Basic ACL (IP version: IPv4)
      Function: A basic ACL matches packets only on the source IP address, the fragment flag, and a time range.
      Note: A basic IPv4 ACL is also simply called a basic ACL. Basic ACLs are numbered from 2000 to 2999.

    Advanced ACL (IP version: IPv4)
      Function: An advanced ACL matches packets on the source IPv4 address, destination IPv4 address, IP precedence, Type of Service (ToS), DiffServ Code Point (DSCP) priority, IP protocol type, Internet Control Message Protocol (ICMP) type, TCP source/destination port, and User Datagram Protocol (UDP) source/destination port.
      Note: An advanced IPv4 ACL is also simply called an advanced ACL. Advanced ACLs are numbered from 3000 to 3999.

    Layer 2 ACL (IP version: IPv4)
      Function: A Layer 2 ACL matches packets on Layer 2 information, such as the source and destination Media Access Control (MAC) addresses and the Layer 2 protocol type.
      Note: Layer 2 ACLs are numbered from 4000 to 4999.

    User ACL (IP version: IPv4)
      Function: A user ACL matches packets on the source IPv4 address or user group, destination IPv4 address or user group, IP precedence, Type of Service (ToS), DiffServ Code Point (DSCP) priority, IP protocol type, Internet Control Message Protocol (ICMP) type, TCP source/destination port, and User Datagram Protocol (UDP) source/destination port.
      Note: User ACLs are numbered from 6000 to 6999.

ACL Naming

You can assign a unique name to an ACL. Each ACL has at most one name. A named ACL is identified by that name, which can be used to reference the ACL wherever an ACL is applied.

You choose whether to specify a name when the ACL is created. After the ACL has been created, you cannot modify or delete its name, and you cannot assign a name to an ACL that was created without one.

You can also specify a number for a named ACL. If no number is specified, the system allocates one to the named ACL.

Setting the Step Value for an ACL

Definition

The step is the difference between rule IDs when the system automatically assigns rule IDs. For example, if the step is set to 5, the rule IDs are multiples of 5 (beginning with 5), such as 5, 10, and 15.

  • If the step value is changed, all rule IDs in the ACL are renumbered automatically using the new step, preserving their relative order. For example, rules 5, 10, 15, and 20 become 2, 4, 6, and 8 if you change the step to 2.

  • When the step is restored to the default value, the device renumbers the rule IDs using the default step. For example, ACL 3001 contains four rules with IDs 2, 4, 6, and 8 and a step of 2. After the step is restored to the default, the rule IDs become 5, 10, 15, and 20 and the step is 5.
Function

The step leaves gaps between rule IDs so that a new rule can be inserted between existing rules, which lets you control where the rule sits in the matching order. For example, if an ACL contains rules 5, 10, 15, and 20 and a new rule must be evaluated right after rule 5 (the first rule), create it as rule 7 so that it falls between rule 5 and rule 10.

You may also omit the rule ID when creating a rule. The system then allocates the ID as the current largest rule ID plus the step. For example, if the largest existing rule ID is 25 and the step is 5, the new rule is allocated ID 30.
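The rule-ID behaviour described above (automatic allocation from the step, insertion between existing IDs, and renumbering when the step changes) can be modelled in a few lines. The following Python class is an added illustration written for this page; it is not Huawei code, and the class name, method names, and the in-memory rule table are assumptions made for the example.

```python
"""Model of ACL rule-ID management: IDs are allocated from a step value,
a rule can be inserted between two existing IDs, and changing the step
renumbers every rule while keeping their relative order.
Added illustration for this page, not device code; names are assumptions."""


class AclRuleTable:
    """Keeps rules keyed by rule ID; ascending ID order is the matching order."""

    DEFAULT_STEP = 5  # the page's default: IDs 5, 10, 15, ...

    def __init__(self, step=DEFAULT_STEP):
        if step < 1:
            raise ValueError("step must be >= 1")
        self.step = step
        self.rules = {}  # rule_id -> rule text

    def add(self, text, rule_id=None):
        """Add a rule. Without an explicit ID the system allocates
        (current maximum ID + step), or just step for an empty ACL."""
        if rule_id is None:
            rule_id = (max(self.rules) + self.step) if self.rules else self.step
        if rule_id in self.rules:
            raise ValueError(f"rule {rule_id} already exists")
        self.rules[rule_id] = text
        return rule_id

    def ordered(self):
        """Rules as (id, text) pairs in ascending ID order."""
        return [(rid, self.rules[rid]) for rid in sorted(self.rules)]

    def ids(self):
        return [rid for rid, _ in self.ordered()]

    def set_step(self, step):
        """Change the step and renumber all rules as step, 2*step, 3*step, ...
        The relative order (and therefore the matching order) is preserved,
        but any explicitly chosen IDs such as an inserted rule 7 are lost."""
        if step < 1:
            raise ValueError("step must be >= 1")
        self.step = step
        self.rules = {step * (i + 1): text
                      for i, (_, text) in enumerate(self.ordered())}

    def reset_step(self):
        """Restore the default step; the device renumbers in the same way."""
        self.set_step(self.DEFAULT_STEP)


if __name__ == "__main__":
    acl = AclRuleTable()
    for text in ("permit 10.1.1.0/24", "deny 10.1.2.0/24",
                 "permit 10.1.3.0/24", "deny any"):
        acl.add(text)                     # 5, 10, 15, 20
    acl.add("deny 10.1.1.99", rule_id=7)  # inserted after the first rule
    print(acl.ordered())
    acl.set_step(2)                       # renumbered to 2, 4, 6, 8, 10
    print(acl.ordered())
```

Operationally, the renumbering is the detail to remember: a `display` of the ACL taken before a step change no longer maps onto rule IDs afterwards, so scripts or tickets that reference rules by ID must be refreshed.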

Matching Order of ACL Rules

An ACL is composed of a list of rules, each with a permit or deny action. Rules may overlap or conflict: one rule may cover a superset of the packets covered by another, but two rules in the same ACL cannot be identical.

The device supports two types of matching order: configuration order and automatic order. The matching order determines the priorities of the rules in an ACL. Rule priorities resolve the conflict between overlapping rules.

Configuration Order

The configuration order indicates that ACL rules are matched in ascending order of rule IDs. The rule with the smallest rule ID is matched first. The configuration order is used by default.

Automatic Order

The automatic order follows the depth first principle.

ACL rules are ordered by precision. The more conditions a rule specifies (protocol type, source address range, destination address range) and the narrower each condition is, the more precise the rule, and the earlier it is matched. For example, when a rule specifies an address with a wildcard mask, a wildcard with fewer "don't care" bits identifies a narrower network segment and therefore a more precise rule.

If two rules have the same precision under the depth-first principle, they are matched in ascending order of rule ID.

NOTE:

Like an inverse mask, a wildcard mask is written in dotted decimal notation. In binary, a 0 bit in the wildcard mask means the corresponding bit of the IP address must match, and a 1 bit means that bit is ignored. The 0 and 1 bits in a wildcard mask need not be contiguous. For example, with the IP address 192.168.1.169 and the wildcard mask 0.0.0.172, the rule matches 192.168.1.x0x0xx01 (last octet shown in binary), where each x can be 0 or 1.

Table 26-2 lists the matching rules under the depth-first principle. Throughout the table, "smallest address range" means the most exact address match: for IP addresses, the wildcard mask with the fewest 1 (don't care) bits, which corresponds to the subnet mask with the most 1 bits; for MAC addresses, the MAC mask with the most 1 bits.
Table 26-2  Depth first principle

ACL Type: Basic ACL
  1. The rule that defines the smallest source IP address range is matched first.
  2. If the source IP address ranges are the same, the rule with the smallest ID is matched first.

ACL Type: Advanced ACL
  1. A rule that specifies a protocol type is matched before a rule that does not.
  2. If the protocol types are the same, the rule that defines the smallest source IP address range is matched first.
  3. If the protocol types and source IP address ranges are the same, the rule that defines the smallest destination IP address range is matched first.
  4. If the protocol types, source IP address ranges, and destination IP address ranges are the same, the rule that defines the smallest Layer 4 (TCP/UDP) port number range is matched first.
  5. If all of the preceding are the same, the rule with the smallest ID is matched first.

ACL Type: Layer 2 ACL
  1. The rule whose Layer 2 protocol type mask has the most 1 bits (the most exact protocol type match) is matched first.
  2. If the protocol type matches are equally exact, the rule that defines the smallest source MAC address range is matched first.
  3. If the source MAC address ranges are the same, the rule that defines the smallest destination MAC address range is matched first.
  4. If the source and destination MAC address ranges are the same, the rule with the smallest ID is matched first.

ACL Type: User ACL
  1. A rule that specifies a protocol type is matched before a rule that does not.
  2. If the protocol types are the same, the rule that defines the smallest source IP address range is matched first.
  3. If the protocol types and source IP address ranges are the same, the rule that defines the smallest destination IP address range is matched first.
  4. If the protocol types, source IP address ranges, and destination IP address ranges are the same, the rule that defines the smallest Layer 4 (TCP/UDP) port number range is matched first.
  5. If all of the preceding are the same, the rule with the smallest ID is matched first.
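The following Python model covers both the wildcard-mask note above and the advanced-ACL rows of Table 26-2: it implements wildcard matching with non-contiguous bits, builds the depth-first sort key, and then matches one packet under configuration order and under automatic order to show that the same rule set can give opposite results. It is an added example written for this page, not Huawei code; the rule representation, function names, the sample rules and the sample packet are all constructed for the illustration.

```python
"""Wildcard matching and depth-first ("auto") rule ordering for an advanced ACL.
Added illustration for this page, not device code; names and samples are assumptions."""

import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # wildcard of all 1s: every bit ignored


def wildcard_match(packet_ip: str, rule_ip: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match, a 1 bit is ignored; bits may be non-contiguous."""
    p = int(ipaddress.IPv4Address(packet_ip))
    r = int(ipaddress.IPv4Address(rule_ip))
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return (p & care) == (r & care)


def fixed_bits(wildcard: str) -> int:
    """Number of 0 bits in the wildcard (= 1 bits in the equivalent subnet mask).
    More fixed bits means a smaller address range and a more precise rule."""
    return 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")


@dataclass(frozen=True)
class AdvRule:
    rule_id: int
    action: str                                  # "permit" or "deny"
    protocol: Optional[str] = None               # None = any IP protocol
    src: Tuple[str, str] = ANY                   # (address, wildcard)
    dst: Tuple[str, str] = ANY
    dport: Optional[Tuple[int, int]] = None      # inclusive destination port range

    def matches(self, pkt: dict) -> bool:
        if self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        if not wildcard_match(pkt["src"], *self.src):
            return False
        if not wildcard_match(pkt["dst"], *self.dst):
            return False
        if self.dport is not None:
            lo, hi = self.dport
            if not lo <= pkt.get("dport", -1) <= hi:
                return False
        return True


def depth_first_key(r: AdvRule):
    """Sort key for the advanced-ACL rows of Table 26-2. Python sorts ascending,
    so the 'more precise' value is made numerically smaller at each step."""
    port_span = (r.dport[1] - r.dport[0] + 1) if r.dport else 65536
    return (0 if r.protocol is not None else 1,   # 1. protocol specified first
            -fixed_bits(r.src[1]),                # 2. narrowest source range
            -fixed_bits(r.dst[1]),                # 3. narrowest destination range
            port_span,                            # 4. narrowest port range
            r.rule_id)                            # 5. smallest rule ID


def first_match(rules, pkt: dict, match_order: str = "config") -> Optional[AdvRule]:
    """Return the first matching rule; matching stops at the first hit, as on the device.
    None means no rule matched and the referencing feature decides the outcome."""
    key = (lambda r: r.rule_id) if match_order == "config" else depth_first_key
    for rule in sorted(rules, key=key):
        if rule.matches(pkt):
            return rule
    return None


# Constructed sample: a broad permit with a lower ID than a narrow deny.
SAMPLE_RULES = [
    AdvRule(5, "permit", src=("10.1.0.0", "0.0.255.255")),
    AdvRule(10, "deny", protocol="tcp", src=("10.1.1.0", "0.0.0.255"), dport=(23, 23)),
]
SAMPLE_PKT = {"src": "10.1.1.20", "dst": "192.0.2.10", "proto": "tcp", "dport": 23}

if __name__ == "__main__":
    for order in ("config", "auto"):
        hit = first_match(SAMPLE_RULES, SAMPLE_PKT, order)
        print(order, "->", hit.rule_id, hit.action)
```

Under configuration order the telnet packet is permitted by rule 5 and the deny in rule 10 is never reached (a shadowed rule); under automatic order rule 10 wins because it specifies a protocol and a narrower source. When auditing an ACL, check which order it was created with before reasoning about what a low-numbered broad rule lets through.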

Packet Fragmentation Supported by ACLs

The AP can filter fragmented packets: Layer 3 filtering rules are applied to all Layer 3 IP packets, whether fragmented or not.

  • If fragment is not specified in an ACL rule, the rule matches both non-fragmented packets and fragmented packets.

  • If fragment is specified in an ACL rule, the rule matches only non-initial fragments.

When attackers craft fragmented packets to attack the network, specify fragment in the ACL rule so that the device filters only the non-initial fragments. Non-fragmented packets are then not affected by that rule, so normal service traffic is protected. Note that a non-initial fragment carries no TCP/UDP header, so a rule written only in terms of Layer 4 ports cannot be evaluated against it; a dedicated fragment rule is the way to police such fragments.
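To make the fragment behaviour concrete, the Python model below runs a small rule set over a constructed packet stream: a whole telnet segment, the initial fragment of a telnet segment (offset 0, still carrying the ports), and a later fragment (offset greater than 0, no Layer 4 header). It is an added example written for this page, not Huawei code; the packet fields, the exact-match source comparison, the rule dictionaries and the assumed "permit" default when nothing matches are all simplifications made for the illustration.

```python
"""Effect of the fragment keyword on a Layer 3/4 rule, modelled in Python.
Added illustration for this page, not device code; packet layout, rule
dictionaries and the no-match default are assumptions of the example."""


def rule_matches(rule: dict, pkt: dict) -> bool:
    """Layer 3 fields (protocol, source) are checked on every packet.
    A port condition can only be evaluated when the packet carries a transport
    header, which a non-initial fragment (frag_offset > 0) does not.
    With fragment=True the rule considers only non-initial fragments."""
    non_initial = pkt["frag_offset"] > 0
    if rule.get("fragment") and not non_initial:
        return False
    if rule.get("proto") and rule["proto"] != pkt["proto"]:
        return False
    if rule.get("src") and rule["src"] != pkt["src"]:
        return False
    if rule.get("dport") is not None:
        if non_initial:              # no L4 header present: port rule cannot match
            return False
        if rule["dport"] != pkt["dport"]:
            return False
    return True


def filter_packet(rules, pkt: dict, default: str = "permit") -> str:
    """First matching rule decides; 'default' stands in for whatever the
    referencing feature does with a packet that matches no rule (assumed)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return default


# Constructed rule sets: the first blocks telnet by port only, the second adds
# a rule that catches the non-initial fragments the port rule cannot see.
PORT_RULE_ONLY = [
    {"action": "deny", "proto": "tcp", "src": "10.1.1.5", "dport": 23},
]
WITH_FRAGMENT_RULE = PORT_RULE_ONLY + [
    {"action": "deny", "proto": "tcp", "src": "10.1.1.5", "fragment": True},
]

# Constructed packets from the same host.
TELNET_SYN  = {"src": "10.1.1.5", "proto": "tcp", "frag_offset": 0,   "dport": 23}
FIRST_FRAG  = {"src": "10.1.1.5", "proto": "tcp", "frag_offset": 0,   "dport": 23}
LATER_FRAG  = {"src": "10.1.1.5", "proto": "tcp", "frag_offset": 185, "dport": None}
HTTPS       = {"src": "10.1.1.5", "proto": "tcp", "frag_offset": 0,   "dport": 443}


def verdicts(rules) -> dict:
    """Map each sample packet name to the filter verdict under the given rules."""
    samples = {"telnet": TELNET_SYN, "first_frag": FIRST_FRAG,
               "later_frag": LATER_FRAG, "https": HTTPS}
    return {name: filter_packet(rules, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    print("port rule only    :", verdicts(PORT_RULE_ONLY))
    print("with fragment rule:", verdicts(WITH_FRAGMENT_RULE))
```

With the port-only rule set, the later fragment is permitted even though it belongs to a blocked telnet session, because the rule has no ports to compare against; adding the fragment rule closes that gap while leaving the unfragmented HTTPS packet alone, which is the behaviour the text above describes.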

Time Range of an ACL

A time range specifies a period of time. In practice, some ACL rules need to be valid only during a certain period and invalid outside it, so that packets are filtered according to the time of day. For example, if staff are prohibited from browsing entertainment websites during business hours but allowed to visit them after hours from a specified device, a time range must be attached to the ACL rule to enforce this. To implement this, configure one or more time ranges and reference them from ACL rules using the corresponding commands.

If no time range referenced by the rule is configured, the rule does not take effect until the referenced time range is specified and the system time is within the specified time range.

Updated: 2019-01-11

Document ID: EDOC1000176006