Configuration Guide - Security

S1720, S2700, S5700, and S6720 V200R011C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, MPAC, separating the management plane from the service plane, security risks, PKI.
ACL Fundamentals

An ACL filters packets by matching them against the rules it contains. The device supports software-based and hardware-based ACLs. The two types differ in the types of packets they filter, in how they filter them, and in the action taken on packets that do not match any rule.

ACL Structure

Figure 2-2 shows the structure of an ACL.

Figure 2-2  ACL structure

  • ACL number: identifies a numbered ACL.

    ACLs are classified into basic ACL, advanced ACL, Layer 2 ACL, user ACL, and user-defined ACL. These ACLs have different number ranges. For details, see ACL Classification.

    You can also give an ACL a name to help you remember its purpose. An ACL name is like a domain name that stands for an IP address. Such an ACL is called a named ACL.

    An ACL number can be part of an ACL name. That is, you can also specify an ACL number when you define an ACL name. If you do not specify an ACL number, the system automatically allocates one to the ACL. The following example shows an ACL with the name deny-telnet-login and the number 3998.

    #
    acl name deny-telnet-login 3998
     rule 0 deny tcp source 10.152.0.0 0.0.63.255 destination 10.64.0.97 0 destination-port eq telnet
     rule 5 deny tcp source 10.242.128.0 0.0.127.255 destination 10.64.0.97 0 destination-port eq telnet
    #
  • Rule: describes packet matching conditions.

    • Rule ID: identifies an ACL rule. The rule IDs can be manually set or automatically allocated by the system.

      ACL rule IDs range from 0 to 4294967294. The rule IDs in an ACL are arranged in ascending order. Therefore, in Figure 2-2, rule 5 is in the first line and rule 4294967294 is in the bottom line of the ACL. The system matches packets against the rules from the first line to the bottom line and stops matching as soon as a packet matches a rule.

    • Action: includes permit and deny.

    • Matching option: ACLs support many matching conditions. In addition to the source IP address and time range, they support Layer 2 Ethernet frame header information (source MAC, destination MAC, and Ethernet protocol type), Layer 3 packet information (destination address and protocol type), and Layer 4 packet information (TCP/UDP port number). For details about ACL matching conditions, see Matching Conditions.

Matching Mechanism

The device stops matching a packet against ACL rules as soon as the packet matches one rule, as shown in Figure 2-3.

Figure 2-3  ACL matching mechanism

The device checks whether an ACL is configured.
  • If no ACL is configured, the device returns the result "negative match."

  • If an ACL is configured, the device checks whether the ACL contains rules.

    • If the ACL does not contain rules, the device returns the result "negative match."

    • If the ACL contains rules, the device matches the packets against the rules in ascending order of rule IDs.

      • When the packets match a permit rule, the device stops matching and returns the result "positive match (permit)."

      • When the packets match a deny rule, the device stops matching and returns the result "positive match (deny)."

      • If the packets do not match any rule in the ACL, the device returns the result "negative match."

The ACL matching results include "positive match" and "negative match."
  • Positive match: Packets match a rule in an ACL.

    The result is "positive match" regardless of whether packets match a permit or deny rule in an ACL.

  • Negative match: No ACL exists, the ACL does not contain rules, or packets do not match any rule in an ACL.

Different service modules process the packets that match and do not match ACL rules in different ways. For example, the Telnet module forwards the packets matching the permit rules. Conversely, the traffic policy module discards the packets matching the permit rule if the action configured in the traffic policy module is deny. For details about ACL processing in each service module, see Default ACL Actions and Mechanisms of Different Service Modules.

ACL Implementation Modes

The device supports two ACL implementation modes:

  • Software-based ACL: applied to the interactive protocol packets sent to the local device, for example, FTP, TFTP, Telnet, SNMP, HTTP, routing, and multicast protocol packets. These packets must be sent to the CPU.

  • Hardware-based ACL: applied to all packets (especially the forwarded data packets), for example, the ACLs referenced by traffic policy, ACL-based simplified traffic policy, user group ACL, and ACL for adding outer VLAN tags for the packets received by interfaces.

The differences between the two implementations are as follows:
  • They filter different types of packets. Software-based ACL filters the packets to be sent to the CPU, whereas hardware-based ACL filters all packets (it is generally applied to data packets).

  • They filter packets in different ways. Software-based ACL is referenced by upper-layer software and consumes CPU resources, whereas hardware-based ACL is delivered to hardware for packet filtering and consumes hardware resources. Hardware-based ACL provides faster packet filtering.

  • They take different actions on the packets that do not match any ACL rule. When packets do not match any ACL rule, software-based ACL rejects the packets, whereas hardware-based ACL permits the packets.
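The following Python model is an added example, not Huawei code and not part of this document. It ties together the matching mechanism described under Figure 2-3 (first match in ascending rule-ID order; "negative match" when there is no ACL, the ACL is empty, or no rule matches) and the default-action difference between software-based and hardware-based ACLs. It parses the deny-telnet-login rules shown earlier in this section; the wildcard-mask semantics (1 bits are "don't care", a bare 0 means an exact host), the keyword-to-port table, and the handling of a deny-rule hit inside a traffic policy are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# Constructed input: the ACL text from this section, used as sample configuration.
ACL_TEXT = """\
acl name deny-telnet-login 3998
 rule 0 deny tcp source 10.152.0.0 0.0.63.255 destination 10.64.0.97 0 destination-port eq telnet
 rule 5 deny tcp source 10.242.128.0 0.0.127.255 destination 10.64.0.97 0 destination-port eq telnet
"""

# Assumed keyword-to-port mapping for the 'destination-port eq <name>' form.
PORT_NAMES = {"telnet": 23, "ssh": 22, "ftp": 21, "www": 80}


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                                   # "permit" or "deny"
    protocol: Optional[str] = None                # None matches any protocol
    source: Optional[tuple[str, str]] = None      # (address, wildcard)
    destination: Optional[tuple[str, str]] = None # (address, wildcard)
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def parse_rules(text: str) -> list[Rule]:
    """Parse the 'rule ...' lines of an ACL (a subset of the syntax shown on this page)."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "rule":
            continue
        rule_id, action = int(tok[1]), tok[2]
        proto = src = dst = port = None
        i = 3
        if i < len(tok) and tok[i] not in ("source", "destination", "destination-port"):
            proto, i = tok[i], i + 1
        while i < len(tok):
            if tok[i] == "source":
                src, i = (tok[i + 1], tok[i + 2]), i + 3
            elif tok[i] == "destination":
                dst, i = (tok[i + 1], tok[i + 2]), i + 3
            elif tok[i] == "destination-port" and tok[i + 1] == "eq":
                name = tok[i + 2]
                port, i = (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 3
            else:
                raise ValueError(f"unsupported keyword: {tok[i]}")
        rules.append(Rule(rule_id, action, proto, src, dst, port))
    return rules


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Assumed wildcard semantics: 1 bits are 'don't care'; a bare '0' means an exact host."""
    w = int(wildcard) if wildcard.isdigit() else int(IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every condition present in the rule must hold for the packet."""
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.source is not None and not wildcard_match(pkt.src, *rule.source):
        return False
    if rule.destination is not None and not wildcard_match(pkt.dst, *rule.destination):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def match_acl(rules: Optional[list[Rule]], pkt: Packet) -> str:
    """Figure 2-3: 'permit'/'deny' on the first matching rule, else 'negative'."""
    if not rules:                      # no ACL configured, or ACL without rules
        return "negative"
    for rule in sorted(rules, key=lambda r: r.rule_id):   # ascending rule-ID order
        if rule_matches(rule, pkt):
            return rule.action         # matching stops at the first hit
    return "negative"


def software_acl_forwards(rules: Optional[list[Rule]], pkt: Packet) -> bool:
    """Software-based ACL (e.g. Telnet login control): negative match => packet rejected."""
    return match_acl(rules, pkt) == "permit"


def hardware_acl_forwards(rules: Optional[list[Rule]], pkt: Packet, behavior: str = "permit") -> bool:
    """Hardware-based ACL (e.g. traffic policy): negative match => packet permitted;
    a permit-rule hit hands the packet to the referencing module's configured action."""
    result = match_acl(rules, pkt)
    if result == "negative":
        return True
    if result == "permit":
        return behavior == "permit"
    return False   # assumption for the example: a deny-rule hit drops the packet


if __name__ == "__main__":
    rules = parse_rules(ACL_TEXT)
    for pkt in (Packet("tcp", "10.152.10.5", "10.64.0.97", 23),
                Packet("tcp", "10.152.64.1", "10.64.0.97", 23)):
        print(pkt.src, match_acl(rules, pkt),
              "software:", software_acl_forwards(rules, pkt),
              "hardware:", hardware_acl_forwards(rules, pkt))
```

Running the script shows the practical consequence of the last bullet: a Telnet packet from 10.152.64.1 produces a negative match (it falls outside the 0.0.63.255 wildcard of rule 0), so a software-based ACL rejects it while a hardware-based ACL with the same rules lets it through. When you convert an ACL between the two uses, check what your rule set does for the non-matching case.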

Updated: 2019-03-28

Document ID: EDOC1000178177

Views: 222377

Downloads: 720

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next