Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Default ACL Actions and Mechanisms of Different Service Modules

Applying ACL to Service Modules

After an ACL is configured, it must be applied to a service module so that the ACL rules can be delivered and take effect.

Usually, an ACL is applied to a traffic policy or a simplified traffic policy, which lets the device deliver the ACL rules globally, in a VLAN, or on an interface to filter the packets it forwards. An ACL can also be applied directly to service modules such as Telnet, FTP, and routing.

Table 1-10 describes how the service modules process ACLs.

Table 1-10  Applying ACLs to service modules

Service category: Filtering packets to be forwarded
Usage scenario: The device filters the packets it receives globally, on an interface, or in a VLAN, and then discards the filtered packets, modifies their priorities, or redirects them. For example, you can use an ACL to lower the service level of bandwidth-consuming services such as P2P downloading and online video, so that these packets are discarded first when the network is congested.
Service modules: Traffic policy, simplified traffic policy

Service category: Filtering packets to be sent to the CPU
Usage scenario: If too many protocol packets are sent to the CPU, CPU usage rises and the CPU processes legitimate protocol packets more slowly, so the device limits the packets sent to the CPU. For example, when a user floods the device with ARP attack packets, the CPU becomes busy and services are interrupted. You can apply an ACL to the local attack defense service and add the user to the blacklist, so that packets from this user that are destined for the CPU are discarded.
Service modules: Blacklist

Service category: Login control
Usage scenario: The device controls which users may access it: only authorized users can log in, and all other users are refused. For example, if only the administrator is allowed to log in, you can apply an ACL to the Telnet service that specifies the hosts that may log in, or the hosts that may not.
Service modules: Telnet, STelnet, FTP, SFTP, HTTP, SNMP

Service category: Route filtering
Usage scenario: ACLs can be applied to dynamic routing protocols to filter advertised and received routes, and to multicast protocols to filter multicast groups. For example, you can apply an ACL to a routing policy to prevent the device from advertising the routes of a network segment to a neighboring router.
Service modules: BGP, IS-IS, OSPF, OSPFv3, RIP, RIPng, multicast protocols

Default ACL Actions and Mechanisms

When an ACL is applied to service modules, the modules take different actions on the packets matching or not matching ACL rules.

For example, the default action of a traffic policy is permit: if an ACL containing rules is applied to a traffic policy and a packet matches none of the rules, the packet is forwarded. The default action of the Telnet module is deny: if a packet matches none of the rules in the ACL applied to Telnet, the login is rejected.

The blacklist module processes ACLs differently. After an ACL is applied to a blacklist, packets matching any rule of the ACL are discarded, whether the rule is a permit rule or a deny rule.

The default action applies only when the ACL exists and contains at least one rule. For the login modules, an ACL that is referenced but not yet created, or that contains no rules, blocks nothing: hosts at any address are allowed to log in, as Table 1-11 and Table 1-12 show. Create the ACL and its rules before referencing it from a service module, and check that the rules include a permit rule, because an ACL containing only deny rules denies every login (unmatched packets are denied as well).

Table 1-11, Table 1-12, and Table 1-13 provide the default ACL actions and mechanisms taken by each service module.

Table 1-11  Default ACL actions and mechanisms of different service modules

Telnet, STelnet, HTTP, FTP, TFTP (all five modules behave identically):
  Default ACL action: deny
  Packets match a permit rule: permit (allowed to log in)
  Packets match a deny rule: deny (not allowed to log in)
  Packets do not match any rule in the ACL: deny (not allowed to log in)
  The ACL contains no rules: permit (allowed to log in)
  The ACL is not created: permit (allowed to log in)

Table 1-12  Default ACL actions and mechanisms of different service modules

SFTP, SNMP (both modules behave identically):
  Default ACL action: deny
  Packets match a permit rule: permit (allowed to log in)
  Packets match a deny rule: deny (not allowed to log in)
  Packets do not match any rule in the ACL: deny (not allowed to log in)
  The ACL contains no rules: permit (allowed to log in)
  The ACL is not created: permit (allowed to log in)

Traffic policy:
  Default ACL action: permit
  Packets match a permit rule:
    • When the traffic behavior is permit, the packets are forwarded.
    • When the traffic behavior is deny, the packets are discarded.
    • When the traffic behavior is neither permit nor deny, the packets are forwarded and the action defined in the traffic behavior is applied to them.
  Packets match a deny rule: deny (discarded)
    NOTE: The switch applies the action defined in the traffic behavior to these packets only when that behavior is traffic statistics collection, MAC address learning disabled, or traffic mirroring.
  Packets do not match any rule in the ACL: permit (the traffic policy does not take effect, and the packets are forwarded without its restrictions)
  The ACL contains no rules: permit (the traffic policy does not take effect, and the packets are forwarded without its restrictions)
  The ACL is not created: permit (the traffic policy does not take effect, and the packets are forwarded without its restrictions)

Simplified traffic policy:
  Default ACL action: permit
  Packets match a permit rule: permit (the device takes the action defined in the simplified traffic policy)
  Packets match a deny rule:
    • When the action in the simplified traffic policy is traffic-filter or traffic-secure: deny (discarded)
    • When the action in the simplified traffic policy is neither traffic-filter nor traffic-secure: permit (forwarded)
  Packets do not match any rule in the ACL: permit (the simplified traffic policy does not take effect, and the packets are forwarded without its restrictions)
  The ACL contains no rules: permit (the simplified traffic policy does not take effect, and the packets are forwarded without its restrictions)
  The ACL is not created: permit (the simplified traffic policy does not take effect, and the packets are forwarded without its restrictions)

Local attack defense policy (blacklist):
  Default ACL action: permit
  Packets match a permit rule: deny (discarded)
  Packets match a deny rule: deny (discarded)
  Packets do not match any rule in the ACL: permit (the blacklist does not take effect, and the packets are forwarded)
  The ACL contains no rules: permit (the blacklist does not take effect, and the packets are forwarded)
  The ACL is not created: permit (the blacklist does not take effect, and the packets are forwarded)
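The tables above describe behaviour that is easy to get wrong in a real configuration: a login-module ACL that is referenced before it is created, or that has no rules, lets every host in; an ACL with only deny rules locks everyone out; a blacklist ACL with permit rules drops the permitted hosts as well; and a traffic-filter ACL with no final deny rule forwards everything it does not match. The following Python script is an added example, not code from the Huawei guide. It parses a constructed VRP-style configuration and reports every ACL application whose outcome under the defaults in Table 1-11 and Table 1-12 is one of those surprises. The command syntax in the sample (acl number, rule, acl ... inbound under user-interface vty, snmp-agent acl, ftp acl, blacklist ... acl under cpu-defend policy, and traffic-filter inbound acl under an interface) is assumed to follow the display format of those commands; the addresses and policy names are constructed.

```python
"""Audit a Huawei VRP-style configuration against the default ACL actions in
Tables 1-11 and 1-12. Added example, not from the Huawei guide; the command
syntax in the sample is assumed to follow the display format of those commands."""
import re

# Constructed sample configuration (not captured from any real device).
SAMPLE_CONFIG = """\
acl number 2000
 rule 5 permit source 10.1.1.10 0
 rule 10 deny
acl number 2001
acl number 2002
 rule 5 deny source 10.9.0.0 0.0.255.255
acl number 3000
 rule 5 permit ip source 10.1.0.0 0.0.255.255
acl number 4000
 rule 5 permit source 10.1.1.99 0
#
snmp-agent acl 2001
ftp acl 2002
#
user-interface vty 0 4
 acl 2003 inbound
#
cpu-defend policy mgmt
 blacklist 1 acl 4000
#
interface GigabitEthernet1/0/1
 traffic-filter inbound acl 3000
#
interface GigabitEthernet1/0/2
 traffic-filter inbound acl 2000
"""
LOGIN_MODULES = {"vty", "snmp-agent", "ftp"}  # default action deny (Tables 1-11/1-12)


def parse_config(text):
    """Return ({acl number: [(action, condition), ...]}, [(module, acl number, context)])."""
    acls, apps, acl, ctx = {}, [], None, ""
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s == "#":                      # "#" closes a view in VRP output
            acl, ctx = None, ""
        elif not raw.startswith(" "):              # a system-view line opens a new context
            acl, ctx = None, s
            if m := re.match(r"acl(?: number)? (\d+)$", s):
                acl = acls.setdefault(int(m.group(1)), [])   # created, possibly rule-less
            elif m := re.match(r"(snmp-agent|ftp) acl (\d+)", s):
                apps.append((m.group(1), int(m.group(2)), s))
        elif acl is not None:                      # rule inside an ACL view
            if m := re.match(r"rule \d+ (permit|deny)\s*(.*)", s):
                acl.append((m.group(1), m.group(2)))
        elif ctx.startswith("user-interface vty") and (m := re.match(r"acl (\d+) inbound", s)):
            apps.append(("vty", int(m.group(1)), ctx))
        elif ctx.startswith("cpu-defend policy") and (m := re.match(r"blacklist \d+ acl (\d+)", s)):
            apps.append(("blacklist", int(m.group(1)), ctx))
        elif ctx.startswith("interface") and (m := re.match(r"traffic-filter \w+ acl (\d+)", s)):
            apps.append(("traffic-filter", int(m.group(1)), ctx))
    return acls, apps


def audit(acls, apps):
    """Flag ACL applications whose outcome under the tables' defaults is surprising."""
    findings = []
    for module, num, _ctx in apps:
        rules = acls.get(num)                      # None: referenced but never created
        actions = [a for a, _ in rules] if rules is not None else []

        def note(code, effect):
            findings.append((module, num, code, effect))

        if module in LOGIN_MODULES:                # default deny, yet absent/empty ACL fails open
            if rules is None:
                note("acl-not-created", "any host may log in")
            elif not actions:
                note("acl-empty", "any host may log in")
            elif "permit" not in actions:
                note("no-permit-rule", "no host can log in (unmatched = deny)")
        elif module == "blacklist":                # permit and deny matches are both discarded
            if not actions:
                note("blacklist-inactive", "nothing is discarded")
            elif "permit" in actions:
                note("permit-rule-in-blacklist", "hosts matched by permit rules are discarded too")
        elif module == "traffic-filter":           # default permit: no implicit deny at the end
            if not actions:
                note("filter-inactive", "all packets forwarded")
            elif not any(a == "deny" and c in ("", "ip") for a, c in rules):
                note("no-catch-all-deny", "unmatched packets are forwarded")
    return findings


def audit_config(text):
    return audit(*parse_config(text))


if __name__ == "__main__":
    for module, num, code, effect in audit_config(SAMPLE_CONFIG):
        print(f"{module:15} acl {num}: {code:25} -> {effect}")
```

Run against the sample, the script reports five findings: ACL 2001 on SNMP is empty (fail-open), ACL 2002 on FTP has no permit rule (lock-out), ACL 2003 on the VTYs was never created (fail-open), ACL 4000 in the blacklist contains a permit rule whose hosts are discarded anyway, and ACL 3000 on GigabitEthernet1/0/1 has no catch-all deny, so everything outside 10.1.0.0/16 is still forwarded. ACL 2000 on GigabitEthernet1/0/2 ends in "rule 10 deny" and produces no finding. The catch-all test treats a bare "deny" (basic ACL) or "deny ip" (advanced ACL) as the terminating rule; rules with narrower conditions are not counted as a catch-all.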

Table 1-13  Default ACL actions and mechanisms of different service modules

Route policy:
  Default ACL action: deny
  Routes match a permit rule:
    • When the matching mode of the route-policy node is permit: permit (the routing policy is enforced)
    • When the matching mode of the route-policy node is deny: deny (the routing policy is not enforced)
  Routes match a deny rule: deny (the routing policy does not take effect)
  Routes do not match any rule in the ACL: deny (the routing policy does not take effect)
  The ACL contains no rules: permit (the routing policy takes effect on all routes)
  The ACL is not created: deny (the routing policy does not take effect)

Filter policy:
  Default ACL action: deny
  Routes match a permit rule: permit (route advertisement or reception is allowed)
  Routes match a deny rule: deny (route advertisement or reception is not allowed)
  Routes do not match any rule in the ACL: deny (route advertisement or reception is not allowed)
  The ACL contains no rules: deny (route advertisement or reception is not allowed)
  The ACL is not created: permit (route advertisement or reception is allowed)

igmp-snooping ssm-policy:
  Default ACL action: deny
  Groups match a permit rule: permit (added to the SSM group address range)
  Groups match a deny rule: deny (not added to the SSM group address range)
  Groups do not match any rule in the ACL: deny (not added to the SSM group address range)
  The ACL contains no rules: deny (not added to the SSM group address range, and no group is in the SSM group address range)
  The ACL is not created: deny (not added to the SSM group address range; only the default SSM group address range 232.0.0.0-232.255.255.255 is in effect)

igmp-snooping group-policy:
  Default ACL action: permit when default-permit is configured; deny when it is not
  Groups match a permit rule: permit (added to the multicast group), with or without default-permit
  Groups match a deny rule: deny (not added to the multicast group), with or without default-permit
  Groups do not match any rule in the ACL: permit (added to the multicast group) when default-permit is configured; deny (not added to the multicast group) when it is not
  The ACL contains no rules: permit (added to the multicast group) when default-permit is configured; deny (not added to the multicast group) when it is not
  The ACL is not created: permit (added to the multicast group) when default-permit is configured; deny (not added to the multicast group) when it is not

Updated: 2019-04-01

Document ID: EDOC1000178319