CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Default ACL Actions and Mechanisms of Different Service Modules

Applying ACL to Service Modules

An ACL has no effect on its own: after it is configured, it must be applied to a service module so that its rules are delivered and take effect.

Most often an ACL is applied to a traffic policy or simplified traffic policy, globally or on an interface, to filter the packets being forwarded. An ACL can also be applied to service modules such as Telnet, FTP, and routing.

Table 5-10 describes how the service modules process ACLs.

Table 5-10  Applying ACLs to service modules

Each entry gives the service category, the usage scenario, and the service modules to which the ACL is applied.

Filtering packets to be forwarded
  • Usage scenario: The device filters received packets globally or on an interface, and then discards the matched packets, modifies their priority, or redirects them. For example, an ACL can be used to lower the service level of bandwidth-consuming traffic such as P2P downloads and online video, so that these packets are discarded first when the network is congested.
  • Service modules: traffic policy, simplified traffic policy

Filtering packets to be sent to the CPU
  • Usage scenario: If too many protocol packets are sent to the CPU, CPU usage rises and performance degrades, so the device limits the packets that are sent to the CPU. For example, when a user sends a large number of ARP attack packets to the device, the CPU becomes busy and services are interrupted. Applying an ACL to the local attack defense service and adding the user to the blacklist makes the device discard the packets from that user instead of passing them to the CPU.
  • Service modules: blacklist

Login control
  • Usage scenario: The device controls which users may access it: only authorized users can log in, and all others are rejected. For example, to allow only the administrator to log in, apply an ACL to the Telnet service that specifies the hosts that are allowed (or not allowed) to log in.
  • Service modules: Telnet, STelnet, FTP, SFTP, HTTP, SNMP

Route filtering
  • Usage scenario: ACLs can be applied to dynamic routing protocols to filter advertised and received routes, and to multicast protocols to filter multicast groups. For example, applying an ACL to a routing policy prevents the device from advertising the routes of a network segment to a neighboring router.
  • Service modules: BGP, IS-IS, OSPF, OSPFv3, RIP, RIPng, multicast protocols
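The following configuration is an added example, not taken from the original guide, showing one basic ACL applied to the login control modules listed above on a Huawei AR router. The management subnet 10.1.100.0/24, the ACL number 2000 and the interface numbers are assumptions; the per-service ACL commands (ftp acl, http acl, snmp-agent acl) should be confirmed against the command reference of your release.

```text
# Basic ACL: only the management subnet may reach the device's login services.
# The trailing deny is not strictly required, because the login modules deny a
# non-matching source by default, but it keeps the intent visible in the
# running configuration and survives a later "default action" misreading.
acl number 2000
 rule 5 permit source 10.1.100.0 0.0.0.255
 rule 10 deny
 quit

# Apply the ACL to the VTY user interfaces. This governs Telnet and STelnet.
# Assumes an AAA local user already exists; "protocol inbound ssh" disables
# Telnet on these VTYs so that only STelnet is reachable.
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
 protocol inbound ssh
 quit

# Apply the same ACL to the FTP, HTTP and SNMP services (system view).
ftp acl 2000
http acl 2000
snmp-agent acl 2000

# Check: the ACL must actually contain rules. An ACL that exists but has no
# rules, or an ACL number that was never created, does NOT restrict login:
# every host is allowed in (Table 5-11). The output below (abbreviated,
# constructed for this example) is what you see after someone has deleted the
# rules but left "acl 2000 inbound" in place, i.e. the device is wide open.
display acl 2000
#   Basic ACL 2000, 0 rules
#   Acl's step is 5
```

A periodic check that every ACL referenced by a user-interface or service still reports a non-zero rule count is the practical control here: deleting rules from a login ACL is fail-open, not fail-closed.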

Default ACL Actions and Mechanisms

When an ACL is applied to a service module, what happens to packets that match a permit rule, match a deny rule, match no rule, or are checked against an ACL that has no rules (or does not exist) depends on the default ACL action of that module, and the modules differ.

For example, the default action of a traffic policy is permit: when an ACL containing rules is applied to a traffic policy and a packet matches none of them, the packet is forwarded. The default action of the Telnet module is deny: when an ACL containing rules is applied to Telnet and a connection matches none of them, the login is rejected. Note that "contains rules but none match" and "contains no rules" are different cases for the login modules: an ACL with no rules, or an ACL number that has not been created, does not restrict login at all, so every host is allowed in.

The blacklist module is the exception: once an ACL is applied to a blacklist, every packet that matches any rule of the ACL is discarded, whether the matching rule is a permit rule or a deny rule. The rules describe which traffic to blacklist; the permit/deny keyword does not choose between forwarding and discarding.
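An added example, not from the guide, of the blacklist behaviour described above. The policy name ANTI-FLOOD, the ACL numbers and the attacker addresses are assumptions, and the exact forms of the cpu-defend commands vary by model and release, so confirm them in the command reference of your device.

```text
# ACL describing the sources to blacklist. Because the blacklist module drops
# packets that match ANY rule, the permit/deny keyword is irrelevant here:
# both rules below blacklist their source (assumed hosts sending ARP floods).
acl number 2001
 rule 5 permit source 192.0.2.77 0
 rule 10 deny source 192.0.2.78 0
 quit

# Bind the ACL to a blacklist inside a local attack defense policy, then apply
# the policy to the device (command form assumed for AR routers).
cpu-defend policy ANTI-FLOOD
 blacklist 1 acl 2001
 quit
cpu-defend-policy ANTI-FLOOD

# WRONG: a login-style "allow my subnet, deny everything else" ACL reused as a
# blacklist. Rule 10 matches every source, so every packet destined for the CPU,
# including your own SSH session and routing protocol packets, is discarded.
# Never bind an ACL with a catch-all rule of either kind to a blacklist.
acl number 2002
 rule 5 permit source 10.1.100.0 0.0.0.255
 rule 10 deny
 quit
```

Before binding an ACL to a blacklist, read it as a list of "things to drop": every rule, permit or deny, adds to that list, and a rule with no source qualifier adds everything.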

Table 5-11 provides the default ACL actions and mechanisms taken by each service module.

Table 5-11  Default ACL actions and mechanisms of different service modules

Each entry lists the service module, its default ACL action, and the ACL processing mechanism for five cases: (1) the packet matches a permit rule, (2) the packet matches a deny rule, (3) the packet matches no rule in the ACL, (4) the applied ACL contains no rules, and (5) the applied ACL has not been created. For the routing and multicast modules, "packet" means the route or multicast group address being checked.

Telnet, STelnet, HTTP, SNMP, FTP, TFTP, SFTP
  • Default ACL action: deny
  • Matches a permit rule: permit (allowed to log in)
  • Matches a deny rule: deny (not allowed to log in)
  • Matches no rule: deny (not allowed to log in)
  • ACL contains no rules: permit (allowed to log in)
  • ACL not created: permit (allowed to log in)

Traffic policy
  • Default ACL action: permit
  • Matches a permit rule: the traffic behavior decides. When the traffic behavior is permit, the packets are forwarded; when it is deny, the packets are discarded; when it is neither permit nor deny, the packets are forwarded and the action defined in the traffic behavior is applied.
  • Matches a deny rule: deny (discarded). NOTE: the action defined in the traffic behavior is still taken only when that behavior is traffic statistics collection or mirroring; any other behavior is not applied to the discarded packet.
  • Matches no rule: permit (the traffic policy does not take effect, and the packets are forwarded without the restriction of the traffic policy)
  • ACL contains no rules: permit (the traffic policy does not take effect, and the packets are forwarded without the restriction of the traffic policy)
  • ACL not created: permit (the traffic policy does not take effect, and the packets are forwarded without the restriction of the traffic policy)

Simplified traffic policy
  • Default ACL action: permit
  • Matches a permit rule: permit (the device takes the action defined in the simplified traffic policy)
  • Matches a deny rule: deny when the action in the simplified traffic policy is traffic-filter or traffic-secure; permit when the action is anything else
  • Matches no rule: permit (the simplified traffic policy does not take effect, and the packets are forwarded without its restriction)
  • ACL contains no rules: permit (the simplified traffic policy does not take effect, and the packets are forwarded without its restriction)
  • ACL not created: permit (the simplified traffic policy does not take effect, and the packets are forwarded without its restriction)

Local attack defense policy (blacklist)
  • Default ACL action: permit
  • Matches a permit rule: deny (discarded)
  • Matches a deny rule: deny (discarded)
  • Matches no rule: permit (the blacklist does not take effect, and the packets are forwarded)
  • ACL contains no rules: permit (the blacklist does not take effect, and the packets are forwarded)
  • ACL not created: permit (the blacklist does not take effect, and the packets are forwarded)

Routing: route-policy
  • Default ACL action: deny
  • Matches a permit rule: depends on the matching mode of the route-policy node. When the node mode is permit: permit (the route-policy is applied to the route). When the node mode is deny: deny (the route-policy is not applied to the route).
  • Matches a deny rule: deny (the route-policy does not take effect)
  • Matches no rule: deny (the route-policy does not take effect)
  • ACL contains no rules: permit (the route-policy takes effect on all routes)
  • ACL not created: deny (the route-policy does not take effect)

Routing: filter-policy
  • Default ACL action: deny
  • Matches a permit rule: permit (route advertisement or reception is allowed)
  • Matches a deny rule: deny (route advertisement or reception is not allowed)
  • Matches no rule: deny (route advertisement or reception is not allowed)
  • ACL contains no rules: deny (route advertisement or reception is not allowed)
  • ACL not created: permit (route advertisement or reception is allowed)

Multicast: igmp-snooping ssm-policy
  • Default ACL action: deny
  • Matches a permit rule: permit (added to the SSM group address range)
  • Matches a deny rule: deny (not added to the SSM group address range)
  • Matches no rule: deny (not added to the SSM group address range)
  • ACL contains no rules: deny (not added, and no group is in the SSM group address range)
  • ACL not created: deny (not added; only the default SSM group addresses 232.0.0.0-232.255.255.255 are in the SSM group address range)

Multicast: igmp-snooping group-policy
  • Default ACL action: permit
  • Matches a permit rule: permit (added to the multicast group)
  • Matches a deny rule: deny (not added to the multicast group)
  • Matches no rule: permit (added to the multicast group)
  • ACL contains no rules: permit (added to the multicast group)
  • ACL not created: permit (added to the multicast group)
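The configuration below is an added example, not part of the original guide, that exercises two rows of Table 5-11 where the mechanism surprises people: the traffic policy row (a deny rule in the classifier ACL discards the packet no matter what the behavior says) and the two route filtering rows (an ACL with no rules is fail-closed for filter-policy but fail-open for route-policy). The TCP port 6881, the interface names, the AS number 65001, the prefix 192.168.10.0/24 and all classifier, behavior and policy names are assumptions.

```text
# --- Traffic policy ---------------------------------------------------------
# Goal: re-mark P2P-style traffic on TCP port 6881 to a low priority, not drop it.

# WRONG: the deny rule discards the packet before the behavior is consulted;
# only statistics and mirroring behaviors are still applied to a denied packet.
acl number 3000
 rule 5 deny tcp destination-port eq 6881
 quit

# RIGHT: describe the traffic with permit rules; put the decision in the behavior.
acl number 3001
 rule 5 permit tcp destination-port eq 6881
 quit
traffic classifier C-P2P
 if-match acl 3001
 quit
traffic behavior B-LOWPRI
 remark dscp cs1
 quit
traffic policy P-EDGE
 classifier C-P2P behavior B-LOWPRI
 quit
interface GigabitEthernet0/0/1
 traffic-policy P-EDGE inbound
 quit

# Simplified traffic policy: with traffic-filter the ACL's permit/deny IS the
# forward/drop decision, so for plain packet filtering acl 3000 is the right shape.
interface GigabitEthernet0/0/2
 traffic-filter inbound acl 3000
 quit

# --- Route filtering --------------------------------------------------------
# acl 2002 is meant to describe 192.168.10.0/24.
acl number 2002
 rule 5 permit source 192.168.10.0 0.0.0.255
 quit

# filter-policy: only 192.168.10.0/24 is advertised to BGP peers. If acl 2002
# is later emptied, NOTHING is advertised (fail closed); if acl 2002 is deleted,
# EVERYTHING is advertised (fail open).
bgp 65001
 filter-policy 2002 export
 quit

# route-policy: node 10 suppresses 192.168.10.0/24, node 20 passes the rest.
# If acl 2002 is emptied, the if-match acl clause matches EVERY route (the
# route-policy takes effect on all routes), so node 10 denies all of them.
# If acl 2002 is deleted, node 10 matches nothing and every route is permitted
# by node 20. Either way the intended filter silently disappears.
route-policy RP-OUT deny node 10
 if-match acl 2002
 quit
route-policy RP-OUT permit node 20
 quit
```

The operational lesson is the same as for the login modules: an ACL that is referenced by a module must be monitored for existence and rule count, because the no-rules and not-created cases are handled differently by each module and several of them default to letting everything through.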

Updated: 2019-08-07

Document ID: EDOC1100034077