CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Matching Order

An ACL consists of multiple permit or deny clauses, each of which describes a rule. These rules may overlap or conflict. For example, an ACL contains two rules:

rule deny ip destination 10.1.0.0 0.0.255.255   //Reject the packets destined for network segment 10.1.0.0/16.
rule permit ip destination 10.1.1.0 0.0.0.255   //Permit the packets destined for network segment 10.1.1.0/24, which has a smaller range than 10.1.0.0/16.

The permit and deny rules conflict. If the system first matches a packet destined for 10.1.1.1 against the deny rule, the packet is discarded. However, if the system matches the packet against the permit rule first, the packet is forwarded.

Therefore, if ACL rules repeat or conflict, the matching order decides the matching result.

The device supports two matching orders: the configuration order (config) and the automatic order (auto). The default order is config.

Config Order

The system matches packets against ACL rules in ascending order of rule IDs. That is, the rule with the smallest ID is processed first.

  • If you manually specify a rule ID that is smaller than the IDs of existing rules, the rule is inserted ahead of those rules and is processed earlier.

  • If no ID is specified, the system allocates one: the smallest multiple of the step that is greater than the largest existing rule ID (with the default step of 5, the first rule of an empty ACL gets ID 5, the next ID 10, and so on). Such a rule is therefore placed last and processed last. In config mode this means that a more specific permit rule added without an ID after a broader deny rule is never reached: the broader rule shadows it, and the exception silently has no effect.

Auto Order

The system arranges rules according to their precision (depth-first principle) and matches packets against the rules in descending order of precision. The rule with the highest precision defines the strictest conditions and has the highest priority, so the system matches packets against it first. Table 5-2 describes how the auto order is applied to each type of ACL.

For details about the ACL matching conditions mentioned in Table 5-2, such as IP address wildcard mask, types of protocols carried by IP, TCP/UDP ports, Layer 2 protocol type wildcard mask, and MAC address wildcard mask, see Matching Conditions.

Table 5-2  Auto matching order

ACL Type

Matching Rules

Basic ACL and basic ACL6

  1. The rule that defines a VPN instance is processed first.
  2. The rule that defines the smallest source IP address range is processed. The wildcard mask with the most 0 bits identifies the smallest source IP address range.
  3. If the source IP address ranges are the same, the rule with the smallest ID is processed.

Advanced ACL and advanced ACL6

  1. The rule that defines a VPN instance is processed first.
  2. The rule that defines a protocol type is processed.
  3. If the protocol types are the same, the rule that defines the smallest source IP address range is processed. The wildcard mask with the most 0 bits identifies the smallest source IP address range.
  4. If the protocol types and source IP address ranges are the same, the rule that defines the smallest destination IP address range is processed. The wildcard mask with the most 0 bits identifies the smallest destination IP address range.
  5. If the protocol types, source IP address ranges, and destination IP address ranges are the same, the rule that defines the smallest Layer 4 port number (TCP/UDP port number) range is processed.
  6. If the preceding ranges are all the same, the rule with the smallest ID is processed.

Layer 2 ACL

  1. The rule whose Layer 2 protocol type mask has the most 1 bits (the most precise protocol type match) is processed first. Note that Layer 2 ACL masks work the opposite way from IP wildcard masks: a 1 bit in a Layer 2 mask means the bit must match, so more 1 bits means a smaller range.
  2. The rule that defines the smallest source MAC address range is processed. The mask with the most 1 bits identifies the smallest source MAC address range.
  3. If the source MAC address ranges are the same, the rule that defines the smallest destination MAC address range is processed. The mask with the most 1 bits identifies the smallest destination MAC address range.
  4. If the source and destination MAC address ranges are the same, the rule with the smallest ID is processed.

User ACL

  1. The rule that defines a protocol type is processed first.
  2. If the protocol types are the same, the source IP address ranges are compared. If all source addresses are IP network segments, the rule with the smaller source IP address range (more 0 bits in the wildcard mask) is processed.
  3. If the protocol types and source IP address ranges are the same, the destination IP address ranges are compared. If all destination addresses are IP network segments, the rule with the smaller destination IP address range (more 0 bits in the wildcard mask) is processed.
  4. If the protocol types, source IP address ranges, and destination IP address ranges are the same, the rule that defines the smallest Layer 4 port number (TCP/UDP port number) range is processed.
  5. If the preceding ranges are all the same, the rule with the smallest ID is processed.

If you add a rule to an ACL in auto mode, the system automatically identifies the rule priority and assigns an ID to the rule.

For example, two rules are added to advanced ACL 3001 in auto mode:

rule deny ip destination 10.1.0.0 0.0.255.255   //Reject the packets destined for network segment 10.1.0.0/16.
rule permit ip destination 10.1.1.0 0.0.0.255   //Permit the packets destined for network segment 10.1.1.0/24, which has a smaller range than 10.1.0.0/16.

Neither rule specifies a VPN instance, and both specify the same protocol (ip) and the same unrestricted source IP address range. According to the auto matching principle in Table 5-2, the system therefore compares the destination IP address ranges. The destination range of the permit rule (10.1.1.0/24) is smaller than that of the deny rule (10.1.0.0/16), so the permit rule has the higher precision and the system allocates it the smaller ID. The system arranges the two rules in ACL 3001 in the following order:

#                                                                               
acl number 3001 match-order auto                                                
 rule 5 permit ip destination 10.1.1.0 0.0.0.255                                
 rule 10 deny ip destination 10.1.0.0 0.0.255.255                                
#   

Now the rule rule deny ip destination 10.1.1.1 0 is added to ACL 3001. It has a higher priority than the previous two rules because its destination is a single host address (wildcard 0, the smallest possible range). The system reassigns IDs to all rules according to their priorities. The new order is as follows:

#                                                                               
acl number 3001 match-order auto                                                
 rule 5 deny ip destination 10.1.1.1 0                                           
 rule 10 permit ip destination 10.1.1.0 0.0.0.255                                
 rule 15 deny ip destination 10.1.0.0 0.0.255.255                                
#   

Compared with config mode, auto mode is harder to reason about, but it is useful in some scenarios. For example, during initial network deployment the administrator configures an ACL in auto mode that discards all IP packets from untrusted network segments. As more services are deployed, some packets from those segments must be allowed. The administrator only adds the more specific permit rules; the device places them ahead of the broad deny rule automatically, so no manual renumbering is needed to avoid incorrect packet discarding. The price is that auto mode renumbers the existing rules whenever a rule is added, so scripts and change records must not rely on rule IDs in an auto-mode ACL staying stable.
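To make the two orders concrete, the following Python simulation (an added example, not Huawei code and not part of this guide) reimplements config-mode rule-ID allocation and the advanced-ACL auto-order ranking from Table 5-2, then runs the ACL 3001 rules above through both modes against a constructed sample packet. It assumes the default step of 5, treats the protocol keyword ip as "no protocol type defined", and omits the VPN-instance key; the Rule, Packet and ACL names are the example's own.

```python
"""ACL rule ordering in config and auto mode for advanced IPv4 ACLs (added example, not Huawei code)."""
from dataclasses import dataclass
from typing import Optional, Tuple

STEP = 5                         # assumption: the default rule-ID step, not changed with 'step'
ANY = "0.0.0.0 255.255.255.255"  # address not specified in the rule

def ip_int(addr: str) -> int:
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def parse_wild(spec: str) -> Tuple[int, int]:
    """'address wildcard' -> ints; a bare '0' is accepted for a host wildcard, as in the CLI."""
    addr, wild = spec.split()
    return ip_int(addr), ip_int("0.0.0.0" if wild == "0" else wild)

def wild_match(spec: str, addr: str) -> bool:
    """A 1 bit in the wildcard is don't-care; a 0 bit must match."""
    base, wild = parse_wild(spec)
    care = ~wild & 0xFFFFFFFF
    return (base & care) == (ip_int(addr) & care)

@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "tcp"
    dport: Optional[int] = None

@dataclass
class Rule:
    action: str                              # "permit" or "deny"
    protocol: str = "ip"                     # "ip" = any IP protocol, i.e. no protocol type defined
    src: str = ANY                           # "address wildcard"
    dst: str = ANY
    dport: Optional[Tuple[int, int]] = None  # TCP/UDP destination port range (lo, hi)
    id: Optional[int] = None                 # None: let the "device" allocate the ID

    def matches(self, p: Packet) -> bool:
        if self.protocol != "ip" and p.protocol != self.protocol:
            return False
        if not (wild_match(self.src, p.src) and wild_match(self.dst, p.dst)):
            return False
        if self.dport is not None:
            return p.dport is not None and self.dport[0] <= p.dport <= self.dport[1]
        return True

    def text(self) -> str:
        """Render the rule roughly as 'display acl' prints it."""
        parts = [f"rule {self.id} {self.action} {self.protocol}"]
        parts += [f"source {self.src}"] if self.src != ANY else []
        parts += [f"destination {self.dst}"] if self.dst != ANY else []
        if self.dport:
            lo, hi = self.dport
            parts.append(f"destination-port eq {lo}" if lo == hi else f"destination-port range {lo} {hi}")
        return " ".join(parts)

def precision_key(r: Rule) -> tuple:
    """Auto-order rank for advanced ACLs (Table 5-2, VPN-instance step omitted); smaller tuple first."""
    return (0 if r.protocol != "ip" else 1,                       # protocol type defined
            bin(parse_wild(r.src)[1]).count("1"),                 # source range: fewest 1 bits = most 0 bits
            bin(parse_wild(r.dst)[1]).count("1"),                 # destination range
            (r.dport[1] - r.dport[0] + 1) if r.dport else 65536,  # port range size
            r.id)                                                 # smallest ID

class ACL:
    def __init__(self, match_order: str = "config"):
        self.match_order, self.rules = match_order, []

    def add_rule(self, rule: Rule) -> int:
        if rule.id is None:  # smallest multiple of STEP above the largest existing ID (5 if empty)
            rule.id = (max((r.id for r in self.rules), default=0) // STEP + 1) * STEP
        else:                # re-entering an existing ID modifies that rule
            self.rules = [r for r in self.rules if r.id != rule.id]
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.id)  # config order: ascending ID
        if self.match_order == "auto":       # auto order: rank by precision, then renumber
            self.rules.sort(key=precision_key)
            for n, r in enumerate(self.rules, start=1):
                r.id = n * STEP
        return rule.id

    def display(self) -> list:
        return [r.text() for r in self.rules]

    def match(self, p: Packet) -> Optional[Tuple[str, int]]:
        """First matching rule wins; None = no match (the action then depends on where the ACL is applied)."""
        for r in self.rules:
            if r.matches(p):
                return r.action, r.id
        return None

if __name__ == "__main__":
    pkt = Packet(src="192.0.2.10", dst="10.1.1.5")  # constructed sample packet
    for order in ("config", "auto"):
        acl = ACL(order)
        acl.add_rule(Rule("deny", dst="10.1.0.0 0.0.255.255"))
        acl.add_rule(Rule("permit", dst="10.1.1.0 0.0.0.255"))
        print(order, acl.display(), "->", acl.match(pkt))  # config: deny by rule 5; auto: permit by rule 10
```

Run as a script, the config-mode ACL rejects 10.1.1.5 by rule 5 because the later permit is never consulted, while the auto-mode ACL ranks the /24 permit ahead of the /16 deny and permits it by rule 10. Adding a rule with a manually chosen smaller ID in config mode, or a host rule in auto mode, moves the exception in front of the broad rule in exactly the way the text describes.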

Updated: 2019-05-20

Document ID: EDOC1100034077
