NE40E V800R010C10SPC500 Feature Description - IP Services 01
ACL Matching Principles

What is "Matched"

Matched: the ACL exists and contains a rule that the packet conforms to. The result is "matched" regardless of whether that rule's action is permit or deny.

Mismatched: the ACL does not exist, or the ACL contains no rules, or the packet conforms to none of the rules in the ACL.

ACL Matching Order

First, the device checks whether the ACL exists. (An ACL that has not been created can still be referenced by an application such as a QoS traffic classifier or an OSPF policy; such a reference is treated as mismatched.)

Then the device compares the packet against the rules in ascending order of rule ID. As soon as the packet matches a rule, matching is complete: that rule's result (permit or deny) is returned and no further rules are checked.
NOTE:

A rule is identified by a rule ID, which is either configured by the user or generated by the system according to the ACL step. All rules in an ACL are arranged in ascending order of rule ID.

If rule IDs are allocated automatically, consecutive IDs are spaced by the ACL step. For example, with a step of 5 the system generates rule IDs 5, 10, 15, and so on; with a step of 2 it generates 2, 4, 6, and so on. Because the first automatic ID equals the step, the user can always insert a rule before the first rule by giving it a smaller ID.

In the configuration file, rules are displayed in ascending order of rule ID, not in the order in which they were configured.

Rules can be arranged in two modes: configuration mode and auto mode. The default is configuration mode.
  • In configuration mode, users either set rule IDs themselves or let the device allocate rule IDs based on the step.

    If a rule ID is specified when a rule is configured, the rule is inserted at the position given by that ID. For example, if rules 5, 10, and 15 exist and a new rule with ID 3 is configured, the rules are displayed in ascending order as 3, 5, 10, and 15, so the new rule has been inserted before rule 5. If no rule ID is specified, the device allocates the next ID according to the step: with a step of 5 the IDs are 5, 10, 15, and so on; with a step of 2 they start from 2.

    The gap left by the step is what makes later insertion possible. With the default step of 5, the first rule configured without an ID becomes rule 5; to add a rule in front of it, the user only needs to give the new rule an ID smaller than 5, and after the rules are realigned it becomes the first rule.

    In configuration mode the system matches rules in ascending order of rule ID, so a rule configured later can be matched earlier if it was given a smaller ID.

  • In auto mode, the system allocates rule IDs itself and places the most precise rule at the front of the ACL according to the depth-first principle. Precision is judged by comparing address wildcards: the smaller the wildcard (the fewer don't-care bits), the narrower the range the rule specifies.

    For example, 129.102.1.1 0.0.0.0 specifies the single host 129.102.1.1, whereas 129.102.1.1 0.0.0.255 specifies the network segment 129.102.1.0 to 129.102.1.255 (the last octet is a don't-care). The former is narrower and is placed before the latter.

    The detailed operations are as follows:

    • For basic ACL rules, the source address wildcards are compared. If the source address wildcards are the same, the system matches packets against the ACL rules based on the configuration order.
    • For advanced ACL rules, the protocol ranges and then the source address wildcards are compared. If both the protocol ranges and the source wildcards are the same, the destination address wildcards are then compared. If the destination address wildcards are also the same, the ranges of source port numbers are compared with the smaller range being allocated a higher precedence. If the ranges of source port numbers are still the same, the ranges of destination port numbers are compared with the smaller range being allocated a higher precedence. If the ranges of destination port numbers are still the same, the system matches packets against ACL rules based on the configuration order of rules.
    NOTE:

    For example, suppose a rule already filters a wide range of packets and a subset of them, identified by a more specific feature, must later be allowed through. In auto mode the administrator only needs to add the more specific rule; no manual re-ordering is required, because the narrower rule is automatically given higher precedence.

    Table 3-3 describes the depth-first principle for matching ACL rules.
    Table 3-3 Depth-first principle for matching ACL rules

    ACL Type: Interface-based ACL
    Matching Rules: Rules whose interface is set to any are matched last; the other rules are matched in the order they are configured.

    ACL Type: Basic ACL
    Matching Rules:
    1. Rules with VPN instance information are matched before those without VPN instance information.
    2. If multiple rules contain the same VPN instance information, the rule with the smaller source IP address range (more 1s in the mask) is matched first.
    3. If multiple rules contain the same VPN instance information and the same source IP address range, they are matched in the order they are configured.

    ACL Type: Advanced ACL
    Matching Rules:
    1. Rules with VPN instance information are matched before those without VPN instance information.
    2. If multiple rules contain the same VPN instance information, the rule that specifies a protocol type is matched first.
    3. If multiple rules contain the same VPN instance information and the same protocol type, the rule with the smaller source IP address range (more 1s in the mask) is matched first.
    4. If multiple rules contain the same VPN instance information, protocol type, and source IP address range, the rule with the smaller destination IP address range (more 1s in the mask) is matched first.
    5. If multiple rules contain the same VPN instance information, protocol type, source IP address range, and destination IP address range, the rule with the smaller Layer 4 port number range (TCP/UDP port numbers) is matched first.
    6. If multiple rules contain the same VPN instance information, protocol type, source and destination IP address ranges, and port number range, they are matched in the order they are configured.

    ACL Type: Layer 2 ACL
    Matching Rules:
    1. Rules with smaller wildcards for the Layer 2 protocol type (more 1s in the mask) are matched first.
    2. If multiple rules contain the same Layer 2 protocol type wildcard, the rule with the smaller source MAC address range (more 1s in the mask) is matched first.
    3. If multiple rules contain the same Layer 2 protocol type wildcard and the same source MAC address range, the rule with the smaller destination MAC address range (more 1s in the mask) is matched first.
    4. If multiple rules contain the same Layer 2 protocol type wildcard and the same source and destination MAC address ranges, the rule with the smaller VLAN ID in the outer tag is matched first.
    5. If multiple rules contain the same Layer 2 protocol type wildcard, source and destination MAC address ranges, and outer-tag VLAN ID, the rule with the higher 802.1p priority in the outer tag is matched first.
    6. If multiple rules contain the same Layer 2 protocol type wildcard, source and destination MAC address ranges, and outer-tag VLAN ID and 802.1p priority, the rule with the smaller VLAN ID in the inner tag is matched first.
    7. If multiple rules contain the same Layer 2 protocol type wildcard, source and destination MAC address ranges, outer-tag VLAN ID and 802.1p priority, and inner-tag VLAN ID, the rule with the higher 802.1p priority in the inner tag is matched first.
    8. If multiple rules contain the same Layer 2 protocol type wildcard, source and destination MAC address ranges, outer-tag VLAN ID and 802.1p priority, and inner-tag VLAN ID and 802.1p priority, they are matched in the order they are configured.

    ACL Type: MPLS-based ACL
    Matching Rules: Rules can only be arranged in configuration mode; auto mode does not apply.

Matching Principle Summary

  • The rules of an ACL are matched in ascending order of rule ID.
  • Checking continues until a match is found and stops at the first match. Therefore two ACLs containing the same rules can produce different results if the rules are ordered differently.
  • Each rule has one of two actions: permit or deny.
  • An ACL lookup has two possible results: matched or mismatched.
  • The mismatched result covers three cases:
    • The ACL has rules, but the packet matches none of them.
    • The ACL exists but contains no rules.
    • The ACL does not exist.

    How a mismatched result is handled depends on the application that references the ACL. For details, see Table 3-4.

    NOTE:
    Note the following about Table 3-4:
    • The default "permit" in a CPU defend policy means that the device continues matching against the remaining clauses. For example, if a packet does not match the blacklist, the device goes on to match it against the user-defined flow rather than applying the blacklist action.
    • The default "permit" in a traffic policy only means that the matching result of that if-match acl clause is permit. The behavior of the policy depends on the matching results of the other if-match acl clauses in the same classifier and on the logical relationship between those clauses. For details, see ACLs Applied to a Traffic Policy.
    • The default "permit" and "deny" in a route-policy are only the matching result of that if-match acl clause. The behavior of the policy node depends on the matching results of all if-match acl clauses in the same node and on the node's own action (permit or deny). For details, see ACLs Applied to a Route-Policy.
    Table 3-4 Default result of each application module in the mismatched cases

    Application Module                          | Mismatched All Rules                       | No Rule in ACL                            | ACL Does Not Exist
    Telnet                                      | deny                                       | permit                                    | permit
    SNMP                                        | deny                                       | permit                                    | permit
    FTP                                         | V600R003C00: permit; other versions: deny  | permit                                    | permit
    TFTP                                        | deny                                       | permit                                    | permit
    Traffic Policy                              | permit                                     | permit                                    | permit
    CPU Defend Policy: Whitelist                | permit                                     | permit                                    | permit
    CPU Defend Policy: Blacklist                | permit                                     | permit                                    | permit
    CPU Defend Policy: User-defined Flow        | permit                                     | permit                                    | permit
    Routing Protocol: Route Policy              | deny                                       | deny                                      | permit
    Routing Protocol: Filter Policy             | deny                                       | deny                                      | permit
    Multicast Policy: static-rp group-policy    | permit                                     | permit                                    | permit
    Multicast Policy: c-rp group-policy         | permit                                     | permit                                    | permit
    Multicast Policy: Multicast boundary policy | deny                                       | permit                                    | permit
    Multicast Policy: Other multicast policies  | deny                                       | deny                                      | deny
    NAT                                         | deny                                       | deny                                      | deny
    BFD                                         | deny                                       | deny                                      | deny
    IPSec                                       | deny                                       | not applicable (IPSec does not support an ACL with no rules) | not applicable (IPSec does not support a nonexistent ACL)

Example

The following commands are configured one after another:

rule deny ip dscp 30 destination 1.1.0.0 0.0.255.255 
rule permit ip dscp 30 destination 1.1.1.0 0.0.0.255

If configuration mode is used, the rules in the ACL are displayed as follows (IDs allocated by the default step of 5, in configuration order):

acl 3000
 rule 5 deny ip dscp 30 destination 1.1.0.0 0.0.255.255
 rule 10 permit ip dscp 30 destination 1.1.1.0 0.0.0.255

If auto mode is used, the rules in the ACL are displayed as follows (the permit rule has the smaller destination wildcard, so it is placed first):

acl 3000
 rule 1 permit ip dscp 30 destination 1.1.1.0 0.0.0.255
 rule 2 deny ip dscp 30 destination 1.1.0.0 0.0.255.255

If the device receives a packet with DSCP value 30 and destination IP address 1.1.1.1, the packet conforms to both rules, so the first rule in the matching order decides: in configuration mode rule 5 (deny) is hit first and the packet is dropped, whereas in auto mode rule 1 (permit) is hit first and the packet is allowed to pass.
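To make the rule-ID and ordering behaviour described under ACL Matching Order concrete, the following Python model was added to this page; it is example code written for this page, not Huawei's implementation and not a device API. It models an advanced ACL in both modes: step-based rule-ID allocation and insertion in configuration mode, depth-first sorting in auto mode, first-match lookup, and the three mismatched cases. The Rule, Packet and ACL classes, their field names, and the treatment of protocol "ip" as "any IP protocol" are assumptions of the model; the allocation rule "next multiple of the step above the highest existing ID" is this editor's reading of the page, and the auto-mode numbering 1, 2, ... follows the display output shown in the example above. page_example() rebuilds ACL 3000 from that example.

```python
"""Model of the ACL matching principles on this page (illustrative code, not VRP)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY_ADDR = ("0.0.0.0", "255.255.255.255")   # address + wildcard covering every host
ANY_PORT = (0, 65535)                         # rule does not constrain the L4 port


def wildcard_bits(wildcard: str) -> int:
    """Don't-care bits in a dotted wildcard: 0.0.0.0 -> 0 (one host), 0.0.0.255 -> 8 (a /24).
    Fewer bits means a narrower range and, in auto mode, higher precedence."""
    return bin(int(IPv4Address(wildcard))).count("1")


def addr_matches(packet_ip: str, rule_ip: str, wildcard: str) -> bool:
    """True if packet_ip is covered by rule_ip/wildcard (wildcard 1-bits are ignored)."""
    w = int(IPv4Address(wildcard))
    return (int(IPv4Address(packet_ip)) | w) == (int(IPv4Address(rule_ip)) | w)


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    protocol: str = "ip"              # assumption: "ip" matches any IP protocol; "tcp"/"udp" are narrower
    src: Tuple[str, str] = ANY_ADDR   # (address, wildcard)
    dst: Tuple[str, str] = ANY_ADDR
    src_port: Tuple[int, int] = ANY_PORT
    dst_port: Tuple[int, int] = ANY_PORT
    dscp: Optional[int] = None
    rule_id: int = 0                  # explicit, step-allocated, or renumbered in auto mode
    seq: int = 0                      # configuration order: the final tie-breaker


@dataclass
class Packet:                         # assumed field names for the packet under test
    src: str
    dst: str
    protocol: str = "tcp"
    sport: int = 0
    dport: int = 0
    dscp: int = 0


def depth_key(r: Rule):
    """Advanced-ACL depth-first order: specific protocol first, then smaller source wildcard,
    smaller destination wildcard, smaller source/destination port range, then config order."""
    return (0 if r.protocol != "ip" else 1, wildcard_bits(r.src[1]), wildcard_bits(r.dst[1]),
            r.src_port[1] - r.src_port[0], r.dst_port[1] - r.dst_port[0], r.seq)


class ACL:
    def __init__(self, number: int, mode: str = "config", step: int = 5):
        self.number, self.mode, self.step = number, mode, step
        self.rules: List[Rule] = []

    def add(self, rule: Rule, rule_id: Optional[int] = None) -> "ACL":
        """Config mode: explicit ID, or next multiple of the step above the highest existing ID
        (this editor's reading of the page). Auto mode: IDs are ignored and rules re-sorted by depth."""
        rule.seq = len(self.rules)
        if self.mode == "config":
            top = max((r.rule_id for r in self.rules), default=0)
            rule.rule_id = rule_id if rule_id is not None else (top // self.step + 1) * self.step
            self.rules.append(rule)
            self.rules.sort(key=lambda r: r.rule_id)   # displayed and matched by rule ID
        else:
            self.rules.append(rule)
            self.rules.sort(key=depth_key)             # most precise rule first
            for i, r in enumerate(self.rules, 1):      # the page shows auto IDs as 1, 2, ...
                r.rule_id = i
        return self

    def rule_ids(self) -> List[int]:
        return [r.rule_id for r in self.rules]

    def match(self, pkt: Packet) -> Tuple[str, int]:
        """First-match lookup: (action, rule_id), or ('mismatched: <reason>', 0)."""
        if not self.rules:
            return "mismatched: no rule in ACL", 0
        for r in self.rules:
            if r.protocol != "ip" and r.protocol != pkt.protocol:
                continue
            if not (addr_matches(pkt.src, *r.src) and addr_matches(pkt.dst, *r.dst)):
                continue
            if not (r.src_port[0] <= pkt.sport <= r.src_port[1]
                    and r.dst_port[0] <= pkt.dport <= r.dst_port[1]):
                continue
            if r.dscp is not None and r.dscp != pkt.dscp:
                continue
            return r.action, r.rule_id                 # matching stops at the first hit
        return "mismatched: no rule matched", 0


def lookup(acl: Optional[ACL], pkt: Packet) -> Tuple[str, int]:
    """Covers the third mismatched case: the referenced ACL does not exist."""
    return acl.match(pkt) if acl is not None else ("mismatched: ACL does not exist", 0)


def page_example(mode: str) -> Tuple[str, int]:
    """ACL 3000 from the worked example above, built in the given mode ('config' or 'auto')."""
    acl = ACL(3000, mode)
    acl.add(Rule("deny", dst=("1.1.0.0", "0.0.255.255"), dscp=30))
    acl.add(Rule("permit", dst=("1.1.1.0", "0.0.0.255"), dscp=30))
    return acl.match(Packet("10.0.0.1", "1.1.1.1", dscp=30))   # config: deny/5, auto: permit/1
```

page_example("config") returns ('deny', 5) and page_example("auto") returns ('permit', 1), reproducing the outcome of the example. The same ACL class also shows the insertion behaviour from the note above: after two unnumbered rules (IDs 5 and 10), adding a rule with rule_id=3 yields the order 3, 5, 10, and the next unnumbered rule becomes 15. The depth-first key also covers the protocol step of Table 3-3: in auto mode a rule for tcp port 22 is placed ahead of a protocol-less rule even when the latter has a narrower source range.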

Updated: 2019-01-03

Document ID: EDOC1100055041