Chapter 1 ACL Overview
An access control list (ACL) is used primarily to identify traffic flows. To
filter packets, a series of match rules must be configured on the network device
to identify the packets to be filtered. Once a packet has been identified, the
device permits or denies it according to the predefined policy.
ACLs classify packets based on a series of
match conditions, which can be the source addresses, destination addresses and
port numbers carried in the packets.
The packet match rules defined by ACLs can
be referenced by other functions that need to differentiate traffic flows, such
as the definition of traffic classification rules in QoS.
In this manual,
IPv4 ACL refers to ACL used for filtering IPv4 packets, and IPv6 ACL refers to
ACL used for filtering IPv6 packets.
1.2 Time-Based ACL
A time range-based ACL lets you apply ACL control to packets differently in
different time ranges.
Each rule in an ACL can reference a time range. If the time range a rule
references has not been configured, the system prints a prompt but still allows
the rule to be created. The rule does not take effect immediately, however: it
takes effect only once the referenced time range is configured and the system
time falls within it. If you remove the time range referenced by an ACL rule,
the rule becomes invalid the next time the ACL rule timer refreshes.
1.3 IPv4 ACL
This section covers these topics:
• IPv4 ACL Classification
• IPv4 ACL Match Order
• IP Fragments Filtering with IPv4 ACL
1.3.1 IPv4 ACL Classification
IPv4 ACLs, identified by ACL numbers, fall into the following three categories:
• Basic IPv4 ACL, based on source IP address. Basic ACLs are numbered 2000
through 2999.
• Advanced IPv4 ACL, based on source IP address, destination IP address,
protocol carried on IP, and other Layer 3 or Layer 4 protocol header
information. Advanced ACLs are numbered 3000 through 3999.
• Ethernet frame header ACL, based on Layer 2 protocol header fields such as
source MAC address, destination MAC address, 802.1p priority, and link layer
protocol type. Ethernet frame header ACLs are numbered 4000 through 4999.
1.3.2 IPv4 ACL Match Order
Each ACL is a sequential collection of
rules defined with different matching criteria. The order in which a packet is
matched against the rules may thus affect how the packet is handled.
At present, the following two match orders are available:
• config: rules are compared against in the order in which they are
configured.
• auto: rules are compared against in depth-first order, that is, the rule
with the narrower address range is compared first.
I. Depth-first match for a basic IPv4 ACL
The following shows how your device
performs depth-first match in a basic IPv4 ACL:
1)
Sort rules by source IP address wildcard first
and compare packets against the rule configured with more zeros in the source
IP address wildcard prior to other rules.
2)
If two rules are present with the same number of
zeros in their source IP address wildcards, compare packets against the rule
configured first prior to the others.
For example, the rule with the source IP
address wildcard 0.0.0.255 is compared prior to the rule with the source IP
address wildcard 0.0.255.255.
II. Depth-first match for an advanced IPv4 ACL
The following shows how your device
performs depth-first match in an advanced IPv4 ACL:
1)
Sort rules by source IP address wildcard first
and compare packets against the rule configured with more zeros in the source
IP address wildcard prior to other rules.
2)
If two rules are present with the same number of
zeros in their source IP address wildcards, look at the destination IP address
wildcards in the rules in addition. Then, compare packets against the rule
configured with more zeros in the destination IP address wildcard prior to the
other.
3)
If the numbers of zeros in the destination IP
address wildcards are the same, compare packets against the rule configured
first prior to the other.
For example, the rule with the source IP address wildcard 0.0.0.255 is
compared prior to the rule with the source IP address wildcard 0.0.255.255. If
both rules have the source IP address wildcard 0.0.0.255, the one with the
destination IP address wildcard 0.0.0.0 is compared prior to the one with the
destination IP address wildcard 0.0.0.255.
III. Depth-first match for an Ethernet frame header ACL
The following shows how your device
performs depth-first match in an Ethernet frame header ACL:
1)
Sort rules by source MAC address mask first and
compare packets against the rule configured with more ones in the source MAC
address mask prior to other rules.
2)
If two rules are present with the same number of
ones in their source MAC address masks, look at the destination MAC address
masks. Then, compare packets against the rule configured with more ones in the
destination MAC address mask prior to the other.
3)
If the numbers of ones in the destination MAC
address masks are the same, the one configured first is compared prior to the
other.
For example, the rule with source MAC
address mask FFFF-FFFF-0000 is compared prior to the rule with source MAC
address mask FFFF-0000-0000.
The comparison of a packet against an ACL
stops once a match is found. The packet is then processed as per the rule.
1.3.3 IP Fragments Filtering with IPv4 ACL
Traditionally, an ACL inspects only the first fragment of a fragmented IP
packet; all non-first fragments are handled in the same way as the first
fragment. This is a security risk, because an attacker can fabricate non-first
fragments to attack your network.
When you configure an IPv4 ACL rule, the fragment keyword specifies that the
rule applies to non-first fragments only; it does not apply to non-fragmented
packets or to first fragments. ACL rules that do not contain this keyword apply
to non-fragmented packets and to fragments alike.
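The two match orders of section 1.3.2 and the fragment keyword of section 1.3.3 interact: under config order a later, more specific deny can be shadowed by an earlier permit, while under auto order the narrower rule is consulted first regardless of when it was configured. The following model, added here as an example and not code from the switch, sorts rules by the depth-first key (zeros in the source wildcard, then zeros in the destination wildcard, then configuration order), stops at the first match, and honours the fragment keyword. It assumes that a packet with a non-zero fragment offset is a non-first fragment and returns (None, None) for a packet no rule matches, since the page does not say what happens to unmatched packets; the sample rules and packets are constructed for the example.

```python
"""Model of IPv4 ACL rule ordering (config vs. auto) and the fragment keyword.

Added example for sections 1.3.2 and 1.3.3; not the switch's own code.
Assumptions: frag_offset > 0 marks a non-first fragment; an unmatched packet
yields (None, None) because the page does not define a default action.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Tuple


def wildcard_zeros(wildcard: str) -> int:
    """Zero bits in a dotted wildcard: more zeros means a narrower match."""
    return 32 - bin(int(IPv4Address(wildcard))).count("1")


def mac_mask_ones(mask: str) -> int:
    """One bits in a MAC mask such as FFFF-FFFF-0000: more ones means narrower."""
    return bin(int(mask.replace("-", ""), 16)).count("1")


def ip_matches(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a, r, w = (int(IPv4Address(x)) for x in (addr, rule_addr, wildcard))
    return ((a ^ r) & ~w & 0xFFFFFFFF) == 0


@dataclass
class Rule:
    rule_id: int            # assigned in configuration order; never changes
    action: str             # "permit" or "deny"
    source: str = "0.0.0.0"
    source_wc: str = "255.255.255.255"   # any source
    dest: str = "0.0.0.0"
    dest_wc: str = "255.255.255.255"     # any destination
    fragment: bool = False  # True: rule applies to non-first fragments only


@dataclass
class Packet:
    src: str
    dst: str
    frag_offset: int = 0          # > 0: non-first fragment
    more_fragments: bool = False  # True with offset 0: first fragment


def depth_first_key(rule: Rule) -> Tuple[int, int, int]:
    """Sort key for match-order auto: more source-wildcard zeros first, then
    more destination-wildcard zeros, then the earlier-configured rule."""
    return (-wildcard_zeros(rule.source_wc), -wildcard_zeros(rule.dest_wc), rule.rule_id)


def ordered_rules(rules: List[Rule], match_order: str = "config") -> List[Rule]:
    if match_order == "auto":
        return sorted(rules, key=depth_first_key)
    return sorted(rules, key=lambda r: r.rule_id)


def rule_applies(rule: Rule, pkt: Packet) -> bool:
    non_first = pkt.frag_offset > 0
    if rule.fragment and not non_first:
        return False  # 'fragment' rules skip non-fragments and first fragments
    return (ip_matches(pkt.src, rule.source, rule.source_wc)
            and ip_matches(pkt.dst, rule.dest, rule.dest_wc))


def evaluate(rules: List[Rule], pkt: Packet, match_order: str = "config"):
    """First matching rule wins; comparison stops there."""
    for rule in ordered_rules(rules, match_order):
        if rule_applies(rule, pkt):
            return rule.action, rule.rule_id
    return None, None


# Constructed sample ACL (not from the page): the 'fragment' deny is placed
# first so that fabricated non-first fragments are dropped under config order.
RULES = [
    Rule(0, "deny", "10.0.0.0", "0.0.255.255", fragment=True),
    Rule(5, "permit", "10.0.0.0", "0.0.255.255"),
    Rule(10, "deny", "10.0.1.1", "0.0.0.0"),   # host rule, shadowed under config order
]

if __name__ == "__main__":
    host = Packet("10.0.1.1", "192.0.2.1")
    print("config:", evaluate(RULES, host, "config"))   # ('permit', 5): rule 10 never reached
    print("auto:  ", evaluate(RULES, host, "auto"))     # ('deny', 10): host rule sorted first
    print("non-first fragment:", evaluate(RULES, Packet("10.0.2.2", "192.0.2.1", frag_offset=185)))
    print(mac_mask_ones("FFFF-FFFF-0000") > mac_mask_ones("FFFF-0000-0000"))  # True
```

The same ordering rule is reused for Ethernet frame header ACLs with the sign flipped: mac_mask_ones counts ones because a MAC mask bit set to 1 means "must match", whereas a wildcard bit set to 0 means the same thing.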
1.3.4 IPv4 ACL Creation
An IPv4 ACL consists of a set of rules.
Before you can configure ACL rules, you must first create an IPv4 ACL.
When creating an IPv4 ACL:
• You must specify an ACL number (numeric type), and
• You can optionally specify the match order of the IPv4 ACL.
After an IPv4 ACL is created, the IPv4 ACL
view is displayed.
1.4 IPv6 ACL
This section covers these topics:
• IPv6 ACL Classification
• IPv6 ACL Match Order
1.4.1 IPv6 ACL Classification
IPv6 ACLs, identified by ACL numbers, fall into the following two categories:
• Basic IPv6 ACL, based on source IPv6 address. Basic IPv6 ACLs are numbered
2000 through 2999.
• Advanced IPv6 ACL, based on source IPv6 address, destination IPv6 address,
protocol carried on IP, and other Layer 3 or Layer 4 protocol header fields.
Advanced IPv6 ACLs are numbered 3000 through 3999.
1.4.2 IPv6 ACL Match Order
Similar to IPv4 ACLs, IPv6 ACLs are sequential
collections of rules defined with different matching parameters. The order in
which a packet is matched against the rules in an IPv6 ACL may affect how the
packet is handled.
As with IPv4 ACLs, the following two match orders are available for IPv6
ACLs:
• config: rules are compared against in the order in which they are
configured.
• auto: rules are compared against in depth-first order.
The depth-first mechanism for IPv6 ACLs matches packets against the rule that
specifies the narrower address range first. This is decided by comparing
prefix lengths: the longer the prefix length, the narrower the address range.
Consider two IPv6 addresses, 2050:6070::/96
and 2050:6070::/64. In the auto match approach, packets are matched
against the rule with the address of 2050:6070::/96 first, because that address
specifies a narrower address range compared with 2050:6070::/64. In case two
rules with the same prefix length are defined in an IPv6 ACL, the one
configured first is compared prior to the other one.
The comparison of a packet against an ACL
stops once a match is found. The packet is then processed as per the rule.
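The prefix-length comparison above, as an added example that is not the switch's own code: rules are (rule_id, action, source_prefix) tuples with rule_id reflecting configuration order, the page's two prefixes 2050:6070::/96 and 2050:6070::/64 are used as constructed sample rules, and a packet no rule matches yields (None, None) because the page does not define a default action.

```python
"""Depth-first (match-order auto) ordering for IPv6 ACL rules.

Added example for section 1.4.2; not code from the switch.
"""
from ipaddress import IPv6Address, IPv6Network
from typing import List, Tuple

Rule6 = Tuple[int, str, str]   # (rule_id, action, source prefix)


def depth_first_order(rules: List[Rule6]) -> List[Rule6]:
    """Longer prefix (narrower range) first; equal prefix lengths keep config order."""
    return sorted(rules, key=lambda r: (-IPv6Network(r[2]).prefixlen, r[0]))


def evaluate_ipv6(rules: List[Rule6], src: str, match_order: str = "config"):
    """Return (action, rule_id) of the first matching rule, or (None, None)."""
    if match_order == "auto":
        order = depth_first_order(rules)
    else:
        order = sorted(rules, key=lambda r: r[0])
    addr = IPv6Address(src)
    for rule_id, action, prefix in order:
        if addr in IPv6Network(prefix):
            return action, rule_id   # comparison stops at the first match
    return None, None


# Constructed rules using the page's prefixes; the narrower /96 is configured second.
RULES6 = [
    (0, "permit", "2050:6070::/64"),
    (5, "deny", "2050:6070::/96"),
]

if __name__ == "__main__":
    print([r[0] for r in depth_first_order(RULES6)])            # [5, 0]
    print(evaluate_ipv6(RULES6, "2050:6070::1", "config"))      # ('permit', 0)
    print(evaluate_ipv6(RULES6, "2050:6070::1", "auto"))        # ('deny', 5)
    print(evaluate_ipv6(RULES6, "2050:6070:0:0:1::1", "auto"))  # ('permit', 0): outside the /96
```

Note that under config order the /96 deny is unreachable for any address it covers, because the /64 permit configured before it already matches; auto order is what makes the narrower rule effective.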
1.4.3 IPv6 ACL Creation
An IPv6 ACL consists of a set of rules. Before you can configure IPv6 ACL
rules, you must first create an IPv6 ACL.
When creating an IPv6 ACL:
• You must specify an IPv6 ACL number (numeric type), and
• You can optionally specify the match order of the IPv6 ACL.
After an IPv6 ACL is created, the IPv6 ACL view is displayed.
Chapter 2 IPv4 ACL Configuration
This chapter covers these topics:
• Creating a Time Range
• Configuring a Basic IPv4 ACL
• Configuring an Advanced IPv4 ACL
• Configuring an Ethernet Frame Header ACL
• Displaying and Maintaining IPv4 ACLs
• IPv4 ACL Configuration Example
2.1 Creating a Time Range
Three types of time ranges are available:
• Periodic time range, which recurs periodically on the day or days of the
week.
• Absolute time range, which takes effect only in a period of time and does
not recur.
• Compound time range, which recurs on the day or days of the week within a
period.
Caution:
On the S5500-SI
Series Ethernet Switches, the start time of an absolute time range cannot be
earlier than 1970/1/1 00:00 and the end time of an absolute time range cannot
be later than 2100/12/31 24:00.
Follow these steps to create a time range:
To do…                 Use the command…                                                                                                                                            Remarks
Enter system view      system-view                                                                                                                                                 ––
Create a time range    time-range time-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }   Required
Note that:
• A periodic time range is created with the time-range time-name start-time
to end-time days command. A time range created this way recurs periodically
on the specified day or days of the week.
• An absolute time range is created with the time-range time-name { from
time1 date1 [ to time2 date2 ] | to time2 date2 } command. Unlike a periodic
time range, it does not recur. For example, to create an absolute time range
that is active from 00:00 on January 1, 2004 to 23:59 on December 31, 2004,
use the time-range test from 00:00 01/01/2004 to 23:59 12/31/2004 command.
• A compound time range is created with the time-range time-name start-time
to end-time days { from time1 date1 [ to time2 date2 ] | to time2 date2 }
command. A time range created this way recurs on the specified day or days of
the week, but only within the specified period. For example, to create a time
range that is active from 12:00 to 14:00 on Wednesdays between 00:00 on
January 1, 2004 and 23:59 on December 31, 2004, use the time-range test 12:00
to 14:00 wednesday from 00:00 01/01/2004 to 23:59 12/31/2004 command.
• You can create several time ranges with the same name. They are treated as
one time range whose active period is the result of ORing the periodic ones
together, ORing the absolute ones together, and ANDing the periodic result
with the absolute result.
• If the start time is not specified, the time range starts at the earliest
time the system supports and ends at the specified end time. If the end time
is not specified, the time range starts at the configured start time and ends
at the latest time the system supports.
• Up to 256 time ranges can be defined.
# Create a periodic time range that is active from 8:00 to 18:00 every
working day.
<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 working-day
[Sysname] display time-range test
Current time is 13:27:32 4/16/2005 Saturday
Time-range : test ( Inactive )
 08:00 to 18:00 working-day
# Create an absolute time range that is active from 15:00 2000/1/28 to 15:00
2004/1/28.
<Sysname> system-view
[Sysname] time-range test from 15:00 2000/1/28 to 15:00 2004/1/28
[Sysname] display time-range test
Current time is 13:27:32 4/16/2005 Saturday
Time-range : test ( Inactive )
 from 15:00 1/28/2000 to 15:00 1/28/2004
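The three time-range types and the OR/AND combination of same-name ranges, as an added example that is not the switch's own code. It parses the command syntax from the table above into periodic and absolute parts and evaluates whether a named range is active at a given moment; the display output above ("Saturday", "Inactive") is the reference point for the periodic case. Assumptions: dates are accepted as MM/DD/YYYY (as in the 2004 examples) or YYYY/M/D (as in the absolute example), and the earliest and latest system times are modelled as open ends.

```python
"""Periodic, absolute and compound time ranges, and how same-name ranges merge.

Added example for section 2.1; not code from the switch. Assumes dates in
MM/DD/YYYY or YYYY/M/D form and open ends for unspecified start/end times.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Optional, Set

DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_GROUPS = {"working-day": set(range(5)), "off-day": {5, 6}, "daily": set(range(7))}


def _parse_clock(tok: str) -> time:
    parts = [int(p) for p in tok.split(":")]
    return time(parts[0], parts[1], parts[2] if len(parts) > 2 else 0)


def _parse_stamp(clock: str, date: str) -> datetime:
    a, b, c = (int(x) for x in date.split("/"))
    year, month, day = (a, b, c) if a > 31 else (c, a, b)   # YYYY/M/D or MM/DD/YYYY
    t = _parse_clock(clock)
    return datetime(year, month, day, t.hour, t.minute, t.second)


@dataclass
class Periodic:
    start: time
    end: time
    days: Set[int]   # weekday numbers, Monday = 0

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= now.time() <= self.end


@dataclass
class Absolute:
    start: Optional[datetime]   # None: earliest system time
    end: Optional[datetime]     # None: latest system time

    def active(self, now: datetime) -> bool:
        return (self.start is None or self.start <= now) and (self.end is None or now <= self.end)


@dataclass
class TimeRange:
    periodic: List[Periodic] = field(default_factory=list)
    absolute: List[Absolute] = field(default_factory=list)

    def active(self, now: datetime) -> bool:
        """OR within the periodic group, OR within the absolute group, AND across groups."""
        periodic_ok = any(p.active(now) for p in self.periodic) if self.periodic else True
        absolute_ok = any(a.active(now) for a in self.absolute) if self.absolute else True
        return periodic_ok and absolute_ok


def time_range(store: Dict[str, TimeRange], command: str) -> TimeRange:
    """Apply one 'time-range name ...' command; a repeated name merges into one range."""
    toks = command.split()
    if toks[0] != "time-range":
        raise ValueError("expected a time-range command")
    name, rest = toks[1], toks[2:]
    tr = store.setdefault(name, TimeRange())
    i = 0
    if len(rest) >= 3 and ":" in rest[0] and rest[1] == "to":   # start-time to end-time days
        start, end, i = _parse_clock(rest[0]), _parse_clock(rest[2]), 3
        days: Set[int] = set()
        while i < len(rest) and rest[i] not in ("from", "to"):
            d = rest[i]
            if d in DAY_GROUPS:
                days |= DAY_GROUPS[d]
            elif d in DAY_NAMES:
                days.add(DAY_NAMES.index(d))
            else:
                raise ValueError(f"unknown day keyword {d}")
            i += 1
        tr.periodic.append(Periodic(start, end, days))
    if i < len(rest):                                           # from time1 date1 / to time2 date2
        a_start = a_end = None
        if rest[i] == "from":
            a_start, i = _parse_stamp(rest[i + 1], rest[i + 2]), i + 3
        if i < len(rest) and rest[i] == "to":
            a_end, i = _parse_stamp(rest[i + 1], rest[i + 2]), i + 3
        tr.absolute.append(Absolute(a_start, a_end))
    return tr


def active_at(store: Dict[str, TimeRange], name: str, clock: str, date: str) -> bool:
    """Is the named time range active at the given clock time and date?"""
    return store[name].active(_parse_stamp(clock, date))


if __name__ == "__main__":
    store: Dict[str, TimeRange] = {}
    time_range(store, "time-range test 8:00 to 18:00 working-day")
    print(active_at(store, "test", "13:27:32", "4/16/2005"))   # False: Saturday, as in the display above
    time_range(store, "time-range test from 00:00 01/01/2004 to 23:59 12/31/2004")
    print(active_at(store, "test", "09:00", "07/05/2004"))     # True: Monday inside the 2004 period
```

Because the merge ANDs the periodic result with the absolute result, adding an absolute range under an existing periodic name narrows it rather than widening it; that is the behaviour to check before reusing a name.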
2.2 Configuring a Basic IPv4 ACL
Basic IPv4 ACLs filter packets based on
source IP address. They are numbered in the range 2000 to 2999.
If you want to reference a time range in a rule, define it with the
time-range command first.
Follow these steps to configure a basic IPv4
ACL:
To do…                                   Use the command…                                              Remarks
Enter system view                        system-view                                                   ––
Create and enter a basic IPv4 ACL view   acl number acl-number [ match-order { config | auto } ]       Required. The default match order is config.
Create or modify a rule                  rule [ rule-id ] { permit | deny } [ rule-string ]            Required. To create multiple rules, repeat this step.
Set a rule numbering step                step step-value                                               Optional. The default step is 5.
Create an ACL description                description text                                              Optional
Create a rule description                rule rule-id comment text                                     Optional
When configuring a rule, note that:
• You cannot create or modify a rule whose permit/deny statement is exactly
the same as that of an existing rule. In addition, when the ACL match order is
auto rather than config, you cannot modify existing ACL rules.
• You do not have to assign IDs to ACL rules when defining them. The system
can assign rule IDs automatically, starting from 0 and increasing by the rule
numbering step. An ID assigned this way is the smallest multiple of the step
that is greater than the current highest rule ID. For example, if the step is
5 and the current highest rule ID is 28, the next rule is numbered 30.
• A newly defined rule cannot be identical to any existing rule; otherwise the
rule is not created and the system prompts that the rule already exists.
• Rules in an ACL created with the auto keyword are sorted according to the
depth-first principle regardless of the order in which they are created. The
ID of each rule, however, does not change.
Caution:
• You can change the match order of an ACL with the acl number acl-number
match-order { auto | config } command only when the ACL contains no rules.
• You can use the rule comment command only for existing ACL rules.
# Create IPv4 ACL 2000 to deny packets with the source address 1.1.1.1.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule deny source 1.1.1.1 0
# Verify the configuration.
[Sysname-acl-basic-2000] display acl 2000
Basic ACL 2000, 1 rule,
ACL's step is 5
 rule 0 deny source 1.1.1.1 0 (0 times matched)
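The rule-creation constraints listed in the notes and caution of this section (the same notes are repeated for advanced and Ethernet frame header ACLs), as an added example that is not the switch's own code: automatic rule IDs from the numbering step, rejection of duplicate statements, no modification under auto match order, match-order changes only on an empty ACL, and comments only on existing rules. Rule statements are compared as whitespace-normalised strings, an assumption made here to stand in for the device's own comparison of permit/deny statements; the ACL numbers and statements are constructed for the example.

```python
"""Model of the rule-numbering and rule-creation constraints of section 2.2.

Added example; not code from the switch. Duplicate detection compares
whitespace-normalised statement strings (an assumption of this model).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


class AclError(Exception):
    """Raised where the device would refuse the operation with a prompt."""


@dataclass
class Rule:
    rule_id: int
    statement: str            # e.g. "deny source 1.1.1.1 0"
    comment: Optional[str] = None


@dataclass
class Acl:
    number: int
    match_order: str = "config"
    step: int = 5
    rules: Dict[int, Rule] = field(default_factory=dict)

    def next_rule_id(self) -> int:
        """0 for an empty ACL; otherwise the smallest multiple of the step
        greater than the current highest rule ID (step 5, highest 28 -> 30)."""
        if not self.rules:
            return 0
        return (max(self.rules) // self.step + 1) * self.step

    def rule(self, statement: str, rule_id: Optional[int] = None) -> Rule:
        stmt = " ".join(statement.split())
        if any(r.statement == stmt for r in self.rules.values()):
            raise AclError("the rule already exists")
        if rule_id is None:
            rule_id = self.next_rule_id()
        elif rule_id in self.rules:
            if self.match_order == "auto":
                raise AclError("rules cannot be modified when match order is auto")
            self.rules[rule_id].statement = stmt   # modified in place; ID unchanged
            return self.rules[rule_id]
        self.rules[rule_id] = Rule(rule_id, stmt)
        return self.rules[rule_id]

    def rule_comment(self, rule_id: int, text: str) -> None:
        if rule_id not in self.rules:
            raise AclError("rule comment applies to existing rules only")
        self.rules[rule_id].comment = text

    def set_match_order(self, order: str) -> None:
        if self.rules:
            raise AclError("match order can be changed only while the ACL has no rules")
        self.match_order = order


def raises(fn: Callable[[], object]) -> bool:
    """True if fn() is refused with AclError; used to show rejected operations."""
    try:
        fn()
    except AclError:
        return True
    return False


if __name__ == "__main__":
    acl = Acl(2000)
    acl.rule("deny source 1.1.1.1 0")                          # rule 0
    acl.rule("permit source 10.0.0.0 0.0.255.255", 28)         # explicit ID 28
    print(acl.rule("deny source 2.2.2.2 0").rule_id)            # 30
    print(raises(lambda: acl.rule("deny source 1.1.1.1 0")))    # True: duplicate statement
    print(raises(lambda: acl.set_match_order("auto")))          # True: ACL is not empty
    print(raises(lambda: acl.rule_comment(99, "x")))            # True: no rule 99
```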
2.3 Configuring an Advanced IPv4 ACL
Advanced IPv4 ACLs filter packets based on source IP address, destination IP
address, the upper-layer protocol carried in IP, and other protocol header
fields such as the TCP/UDP source port, TCP/UDP destination port, ICMP message
type, and ICMP message code.
In addition, advanced ACLs let you filter packets based on three priority
criteria: type of service (ToS), IP precedence, and differentiated services
code point (DSCP).
Advanced ACLs are numbered in the range 3000 to 3999. Compared with basic
ACLs, they allow more flexible and precise filtering.
• When you configure both IP precedence and ToS priority in a rule, both are
valid.
• When you configure DSCP together with IP precedence or ToS priority in a
rule, only DSCP is valid.
If you want to reference a time range in a rule, define it with the
time-range command first.
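Why both precedence and ToS can be honoured while DSCP overrides them follows from the layout of the IPv4 TOS byte, which the two notes above do not spell out. The following is an added example, not code from the switch: IP precedence is the top 3 bits of the byte (RFC 791), the 4 ToS bits follow it (RFC 1349), and DSCP is the top 6 bits of the same byte (RFC 2474), so precedence and ToS occupy disjoint bits while DSCP overlaps both. The sample byte 0xB8 is constructed for the example.

```python
"""TOS/DS byte layout behind the precedence, ToS and DSCP match criteria.

Added example; not code from the switch. Masks follow RFC 791 / 1349 / 2474.
"""
PRECEDENCE_MASK = 0xE0   # bits 0-2 of the TOS byte (RFC 791)
TOS_MASK = 0x1E          # bits 3-6, the four ToS bits (RFC 1349)
DSCP_MASK = 0xFC         # bits 0-5, the DS code point (RFC 2474)


def tos_byte_fields(tos_byte: int) -> dict:
    """Split one TOS/DS byte into the three values an advanced ACL can match on."""
    if not 0 <= tos_byte <= 0xFF:
        raise ValueError("TOS byte out of range")
    return {
        "precedence": (tos_byte & PRECEDENCE_MASK) >> 5,
        "tos": (tos_byte & TOS_MASK) >> 1,
        "dscp": (tos_byte & DSCP_MASK) >> 2,
    }


def fields_overlap(mask_a: int, mask_b: int) -> bool:
    """True if the two match criteria read at least one common bit."""
    return (mask_a & mask_b) != 0


if __name__ == "__main__":
    print(tos_byte_fields(0xB8))   # {'precedence': 5, 'tos': 12, 'dscp': 46}: DSCP 46 is EF
    print(fields_overlap(PRECEDENCE_MASK, TOS_MASK))   # False: both can be honoured in one rule
    print(fields_overlap(DSCP_MASK, PRECEDENCE_MASK), fields_overlap(DSCP_MASK, TOS_MASK))  # True True
```

A rule that sets DSCP together with precedence or ToS would therefore constrain the same bits twice, possibly inconsistently, which is why the device lets DSCP win.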
Follow these steps to configure an advanced
IPv4 ACL:
To do…                                       Use the command…                                              Remarks
Enter system view                            system-view                                                   ––
Create and enter an advanced IPv4 ACL view   acl number acl-number [ match-order { config | auto } ]       Required. The default match order is config.
Create or modify a rule                      rule [ rule-id ] { permit | deny } protocol [ rule-string ]   Required. To create multiple rules, repeat this step.
Set a rule numbering step                    step step-value                                               Optional. The default step is 5.
Create an ACL description                    description text                                              Optional
Create a rule description                    rule rule-id comment text                                     Optional
When configuring a rule, note that:
• You cannot create or modify a rule whose permit/deny statement is exactly
the same as that of an existing rule. In addition, when the ACL match order is
auto rather than config, you cannot modify existing ACL rules.
• You do not have to assign IDs to ACL rules when defining them. The system
can assign rule IDs automatically, starting from 0 and increasing by the rule
numbering step. An ID assigned this way is the smallest multiple of the step
that is greater than the current highest rule ID. For example, if the step is
5 and the current highest rule ID is 28, the next rule is numbered 30.
• A newly defined rule cannot be identical to any existing rule; otherwise the
rule is not created and the system prompts that the rule already exists.
• Rules in an ACL created with the auto keyword are sorted according to the
depth-first principle regardless of the order in which they are created. The
ID of each rule, however, does not change.
Caution:
• You can change the match order of an ACL with the acl number acl-number
match-order { auto | config } command only when the ACL contains no rules.
• You can use the rule comment command only for existing ACL rules.
# Create IPv4 ACL 3000 to permit TCP packets with destination port 80 sent
from 129.9.0.0/16 to 202.38.160.0/24.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
# Verify the configuration.
[Sysname-acl-adv-3000] display acl 3000
Advanced ACL 3000, 1 rule,
ACL's step is 5
 rule 0 permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www (0 times matched)
2.4 Configuring an Ethernet Frame Header
ACL
Ethernet frame header ACLs filter packets
based on Layer 2 protocol header fields such as source MAC address, destination
MAC address, 802.1p priority, and link layer protocol type. They are numbered
in the range 4000 to 4999.
If you want to reference a time range in a rule, define it with the
time-range command first.
Follow these steps to configure an Ethernet
frame header ACL:
To do…                                              Use the command…                                              Remarks
Enter system view                                   system-view                                                   ––
Create and enter an Ethernet frame header ACL view  acl number acl-number [ match-order { config | auto } ]       Required. The default match order is config.
Create or modify a rule                             rule [ rule-id ] { permit | deny } [ rule-string ]            Required. To create multiple rules, repeat this step.
Set a rule numbering step                           step step-value                                               Optional. The default step is 5.
Create an ACL description                           description text                                              Optional
Create a rule description                           rule rule-id comment text                                     Optional
When configuring a rule, note that:
• You cannot create or modify a rule whose permit/deny statement is exactly
the same as that of an existing rule. In addition, when the ACL match order is
auto rather than config, you cannot modify existing ACL rules.
• You do not have to assign IDs to ACL rules when defining them. The system
can assign rule IDs automatically, starting from 0 and increasing by the rule
numbering step. An ID assigned this way is the smallest multiple of the step
that is greater than the current highest rule ID. For example, if the step is
5 and the current highest rule ID is 28, the next rule is numbered 30.
• A newly defined rule cannot be identical to any existing rule; otherwise the
rule is not created and the system prompts that the rule already exists.
• Rules in an ACL created with the auto keyword are sorted according to the
depth-first principle regardless of the order in which they are created. The
ID of each rule, however, does not change.
Caution:
• You can change the match order of an ACL with the acl number acl-number
match-order { auto | config } command only when the ACL contains no rules.
•
You can use the rul