Huawei switches support ACLs for filtering IPv4 packets, ACL6s for filtering IPv6 packets, and Layer 2 ACLs and user-defined ACLs that can filter both IPv4 and IPv6 packets. Table 1 lists the ACL types supported by switches.

Category | IP Version | Rule Definition Description | Number Range
---|---|---|---
Basic ACL | IPv4 | Defines rules based on source IP addresses, fragmentation information, and time ranges. | 2000-2999
Advanced ACL | IPv4 | Defines rules based on source IPv4 addresses, destination IPv4 addresses, IPv4 protocol types, ICMP types, TCP source/destination port numbers, UDP source/destination port numbers, and time ranges. | 3000-3999
Layer 2 ACL | IPv4&IPv6 | Defines rules based on information in Ethernet frame headers of packets, such as the source MAC addresses, destination MAC addresses, and Layer 2 protocol types. | 4000-4999
User-defined ACL | IPv4&IPv6 | Defines rules based on packet headers, offsets, character string masks, and user-defined character strings. The ACL performs an AND operation on the packet bytes from a certain position behind the packet header and the character string mask. Then, the ACL compares the extracted character string against the user-defined character string. | 5000-5999
User ACL | IPv4 | Defines rules based on source IPv4 addresses or user control list (UCL) groups/destination IPv4 addresses or destination UCL groups, IPv4 protocol types, ICMP types, TCP source/destination port numbers, and UDP source/destination port numbers. | 6000-9999
Basic ACL6 | IPv6 | Defines rules based on source IPv6 addresses, fragmentation information, and time ranges. | 2000-2999
Advanced ACL6 | IPv6 | Defines rules based on source IPv6 addresses, destination IPv6 addresses, IPv6 protocol types, ICMPv6 types, TCP source/destination port numbers, UDP source/destination port numbers, and time ranges. | 3000-3999
User ACL6 | IPv6 | Defines rules based on source IPv6 addresses or UCL groups/destination IPv6 addresses, IPv6 protocol types, ICMPv6 types, TCP source/destination port numbers, and UDP source/destination port numbers. | 6000-9999
Huawei switches support various ACL matching conditions. The following describes the commonly used conditions.
Time range
ACLs support packet filtering based on time ranges (using the time-range time-name command). For details about time ranges, see Time Range.
Protocol type carried by IP
Format: protocol-number | icmp | tcp | udp | gre | igmp | ip | ipinip | ospf
This matching condition is supported only by advanced ACLs. An advanced ACL can filter packets based on protocol types, which are listed in the following table.
Protocol Type | Protocol Number
---|---
ICMP | 1
TCP | 6
UDP | 17
GRE | 47
IGMP | 2
IPinIP | 4
OSPF | 89
The value ip indicates any IP layer protocol. The protocol number ranges from 1 to 255.
```
rule deny ip //Reject IP packets.
```
Source/Destination IP addresses and wildcard masks
Format of the source IP address and wildcard mask: source { source-address source-wildcard | any }
Format of destination IP address and wildcard mask: destination { destination-address destination-wildcard | any }
Basic ACLs can filter packets based on source IP addresses, and advanced ACLs can filter packets based on both source and destination IP addresses.
When the source or destination IP address is specified as a matching condition, a wildcard mask must be specified to exactly determine an address range.
The format of an IP address wildcard mask is the same as that of an inverse subnet mask (a 32-bit numeric string). A wildcard mask specifies which bits of an IP address are checked: a 0 bit in the mask means "check" and a 1 bit means "do not check." An IP address subnet mask must consist of contiguous 1s followed by contiguous 0s, whereas a wildcard mask can have discontinuous 0s and 1s.
The wildcard mask can be set to 255.255.255.255 or 0 (equivalent to 0.0.0.0). The value 255.255.255.255 indicates any IP address, which is equivalent to the keyword any. The value 0 indicates that the source/destination address is a host address.
For example, in the following rule, the specified IP address wildcard mask indicates that all IP packets from the network segment 192.168.1.0/24 are permitted:
```
rule 5 permit ip source 192.168.1.0 0.0.0.255
```
In this rule, the wildcard mask 0.0.0.255 indicates that only the bits in the first three octets of an IP address are checked. Packets are permitted only if the first 24 bits of the source IP address are the same as the first 24 bits of the specified IP address, which are 192.168.1 in this example. That is, only the packets sent from the IP address segment 192.168.1.0/24 are permitted. Table 3 illustrates how the wildcard mask is used to determine an address range.
Item | Decimal | Binary
---|---|---
Specified IP address | 192.168.1.0 | 11000000.10101000.00000001.00000000
Wildcard mask | 0.0.0.255 | 00000000.00000000.00000000.11111111
Determined address range | 192.168.1.* (* indicates an integer between 0 and 255) | 11000000.10101000.00000001.xxxxxxxx (x can be 0 or 1)
Table 4 gives more examples of determining an address range by IP address and wildcard mask.
IP Address | Wildcard Mask | Determined Address Range
---|---|---
0.0.0.0 | 255.255.255.255 | Any IP address
172.18.0.0 | 0.0.255.255 | IP addresses on the network segment 172.18.0.0/16
172.18.5.2 | 0.0.0.0 | Only host address 172.18.5.2
172.18.8.0 | 0.0.0.7 | IP addresses on the network segment 172.18.8.0/29
172.18.8.8 | 0.0.0.7 | IP addresses on the network segment 172.18.8.8/29
10.1.2.0 | 0.0.254.255 (discontinuous 1s and 0s in the wildcard mask) | IP addresses in the range 10.1.0.0/24 to 10.1.254.0/24 that have an even number in the third byte, for example, 10.1.0.0/24, 10.1.2.0/24, 10.1.4.0/24, and 10.1.6.0/24
Source/Destination MAC addresses and wildcard masks
Format of the source MAC address and wildcard mask: source-mac source-mac-address [ source-mac-mask ]
Format of the destination MAC address and wildcard mask: destination-mac dest-mac-address [ dest-mac-mask ]
Only Layer 2 ACLs can filter packets based on source and destination MAC addresses.
When the source or destination MAC address is specified as a matching condition, a wildcard mask can be specified to exactly determine an address range.
The format of a MAC address wildcard mask is the same as that of a MAC address (hexadecimal). A MAC address wildcard mask consists of 6 bytes (48 bits) and indicates which bits of a MAC address are checked. Unlike an IP address wildcard mask, a MAC address wildcard mask uses the value 1 to mean "check" and the value 0 to mean "do not check." If no wildcard mask is specified, the default mask ffff-ffff-ffff is used, indicating that every bit of the MAC address is checked.
Table 5 illustrates how a MAC address and a wildcard mask determine an address range.
VLAN ID and mask
Format of the outer VLAN ID and mask: vlan-id vlan-id [ vlan-id-mask ]
Format of the inner VLAN ID and mask: cvlan-id cvlan-id [ cvlan-id-mask ]
Layer 2 ACLs can filter packets based on outer and inner VLAN IDs.
When a VLAN ID is specified as a matching condition, a VLAN mask can be specified to exactly determine a VLAN range.
A VLAN mask is in hexadecimal format, ranging from 0x0 to 0xFFF. If no VLAN mask is specified, the default mask 0xFFF is used, indicating that every bit of the VLAN ID is checked.
Table 6 illustrates how a VLAN ID and a mask determine a VLAN range.
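The two mask conventions described above (IP wildcard masks where 0 means "check", and MAC/VLAN masks where 1 means "check") as an added Python illustration that is not part of the Huawei documentation. It reproduces the Table 4 examples, including the discontinuous mask 0.0.254.255, and applies the same logic to MAC and VLAN masks; the function names are my own.

```python
from ipaddress import IPv4Address

def ip_wildcard_match(addr, base, wildcard):
    """IP wildcard semantics: a 0 bit is checked, a 1 bit is ignored."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def ip_prefix_length(wildcard):
    """Prefix length for a contiguous wildcard (0.0.0.255 -> 24); None if discontinuous."""
    w = int(IPv4Address(wildcard))
    n = 32 - w.bit_length()            # leading 0 bits of the wildcard = checked prefix
    return n if w == (1 << (32 - n)) - 1 else None

def ip_wildcard_range(base, wildcard):
    """Enumerate every address selected by base/wildcard (only sensible for small ranges)."""
    b, w = int(IPv4Address(base)), int(IPv4Address(wildcard))
    free = [i for i in range(32) if w >> i & 1]   # bit positions that are not checked
    for combo in range(1 << len(free)):
        v = b & ~w                                 # checked bits are fixed to the base
        for k, bit in enumerate(free):
            if combo >> k & 1:
                v |= 1 << bit
        yield str(IPv4Address(v))

def mac_match(mac, base, mask="ffff-ffff-ffff"):
    """MAC mask semantics (inverted): a 1 bit is checked; default checks all 48 bits."""
    def to_int(s):
        return int(s.replace("-", ""), 16)
    m = to_int(mask)
    return to_int(mac) & m == to_int(base) & m

def vlan_range(base, mask=0xFFF):
    """VLAN masks use the same 1 = check convention; return all matching IDs in 1..4094."""
    return [v for v in range(1, 4095) if v & mask == base & mask]
```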
TCP/UDP port number
Format of the source port number: source-port { eq port | gt port | lt port | range port-start port-end }
Format of the destination port number: destination-port { eq port | gt port | lt port | range port-start port-end }
When the protocol type of an advanced ACL is specified as TCP or UDP, the device can match packets against the TCP or UDP source/destination port number.
TCP or UDP port numbers can be represented numerically or by character strings (aliases). For example, rule deny tcp destination-port eq 80 can be written as rule deny tcp destination-port eq www. For commonly used TCP or UDP port numbers and their aliases, see the mappings between TCP or UDP source or destination port numbers and values in rule.
TCP flag
Format: tcp-flag { ack | established | fin | psh | rst | syn | urg }*
When the TCP protocol is specified in an advanced ACL, the device filters packets based on the TCP flag.
A TCP packet header contains 6 flag bits: ack (acknowledge), fin (finish), psh (push), rst (reset), syn (synchronize), and urg (urgent).
The keyword established matches TCP packets in which the ack or rst flag bit is set to 1.
ACL rules with the keyword tcp-flag specified can implement unidirectional access control. For example, it is required that users on the network segment 192.168.1.0/24 can access the network segment 192.168.2.0/24, but access in the opposite direction be prohibited. To meet this requirement, you can apply an ACL rule to the inbound direction of the interface connecting to the network segment 192.168.2.0/24.
Reply packets of an existing TCP connection have the ack or rst flag set to 1, whereas the initial SYN packet of a new connection has neither flag set. Therefore, configure ACL rules that permit only acknowledgement and reset TCP packets and deny other TCP packets. In this way, TCP connection requests initiated from the network segment 192.168.2.0/24 are blocked.
Rule 1: Configure ACL rules with the keywords ack and rst specified.
```
rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack //Permit the TCP packets with the ACK value of 1.
rule 10 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst //Permit the TCP packets with the RST value of 1.
rule 15 deny tcp source 192.168.2.0 0.0.0.255 //Deny other TCP packets.
```
Rule 2: Configure ACL rules with the keyword established specified.
```
rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag established //established indicates that the ack or rst value is 1. Therefore, acknowledgement or reset TCP packets are permitted.
rule deny tcp source 192.168.2.0 0.0.0.255 //Reject other TCP packets.
```
IP fragmentation
Format: fragment
Basic and advanced ACLs can filter packets based on IP fragmentation information.
The fragments of an IP packet include the initial fragment and non-initial fragments. Only the initial fragment contains Layer 4 information, such as the TCP or UDP port number. A network device checks whether a received fragment is the last fragment. If it is not, the device allocates memory for it and reassembles the fragments after the last fragment is received. The device does not release the memory until the last fragment arrives and all fragments are reassembled. This behaviour can be abused: an attacker may keep sending fragments to a device without ever sending the last fragment, so the reassembly memory is never released.
To prevent fragment packet attacks, you can specify the keyword fragment in an ACL rule to block non-initial fragments.
Table 7 describes how ACLs process non-fragment packets, initial fragments, and non-initial fragments.
Matching Conditions in a Rule | Non-fragment Packet | Initial Fragment | Non-initial Fragment
---|---|---|---
Layer 3 information (such as source or destination IP address) | If Layer 3 information is matched, the result (permit or deny) is returned; otherwise, the packet is matched against the next rule. | If Layer 3 information is matched, the result (permit or deny) is returned; otherwise, the fragment is matched against the next rule. | If Layer 3 information is matched, the result (permit or deny) is returned; otherwise, the fragment is matched against the next rule.
Layer 3 information and Layer 4 information (such as TCP or UDP port number) | If both Layer 3 and Layer 4 information is matched, the result (permit or deny) is returned; otherwise, the packet is matched against the next rule. | If both Layer 3 and Layer 4 information is matched, the result (permit or deny) is returned; otherwise, the fragment is matched against the next rule. | The non-initial fragment is not matched against this rule; the next rule is applied.
Layer 3 information and fragment | The non-fragment packet is not matched against this rule; the next rule is applied. | The initial fragment is not matched against this rule; the next rule is applied. | If Layer 3 information is matched, the result (permit or deny) is returned; otherwise, the fragment is matched against the next rule.
For example, ACL 3012 contains the following rules:
```
#
acl number 3012
 rule 5 deny tcp destination 192.168.2.2 0 fragment
 rule 10 permit tcp destination 192.168.2.2 0 destination-port eq www
 rule 15 deny ip
#
```
For a non-fragment packet or initial fragment: If the destination port number is 80 (www), the packet is permitted by rule 10. If the destination port number of the packet is not 80, the packet is denied by rule 15.
For a non-initial fragment: The packet is denied by rule 5.
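The unidirectional tcp-flag rules and the ACL 3012 fragment example above, replayed through a small Python simulation of the Table 7 matching logic. This is added illustration code, not Huawei software: the packet summaries are constructed, the rule dictionaries are my transcription of the page's rules, and the default action for a packet that matches no rule is an assumption passed as a parameter.

```python
from ipaddress import IPv4Address

def wildcard_match(addr, base, wildcard):
    """IP wildcard: 0 bits are checked, 1 bits are ignored."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def packet(proto, src, dst, dport=None, flags=(), frag="none"):
    """Constructed packet summary; frag is 'none', 'initial' or 'non-initial'."""
    return {"proto": proto, "src": src, "dst": dst, "dport": dport,
            "flags": set(flags), "frag": frag}

def rule_matches(rule, pkt):
    """Apply one advanced-ACL rule to a packet, following Table 7 for fragments."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    for side in ("src", "dst"):                        # Layer 3 conditions
        if side in rule and not wildcard_match(pkt[side], *rule[side]):
            return False
    if rule.get("fragment"):                           # L3 + fragment: non-initial only
        return pkt["frag"] == "non-initial"
    if "dport" in rule or "flags" in rule:             # L3 + L4 conditions
        if pkt["frag"] == "non-initial":               # no L4 header: rule is skipped
            return False
        if "dport" in rule and pkt["dport"] != rule["dport"]:
            return False
        if "flags" in rule:                            # established = ack or rst set
            want = {"ack", "rst"} if rule["flags"] == "established" else {rule["flags"]}
            if not want & pkt["flags"]:
                return False
    return True

def evaluate(acl, pkt, default="permit"):
    """First matching rule wins; 'default' (assumed) applies when no rule matches."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule["action"], rule["id"]
    return default, None

# ACL 3012 from the page, transcribed into the dict form used above ("0" -> 0.0.0.0)
ACL_3012 = [
    {"id": 5, "action": "deny", "proto": "tcp", "dst": ("192.168.2.2", "0.0.0.0"), "fragment": True},
    {"id": 10, "action": "permit", "proto": "tcp", "dst": ("192.168.2.2", "0.0.0.0"), "dport": 80},
    {"id": 15, "action": "deny", "proto": "ip"},
]
# Unidirectional-access ACL (the 'established' variant), applied inbound from 192.168.2.0/24
ACL_ONE_WAY = [
    {"id": 5, "action": "permit", "proto": "tcp", "src": ("192.168.2.0", "0.0.0.255"), "flags": "established"},
    {"id": 10, "action": "deny", "proto": "tcp", "src": ("192.168.2.0", "0.0.0.255")},
]
```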