
Default ACL Actions and Mechanisms of Different Service Modules

Applying ACLs to Service Modules

After an ACL is configured, it must be applied to a service module so that the ACL rules can be delivered and take effect.

In most cases, an ACL is applied to a traffic policy or simplified traffic policy. This lets the device deliver the ACL rules globally, in a VLAN, or on an interface to filter packets to be forwarded. An ACL can also be applied to other service modules, such as Telnet, FTP, and routing.

Table 1 describes how the service modules process ACLs.

Table 1 Applying ACLs to service modules

| Service | Usage Scenario | Service Module |
|---|---|---|
| Filtering packets to be forwarded | The device filters received packets globally, on an interface, or in a VLAN, and then discards, modifies priorities of, or redirects the filtered packets. For example, you can apply ACLs to filter packets between different network segments, prohibit specified hosts from accessing the network during a specified time, or reduce the service level for bandwidth-consuming services (such as P2P downloading and online video). When network congestion occurs, these bandwidth-consuming service packets are discarded first. | Traffic policy and simplified traffic policy |
| Filtering packets to be sent to the CPU | If too many protocol packets are sent to the CPU, the CPU usage increases and CPU performance may be degraded. The device needs to restrict the packets to be sent to the CPU. For example, when a user sends a large number of ARP attack packets to the device, the CPU becomes busy and service is interrupted. You can apply an ACL to the local attack defense service and add the user to the blacklist so that the CPU discards the packets from this user. | Blacklist |
| Login control | The device controls the access permission of users. Only authorized users can log in to the device; other users cannot log in without permission. This ensures network security. For example, only the administrator is allowed to log in to the device. You can apply an ACL to the Telnet service and specify the hosts that can log in to the device or the hosts that cannot log in. | Telnet, STelnet, FTP, SFTP, HTTP, SNMP |
| Route filtering | ACLs can be applied to various dynamic routing protocols to filter advertised and received routes and multicast groups. For example, you can apply an ACL to a routing policy to filter routing information and prevent the device from sending routes of a network segment to the neighboring router. | BGP, IS-IS, OSPF, OSPFv3, RIP, RIPng, multicast protocol |

Default ACL Actions and Mechanisms

When an ACL is applied to service modules, the modules take different actions on the packets that are matched against ACL rules.

For example, an ACL with rules configured is applied to a traffic policy with the default action of permit. If a packet does not match any ACL rules, it is permitted. In contrast, an ACL with rules configured is applied to the Telnet module with the default action of deny. If a packet does not match any ACL rules, it is rejected.

The blacklist module processes ACLs differently. After an ACL is applied to a blacklist, packets matching any ACL rule are discarded, regardless of whether the matched rule is a permit or a deny rule.

Table 2, Table 3, and Table 4 provide the default ACL actions and mechanisms taken by each service module.

Table 2 Default ACL actions and mechanisms of different service modules

| Default ACL Actions and Mechanisms | Telnet | STelnet | HTTP | FTP | TFTP |
|---|---|---|---|---|---|
| Default ACL Action | deny | deny | deny | deny | deny |
| Packets Match the permit Rule | permit (login allowed) | permit (login allowed) | permit (login allowed) | permit (login allowed) | permit (login allowed) |
| Packets Match the deny Rule | deny (login not allowed) | deny (login not allowed) | deny (login not allowed) | deny (login not allowed) | deny (login not allowed) |
| Packets Do Not Match Any Rule in an ACL | deny (login not allowed) | deny (login not allowed) | deny (login not allowed) | deny (login not allowed) | deny (login not allowed) |
| An ACL Does Not Contain Rules | permit (login allowed) | permit (login allowed) | permit (login allowed) | permit (login allowed) | permit (login allowed) |
| ACL Is Not Created | permit (login allowed) | permit (login allowed) | permit (login allowed) | permit (login allowed) | permit (login allowed) |

Table 3 Default ACL actions and mechanisms of different service modules

| Default ACL Actions and Mechanisms | SFTP | SNMP | Traffic Policy | Simplified Traffic Policy | Local Attack Defense Policy (Blacklist) |
|---|---|---|---|---|---|
| Default ACL Action | deny | deny | permit | permit | permit |
| Packets Match the permit Rule | permit (login allowed) | permit (login allowed) | • When the traffic behavior is permit, the packets are forwarded. • When the traffic behavior is deny, the packets are discarded. • When the traffic behavior is neither permit nor deny, the packets are forwarded (action in the traffic policy). | permit (The device takes the action defined in the simplified traffic policy.) | deny (discarded) |
| Packets Match the deny Rule | deny (login not allowed) | deny (login not allowed) | deny (discarded) NOTE: The switch takes the action defined in the traffic behavior only when the traffic behavior is traffic statistics collection, MAC address learning disabled, or traffic mirroring. | • When the action in the simplified traffic policy is traffic-filter or traffic-secure: deny • When the action in the simplified traffic policy is neither traffic-filter nor traffic-secure: permit | deny (discarded) |
| Packets Do Not Match Any Rule in an ACL | deny (login not allowed) | deny (login not allowed) | permit (The traffic policy does not take effect, and packets are forwarded without the restriction of the traffic policy.) | permit (The simplified traffic policy does not take effect, and packets are forwarded without the restriction of the simplified traffic policy.) | permit (The blacklist does not take effect, and packets are forwarded.) |
| An ACL Does Not Contain Rules | permit (login allowed) | permit (login allowed) | permit (The traffic policy does not take effect, and packets are forwarded without the restriction of the traffic policy.) | permit (The simplified traffic policy does not take effect, and packets are forwarded without the restriction of the simplified traffic policy.) | permit (The blacklist does not take effect, and packets are forwarded.) |
| ACL Is Not Created | permit (login allowed) | permit (login allowed) | permit (The traffic policy does not take effect, and packets are forwarded without the restriction of the traffic policy.) | permit (The simplified traffic policy does not take effect, and packets are forwarded without the restriction of the simplified traffic policy.) | permit (The blacklist does not take effect, and packets are forwarded.) |
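The rows of Tables 2 and 3 can be checked mechanically. The following is an added example written for this page, not Huawei's code: it models a subset of the tables (the login modules, a traffic policy with a permit or deny traffic behavior, and the blacklist) and flags the configurations under which an ACL applied to a login module restricts nothing. Rule sources are written as CIDR prefixes, a modelling simplification rather than the device's wildcard-mask syntax; `Rule`, `Acl`, `decide` and `audit_login_acl` are names chosen here.

```python
# Added example (not Huawei's code): a model of the per-module ACL semantics
# in Tables 2 and 3. CIDR prefixes stand in for the device's wildcard masks.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    action: str   # "permit" or "deny"
    source: str   # CIDR prefix the packet's source address must fall in


@dataclass
class Acl:
    rules: List[Rule] = field(default_factory=list)


# Module groups and their default ACL action, as given in Tables 2 and 3.
LOGIN_MODULES = {"telnet", "stelnet", "http", "ftp", "tftp", "sftp", "snmp"}  # default deny
TRAFFIC_POLICY = "traffic-policy"                                            # default permit
BLACKLIST = "blacklist"                                                      # any match discarded


def first_match(acl: Acl, src: str) -> Optional[Rule]:
    """Return the first rule whose source prefix contains src, or None."""
    addr = ip_address(src)
    for rule in acl.rules:
        if addr in ip_network(rule.source, strict=False):
            return rule
    return None


def decide(module: str, acl: Optional[Acl], src: str, behavior: str = "permit") -> str:
    """Return "permit" or "deny" for a packet from src handled by module.

    behavior is the traffic behavior bound to a traffic policy ("permit",
    "deny", or something else such as statistics); other modules ignore it.
    """
    # Every module in Tables 2 and 3 permits when the ACL is not created or
    # has no rules: the policy simply does not take effect.
    if acl is None or not acl.rules:
        return "permit"
    rule = first_match(acl, src)
    if module in LOGIN_MODULES:
        # Default action deny: a host matching no rule cannot log in.
        return rule.action if rule else "deny"
    if module == TRAFFIC_POLICY:
        if rule is None:
            return "permit"                # default action permit: forwarded
        if rule.action == "deny":
            return "deny"                  # deny rule: discarded
        return "deny" if behavior == "deny" else "permit"   # permit rule: behavior decides
    if module == BLACKLIST:
        return "deny" if rule else "permit"   # matched packets are discarded either way
    raise ValueError(f"unknown module {module!r}")


def audit_login_acl(module: str, acl: Optional[Acl]) -> List[str]:
    """List the conditions under which a login-module ACL does not restrict access."""
    findings: List[str] = []
    if module not in LOGIN_MODULES:
        return findings
    if acl is None:
        findings.append(f"{module}: ACL not created, every host may log in")
    elif not acl.rules:
        findings.append(f"{module}: ACL has no rules, every host may log in")
    elif all(r.action == "deny" for r in acl.rules):
        findings.append(f"{module}: only deny rules and default deny, no host can log in")
    return findings


if __name__ == "__main__":
    mgmt = Acl([Rule("permit", "10.1.1.0/24")])   # constructed sample: management subnet
    for module in ("telnet", TRAFFIC_POLICY, BLACKLIST):
        for acl in (None, Acl(), mgmt):
            print(module, acl, decide(module, acl, "192.0.2.7"))
    print(audit_login_acl("telnet", Acl()))
```

Running the block shows the asymmetry the text describes: the same ACL that locks Telnet down to one subnet leaves a traffic policy forwarding everything from other subnets, and an empty ACL on any login module allows every host to log in.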

Table 4 Default ACL actions and mechanisms of different service modules

| Default ACL Actions and Mechanisms | Route Policy | Filter Policy | igmp-snooping ssm-policy | igmp-snooping group-policy |
|---|---|---|---|---|
| Default ACL Action | deny | deny | deny | deny |
| Packets Match the permit Rule | • When the matching mode is permit: permit (routing policy is enforced) • When the matching mode is deny: deny (routing policy is not enforced) | permit (route advertisement or reception is allowed) | permit (added to SSM group address range) | permit (added to multicast group) |
| Packets Match the deny Rule | deny (routing policy does not take effect) | deny (route advertisement or reception is not allowed) | deny (not added to SSM group address range) | deny (not added to multicast group) |
| Packets Do Not Match Any Rule in an ACL | deny (routing policy does not take effect) | deny (route advertisement or reception is not allowed) | deny (not added to SSM group address range) | deny (not added to multicast group) |
| An ACL Does Not Contain Rules | permit (routing policy takes effect on all routes) | deny (route advertisement or reception is not allowed) | deny (not added to SSM group address range, and no group is in the SSM group address range) | deny (not added to multicast group) |
| ACL Is Not Created | deny (routing policy does not take effect) | permit (route advertisement or reception is allowed) | deny (not added to SSM group address range, and only the temporary group addresses 232.0.0.0-232.255.255.255 are in the SSM group address range) | deny (not added to multicast group) |

Copyright © Huawei Technologies Co., Ltd.