
ACL Configuration Guidelines

When configuring ACL rules, follow these guidelines:

  1. The rules in an ACL may overlap. Rules are matched in order, and the first matching rule decides the packet's fate: once a packet matches a rule with loose conditions, the later rules are not evaluated for that packet, so it is never checked against a rule with stricter conditions that was meant to apply to it. Therefore, arrange the rules with strict conditions before the rules with loose conditions.

  2. The ACL configuration guidelines vary according to the default ACL action taken by each service module (for details, see Default ACL Actions and Mechanisms of Different Service Modules). For example, if a service module whose default action is permit must deny the packets from some IP addresses, you only need deny rules for those addresses; a trailing rule that permits any IP address is not required. The converse holds for a service module whose default action is deny. Table 1 describes the ACL configuration guidelines.

    The following rules are for reference only. The command line syntax shall prevail when you configure ACL rules.

    rule permit/deny a and rule permit/deny b denote rules that permit or deny packets matching condition a and condition b respectively. Condition b covers a larger range than condition a, that is, b includes a.

    Table 1 ACL configuration guidelines

    Default ACL action: permit

    • Permit all packets: No ACL is required.
    • Deny all packets: Configure rule deny.
    • Permit a few packets and deny most packets: Configure rule permit a first, and then rule deny b or rule deny.

      NOTE:

      This guideline applies to packet filtering. When an ACL is applied to traffic policing or traffic statistics collection in a traffic policy, configure only rule permit a if you need to rate-limit or collect statistics on the specified packets alone.

    • Deny a few packets and permit most packets: Only rule deny a is required; rule permit b or rule permit is not required.

      NOTE:

      If rule permit is configured and the ACL is applied to a traffic policy whose behavior is deny, all packets are rejected and all services are interrupted.

    Default ACL action: deny

    • Permit all packets:
      Routing and multicast modules: Configure rule permit.
      Other modules: No ACL is required.
    • Deny all packets:
      Routing and multicast modules: No ACL is required.
      Other modules: Configure rule deny.
    • Permit a few packets and deny most packets: Only rule permit a is required; rule deny b or rule deny is not required.
    • Deny a few packets and permit most packets: Configure rule deny a first, and then rule permit b or rule permit.

    The following examples describe simple use cases:

    • Example 1: Apply an ACL to a traffic policy to filter packets from network segment 192.168.1.0/24. Reject the packets from hosts 192.168.1.2 and 192.168.1.3, and allow the packets from other hosts on network segment 192.168.1.0/24 to pass.

      The default ACL action of the traffic policy module is permit, and a few packets are denied and most packets are permitted. Therefore, you only need to configure rule deny a.

      #
      acl number 2000
       rule 5 deny source 192.168.1.2 0
       rule 10 deny source 192.168.1.3 0
      #
    • Example 2: Apply an ACL to a traffic policy to filter packets from network segment 192.168.1.0/24. Allow the packets from hosts 192.168.1.2 and 192.168.1.3 to pass, and reject the packets from other hosts on network segment 192.168.1.0/24.

      The default ACL action of the traffic policy module is permit, and a few packets are permitted and most packets are denied. Therefore, you need to configure rule permit a first, and then rule deny b.

      #
      acl number 2000
       rule 5 permit source 192.168.1.2 0
       rule 10 permit source 192.168.1.3 0
       rule 15 deny source 192.168.1.0 0.0.0.255
      #
    • Example 3: Apply an ACL to Telnet, to allow only the administrator's host (172.16.105.2) to Telnet to the device and reject other users.

      The default ACL action of the Telnet module is deny, and a few packets are permitted and most packets are denied. Therefore, you only need to configure rule permit a.

      #
      acl number 2000
       rule 5 permit source 172.16.105.2 0
      #
      
    • Example 4: Apply an ACL to Telnet, to forbid two hosts (172.16.105.3 and 172.16.105.4) to Telnet to the device and allow other user hosts to Telnet to the device.

      The default ACL action of the Telnet module is deny, and a few packets are denied and most packets are permitted. Therefore, you need to configure rule deny a first, and then rule permit.

      #
      acl number 2000
       rule 5 deny source 172.16.105.3 0
       rule 10 deny source 172.16.105.4 0
       rule 15 permit
      #
      
    • Example 5: Apply an ACL to FTP to prevent users from accessing the FTP server from 00:00-08:00 every Saturday.

      The default ACL action of the FTP module is deny, and a few packets are denied and most packets are permitted. Therefore, you need to configure rule deny a first, and then rule permit b.

      #
      time-range t1 00:00 to 08:00 Sat
      time-range t2 00:00 to 23:59 daily
      # 
      acl number 2000  
       rule 5 deny time-range t1
       rule 10 permit time-range t2
      #
      
Copyright © Huawei Technologies Co., Ltd.