An ACL consists of an ordered series of rules. A rule describes a packet by its source address, destination address, and port number, and the ACL uses these rules to classify packets. When the rules are applied to a router, the router uses them to decide which packets to accept and which to reject.
For example, an ACL can be configured to reject all Telnet access to the local server while still allowing email to be delivered to that server over Simple Mail Transfer Protocol (SMTP).
Multiple rules can be defined in each ACL. Based on rule functions, ACLs are classified into interface ACLs, basic ACLs, advanced ACLs, and MPLS ACLs. An ACL is a set of matching options; select and configure the ACL type that suits the service.
ACLs can be classified from different perspectives. See the following table.
ACL Classification Basis | ACL Type
---|---
Whether to support IPv4 or IPv6 | IPv4 ACLs, IPv6 ACLs
Functions of ACL rules | Interface ACLs, basic ACLs, advanced ACLs, MPLS ACLs
The following table lists the filter options supported by the four ACL types classified based on ACL functions.
ACL Type | Filter Option | Description
---|---|---
Interface ACLs | Interface name | The interface through which a packet is received. The keyword "any" matches all interfaces.
Interface ACLs | Validity period | The period during which the ACL is effective. If no validity period is set, the ACL takes effect as soon as it is configured.
Basic ACLs | Source IP address | The source address to match. If no source address is configured, packets with any source address are allowed to pass.
Basic ACLs | Validity period | The period during which the ACL is effective. If no validity period is set, the ACL takes effect as soon as it is configured.
Advanced ACLs | Protocol type | The protocol, given as a name or a number in the range 1 to 255. Valid names are gre, icmp, igmp, ip, ipinip, ospf, tcp, and udp. The parameters available depend on the protocol; source and destination port numbers can be set only for TCP and UDP.
Advanced ACLs | Source IP address | The source address to match. If no source address is configured, packets with any source address are allowed to pass.
Advanced ACLs | Destination IP address | The destination address to match. If no destination address is configured, packets with any destination address are allowed to pass.
Advanced ACLs | Source and destination ports | The source and destination port numbers of TCP or UDP packets; effective only for TCP and UDP. If no source or destination port number is configured, TCP or UDP packets with any port numbers are allowed to pass.
Advanced ACLs | Differentiated services code point (DSCP) | The most significant six bits of the type of service (ToS) field in the IP header. The value ranges from 0 to 63.
Advanced ACLs | Fragment packet type | Whether the ACL applies only to fragments other than the first fragment. When this parameter is set, the ACL matches only non-first fragments.
Advanced ACLs | Priority | Filters on the priority field (the most significant three bits of the ToS field in the IP header). The value is a keyword or an integer from 0 to 7.
Advanced ACLs | TCP flag | The value of the TCP flags. The value ranges from 0 to 63.
Advanced ACLs | ToS | Filters on the ToS field.
Advanced ACLs | Internet Control Message Protocol (ICMP) | Filters ICMP packets by name, type, and code; effective only for ICMP. If this option is not configured, all ICMP packets are allowed to pass.
Advanced ACLs | Validity period | The period during which the ACL is effective. If no validity period is set, the ACL takes effect as soon as it is configured.
MPLS ACLs | Exp | The Exp value of MPLS packets. If no Exp value is configured, MPLS packets with any Exp value are allowed to pass.
MPLS ACLs | Label | The label value of MPLS packets. If no label value is configured, MPLS packets with any label value are allowed to pass.
MPLS ACLs | Time to live (TTL) | The TTL value of MPLS packets. If no TTL value is configured, MPLS packets with any TTL value are allowed to pass.
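The following is an added example, not code from the NetEngine documentation: a small Python model of how an advanced ACL classifies a packet with the filter options above (protocol, source and destination address, port), including the rule that an unconfigured option matches anything, applied to the page's Telnet/SMTP example. The server address, the ACL, and the default action for unmatched packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    # A field left as None matches anything, mirroring "if no source address is
    # configured, packets with any source address are allowed to pass".
    action: str                     # "permit" or "deny"
    protocol: Optional[str] = None  # "tcp", "udp", "icmp", ...; None = any
    src: Optional[str] = None       # source prefix in CIDR form; None = any
    dst: Optional[str] = None       # destination prefix in CIDR form; None = any
    dport: Optional[int] = None     # destination port; only meaningful for tcp/udp

@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dport: Optional[int] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.src is not None and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dst is not None and ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.dport is not None:
        # Port numbers exist only for TCP and UDP, so a port rule never matches ICMP.
        if pkt.protocol not in ("tcp", "udp") or pkt.dport != rule.dport:
            return False
    return True

def classify(acl: List[Rule], pkt: Packet, default: str = "permit") -> str:
    """Rules are evaluated in order and the first match decides. Packets that
    match no rule get `default` (assumed to be permit in this model)."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return default

# Constructed ACL for the page's example: deny Telnet (TCP/23) to the local
# server 192.0.2.10 while permitting SMTP (TCP/25) to the same server.
SERVER = "192.0.2.10/32"
ACL = [
    Rule("deny", protocol="tcp", dst=SERVER, dport=23),
    Rule("permit", protocol="tcp", dst=SERVER, dport=25),
]
```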
URPF works in strict mode or loose mode. A URPF-capable router looks up the forwarding information base (FIB) when Layer 3 IP packets arrive at the network processor (NP). If the packets match a local route, the router performs the URPF check before sending them to the control processor (CP). The URPF check validates the source IP address of each packet against the routing table.
URPF can be set to strict mode or loose mode and additionally supports matching of default routes. Matching of default routes must be used with strict URPF: when a packet matches a specific route or the default route, and the inbound interface of the packet is the same as the outbound interface of the matched route, the packet is allowed to pass; otherwise, the packet is discarded. Loose URPF and strict URPF are mutually exclusive.
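As an added example (not the vendor's implementation), the following Python models the URPF check just described against a constructed FIB: a longest-prefix lookup on the source address, the strict-mode test that the inbound interface equals the outbound interface of the matched route, and the option to let a match on the default route count. Loose mode follows the usual URPF definition (any route back to the source suffices), which is an assumption since the page does not spell it out; the prefixes and interface names are constructed.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Constructed FIB: prefix -> outbound interface the router would use to reach it.
FIB: Dict[str, str] = {
    "10.1.0.0/16": "GE0/1/0",
    "10.2.0.0/16": "GE0/1/1",
    "0.0.0.0/0": "GE0/1/2",   # default route
}

def lookup(fib: Dict[str, str], addr: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match; returns (matched prefix, outbound interface) or None."""
    ip = ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return (str(best[0]), best[1]) if best else None

def urpf_check(fib: Dict[str, str], src: str, in_iface: str,
               mode: str, allow_default: bool = False) -> bool:
    """Return True if the packet's source address passes the URPF check.

    strict: the route back to the source must leave via the packet's inbound
            interface (the page's rule: inbound interface == outbound interface).
    loose:  any route back to the source suffices (standard URPF definition,
            assumed here).
    allow_default: whether a match on 0.0.0.0/0 counts as a route to the source.
    """
    hit = lookup(fib, src)
    if hit is None:
        return False                        # no route at all: source is unreachable
    prefix, out_iface = hit
    if prefix == "0.0.0.0/0" and not allow_default:
        return False                        # only the default route matched
    if mode == "loose":
        return True
    if mode == "strict":
        return out_iface == in_iface
    raise ValueError("mode must be 'strict' or 'loose'")
```

In strict mode a packet with source 10.1.5.5 arriving on GE0/1/1 fails, because the route back to 10.1.0.0/16 leaves via GE0/1/0; the same packet passes loose mode.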
NetEngine 8000 Fs provide complete ACL capabilities. Based on ACLs, the routers implement CP-CAR control and stream customization.
CP-CAR classifies packets destined for the CPU and applies a rate-limiting rule to each type of packet. For each type you can set the average rate, committed burst size (CBS), and priority. Because each protocol's packets are governed by their own CAR rule, a burst of one protocol has less impact on the others, which helps protect the CPU. CAR also lets you set a threshold for the total packet rate; when the total rate exceeds that threshold, further packets to the CPU are discarded to avoid CPU overload.
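To make the CP-CAR parameters concrete, here is an added token-bucket model (not the vendor's code): each protocol class gets its own bucket whose refill rate is the average rate and whose depth is the CBS, and an aggregate threshold bounds the total rate admitted to the CPU. How priorities resolve contention at the aggregate threshold, and all rates and class names, are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict

@dataclass
class Bucket:
    """Token bucket for one protocol class destined for the CPU."""
    rate: float      # average rate, in packets per second
    cbs: float       # committed burst size: maximum tokens the bucket holds
    priority: int    # lower value is served first when the total threshold binds
    tokens: float = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = self.cbs   # a bucket starts full

class CpCar:
    def __init__(self, classes: Dict[str, Bucket], total_rate: float) -> None:
        self.classes = classes
        self.total_rate = total_rate   # threshold on the aggregate rate to the CPU

    def step(self, dt: float, arrivals: Dict[str, int]) -> Dict[str, int]:
        """Process one interval of dt seconds. arrivals maps class -> packets
        offered; the result maps class -> packets actually sent to the CPU."""
        admitted: Dict[str, int] = {}
        for name, b in self.classes.items():
            # Per-class CAR: refill at the average rate, cap at CBS, then spend.
            b.tokens = min(b.cbs, b.tokens + b.rate * dt)
            n = min(arrivals.get(name, 0), int(b.tokens))
            b.tokens -= n
            admitted[name] = n
        # Aggregate threshold: hand out the remaining budget by priority, so a
        # flood in a low-priority class cannot starve a high-priority one.
        budget = int(self.total_rate * dt)
        for name in sorted(self.classes, key=lambda k: self.classes[k].priority):
            admitted[name] = min(admitted[name], budget)
            budget -= admitted[name]
        return admitted

# Constructed policy: routing-protocol packets are protected most, ICMP least.
def build_example() -> CpCar:
    return CpCar({
        "bgp": Bucket(rate=100, cbs=200, priority=0),
        "arp": Bucket(rate=100, cbs=100, priority=1),
        "icmp": Bucket(rate=50, cbs=50, priority=2),
    }, total_rate=200)
```

With this policy, one second carrying 150 BGP, 80 ARP and 1000 ICMP packets admits 150 BGP and 50 ARP packets and no ICMP: the ICMP flood is first clipped to its own CBS and then dropped entirely by the aggregate threshold.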
Stream customization lets you define your own ACL rules for attack defense. It applies when unknown attacks are detected on a network: you specify the characteristics of the attack streams, and data streams matching them are not sent to the CPU.
To prevent the router from being controlled by unauthorized users or flooded with management packets, deploy the control plane management function. Once it is enabled, only the specified interface accepts management packets; all other interfaces discard the management packets they receive, which saves resources. You can also restrict which management packets a specified interface accepts, so that it discards packets of all other protocols. This prevents the router from being attacked with protocol packets it does not need to process.