Overview of ACLs

An ACL is a set of sequential packet filtering rules. After an ACL is configured on a router, the router permits or denies packets based on the matched rules defined in the ACL. ACLs can be applied to various services, such as routing policies, traffic management, and QoS.

Introduction

As the name indicates, an Access Control List (ACL) is a list. The list consists of matching clauses, that is, matching rules that tell the device whether or not to take an action on a packet.

ACLs are used to ensure reliable data transmission between devices on a network by performing the following:
  • Defend the network against various attacks, such as attacks that use IP, Transmission Control Protocol (TCP), or Internet Control Message Protocol (ICMP) packets.
  • Control network access. For example, ACLs can be used to control enterprise network user access to external networks, to specify the specific network resources accessible to users, and to define the time ranges in which users can access networks.
  • Limit network traffic and improve network performance. For example, ACLs can be used to limit the bandwidth for upstream and downstream traffic and to apply charging rules to the bandwidth requested by users, thereby achieving efficient utilization of network resources.
ACL rules are used to classify packets. After ACL rules are applied to a router, the router permits or denies packets based on them. The use of ACL rules therefore greatly improves network security.

An ACL is a set of rules. It identifies a type of packet but does not filter packets. Other ACL-associated functions are used to filter identified packets.

ACL Classification

The following table outlines the classification of ACL4 (IPv4 ACLs) by function.
Table 1 ACL types

ACL Type            | Function                                                                                                                              | ACL Number
--------------------|---------------------------------------------------------------------------------------------------------------------------------------|---------------
Interface-based ACL | Defines rules based on packets' inbound interfaces.                                                                                   | 1000 to 1999
Basic ACL           | Defines rules based on packets' source addresses.                                                                                     | 2000 to 2999
Advanced ACL        | Defines rules based on packets' source or destination addresses, source or destination port numbers, and protocol types.              | 3000 to 3999
Layer 2 ACL         | Defines rules based on Layer 2 information, such as the source MAC address, destination MAC address, or protocol type of Ethernet frames. | 4000 to 4999
User ACL (UCL)      | Defines rules based on the source/destination IP address, source/destination service group, source/destination user group, source/destination port number, and protocol type. | 6000 to 9999
MPLS-based ACL      | Defines rules based on MPLS packets' EXP values, labels, or TTL values.                                                                | 10000 to 10999

Validity Period of ACL Rules

To control a type of traffic in a specified period of time, users can configure a validity period for an ACL rule to determine when that traffic type is allowed to pass through. For example, to ensure reliable transmission of video services in prime time in the evening, restrict the traffic volume of common online users during that period. The validity period can be an absolute or a cyclic time range.
  • An absolute time range starts and ends at specified dates (yyyy-mm-dd to yyyy-mm-dd). It takes effect once and does not repeat.
  • A cyclic time range repeats with a one-week cycle. For example, an ACL rule takes effect from 8:00 to 12:00 every Sunday.

Matching Order of ACL Rules

First, the device checks whether the ACL exists.

Then, the device matches packets against the rules in ascending order of rule ID. When a packet matches a rule, matching stops and no further rules are checked.

A rule is identified by a rule ID, which is configured by a user or generated by the system according to the ACL increment. All rules in an ACL are arranged in ascending order of rule IDs.

If rule IDs are allocated automatically, there is a fixed interval between two adjacent rule IDs. The size of the interval is the ACL increment. For example, if the ACL increment is set to 5, adjacent rule IDs differ by 5 (5, 10, 15, and so on). If the ACL increment is 2, the rule IDs generated automatically by the system start from 2. The interval left by the increment lets the user add a rule before the first rule.

In the configuration file, rules are displayed in ascending order of rule IDs, not in the order in which they were configured.

Rules can be arranged in two modes: Configuration mode and Auto mode. The default mode is Configuration mode.
  • If the Configuration mode is used, users can set rule IDs or allow a device to automatically allocate rule IDs based on the increment.

    If rule IDs are specified when rules are configured, the rules are inserted at the positions given by the rule IDs. For example, three rules with IDs 5, 10, and 15 exist on a device. If a new rule with ID 3 is configured, the rules are displayed in ascending order: 3, 5, 10, and 15. This is the same as inserting a rule before rule 5. If users do not set rule IDs, the device automatically allocates rule IDs based on the increment. For example, if the ACL increment is set to 5, adjacent rule IDs differ by 5 (5, 10, 15, and so on).

    If the ACL increment is set to 2, the device allocates rule IDs starting from 2. The interval left by the increment lets users insert new rules, facilitating rule maintenance. For example, the ACL increment is 5 by default. If a user does not configure a rule ID, the system automatically generates rule ID 5 for the first rule. To add a new rule before rule 5, the user only needs to enter a rule ID smaller than 5. After the automatic realignment, the new rule becomes the first rule.

    In Configuration mode, the system matches rules in ascending order of rule IDs. As a result, a rule configured later may be matched earlier.

  • If Auto mode is used, the system automatically allocates rule IDs and places the most precise rule at the front of the ACL based on the depth-first principle. Precision is determined by comparing address wildcards: the smaller the wildcard, the narrower the specified range.

    For example, 172.16.1.1 0.0.0.0 specifies a single host with the IP address 172.16.1.1, and 172.16.1.1 0.0.0.255 specifies a network segment with addresses ranging from 172.16.1.1 to 172.16.1.255. The former specifies the narrower range and is placed before the latter.

    The detailed operations are as follows:

    • For basic ACL rules, the source address wildcards are compared. If the source address wildcards are the same, the system matches packets against the ACL rules based on the configuration order.
    • For advanced ACL rules, the protocol ranges and then the source address wildcards are compared. If both the protocol ranges and the source wildcards are the same, the destination address wildcards are then compared. If the destination address wildcards are also the same, the ranges of source port numbers are compared with the smaller range being allocated a higher precedence. If the ranges of source port numbers are still the same, the ranges of destination port numbers are compared with the smaller range being allocated a higher precedence. If the ranges of destination port numbers are still the same, the system matches packets against ACL rules based on the configuration order of rules.

    For example, a wide range of packets are specified for packet filtering. Later, it is required that packets matching a specific feature in the range be allowed to pass. If the auto mode is configured in this case, the administrator only needs to define a specific rule and does not need to re-order the rules because a narrower range is allocated a higher precedence in the auto mode.

    Table 2 describes the depth-first principle for matching ACL rules.
    Table 2 Depth-first principle for matching ACL rules (ACL type, followed by its matching rules)

    Interface-based ACL
      Rules with "any" set are matched last; other rules are matched in the order they are configured.

    Basic ACL
      1. Rules with VPN instance information are matched before those without VPN instance information.
      2. If multiple rules contain the same VPN instance information, the rule with the smaller source IP address range (more 1s in the masks) is matched first.
      3. If multiple rules contain the same VPN instance information and the same source IP address range, they are matched in the order they are configured.

    Advanced ACL
      1. Rules with VPN instance information are matched before those without VPN instance information.
      2. If multiple rules contain the same VPN instance information, the rule that contains the protocol type is matched first.
      3. If multiple rules contain the same VPN instance information and the same protocol type, the rule with the smaller source IP address range (more 1s in the masks) is matched first.
      4. If multiple rules contain the same VPN instance information, protocol type, and source IP address range, the rule with the smaller destination IP address range (more 1s in the masks) is matched first.
      5. If multiple rules contain the same VPN instance information, protocol type, source IP address range, and destination IP address range, the rule with the smaller Layer 4 port number range (TCP/UDP port numbers) is matched first.
      6. If multiple rules contain the same VPN instance information, protocol type, source and destination IP address ranges, and port number range, they are matched in the order they are configured.

    Layer 2 ACL
      1. Rules with smaller wildcards of Layer 2 protocol types (more 1s in the masks) are matched first.
      2. If multiple rules contain the same Layer 2 protocol type wildcard, the rule with the smaller source MAC address range (more 1s in the masks) is matched first.
      3. If multiple rules contain the same Layer 2 protocol type wildcard and the same source MAC address range, the rule with the smaller destination MAC address range (more 1s in the masks) is matched first.
      4. If multiple rules contain the same Layer 2 protocol type wildcard and the same source and destination MAC address ranges, the rule with the smaller VLAN ID of the outer tag is matched first.
      5. If multiple rules contain the same Layer 2 protocol type wildcard, source and destination MAC address ranges, and VLAN ID of the outer tag, the rule with the higher 802.1p priority of the outer tag is matched first.
      6. If multiple rules contain the same Layer 2 protocol type wildcard, source and destination MAC address ranges, and VLAN ID and 802.1p priority of the outer tag, the rule with the smaller VLAN ID of the inner tag is matched first.
      7. If multiple rules contain the same Layer 2 protocol type wildcard, source and destination MAC address ranges, VLAN ID and 802.1p priority of the outer tag, and VLAN ID of the inner tag, the rule with the higher 802.1p priority of the inner tag is matched first.
      8. If multiple rules contain the same Layer 2 protocol type wildcard, source and destination MAC address ranges, VLAN ID and 802.1p priority of the outer tag, and VLAN ID and 802.1p priority of the inner tag, they are matched in the order they are configured.

    User ACL (UCL)
      1. The rule that contains the protocol type is matched first.
      2. If multiple rules contain the same VPN instance information and the same protocol type, the rule with the smaller source IP address range (more 1s in the masks) is matched first.
      3. If multiple rules contain the same VPN instance information, protocol type, and source IP address range, the rule with the smaller destination IP address range (more 1s in the masks) is matched first.
      4. If multiple rules contain the same VPN instance information, protocol type, source IP address range, and destination IP address range, the rule with the smaller Layer 4 port number range (TCP/UDP port numbers) is matched first.
      5. If multiple rules contain the same VPN instance information, protocol type, source and destination IP address ranges, and port number range, they are matched in the order they are configured.

    MPLS-based ACL
      Rules can only be arranged in Configuration mode.
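The two arrangement modes above, as an added Python example that is not part of this documentation or of any device software: it orders advanced ACL rules with the Table 2 depth-first key and shows that, for the scenario described in the text (a wide deny configured first, a narrower permit for one host configured later), the narrower rule wins in Auto mode but loses in Configuration mode. The `Rule` fields, the constructed rules and the packet are assumptions, and VPN instance handling is reduced to "present or not".

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    # Wildcard bits set to 1 are "don't care"; 0 bits must match exactly.
    a, r, w = (int(IPv4Address(x)) for x in (addr, rule_addr, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (r & ~w & 0xFFFFFFFF)

def mask_ones(wildcard: str) -> int:
    # Table 2 ranks by "more 1s in the mask"; the mask inverts the wildcard.
    return 32 - bin(int(IPv4Address(wildcard))).count("1")

@dataclass
class Rule:
    seq: int                         # rule ID / configuration order
    action: str                      # "permit" or "deny"
    proto: Optional[str] = None      # None: protocol type not specified
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"  # wildcard meaning "any"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Tuple[int, int] = (0, 65535)
    vpn: Optional[str] = None        # assumption: only presence matters here

def depth_first_key(r: Rule):
    # Table 2 order: VPN, protocol, src range, dst range, L4 range, config order.
    return (r.vpn is None, r.proto is None, -mask_ones(r.src_wc),
            -mask_ones(r.dst_wc), r.dport[1] - r.dport[0], r.seq)

def matches(r: Rule, pkt: dict) -> bool:
    return (r.proto in (None, pkt["proto"])
            and wildcard_match(pkt["src"], r.src, r.src_wc)
            and wildcard_match(pkt["dst"], r.dst, r.dst_wc)
            and r.dport[0] <= pkt["dport"] <= r.dport[1])

def first_match(rules, pkt: dict, auto: bool) -> Optional[str]:
    # Auto mode walks the depth-first order, Configuration mode ascending IDs.
    key = depth_first_key if auto else (lambda r: r.seq)
    for r in sorted(rules, key=key):
        if matches(r, pkt):
            return r.action   # first hit ends the lookup
    return None  # no rule hit: the service referencing the ACL decides

# Constructed rules: wide deny first, narrower host/TCP 443 permit later.
RULES = [
    Rule(seq=5, action="deny", src="172.16.1.0", src_wc="0.0.0.255"),
    Rule(seq=10, action="permit", proto="tcp", src="172.16.1.1",
         src_wc="0.0.0.0", dport=(443, 443)),
]
PKT = {"proto": "tcp", "src": "172.16.1.1", "dst": "10.0.0.8", "dport": 443}
```

The `None` result is deliberate: what happens to a packet that matches no rule is decided by the service that references the ACL, not by the ACL itself.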

ACL Step

An ACL increment is the difference between two adjacent ACL rule numbers that are automatically allocated. For example, if the ACL increment is set to 5, the rule numbers are multiples of 5, such as 5, 10, 15, and 20.
  • If an ACL increment is changed, rules in the ACL are automatically renumbered. For example, if the ACL increment is changed from 5 to 2, the original rule numbers 5, 10, 15, and 20 will be renumbered as 2, 4, and 6.
  • If the default increment 5 is restored for an ACL, the system immediately renumbers the rules in the ACL based on the default increment. For example, if the increment of ACL 3001 is 2, rules in ACL 3001 are numbered 0, 2, 4, and 6. If the default increment 5 is restored, the rules will be renumbered as 5, 10, 15, and 20.
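The rule ID allocation described under "Matching Order of ACL Rules" and the renumbering described here, as an added Python example that is not part of this documentation or of any device software. It assumes, following the "start from 2" statement above, that automatically allocated IDs are the increment, twice the increment, and so on; the `Acl` class and the rule texts are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

class Acl:
    """Rule ID bookkeeping for one ACL in Configuration mode (illustrative)."""

    def __init__(self, number: int, step: int = 5):
        self.number = number
        self.step = step                  # the ACL increment
        self.rules: Dict[int, str] = {}   # rule ID -> rule text

    def add_rule(self, text: str, rule_id: Optional[int] = None) -> int:
        # Without an explicit ID, allocate the next multiple of the increment
        # above the highest existing ID (5, 10, 15, ... for the default 5).
        if rule_id is None:
            highest = max(self.rules, default=0)
            rule_id = (highest // self.step + 1) * self.step
        if rule_id in self.rules:
            raise ValueError(f"rule {rule_id} already exists in ACL {self.number}")
        self.rules[rule_id] = text
        return rule_id

    def set_step(self, step: int) -> None:
        # Changing the increment renumbers every rule while keeping the
        # ascending-ID order; IDs become step, 2*step, 3*step, ...
        ordered = [self.rules[i] for i in sorted(self.rules)]
        self.step = step
        self.rules = {step * (n + 1): t for n, t in enumerate(ordered)}

    def display(self) -> List[Tuple[int, str]]:
        # The configuration file lists rules by ascending ID, not entry order.
        return [(i, self.rules[i]) for i in sorted(self.rules)]

def demo() -> list:
    # Constructed walk-through: three auto-numbered rules, one rule inserted
    # before the first, then the increment changed to 2 and restored to 5.
    acl = Acl(3001)
    for text in ("deny ip source 10.0.0.0 0.255.255.255",
                 "permit tcp destination-port eq 443",
                 "permit icmp"):
        acl.add_rule(text)
    acl.add_rule("permit ip source 10.0.0.5 0.0.0.0", rule_id=3)
    before = [i for i, _ in acl.display()]     # [3, 5, 10, 15]
    acl.set_step(2)
    step2 = [i for i, _ in acl.display()]      # [2, 4, 6, 8]
    acl.set_step(5)
    restored = [i for i, _ in acl.display()]   # [5, 10, 15, 20]
    return [before, step2, restored]
```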
Copyright © Huawei Technologies Co., Ltd.