An access control list (ACL) is a set of sequential packet filtering rules. After an ACL is configured on a router, the router permits or denies packets based on the matched rules defined in the ACL. ACL6s are the ACLs that support IPv6, and can be applied to various services, such as routing policies, traffic management, and QoS.
As the name indicates, an access control list (ACL) is a list. The list contains matching clauses, which are matching rules that tell the device whether or not to perform an action on a packet.
Device communication networks need to provide reliable data transmission. To this end, ACL6s can be used on access or core devices to achieve network security and stability.
On its own, an ACL6 only classifies packets based on its predefined rules. An ACL6 filters packets only after it is applied to a specific service during device management, policy-based routing, unicast packet filtering, routing policies, traffic management, or multicast packet filtering.
ACL6 Type | Function | ACL6 Number |
---|---|---|
Interface-based ACL6 | Defines rules based on packets' inbound interfaces. | 1000 to 1999 |
Basic ACL6 | Defines rules based on packets' source addresses. | 2000 to 2999 |
Advanced ACL6 | Defines rules based on packets' source or destination addresses, source or destination port numbers, and protocol types. | 3000 to 3999 |
User ACL6 (UCL6) | Defines rules based on the source/destination IP address, source/destination service group, source/destination user group, source/destination port number, and protocol type. | 6000 to 9999 |
Configuring a description for a created ACL6 helps you quickly identify what the ACL6 is for.
ACL6 rules are configured for each ACL6 and used to classify packets in different scenarios. Table 2 lists ACL6 rules and their functions.
ACL6 Rule | ACL6 Type | Function |
---|---|---|
Validity period | Interface-based ACL6, basic ACL6, advanced ACL6, user ACL6 | Sets a validity period in which ACL6 rules take effect. This rule is used for: |
Inbound interface | Interface-based ACL6 | Classifies packets based on their inbound interfaces. This rule is used for: |
Non-first fragment | Basic ACL6, advanced ACL6, user ACL6 | Classifies packets based on whether a packet is the first packet fragment. This rule is used for: |
Source IPv6 address | Basic ACL6, advanced ACL6, user ACL6 | Classifies packets based on their source IPv6 addresses. This rule is used for: |
VPN instance | Basic ACL6 and advanced ACL6 | Classifies packets based on the VPN instances to which the packets belong. This rule is used for: |
Destination IPv6 address | Advanced ACL6, user ACL6 | Classifies packets based on their destination IPv6 addresses. This rule is used for: |
Protocol type | Advanced ACL6, user ACL6 | Classifies packets based on their protocol types. |
Source port number | Advanced ACL6, user ACL6 | Classifies packets based on source TCP or UDP port numbers. This rule is used for: |
Destination port number | Advanced ACL6, user ACL6 | Classifies packets based on destination TCP or UDP port numbers. This rule is used for: |
IPv6 DSCP value | Advanced ACL6, user ACL6 | Classifies IPv6 packets based on their DSCP values. This rule is used for route filtering. |
IPv6 precedence value | Advanced ACL6, user ACL6 | Classifies IPv6 packets based on the IPv6 precedence. This rule is used for flow control. |
IPv6 ToS value | Advanced ACL6, user ACL6 | Classifies IPv6 packets based on their ToS values. This rule is used for flow control. |
Source/destination service group, or source/destination user group | User ACL6 | Classifies IPv6 packets based on source/destination service group, or source/destination user group. This rule is used for flow control. |
A device configured with ACL6s matches the received packets against ACL6 rules according to the matching order of rules.
The rule sequence in an ACL6 depends on ACL6 rule-matching orders and ACL6 rule numbers.
Rule matching orders include the configuration order and the automatic order.
Automatic order: The system sequences rules automatically and places the most precise rule at the front of the ACL6 based on the depth-first principle.
Configuration order: The system sequences ACL6 rules based on the rules' configuration order.
The mechanism in which ACL6 rules are matched based on their configuration order applies only when rule numbers are not specified. If rule numbers are specified, the ACL6 rules are matched based on their numbers in ascending order.
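The effect of the two matching orders on a basic ACL6 can be seen in the following added example, which is not part of the original documentation and is not device code. It assumes first-match evaluation and simplifies the depth-first principle to "longest source prefix first"; the `Rule` class, the helper functions and the sample rules are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int   # rule number (constructed sample value)
    action: str   # "permit" or "deny"
    source: str   # source IPv6 prefix, the field a basic ACL6 matches on

    def matches(self, src: str) -> bool:
        return ipaddress.IPv6Address(src) in ipaddress.IPv6Network(self.source)


def ordered(rules, match_order):
    """Return the rules in the sequence in which they are evaluated."""
    if match_order == "config":
        # Rule numbers are specified here, so matching is ascending by number.
        return sorted(rules, key=lambda r: r.number)
    if match_order == "auto":
        # Assumption: "most precise" means the longest source prefix;
        # ties fall back to ascending rule number.
        return sorted(rules, key=lambda r: (-ipaddress.IPv6Network(r.source).prefixlen, r.number))
    raise ValueError(f"unknown match order: {match_order}")


def evaluate(rules, src, match_order="config"):
    """Return (rule number, action) of the first matching rule, or None."""
    for rule in ordered(rules, match_order):
        if rule.matches(src):
            return rule.number, rule.action
    return None  # no rule matched; this sketch does not model what the service does next


# Constructed sample: a broad permit numbered ahead of two narrower denies.
RULES = [
    Rule(5, "permit", "2001:db8::/32"),
    Rule(10, "deny", "2001:db8:0:1::/64"),
    Rule(15, "deny", "2001:db8:0:1::10/128"),
]

if __name__ == "__main__":
    for src in ("2001:db8:0:1::10", "2001:db8:0:1::20", "2001:db8:2::1"):
        print(src, "config:", evaluate(RULES, src, "config"),
              "auto:", evaluate(RULES, src, "auto"))
```

With the configuration order, the broad permit in rule 5 shadows both deny rules, so reviewing an ACL6 for shadowed rules is worthwhile whenever a narrow rule carries a higher number than a broader one.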