Configuring an ACL

Context

An ACL is a set of sequential filter rules. In an ACL rule, you can specify packet information, such as the inbound interface name, source or destination IP address, protocol type, source or destination port number, and permit or deny mode. Then, a device matches received packets against the rules and determines whether to accept or discard the packets.

An ACL consisting of a set of rules is used only to sort packets based on the defined rules. To filter packets, the ACL must be used together with a routing policy.

ACLs can be configured for both IPv4 routes and IPv6 routes, and are classified as interface-based ACLs, basic ACLs, or advanced ACLs based on the usage. You can specify an IP address and a subnet range in an ACL to match the source IP address, destination network segment address, or the next-hop address of each route.

ACLs can be configured on network devices, such as access and core devices, to improve network security and stability. ACLs can be used to provide the following functions:
  • Protect devices against IP, TCP, and Internet Control Message Protocol (ICMP) packet attacks.
  • Control network access. For example, ACLs can be used to control enterprise network users' access to external networks, the specific network resources that users can access, and the period during which users can access networks.
  • Limit network traffic and improve network performance. For example, ACLs can be used to limit bandwidth for upstream and downstream traffic and to apply charging rules to user-requested bandwidth, ensuring efficient utilization of network resources.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run route-policy route-policy-name { permit | deny } node node

    A route-policy node is created, and the route-policy view is displayed.

  3. Run if-match acl { acl-number | acl-name }

    An ACL-based matching rule is defined.

  4. Run quit

    Return to the system view.

  5. Run acl { name basic-acl-name { basic | [ basic ] number basic-acl-number } | [ number ] basic-acl-number } [ match-order { config | auto } ]

    The ACL view is displayed.

  6. Run rule [ rule-id ] [ name rule-name ] { deny | permit }

    A rule is configured for the ACL.

    When the rule command is used to configure a filtering rule for a named ACL, only the source and time-range parameters take effect.

    When a filter-policy of a routing protocol is used to filter routes:
    • If the action specified in an ACL rule is permit, a route matching the rule will be accepted or advertised by the system.

    • If the action specified in an ACL rule is deny, a route matching the rule will not be accepted or advertised by the system.

    • If the network segment of a route is not within the range specified in an ACL rule, the route will not be accepted or advertised by the system.

    • If an ACL does not contain any rules, none of the routes matched against the filter-policy that uses this ACL will be accepted or advertised by the system.

    • Routes can be filtered using a blacklist or whitelist:

      If ACL rules are used for matching in configuration order, the system matches the rules in ascending order of their IDs.

      Filtering using a blacklist: Configure a rule with a smaller ID and specify the action deny in this rule to filter out the unwanted routes. Then, configure another rule with a larger ID in the same ACL and specify the action permit in this rule to accept or advertise the other routes.

      Filtering using a whitelist: Configure a rule with a smaller ID and specify the action permit in this rule to permit the routes to be accepted or advertised. Then, configure another rule with a larger ID in the same ACL and specify the action deny in this rule to filter out the unwanted routes.

  7. Run commit

    The configuration is committed.
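The following is an added worked example, not part of the original page or Huawei's own code. It models the route-filtering semantics described in step 6: rules are matched in ascending rule-ID order (match-order config), the first matching rule decides, a route whose network segment matches no rule is dropped, and an ACL with no rules drops every route. The ACL text it parses is constructed for the example and uses the basic-ACL form rule <id> { permit | deny } source <ip> <wildcard>, which is the source parameter the page says takes effect; the ACL number 2001 and the prefixes are sample values. Depth-first matching (match-order auto) is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class AclRule:
    rule_id: int
    action: str                               # "permit" or "deny"
    network: Optional[ipaddress.IPv4Network]  # None means "source any"


def wildcard_to_network(ip: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn 'source <ip> <wildcard>' into a network. Wildcard bits set to 0 must
    match, so the subnet mask is the bitwise complement of the wildcard; a
    non-contiguous wildcard makes IPv4Network raise, which is intended here."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((ip, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_basic_acl(config: str) -> list:
    """Parse constructed 'rule ...' lines into AclRule objects sorted by rule ID,
    i.e. the order the device uses with match-order config. The 'acl ...' header
    and blank lines are skipped."""
    rules = []
    for line in config.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] != "rule":
            continue
        rule_id, action = int(parts[1]), parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"rule {rule_id}: unknown action {action!r}")
        network = None
        if len(parts) > 3:
            if parts[3] != "source":
                raise ValueError(f"rule {rule_id}: only 'source' matching is modelled")
            if parts[4:] != ["any"]:
                if len(parts) != 6:
                    raise ValueError(f"rule {rule_id}: expected 'source <ip> <wildcard>'")
                network = wildcard_to_network(parts[4], parts[5])
        rules.append(AclRule(rule_id, action, network))
    return sorted(rules, key=lambda r: r.rule_id)


def filter_route(rules: list, route: str) -> tuple:
    """Apply the filter-policy semantics from step 6. Returns (accepted, matched_id);
    matched_id is None when no rule matched, which also covers an empty ACL."""
    prefix = ipaddress.IPv4Network(route, strict=False)
    for rule in rules:
        if rule.network is None or prefix.network_address in rule.network:
            return rule.action == "permit", rule.rule_id
    return False, None


# Constructed blacklist ACL: the smaller ID denies the unwanted segment, the larger
# ID permits everything else (step 6, "Filtering using a blacklist").
BLACKLIST_ACL = """
acl number 2001 match-order config
rule 5 deny source 10.1.1.0 0.0.0.255
rule 10 permit source any
"""

# Constructed whitelist ACL: the smaller ID permits the wanted segment, the larger
# ID denies the rest (step 6, "Filtering using a whitelist").
WHITELIST_ACL = """
acl number 2001 match-order config
rule 5 permit source 10.1.0.0 0.0.255.255
rule 10 deny source any
"""


def demo() -> dict:
    """Run three sample routes through the blacklist, the whitelist and an empty ACL."""
    routes = ["10.1.1.0/24", "10.1.2.0/24", "192.0.2.0/24"]
    result = {}
    for name, acl in (("blacklist", BLACKLIST_ACL), ("whitelist", WHITELIST_ACL), ("empty", "")):
        rules = parse_basic_acl(acl)
        result[name] = {r: filter_route(rules, r) for r in routes}
    return result


if __name__ == "__main__":
    for name, outcome in demo().items():
        for route, (accepted, rid) in outcome.items():
            verdict = "accept" if accepted else "drop"
            print(f"{name:9s} {route:14s} -> {verdict:6s} (rule {rid})")
```

Running the script shows why rule ordering matters: swapping the IDs of the two rules in either ACL inverts the outcome for the 10.1.x.x routes, and removing the permit source any rule from the blacklist turns it into a filter that drops every route, because an unmatched route is never accepted.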

Verifying the Configuration

Run the display acl command to check the rules of the configured ACL.

Copyright © Huawei Technologies Co., Ltd.