ACL function:
An ACL defines a series of rules that classify packets and apply different processing to different packets, in order to control network access, limit network traffic, improve network performance and prevent network attacks.
As shown in the figure above, the gateway RTA allows hosts in the 1.0 network segment to access the Internet, while hosts in the 2.0 network segment are prohibited from accessing the Internet. At the same time, the 2.0 network segment is allowed to access server A and the 1.0 network segment is prohibited from accessing server A.
ACL rules:
- An ACL can consist of multiple "deny" | "permit" statements; each statement describes one rule.
- Rules are matched one by one: if a packet matches a rule, that rule's action is executed; if it does not match, the next rule is tried; if no rule matches, no action is taken.
- The rules defined in an ACL may overlap or contradict each other. The matching order of the rules determines their priority, and the ACL resolves overlaps or contradictions between rules through that priority.
- ARG3 series routers support two matching orders: configuration order and automatic order.
- Configuration order matches rules in ascending order of rule ID (rule-id). The device automatically assigns a number to each rule as the ACL is created, and that number determines the order in which the rules are matched. The step leaves a gap between consecutive rule numbers so that a new rule can later be inserted between two existing rules. By default, the router matches rules in configuration order, and the default rule number step on ARG3 series routers is 5 (with a step of 5, rules are numbered 5/10/15; with a step of 2, rules are automatically numbered 2/4/6/8).
- Automatic order matches using the "depth first" principle, that is, rules are sorted by their precision (more specific rules are matched first).
- If rule 15 of the ACL 2000 shown above matches, traffic from the 172.16 network is denied, while the 172.16 traffic that is permitted is forwarded normally without any further processing.
Basic ACL configuration:
[Huawei]acl 2000                                               //Create an ACL and enter the ACL view
[Huawei-acl-basic-2000]rule deny source 192.168.1.0 0.0.0.255  //deny drops packets that match the rule; source specifies the source address the rule matches
[Huawei-GigabitEthernet0/0/0]traffic-filter outbound acl 2000  //Apply ACL-based packet filtering on the interface
[Huawei]dis acl 2000                                           //Verify the configured basic ACL
Basic ACL 2000, 1 rule
Acl's step is 5
 rule 5 deny source 192.168.1.0 0.0.0.255
[Huawei]dis traffic-filter applied-record                      //View all ACL-based packet filtering applied on the device
-----------------------------------------------------------
Interface                 Direction       AppliedRecord
-----------------------------------------------------------
GigabitEthernet0/0/0      outbound        acl 2000
-----------------------------------------------------------
Advanced ACL configuration:
[Huawei]acl 3000
[Huawei-acl-adv-3000]rule deny tcp source 192.168.1.0 0.0.0.255 destination 172.16.10.1 0.0.0.0 destination-port eq 21
[Huawei-acl-adv-3000]rule deny tcp source 192.168.2.0 0.0.0.255 destination 172.16.10.2 0.0.0.0
[Huawei-acl-adv-3000]rule permit ip
[Huawei-GigabitEthernet0/0/0]traffic-filter outbound acl 3000
[Huawei]dis acl 3000
Advanced ACL 3000, 3 rules
Acl's step is 5
 rule 5 deny tcp source 192.168.1.0 0.0.0.255 destination 172.16.10.1 0 destination-port eq ftp
 rule 10 deny tcp source 192.168.2.0 0.0.0.255 destination 172.16.10.2 0
 rule 15 permit ip
[Huawei]dis traffic-filter applied-record
-----------------------------------------------------------
Interface                 Direction       AppliedRecord
-----------------------------------------------------------
GigabitEthernet0/0/0      outbound        acl 3000
-----------------------------------------------------------
An ACL can filter packets based on many parameters, including TCP flags (SYN | ACK | FIN, etc.).
Rule 1 denies all TCP packets from source segment 1.0 to destination IP address 10.1 with destination port 21; Rule 2 denies all TCP packets from source segment 2.0 to destination 10.2; Rule 3 (rule permit ip) matches all remaining IP packets and permits them.
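To make the matching rules above concrete (wildcard masks, auto-assigned rule IDs with step 5, first-match in ascending rule-id order, and no action when nothing matches), here is an added Python simulation that is not from the page or from Huawei; it rebuilds ACL 3000 exactly as configured above. The Rule/Acl/Packet names and the "no-match" marker are this example's own.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")  # no source/destination given: match everything
Packet = namedtuple("Packet", "src dst proto dport", defaults=("ip", None))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei wildcard mask: a 0 bit must match exactly, a 1 bit is ignored."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "ip"            # "ip" matches any protocol ("rule permit ip")
    src: tuple = ANY             # (address, wildcard)
    dst: tuple = ANY
    dport: Optional[int] = None  # "destination-port eq <n>"

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and wildcard_match(p.src, *self.src)
                and wildcard_match(p.dst, *self.dst)
                and (self.dport is None or self.dport == p.dport))

class Acl:
    def __init__(self, number: int, step: int = 5):   # default step is 5
        self.number, self.step, self.rules = number, step, {}

    def add(self, rule: Rule, rule_id: Optional[int] = None) -> int:
        if rule_id is None:  # auto-assign the next multiple of the step (5, 10, 15, ...)
            rule_id = (max(self.rules, default=0) // self.step + 1) * self.step
        self.rules[rule_id] = rule
        return rule_id

    def lookup(self, p: Packet):
        for rid in sorted(self.rules):  # configuration order: ascending rule-id
            if self.rules[rid].matches(p):
                return rid, self.rules[rid].action
        return None, "no-match"  # unmatched: traffic-filter takes no action

def build_acl_3000() -> Acl:
    """Advanced ACL 3000 as configured on the page (rule-ids 5, 10, 15 auto-assigned)."""
    acl = Acl(3000)
    acl.add(Rule("deny", "tcp", ("192.168.1.0", "0.0.0.255"), ("172.16.10.1", "0.0.0.0"), 21))
    acl.add(Rule("deny", "tcp", ("192.168.2.0", "0.0.0.255"), ("172.16.10.2", "0.0.0.0")))
    acl.add(Rule("permit"))
    return acl
```

Passing an explicit rule_id below 5 to add() shows why the step matters: a rule inserted in the gap is evaluated before rule 5 without renumbering anything else.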
ACL application-NAT:
When multiple address pools exist, the ACL determines which internal network addresses are translated through which external address pool. In this example, hosts in 1.0 must be translated using the public addresses in address pool 1, and hosts in 2.0 must be translated using the public addresses in address pool 2.
[RTA]nat address-group 1 202.110.10.8 202.110.10.15
[RTA]nat address-group 2 202.115.60.1 202.115.60.30
[RTA]acl 2000
[RTA-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[RTA-acl-basic-2000]acl 2001
[RTA-acl-basic-2001]rule permit source 192.168.2.0 0.0.0.255
[RTA-acl-basic-2001]int G0/0/1
[RTA-GigabitEthernet0/0/1]nat outbound 2000 address-group 1   //Bind the NAT address pool to the ACL
[RTA-GigabitEthernet0/0/1]nat outbound 2001 address-group 2
Result: hosts in network segment 1.0 are translated using the public addresses in address pool 1, and hosts in network segment 2.0 are translated using the public addresses in address pool 2.
What conditions can an advanced ACL define rules on? An advanced ACL can define rules based on source/destination IP address, source/destination port number, protocol type, IP traffic classification and TCP flag values (SYN | ACK | FIN, etc.).