Summary of firewall configuration test points for the Software Network Engineer exam

(Exam focus)

1. Access control list

An ACL is an important means of managing data traffic in the network and implementing packet filtering. It can be implemented on routers, Layer 3 switches, Layer 2 switches and firewalls.

Hidden rule: if none of the configured rules matches, Huawei devices permit the packet by default and Cisco devices deny it by default.

Classification   | Rule description                                                                                              | Number range
Basic ACL        | Rules use only the source IP address, fragment information and effective time period of the packet             | 2000~2999
Advanced ACL     | Rules use the source IP address, destination IP address, protocol type and TCP/UDP source/destination ports   | 3000~3999
Layer 2 ACL      | Rules are defined by the Ethernet frame header, such as source/destination MAC and Ethernet frame protocol type | 4000~4999
User-defined ACL | Allows more complex and specific rule definitions                                                             | 5000~5999

ACLs are configured in system view and must be applied to a specific interface to take effect.

(There are more basic/advanced ACL case tests in the afternoon)

Basic ACL configuration (Huawei)

1. acl [number] acl-number(2000~2999) [match-order {auto|config}]

2. rule [rule-id] {permit|deny} source source-ip-address wildcard-mask

Where: any represents any network segment; a wildcard of 0 represents a single host, for example 192.168.10.1 0.

Example:

Configured as follows:

rule permit source 192.168.1.0 0.0.0.255

rule deny source 192.168.1.1 0.0.0.0

With match-order config, packets from 192.168.1.1 are forwarded, because the first rule (permitting the whole 192.168.1.0/24) matches first. With match-order auto, they are not forwarded, because the more specific host rule is matched first.

Explanation:

match-order: optional parameter indicating the matching order.

auto (depth first) means the device sorts the rules automatically; config means rules are matched in the order they were configured (the default).

Note: with auto on a basic ACL, the source IP address ranges are compared first, and the rule with the narrower range (smaller wildcard) is matched first. If two rules have the same source range, they are matched in configuration order (just understand this).

rule: a matching rule; rule-id is an optional parameter specifying the rule number.

permit|deny: the matching action, permit or deny.

The default ACL rule step is 5, which can be adjusted with "step step-value" in the ACL view.

//Permit host packets with source IP 172.16.10.3 to pass, deny other packets with a source IP in the 172.16.10.0/24 segment, and set the description "permit only 172.16.10.3 through"

[HUAWEI]acl 2020

[HUAWEI-acl-basic-2020]rule permit source 172.16.10.3 0.0.0.0

[HUAWEI-acl-basic-2020]rule deny source 172.16.10.0 0.0.0.255

[HUAWEI-acl-basic-2020]description permit only 172.16.10.3 through  //Set the ACL description

Finally, apply this ACL to an interface of the router:

[Interface view] traffic-filter outbound acl 2020
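To see the match-order behaviour and the hidden rule described above in action, here is a small Python evaluator for basic ACLs. It is an added example, not part of the original notes; the function names are its own, and the two rule lists are the page's examples.

```python
import ipaddress

def wildcard_match(addr, rule_addr, wildcard):
    # Bits set in the wildcard are "don't care"; every other bit must be equal,
    # so 0.0.0.0 means a single host and 0.0.0.255 a /24 segment.
    a, r, w = (int(ipaddress.IPv4Address(x)) for x in (addr, rule_addr, wildcard))
    return (a | w) == (r | w)

def specificity(wildcard):
    # Number of fixed bits: a higher value is a narrower source range.
    return 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")

def evaluate_basic_acl(rules, src, match_order="config", vendor="huawei"):
    """rules: list of (action, source, wildcard) in configuration order;
    source "any" matches everything. match_order "config" keeps that order
    (Huawei default); "auto" (depth first) tries the most specific source
    range first, rules with the same range staying in configuration order
    (the sort is stable). Unmatched packets hit the vendor's hidden rule."""
    ordered = list(rules)
    if match_order == "auto":
        ordered.sort(key=lambda r: 0 if r[1] == "any" else -specificity(r[2]))
    for action, rule_src, wildcard in ordered:
        if rule_src == "any" or wildcard_match(src, rule_src, wildcard):
            return action
    return "permit" if vendor == "huawei" else "deny"  # hidden rule

# The page's match-order example: permit the /24 first, then deny one host
ACL_2000 = [("permit", "192.168.1.0", "0.0.0.255"),
            ("deny", "192.168.1.1", "0.0.0.0")]

# The page's acl 2020: permit only 172.16.10.3 out of 172.16.10.0/24
ACL_2020 = [("permit", "172.16.10.3", "0.0.0.0"),
            ("deny", "172.16.10.0", "0.0.0.255")]

if __name__ == "__main__":
    print(evaluate_basic_acl(ACL_2000, "192.168.1.1", "config"))     # permit
    print(evaluate_basic_acl(ACL_2000, "192.168.1.1", "auto"))       # deny
    print(evaluate_basic_acl(ACL_2020, "172.16.10.9"))               # deny
    print(evaluate_basic_acl(ACL_2020, "10.0.0.1"))                  # permit (hidden rule)
    print(evaluate_basic_acl(ACL_2020, "10.0.0.1", vendor="cisco"))  # deny
```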

2. Applying ACLs on interfaces

Direction in which an ACL is applied on an interface:

Outbound: packets that have been processed by the router and are leaving through the router interface.

Inbound: packets that have just arrived at the router interface and are about to be processed by the router.

Note: traffic generated by the device itself is not checked against interface ACLs.

3. Advanced ACL configuration (Huawei)

1. acl [number] acl-number(3000~3999) [match-order {auto|config}]

//Set the access control list number

2. rule [rule-id] {permit|deny} protocol source source-ip-address wildcard-mask destination destination-ip-address wildcard-mask destination-port eq port-number

Explanation:

protocol: specifies the protocol, such as TCP, UDP, ICMP or IP.

destination-port: the destination port; for the source port use source-port.

Port operators: eq (equal to), gt (greater than), lt (less than), neq (not equal to), range (specifies a port range).

Port number: the keyword for the port or protocol can be written directly, such as telnet/www/dns.

Example:

Configure the ACL to allow ICMP packets from source IP address 172.16.10.3 to destination network 172.16.20.0/24 to pass.

[HUAWEI]acl 3000

[HUAWEI-acl-adv-3000]rule permit icmp source 172.16.10.3 0.0.0.0 destination 172.16.20.0 0.0.0.255

Apply this ACL on the router interface:

[Interface view] traffic-filter inbound acl 3000

4. Time-based ACL

Example (two periods under the same time-range name, 09:00-12:00 and 14:00-17:00 on working days):

[HUAWEI]time-range mytime 09:00 to 12:00 working-day

[HUAWEI]time-range mytime 14:00 to 17:00 working-day

[HUAWEI]acl 2000

[HUAWEI-acl-basic-2000]rule permit source 192.168.10.0 0.0.0.255

[HUAWEI-acl-basic-2000]rule permit source 192.168.20.1 0 time-range mytime

[HUAWEI-acl-basic-2000]rule deny source any

[HUAWEI-acl-basic-2000]quit

[HUAWEI]interface g0/0/2

[HUAWEI-GigabitEthernet0/0/2]traffic-filter outbound acl 2000

5. Named ACL

A named access control list allows a name to be used instead of a number for basic and advanced ACLs.

1. Basic named ACL:

acl name acl-name {basic | acl-number} [match-order {auto|config}]

For example:

acl name csai 2000

2. Advanced named ACL:

acl name acl-name {advance | acl-number} [match-order {auto|config}]

For example:

acl name csai advance

6. ACL deployment location (exam point)

  • Advanced ACLs should be placed as close to the source of the data flow as possible;
  • Basic ACLs should be placed as close to the destination of the data flow as possible, to avoid filtering traffic by mistake.

7. Traffic classification, traffic behavior and traffic policy (tested once)

ACLs on some Huawei Layer 3 switches (S series) cannot be applied to interfaces directly; they are applied through a traffic policy instead.

  • Configure the ACL

[HUAWEI]acl 3000

[HUAWEI-acl-adv-3000]rule deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

  • ACL-based traffic classifier

[HUAWEI]traffic classifier c_xs  //c_xs is the classifier name

[HUAWEI-classifier-c_xs]if-match acl 3000

  • Configure the traffic behavior; the action is to deny the packets

[HUAWEI]traffic behavior b_xs

[HUAWEI-behavior-b_xs]deny

  • Configure a traffic policy that associates the traffic classifier with the traffic behavior

[HUAWEI]traffic policy p_xs

[HUAWEI-trafficpolicy-p_xs]classifier c_xs behavior b_xs

  • Apply the traffic policy to the interface to implement the access control

[HUAWEI]interface e0/0/1

[Interface view] traffic-policy p_xs inbound

8. Reflexive ACL (tested in the Cisco era)

Concept: the device automatically creates an ACL in the opposite direction based on the ACL in one direction. Reflection can only be based on advanced ACLs, and reflexive rules can only be generated for TCP/UDP/ICMP packets.

Features:

For traffic initiated from the intranet, the device generates a temporary reverse ACL from the Layer 3 and Layer 4 information of the traffic and keeps it for a period of time. In this temporary ACL the protocol type stays unchanged, while the source IP, destination IP, source port and destination port are swapped relative to the initial ACL. The aging period can be set; if no corresponding return traffic arrives during the aging period, the reflexive ACL entry is deleted, which improves security.

(That is, after a reflexive ACL is configured, the server can return traffic to the host only after the host has sent traffic to the server; traffic actively initiated by the server is discarded by the ACL.)

Configuration:

  • Create advanced ACL 3000 and configure a rule that permits UDP packets

[HUAWEI]acl 3000

[HUAWEI-acl-adv-3000]rule permit udp

[HUAWEI-acl-adv-3000]quit

  • Since packets from the Internet enter the router through interface g2/0/1, configure the reflexive ACL function in the outbound direction of interface g2/0/1 to reflect UDP packets.

[HUAWEI]interface gigabitethernet 2/0/1

[Interface view] traffic-reflect outbound acl 3000

//The reflexive ACL is applied in the outbound direction of the interface
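An added Python model of the reflexive ACL behaviour described in this section (not from the original notes): the class name, the timeout value and the packet tuple layout are assumptions of the example.

```python
class ReflexiveAcl:
    """Models 'traffic-reflect outbound acl 3000' where acl 3000 has 'rule permit udp'.
    For each outbound packet the ACL permits, a temporary reverse entry
    (same protocol, source/destination IP and ports swapped) is created and
    kept for `timeout` seconds; matching return traffic refreshes it, and an
    entry that sees no traffic within the timeout is deleted. The timeout
    value and the tuple layout are assumptions of this example."""

    def __init__(self, reflected_protocols=("udp",), timeout=30):
        self.reflected_protocols = reflected_protocols  # acl 3000 permits only UDP
        self.timeout = timeout
        self.entries = {}  # (proto, src, sport, dst, dport) -> expiry time

    def _age_out(self, now):
        # Drop every reverse entry whose aging timer has run out
        self.entries = {k: exp for k, exp in self.entries.items() if exp > now}

    def outbound(self, pkt, now):
        """Intranet -> Internet packet; returns True if a reverse entry was
        created or refreshed, False if the ACL does not reflect this packet."""
        self._age_out(now)
        proto, src, sport, dst, dport = pkt
        if proto not in self.reflected_protocols:
            return False
        # Reverse entry: protocol unchanged, addresses and ports swapped
        self.entries[(proto, dst, dport, src, sport)] = now + self.timeout
        return True

    def inbound(self, pkt, now):
        """Internet -> intranet packet; only traffic matching a live reverse
        entry is permitted, so server-initiated traffic is denied."""
        self._age_out(now)
        if pkt not in self.entries:
            return "deny"
        self.entries[pkt] = now + self.timeout  # return traffic refreshes aging
        return "permit"
```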

9. Advanced ACL application on firewalls (Huawei)

  • A Huawei firewall has 3 security zones by default:

Trust zone (priority 85): the network in this zone is highly trusted; usually used to define the intranet.

DMZ zone (priority 50): the network in this zone has a medium trust level; usually used to define the zone where public servers are located.

Untrust zone (priority 5): this zone represents an untrusted network; usually used to define the external network.

The Local zone, which is the firewall itself, has priority 100.

  • Data flow between security zones is directional, either inbound or outbound:

Inbound direction: data travels from a low-priority zone to a high-priority zone.

Outbound direction: data travels from a high-priority zone to a low-priority zone.

  • The main security zone configuration commands are:

[FW]firewall zone name test  //Create security zone test

[FW-zone-test]set priority 10  //Set the security level to 10

[FW-zone-test]add interface g0/0/1  //Add interface g0/0/1 to the security zone

Configuration example:

Requirement: in the direction from the trust zone to the untrust zone (outbound), reject host packets with source address 192.168.0.100, and allow packets from network segment 192.168.0.0/24 to network segment 172.16.0.0/24 to pass.

[FW]acl 3000

[FW-acl-adv-3000]rule deny ip source 192.168.0.100 0

[FW-acl-adv-3000]rule permit ip source 192.168.0.0 0.0.0.255 destination 172.16.0.0 0.0.0.255

[FW-acl-adv-3000]quit

[FW]firewall interzone trust untrust

[FW-interzone-trust-untrust]packet-filter 3000 outbound
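The following added Python example (not from the original notes) covers two passages: the advanced ACL rule syntax of section 3, including the eq/gt/lt/neq/range port operators, and the interzone packet-filter configured just above. The function names, the packet dictionary layout and the rule dictionary format are its own assumptions.

```python
import ipaddress
def wildcard_match(addr, rule_addr, wildcard):
    # Bits set in the wildcard are "don't care"; every other bit must be equal.
    a, r, w = (int(ipaddress.IPv4Address(x)) for x in (addr, rule_addr, wildcard))
    return (a | w) == (r | w)

PORT_OPS = {  # port operators listed on the page; range takes two port numbers
    "eq": lambda p, a: p == a, "gt": lambda p, a: p > a, "lt": lambda p, a: p < a,
    "neq": lambda p, a: p != a, "range": lambda p, a, b: a <= p <= b}

def rule_matches(rule, pkt):
    # rule: dict(action, protocol, source=(addr, wc), destination=(addr, wc),
    # optional sport/dport=(op, n[, m])); pkt: dict(proto, src, dst, sport, dport)
    if rule["protocol"] != "ip" and rule["protocol"] != pkt["proto"]:
        return False  # "ip" covers every IP protocol, as in "rule deny ip"
    for side, key in (("source", "src"), ("destination", "dst")):
        addr, wc = rule.get(side, ("0.0.0.0", "255.255.255.255"))  # omitted = any
        if not wildcard_match(pkt[key], addr, wc):
            return False
    for port_key in ("sport", "dport"):
        if port_key in rule:
            op, *args = rule[port_key]
            if pkt.get(port_key) is None or not PORT_OPS[op](pkt[port_key], *args):
                return False
    return True

def evaluate(rules, pkt, default="permit"):
    # Configuration-order matching (Huawei default); the hidden rule permits on Huawei
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return default

ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}  # page defaults

def interzone_direction(src_zone, dst_zone):
    # high priority -> low priority is outbound, the reverse is inbound
    return "outbound" if ZONE_PRIORITY[src_zone] > ZONE_PRIORITY[dst_zone] else "inbound"

def interzone_filter(rules, bound_direction, src_zone, dst_zone, pkt):
    # "packet-filter <acl> <direction>" only applies to packets in the bound direction
    if interzone_direction(src_zone, dst_zone) != bound_direction:
        return None
    return evaluate(rules, pkt)

# ACL 3000 from the page's firewall example, in configuration order
FW_ACL_3000 = [
    {"action": "deny", "protocol": "ip", "source": ("192.168.0.100", "0.0.0.0")},
    {"action": "permit", "protocol": "ip", "source": ("192.168.0.0", "0.0.0.255"), "destination": ("172.16.0.0", "0.0.0.255")},
]
```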

10. NAT address translation

  • Static NAT: fixed one-to-one IP address mapping

[R1]interface e0/0/1

[Interface view]ip address 192.1.1.1 30

[Interface view] nat static global 192.1.1.2 inside 10.1.1.2

  • Dynamic NAT: basic NAT (still a one-to-one translation, but the public address is taken dynamically from an address pool)

[R1]nat address-group 1 192.1.1.2 192.1.1.4  //Define the public network address pool

[R1]acl 2000

[R1-acl-basic-2000]rule permit source 10.1.1.0 0.0.0.255

//This ACL does not filter packets; it marks which addresses require NAT translation.

[R1-acl-basic-2000]quit

[R1]interface e0/0/1

[Interface view] nat outbound 2000 address-group 1 no-pat

//The addresses matched by ACL 2000 are translated one-to-one to addresses in the address pool

  • Dynamic NAPT/PAT (Huawei)

PAT: port-based address translation; many private addresses share a public address and are distinguished by port number.

[R1]nat address-group 1 192.1.1.2 192.1.1.4

[R1]acl 2000

[R1-acl-basic-2000]rule permit source 10.1.1.0 0.0.0.255

[R1-acl-basic-2000]quit

[R1]interface e0/0/1

[Interface view]nat outbound 2000 address-group 1

//Do PAT on the outgoing interface
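An added Python model (not from the original notes) contrasting the three NAT forms above on one egress interface: static mapping, dynamic no-pat from the address pool, and NAPT sharing one public address by port. The class name, the port allocation and the untranslated/exhausted return values are assumptions of this example; the pool and ACL values are the page's.

```python
import ipaddress

class NatEgress:
    """Models 'nat static global G inside I', 'nat outbound <acl> address-group 1
    no-pat' (dynamic one-to-one from a pool) and 'nat outbound <acl>
    address-group 1' (NAPT/PAT: one public address shared, sessions told apart
    by port) on one egress interface. The ACL only marks which sources are
    translated. Port allocation here is an assumption, not the device's."""

    def __init__(self, pool, acl_source, no_pat):
        self.pool = list(pool)                              # nat address-group 1
        self.acl_source = ipaddress.ip_network(acl_source)  # rule permit source ...
        self.no_pat = no_pat
        self.static = {}        # inside ip -> global ip
        self.bindings = {}      # no-pat: inside ip -> pool ip (one-to-one)
        self.sessions = {}      # pat: (inside ip, port) -> (pool ip, port)
        self.next_port = 10240  # constructed starting port for PAT

    def add_static(self, global_ip, inside_ip):
        self.static[inside_ip] = global_ip

    def translate(self, src_ip, src_port):
        """Returns the (ip, port) that leaves the interface: unchanged when the
        ACL does not match, or None when a no-pat pool is exhausted."""
        if src_ip in self.static:
            return (self.static[src_ip], src_port)
        if ipaddress.ip_address(src_ip) not in self.acl_source:
            return (src_ip, src_port)  # not marked by the ACL: forwarded untranslated
        if self.no_pat:
            if src_ip not in self.bindings:
                used = set(self.bindings.values())
                free = [ip for ip in self.pool if ip not in used]
                if not free:
                    return None  # every pool address is already bound to a host
                self.bindings[src_ip] = free[0]
            return (self.bindings[src_ip], src_port)
        key = (src_ip, src_port)
        if key not in self.sessions:  # PAT: one pool address, a new port per session
            self.sessions[key] = (self.pool[0], self.next_port)
            self.next_port += 1
        return self.sessions[key]
```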


Source: blog.csdn.net/ducanwang/article/details/133188732