Not sure how ACL access control works in network engineering? This article walks through it.

ACL access control technology

An Access Control List (ACL) is a collection of one or more instructions (rules). A rule can reference the source address, destination address, protocol type, port number and other fields of a packet. The device uses these rules to decide which packets to accept and which to reject, so an ACL behaves much like a packet filter. With ACLs you can control network access, limit traffic, improve network performance and block certain network attacks.

As shown in the figure: You can configure ACL to restrict Host A and Host B from accessing the Internet, and restrict Host C and Host D from accessing the server.

ACL structure

An ACL is an ordered list of rules made up of permit and deny statements. An ACL does nothing on its own; it takes effect only when it is referenced by a service module, for example in NAT, in a firewall security policy, in a routing policy, or in traffic filtering (traffic-filter) on an interface.

The ACL composition is shown in the figure above:

  1. Access control list number: each ACL is assigned a number when it is created, and different numbers identify different ACLs (on Huawei devices the number range also determines the ACL type);

  2. Rules: an ACL usually consists of one or more "permit/deny" statements, and one statement is one rule;

  3. Rule number: each rule has a number (rule ID) that identifies it within the ACL; it can be specified by the user or assigned automatically by the system;

  4. Action: permit means the packet is allowed, deny means it is rejected; the action is set per rule;

  5. Matching items: the packet fields a rule tests, such as source MAC address, destination MAC address, source IP address, destination IP address, protocol type, etc.

For example: rule 10 permit source 1.1.1.0 0.0.0.255

Meaning: rule 10 permits packets whose source address is in the 1.1.1.0/24 network segment. The second value (0.0.0.255) is a wildcard mask: a 0 bit must match the address exactly, a 1 bit is ignored.

 

ACL classification

  • Basic ACL (2000-2999): rules are defined by the source IP address of the packet, its fragment information and a time range (effective time period).

  • Advanced ACL (3000-3999): rules can match source IP, destination IP, source port, destination port and other Layer 3 and Layer 4 fields.

  • Layer 2 ACL (4000-4999): rules are defined by Layer 2 information such as source MAC address, destination MAC address, 802.1p priority and Layer 2 protocol type.

  • User-defined ACL (5000-5999): rules match a user-defined string, with a string mask, at a given offset in the packet header.

  • User ACL (6000-6999): rules can be defined by the source/destination IP address, IP protocol type, ICMP type and port number of IP packets.

ACL application principles

An ACL is applied to an interface in one direction: inbound (packets arriving on the interface) or outbound (packets leaving it).

A basic ACL matches on the source address only, so it should be applied as close to the destination as possible; placed near the source it would cut the host off from every destination, not just the one you want to protect.

An advanced ACL can also match the destination, protocol and ports, so it should be applied as close to the source as possible, dropping unwanted traffic before it consumes bandwidth and other resources along the path.

ACL matching mechanism

The ACL matching mechanism is summarized as follows:

  1. When a device with an ACL receives a packet, it compares the packet against the rules in the ACL one by one; if a rule does not match, it moves on to the next rule.

  2. Once a rule matches, the device performs that rule's action (permit or deny) on the packet and does not consult any later rules.

  3. When there are multiple rules, they are compared in ascending order of rule number (the default "config" match order), so the rule with the smallest number is tested first; a more specific rule with a larger number is never reached if an earlier rule already matches. If no rule matches, the result depends on the module that references the ACL: traffic-filter on Huawei devices permits the packet, so a deny-only ACL blocks nothing it does not name explicitly.
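The rule syntax from the example above (`rule 10 permit source 1.1.1.0 0.0.0.255`) and the matching order just described can be modelled in a few dozen lines. The following is an added example, not code from the original post or from any vendor; the rule texts, packets and the `ACL`/`Packet`/`Rule` names are constructed for illustration. It shows wildcard matching, automatic rule numbering in steps of 5, first-match-wins in ascending rule-ID order, how a later-added rule with a lower ID shadows an existing one, and the default-permit behaviour of an unmatched packet.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not code from the original post or from any vendor: a small model of
# Huawei-style ACL rules showing wildcard matching, rule-ID ordering and first-match-wins.
# The rule texts and packets below are constructed for illustration.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match, a 1 bit is ignored: '1.1.1.0 0.0.0.255' is
    1.1.1.0/24, '192.168.1.1 0' (VRP shorthand for 0.0.0.0) is exactly that host."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None

@dataclass
class Rule:
    rule_id: int
    action: str                              # "permit" or "deny"
    protocol: Optional[str] = None           # None in a basic ACL; "ip"/"tcp"/"udp"/"icmp" in an advanced one
    src: Optional[Tuple[str, str]] = None    # (address, wildcard); None means any
    dst: Optional[Tuple[str, str]] = None
    dport: Optional[int] = None

class ACL:
    """One numbered ACL: 2000-2999 is basic (source address only), 3000-3999 is advanced."""

    def __init__(self, number: int, step: int = 5):
        self.step = step
        self.rules: List[Rule] = []
        self.is_basic = 2000 <= number <= 2999

    def rule(self, text: str) -> Rule:
        """Parse the subset of the VRP 'rule' syntax used in the article."""
        tok = text.split()
        i = 2 if tok[1].isdigit() else 1
        # No ID given: VRP assigns the next multiple of the step above the current maximum (5, 10, ...)
        rid = int(tok[1]) if i == 2 else (max((r.rule_id for r in self.rules), default=0) // self.step + 1) * self.step
        r = Rule(rid, tok[i])
        i += 1
        if not self.is_basic and i < len(tok) and tok[i] not in ("source", "destination"):
            r.protocol, i = tok[i], i + 1
        while i < len(tok):
            if tok[i] in ("source", "destination"):
                val, n = (None, 2) if tok[i + 1] == "any" else ((tok[i + 1], tok[i + 2]), 3)
                setattr(r, "src" if tok[i] == "source" else "dst", val)
                i += n
            elif tok[i] == "destination-port" and tok[i + 1] == "eq":
                r.dport, i = int(tok[i + 2]), i + 3
            else:
                raise ValueError(f"unsupported token {tok[i]!r} in {text!r}")
        self.rules = [x for x in self.rules if x.rule_id != rid] + [r]   # same ID overwrites
        return r

    @staticmethod
    def _matches(r: Rule, p: Packet) -> bool:
        if r.protocol not in (None, "ip") and r.protocol != p.proto:
            return False
        if r.src and not wildcard_match(p.src, *r.src):
            return False
        if r.dst and not wildcard_match(p.dst, *r.dst):
            return False
        return r.dport is None or r.dport == p.dport

    def evaluate(self, p: Packet, default: str = "permit") -> Tuple[str, Optional[int]]:
        """Config match order: ascending rule ID, first hit wins, later rules are not consulted.
        `default` is the action when nothing matches; for traffic-filter on VRP that is permit."""
        for r in sorted(self.rules, key=lambda x: x.rule_id):
            if self._matches(r, p):
                return r.action, r.rule_id
        return default, None

def demo() -> dict:
    web = Packet("192.168.1.10", "10.0.0.5", "tcp", 443)
    acl = ACL(3000)
    acl.rule("rule 5 permit tcp source 192.168.1.0 0.0.0.255 destination 10.0.0.5 0 destination-port eq 443")
    acl.rule("rule 10 deny ip source 192.168.1.0 0.0.0.255 destination 10.0.0.0 0.0.0.255")
    acl.rule("rule 15 permit ip")
    out = {"web": acl.evaluate(web),
           "ssh": acl.evaluate(Packet("192.168.1.10", "10.0.0.5", "tcp", 22)),
           "other": acl.evaluate(Packet("172.16.0.9", "10.0.0.5", "tcp", 443))}
    acl.rule("rule 1 deny ip source 192.168.1.0 0.0.0.255")   # lower ID is matched first: shadows rule 5
    out["web_after_rule_1"] = acl.evaluate(web)
    lab = ACL(2000)                                             # the article's lab ACL, auto-numbered rule 5
    lab.rule("rule deny source 192.168.1.1 0")
    out["pc1"] = lab.evaluate(Packet("192.168.1.1", "192.168.5.1", "icmp"))
    out["pc2"] = lab.evaluate(Packet("192.168.2.1", "192.168.5.1", "icmp"))  # unmatched: default permit
    return out

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>16}: {verdict}")
```

The `web_after_rule_1` case is the one to remember when editing a live ACL: adding `rule 1 deny ...` to an ACL that already has `rule 5 permit ...` silently turns the permitted HTTPS traffic into denied traffic, because rule numbers, not the order you typed them, decide which rule is tested first. If you want deny-by-default with traffic-filter, add an explicit final `rule deny` with a high rule number rather than relying on the module's default.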

 

ACL lab configuration

Lab topology:

  1. Traffic filtering with a basic ACL

Purpose:

  • Deploy a basic ACL to filter traffic

  • Make PC1 unable to reach PC3

The topology is shown in the figure:

(1) Configure as follows on AR1:

<Huawei>sys

[Huawei]sysname AR1

[AR1]int g0/0/0

[AR1-GigabitEthernet0/0/0]ip add 192.168.1.254 24 //Configure the interface IP address

[AR1-GigabitEthernet0/0/0]int g0/0/1

[AR1-GigabitEthernet0/0/1]ip add 192.168.3.1 24

[AR1]rip //Use dynamic routing protocol RIP

[AR1-rip-1]version 2 //RIP version is RIPv2

[AR1-rip-1]network 192.168.1.0 //Announce the 192.168.1.0 network segment

[AR1-rip-1]network 192.168.3.0 //Announce the 192.168.3.0 network segment

(2) Configure as follows on AR2:

<Huawei>sys

[Huawei]un in en //undo info-center enable: stop log messages from interrupting the terminal

[Huawei]sysname AR2

[AR2]int g0/0/1

[AR2-GigabitEthernet0/0/1]ip add 192.168.3.2 24

[AR2-GigabitEthernet0/0/1]int g0/0/2

[AR2-GigabitEthernet0/0/2]ip add 192.168.4.2 24

[AR2-GigabitEthernet0/0/2]int g0/0/0

[AR2-GigabitEthernet0/0/0]ip add 192.168.2.254 24

[AR2]rip

[AR2-rip-1]version 2

[AR2-rip-1]net 192.168.2.0

[AR2-rip-1]net 192.168.3.0

[AR2-rip-1]net 192.168.4.0

(3) Configure as follows on AR3:

[Huawei]int g0/0/0

[Huawei-GigabitEthernet0/0/0]ip add 192.168.4.3 24

[Huawei-GigabitEthernet0/0/0]int g0/0/1

[Huawei-GigabitEthernet0/0/1]ip add 192.168.5.254 24

[Huawei]rip 

[Huawei-rip-1]version 2

[Huawei-rip-1]net 192.168.4.0

[Huawei-rip-1]net 192.168.5.0

(4) Configure the IP address and default gateway on each PC (the gateway is the .254 address of the router interface on its segment)

(5) Test connectivity between PC1 and PC3; once RIP has converged, the ping should succeed before the ACL is applied

(6) Configure ACL on AR3

[Huawei]acl 2000 //Create a basic ACL numbered 2000

[Huawei-acl-basic-2000]rule deny source 192.168.1.1 0

//Deny packets whose source address is exactly 192.168.1.1 (PC1). The wildcard 0 (0.0.0.0) means every bit must match; no rule number was given, so the system assigns rule 5 (default step of 5)

[Huawei-acl-basic-2000]int g0/0/1

[Huawei-GigabitEthernet0/0/1]traffic-filter outbound acl 2000

//Apply ACL 2000 to g0/0/1 in the outbound direction, i.e. to packets leaving AR3 toward PC3's segment 192.168.5.0/24. Packets that match no rule are permitted by traffic-filter, so only PC1's traffic is affected

 

(7) After configuring the ACL, test connectivity between PC1 and PC3 again: PC1's packets are dropped at AR3's g0/0/1, so the ping fails, while traffic from any other source still reaches PC3 because it matches no rule and is permitted.
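To see why the lab puts a basic ACL on AR3's g0/0/1 outbound rather than next to PC1, and to connect it with the placement principle stated earlier, the following added example walks a packet through the lab topology and checks the traffic-filter bindings hop by hop. It is not part of the original lab. Only PC1 = 192.168.1.1 is given by the lab; the PC2 and PC3 addresses (192.168.2.1, 192.168.5.1), the hop lists RIP would produce, and the names `forward`, `compare_placements` and `ACL_2000` are assumptions made here. It also evaluates the return direction PC3 to PC1, which the lab does not test.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Added example, not part of the original lab: a model of where a basic ACL is evaluated
# along the forwarding path, comparing the lab's placement (AR3 g0/0/1 outbound) with the
# same ACL placed near the source. Only PC1 = 192.168.1.1 is given by the lab; the PC2 and
# PC3 addresses and the hop lists are assumptions derived from the addressing above.

Hop = Tuple[str, str, str]       # (router, inbound interface, outbound interface)
Binding = Tuple[str, str, str]   # (router, interface, "inbound" | "outbound")

ADDR = {"PC1": "192.168.1.1", "PC2": "192.168.2.1", "PC3": "192.168.5.1"}   # PC2/PC3 assumed
PATHS: Dict[Tuple[str, str], List[Hop]] = {   # paths RIP would produce on this topology (assumed)
    ("PC1", "PC3"): [("AR1", "g0/0/0", "g0/0/1"), ("AR2", "g0/0/1", "g0/0/2"), ("AR3", "g0/0/0", "g0/0/1")],
    ("PC1", "PC2"): [("AR1", "g0/0/0", "g0/0/1"), ("AR2", "g0/0/1", "g0/0/0")],
    ("PC3", "PC1"): [("AR3", "g0/0/1", "g0/0/0"), ("AR2", "g0/0/2", "g0/0/1"), ("AR1", "g0/0/1", "g0/0/0")],
}

# acl 2000 from the lab as (action, address, wildcard); rules are checked in order, first match wins
ACL_2000 = [("deny", "192.168.1.1", "0.0.0.0")]

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """0 bits in the wildcard must match, 1 bits are ignored (0.0.0.0 = exactly that host)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def basic_acl_action(rules, src: str, default: str = "permit") -> str:
    """A basic ACL looks at the source address only; traffic-filter permits unmatched packets."""
    for action, base, wildcard in rules:
        if wildcard_match(src, base, wildcard):
            return action
    return default

def forward(src_host: str, dst_host: str, bindings: Dict[Binding, list]) -> Tuple[str, Optional[Binding]]:
    """Walk the hops, checking the inbound binding on the ingress interface and then the
    outbound binding on the egress interface, which is where traffic-filter runs."""
    src = ADDR[src_host]
    for router, in_if, out_if in PATHS[(src_host, dst_host)]:
        for binding in ((router, in_if, "inbound"), (router, out_if, "outbound")):
            rules = bindings.get(binding)
            if rules is not None and basic_acl_action(rules, src) == "deny":
                return "dropped", binding
    return "forwarded", None

def compare_placements() -> Dict[str, Dict[str, str]]:
    placements = {
        "near_destination": {("AR3", "g0/0/1", "outbound"): ACL_2000},   # the lab's placement
        "near_source": {("AR1", "g0/0/0", "inbound"): ACL_2000},         # same basic ACL next to PC1
    }
    return {name: {f"{a}->{b}": forward(a, b, bindings)[0] for a, b in PATHS}
            for name, bindings in placements.items()}

if __name__ == "__main__":
    for placement, results in compare_placements().items():
        print(placement, results)
```

With the lab's placement, PC1 loses only PC3 and keeps PC2; the identical ACL bound inbound on AR1's g0/0/0 drops PC1's traffic to both, which is the over-blocking the "basic ACL close to the destination" rule is meant to avoid. The PC3 to PC1 direction is forwarded in both cases: a basic ACL tests the source address, so it never sees PC3's packets as a match, and the ping from PC1 fails only because its request never arrives.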

 


Source: blog.csdn.net/zhongyuanjy/article/details/126949933