
What Is an ACL?

An ACL is a collection of one or more rules. A rule is a judgment statement that describes a packet matching condition, such as a source address, destination address, protocol, or port number.
An ACL is essentially a rule-based packet classifier. A packet that matches a rule is handled according to that rule's action (permit or deny) and according to the feature that references the ACL, such as interface packet filtering, NAT, or a QoS traffic policy.

Why Is an ACL Used?

As a filter, an ACL can be used by a device to deny and permit specific incoming and outgoing traffic. If no ACL is used, all traffic is transmitted freely, making the network vulnerable to attacks.

As shown in the following figure, to ensure its financial data security, the enterprise applies an ACL on the router to prevent hosts of the R&D department from accessing the financial server and allow hosts of the president's office to access the financial server. An ACL configured on the router can also block the ports commonly used by network viruses, preventing malicious traffic intrusion from the Internet and protecting the intranet.

What can an ACL do?

An ACL implements the following functions:

  • Provides secure access. If an enterprise's important server resources can be accessed without permission, the enterprise's confidential information is prone to disclosure, causing security risks. You can use an ACL to specify the servers, networks, and services that users can access, preventing unauthorized access.
  • Prevents network attacks. Worms and other malware on the Internet spread into enterprise intranets through well-known service ports. An ACL can block traffic from external networks to these high-risk ports.
  • Improves network bandwidth utilization. Network bandwidth is randomly occupied by various services, and the bandwidth of voice and video services that have the highest requirements on service quality cannot be guaranteed, resulting in poor user experience. An ACL can be used to accurately identify and control network traffic and restrict some network traffic to ensure the quality of major services.

ACL Composition

Each ACL rule permits or denies specific traffic. Before defining a proper ACL rule, you need to understand the basic composition of an ACL.

  • ACL ID: indicates a number or name used for identifying an ACL.
    • Using a number to identify an ACL: Different types of ACLs are identified by different numbers. For details, see ACL Classification.
    • Using a name to identify an ACL: A string of characters can be used to identify an ACL, which is easy to remember, like using a domain name to replace an IP address.
  • Rule: indicates a judgment statement that describes a matching condition.
    • Rule number: identifies an ACL rule. Rules are arranged in ascending order of rule number and are matched against a packet in that order.
    • Action: The value can be permit or deny, indicating that the device accepts or discards the matched packets.
    • Matching condition: An ACL supports various matching conditions, including the effective time range, IP protocol (such as ICMP, TCP, and UDP), source/destination IP address, and corresponding port number (such as 21, 23, and 80). For details, see ACL Matching Conditions.

ACL Classification

ACLs are classified by the matching conditions their rules support and by the scenarios they are used in. The common types are as follows:

Basic ACL

Basic ACL rules match only on source IP addresses and consume fewer CPU resources. Basic ACLs are therefore easy to deploy, but because they cannot look at the destination, protocol, or port, they cannot express fine-grained policies and provide limited protection on their own.

Advanced ACL

Compared with a basic ACL, an advanced ACL is more flexible and matches traffic in a more refined way. An advanced ACL can match on the source or destination address of a specific host or of an entire network segment, and can additionally filter on protocol information (IP, ICMP, TCP, and UDP) and on TCP/UDP port numbers.

Layer 2 ACL

To control the access permission of specific terminals on an enterprise's intranet, a Layer 2 ACL is required. A Layer 2 ACL can be used to control traffic based on Layer 2 information such as the source MAC address, destination MAC address, 802.1p priority, and Layer 2 protocol type.

User ACL

The terminals of employees in the same department of an enterprise are located on different network segments and are difficult to manage. To facilitate their access permission management, you need to add them to a user group. In this case, a user ACL is required. Compared with an advanced ACL, a user ACL adds the user group configuration item to implement traffic management and control for different user groups.

The following table lists the composition of different types of ACLs.

Table 1-1 ACL classification

Item                          Basic ACL     Advanced ACL  Layer 2 ACL   User ACL
ACL ID
  ACL number                  2000 to 2999  3000 to 3999  4000 to 4999  6000 to 6031
  ACL name                    Y             Y             Y             Y
Rule
  Rule number                 Y             Y             Y             Y
  Action (permit/deny)        Y             Y             Y             Y
Matching condition
  Effective time range        Y             Y             Y             Y
  IP protocol type            -             Y             Y             Y
  IPv4                        Y             Y             -             Y
  IPv6                        Y             Y             -             Y
  Source IP address           Y             Y             -             Y
  Source MAC address          -             -             Y             -
  Source port number          -             Y             Y             Y
  Destination IP address      -             Y             -             Y
  Destination MAC address     -             -             Y             -
  Destination port number     -             Y             Y             Y
  User group                  -             -             -             Y

Y: supported; -: not supported.

How Is an ACL Used?

Procedure

To use an ACL, perform the following steps:

  1. Configure ACL rules.

    When configuring ACL rules, you need to know in which direction the traffic you want to filter passes through the interface. As shown in the following figure, incoming traffic is traffic that enters an interface of a device (for example, a router), regardless of whether it comes from the Internet or from the intranet. Similarly, outgoing traffic is traffic that leaves an interface of the device.

    Incoming traffic and outgoing traffic

    When users on the Internet access the intranet, the source IP address of the incoming traffic passing through interface 2 of the router is a public IP address from the Internet. When users on the intranet access the Internet, the source IP address of the incoming traffic passing through interface 1 of the router is an IP address on the intranet.

  2. Apply the ACL rules to the specified directions (inbound/outbound) of the corresponding device interfaces.

    After the ACL rules are configured, you must apply the ACL to an interface, in the inbound or outbound direction, for it to take effect; an ACL that is defined but not applied filters nothing. On hardware forwarding platforms the ACL lookup is performed by the forwarding hardware rather than by the CPU, so filtering does not noticeably slow packet forwarding.

Matching Mechanism

The following figure shows the ACL matching mechanism used by the device.

ACL matching mechanism

The device compares a packet against the rules in order and stops at the first rule the packet matches; that rule's action (permit or deny) decides how the packet is handled, and later rules are not consulted. If the packet does not match a rule, the next rule is tried until the end of the ACL is reached. Generally there is an implicit deny statement at the end of the ACL, so a packet that matches no rule is discarded. Two practical consequences follow. First, rule order matters: a broad permit placed before a more specific deny shadows that deny, so specific rules normally come first. Second, the default action for unmatched packets is not universal: it depends on the platform and on the feature that references the ACL (a packet filter, NAT, and a QoS policy may each treat a non-match differently), so verify the default on the device rather than assuming it.
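The following Python block is an added example, not code from the page or from any vendor, that implements the matching mechanism just described for the financial-server policy from the earlier figure: rules are checked in ascending rule-number order, the first match wins, and the action for unmatched packets is made explicit rather than assumed. The ACL numbers, the server address 10.1.1.10 and the department subnets 10.1.2.0/24 (R&D) and 10.1.3.0/24 (president's office) are constructed for illustration. It also includes a check for shadowed rules, which the text above warns about but which the page does not show how to detect.

```python
# Added example (not vendor code): a minimal first-match ACL evaluator that
# mirrors the rule structure described on this page. The ACL numbers, host
# addresses and department subnets below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str                         # source IPv4 address
    dst: str                         # destination IPv4 address
    proto: str = "ip"                # "tcp", "udp", "icmp", or "ip" (unspecified)
    dst_port: Optional[int] = None   # destination TCP/UDP port, if any


@dataclass(frozen=True)
class Rule:
    number: int                      # rules are checked in ascending order
    action: str                      # "permit" or "deny"
    proto: str = "ip"                # "ip" matches any IP protocol
    src: str = "0.0.0.0/0"           # source prefix; default is "any"
    dst: str = "0.0.0.0/0"           # destination prefix; default is "any"
    dst_port: Optional[int] = None   # destination port; None means any

    def matches(self, pkt: Packet) -> bool:
        """True if every matching condition of this rule holds for pkt."""
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if IPv4Address(pkt.src) not in IPv4Network(self.src):
            return False
        if IPv4Address(pkt.dst) not in IPv4Network(self.dst):
            return False
        return self.dst_port is None or self.dst_port == pkt.dst_port

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by this rule."""
        proto_ok = self.proto == "ip" or self.proto == other.proto
        port_ok = self.dst_port is None or self.dst_port == other.dst_port
        return (proto_ok and port_ok
                and IPv4Network(other.src).subnet_of(IPv4Network(self.src))
                and IPv4Network(other.dst).subnet_of(IPv4Network(self.dst)))


class ACL:
    def __init__(self, acl_id: int, rules: List[Rule], default: str = "deny"):
        # `default` is the action for packets that match no rule. The page says
        # this is "generally" an implicit deny; on real devices it depends on the
        # platform and on the feature using the ACL, so it is explicit here.
        self.acl_id = acl_id
        self.rules = sorted(rules, key=lambda r: r.number)
        self.default = default

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """First match wins: return (action, rule number), or (default, None)."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule.number
        return self.default, None

    def shadowed_rules(self) -> List[int]:
        """Rule numbers that can never fire because an earlier rule covers them."""
        shadowed = []
        for i, later in enumerate(self.rules):
            if any(earlier.covers(later) for earlier in self.rules[:i]):
                shadowed.append(later.number)
        return shadowed


# Constructed scenario: financial server 10.1.1.10, R&D on 10.1.2.0/24,
# president's office on 10.1.3.0/24. Number 3000 marks an advanced ACL,
# which is needed because the rules match on the destination address.
FINANCE_ACL = ACL(3000, [
    Rule(5, "permit", src="10.1.3.0/24", dst="10.1.1.10/32"),
    Rule(10, "deny", src="10.1.2.0/24", dst="10.1.1.10/32"),
    Rule(15, "permit"),              # the rest of the intranet keeps working
])

# A mis-ordered variant: the broad permit in rule 5 shadows the deny in
# rule 10, so R&D reaches the financial server despite the deny rule.
MISORDERED_ACL = ACL(3001, [
    Rule(5, "permit", src="10.1.0.0/16"),
    Rule(10, "deny", src="10.1.2.0/24", dst="10.1.1.10/32"),
])

if __name__ == "__main__":
    for pkt in (Packet("10.1.3.5", "10.1.1.10", "tcp", 443),
                Packet("10.1.2.5", "10.1.1.10", "tcp", 443),
                Packet("10.1.2.5", "10.1.4.7", "tcp", 80)):
        print(pkt.src, "->", pkt.dst, FINANCE_ACL.evaluate(pkt))
    print("shadowed rules in ACL 3001:", MISORDERED_ACL.shadowed_rules())
```

Run it as a script to see the decisions for the three constructed packets. The `shadowed_rules` check is the one to run before applying an ACL to an interface: a reported rule number means that rule can never match and the policy it was meant to enforce is not in effect.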

ACL Application Scenarios

Applying an ACL in NAT

Through network address translation (NAT), external users can access the intranet. To ensure intranet security, you can configure ACL rules and apply them to the enterprise router so that only specific external users can access the intranet.
Applying an ACL in NAT

As shown in the preceding figure, when the traffic from hosts on the Internet to hosts on the intranet passes through the NAT device, the NAT device uses the ACL to filter the traffic. According to the configured ACL rules, the access from PC4 to PC2 is denied and the access from PC3 to PC1 is permitted.

Applying an ACL on a Firewall

Firewalls are deployed at the boundary between the intranet and external networks to prevent attacks from outside and to protect large-scale servers and important resources (such as data) on the intranet. Because the firewall filters unwanted traffic on its own forwarding hardware before that traffic reaches the servers, the servers spend no resources rejecting it; configuring ACLs on the firewall therefore protects the network without affecting server performance.

Applying an ACL on a firewall

As shown in the preceding figure, an ACL is configured on the firewall to allow only PC A to access the data center on the intranet and prohibit other external hosts from accessing the data center.

Using an ACL in QoS to Restrict Communication Between Users

Unrestricted communication between different network segments brings security risks. To restrict users' access to network segments on which they do not reside, you can apply an ACL in a QoS traffic policy.

Using an ACL to restrict communication between users on different network segments

As shown in the preceding figure, an enterprise allocates IP addresses on two network segments to the financial and marketing departments respectively. Information may leak if the two departments have unrestricted access to each other. To restrict communication between them, an ACL-based traffic policy is applied in the inbound direction of each of the router's interfaces connecting the two departments: the policy on each interface drops packets entering from that department and destined for the other, so both directions are covered while each department can still reach the rest of the network.

About This Topic
  • Author: Ding Heng
  • Updated on: 2021-10-11