What Is an ACL?
An ACL is a collection of one or more rules. A rule refers to a judgment statement that describes a packet matching condition, which may be a source address, destination address, or port number.
An ACL is essentially a rule-based packet filter. Packets matching an ACL are processed based on the policy defined in the ACL.
Why Is an ACL Used?
As a filter, an ACL can be used by a device to deny and permit specific incoming and outgoing traffic. If no ACL is used, all traffic is transmitted freely, making the network vulnerable to attacks.
As shown in the following figure, to ensure its financial data security, the enterprise applies an ACL on the router to prevent hosts of the R&D department from accessing the financial server and allow hosts of the president's office to access the financial server. An ACL configured on the router can also block the ports commonly used by network viruses, preventing malicious traffic intrusion from the Internet and protecting the intranet.
What Can an ACL Do?
An ACL implements the following functions:
- Provides secure access. If an enterprise's important server resources can be accessed without permission, the enterprise's confidential information is prone to disclosure, causing security risks. You can use an ACL to specify the servers, networks, and services that users can access, preventing unauthorized access.
- Prevents network attacks. Viruses from the Internet invade enterprise intranets and jeopardize their security. An ACL can be used to block external traffic on high-risk ports.
- Improves network bandwidth utilization. When bandwidth is consumed by whichever service happens to claim it, the bandwidth needed by voice and video services, which have the strictest service-quality requirements, cannot be guaranteed, and user experience suffers. An ACL can be used to identify and control network traffic precisely, restricting some traffic so that the quality of major services is ensured.
ACL Composition
Each ACL rule permits or denies specific traffic. Before defining a proper ACL rule, you need to understand the basic composition of an ACL.
- ACL ID: indicates a number or name used for identifying an ACL.
  - Using a number to identify an ACL: Different types of ACLs are identified by different numbers. For details, see ACL Classification.
  - Using a name to identify an ACL: A string of characters can be used to identify an ACL, which is easy to remember, like using a domain name to replace an IP address.
- Rule: indicates a judgment statement that describes a matching condition.
  - Rule number: identifies an ACL rule. All rules are arranged in ascending order of numbers.
  - Action: The value can be permit or deny, indicating that the device accepts or discards the matched packets.
  - Matching condition: An ACL supports various matching conditions, including the effective time range, IP protocol (such as ICMP, TCP, and UDP), source/destination IP address, and corresponding port number (such as 21, 23, and 80). For details, see ACL Matching Conditions.
ACL Classification
The development of ACL technology enriches the types of ACLs. Based on different rules and application scenarios, ACLs can be classified into the following types:
Basic ACL
Basic ACL rules match only on source IP addresses and consume fewer CPU resources. As such, basic ACLs are easy to deploy, but their limited matching conditions restrict the scenarios they fit, so they cannot provide strong security protection on their own.
Advanced ACL
Compared with a basic ACL, an advanced ACL provides higher scalability and can match traffic in a more refined manner. By configuring an advanced ACL, you can block traffic from or to a specific host or an entire network segment. In addition, you can use protocol information (IP, ICMP, TCP, and UDP) to filter traffic.
Layer 2 ACL
To control the access permission of specific terminals on an enterprise's intranet, a Layer 2 ACL is required. A Layer 2 ACL can be used to control traffic based on Layer 2 information such as the source MAC address, destination MAC address, 802.1p priority, and Layer 2 protocol type.
User ACL
The terminals of employees in the same department of an enterprise are located on different network segments and are difficult to manage. To facilitate their access permission management, you need to add them to a user group. In this case, a user ACL is required. Compared with an advanced ACL, a user ACL adds the user group configuration item to implement traffic management and control for different user groups.
The following table lists the composition of different types of ACLs (Y: supported; -: not supported).

| Item | Field | Basic ACL | Advanced ACL | Layer 2 ACL | User ACL |
|---|---|---|---|---|---|
| ACL ID | ACL number | 2000 to 2999 | 3000 to 3999 | 4000 to 4999 | 6000 to 6031 |
| ACL ID | ACL name | Y | Y | Y | Y |
| Rule | Rule number | Y | Y | Y | Y |
| Action | permit/deny | Y | Y | Y | Y |
| Matching condition | Effective time range | Y | Y | Y | Y |
| Matching condition | IP protocol type | - | Y | Y | Y |
| Matching condition | IPv4 | Y | Y | - | Y |
| Matching condition | | Y | Y | - | Y |
| Matching condition | Source IP address | Y | Y | - | Y |
| Matching condition | Source MAC address | - | - | Y | - |
| Matching condition | Source port number | - | Y | Y | Y |
| Matching condition | Destination IP address | - | Y | - | Y |
| Matching condition | Destination MAC address | - | - | Y | - |
| Matching condition | Destination port number | - | Y | Y | Y |
| Matching condition | User group | - | - | - | Y |
How Is an ACL Used?
Procedure
To use an ACL, perform the following steps:
- Configure ACL rules.
When configuring ACL rules, you need to know the incoming traffic and outgoing traffic. As shown in the following figure, the incoming traffic refers to the traffic that enters the interface of a device (for example, a router), regardless of whether the traffic comes from the Internet or intranet. Similarly, the outgoing traffic refers to the traffic that goes out of the interface of a device.
Incoming traffic and outgoing traffic
When users on the Internet access the intranet, the source IP address of the incoming traffic passing through interface 2 of the router is a public IP address from the Internet. When users on the intranet access the Internet, the source IP address of the incoming traffic passing through interface 1 of the router is an IP address on the intranet.
- Apply the ACL rules to the specified directions (inbound/outbound) of the corresponding device interfaces.
After the ACL rules are configured, you need to apply the ACL rules to the interfaces of the device for them to take effect. Because all ACL-based routing and forwarding decisions are made by device hardware, ACL statements can be executed more quickly.
Matching Mechanism
The following figure shows the ACL matching mechanism used by the device.
ACL matching mechanism
The device stops matching a packet against ACL rules as soon as the packet matches one rule, and then permits or denies the packet according to that matched rule. If a packet does not match a rule, the next rule in the ACL (in ascending order of rule number) is tried, until the end of the ACL is reached. Generally, there is an implicit deny statement at the end of the ACL, so a packet that matches no rule is discarded by the device. Because the first matching rule wins, the order of rules matters: a broad permit rule with a low number makes any later, narrower deny rule unreachable.
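The following is an added example, not code from the original page or from any vendor: a small Python model of the ACL composition described above (numbered ACL, rules with rule numbers, a permit/deny action and matching conditions) and of the matching mechanism (rules tried in ascending order, first match wins, implicit deny at the end). The addresses are constructed for the scenario in the text (R&D department, president's office, financial server); the class and function names are this example's own. It also adds a simple shadowed-rule check that flags rules an earlier, broader rule makes unreachable, which is the ordering mistake to look for when an ACL does not deny what it was meant to.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of Huawei-style numbered ACLs (added illustration, not vendor code).
# Basic ACLs (2000-2999) match on the source IP address only; advanced ACLs (3000-3999)
# may also match the IP protocol, the destination address and port numbers.

@dataclass
class Rule:
    number: int                        # rule number; rules are evaluated in ascending order
    action: str                        # "permit" or "deny"
    source: Optional[str] = None       # CIDR prefix; None means any
    destination: Optional[str] = None  # CIDR prefix; advanced ACLs only
    protocol: Optional[str] = None     # "tcp", "udp", "icmp"; None means any IP protocol
    dst_port: Optional[int] = None     # advanced ACLs only
    src_port: Optional[int] = None     # advanced ACLs only

@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

class ACL:
    def __init__(self, number: int):
        if not 2000 <= number <= 3999:
            raise ValueError("only basic (2000-2999) and advanced (3000-3999) ACLs are modelled")
        self.number = number
        self.rules: list[Rule] = []

    @property
    def kind(self) -> str:
        return "basic" if self.number <= 2999 else "advanced"

    def add_rule(self, rule: Rule) -> None:
        if rule.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        advanced_only = (rule.destination, rule.protocol, rule.dst_port, rule.src_port)
        if self.kind == "basic" and any(f is not None for f in advanced_only):
            raise ValueError("a basic ACL rule can only match on the source IP address")
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.number)  # keep ascending rule-number order

    @staticmethod
    def _matches(rule: Rule, pkt: Packet) -> bool:
        if rule.source and ip_address(pkt.src) not in ip_network(rule.source):
            return False
        if rule.destination and ip_address(pkt.dst) not in ip_network(rule.destination):
            return False
        if rule.protocol and rule.protocol != pkt.protocol:
            return False
        if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
            return False
        if rule.src_port is not None and rule.src_port != pkt.src_port:
            return False
        return True

    def evaluate(self, pkt: Packet) -> tuple[str, Optional[int]]:
        """First matching rule decides; a packet that matches nothing hits the implicit deny."""
        for rule in self.rules:
            if self._matches(rule, pkt):
                return rule.action, rule.number
        return "deny", None

def _covers(wide: Rule, narrow: Rule) -> bool:
    """True if every packet matching `narrow` also matches `wide`."""
    for w, n in ((wide.source, narrow.source), (wide.destination, narrow.destination)):
        if w is not None and (n is None or not ip_network(n).subnet_of(ip_network(w))):
            return False
    for w, n in ((wide.protocol, narrow.protocol), (wide.dst_port, narrow.dst_port),
                 (wide.src_port, narrow.src_port)):
        if w is not None and w != n:
            return False
    return True

def shadowed_rules(acl: ACL) -> list[int]:
    """Rule numbers that can never be hit because an earlier rule already covers them."""
    return [r.number for i, r in enumerate(acl.rules) if any(_covers(e, r) for e in acl.rules[:i])]

# Constructed addresses for the scenario in the text: 10.1.1.0/24 is R&D, 10.1.2.0/24 is
# the president's office and 10.1.3.10 is the financial server.
FINANCE_SERVER = "10.1.3.10/32"

def build_finance_acl() -> ACL:
    acl = ACL(3000)
    acl.add_rule(Rule(5, "permit", source="10.1.2.0/24", destination=FINANCE_SERVER))
    acl.add_rule(Rule(10, "deny", source="10.1.1.0/24", destination=FINANCE_SERVER))
    acl.add_rule(Rule(15, "permit"))  # everything else on the intranet
    return acl

def build_misordered_acl() -> ACL:
    """Same intent, but the catch-all permit got the lowest number, so the deny is unreachable."""
    acl = ACL(3000)
    acl.add_rule(Rule(5, "permit"))
    acl.add_rule(Rule(10, "deny", source="10.1.1.0/24", destination=FINANCE_SERVER))
    return acl

if __name__ == "__main__":
    rnd_to_finance = Packet("10.1.1.7", "10.1.3.10", "tcp", dst_port=443)
    for acl in (build_finance_acl(), build_misordered_acl()):
        print(acl.number, acl.evaluate(rnd_to_finance), "shadowed:", shadowed_rules(acl))
```

Running the module evaluates the same R&D-to-financial-server packet against both ACLs: the correctly ordered one returns the deny from rule 10, while the misordered one returns the permit from rule 5 and reports rule 10 as shadowed. The shadow check only detects the simple case of an earlier rule whose every field is unset or a superset; real devices do not perform it, which is why rule numbering deserves review before an ACL is applied to an interface.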
ACL Application Scenarios
Applying an ACL in NAT
Applying an ACL in NAT
As shown in the preceding figure, when the traffic from hosts on the Internet to hosts on the intranet passes through the NAT device, the NAT device uses the ACL to filter the traffic. According to the configured ACL rules, the access from PC4 to PC2 is denied and the access from PC3 to PC1 is permitted.
Applying an ACL on a Firewall
Firewalls are deployed at the border between the intranet and external network to block attacks from the external network and protect large-scale servers and important resources (such as data) on the intranet. ACLs are processed by the forwarding hardware of the device, so configuring ACLs on a firewall protects the network without affecting server performance.
Applying an ACL on a firewall
As shown in the preceding figure, an ACL is configured on the firewall to allow only PC A to access the data center on the intranet and prohibit other external hosts from accessing the data center.
Using an ACL in QoS to Restrict Communication Between Users
Unrestricted communication between different network segments brings security risks. To restrict users' access to network segments on which they do not reside, you can apply an ACL in a QoS traffic policy.
Using an ACL to restrict communication between users on different network segments
As shown in the preceding figure, an enterprise allocates the IP addresses on two network segments to the financial and marketing departments respectively. Information leak may occur if the two departments have unrestricted access to each other. Therefore, to restrict communication between the two departments, an ACL-based traffic policy is applied in the inbound direction of the router's interfaces connecting the two departments.
- Author: Ding Heng
- Updated on: 2024-04-15