
ACL Basics

Course Objectives

• To understand the basic concepts of ACLs.
• To know how to configure a basic ACL and an advanced ACL.
Technical Background

To allow PCs in subnet 1 to access the server and prohibit PCs in subnet 2 from accessing the server, a tool is required to match traffic.

Figure: Subnet1 (192.168.1.0/24) and Subnet2 (192.168.2.0/24) both reach the server through the gateway (GW).
ACL Overview

• ACL, short for access control list, is a sequential collection of permit and deny conditions that apply to an IP packet.
• An ACL only matches and classifies packets; it does not filter them by itself. A separate mechanism is required to filter the packets that match ACL rules. For example, you can run the traffic-filter command on a switch interface to invoke the ACL and filter traffic. The ACL itself is just a matching tool.
• An ACL can match routes as well as packets.
• ACLs are widely used and can be invoked by many applications and commands.
ACL Applications

• Matching IP traffic (against elements such as the source and destination IP addresses, source and destination port numbers, and protocol type)
• Invoked in traffic-filter
• Invoked in NAT
• Invoked in routing policies
• Invoked in IPsec VPN
• Invoked in firewall policy deployment
• Invoked in QoS
• Others…
What Is ACL

• An ACL can match traffic against elements in an IP data packet, such as the source and destination IP addresses, source and destination port numbers, and protocol type. An ACL can also be used to match routes, for example when it is invoked by a routing policy.

Figure: IP header (source IP, destination IP, protocol type) | TCP/UDP header (source port number, destination port number) | Payload


How to Identify ACLs

• By number
• By name

ACL Type        Number Range
Basic ACL       2000-2999
Advanced ACL    3000-3999


ACL Classification

• Basic ACL
A basic ACL matches traffic against only the source IP address in the IP header.

Figure: IP header (source IP) | TCP/UDP header | Payload


ACL Classification

• Advanced ACL
An advanced ACL matches traffic against elements such as the source and destination IP addresses, source and destination port numbers, and protocol type.

Figure: IP header (source IP, destination IP, protocol type) | TCP/UDP header (source port number, destination port number) | Payload


ACL Matching Order

acl xxx
rule 5 (permit/deny) matching criteria
rule 10 (permit/deny) matching criteria
…
rule N (permit/deny) matching criteria

Rules are checked in ascending order of rule ID. The first rule whose criteria match the packet determines the action (permit or deny), and the remaining rules are not examined. A more specific rule must therefore have a lower ID than a broader rule that would also match the same traffic.


ACL Configuration: Basic ACL

Objects to be matched (hosts on 192.168.1.0/24): 192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.4, 192.168.1.5, …

Basic ACL:
acl 2000
rule 1 permit source 192.168.1.1 0.0.0.0
rule 2 permit source 192.168.1.2 0.0.0.0
rule 3 permit source 192.168.1.3 0.0.0.0
rule 4 deny source 0.0.0.0 255.255.255.255

IP addresses matched: rules 1 to 3 match 192.168.1.1, 192.168.1.2 and 192.168.1.3 (permit); rule 4 matches every other address, including 192.168.1.4 and 192.168.1.5 (deny).


ACL Configuration: Basic ACL

• Create a basic ACL by number and enter the ACL view.
[Huawei] acl acl-number
[Huawei-acl-basic-acl-number]
The basic ACL number range is 2000 to 2999.
• Create a rule.
[Huawei-acl-basic-acl-number] rule [ rule-id ] { permit | deny } source source-address source-wildcard

One or more rules can be created in an ACL; this is where the "list" comes from. Each rule has an ID, which is either allocated automatically by the system or assigned manually. Rules are displayed by ID in ascending order.
Wildcard

• 0: the corresponding bit must match.
• 1: the corresponding bit is not checked.

Address  192.168.1.0 = 11000000 10101000 00000001 00000000
Wildcard 0.0.0.255   = 00000000 00000000 00000000 11111111
                       matching required (wildcard bits 0)   matching not required (wildcard bits 1)


Special Wildcard

192.168.1.1 0.0.0.0 (shorthand: 192.168.1.1 0): exact match of 192.168.1.1.

0.0.0.0 255.255.255.255 (shorthand: any): matches all IP addresses.


Wildcard Example

In this example, the odd host addresses in subnet 192.168.1.0/24 need to be matched: 192.168.1.1, 192.168.1.3, 192.168.1.5, and so on.

Address        First three octets    Last octet (binary)
192.168.1.1    192.168.1             0 0 0 0 0 0 0 1
192.168.1.3    192.168.1             0 0 0 0 0 0 1 1
192.168.1.5    192.168.1             0 0 0 0 0 1 0 1
…

The first three octets must match strictly, and so must the lowest bit of the last octet (always 1 for an odd address); the other seven bits of the last octet need not match.

Rule: 192.168.1.1 0.0.0.254 (wildcard last octet 1 1 1 1 1 1 1 0 = 254)
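The wildcard rules above, worked in Python as an added example (this code is not part of the course material). Besides checking whether an address matches a base/wildcard pair, it derives the tightest wildcard that covers a list of addresses and lists what else that wildcard lets through, because a wildcard that is looser than intended is the usual way an ACL permits more than it should. The helper names and the address lists are this example's own.

```python
# Added example, not part of the course material: wildcard-mask semantics of a
# basic ACL rule, plus a check for what a computed wildcard matches beyond the
# addresses it was built from.
import ipaddress
from typing import Iterable, List, Tuple


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0: the packet bit must equal the rule bit. Bit 1: the bit is ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF          # bits that are compared
    return (to_int(addr) & care) == (to_int(base) & care)


def covering_wildcard(addrs: Iterable[str]) -> Tuple[str, str]:
    """Tightest base/wildcard pair that matches every address given (at least one
    address is assumed): a bit is a don't-care (1) exactly when the addresses
    disagree on it."""
    ints = [to_int(a) for a in addrs]
    differ = 0
    for x in ints[1:]:
        differ |= ints[0] ^ x
    base = ints[0] & ~differ & 0xFFFFFFFF          # don't-care bits cleared in the base
    return to_str(base), to_str(differ)


def matched_addresses(base: str, wildcard: str, max_bits: int = 10) -> List[str]:
    """Every address the pair matches, found by enumerating the don't-care bits.
    Bounded so a wide wildcard such as 255.255.255.255 cannot blow up."""
    b, w = to_int(base), to_int(wildcard)
    bits = [i for i in range(32) if (w >> i) & 1]
    if len(bits) > max_bits:
        raise ValueError("wildcard has %d don't-care bits; refusing to enumerate" % len(bits))
    fixed = b & ~w & 0xFFFFFFFF
    out = []
    for combo in range(1 << len(bits)):
        v = fixed
        for j, bit in enumerate(bits):
            if (combo >> j) & 1:
                v |= 1 << bit
        out.append(to_str(v))
    return out


def overmatch(addrs: Iterable[str]) -> List[str]:
    """Addresses the covering wildcard lets through that were not asked for: the
    check to run before putting a computed wildcard into a permit rule."""
    wanted = set(addrs)
    base, wildcard = covering_wildcard(wanted)
    return sorted((a for a in matched_addresses(base, wildcard) if a not in wanted), key=to_int)


if __name__ == "__main__":
    # The slide's rule for odd addresses: 192.168.1.1 0.0.0.254
    odd = matched_addresses("192.168.1.1", "0.0.0.254")
    print("192.168.1.1 0.0.0.254 matches", len(odd), "addresses, first:", odd[:3])
    # Constructed list of three hosts an operator wants to permit
    hosts = ["192.168.1.1", "192.168.1.3", "192.168.1.5"]
    print("covering pair:", covering_wildcard(hosts))
    print("also matched, not requested:", overmatch(hosts))
```

covering_wildcard for the three hosts returns 192.168.1.1 0.0.0.6, which is tighter than the slide's 0.0.0.254 but still matches 192.168.1.7; overmatch reports that, which is the point: a wildcard is a bit pattern, not a list, and every pattern derived from a handful of addresses should be expanded and reviewed before it appears in a permit rule.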


Basic ACL Configuration Example

Topology:
PC1 192.168.1.1/24, gateway 192.168.1.254
PC2 192.168.1.2/24, gateway 192.168.1.254
GW: GE0/0/0 192.168.1.254 (toward PC1 and PC2), GE0/0/1 10.1.1.254 (toward the server)
Server 10.1.1.1/24, gateway 10.1.1.254

Requirements:
• Initially, both PC1 and PC2 can access the server.
• Apply an ACL on the gateway interface so that PC2 cannot access the server while other users on the same network segment still can.
Basic ACL Configuration Example

• Gateway configuration:
[GW] acl 2000
[GW-acl-basic-2000] rule 5 deny source 192.168.1.2 0
# The preceding command is equivalent to: rule 5 deny source 192.168.1.2 0.0.0.0
[GW-acl-basic-2000] rule 10 permit
[GW-acl-basic-2000] quit
[GW] interface GigabitEthernet0/0/0
[GW-GigabitEthernet0/0/0] traffic-filter inbound acl 2000

rule permit with no source means "permit any". When an ACL is invoked by the interface command traffic-filter, traffic that matches no rule is permitted by default, so rule 10 permit is optional in this example. It is still worth configuring: the display acl command then shows the number of packets permitted by that rule, which makes the effect of the filter visible.

Because a basic ACL matches only the source address, rule 5 drops every packet from PC2 that enters GE0/0/0, not only packets addressed to the server. In this topology that satisfies the requirement; if PC2 must keep reaching other destinations through the gateway, an advanced ACL that also matches the destination is needed.
Advanced ACL Configuration Example

Topology:
PC1 192.168.1.1/24, gateway 192.168.1.254
PC2 192.168.1.2/24, gateway 192.168.1.254
GW: GE0/0/0 192.168.1.254 (toward PC1 and PC2), GE0/0/1 10.1.1.254 (toward the servers)
Server1 10.1.1.1, gateway 10.1.1.254
Server2 10.1.1.2, gateway 10.1.1.254

Requirements:
• Initially, both PC1 and PC2 can access Server1 and Server2.
• Apply an ACL on the gateway interface to prohibit PC2 from accessing Server2 only.
Advanced ACL Configuration Example

• Gateway configuration:
[GW] acl 3000
[GW-acl-adv-3000] rule deny ip source 192.168.1.2 0 destination 10.1.1.2 0
[GW-acl-adv-3000] rule permit ip
[GW-acl-adv-3000] quit
[GW] interface GigabitEthernet0/0/0
[GW-GigabitEthernet0/0/0] traffic-filter inbound acl 3000
ACL Configuration: Meanings of Operators

Operator and Syntax              Description
equal portnumber                 Equal to the port number.
greater-than portnumber          Greater than the port number.
less-than portnumber             Less than the port number.
not-equal portnumber             Not equal to the port number.
range portnumber1 portnumber2    Between port number 1 and port number 2, both included.
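A model of how an advanced ACL invoked by traffic-filter decides a packet, as an added example that is not part of the course material: rules are evaluated in ascending rule-ID order, the first match decides, port conditions use the operators from the table above (the table's operator names are used as dictionary keys), and a packet that matches no rule is permitted. Rule 5 is the one from the ACL 3000 example; the rules with IDs 10 to 20, the packet format and the Rule/Acl classes are this example's assumptions.

```python
# Added example, not part of the course material: a small model of advanced ACL
# evaluation (ascending rule IDs, first match wins, unmatched traffic permitted
# as traffic-filter does). Rule and packet formats are this example's own.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # address/wildcard pair that matches everything


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0: packet bit must equal the rule bit; bit 1: not examined.
    The slide's shorthand "0" for 0.0.0.0 is accepted as well."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


# Port operators from the table, keyed by the table's own operator names.
PORT_OPERATORS = {
    "equal":        lambda p, a, b: p == a,
    "greater-than": lambda p, a, b: p > a,
    "less-than":    lambda p, a, b: p < a,
    "not-equal":    lambda p, a, b: p != a,
    "range":        lambda p, a, b: a <= p <= b,
}


@dataclass
class Rule:
    rule_id: int
    action: str                                  # "permit" or "deny"
    protocol: str = "ip"                         # "ip" matches any protocol
    source: Tuple[str, str] = ANY                # (address, wildcard)
    destination: Tuple[str, str] = ANY
    source_port: Optional[Tuple[str, int, Optional[int]]] = None        # (operator, p1, p2)
    destination_port: Optional[Tuple[str, int, Optional[int]]] = None

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ip" and pkt["protocol"] != self.protocol:
            return False
        if not wildcard_match(pkt["src"], *self.source):
            return False
        if not wildcard_match(pkt["dst"], *self.destination):
            return False
        for spec, key in ((self.source_port, "sport"), (self.destination_port, "dport")):
            if spec is None:
                continue
            if pkt.get(key) is None:             # a port condition never matches a port-less protocol (ICMP)
                return False
            op, p1, p2 = spec
            if not PORT_OPERATORS[op](pkt[key], p1, p2):
                return False
        return True


@dataclass
class Acl:
    number: int
    rules: List[Rule] = field(default_factory=list)

    def add(self, rule: Rule) -> None:
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.rule_id)   # rules are kept and checked in ascending ID order

    def evaluate(self, pkt: dict) -> Tuple[str, Optional[int]]:
        """(action, rule_id) of the first matching rule; ("permit", None) when no
        rule matches, which is what traffic-filter does with unmatched traffic."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule.rule_id
        return "permit", None


def packet(protocol: str, src: str, dst: str, sport=None, dport=None) -> dict:
    return {"protocol": protocol, "src": src, "dst": dst, "sport": sport, "dport": dport}


def build_acl3000() -> Acl:
    """Rule 5 is the slide's rule; rules 10-20 are hypothetical additions that allow
    only HTTP and HTTPS from anywhere to the server segment and drop the rest of it."""
    acl = Acl(3000)
    acl.add(Rule(5, "deny", "ip", source=("192.168.1.2", "0"), destination=("10.1.1.2", "0")))
    acl.add(Rule(10, "permit", "tcp", destination=("10.1.1.0", "0.0.0.255"),
                 destination_port=("equal", 80, None)))
    acl.add(Rule(15, "permit", "tcp", destination=("10.1.1.0", "0.0.0.255"),
                 destination_port=("equal", 443, None)))
    acl.add(Rule(20, "deny", "ip", destination=("10.1.1.0", "0.0.0.255")))
    return acl


if __name__ == "__main__":
    acl = build_acl3000()
    for p in (packet("tcp", "192.168.1.2", "10.1.1.2", 40000, 443),   # PC2 -> Server2: rule 5
              packet("tcp", "192.168.1.1", "10.1.1.2", 40000, 443),   # PC1 -> Server2 HTTPS: rule 15
              packet("tcp", "192.168.1.1", "10.1.1.1", 40000, 22),    # PC1 -> Server1 SSH: rule 20
              packet("udp", "192.168.1.1", "192.168.2.7", 5000, 53)): # nothing matches: default permit
        print(p["src"], "->", p["dst"], p["protocol"], p["dport"], acl.evaluate(p))
```

Two things the model makes visible: the last packet is permitted by no rule at all, so an ACL that is meant to deny "everything else" needs an explicit trailing deny rather than relying on the traffic-filter default; and adding rule 3 permit ip source 192.168.1.2 0 to the same ACL would silently override rule 5 for PC2, because the lower ID is checked first.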


ACL Configuration: Creating an ACL by Name

• Create a basic ACL by name.
[GW] acl name xxx basic
• Create an advanced ACL by name.
[GW] acl name xxx advance
