
Table of Contents

ACL Configuration ........ 1
  ACL Overview ........ 1
    IPv4 ACL Classification ........ 1
    IPv4 ACL Rule Order ........ 1
    Rule Numbering Step with IPv4 ACLs ........ 3
    Effective Time Period of an IPv4 ACL ........ 3
    IP Fragments Filtering with IPv4 ACL ........ 4
    IPv4 ACL Acceleration ........ 4
  Configuring an ACL ........ 4
    Configuration Task List ........ 4
    Creating an ACL ........ 5
    Configuring a Basic ACL Rule ........ 6
    Configuring an Advanced ACL Rule ........ 7
    Configuring an Ethernet Frame Header ACL Rule ........ 9
    Configuring ACL Acceleration ........ 11
  ACL Configuration Example ........ 11
  Configuration Guidelines ........ 15

ACL Configuration

NOTE: Currently, the Web interface supports only configuration of IPv4 ACLs. Therefore, this chapter covers only IPv4 ACLs, and the term ACL refers to IPv4 ACL throughout this chapter.

ACL Overview

An access control list (ACL) is a set of rules (that is, a set of permit or deny statements) for identifying traffic based on matching criteria such as source address, destination address, and port number. The selected traffic is then permitted or rejected by predefined security policies. ACLs are widely used in technologies where traffic identification is desired, such as packet filtering and QoS.

IPv4 ACL Classification

IPv4 ACLs, identified by ACL numbers, fall into four categories, as shown in Table 1.

Table 1 IPv4 ACL categories

Category                   ACL number     Matching criteria
Basic IPv4 ACL             2000 to 2999   Source IP address
Advanced IPv4 ACL          3000 to 3999   Source IP address, destination IP address, protocol carried over IP, and other Layer 3 or Layer 4 protocol header information
Ethernet frame header ACL  4000 to 4999   Layer 2 protocol header fields such as source MAC address, destination MAC address, 802.1p priority, and link layer protocol type
User-defined ACL           5000 to 5999   Customized information of protocol headers such as IP and MPLS headers

NOTE: The web interface does not support configuration of user-defined ACLs.

IPv4 ACL Rule Order

An ACL may contain multiple rules, that is, match criteria. As these criteria may overlap or conflict, and the comparison of a packet against ACL rules stops immediately after a match is found (the packet is then processed as per the rule), the rule order is important in determining which match criteria will apply. Two rule orders are available for IPv4 ACLs:

- config: ACL rules are sorted in ascending order of rule ID. That is, a rule with a smaller ID number has a higher priority.

- auto: ACL rules are sorted in depth-first order. The depth-first order differs with ACL types.

Depth-first for a basic IPv4 ACL

The following table shows how the device sorts the rules of a basic IPv4 ACL to determine the depth-first order of the rules. If a sorting criterion cannot determine the order of some rules, the next criterion is applied, until the order of all rules is determined:

Step  Sort by                          Precedence Remarks
1     VPN instance                     A rule configured with a VPN instance takes precedence.
2     Source IP address wildcard mask  A rule with more 0s in the source IP address wildcard mask takes precedence. More 0s means a narrower IP address range.
3     Rule ID                          A rule with a smaller ID number takes precedence.

NOTE: A wildcard mask is in dotted decimal notation. The 0s of its binary value mean "match" and the 1s mean "do not care", which is the opposite of the meanings of the values in a subnet mask. For example, a wildcard mask of 0.0.0.255 corresponds to a subnet mask of 255.255.255.0. In addition, it is not required that the 0s or 1s in the wildcard mask be contiguous. For example, 0.255.0.255 is a valid wildcard mask. This makes configuring match criteria flexible.

Depth-first for an advanced IPv4 ACL

The following table shows how the device sorts the rules of an advanced IPv4 ACL to determine the depth-first order of the rules. If a sorting criterion cannot determine the order of some rules, the next criterion is applied, until the order of all rules is determined:

Step  Sort by                               Precedence Remarks
1     VPN instance                          A rule configured with a VPN instance takes precedence.
2     Protocol range                        A rule configured with a specific protocol takes precedence over a rule with the protocol type set to IP. IP means any protocol carried over IP.
3     Source IP address wildcard mask       A rule with more 0s in the source IP address wildcard mask takes precedence. More 0s means a narrower IP address range.
4     Destination IP address wildcard mask  A rule with more 0s in the destination IP address wildcard mask takes precedence. More 0s means a narrower IP address range.
5     Layer 4 service port number range     A rule with a narrower port number range takes precedence. Layer 4 service port number refers to the TCP/UDP port number.
6     Rule ID                               A rule with a smaller ID number takes precedence.
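The wildcard-mask semantics in the NOTE and the depth-first sort in the two tables above can be checked in code. The following Python is an added example, not part of the original guide or the device's firmware: the rule dictionaries, their field names (rule_id, vpn_instance, protocol, src_wildcard, dst_wildcard, ports) and the sample rule set are constructed here. The one sort key covers both basic and advanced IPv4 ACLs, because a basic ACL rule simply has no protocol, destination or port fields, so those criteria tie and the key falls back to VPN instance, source wildcard and rule ID.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF
ANY_WILDCARD = "255.255.255.255"   # every bit "do not care": matches any address
ANY_PORTS = (0, 65535)             # no port criterion: the widest possible range


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_matches(packet_addr: str, rule_addr: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard means the address bit must match; a 1 bit means
    'do not care'. Bits need not be contiguous, so 0.255.0.255 is a valid mask."""
    care = _ip(wildcard) ^ ALL_ONES            # invert: 1 bits are the bits compared
    return (_ip(packet_addr) & care) == (_ip(rule_addr) & care)


def wildcard_to_subnet_mask(wildcard: str) -> str:
    """0.0.0.255 corresponds to subnet mask 255.255.255.0 (meaningful for contiguous masks)."""
    return str(ipaddress.IPv4Address(_ip(wildcard) ^ ALL_ONES))


def zero_bits(wildcard: str) -> int:
    """More 0 bits in the wildcard = narrower address range = higher precedence."""
    return 32 - bin(_ip(wildcard)).count("1")


def depth_first_key(rule: dict) -> tuple:
    """Sort key for the auto (depth-first) order. Tuples compare element by element,
    and each element is arranged so that a smaller value means 'takes precedence';
    a tie on one criterion falls through to the next, as the tables describe."""
    lo, hi = rule.get("ports", ANY_PORTS)
    return (
        0 if rule.get("vpn_instance") else 1,                 # 1. VPN instance first
        0 if rule.get("protocol", "ip") != "ip" else 1,        # 2. specific protocol before IP
        -zero_bits(rule.get("src_wildcard", ANY_WILDCARD)),    # 3. more 0s in source wildcard
        -zero_bits(rule.get("dst_wildcard", ANY_WILDCARD)),    # 4. more 0s in destination wildcard
        hi - lo,                                               # 5. narrower TCP/UDP port range
        rule["rule_id"],                                       # 6. smaller rule ID
    )


def auto_order(rules: list) -> list:
    """Rule IDs in the order the device would evaluate them under match order Auto."""
    return [r["rule_id"] for r in sorted(rules, key=depth_first_key)]


def config_order(rules: list) -> list:
    """Rule IDs in the order the device would evaluate them under match order Config."""
    return sorted(r["rule_id"] for r in rules)


# Constructed sample rules for an advanced ACL (not taken from the guide).
SAMPLE_RULES = [
    {"rule_id": 0, "src": "192.168.1.0", "src_wildcard": "0.0.0.255"},
    {"rule_id": 5, "src": "192.168.1.2", "src_wildcard": "0.0.0.0"},
    {"rule_id": 10, "vpn_instance": "vpn1"},
    {"rule_id": 15, "protocol": "tcp", "ports": (80, 80)},
    {"rule_id": 20, "protocol": "tcp", "ports": (1024, 65535)},
]

if __name__ == "__main__":
    print("config order:", config_order(SAMPLE_RULES))
    print("auto order:  ", auto_order(SAMPLE_RULES))
```

Note how different the two orders are for the same rule set: under Config the host-specific rule 5 is evaluated after the /24 rule 0, whereas under Auto the VPN rule and both TCP rules precede it, and rule 5 precedes rule 0 because 0.0.0.0 has more 0 bits than 0.0.0.255. Whether a packet is permitted or denied can therefore depend on the match order chosen when the ACL is created.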

Depth-first for an Ethernet frame header ACL

The following table shows how the device sorts the rules of an Ethernet frame header ACL to determine the depth-first order of the rules. If a sorting criterion cannot determine the order of some rules, the next criterion is applied, until the order of all rules is determined:

Step  Sort by                       Precedence Remarks
1     Source MAC address mask       A rule with more 1s in the source MAC address mask takes precedence. More 1s means a narrower MAC address range.
2     Destination MAC address mask  A rule with more 1s in the destination MAC address mask takes precedence. More 1s means a narrower MAC address range.
3     Rule ID                       A rule with a smaller ID number takes precedence.

Rule Numbering Step with IPv4 ACLs

NOTE: The web interface does not support ACL step configuration. By default, the numbering step is 5.

Meaning of the rule numbering step

The ACL rule numbering step exists to allow new rules to be inserted into an ACL that already contains rules. It defines the increment by which the system numbers rules automatically. By default, the rule numbering step is 5, and rules are automatically numbered 0, 5, 10, 15, and so on.

Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2, 4, 6, and 8. Likewise, when the default step is restored, ACL rules are renumbered in the default step. Assume that there are four ACL rules numbered 0, 2, 4, and 6 in steps of 2. When the default step is restored, the rules are renumbered 0, 5, 10, and 15.

Benefits of using the rule numbering step

A bigger step means more numbering flexibility. This is helpful when the config rule order is adopted, with which ACL rules are sorted in ascending order of rule ID. If no ID is specified for a rule when the rule is created, the system automatically assigns it the smallest multiple of the step that is bigger than the current biggest rule ID, starting with 0. For example, given a step of 5, if the current biggest rule ID is 28, the newly defined rule is numbered 30. If the ACL does not contain any rule, the first defined rule is numbered 0.

Effective Time Period of an IPv4 ACL

You can control when an ACL rule takes effect for packet filtering by referencing a time range in the rule. A referenced time range can be one that has not been created yet. The rule, however, can take effect only after the time range is defined and becomes active. For information about time ranges, see Time Range Resource Configuration.
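The numbering, renumbering and automatic ID assignment described under "Rule Numbering Step with IPv4 ACLs" are small enough to model exactly. The following Python is an added example, not code from the guide or the device: the NumberedAcl class, its method names and the free-text "statement" used to stand in for a permit/deny rule are this example's own constructs. It reproduces the two renumbering examples in the text (5, 10, 13, 15, 20 with step 2 and 0, 2, 4, 6 with step 5) and the "biggest ID 28 gives 30" assignment, and it also enforces configuration guideline 1 (no two rules with the same statement).

```python
from typing import Optional

DEFAULT_STEP = 5


class NumberedAcl:
    """Rules keyed by rule ID. Under the config match order the device evaluates
    rules in ascending ID, so the gaps the step leaves are where new rules can
    later be inserted without renumbering everything."""

    def __init__(self, step: int = DEFAULT_STEP):
        self.step = step
        self.rules = {}   # rule_id -> permit/deny statement (free text in this example)

    def next_rule_id(self) -> int:
        """Smallest multiple of the step that is bigger than the current biggest
        rule ID, or 0 for an empty ACL."""
        if not self.rules:
            return 0
        return (max(self.rules) // self.step + 1) * self.step

    def add_rule(self, statement: str, rule_id: Optional[int] = None) -> int:
        """Add a rule with an explicit ID, or let the step assign one. Guideline 1
        of the chapter: an ACL cannot hold two rules with the same statement."""
        if statement in self.rules.values():
            raise ValueError(f"rule with statement {statement!r} already exists")
        if rule_id is None:
            rule_id = self.next_rule_id()
        self.rules[rule_id] = statement
        return rule_id

    def rule_ids(self) -> list:
        return sorted(self.rules)

    def set_step(self, step: int) -> list:
        """Changing the step renumbers every rule from 0 in multiples of the new
        step, preserving the relative order. Returns the new IDs."""
        self.step = step
        self.rules = {i * step: self.rules[old] for i, old in enumerate(self.rule_ids())}
        return self.rule_ids()


if __name__ == "__main__":
    acl = NumberedAcl()
    for i in range(4):
        acl.add_rule(f"permit host {i}")       # auto-numbered 0, 5, 10, 15
    acl.add_rule("permit inserted later", 3)   # slotted between 0 and 5 under config order
    print(acl.rule_ids(), "next:", acl.next_rule_id())
    print("step 2:", acl.set_step(2))
```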

IP Fragments Filtering with IPv4 ACL

Traditional packet filtering performs the match operation on only the first fragments; all subsequent non-first fragments are allowed to pass through. Because attackers may fabricate non-first fragments to attack your network, this creates security risks. The following fragment filtering capabilities address them:

- IP-based filtering on all fragments.
- Standard match and exact match of ACLs containing advanced information such as TCP/UDP port number and ICMP type. The default is standard match.

NOTE: Standard match considers only Layer 3 attributes. Exact match considers all ACL rule criteria. These two ACL rule matching approaches are available only on firewalls.

IPv4 ACL Acceleration

Session-based service processing usually performs policy matching for the first packets of a session and processes the subsequent packets based on the session information it maintains. This accelerates the processing of subsequent packets but cannot improve the matching speed of the first packets. When a large number of users try to connect to the device at the same time, an ACL rule search is performed before each connection is established. If the ACL contains a large number of rules, the search may take a very long time, and user connections may not be established for a long period.

The ACL acceleration feature speeds up the matching process of an ACL that contains a large number of rules, improving the forwarding performance and connection setup performance of the device:

- Without ACL acceleration: The system performs a linear search on all rules for packet matching. If the ACL has a large number of rules and one of the last ones is matched, matching performance will be very low.
- With ACL acceleration: The system reorganizes and saves the rules in four levels of hash tables, called a quick lookup database. This mechanism can improve the matching speed dramatically.

Because a quick lookup database uses system memory, it is recommended that you enable ACL acceleration only when the ACL contains a large number of rules (for example, more than 1000 rules). If the ACL contains few rules, enabling ACL acceleration helps little in improving matching speed but consumes a great deal of memory.

Configuring an ACL

Configuration Task List

Perform the tasks in Table 2 to configure an ACL.

Table 2 ACL configuration task list

Task                                            Remarks
Creating an ACL                                 Required. The category of the created ACL depends on the ACL number that you specify.
Configuring a Basic ACL Rule                    Required. Complete one of the three tasks according to the ACL category.
Configuring an Advanced ACL Rule
Configuring an Ethernet Frame Header ACL Rule
Configuring ACL Acceleration                    Optional. Necessary only when the ACL contains a large number of ACL rules. IMPORTANT: Only basic IPv4 ACLs and advanced IPv4 ACLs support ACL acceleration.

Creating an ACL

After you select Firewall > ACL from the navigation tree, all existing ACLs are displayed in the right pane, as shown in Figure 1. Click Add to enter the ACL configuration page, as shown in Figure 2.

Figure 1 ACL list

Figure 2 ACL configuration page

Table 3 describes the configuration items for creating an ACL.

Table 3 ACL configuration items

ACL Number: Type a number for the ACL.
Match Order: Select a match order for the ACL. Available values are:
  - Config: ACL rules are sorted in ascending order of rule ID. That is, a rule with a smaller ID number has a higher priority.
  - Auto: ACL rules are sorted in depth-first order.

Return to ACL configuration task list.

Configuring a Basic ACL Rule

Select Firewall > ACL from the navigation tree. Then, select the basic ACL for which you want to configure ACL rules from the ACL list in the right pane and click the corresponding icon in the Operation column to display all existing rules of the ACL, as shown in Figure 3. Click Add to enter the basic ACL rule configuration page, as shown in Figure 4.

Figure 3 List of basic ACL rules

Figure 4 Basic ACL rule configuration page

Table 4 describes the configuration items for creating a basic ACL rule.

Table 4 Basic ACL rule configuration items

Rule ID: Select the Rule ID check box and type a number for the rule. If you do not specify the rule number, the system assigns one automatically.
Operation: Select the operation to be performed for packets matching the rule.
  - Permit: Allows matched packets to pass.
  - Deny: Drops matched packets.
Time Range: Select a time range for the rule. If you select None, the rule is always effective. The time range to be referenced must have been configured by selecting Resource > Time Range from the navigation tree.
Non-first Fragments Only: Select this check box to apply the rule to only non-first fragments. If you do not select this check box, the rule applies to all fragments and non-fragments.
Logging: Select this check box to keep a log of matched packets. A log entry contains the ACL rule number, the operation for the matched packets, the protocol that IP carries, the source/destination address, the source/destination port number, and the number of matched packets.
Source IP Address / Source Wildcard: Select the Source IP Address check box and type a source IP address and source wildcard, in dotted decimal notation.
VPN Instance: Specify the VPN instance. If you select None, the rule is effective for only non-VPN packets.

Return to ACL configuration task list.

Configuring an Advanced ACL Rule

Select Firewall > ACL from the navigation tree. Then, select the advanced ACL for which you want to configure ACL rules from the ACL list in the right pane and click the corresponding icon in the Operation column to list all existing rules of the ACL, as shown in Figure 5. Click Add to enter the advanced ACL rule configuration page, as shown in Figure 6.

Figure 5 List of advanced ACL rules

Figure 6 Advanced ACL rule configuration page

Table 5 describes the configuration items for creating an advanced ACL rule.

Table 5 Advanced ACL rule configuration items

Rule ID: Select the Rule ID check box and type a number for the rule. If you do not specify the rule number, the system assigns one automatically.
Operation: Select the operation to be performed for packets matching the rule.
  - Permit: Allows matched packets to pass.
  - Deny: Drops matched packets.
Time Range: Select a time range for the rule. If you select None, the rule is always effective. Define the time ranges to be referenced by selecting Resource > Time Range from the navigation tree.
Non-first Fragments Only: Select this check box to apply the rule to only non-first fragments. If you do not select this check box, the rule applies to all fragments and non-fragments.
Logging: Select this check box to keep a log of matched IPv4 packets. A log entry contains the ACL rule number, the operation for the matched packets, the protocol that IP carries, the source/destination address, the source/destination port number, and the number of matched packets.
Source IP Address / Source Wildcard: Select the Source IP Address check box and type a source IP address and source wildcard, in dotted decimal notation.
Destination IP Address / Destination Wildcard: Select the Destination IP Address check box and type a destination IP address and destination wildcard, in dotted decimal notation.
VPN Instance: Specify the VPN instance. If you select None, the rule is effective for only non-VPN packets.
Protocol: Select the protocol to be carried by IP. If you select 1 ICMP, you can configure the ICMP message type and code; if you select 6 TCP or 17 UDP, you can configure the TCP or UDP specific items.
ICMP Message / ICMP Type / ICMP Code: Specify the ICMP message type and code. These items are available only when you select 1 ICMP from the Protocol drop-down box. If you select Others from the ICMP Message drop-down box, you need to type values in the ICMP Type and ICMP Code fields. Otherwise, the two fields take the default values, which cannot be changed.
TCP Connection Established: If you select this check box, the rule matches packets used for establishing and maintaining TCP connections. This item is available only when you select 6 TCP from the Protocol drop-down box. On a firewall, a rule with this item configured matches TCP connection packets with the ACK or RST flag.
Source Operator / Source Port / Destination Operator / Destination Port: Select the operators and type the source port numbers and destination port numbers as required. These items are available only when you select 6 TCP or 17 UDP from the Protocol drop-down box. Different operators have different configuration requirements for the port number fields:
  - None: The following port number fields cannot be configured.
  - inclusive range: The following port number fields must be configured to define a port range.
  - Other values: The first port number field must be configured and the second must not.
ToS: Specify the ToS preference.
Precedence: Specify the IP precedence.
DSCP: Specify the DSCP priority.
  IMPORTANT: If you configure the IP precedence or ToS precedence in addition to the DSCP priority, the DSCP priority takes effect.

Return to ACL configuration task list.

Configuring an Ethernet Frame Header ACL Rule

Select Firewall > ACL from the navigation tree. Then, select the Ethernet frame header ACL for which you want to configure ACL rules from the ACL list in the right pane and click the corresponding icon in the Operation column to list all existing rules of the ACL, as shown in Figure 7. Click Add to enter the configuration page for Ethernet frame header ACL rules, as shown in Figure 8.

Figure 7 List of Ethernet frame header ACL rules

Figure 8 Ethernet frame header ACL rule configuration page

Table 6 describes the configuration items for creating an Ethernet frame header ACL rule.

Table 6 Ethernet frame header ACL rule configuration items

Rule ID: Select the Rule ID check box and type a number for the rule. If you do not specify the rule number, the system assigns one automatically.
Operation: Select the operation to be performed for packets matching the rule.
  - Permit: Allows matched packets to pass.
  - Deny: Drops matched packets.
Time Range: Select a time range for the rule. If you select None, the rule is always effective. Define the time ranges to be referenced by selecting Resource > Time Range from the navigation tree.
Source MAC Address / Source Wildcard: Select the Source MAC Address check box and specify the source MAC address and wildcard.
Destination MAC Address / Destination Wildcard: Select the Destination MAC Address check box and specify the destination MAC address and wildcard.
LSAP Type / LSAP Wildcard: Select the LSAP Type check box and specify the DSAP and SSAP fields in the LLC encapsulation by configuring the following two items:
  - LSAP Type: Indicates the frame encapsulation format.
  - LSAP Wildcard: Indicates the LSAP wildcard.
Protocol Type / Protocol Wildcard: Select the Protocol Type check box and specify the link layer protocol by configuring the following two items:
  - Protocol Type: Indicates the frame type. It corresponds to the type-code field in Ethernet_II and Ethernet_SNAP frames.
  - Protocol Wildcard: Indicates the wildcard.

Return to ACL configuration task list.

Configuring ACL Acceleration

Select Firewall > ACL from the navigation tree to enter the page shown in Figure 1. All existing ACLs are displayed in the right pane. You can enable or disable ACL acceleration for an ACL through the ACL Acceleration column, which shows one of three icons:

- An icon indicating that the ACL is not accelerated. You can click the Start Accelerating link to enable ACL acceleration.
- An icon indicating that the ACL is accelerated. You can click the Stop Accelerating link to disable ACL acceleration.
- An icon indicating that the ACL has been modified after it was configured with ACL acceleration. You can click the Start Accelerating link to enable ACL acceleration again, making the changes to the ACL take effect.

Return to ACL configuration task list.

ACL Configuration Example

Network requirements

As shown in Figure 9, Host A connects to Device through GigabitEthernet 0/1. Configure an ACL to:

- Allow Host A to access Device using HTTP.
- Allow hosts on other segments to access Device using HTTP on only working days.

Figure 9 Network diagram for ACL configuration

Configuration procedure

Step 1 Create a time range

# Create a periodic time range of Saturday and Sunday.

Select Resource > Time Range from the navigation tree and then click Add. Create a time range as shown in Figure 10.

Figure 10 Create a time range

- Type time in the Name text box.
- Select the Periodic Time Range check box.
- Select the Sun. and Sat. check boxes.
- Click Apply.

Step 2 Define an ACL

# Create a basic ACL.

Select Firewall > ACL from the navigation tree, and then click Add. Create ACL 2000 as shown in Figure 11.

Figure 11 Create an ACL

- Type the ACL number 2000.
- Select the match order Config.
- Click Apply.

# Create a rule to allow Host A to access Device.

From the ACL list, select ACL 2000 and click the corresponding icon in the Operation column. Then, on the page click Add to enter the ACL rule configuration page. Create an ACL rule as shown in Figure 12.

Figure 12 Configure a rule to allow Host A to access Device

- Select Permit from the Operation drop-down box.
- Select the Source IP Address check box and type 192.168.1.2 and 0.0.0.0 respectively in the following text boxes.
- Click Apply.

# Create a rule to deny access of other hosts to Device on Saturday and Sunday.

On the page displaying the rules of ACL 2000, click Add. Create an ACL rule as shown in Figure 13.

Figure 13 Configure an ACL rule to deny access of other hosts to Device on Saturday and Sunday

- Select Deny as the operation.
- Select time as the time range.
- Select the Source IP Address check box and type 192.168.1.0 and 0.0.0.255 in the following text boxes.
- Click Apply.

# Configure an ACL rule to allow other hosts to access Device.

On the page displaying the rules of ACL 2000, click Add. Create an ACL rule as shown in Figure 14.

Figure 14 Configure an ACL rule to allow other hosts to access Device

- Select Permit.
- Click Apply.

NOTE: The three ACL rules must be configured in the order shown.

Step 3 Configure service management

# Associate HTTP service with ACL 2000.

Select Device Management > Service Management from the navigation tree. Associate HTTP service with ACL 2000 as shown in Figure 15.

Figure 15 Associate HTTP service with ACL 2000

- Click the + sign before HTTP to expand the configuration area.
- Type 2000 in the ACL text box.
- Click Apply.

Configuration Guidelines

When configuring an ACL, note that:

1. You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.
2. You can only modify the existing rules of an ACL that uses the rule order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same.
3. If you enable ACL acceleration for an ACL and then modify the ACL, the ACL acceleration feature still matches packets based on the original configuration. Therefore, it is not recommended to modify an ACL after enabling ACL acceleration for it.
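The ACL configuration example (Steps 1 to 3 above) is easiest to reason about by simulating it: three rules of ACL 2000 evaluated first-match in Config order, one of them tied to the periodic time range named time. The following Python is an added example, not part of the guide or the device's software. Its rule and time-range data structures, the ISO date input, and the (None, None) result for a packet that matches no rule are this example's own assumptions (the guide does not state what the device does with an HTTP request that matches no rule). It also shows why the NOTE insists on the rule order, and what happens while the referenced time range does not yet exist.

```python
import ipaddress
from datetime import date

ALL_ONES = 0xFFFFFFFF


def wildcard_matches(addr: str, rule_addr: str, wildcard: str) -> bool:
    """0 bits in the wildcard must match, 1 bits are 'do not care'."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(rule_addr)) & care)


# Resource > Time Range "time": periodic, with Sat. and Sun. checked (Step 1).
# date.weekday() numbers Monday as 0 and Sunday as 6.
TIME_RANGES = {"time": {5, 6}}

# ACL 2000 with match order Config: rules are evaluated in ascending rule ID (Figures 12 to 14).
ACL_2000 = [
    {"rule_id": 0, "action": "permit", "src": "192.168.1.2", "wildcard": "0.0.0.0"},
    {"rule_id": 5, "action": "deny", "src": "192.168.1.0", "wildcard": "0.0.0.255", "time_range": "time"},
    {"rule_id": 10, "action": "permit"},   # no source criterion: matches any packet
]


def rule_active(rule: dict, day: date, time_ranges: dict) -> bool:
    """A rule referencing a time range takes effect only once that range exists and is active."""
    name = rule.get("time_range")
    if name is None:
        return True
    days = time_ranges.get(name)
    return days is not None and day.weekday() in days


def evaluate(acl: list, src_ip: str, day: date, time_ranges: dict = TIME_RANGES):
    """First-match evaluation in config order. Returns (action, rule_id) of the
    matching rule, or (None, None) when no rule matches (assumed behaviour)."""
    for rule in sorted(acl, key=lambda r: r["rule_id"]):
        if not rule_active(rule, day, time_ranges):
            continue
        if "src" in rule and not wildcard_matches(src_ip, rule["src"], rule["wildcard"]):
            continue
        return rule["action"], rule["rule_id"]
    return None, None


def decide(src_ip: str, iso_day: str, acl: list = ACL_2000, time_ranges: dict = TIME_RANGES):
    """Convenience wrapper taking the day as an ISO date string, e.g. '2024-06-08' (a Saturday)."""
    return evaluate(acl, src_ip, date.fromisoformat(iso_day), time_ranges)


def misordered_acl() -> list:
    """The same three rules, but with the permit-any rule given the smallest ID.
    Every host then matches it first and the deny rule never fires."""
    swap = {0: 5, 5: 10, 10: 0}
    return [dict(rule, rule_id=swap[rule["rule_id"]]) for rule in ACL_2000]


if __name__ == "__main__":
    # Constructed sample requests: Host A and another 192.168.1.0/24 host, Saturday and Monday.
    for ip, day in [("192.168.1.2", "2024-06-08"), ("192.168.1.50", "2024-06-08"), ("192.168.1.50", "2024-06-10")]:
        print(ip, day, decide(ip, day))
```

Two points the simulation makes concrete: the deny rule only matters when it is evaluated before the permit-any rule, which is what the NOTE about rule order protects; and a rule that references a time range behaves as if it were absent until that time range has been created, so creating the time range in Step 1 before the ACL rule is the safe order.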