ACL Configuration
## Introduction

Communication between information points, and between the internal network and external networks, is an essential business requirement in enterprise networks. To keep the internal network secure, security policies must ensure that unauthorized users can only reach specific network resources.

An Access Control List (ACL) consists of a series of rules that together form a packet processing policy. These rules are typically conditional statements describing packet matching conditions, such as source MAC, destination MAC, source IP, destination IP, source port number, destination port number, and so on. Switches use these rules to filter packets: once ACL rules are configured, the switch allows specific packets to pass while blocking others, achieving access control and traffic filtering. In short, ACL is a network technology for controlling access, enhancing network security, and ensuring reliable network transmission.

## Explanation of Principles

### ACL Table

An ACL table is a collection of ACL rules that is bound to specific interfaces as a unit. The "stage" indicates the direction, which can be "ingress" or "egress", corresponding to whether the ACL table is applied in the inbound or outbound direction. For CX series products, the two directions have different available match fields: the match fields available in the ingress direction are not available in the egress direction.

The ACL table types available on the current device are listed below; each filters a different kind of traffic.

| Table type | Description |
| --- | --- |
| l3 | Regular IPv4 business packets received/sent by service interfaces |
| l3v6 | Regular IPv6 business packets received/sent by service interfaces |
| ctrlplane | Filters SSH management packets and SNMP protocol packets used for device login |
| ctrlplanev6 | Filters IPv6 SSH management packets and SNMP protocol packets used for device login |
| nexthop group | Used when configuring policy-based routing (PBR) to specify the next-hop address group |

### ACL Rule

An ACL rule belongs to a table. Within a rule you define the priority, the matching conditions, and the action taken on a match. An ACL rule can be added to only one table, but a table can contain multiple rules, so rules and tables have a "many-to-one" relationship.

### ACL Rule Priority

Priority indicates the precedence of a rule: the larger the numerical value, the higher the priority. The priority value must be less than 500. Priority decides which rule applies when several rules match a packet; the rule with the highest priority is selected. Rules in the same table cannot share a priority. When rules are named non-numerically, the priority is determined by the order of configuration: the rule configured first has the higher priority.

### ACL Rule Actions

#### Ingress direction

| Actions | Keywords | Description |
| --- | --- | --- |
| Basic action | `packet-action permit` | Allows forwarding of the packet |
| | `packet-action drop` | Discards the packet |
| | `packet-action trap` | Sends the packet to the CPU for processing without forwarding it |
| | `packet-action copy` | Sends a copy of the packet to the CPU for processing while also forwarding the original packet |
| Redirect action | `redirect` | Redirect to an interface, a next hop, or a next-hop group |
| QoS marking | `traffic-behavior` | Implement port-based traffic rate limiting based on ACL and traffic behavior |

#### Egress direction

| Actions | Keywords | Description |
| --- | --- | --- |
| Basic action | `packet-action permit` | Allows forwarding of the packet |
| | `packet-action drop` | Discards the packet |
| | `packet-action trap` | Sends the packet to the CPU for processing without forwarding it |
| | `packet-action copy` | Sends a copy of the packet to the CPU for processing while also forwarding the original packet |

### ACL Rule Matching Filter

#### l3/l3v6 matching filter

| Keywords | Description |
| --- | --- |
| `ethernet-type` | 16-bit Ethernet type value, hex <0-ffff>, e.g., 0x0800 |
| `src-mac` | Source MAC address, format NN:NN:NN:NN:NN:NN |
| `outer-vlan` | Outer VLAN ID |
| `vlan-pri` | VLAN priority |
| `ip-protocol` | IP protocol type; can be configured using either the numeric value or the protocol name |
| `icmpv6-type` | ICMPv6 message type, range 1-137 |
| `src-ip` | Source IP address (with subnet mask), e.g., "10.1.1.1/24" |
| `dst-ip` | Destination IP address (with subnet mask), e.g., "10.1.1.1/24" |
| `icmp-type` | 8-bit ICMP type value, range 0-16 |
| `src-port` | Protocol source port number |
| `dst-port` | Protocol destination port number |
| `ip-type` | `non-ip`: filters non-IP packets; `ipv4any`: filters IPv4 packets; `ipv6any`: filters IPv6 packets; `arp`: filters ARP packets |

#### ctrlplane/ctrlplanev6 matching filter

| Keywords | Description |
| --- | --- |
| `src-ip` | Source IP address |
| `dst-ip` | Destination IP address |

## Configuration Example

### l3 IPv4 ACL configuration example

#### Network requirements

A company interconnects all departments through Switch. The server Server stores the company's confidential technical data and backs it up to the Cloud. To ensure information security, ACL rules must be configured so that:

- User Group A is blocked from accessing resources on the Server and on the Cloud.
- User Group B is prohibited from accessing the Server resources directly, but can access the information through the Cloud.

#### Procedure

The VLAN configuration steps are omitted.

Configure the interface IP addresses:

```
sonic(config)# interface ethernet 49
sonic(config-if-49)# ip address 192.168.10.1/24
sonic(config)# interface ethernet 50
sonic(config-if-50)# ip address 192.168.20.1/24
sonic(config)# interface vlan 10
sonic(config-vlanif-10)# ip address 192.168.4.1/24
sonic(config)# interface vlan 20
sonic(config-vlanif-20)# ip address 192.168.5.1/24
```

Configure the ACL rules:

```
sonic(config)# access-list l3 table 1 ingress
sonic(config-l3-acl-table-1)# rule 1 src-ip 192.168.4.0/24 dst-ip 192.168.20.0/24 packet-action deny
sonic(config-l3-acl-table-1)# rule 2 src-ip 192.168.4.0/24 dst-ip 192.168.10.0/24 packet-action deny
sonic(config)# access-list l3 table 2 ingress
sonic(config-l3-acl-table-2)# rule 3 src-ip 192.168.5.0/24 dst-ip 192.168.20.0/24 packet-action deny
```

Bind the tables to the interfaces:

```
sonic(config)# interface vlan 10
sonic(config-vlanif-10)# acl table 1
sonic(config)# interface vlan 20
sonic(config-vlanif-20)# acl table 2
```

#### Verify configuration

User A can access User B and other network resources normally, but cannot access the Cloud and Server resources. User B can access User A and the Cloud resources normally, but not the Server resources.

### ctrlplane ACL configuration example

#### Network requirements

The PC logs in to the device through the Cloud, which is reachable from the outside network. For security reasons, all users must log in to the device through the jump host (springboard machine). ACL filtering rules are configured on the device so that IP addresses other than the jump host's cannot access the device.

#### Procedure

```
sonic(config)# access-list ctrlplane ssh ingress srv ssh,snmp
sonic(config-ctrlplane-acl-ssh)# rule 100 src-ip 192.168.0.0/20
sonic(config-ctrlplane-acl-ssh)# rule 90 src-ip 10.11.1.0/24
```

#### Verify configuration

The PC can log in to the device normally only through the jump host; other paths cannot log in, and the rule does not affect the device's normal business functions.
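The following is an added example, not the switch vendor's code: a small Python model of the rule-priority semantics described under "ACL Rule Priority" applied to the l3 configuration example above, so the intended policy (Group A blocked from Server and Cloud, Group B blocked from Server only) can be checked before the rules are pushed to a device. It assumes that a packet matching no rule in a bound table is forwarded (consistent with User A still reaching User B in the verification step) and uses constructed interface names `Vlan10`/`Vlan20`.

```python
"""Model of the ACL evaluation described above (added example): highest-priority
matching rule wins, priorities are unique and below 500, no match means permit
(assumed default; consistent with User A still reaching User B)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

MAX_PRIORITY = 500  # the page: priority value must be less than 500


@dataclass
class Rule:
    priority: int
    src_ip: Optional[str] = None  # prefix, e.g. "192.168.4.0/24"; None = any
    dst_ip: Optional[str] = None
    action: str = "deny"

    def matches(self, src: str, dst: str) -> bool:
        src_ok = self.src_ip is None or ip_address(src) in ip_network(self.src_ip)
        dst_ok = self.dst_ip is None or ip_address(dst) in ip_network(self.dst_ip)
        return src_ok and dst_ok


class AclTable:
    def __init__(self, name: str):
        self.name, self.rules = name, []

    def add_rule(self, rule: Rule) -> None:
        # Reject what the switch would reject: priority >= 500 or a duplicate priority.
        if rule.priority >= MAX_PRIORITY:
            raise ValueError(f"{self.name}: priority {rule.priority} not < {MAX_PRIORITY}")
        if any(r.priority == rule.priority for r in self.rules):
            raise ValueError(f"{self.name}: duplicate priority {rule.priority}")
        self.rules.append(rule)

    def evaluate(self, src: str, dst: str) -> str:
        hits = [r for r in self.rules if r.matches(src, dst)]
        return max(hits, key=lambda r: r.priority).action if hits else "permit"


# Constructed from the page's l3 example: table 1 is bound ingress on VLAN 10
# (Group A), table 2 on VLAN 20 (Group B); Cloud 192.168.10.0/24, Server 192.168.20.0/24.
TABLE1 = AclTable("table 1")
TABLE1.add_rule(Rule(1, "192.168.4.0/24", "192.168.20.0/24"))
TABLE1.add_rule(Rule(2, "192.168.4.0/24", "192.168.10.0/24"))
TABLE2 = AclTable("table 2")
TABLE2.add_rule(Rule(3, "192.168.5.0/24", "192.168.20.0/24"))
INGRESS = {"Vlan10": TABLE1, "Vlan20": TABLE2}  # constructed interface names


def decision(vlan: str, src: str, dst: str) -> str:
    """Verdict for a packet entering `vlan`; an interface with no table permits."""
    return INGRESS[vlan].evaluate(src, dst) if vlan in INGRESS else "permit"
```

Because every rule here only denies, a rule added later with a higher priority (for example a permit for one host inside a denied /24) would override the broader deny, which is the behaviour the priority section describes.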
