ACL Configuration Guide
Introduction

Communication between information points, and between the internal and external networks, is an essential business requirement in enterprise networks. To keep the internal network secure, security policies are needed to ensure that unauthorized users can only access specific network resources.

An access control list (ACL) consists of a series of rules that together form a packet processing policy. These rules are typically conditional statements describing packet matching conditions, such as source MAC, destination MAC, source IP, destination IP, source port number, destination port number, etc. Devices use these rules to filter packets: after ACL rules are configured, the device allows specific packets to pass while blocking others, achieving access control and traffic filtering. In short, ACL is a network technology for controlling access, enhancing network security, and ensuring reliable network transmission.

ACL Table

An ACL table is a collection of ACL rules that is bound to specific interfaces as a unit. The "stage" indicates the direction, which can be "ingress" or "egress", corresponding to whether the ACL table is applied in the inbound or outbound direction. Different directions have different available match fields; the match fields of the ingress direction are not available in the egress direction.

The ACL table types available on the current device are listed below, each representing filtering for a different service:

- l3: regular IPv4 business packets received/sent by service interfaces
- l3v6: regular IPv6 business packets received/sent by service interfaces

ACL Table Priority

ACL tables have different priorities at the interface binding level. When binding an ACL table to an interface, the required field "priority" will be prompted. For a given interface, the priorities set when binding different tables must be different, with a configuration range of 1 to 65535; the higher the priority value, the higher the priority. For different interfaces, the priority used to bind the same table can be set differently.

ACL Rule

An ACL rule belongs to a table. Within a rule, you define the priority, the matching conditions, and the action taken upon a match. An ACL rule can only be added to one table, but a table can contain multiple rules, creating a "many-to-one" relationship between rules and tables.

ACL Rule Priority

Priority indicates the priority of a rule. The larger the numerical value, the higher the priority; the priority value must be less than 500. Priority is used when multiple rules can match a packet: the rule with the highest priority is selected. The same table cannot have rules with the same priority. When rules are named non-numerically, the priority is determined by the order of configuration: the rule configured later has the higher priority.

ACL Rule Actions

Ingress direction: [table of ingress actions not recoverable from the source]

Egress direction: [table of egress actions not recoverable from the source]

ACL Rule Matching Filter

L3/L3v6 matching filter: [table of match fields not recoverable from the source]

Configuration Example

L3 IPv4 ACL Configuration Example

Network requirements

A company interconnects all departments through the device. The server stores the company's confidential technical data and backs it up to the cloud. To ensure information security, ACL rules must be configured to achieve the following:

- Block user group A from accessing resources on the server and on the cloud.
- User group B is prohibited from accessing the server resources directly, but can access the information by accessing the cloud.

Procedure

1. The VLAN configuration process is omitted.

2. Configure the interface IP addresses.

   sonic(config)# interface ethernet 4
   sonic(config-if-4)# ip address 192.168.10.1/24
   sonic(config)# interface ethernet 5
   sonic(config-if-5)# ip address 192.168.20.1/24
   sonic(config)# interface vlan 10
   sonic(config-vlanif-10)# ip address 192.168.4.1/24
   sonic(config)# interface vlan 20
   sonic(config-vlanif-20)# ip address 192.168.5.1/24

3. Configure the ACL rules.

   sonic(config)# access-list l3 table 1 ingress
   sonic(config-l3-acl-table-1)# rule 1 src-ip 192.168.4.0/24 dst-ip 192.168.20.0/24 packet-action deny
   sonic(config-l3-acl-table-1)# rule 2 src-ip 192.168.4.0/24 dst-ip 192.168.10.0/24 packet-action deny
   sonic(config)# access-list l3 table 2 ingress
   sonic(config-l3-acl-table-2)# rule 3 src-ip 192.168.5.0/24 dst-ip 192.168.20.0/24 packet-action deny

4. Bind the tables to the interfaces.

   sonic(config)# interface vlan 10
   sonic(config-vlanif-10)# acl table 1 priority 10
   sonic(config)# interface vlan 20
   sonic(config-vlanif-20)# acl table 2 priority 10

Verify the configuration

User A can access user B and other network resources normally, but cannot access the cloud and server resources. User B can access user A and the cloud resources normally, but not the server resources.
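The following is an added example, not code from the guide or the device, that models the table/rule/binding structure described above and replays the configuration example against it: rules with unique priorities below 500 live in a table, the highest-priority matching rule wins, and the table bound in the ingress direction of the receiving interface is the one consulted. It assumes a default action of "forward" when no rule matches (the guide's verification text implies this, but does not state it) and uses "forward" as the name of the permit action.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int   # larger value wins; the guide requires a value below 500
    src: str        # source prefix, e.g. "192.168.4.0/24"
    dst: str        # destination prefix
    action: str     # "deny" or "forward" ("forward" is an assumed name)

class AclTable:
    """One ACL table: a set of rules whose priorities must be unique."""
    def __init__(self, name):
        self.name = name
        self.rules = []

    def add_rule(self, rule):
        if not 0 < rule.priority < 500:
            raise ValueError(f"{self.name}: rule priority must be less than 500")
        if any(r.priority == rule.priority for r in self.rules):
            raise ValueError(f"{self.name}: duplicate rule priority {rule.priority}")
        self.rules.append(rule)

    def lookup(self, src_ip, dst_ip):
        """Action of the highest-priority matching rule; 'forward' if none matches (assumed default)."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        matches = [r for r in self.rules
                   if src in ipaddress.ip_network(r.src) and dst in ipaddress.ip_network(r.dst)]
        if not matches:
            return "forward"
        return max(matches, key=lambda r: r.priority).action

# Tables and rules from the configuration example (server 192.168.20.0/24, cloud 192.168.10.0/24)
table1 = AclTable("table 1")
table1.add_rule(Rule(1, "192.168.4.0/24", "192.168.20.0/24", "deny"))  # group A -> server
table1.add_rule(Rule(2, "192.168.4.0/24", "192.168.10.0/24", "deny"))  # group A -> cloud
table2 = AclTable("table 2")
table2.add_rule(Rule(3, "192.168.5.0/24", "192.168.20.0/24", "deny"))  # group B -> server

# Ingress bindings from step 4: receiving interface -> ACL table
BINDINGS = {"Vlan10": table1, "Vlan20": table2}

def filter_packet(ingress_if, src_ip, dst_ip):
    """Apply the table bound in the ingress direction of the interface the packet arrived on."""
    table = BINDINGS.get(ingress_if)
    return table.lookup(src_ip, dst_ip) if table else "forward"

if __name__ == "__main__":
    # constructed sample flows matching the "verify the configuration" step
    print(filter_packet("Vlan10", "192.168.4.10", "192.168.20.5"))  # group A -> server
    print(filter_packet("Vlan20", "192.168.5.7", "192.168.10.5"))   # group B -> cloud
```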
