ACL Configuration Guide
Communication between information points, and between the internal and external networks, is an essential business requirement in enterprise networks. To keep the internal network secure, security policies are needed that restrict users to the network resources they are authorized to access. An Access Control List (ACL) consists of a series of rules that together form a packet processing policy. Each rule is a conditional statement describing the packet matching conditions, such as source MAC, destination MAC, source IP, destination IP, source port number and destination port number. Devices use these rules to filter packets: once ACL rules are configured, the device allows specific packets to pass while blocking others, achieving access control and traffic filtering. In short, an ACL is a network-level means of controlling access, enhancing network security and ensuring reliable network transmission.
ACL Table
The ACL table is a collection of ACL rules that is bound to specific interfaces in the form of a table. The “stage” indicates the direction, which can be “ingress” or “egress,” corresponding to whether the ACL table is applied in the inbound or outbound direction.
Different directions have different available match fields; the match fields available in the ingress direction are not available in the egress direction. The ACL table types available on the current device are as follows, each filtering a different kind of traffic:
- L3: Regular IPv4 business packets received/sent by service interfaces
- L3V6: Regular IPv6 business packets received/sent by service interfaces
ACL Table Priority
ACL tables have different priorities at the interface binding level. When binding an ACL table to an interface, the required priority field is prompted for. On a given interface, the priorities set for the different bound tables must be distinct, with a configuration range of 1 to 65535; the higher the value, the higher the priority. On different interfaces, the same table may be bound with different priorities.
ACL Rule
An ACL rule belongs to a table. Within a rule, you define the priority, the matching conditions, and the actions taken on a match. An ACL rule can be added to only one table, but a table can contain multiple rules, creating a “many-to-one” relationship between rules and tables.
ACL Rule Priority
The priority of a rule determines which rule takes effect when more than one rule matches a packet: the larger the numerical value, the higher the priority, and the rule with the highest priority is selected. The priority value must be less than 500, and rules in the same table cannot share a priority. When rules are named non-numerically, the priority is determined by configuration order: the rule configured later has the higher priority.
ACL Rule Actions
Ingress Direction
| Actions | Keywords | Description |
|---|---|---|
| Basic action | packet_action | permit: Allows forwarding of the packet. drop: Discards the packet. trap: Sends the packet to the CPU for processing without forwarding it. no-nat: Does not apply the NAT function to the packet. |
Egress Direction
| Actions | Keywords | Description |
|---|---|---|
| Basic action | packet_action | permit: Allows forwarding of the packet. drop: Discards the packet. trap: Sends the packet to the CPU for processing without forwarding it. no-nat: Does not apply the NAT function to the packet. |
ACL Rule Matching Filter
L3/L3v6 Matching Filter
| Keywords | Description |
|---|---|
| src-mac | Source MAC address, format nn:nn:nn:nn:nn:nn |
| ip-protocol | IP protocol type, can be configured using either the numeric value or protocol name |
| src-ip | Source IP address (with subnet mask), e.g., “10.1.1.1/24” |
| dst-ip | Destination IP address (with subnet mask), e.g., “10.1.1.1/24” |
| src-port | Protocol source port number |
| dst-port | Protocol destination port number |
Configuration Example
L3 IPv4 ACL configuration example
Network requirements
A company interconnects all of its departments through the device Device. The server Server stores the company’s confidential technical data and backs it up to the cloud.
To ensure information security, ACL rules must be configured so that:
- User group A is blocked from accessing resources on both the server and the cloud.
- User group B is prohibited from accessing the server resources directly, but can access the information through the cloud.

Procedure
1. Omit the VLAN configuration process.
2. Configure the interface IP addresses:

```
sonic(config)# interface ethernet 4
sonic(config-if-4)# ip address 192.168.10.1/24
sonic(config)# interface ethernet 5
sonic(config-if-5)# ip address 192.168.20.1/24
sonic(config)# interface vlan 10
sonic(config-vlanif-10)# ip address 192.168.4.1/24
sonic(config)# interface vlan 20
sonic(config-vlanif-20)# ip address 192.168.5.1/24
```

3. Configure the ACL rules:

```
sonic(config)# access-list l3 TABLE_1 ingress
sonic(config-l3-acl-table_1)# rule 1 src-ip 192.168.4.0/24 dst-ip 192.168.20.0/24 packet-action deny
sonic(config-l3-acl-table_1)# rule 2 src-ip 192.168.4.0/24 dst-ip 192.168.10.0/24 packet-action deny
sonic(config)# access-list l3 TABLE_2 ingress
sonic(config-l3-acl-table_2)# rule 3 src-ip 192.168.5.0/24 dst-ip 192.168.20.0/24 packet-action deny
```

4. Bind the tables to the interfaces:

```
sonic(config)# interface vlan 10
sonic(config-vlanif-10)# acl TABLE_1 priority 10
sonic(config)# interface vlan 20
sonic(config-vlanif-20)# acl TABLE_2 priority 10
```

Verify configuration
User group A can reach user group B and other network resources normally, but cannot reach the cloud or the server.
User group B can reach user group A and the cloud normally, but cannot reach the server.
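To make the rule-priority semantics and the configuration example above concrete, here is an added Python model of the two tables (it is not the device's code). It assumes that an unset match field is a wildcard and that a packet matching no rule is forwarded, and it adds one constructed host-exception rule, not on the page, to show that the higher priority value wins when two rules match.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    priority: int      # 1..499, unique within a table; the larger value wins
    action: str        # permit | drop | trap | no-nat (the CLI above spells drop as "deny")
    src_ip: str = ""   # CIDR such as "192.168.4.0/24"; "" means any
    dst_ip: str = ""

    def matches(self, src: str, dst: str) -> bool:
        # Every configured field must match; unset fields act as wildcards.
        for cidr, addr in ((self.src_ip, src), (self.dst_ip, dst)):
            if cidr and ipaddress.ip_address(addr) not in ipaddress.ip_network(cidr, strict=False):
                return False
        return True

@dataclass
class Table:
    name: str
    rules: list = field(default_factory=list)

    def add_rule(self, rule: Rule) -> None:
        if not 0 < rule.priority < 500:
            raise ValueError("rule priority must be in 1..499")
        if any(r.priority == rule.priority for r in self.rules):
            raise ValueError(f"duplicate priority {rule.priority} in {self.name}")
        self.rules.append(rule)

    def decide(self, src: str, dst: str) -> str:
        # Highest-priority matching rule wins. Assumption: a packet that matches
        # no rule is forwarded (implicit permit), as the verification text implies.
        hits = [r for r in self.rules if r.matches(src, dst)]
        return max(hits, key=lambda r: r.priority).action if hits else "permit"

def build_example() -> dict:
    # TABLE_1 is bound ingress on VLAN 10 (user group A, 192.168.4.0/24) and
    # TABLE_2 ingress on VLAN 20 (user group B, 192.168.5.0/24), as on the page.
    t1 = Table("TABLE_1")
    t1.add_rule(Rule(1, "drop", "192.168.4.0/24", "192.168.20.0/24"))   # server
    t1.add_rule(Rule(2, "drop", "192.168.4.0/24", "192.168.10.0/24"))   # cloud
    # Constructed extra rule (not on the page): one group-A host may reach the
    # cloud; its priority 100 beats rule 2 for packets that match both.
    t1.add_rule(Rule(100, "permit", "192.168.4.10/32", "192.168.10.0/24"))
    t2 = Table("TABLE_2")
    t2.add_rule(Rule(3, "drop", "192.168.5.0/24", "192.168.20.0/24"))   # server
    return {"Vlan10": t1, "Vlan20": t2}

def ingress_decision(tables: dict, vlan: str, src: str, dst: str) -> str:
    return tables[vlan].decide(src, dst)
```

Adding a second rule with an already used priority to a table raises ValueError, mirroring the rule that priorities within one table must be distinct.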