An Access Control List (ACL) is a mechanism that implements access control for a system resource by listing, according to specific parameters, the entities that are permitted to access the resource, together with the mode of access that is granted. In general, an ACL can be understood as a means of filtering: it can be applied to control the flow of traffic, and also to identify traffic on which special operations should be performed.
A common application involves a gateway that can forward to multiple networks but contains an ACL that manages which traffic can flow to which destination. In the example given, the network 192.168.1.0/24 is capable of accessing the external network, in this case the Internet, whereas hosts in the 192.168.2.0/24 network are unable to forward traffic in the same manner, resulting in a transmission failure. In the case of Server A, the reverse applies: the gateway grants access to network 192.168.2.0/24 but restricts all hosts that are part of the 192.168.1.0/24 network.
Where an ACL is used to identify interesting traffic, no general restriction is made; instead, additional operations are performed on the matched data. The example demonstrates a scenario where inbound data is filtered based on certain criteria, in this case the source IP address, and where an access control list is found to apply to the data, the associated actions are taken. Common actions include changing parameters of routed IP traffic, such as route metrics in protocols like RIP and OSPF, and initiating encrypted network communications for the interesting traffic, as is often done as part of technologies such as Virtual Private Networks (VPN).
Three general ACL types are defined as part of the ARG3 series: basic, advanced and Layer 2 access control lists. A basic ACL matches packets based on information such as source IP addresses, fragment flags, and time ranges, and is identified by an ACL number in the range 2000-2999. An advanced ACL provides finer-grained matching, based on information such as source and destination IP addresses, source and destination port numbers, and protocol types.
Advanced ACLs are identified by an ACL number in the range 3000-3999. Lastly, a Layer 2 ACL matches packets based on Layer 2 header information, such as source MAC addresses, destination MAC addresses, and Layer 2 protocol types. Traffic is filtered based on rules containing the parameters defined by each type of ACL.
Access Control Lists work on the principle of ordered rules. Each rule contains a permit or deny clause. Rules may overlap or conflict: one rule can contain another rule, but the two rules must not be identical. The AR2200 supports two types of matching order: configuration order and automatic order. In configuration order, ACL rules are matched in ascending order of rule ID, while automatic order follows the depth-first principle, so that more specific rules are matched first. Configuration order is used by default and determines the priorities of the rules in an ACL by their rule IDs; these priorities resolve any conflict between overlapping rules. For each rule ID in turn, the ACL determines whether the rule applies to the packet. If the rule does not apply, the next rule is considered. Once a matching rule is found, its action is carried out and ACL processing stops. If no rule matches the packet, the ACL takes no action on the packet.
In the example, packets originating from two networks are subjected to an ACL within RTA. Packets from networks 172.16.0.0 and 172.17.0.0 are assessed in rule ID (configuration) order by default. Where a rule finds a match for the network based on its wildcard mask, that rule is applied. For network 172.16.0.0, rule 15 matches any packet with an address of the form 172.16.0.X, where X may be any value in the last octet. No specific rule matching the network 172.17.0.0 is found in the access control list, so those packets would otherwise not be subjected to the ACL process; however, in the interests of good ACL design practice, a catch-all rule has been defined as rule 20 to ensure that all networks for which no specific rule is defined are permitted to be forwarded.
The creation of a basic access control list requires that the administrator first identify the traffic source to which the ACL is to apply. In the example given, this refers to sources with an IP address in the 192.168.1.0/24 range: all packets carrying a source IP address in this range will be discarded by the gateway. For hosts that make up the 192.168.2.0/24 network range, traffic is permitted and no further action is taken on these packets. The basic ACL is applied to the interface Gigabit Ethernet 0/0/0 in the outbound direction, so only packets that meet both the interface and direction criteria are subjected to ACL processing.
The configured basic ACL can be validated with the display acl <acl-number> command, where acl-number refers to the basic ACL number assigned to the configured ACL. The resulting output confirms the rules that have been created to deny (drop) any IP packets with a source IP address in the range 192.168.1.0/24 and to permit addresses in the range 192.168.2.0/24.
It should also be noted that each rule is automatically assigned a rule number as part of access control list creation. The rule number defines the order in which the rules are processed, and rule numbers are set in increments of 5 by default on Huawei ARG3 series routers. The increment between rule numbers is the ACL step. For example, if the ACL step is set to 5, rules are numbered 5, 10, 15, and so on. If the ACL step is set to 2 and rule numbers are generated automatically, the system generates rule IDs starting from 2. The step makes it possible to add a new rule between existing rules. Where required, the rule number can also be configured explicitly as part of the basic ACL.
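The following is an added worked example, not code from the original text or from Huawei: a small Python model of the basic ACL described above (deny 192.168.1.0/24, permit 192.168.2.0/24), showing wildcard-mask matching, first-match evaluation in ascending rule-ID (configuration) order, automatic rule numbering in ACL steps, and how the step leaves room to insert a rule between two existing ones. The class and function names, and the sample addresses 192.168.2.200, 192.168.1.77 and 10.0.0.1, are constructed for this illustration; the model deliberately returns None when no rule matches, rather than assuming any default action.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Simplified model of a Huawei-style basic ACL (numbered 2000-2999). This is an
# illustration written for this page, not VRP code: rules are tried in ascending
# rule-ID order (configuration order), the first matching rule decides, and
# automatically assigned IDs advance in multiples of the ACL step.


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask match: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0


@dataclass
class Rule:
    rule_id: int
    action: str      # "permit" or "deny"
    source: str      # base address, e.g. "192.168.1.0"
    wildcard: str    # wildcard mask, e.g. "0.0.0.255"


class BasicAcl:
    def __init__(self, number: int, step: int = 5):
        if not 2000 <= number <= 2999:
            raise ValueError("basic ACL numbers are 2000-2999")
        self.number = number
        self.step = step
        self.rules: List[Rule] = []

    def add_rule(self, action: str, source: str, wildcard: str,
                 rule_id: Optional[int] = None) -> int:
        """Add a rule; without an explicit ID, allocate the next multiple of the step."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if rule_id is None:
            highest = max((r.rule_id for r in self.rules), default=0)
            rule_id = (highest // self.step + 1) * self.step
        if any(r.rule_id == rule_id for r in self.rules):
            raise ValueError(f"rule {rule_id} already exists")
        self.rules.append(Rule(rule_id, action, source, wildcard))
        self.rules.sort(key=lambda r: r.rule_id)  # keep configuration order
        return rule_id

    def evaluate(self, src_ip: str) -> Optional[str]:
        """Action of the first matching rule, or None when no rule matches."""
        for rule in self.rules:
            if wildcard_match(src_ip, rule.source, rule.wildcard):
                return rule.action
        return None


def build_example_acl() -> BasicAcl:
    """ACL 2000 as in the text: deny 192.168.1.0/24, permit 192.168.2.0/24."""
    acl = BasicAcl(2000)
    acl.add_rule("deny", "192.168.1.0", "0.0.0.255")    # becomes rule 5
    acl.add_rule("permit", "192.168.2.0", "0.0.0.255")  # becomes rule 10
    return acl


if __name__ == "__main__":
    acl = build_example_acl()
    for ip in ("192.168.1.77", "192.168.2.9", "10.0.0.1"):   # constructed sample sources
        print(ip, "->", acl.evaluate(ip))
    # The step leaves room to insert a host-specific rule between 5 and 10;
    # it is then evaluated before the broader permit in rule 10.
    acl.add_rule("deny", "192.168.2.200", "0.0.0.0", rule_id=7)
    print("after inserting rule 7:", [r.rule_id for r in acl.rules],
          acl.evaluate("192.168.2.200"))
```

Running the script shows the denied host 192.168.2.200 being caught by rule 7 while the rest of 192.168.2.0/24 is still permitted by rule 10; a BasicAcl created with step=2 numbers its first automatic rule 2, matching the behaviour described above.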
Advanced access control lists enable filtering based on multiple parameters to support a more detailed route selection process. While a basic ACL filters on the source IP address only, advanced ACLs are capable of filtering based on source and destination IP addresses, source and destination port numbers, network- and transport-layer protocols, and parameters found within each layer, such as IP traffic classifiers and TCP flag values (SYN, ACK, FIN, etc.). An advanced ACL is identified by an ACL number in the range 3000-3999, as displayed in the example, in which rules are defined to restrict TCP packets that originate from any source address in the range 192.168.1.1 through 192.168.1.255 where the destination IP address is 172.16.10.1 and the destination port is 21. A similar rule follows to restrict all IP packets originating from sources in the 192.168.2.0/24 range from reaching the single destination 172.16.10.2. A catch-all rule is generally applied to ensure that all other traffic is processed by the ACL, usually through a permit or deny statement for all IP packets.
The configured advanced ACL can be validated with the display acl <acl-number> command, where acl-number refers to the advanced ACL number assigned to the configured ACL. The resulting output confirms that three rules have been created: to deny any TCP packets with a source IP address in the range 192.168.1.0/24 destined for port 21 (FTP) on 172.16.10.1, to deny packets from any source IP address in the range 192.168.2.0/24 from reaching the destination IP address 172.16.10.2, and to permit all other IP traffic.
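As an added example (written for this page; not Huawei's code or output), the three-rule advanced ACL described above can be modelled in Python so that the effect of each matching field can be checked against sample packets. The rule set mirrors the text (rule 5: deny TCP from 192.168.1.0/24 to 172.16.10.1 port 21; rule 10: deny IP from 192.168.2.0/24 to 172.16.10.2; rule 15: permit IP), with "ip" as the protocol treated as matching any IP protocol and an unset destination port matching any port. The Packet and AdvRule names and the sample packets are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Simplified model of a Huawei-style advanced ACL (numbered 3000-3999), written
# for this page as an illustration. Matching is first-match in ascending rule-ID
# order; a rule matches only when every one of its specified fields matches.


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask match: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0


@dataclass
class Packet:
    proto: str                 # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class AdvRule:
    rule_id: int
    action: str                # "permit" or "deny"
    proto: str = "ip"          # "ip" matches any IP protocol
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"   # any source by default
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"   # any destination by default
    dport: Optional[int] = None       # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not wildcard_match(pkt.src, self.src, self.src_wc):
            return False
        if not wildcard_match(pkt.dst, self.dst, self.dst_wc):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


class AdvancedAcl:
    def __init__(self, number: int):
        if not 3000 <= number <= 3999:
            raise ValueError("advanced ACL numbers are 3000-3999")
        self.number = number
        self.rules: List[AdvRule] = []

    def evaluate(self, pkt: Packet) -> Optional[str]:
        """Action of the first matching rule, or None when nothing matches."""
        for rule in sorted(self.rules, key=lambda r: r.rule_id):
            if rule.matches(pkt):
                return rule.action
        return None


def build_example_acl() -> AdvancedAcl:
    """ACL 3000 with the three rules described in the text."""
    acl = AdvancedAcl(3000)
    acl.rules = [
        AdvRule(5, "deny", proto="tcp", src="192.168.1.0", src_wc="0.0.0.255",
                dst="172.16.10.1", dst_wc="0.0.0.0", dport=21),
        AdvRule(10, "deny", proto="ip", src="192.168.2.0", src_wc="0.0.0.255",
                dst="172.16.10.2", dst_wc="0.0.0.0"),
        AdvRule(15, "permit"),   # catch-all: permit ip
    ]
    return acl


if __name__ == "__main__":
    acl = build_example_acl()
    samples = [   # constructed sample packets
        Packet("tcp", "192.168.1.10", "172.16.10.1", 21),   # FTP control: rule 5 -> deny
        Packet("tcp", "192.168.1.10", "172.16.10.1", 22),   # other port: rule 15 -> permit
        Packet("udp", "192.168.1.10", "172.16.10.1", 21),   # not TCP: rule 15 -> permit
        Packet("icmp", "192.168.2.5", "172.16.10.2"),       # any IP protocol: rule 10 -> deny
        Packet("tcp", "192.168.2.5", "172.16.10.1", 21),    # other destination: rule 15 -> permit
    ]
    for pkt in samples:
        print(pkt, "->", acl.evaluate(pkt))
```

The UDP and port-22 cases show why the first rule must state the protocol and port exactly as intended: only TCP to port 21 on 172.16.10.1 is blocked, and anything else from 192.168.1.0/24 falls through to the catch-all permit.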
ACLs can also be applied to the Network Address Translation (NAT) operation to filter hosts by IP address and so determine which internal networks are translated via which external address pool, should multiple pools exist. This may occur where an enterprise network is a customer of multiple service providers, and internal users that belong to different networks or sub-networks are to be translated and forwarded using a specific address group, potentially over different router uplink interfaces towards the different service provider networks.
The example given recreates a simplified form of this, where hosts within the internal network are filtered by basic ACL rules and a dynamic NAT solution translates them to a public address from a given address group. In particular, hosts originating from the 192.168.1.0/24 network are translated using public addresses in the pool associated with address group 1, while hosts in the 192.168.2.0/24 network are translated using the pool associated with address group 2. The nat outbound <acl-number> address-group <address-group number> command is entered in the Gigabit Ethernet interface view to bind NAT in the outbound direction with the ACL; the related IP address range is referenced by the specified address group.
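The following added example (not the original text's configuration, and not Huawei code) models the pool selection just described: two basic ACLs, 2000 and 2001, each permitting one internal network, are bound to address groups 1 and 2, and the outbound packet's source is checked against each binding in order. The public address ranges 200.1.1.1-200.1.1.10 and 200.1.2.1-200.1.2.10 are constructed placeholders, the deterministic pick of an address within the pool is an illustrative policy rather than the router's allocation algorithm, and the decision that a source matched by no binding is left untranslated is an assumption of this model.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Illustrative model of "nat outbound <acl> address-group <group>" written for
# this page. Each binding is tried in order; the first basic ACL that permits
# the packet's source selects the address group used for translation.


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask match: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0


# Constructed address groups (first and last public address of each pool).
ADDRESS_GROUPS: Dict[int, Tuple[str, str]] = {
    1: ("200.1.1.1", "200.1.1.10"),
    2: ("200.1.2.1", "200.1.2.10"),
}

# Basic ACLs as ordered (action, base, wildcard) rules, as in the text.
ACLS: Dict[int, List[Tuple[str, str, str]]] = {
    2000: [("permit", "192.168.1.0", "0.0.0.255")],
    2001: [("permit", "192.168.2.0", "0.0.0.255")],
}

# Outbound NAT bindings on the interface: (acl-number, address-group), in order.
NAT_OUTBOUND: List[Tuple[int, int]] = [(2000, 1), (2001, 2)]


def acl_permits(acl_number: int, src: str) -> bool:
    """First-match evaluation of a basic ACL against a source address."""
    for action, base, wildcard in ACLS[acl_number]:
        if wildcard_match(src, base, wildcard):
            return action == "permit"
    return False   # modelling assumption: no matching rule means no translation


def select_address_group(src: str) -> Optional[int]:
    """Address group chosen by the first binding whose ACL permits the source."""
    for acl_number, group in NAT_OUTBOUND:
        if acl_permits(acl_number, src):
            return group
    return None


def translate(src: str) -> Optional[str]:
    """Public address for the source, or None when no binding applies."""
    group = select_address_group(src)
    if group is None:
        return None
    first, last = ADDRESS_GROUPS[group]
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    # Illustrative deterministic choice within the pool (not the router's algorithm).
    offset = int(ipaddress.IPv4Address(src)) % (hi - lo + 1)
    return str(ipaddress.IPv4Address(lo + offset))


if __name__ == "__main__":
    for src in ("192.168.1.20", "192.168.2.20", "10.0.0.5"):   # constructed sources
        print(src, "-> group", select_address_group(src), "->", translate(src))
```

The 10.0.0.5 case is the one worth checking in a real deployment: a source matched by neither ACL is left out of both pools in this model, so the bindings should be reviewed together with the rest of the interface's policy to confirm that every internal network that needs translation is covered.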
Once a rule in the access control list matches the tested condition, the rule action is carried out and the remaining ACL processing does not continue.