
HP V1910 User Manual

Depth-first match for IPv4 ACLs

IPv4 ACL category, followed by its depth-first match procedure:

Basic IPv4 ACL
1. Sort rules by source IP address wildcard mask and compare packets against the rule configured with more zeros in the source IP address wildcard mask.
2. In case of a tie, compare packets against the rule configured first.

Advanced IPv4 ACL
1. Sort rules by the protocol carried over IP. A rule with no limit to the protocol type (that is, configured with the ip keyword) has the lowest precedence. Rules each of which has a single specified protocol type are of the same precedence level.
2. If the protocol types have the same precedence, look at the source IP address wildcard mask. Then, compare packets against the rule configured with more zeros in the source IP address wildcard mask.
3. If the numbers of zeros in the source IP address wildcard masks are the same, look at their destination IP address wildcard masks. Then, compare packets against the rule configured with more zeros in the destination IP address wildcard mask.
4. If the numbers of zeros in the destination IP address wildcard masks are the same, look at the Layer 4 port number ranges, namely the TCP/UDP port number ranges. Then compare packets against the rule configured with the smaller port number range.
5. If the port number ranges are the same, compare packets against the rule configured first.

Ethernet frame header ACL
1. Sort rules by source MAC address mask first and compare packets against the rule configured with more ones in the source MAC address mask.
2. If two rules are present with the same number of ones in their source MAC address masks, look at the destination MAC address masks. Then, compare packets against the rule configured with more ones in the destination MAC address mask.
3. If the numbers of ones in the destination MAC address masks are the same, compare packets against the one configured first.

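
The advanced IPv4 ACL procedure above, written as a sort key in an added Python example (not taken from the HP manual). The Rule fields, the sample rules, and treating an unspecified port as the full 0-65535 range are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    seq: int                                # hypothetical: configuration order, lower = configured first
    action: str
    protocol: str                           # "ip" means no limit on the protocol type
    src_wildcard: str = "255.255.255.255"   # all ones = any source
    dst_wildcard: str = "255.255.255.255"   # all ones = any destination
    ports: tuple = (0, 65535)               # assumption: no port given = full range

def zero_bits(wildcard):
    """Number of zero bits in a 32-bit wildcard mask (more zeros = more specific)."""
    return 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")

def depth_first_key(rule):
    """Tuple compared left to right, mirroring the five steps of the procedure."""
    return (
        1 if rule.protocol == "ip" else 0,  # 1. the ip keyword has the lowest precedence
        -zero_bits(rule.src_wildcard),      # 2. more zeros in the source wildcard first
        -zero_bits(rule.dst_wildcard),      # 3. more zeros in the destination wildcard first
        rule.ports[1] - rule.ports[0],      # 4. smaller port number range first
        rule.seq,                           # 5. rule configured first
    )

def match_order(rules):
    """Return rule sequence numbers in the order packets are compared against them."""
    return [r.seq for r in sorted(rules, key=depth_first_key)]

# Constructed sample rules, listed in configuration order.
RULES = [
    Rule(0, "permit", "ip"),
    Rule(5, "deny", "tcp", "0.0.255.255", "0.0.0.255"),
    Rule(10, "permit", "tcp", "0.0.0.255", "0.0.0.255", (1, 1023)),
    Rule(15, "deny", "tcp", "0.0.0.255", "0.0.0.0"),
    Rule(20, "permit", "tcp", "0.0.0.255", "0.0.0.255", (80, 80)),
    Rule(25, "deny", "udp", "0.0.0.255", "0.0.0.255", (80, 80)),
]

if __name__ == "__main__":
    print("configuration order:", [r.seq for r in RULES])
    print("depth-first order:  ", match_order(RULES))
```

In this sample the broad permit configured first is compared last under depth-first matching, so the narrower deny rules take effect even though they were configured later.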
Fragments filtering with IPv4 ACLs
Traditional packet filtering performs the match operation on first fragments only. All subsequent non-first fragments are handled the same way as the first fragments. This results in security risks, because attackers may exploit this vulnerability to fabricate non-first fragments to attack your network.
When configuring a rule of an IPv4 ACL, you can specify that the rule applies to non-first fragment packets only, and does not apply to non-fragment packets or first fragment packets. ACL rules that do not contain this keyword apply to both non-fragment packets and fragment packets.
Effective period of an ACL
You can control when a rule can take effect by referencing a time range in the rule.
A referenced time range can be one that has not been created yet. The rule, however, can take effect only
after the time range is defined and becomes active.
