Configuration Guide Configuring ACL
11.3 Features
Basic Concepts
ACL
ACLs include basic ACLs and dynamic ACLs.
You can select basic or dynamic ACLs as required. Generally, basic ACLs meet the security requirements. However,
experienced hackers may use certain software to access the network by means of IP address spoofing. If dynamic ACLs are
used, users must pass identity authentication before accessing the network, which prevents hackers from
intruding into the network. Therefore, you can use dynamic ACLs in sensitive areas to guarantee network security.
IP address spoofing is an inherent problem of all ACLs, including dynamic ACLs. Hackers may use forged IP addresses
to access the network during the validity period of an authenticated user identity. Two methods are available to resolve
this problem. One is to set the idle timeout of user access to a smaller value, which makes intrusion more difficult because
the window in which a spoofed address is accepted is shorter. The other is to encrypt network data using the IPSec protocol,
which ensures that all data is encrypted when arriving at a device.
ACLs are generally configured on the following network devices:
Devices between the internal network and the external network (such as the Internet)
Devices on the border of two network segments
Devices connected to controlled ports
ACL statements are evaluated in strict compliance with their sequence in the ACL. Comparison starts from the first
statement. Once the header of a data packet matches a statement in the ACL, the action of that statement is applied and the
subsequent statements are ignored and no longer checked. Statement order therefore determines the result: a specific deny
placed after a broader permit is never reached.
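The following Python model illustrates the first-match evaluation described above, and also the input/output ACL binding covered in the next section. It is an added example, not vendor code or CLI syntax from this guide: the ACE fields (a sequence number, an action, and source/destination IPv4 prefixes), the sample addresses, and the implicit deny at the end of an ACL with no matching entry are all assumptions made for illustration. The shadowed() helper goes beyond the text by flagging entries that can never be reached because an earlier entry fully covers them.

```python
"""First-match ACL evaluation model (added example, not vendor code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def packet(src: str, dst: str) -> Packet:
    return Packet(ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst))


@dataclass(frozen=True)
class ACE:
    seq: int            # position in the ACL; lower numbers are checked first
    action: str         # "permit" or "deny"
    src: IPv4Net        # source prefix; 0.0.0.0/0 means "any"
    dst: IPv4Net        # destination prefix; 0.0.0.0/0 means "any"

    def matches(self, pkt: Packet) -> bool:
        return pkt.src in self.src and pkt.dst in self.dst


def ace(seq: int, action: str, src: str, dst: str = "0.0.0.0/0") -> ACE:
    return ACE(seq, action, IPv4Net(src), IPv4Net(dst))


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the ACL in sequence; the first ACE whose fields match decides.

    Later ACEs are never consulted. If nothing matches, the packet is denied
    (implicit deny at the end of the list; an assumption of this model).
    """
    for entry in sorted(acl, key=lambda e: e.seq):
        if entry.matches(pkt):
            return entry.action, entry.seq
    return "deny", None


def forward(pkt: Packet, input_acl: List[ACE], output_acl: List[ACE]):
    """Apply the input ACL of the receiving interface, then the output ACL of
    the sending interface. Returns (verdict, stage, matching seq)."""
    action, seq = evaluate(input_acl, pkt)
    if action == "deny":
        return "dropped", "input", seq
    action, seq = evaluate(output_acl, pkt)
    if action == "deny":
        return "dropped", "output", seq
    return "forwarded", None, seq


def shadowed(acl: List[ACE]) -> List[int]:
    """Sequence numbers of ACEs that can never match because an earlier ACE
    covers every packet they would match (a common ordering mistake)."""
    ordered = sorted(acl, key=lambda e: e.seq)
    dead = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if earlier.src.supernet_of(later.src) and earlier.dst.supernet_of(later.dst):
                dead.append(later.seq)
                break
    return dead


# Constructed sample ACLs: block one host, permit the rest of its subnet.
ACL_CORRECT = [ace(10, "deny", "10.1.1.5/32"), ace(20, "permit", "10.1.1.0/24")]
# Same two entries in the wrong order: the deny is unreachable.
ACL_MISORDERED = [ace(10, "permit", "10.1.1.0/24"), ace(20, "deny", "10.1.1.5/32")]
# Output ACL on an uplink: nothing may reach the 192.0.2.0/24 range.
ACL_UPLINK_OUT = [ace(10, "deny", "0.0.0.0/0", "192.0.2.0/24"),
                  ace(20, "permit", "0.0.0.0/0")]

if __name__ == "__main__":
    blocked_host = packet("10.1.1.5", "198.51.100.9")
    print(evaluate(ACL_CORRECT, blocked_host))      # ('deny', 10)
    print(evaluate(ACL_MISORDERED, blocked_host))   # ('permit', 10): seq 20 never reached
    print(shadowed(ACL_MISORDERED))                 # [20]
    print(forward(packet("10.1.1.7", "192.0.2.10"), ACL_CORRECT, ACL_UPLINK_OUT))
```

Running the module shows the same packet being denied by ACL_CORRECT and permitted by ACL_MISORDERED, which is exactly the ordering hazard the paragraph above describes; shadowed() reports the unreachable entry so it can be caught before the ACL is applied to an interface.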
Input/Output ACLs, Filtering Field Template, and Rules
When receiving a packet on an interface, the device checks whether the packet matches any access control entry (ACE) in
the input ACL of this interface. Before sending a packet through an interface, the device checks whether the packet matches
any ACE in the output ACL of this interface.
When multiple filtering rules are defined, all of them or only some of them may apply to a given packet. If a packet matches
an ACE, the packet is processed according to the action (permit or deny) defined in that ACE. ACEs in an ACL identify Ethernet
packets based on the following fields in the Ethernet packets:
Layer 2 (L2) fields:
48-bit source MAC address (containing all 48 bits)
48-bit destination MAC address (containing all 48 bits)
16-bit L2 type field
Layer 3 (L3) fields: