Wednesday, September 20 2017

ACL matching order on Huawei device

The first thing a device does is check whether the ACL exists. If it does, the device matches packets against the rules in order of rule ID. Rule IDs can be configured manually or allocated automatically. Automatically allocated IDs are spaced apart by the ACL step, which is 5 by default and can be changed with a command. The gaps let us insert a rule before the first rule or between two existing rules. ACL rules are displayed in ascending order of rule ID, not in the order in which they were configured.

ACL rules can be ordered in two modes: config (the default) and auto.

In config mode we decide which rule comes first, which second, and so on: the device matches rules in ascending order of rule ID. At any time we can add a rule with a smaller rule ID than the existing ones, so a rule configured later may be matched earlier. That decision is ours, not the system's.

In auto mode the system allocates the rule IDs itself; we cannot specify a rule ID. Rules are ordered by precision (depth-first): the most precise rule is placed at the beginning of the ACL, and the IDs are reassigned as rules are added.

When can we use it?

For example, if we filter a wide range of packets and want a few packets from that range to pass, it is enough to define one specific rule, without reordering the rest. Being more specific, that rule is placed first. In config mode the same rule, added later, would get the highest rule ID, land after the wider rule that already covers those packets, and never be reached.

For basic ACL rules, the source address wildcards are compared: the smaller wildcard (the more specific source) wins. If the wildcards are the same, the configuration order decides.

For advanced ACL rules, more fields are compared: the protocol type, the wildcards of the source and destination addresses, and the source and destination port ranges. Configuration order again breaks ties.

Let's configure the same four rules, entered in the same order, in an ACL using each of the two modes:

[Huawei]acl number 3000  match-order auto
[Huawei-acl-adv-3000]rule perm ip source 10.1.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
[Huawei-acl-adv-3000]rule permit ip source 150.20.0.0 0.0.0.255 destination 10.1.0.0 0.0.0.255
[Huawei-acl-adv-3000]rule deny ip sou 10.1.1.10 0.0.0.0 destination 172.16.1.0 0.0.0.255
[Huawei-acl-adv-3000]rule den ip source 150.20.0.0 0.0.0.255 destination 10.1.0.15 0.0.0.0

[Huawei-acl-adv-3000]dis this
#
acl number 3000  match-order auto
 rule 5 deny ip source 10.1.1.10 0 destination 172.16.1.0 0.0.0.255 
 rule 10 deny ip source 150.20.0.0 0.0.0.255 destination 10.1.0.15 0 
 rule 15 permit ip source 10.1.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255 
 rule 20 permit ip source 150.20.0.0 0.0.0.255 destination 10.1.0.0 0.0.0.255 

[Huawei]acl 3000 match-order config
[Huawei-acl-adv-3000]rule perm ip source 10.1.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
[Huawei-acl-adv-3000]rule permit ip source 150.20.0.0 0.0.0.255 destination 10.1.0.0 0.0.0.255
[Huawei-acl-adv-3000]rule deny ip sou 10.1.1.10 0.0.0.0 destination 172.16.1.0 0.0.0.255
[Huawei-acl-adv-3000]rule den ip source 150.20.0.0 0.0.0.255 destination 10.1.0.15 0.0.0.0

[Huawei-acl-adv-3000]dis this
#
acl number 3000  
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255 
 rule 10 permit ip source 150.20.0.0 0.0.0.255 destination 10.1.0.0 0.0.0.255 
 rule 15 deny ip source 10.1.1.10 0 destination 172.16.1.0 0.0.0.255 
 rule 20 deny ip source 150.20.0.0 0.0.0.255 destination 10.1.0.15 0

Look at the order of these two ACLs. Although the rules were entered in the same order in both cases, the resulting ACLs differ. In config mode the two host-specific deny rules end up last (rule 15 and rule 20), after the wider permit rules that already cover those hosts, so traffic from 10.1.1.10 and to 10.1.0.15 is permitted and the deny rules are never reached. In auto mode the system moves them to the front (rule 5 and rule 10), where they take effect. Note that match-order config does not appear in the second display output because it is the default.
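To make the difference checkable offline, here is a small model of the two matching orders, written for this page as an added example; it is not code from the original post or from Huawei. It parses the four rules above in the abbreviated form they were typed, orders them either by configuration order (with the step-based ID allocation and the option of an explicit smaller ID) or depth-first as in auto mode (more specific source wildcard first, then destination wildcard, then configuration order), renders them like display this, and evaluates sample packets first-match. The assumptions are that only plain ip rules with source and destination addresses are present; protocol type, port ranges and VPN instances, which the real algorithm also compares, are not modelled, and what happens to a packet that matches no rule is left to the caller because it depends on where the ACL is applied.

```python
"""Model of Huawei VRP ACL rule ordering: match-order config vs auto.

Added example, not code from the original post. Only plain 'ip' rules with
source/destination addresses are handled (assumption); protocol, port ranges
and VPN instances, which the real depth-first algorithm also compares, are not.
"""
import ipaddress
import re
from dataclasses import dataclass, replace
from typing import Optional

ACL_STEP = 5  # VRP default step between automatically allocated rule IDs

# Accepts the abbreviations typed at the CLI ("perm", "den", "sou") and an
# optional explicit rule ID, e.g. "rule 3 deny ip source 10.1.1.10 0 destination ..."
RULE_RE = re.compile(
    r"^\s*rule\s+(?:(?P<rid>\d+)\s+)?(?P<action>\w+)\s+ip\s+"
    r"sou\w*\s+(?P<src>\S+)\s+(?P<src_wc>\S+)\s+"
    r"dest\w*\s+(?P<dst>\S+)\s+(?P<dst_wc>\S+)\s*$"
)


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    src: int         # addresses and wildcards as 32-bit integers
    src_wc: int      # wildcard: 1 bits are "don't care"
    dst: int
    dst_wc: int
    seq: int         # configuration order (0 = entered first)
    rule_id: Optional[int] = None


def _addr(text: str) -> int:
    # VRP displays the host wildcard 0.0.0.0 as plain "0"; accept that shorthand
    return int(ipaddress.IPv4Address("0.0.0.0" if text == "0" else text))


def _fmt_wc(wc: int) -> str:
    return "0" if wc == 0 else str(ipaddress.IPv4Address(wc))


def parse_rule(line: str, seq: int) -> Rule:
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable rule: {line!r}")
    if m["action"].startswith("p"):
        action = "permit"
    elif m["action"].startswith("d"):
        action = "deny"
    else:
        raise ValueError(f"unknown action in {line!r}")
    rid = int(m["rid"]) if m["rid"] else None
    return Rule(action, _addr(m["src"]), _addr(m["src_wc"]),
                _addr(m["dst"]), _addr(m["dst_wc"]), seq, rid)


def _wildcard_bits(wc: int) -> int:
    """Number of 'don't care' bits; fewer bits means a more specific address."""
    return bin(wc).count("1")


def auto_order_key(rule: Rule) -> tuple:
    """Depth-first order: source wildcard, then destination wildcard, then the
    configuration order breaks ties (as with rule 15 / rule 20 in the post)."""
    return (_wildcard_bits(rule.src_wc), _wildcard_bits(rule.dst_wc), rule.seq)


def build_acl(lines, match_order: str = "config", step: int = ACL_STEP) -> list:
    rules = [parse_rule(line, i) for i, line in enumerate(lines)]
    if match_order == "auto":
        if any(r.rule_id is not None for r in rules):
            raise ValueError("rule IDs cannot be specified in match-order auto")
        ordered = sorted(rules, key=auto_order_key)
        return [replace(r, rule_id=(i + 1) * step) for i, r in enumerate(ordered)]
    if match_order != "config":
        raise ValueError(f"unknown match-order {match_order!r}")
    # config mode: an unnumbered rule gets the next multiple of the step above
    # the highest ID so far; an explicit smaller ID moves the rule forward
    numbered, max_id = [], 0
    for r in rules:
        rid = r.rule_id if r.rule_id is not None else (max_id // step + 1) * step
        max_id = max(max_id, rid)
        numbered.append(replace(r, rule_id=rid))
    return sorted(numbered, key=lambda r: r.rule_id)


def _matches(addr: int, net: int, wc: int) -> bool:
    return ((addr ^ net) & ~wc & 0xFFFFFFFF) == 0


def evaluate(acl, src_ip: str, dst_ip: str):
    """First matching rule wins. Returns (action, rule_id), or (None, None)
    when nothing matches; the outcome then depends on where the ACL is applied."""
    s, d = _addr(src_ip), _addr(dst_ip)
    for r in acl:
        if _matches(s, r.src, r.src_wc) and _matches(d, r.dst, r.dst_wc):
            return r.action, r.rule_id
    return None, None


def display(acl) -> list:
    """Render the rules the way 'display this' shows them (ascending rule ID)."""
    return [f"rule {r.rule_id} {r.action} ip source {ipaddress.IPv4Address(r.src)} "
            f"{_fmt_wc(r.src_wc)} destination {ipaddress.IPv4Address(r.dst)} {_fmt_wc(r.dst_wc)}"
            for r in acl]


# The four rules from the post, entered in the same order in both modes
RULES = [
    "rule perm ip source 10.1.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255",
    "rule permit ip source 150.20.0.0 0.0.0.255 destination 10.1.0.0 0.0.0.255",
    "rule deny ip sou 10.1.1.10 0.0.0.0 destination 172.16.1.0 0.0.0.255",
    "rule den ip source 150.20.0.0 0.0.0.255 destination 10.1.0.15 0.0.0.0",
]

if __name__ == "__main__":
    for mode in ("config", "auto"):
        acl = build_acl(RULES, mode)
        print(f"match-order {mode}:")
        for line in display(acl):
            print(" ", line)
        # the host the deny rule was written for: shadowed in config mode
        print("  10.1.1.10 -> 172.16.1.5:", evaluate(acl, "10.1.1.10", "172.16.1.5"))
```

Running it reproduces both display outputs from the post and shows the practical consequence: a packet from 10.1.1.10 to 172.16.1.5 is permitted by rule 5 in config mode and denied by rule 5 in auto mode. In config mode the fix is the one the post describes, giving the deny rule an explicit ID smaller than 5 so it sorts in front of the wider permit.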
