Configuration Guide
Security Configuration
ACL Configuration
## Introduction

Communication between information points, and communication between the internal and external networks, are essential business requirements in enterprise networks. To ensure the security of the internal network, security policies are needed so that unauthorized users can only access specific network resources.

An access control list (ACL) consists of a series of rules that form a packet-processing policy. These rules typically consist of conditional statements describing packet matching conditions, such as source MAC, destination MAC, source IP, destination IP, source port number, destination port number, etc. Switches use these rules to filter packets. After ACL rules are configured, the switch allows specific packets to pass through while blocking others, achieving access control and traffic filtering. In short, an ACL is a network technology for controlling access, enhancing network security, and ensuring reliable network transmission.

## Explanation of Principles

### ACL Table

An ACL table is a collection of ACL rules that is bound to specific interfaces in the form of a table. The "stage" indicates the direction, which can be "ingress" or "egress", corresponding to whether the ACL table is applied in the inbound or outbound direction. For CX series products, different directions have different available match fields: the match fields available in the ingress direction are not available in the egress direction.

The ACL table types available on the current device are as follows; each one filters a different kind of service:

- `l3`: regular IPv4 business packets received/sent by service interfaces
- `l3v6`: regular IPv6 business packets received/sent by service interfaces
- `ctrlplane`: used to filter SSH management packets and SNMP protocol packets for device login
- `ctrlplanev6`: used to filter SSH management packets and SNMP protocol IPv6 packets for device login
- `nexthop group`: used when configuring policy-based routing (PBR) to specify the next-hop address group

### ACL Rule

An ACL rule belongs to a table. Within a rule, you define the priority, the matching conditions, and the action taken on a match. An ACL rule can only be added to one table, but a table can contain multiple rules, creating a many-to-one relationship between rules and tables.

### ACL Rule Priority

Priority indicates the priority of a rule: the larger the numerical value, the higher the priority. The priority value must be less than 500. Priority is used when multiple rules can match a packet; the rule with the highest priority is selected. The same table cannot have rules with the same priority. When rules are named non-numerically, the priority is determined by the order of configuration: the rule configured first has the higher priority.

### ACL Rule Actions

#### Ingress direction

| Actions | Keywords | Description |
| --- | --- | --- |
| Basic action | `packet-action permit` | Allows forwarding of the packet |
| | `packet-action drop` | Discards the packet |
| | `packet-action trap` | Sends the packet to the CPU for processing without forwarding it |
| | `packet-action copy` | Sends a copy of the packet to the CPU for processing while also forwarding the original packet |
| Redirect action | `redirect` | Redirect to an interface, a next hop, or a next-hop group |
| QoS marking | `traffic-behavior` | Implement port-based traffic rate limiting based on the ACL and a traffic behavior |

#### Egress direction

| Actions | Keywords | Description |
| --- | --- | --- |
| Basic action | `packet-action permit` | Allows forwarding of the packet |
| | `packet-action drop` | Discards the packet |
| | `packet-action trap` | Sends the packet to the CPU for processing without forwarding it |
| | `packet-action copy` | Sends a copy of the packet to the CPU for processing while also forwarding the original packet |

### ACL Rule Matching Filter

#### l3/l3v6 matching filter

| Keywords | Description |
| --- | --- |
| `ethernet-type` | 16-bit Ethernet type value, hex<0-ffff>, e.g. 0x0800 |
| `src-mac` | Source MAC address, format nn:nn:nn:nn:nn:nn |
| `outer-vlan` | Outer VLAN ID |
| `vlan-pri` | VLAN priority |
| `ip-protocol` | IP protocol type; can be configured using either the numeric value or the protocol name |
| `icmpv6-type` | ICMPv6 message type, range 1-137 |
| `src-ip` | Source IP address (with subnet mask), e.g. "10.1.1.1/24" |
| `dst-ip` | Destination IP address (with subnet mask), e.g. "10.1.1.1/24" |
| `icmp-type` | 8-bit ICMP type value, range 0-16 |
| `src-port` | Protocol source port number |
| `dst-port` | Protocol destination port number |
| `ip-type` | `non-ip` for filtering non-IP packets; `ipv4any` for filtering IPv4 packets; `ipv6any` for filtering IPv6 packets; `arp` for filtering ARP packets |

#### ctrlplane/ctrlplanev6 matching filter

| Keywords | Description |
| --- | --- |
| `src-ip` | Source IP address |
| `dst-ip` | Destination IP address |

## Configuration Example

### L3 IPv4 ACL configuration example

#### Network requirements

A company interconnects all of its departments through a switch. The server stores the company's confidential technical data and backs it up to the cloud. To ensure information security, ACL rules must be configured so that:

- User group A is blocked from accessing resources on the server and on the cloud.
- User group B is prohibited from accessing the server resources directly, but can access the information through the cloud.

#### Procedure

The VLAN configuration process is omitted.

1. Configure the interface IP addresses.

```
sonic(config)# interface ethernet 49
sonic(config-if-49)# ip address 192.168.10.1/24
sonic(config)# interface ethernet 50
sonic(config-if-50)# ip address 192.168.20.1/24
sonic(config)# interface vlan 10
sonic(config-vlanif-10)# ip address 192.168.4.1/24
sonic(config)# interface vlan 20
sonic(config-vlanif-20)# ip address 192.168.5.1/24
```

2. Configure the ACL rules.

```
sonic(config)# access-list l3 table 1 ingress
sonic(config-l3-acl-table-1)# rule 1 src-ip 192.168.4.0/24 dst-ip 192.168.20.0/24 packet-action deny
sonic(config-l3-acl-table-1)# rule 2 src-ip 192.168.4.0/24 dst-ip 192.168.10.0/24 packet-action deny
sonic(config)# access-list l3 table 2 ingress
sonic(config-l3-acl-table-2)# rule 3 src-ip 192.168.5.0/24 dst-ip 192.168.20.0/24 packet-action deny
```

3. Bind the tables to the interfaces.

```
sonic(config)# interface vlan 10
sonic(config-vlanif-10)# acl table 1
sonic(config)# interface vlan 20
sonic(config-vlanif-20)# acl table 2
```

#### Verify configuration

User A can access user B and other network resources normally, but cannot access the cloud or the server resources. User B can access user A and the cloud resources normally, but not the server resources.

### ctrlplane ACL configuration example

#### Network requirements

The PC logs in to the device over the cloud, that is, from the external network. For security reasons, all users must log in to the device through a jump server (springboard machine). ACL filtering rules must be configured on the device so that IP addresses other than the jump server's cannot access the device.

#### Procedure

```
sonic(config)# access-list ctrlplane ssh ingress srv ssh,snmp
sonic(config-ctrlplane-acl-ssh)# rule 100 src-ip 192.168.0.0/20
sonic(config-ctrlplane-acl-ssh)# rule 90 src-ip 10.11.1.0/24
```

#### Verify configuration

The PC can log in to the device normally only through the jump server; other paths cannot log in, and the device's normal business functions are not affected by the rule.
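The following Python model is added here as an example; it is not part of this guide or of the CX series software. It reproduces the table, rule and priority semantics described above (priority below 500, unique per table, highest value wins among matching rules) and replays the L3 IPv4 example against the page's verification statements. It assumes that a packet matching no rule is permitted (the page does not state the default), infers from the interface addresses and the requirements that 192.168.20.0/24 is the server segment and 192.168.10.0/24 the cloud uplink, and uses constructed host addresses. The action is spelled `drop` as in the action table, although the CLI example writes `packet-action deny`.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Priority must be less than 500 on this platform; the larger value wins.
MAX_PRIORITY = 500


@dataclass(frozen=True)
class Rule:
    """One ACL rule: priority, L3 match fields, and the action taken on a match."""
    priority: int
    action: str                    # "permit" or "drop" (the page's CLI example writes "deny")
    src_ip: Optional[str] = None   # prefix such as "192.168.4.0/24"; None means "any"
    dst_ip: Optional[str] = None

    def matches(self, src: str, dst: str) -> bool:
        if self.src_ip and ipaddress.ip_address(src) not in ipaddress.ip_network(self.src_ip, strict=False):
            return False
        if self.dst_ip and ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dst_ip, strict=False):
            return False
        return True


class AclTable:
    """A table of rules for one stage; enforces the priority constraints stated on the page."""

    def __init__(self, name: str, stage: str = "ingress") -> None:
        if stage not in ("ingress", "egress"):
            raise ValueError("stage must be ingress or egress")
        self.name, self.stage = name, stage
        self.rules: List[Rule] = []

    def add_rule(self, rule: Rule) -> None:
        if not 0 <= rule.priority < MAX_PRIORITY:
            raise ValueError(f"priority {rule.priority} must be in [0, {MAX_PRIORITY})")
        if any(r.priority == rule.priority for r in self.rules):
            raise ValueError(f"priority {rule.priority} already used in table {self.name}")
        self.rules.append(rule)

    def lookup(self, src: str, dst: str, default: str = "permit") -> str:
        # Among all matching rules, the one with the highest priority value decides.
        # The default for "no rule matched" is an assumption; the page does not state it.
        hits = [r for r in self.rules if r.matches(src, dst)]
        return max(hits, key=lambda r: r.priority).action if hits else default


def build_example_bindings() -> Dict[str, AclTable]:
    """Reproduce the page's L3 example: table 1 bound to VLAN 10 (group A,
    192.168.4.0/24) and table 2 bound to VLAN 20 (group B, 192.168.5.0/24)."""
    t1 = AclTable("1")
    t1.add_rule(Rule(1, "drop", "192.168.4.0/24", "192.168.20.0/24"))  # A -> server (inferred)
    t1.add_rule(Rule(2, "drop", "192.168.4.0/24", "192.168.10.0/24"))  # A -> cloud (inferred)
    t2 = AclTable("2")
    t2.add_rule(Rule(3, "drop", "192.168.5.0/24", "192.168.20.0/24"))  # B -> server (inferred)
    return {"Vlan10": t1, "Vlan20": t2}


def verify_example(bindings: Optional[Dict[str, AclTable]] = None) -> Dict[str, str]:
    """Evaluate the page's 'verify configuration' cases with constructed host addresses."""
    bindings = bindings or build_example_bindings()
    cases: Dict[str, Tuple[str, str, str]] = {
        "A->server": ("Vlan10", "192.168.4.10", "192.168.20.5"),
        "A->cloud":  ("Vlan10", "192.168.4.10", "192.168.10.5"),
        "A->B":      ("Vlan10", "192.168.4.10", "192.168.5.10"),
        "B->server": ("Vlan20", "192.168.5.10", "192.168.20.5"),
        "B->cloud":  ("Vlan20", "192.168.5.10", "192.168.10.5"),
        "B->A":      ("Vlan20", "192.168.5.10", "192.168.4.10"),
    }
    # The ingress table is selected by the VLAN the packet arrives on, as in the binding step.
    return {name: bindings[vlan].lookup(src, dst) for name, (vlan, src, dst) in cases.items()}


if __name__ == "__main__":
    for case, verdict in verify_example().items():
        print(f"{case:10s} {verdict}")
```

The model is useful for reviewing a rule set before it is pushed to the switch: because the highest numeric priority wins, a broad permit entered with a large priority silently overrides every narrower drop, so a quick replay of the intended traffic pairs catches that before the device does.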
