# ACL Configuration Guide
## Introduction

Communication between information points, and between the internal and external networks, are essential business requirements in enterprise networks. To keep the internal network secure, security policies must ensure that unauthorized users can only access specific network resources.

An access control list (ACL) consists of a series of rules that together form a packet processing policy. These rules are typically conditional statements describing packet matching conditions, such as source MAC, destination MAC, source IP, destination IP, source port number and destination port number. The device uses these rules to filter packets: once ACL rules are configured, the device allows specific packets to pass while blocking others, achieving access control and traffic filtering. In short, an ACL is a network technology for controlling access, enhancing network security and ensuring reliable network transmission.

## ACL Table

An ACL table is a collection of ACL rules that is bound to specific interfaces in the form of a table. The "stage" indicates the direction, which can be ingress or egress, corresponding to whether the ACL table is applied in the inbound or outbound direction. Different directions have different available match fields; the match fields available in the ingress direction are not available in the egress direction.

The ACL table types available on the current device are as follows, each filtering a different kind of service:

| Type | Description |
| --- | --- |
| L3 | Regular IPv4 business packets received/sent by service interfaces |
| L3v6 | Regular IPv6 business packets received/sent by service interfaces |

## ACL Rule

An ACL rule belongs to a table. Within a rule, you define the priority, the matching conditions and the actions taken on a match. An ACL rule can be added to only one table, but a table can contain multiple rules, giving a many-to-one relationship between rules and tables.

### ACL Rule Priority

The priority indicates the precedence of a rule: the larger the numerical value, the higher the priority. The priority value must be less than 500. Priority decides the outcome when multiple rules match a packet; the rule with the highest priority is selected. Rules in the same table cannot have the same priority. When rules are named non-numerically, the priority is determined by the order of configuration: a rule configured later has a higher priority.

### ACL Rule Actions

Ingress direction:

| Action | Keyword | Description |
| --- | --- | --- |
| Basic action | packet-action permit | Allows forwarding of the packet |
| | packet-action drop | Discards the packet |
| | packet-action trap | Sends the packet to the CPU for processing without forwarding |
| | no-nat | Does not use the NAT function |

Egress direction:

| Action | Keyword | Description |
| --- | --- | --- |
| Basic action | packet-action permit | Allows forwarding of the packet |
| | packet-action drop | Discards the packet |
| | packet-action trap | Sends the packet to the CPU for processing without forwarding |
| | no-nat | Does not use the NAT function |

### ACL Rule Matching Filter

L3/L3v6 matching filter:

| Keyword | Description |
| --- | --- |
| src-mac | Source MAC address, in the format NN:NN:NN:NN:NN:NN |
| ip-protocol | IP protocol type; can be configured using either the numeric value or the protocol name |
| src-ip | Source IP address with subnet mask, e.g. 10.1.1.1/24 |
| dst-ip | Destination IP address with subnet mask, e.g. 10.1.1.1/24 |
| src-port | Protocol source port number |
| dst-port | Protocol destination port number |

## Configuration Example

### L3 IPv4 ACL Configuration Example

Network requirements

A company interconnects all of its departments through the device. The server stores the company's confidential technical data and backs it up to the cloud. To ensure information security, ACL rules must be configured so that:

- User group A is blocked from accessing resources on the server and the cloud.
- User group B is prohibited from accessing the server resources directly, but can reach the information by accessing the cloud.

Procedure

1. Omit the VLAN configuration process.
2. Configure the interface IP addresses.

```
sonic(config)# interface ethernet 4
sonic(config-if-4)# ip address 192.168.10.1/24
sonic(config)# interface ethernet 5
sonic(config-if-5)# ip address 192.168.20.1/24
sonic(config)# interface vlan 10
sonic(config-vlanif-10)# ip address 192.168.4.1/24
sonic(config)# interface vlan 20
sonic(config-vlanif-20)# ip address 192.168.5.1/24
```

3. Configure the ACL rules.

```
sonic(config)# access-list l3 table 1 ingress
sonic(config-l3-acl-table-1)# rule 1 src-ip 192.168.4.0/24 dst-ip 192.168.20.0/24 packet-action deny
sonic(config-l3-acl-table-1)# rule 2 src-ip 192.168.4.0/24 dst-ip 192.168.10.0/24 packet-action deny
sonic(config)# access-list l3 table 2 ingress
sonic(config-l3-acl-table-2)# rule 3 src-ip 192.168.5.0/24 dst-ip 192.168.20.0/24 packet-action deny
```

4. Bind the tables to the interfaces.

```
sonic(config)# interface vlan 10
sonic(config-vlanif-10)# acl table 1
sonic(config)# interface vlan 20
sonic(config-vlanif-20)# acl table 2
```

Verification

- User A can access User B and other network resources normally, but cannot access the cloud and server resources.
- User B can access User A and the cloud resources normally, but not the server resources.
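To make the table, priority and matching semantics described in this guide concrete, the following Python model was written for this page and is not part of the device software. It assumes that a packet matching no rule is forwarded (which the verification section implies), treats the page's `deny` keyword as the non-forwarding action, enforces the priority constraints (below 500, unique per table, highest wins), and replays the example's three rules against constructed packets.

```python
import ipaddress

IMPLICIT_ACTION = "permit"  # assumption: unmatched traffic is forwarded (see verification section)

class Rule:
    # One ACL rule: priority, match fields (an unset field matches anything) and an action.
    def __init__(self, name, priority, action, src_ip=None, dst_ip=None,
                 ip_protocol=None, src_port=None, dst_port=None):
        self.name, self.priority, self.action = name, priority, action
        # strict=False accepts host-with-mask forms such as 10.1.1.1/24 from the filter table
        self.src_ip = ipaddress.ip_network(src_ip, strict=False) if src_ip else None
        self.dst_ip = ipaddress.ip_network(dst_ip, strict=False) if dst_ip else None
        self.ip_protocol, self.src_port, self.dst_port = ip_protocol, src_port, dst_port

    def matches(self, pkt):
        checks = [
            (self.src_ip, lambda: ipaddress.ip_address(pkt["src_ip"]) in self.src_ip),
            (self.dst_ip, lambda: ipaddress.ip_address(pkt["dst_ip"]) in self.dst_ip),
            (self.ip_protocol, lambda: pkt.get("ip_protocol") == self.ip_protocol),
            (self.src_port, lambda: pkt.get("src_port") == self.src_port),
            (self.dst_port, lambda: pkt.get("dst_port") == self.dst_port),
        ]
        return all(check() for field, check in checks if field is not None)

class AclTable:
    # A table of rules bound to one interface in one stage (ingress or egress).
    def __init__(self, name, stage="ingress"):
        self.name, self.stage, self.rules = name, stage, []

    def add_rule(self, rule):
        # Constraints from the priority section: value below 500, unique within the table.
        if rule.priority >= 500:
            raise ValueError(f"rule {rule.name}: priority must be less than 500")
        if any(r.priority == rule.priority for r in self.rules):
            raise ValueError(f"rule {rule.name}: priority {rule.priority} already used")
        self.rules.append(rule)

    def evaluate(self, pkt):
        # Among all matching rules the highest priority wins; otherwise the implicit action.
        hits = [r for r in self.rules if r.matches(pkt)]
        return max(hits, key=lambda r: r.priority).action if hits else IMPLICIT_ACTION

def build_example_tables():
    # Tables 1 and 2 from the configuration example, keyed by the VLAN interface they bind to.
    t1, t2 = AclTable("1"), AclTable("2")
    t1.add_rule(Rule("1", 1, "deny", src_ip="192.168.4.0/24", dst_ip="192.168.20.0/24"))
    t1.add_rule(Rule("2", 2, "deny", src_ip="192.168.4.0/24", dst_ip="192.168.10.0/24"))
    t2.add_rule(Rule("3", 3, "deny", src_ip="192.168.5.0/24", dst_ip="192.168.20.0/24"))
    return {"vlan10": t1, "vlan20": t2}
```

Evaluating constructed packets from 192.168.4.x (User A) and 192.168.5.x (User B) against these tables reproduces the outcomes listed under Verification.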
