ACL matching order on Huawei device

The first thing a device has to do is check whether the ACL exists. If it does, the device matches packets against the rules in ascending order of rule ID. Rule IDs can be configured manually or allocated automatically. When they are allocated automatically, the device leaves a gap between consecutive rule IDs; the size of this gap is the ACL step, which is 5 by default and can be changed with the step command in ACL view. The gap lets us insert a new rule before the first rule or between two existing rules without renumbering the others. ACL rules are displayed in ascending order of rule ID, not in the order in which they were configured.

ACL rules can be arranged in two modes: config (configuration order) and auto.

In config mode (the default), we decide which rule comes first, which second, and so on: the device matches rules in ascending order of rule ID. At any time we can add a rule with a smaller rule ID, and that later-configured rule will then be matched earlier. The order is our decision, not the system's.

In auto mode the system allocates the rule IDs itself; we cannot specify a rule ID. Rules are sorted by the depth-first principle, so the most specific rule is placed at the beginning of the ACL.

When can we use it?

For example, if we filter a wide range of packets and want a few packets from that range to pass, it is enough to define a more specific rule, without reordering the existing rules. The device places this rule first because it is more specific.

For basic ACL rules, the source address wildcards are compared: the rule whose wildcard has more 0 bits (the narrower address range) is placed first. If the wildcards are the same, the configuration order decides.

For advanced ACL rules, more factors are compared: the protocol type, the source and destination address wildcards, and the source and destination port ranges (a narrower range is placed first). If all of these are equal, the configuration order decides.

Let's configure the same four rules in both modes (config is the default, so no match-order keyword appears in the second display output):

[Huawei]acl number 3000 match-order auto
[Huawei-acl-adv-3000]rule permit ip source 10.1.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
[Huawei-acl-adv-3000]rule permit ip source 150.20.0.0 0.0.0.255 destination 10.1.0.0 0.0.0.255
[Huawei-acl-adv-3000]rule deny ip source 10.1.1.10 0.0.0.0 destination 172.16.1.0 0.0.0.255
[Huawei-acl-adv-3000]rule deny ip source 150.20.0.0 0.0.0.255 destination 10.1.0.15 0.0.0.0

[Huawei-acl-adv-3000]display this
#
acl number 3000 match-order auto
 rule 5 deny ip source 10.1.1.10 0 destination 172.16.1.0 0.0.0.255
 rule 10 deny ip source 150.20.0.0 0.0.0.255 destination 10.1.0.15 0
 rule 15 permit ip source 10.1.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
 rule 20 permit ip source 150.20.0.0 0.0.0.255 destination 10.1.0.0 0.0.0.255

[Huawei]acl 3000 match-order config
[Huawei-acl-adv-3000]rule permit ip source 10.1.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
[Huawei-acl-adv-3000]rule permit ip source 150.20.0.0 0.0.0.255 destination 10.1.0.0 0.0.0.255
[Huawei-acl-adv-3000]rule deny ip source 10.1.1.10 0.0.0.0 destination 172.16.1.0 0.0.0.255
[Huawei-acl-adv-3000]rule deny ip source 150.20.0.0 0.0.0.255 destination 10.1.0.15 0.0.0.0

[Huawei-acl-adv-3000]display this
#
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
 rule 10 permit ip source 150.20.0.0 0.0.0.255 destination 10.1.0.0 0.0.0.255
 rule 15 deny ip source 10.1.1.10 0 destination 172.16.1.0 0.0.0.255
 rule 20 deny ip source 150.20.0.0 0.0.0.255 destination 10.1.0.15 0

Look at the order of the rules in these two ACLs. Although the rules were entered in the same order in both cases, the resulting ACLs differ. In config mode the two host-specific deny rules sit after the broader permit rules that already cover those hosts, so they are never matched; in auto mode they are moved to the front and take effect.
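To make the difference between the two modes checkable offline, here is a small simulation of the ordering and first-hit lookup described above (the depth-first comparison of wildcards and configuration order, and the resulting verdict per packet). It is an added example written for this post, not Huawei code or output; the four rules are the post's own ACL 3000, and the protocol and port-range comparisons in the sort key are an assumption about advanced ACLs that does not affect those four rules.

```python
# Simulation of Huawei ACL rule ordering: config mode versus auto (depth-first).
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                                  # "permit" or "deny"
    protocol: str                                # "ip" means any IP protocol
    src: str                                     # source address
    src_wc: str                                  # source wildcard, "0.0.0.255" or "0"
    dst: str                                     # destination address
    dst_wc: str                                  # destination wildcard
    src_port: Optional[Tuple[int, int]] = None   # (low, high); None means any port
    dst_port: Optional[Tuple[int, int]] = None


def _wc_to_int(wc: str) -> int:
    # 'display' shows a host wildcard as plain "0"; accept both spellings.
    return int(ipaddress.IPv4Address(wc)) if "." in wc else int(wc)


def zero_bits(wc: str) -> int:
    """Number of 0 bits in a wildcard: 32 for a single host, 0 for any address."""
    return 32 - bin(_wc_to_int(wc)).count("1")


def _port_span(port: Optional[Tuple[int, int]]) -> int:
    return 65536 if port is None else port[1] - port[0] + 1


def depth_first_key(rule: Rule, config_index: int) -> tuple:
    """Sort key for auto mode: smaller key = more specific = evaluated first.
    Source wildcard, destination wildcard and configuration order are the criteria
    the post gives. Ranking an explicit protocol before "ip" and a narrower port
    range first is an assumption (all four post rules are "ip" without ports)."""
    return (
        1 if rule.protocol == "ip" else 0,
        -zero_bits(rule.src_wc),
        -zero_bits(rule.dst_wc),
        _port_span(rule.src_port),
        _port_span(rule.dst_port),
        config_index,
    )


def order_rules(rules: List[Rule], match_order: str, step: int = 5) -> List[Tuple[int, Rule]]:
    """(rule_id, rule) pairs in evaluation order; IDs allocated as step, 2*step, ..."""
    indexed = list(enumerate(rules))
    if match_order == "auto":
        indexed.sort(key=lambda ir: depth_first_key(ir[1], ir[0]))
    elif match_order != "config":
        raise ValueError(f"unknown match-order {match_order!r}")
    return [(step * (n + 1), rule) for n, (_, rule) in enumerate(indexed)]


def _addr_match(addr: str, rule_addr: str, wc: str) -> bool:
    care = 0xFFFFFFFF ^ _wc_to_int(wc)          # wildcard 1 bits are "don't care"
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(rule_addr))
    return (a & care) == (b & care)


def first_match(ordered: List[Tuple[int, Rule]], src: str, dst: str,
                protocol: str = "ip") -> Optional[Tuple[int, str]]:
    """Walk rules in ID order and stop at the first hit, as the device does.
    Returns (rule_id, action) or None when no rule matches. Ports are used
    only for ordering in this model, not for matching."""
    for rule_id, r in ordered:
        if r.protocol != "ip" and r.protocol != protocol:
            continue
        if _addr_match(src, r.src, r.src_wc) and _addr_match(dst, r.dst, r.dst_wc):
            return rule_id, r.action
    return None


def render(ordered: List[Tuple[int, Rule]]) -> List[str]:
    """Rule lines in the style of 'display this' (host wildcard shown as 0)."""
    def wc(w: str) -> str:
        return "0" if _wc_to_int(w) == 0 else w
    return [f"rule {rid} {r.action} {r.protocol} source {r.src} {wc(r.src_wc)} "
            f"destination {r.dst} {wc(r.dst_wc)}" for rid, r in ordered]


# The four rules from the post, in the order they were typed (constructed input).
POST_RULES = [
    Rule("permit", "ip", "10.1.1.0", "0.0.0.255", "172.16.1.0", "0.0.0.255"),
    Rule("permit", "ip", "150.20.0.0", "0.0.0.255", "10.1.0.0", "0.0.0.255"),
    Rule("deny", "ip", "10.1.1.10", "0.0.0.0", "172.16.1.0", "0.0.0.255"),
    Rule("deny", "ip", "150.20.0.0", "0.0.0.255", "10.1.0.15", "0.0.0.0"),
]


def compare_modes(src: str, dst: str) -> Dict[str, Optional[Tuple[int, str]]]:
    """Verdict for one packet under both match orders of the post's ACL 3000."""
    return {mode: first_match(order_rules(POST_RULES, mode), src, dst)
            for mode in ("config", "auto")}


if __name__ == "__main__":
    for mode in ("config", "auto"):
        print(f"acl number 3000 match-order {mode}")
        for line in render(order_rules(POST_RULES, mode)):
            print(" " + line)
    # Host 10.1.1.10 was meant to be blocked: permitted in config mode, denied in auto.
    print(compare_modes("10.1.1.10", "172.16.1.5"))
```

Running it reproduces the two display outputs above and shows the practical consequence: a packet from 10.1.1.10 to 172.16.1.5 hits rule 5 permit in config mode and rule 5 deny in auto mode. The lesson for a filter you rely on is the same in either mode: after adding a rule, read the ACL back with display and test a packet that the new rule is supposed to catch, rather than trusting the order in which the rules were typed.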


7 thoughts on “ACL matching order on Huawei device”

    1. nileshkahar

      Hi Labnario,
      I am using a traffic policy wherein I have to only allow traffic in the ACL for matching and do the action on the basis of the behaviour.
      So I don't understand whether there will be any deny statement at all in the ACL when we use it in a traffic policy.
      I am using these traffic policies on Huawei S7700 switches. So please clarify my point on this.
      Thanks a ton in advance.
      Nilesh.

  1. labnario Post author

    Of course you can use an ACL with a deny statement when configuring a traffic policy. We cannot use it only with the mirroring behaviour. I will try to explain ACLs in traffic policies soon on the blog. Thanks for suggesting a new blog topic. All suggestions are welcome.

    1. labnario Post author

      I've just tested an ACL in the LAN (2 PCs connected to a router in the LAN). I wanted to block traffic from PC1 and permit it from PC2. What is the result? This ACL blocks all traffic :) in the LAN, in both directions. It doesn't work correctly. It looks like ACLs are not implemented successfully.

      vlan batch 100
      #
      acl number 3000
      rule 5 deny ip source 10.0.0.2 0 destination 10.0.0.1 0
      rule 10 permit ip
      #
      traffic classifier labnario operator or
      if-match acl 3000
      #
      traffic behavior labnario
      deny
      statistic enable
      #
      traffic policy labnario
      classifier labnario behavior labnario
      #
      #
      interface Vlanif100
      ip address 10.0.0.1 255.255.255.0
      #
      interface Ethernet0/0/0
      port link-type access
      port default vlan 100
      traffic-policy labnario inbound

      [Huawei]ping 10.0.0.2
      PING 10.0.0.2: 56 data bytes, press CTRL_C to break
      Request time out
      Request time out
      Request time out
      Request time out
      Request time out

      --- 10.0.0.2 ping statistics ---
      5 packet(s) transmitted
      0 packet(s) received
      100.00% packet loss

      [Huawei]ping 10.0.0.3
      PING 10.0.0.3: 56 data bytes, press CTRL_C to break
      Request time out
      Request time out
      Request time out
      Request time out
      Request time out

      --- 10.0.0.3 ping statistics ---
      5 packet(s) transmitted
      0 packet(s) received
      100.00% packet loss

      PC1>ping 10.0.0.1

      Ping 10.0.0.1: 32 data bytes, Press Ctrl_C to break
      Request timeout!
      Request timeout!
      Request timeout!
      Request timeout!
      Request timeout!

      --- 10.0.0.1 ping statistics ---
      5 packet(s) transmitted
      0 packet(s) received
      100.00% packet loss

      PC2>ping 10.0.0.1

      Ping 10.0.0.1: 32 data bytes, Press Ctrl_C to break
      Request timeout!
      Request timeout!
      Request timeout!
      Request timeout!
      Request timeout!

      --- 10.0.0.1 ping statistics ---
      5 packet(s) transmitted
      0 packet(s) received
      100.00% packet loss

