ACL in traffic policy on Huawei device

We have to remember that traffic policy consists of 3 parts:

  • Classifier
  • Behavior
  • Traffic-policy

In brief, to configure a traffic policy:

  • define traffic class
  • define action to be applied to the traffic class
  • associate traffic classifiers and behaviors
  • apply the traffic policy to an interface.

Let’s start from ACL.

We have possibility to configure many rules in an ACL. If the ACL is specified in if-match clause, then a packet is matched against multiple rules. If the packet matches a rule in the ACL, then it stops checking against the next rules.

  • In a case of DENY action in the ACL, the matched packet is denied, regardless of what traffic behavior defines.
  • When PERMIT action is defined in the ACL, then traffic behavior is applied to the matched packet.

Let’s focus on if-match clauses now and matching order between them.

We have 2 possibilities to configure a traffic classifier:

  • With logic OR relationship between multiple matching rules
  • With logic AND relationship between multiple matching rules.

In the flowchart you can see traffic policy implementation with logic OR:

traffic policy implementation with logic OR HuaweiNotice that traffic behavior is applied for the packets that match any one of the if-match clauses. In this situation, packet is matched against If-match clauses, in the order of the If-match clauses configuration. This kind of traffic classifier is commonly used.

In logic AND implementation, the device combines all if-match clauses and then processes the combination of if-match clauses according to the procedure of logic OR. If one of the if-match clauses is applied with ACL, each rule of the ACL is combined with all of the other if-match clauses. In this situation, the order of if-match clauses does not impact on the final matching result.

As you know, one or more classifiers and behaviors can be configured in a traffic policy. A packet is matched against traffic classifiers in the order, in which those classifiers have been configured. If the packet matches a traffic classifier, no further match operation is performed. If not, the packet is matched against the following traffic classifiers one by one. If the packet does not match traffic classifiers at all, the packet is forwarded with no traffic policy executed.

Anyway, the order of traffic classifier can be changed by the following command:

classifier classifier-name behavior behavior-name precedence precedence

Let’s try to configure a traffic policy as follows:

  • packets coming from source IP address 10.1.1.0/24, with DSCP 18, are then remarked as AF31
  • packets coming from source IP address 172.16.1.0/24, with DSCP 18, are discarded
  • other packets are forwarded directly.
#
acl number 3000  
 rule 5 permit ip source 10.1.1.0 0.0.0.255 dscp af21 
 rule 10 deny ip source 172.16.1.0 0.0.0.255 dscp af21 
#
traffic classifier labnario operator or
 if-match acl 3000
#
traffic behavior labnario
 remark dscp af31
#
traffic policy labnario
 classifier labnario behavior labnario
#
interface GigabitEthernet0/0/0
 traffic-policy labnario inbound

I have a home task for you. Try to configure the same policy but using logic AND. Your traffic policy must do the same like the one configured.

Unfortunately, awards are not provided ;)

I will publish the solution soon on Facebook.

All comments (solutions) are welcome.

Download as PDF

Advertisements

3 thoughts on “ACL in traffic policy on Huawei device

  1. nileshkahar

    Hi Labnario,
    This is excellent, can’t find this type of explanation on internet or huawei site.
    One doubt, please clear the same. Please explain below mentioned statement.
    “In a case of DENY action in the ACL, the matched packet is denied, regardless of what traffic behavior defines.”
    My understanding -> Packet will only be denied to pass through traffic policy otherwise packet will be forwarded as per routing table entry.
    Thanks in advance.
    Nilesh.

    Reply
    1. labnario Post author

      Hi,
      permit means that the packet matches the rule and traffic behavior will be used for this packet,
      deny means that the packet matches the rule and this packet will be dropped
      packets that do not match any rule in ACL will be forwarded as per routing table entry.

      In deny statement packets will be dropped completely, not denied to pass traffic policy.

      Just do a simple test using eNSP
      1. Connect 3 PCs to AR router (LAN) – you can use hub
      2. Connect 1 PC to AR router (WAN)
      3. Configure IP addresses of interface Vlan (LAN), and interface GE (WAN)
      4. Configure IP addresses of PCs
      5. Configure ACL on the router that permits IP address of PC1, deny IP address of PC2.
      6. Configure traffic policy with default behavior “permit”.

      #
      acl number 3000
      rule 5 permit ip source 10.1.1.1 0
      rule 10 deny ip source 10.1.1.2 0
      #
      traffic classifier labnario operator or
      if-match acl 3000
      #
      traffic behavior labnario
      #
      traffic policy labnario
      classifier labnario behavior labnario
      #
      interface Vlanif100
      ip address 10.1.1.10 255.255.255.0
      traffic-policy labnario inbound

      Now you can ping from LAN (3 PCs) to PC simulating WAN.
      Results should be:
      PC1 permit
      PC2 dropped
      PC3 forwarded as per routing table.

      Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s