Support User Manuals

Cabletron Systems 9032578-05 Network Router User Manual

Open as PDF

of 398

Chapter 19: Access Control List Configuration Guide

262 SmartSwitch Router User Reference Manual

How ACL Rules are Evaluated

For an ACL with multiple rules, the ordering of the rules is important. When the SSR

checks a packet against an ACL, it goes through each rule in the ACL sequentially. If a

packet matches a rule, it is forwarded or dropped based on the permit or deny keyword in

the rule. All subsequent rules are ignored. That is, a first-match algorithm is used. There is

no hidden or implied ordering of ACL rules, nor is there precedence attached to each

field. The SSR simply goes down the list, one rule at a time, until there is a match.

Consequently, rules that are more specific (that is, with more selection criteria) should

always be listed ahead of rules that are less specific. For example, the following ACL

permits all TCP traffic except those from subnet 10.2.0.0/16:

When a TCP packet comes from subnet 10.2.0.0/16, it finds a match with the first rule.

This causes the packet to be dropped. A TCP packet coming from other subnets does not

match the first rule. Instead, it matches the second rule, which allows the packet to go

through.

If you were to reverse the order of the two rules:

all TCP packets would be allowed to go through, including traffic from subnet 10.2.0.0/16.

This is because TCP traffic coming from 10.2.0.0/16 would match the first rule and be

allowed to go through. The second rule would not be looked at since the first match

determines the action taken on the packet.

Implicit Deny Rule

At the end of each ACL, the system automatically appends an implicit deny rule. This

implicit deny rule denies all traffic. For a packet that doesn’t match any of the user-

specified rules, the implicit deny rule acts as a catch-all rule. All packets match this rule.

This is done for security reasons. If an ACL is misconfigured, and a packet that should be

allowed to go through is blocked because of the implicit deny rule, the worst that could

happen is inconvenience. On the other hand, if a packet that should not be allowed to go

through is instead sent through, there is now a security breach. Thus, the implicit deny

rule serves as a line of defense against accidental misconfiguration of ACLs.

To illustrate how the implicit deny rule is used, consider the following ACL:

acl 101 deny tcp 10.2.0.0/16 any any any

acl 101 permit tcp any any any any

acl 101 permit tcp any any any any

acl 101 deny tcp 10.2.0.0/16 any any any

acl 101 permit ip 1.2.3.4/24

acl 101 permit ip 4.3.2.1/24 any nntp

previous next