Understanding Access Control Lists (ACLs)

Zyxel_Kay · May 31

In the realm of network management and security, Access Control Lists (ACLs) play a crucial role. This article aims to provide a comprehensive understanding of what ACLs are, how they function, and their significance in network security and traffic management.

What is an ACL?

An Access Control List (ACL) is a set of rules that are used to control network traffic and increase security. An ACL is a combination of a Classifier and a Policy Rule, which together set up filters to control which packets are permitted or denied in or out of a network.

Components of an ACL

Classifier: A classifier groups traffic into data flows based on specific criteria such as source address, destination address, source port number, destination port number, or incoming port number. For instance, a classifier can be configured to select traffic from a specific protocol port (e.g., Telnet) to form a flow.
Policy Rule: A policy rule ensures that a classified traffic flow receives the requested treatment in the network. To apply a policy rule, you must first configure a classifier.

How Does an ACL Work?

An ACL works by using classifiers to sort incoming traffic and then applying policy rules to these traffic flows. This setup determines whether matched incoming packets are allowed to be forwarded or discarded, effectively controlling network traffic. Users can define multiple ACLs to avoid malicious attacks or unintended mistakes that may cause network malfunctions.

Purpose of an ACL

The primary purposes of ACLs are:

To specifically filter certain types of traffic and provide extra security for networks.
To control traffic within a network, ensuring smooth and secure data transmission.

Criteria for Classifiers

Classifiers group traffic based on the following criteria:

Source Port: The port from which the traffic originates.
Source MAC/Destination MAC: The hardware addresses of the source and destination devices.
VLAN ID: The identifier for the Virtual Local Area Network.
DSCP (Differentiated Services Code Point): A field in the IP header for packet classification.
IP Protocol Type: The type of IP protocol (e.g., TCP, UDP).
Source IP/Destination IP: The IP addresses of the source and destination.
UDP/TCP Protocol Number: The port numbers for UDP or TCP protocols.

Configurable Parameters for Classifiers

The parameters that can be configured for a classifier include:

Classifier Name: Identifies the classifier.
Weight for Classifier: Determines the priority when the match order is in manual mode.
Ingress Port: Specifies the incoming port(s).
Packet Format: Defines the packet format (e.g., 802.3, L2).
VLAN ID: Specifies VLAN ID or range of VLAN IDs.
Priority: Sets the priority for tagged packets.
Ethernet Type: Specifies the type of Ethernet protocol (e.g., IP, ARP).
Source/Destination MAC Address: Defines MAC addresses with subnet mask.
IP Packet Length: Specifies the length of IP packets.
DSCP: Sets the DSCP value for IPv4 or IPv6.
Precedence: Sets the IP precedence value.
ToS (Type of Service): Specifies the ToS value.
IP Protocol: Defines the IP protocol (e.g., TCP, UDP).
IPv6 Next Header: Specifies the next header for IPv6.
Source/Destination IP Address: Defines IP addresses with prefix.
Source/Destination Socket Number: Specifies UDP/TCP port numbers.

What is a Policy Rule?

A Policy Rule ensures that classified packets get the appropriate forwarding actions. Each policy rule is associated with one classifier and involves setting parameters and defining actions such as forwarding, priority handling, queuing, and more.

Configurable Actions in a Policy Rule

The actions that can be configured in a Policy Rule include:

Forwarding: Determines whether packets are forwarded or discarded.
Priority: Assigns priority levels to packets.
Queue: Assigns packets to specific queues.
Diffserv: Manages Differentiated Services settings.
Outgoing: Directs packets to specific ports.
Metering: Limits the bandwidth for incoming packets.

Managing Bandwidth with ACLs

ACLs can manage bandwidth through the metering action, which limits the bandwidth for incoming packets. For example, if the metering is set to 500Kbps, the switch will handle only 500Kbps of incoming traffic. Any traffic exceeding this rate will follow the Out-of-Profile setting, such as dropping excess packets.

Conclusion

Access Control Lists (ACLs) are vital for network security and traffic management. By setting up ACLs, network administrators can efficiently control traffic flow, enhance security, and ensure optimal network performance. Understanding and configuring ACLs appropriately can significantly contribute to a secure and well-managed network environment.