
The difference between Cisco and Huawei router access control lists (ACLs)


In order to filter packets, a router needs a series of rules that determine which packets may pass. These rules are defined by an Access Control List (ACL). An access control list is an ordered series of rules, each a permit or deny statement. The rules are described in terms of a packet's source address, destination address, port number and so on, and the ACL classifies packets according to them. The rules are applied to a router interface, and based on them the router decides which packets are accepted and which are rejected.

First, the classification of access control lists on Cisco and Huawei routers

1. Huawei router access control lists fall into three categories according to their purpose:


1) Basic access control list (basic ACL)

A basic access control list can use only source address information as an element of its rules. Using the acl command described in the previous section, you create a basic access control list and enter the basic access control list view; in that view you create the rules of the basic access control list.

rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } ] [ time-range time-name ]


2) Advanced access control list (advanced ACL)

An advanced access control list can use source address information, destination address information, the protocol type carried by IP, and protocol characteristics such as TCP source port and destination port, ICMP type and code, and so on. Advanced access control lists let you define rules that are more precise, richer and more flexible than those of basic access control lists.

rule [ rule-id ] { permit | deny } protocol [ source {sour-addr sour-wildcard | any }] [ destination { dest-addr dest-wildcard | any }] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type icmp-type icmp-code ] [ precedence precedence ] [ tos tos ] [ time-range time-name ]


3) Interface-based access control list (interface-based ACL)

An interface-based access control list is a special type of access control list whose rules are specified according to the interface on which the packet is received.

rule [ rule-id ] { permit | deny } { interface interface-type interface-number | any } [ time-range time-name ]


2. Cisco routers have two common types of access control lists:


1) Standard access control list

Like Huawei's basic access control list, it checks only the source address of the packet.

access-list acl-number { permit | deny } host ip-address


2) Extended access control list

Similar to Huawei's advanced access control list, it checks both the source address and the destination address of the packet, as well as the packet's specific protocol type and port number.

access-list acl-number { permit | deny } protocol source source-wildcard [ source-port ] destination destination-wildcard [ destination-port ]


3) Besides these two, Cisco routers also support named access control lists, reflexive (reverse) access control lists, time-based access control lists and so on, but these are less often used in routine maintenance.


Second, the difference between Cisco and Huawei router access control list number ranges

The type of an access control list is indicated by the number range in which it is created.

1. On Huawei routers, access control lists numbered 2000 to 2999 are basic access control lists, those numbered 3000 to 3999 are advanced access control lists, and those numbered 1000 to 1999 are interface-based access control lists.

2. On Cisco routers, standard access control lists use the numbers 1 to 99 and 1300 to 1999 as list numbers, and extended access control lists use the numbers 100 to 199 and 2000 to 2699.


Third, the difference between Cisco and Huawei access control list matching order

1. Huawei router access control list matching rules

An access control list may consist of multiple "permit | deny" statements, each describing a different rule. These rules may overlap or contradict one another, so when a packet matches more than one rule, which rule applies? The matching order of the rules has to be defined.


There are two matching orders:

1) Configuration order

In configuration order, rules are matched in the order in which the user configured them in the ACL.

2) Automatic sorting

Automatic sorting follows the "depth-first" principle: the rule that specifies the smallest range of packets is placed first. This is determined by comparing the address wildcards; the smaller the wildcard, the smaller the range of hosts specified. For example, 129.102.1.1 0.0.0.0 specifies a single host, 129.102.1.1, while 129.102.1.1 0.0.255.255 specifies a network segment, 129.102.1.1 to 129.102.255.255, so the former is placed first among the access control rules. The specific criteria are: for basic access control rules, the source address wildcards are compared directly, and rules with equal wildcards keep their configuration order; for interface-based access control rules, rules configured with "any" are placed last and the others keep their configuration order; for advanced access control rules, the source address wildcards are compared first, then, if equal, the destination address wildcards, then, if equal, the port number ranges, with the smaller range placed first; if the port number ranges are also equal, the configuration order is kept.

Which matching order is used can be specified when the ACL is created:

acl [ number ] acl-number [ match-order { config | auto } ]


2. Cisco router access control list matching rules

Cisco routers use sequential matching: rules are checked in order, and once one rule matches, no further rules are examined. In addition, a Cisco access control list ends with an implicit deny, so if none of the preceding entries match, the packet is denied by default. In all cases, give users only the minimum privilege that meets their needs.
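The two matching orders described above (Huawei's configuration order versus depth-first automatic sorting, and Cisco-style first-match with an implicit deny) can be modelled in a few lines. The following is an added example, not code from the original page or from either vendor; the rule set, packet values and the implicit-deny default (which the text states only for Cisco) are constructed assumptions for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

@dataclass(frozen=True)
class Rule:
    """One ACL rule. Wildcard 0.0.0.0 = one host, 255.255.255.255 = any."""
    rule_id: int
    action: str                          # "permit" or "deny"
    src: str
    src_wild: str
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"    # destination defaults to any
    ports: Tuple[int, int] = (0, 65535)  # inclusive destination port range

def _addr_match(addr: str, base: str, wild: str) -> bool:
    # Wildcard-mask semantics: a 1 bit in the wildcard means "don't care".
    care = 0xFFFFFFFF ^ _ip(wild)
    return (_ip(addr) & care) == (_ip(base) & care)

def matches(rule: Rule, src: str, dst: str, port: int) -> bool:
    return (_addr_match(src, rule.src, rule.src_wild)
            and _addr_match(dst, rule.dst, rule.dst_wild)
            and rule.ports[0] <= port <= rule.ports[1])

def auto_order(rules: List[Rule]) -> List[Rule]:
    """Huawei depth-first order (match-order auto) for advanced ACLs: smaller
    source wildcard first, then smaller destination wildcard, then narrower
    port range; ties keep configuration order (sorted() is stable)."""
    return sorted(rules, key=lambda r: (_ip(r.src_wild), _ip(r.dst_wild),
                                        r.ports[1] - r.ports[0]))

def evaluate(rules: List[Rule], src: str, dst: str, port: int,
             match_order: str = "config", default: str = "deny") -> str:
    """First matching rule wins. With no match the default applies: the
    implicit deny the text describes for Cisco (assumed here for both)."""
    ordered = auto_order(rules) if match_order == "auto" else list(rules)
    for rule in ordered:
        if matches(rule, src, dst, port):
            return rule.action
    return default

# Constructed sample ACL: a broad permit configured before a host-specific deny.
SAMPLE_RULES = [
    Rule(5, "permit", "129.102.0.0", "0.0.255.255"),
    Rule(10, "deny", "129.102.1.1", "0.0.0.0"),
]
```

With this rule set a packet from 129.102.1.1 is permitted under configuration order (the broad rule is reached first) but denied under automatic sorting (the host-specific rule sorts first), which is why the chosen match order must be checked when auditing an ACL.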
