10 access control list management – H3C Technologies H3C Intelligent Management Center User Manual

10 Access control list management
ACL Management allows you to view and configure existing ACLs on devices managed by IMC and to
import ACLs from those devices into ACL Management as templates or resources. Once you have created
ACL templates and resources, they can be used to create ACLs for deployment to other managed devices.
ACL Management also has a deployment wizard that allows you to quickly deploy ACLs and ACL uses to
managed devices. The deployment task management features allow you to monitor and manage the
deployment and removal of ACLs and ACL uses.
Rules are the core of an ACL. A rule contains the conditions that define whether traffic is forwarded or
filtered by a network device. It includes a rule number, the action taken by the rule (whether matching traffic
is permitted or denied), and a pattern that is compared against the contents of every packet to determine
whether or not the packet is forwarded. The pattern can be an IP or MAC address, or a range of addresses
with their masks, and can include a Layer 4 TCP or UDP port number; alternatively it can be a hexadecimal
string together with an offset value that identifies where in the packet pattern matching begins. Rules may
also identify the protocol or type of traffic the action applies to, along with protocol-specific configuration
options. Rules can also include time ranges and options specific to the protocol identified in the rule or
to the type of ACL and rule. A rule set is a collection of individual rules identified by the rule set name.
An ACL is a container for one or more rule sets. In ACL Management, an ACL includes the name or
number that identifies the ACL (the ACL Identifier), the type of ACL it is, and its name.
There are four types of ACLs that can be created in IMC, and correspondingly four types of templates:
• Basic: Allows you to create rules based on source IP addresses.
• Advanced: Allows you to create rules based on Layer 3 and Layer 4 information, including IP source
and destination addresses, TCP and UDP port information, and protocol-specific options.
• Link: Allows you to create rules based on Layer 2 information, including MAC source and destination
addresses, source VLAN and VLAN priority information, as well as the link layer protocol type.
• User-Defined: Enables you to define a hexadecimal pattern and mask and the offset in the packet
header where pattern matching begins. When the pattern is matched, the action specified in the rule
is applied.
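The rule structure described above (rule number, permit/deny action, address and port pattern, or a hexadecimal pattern with mask and offset for User-Defined ACLs) can be modelled directly. The following Python is an added illustration, not code from the manual or from IMC: it evaluates a small constructed rule set against sample packets. Ascending rule-number order with first-match semantics, and the field names, are assumptions of the example; the page does not state how a device orders rules or what happens when nothing matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
def _in_net(net: Optional[str], addr: Optional[str]) -> bool:
    """True when the rule leaves this field unset (wildcard) or addr lies inside net."""
    return net is None or (addr is not None and ipaddress.ip_address(addr) in ipaddress.ip_network(net))

@dataclass
class Rule:
    """One ACL rule as the page describes it: a rule number, an action and a pattern to match."""
    number: int
    action: str                     # "permit" or "deny"
    src: Optional[str] = None       # source network (Basic / Advanced), e.g. "192.0.2.0/24"
    dst: Optional[str] = None       # destination network (Advanced only)
    protocol: Optional[str] = None  # "tcp" or "udp" (Advanced only)
    dst_port: Optional[int] = None  # Layer 4 destination port (Advanced only)
    pattern: bytes = b""            # User-Defined: hexadecimal pattern to look for ...
    mask: bytes = b""               # ... the bits of it that count (empty = all bits) ...
    offset: int = 0                 # ... and the byte offset where matching begins

    def matches(self, pkt: dict) -> bool:
        if not _in_net(self.src, pkt.get("src")) or not _in_net(self.dst, pkt.get("dst")):
            return False
        if self.protocol and pkt.get("protocol") != self.protocol:
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        if self.pattern:
            window = pkt.get("raw", b"")[self.offset:self.offset + len(self.pattern)]
            if len(window) < len(self.pattern):
                return False  # packet too short to hold the pattern at that offset
            mask = self.mask or b"\xff" * len(self.pattern)  # compare only masked bits, byte by byte
            return all((w & m) == (p & m) for w, m, p in zip(window, mask, self.pattern))
        return True

def evaluate(rules: list[Rule], pkt: dict) -> Optional[str]:
    """Ascending rule-number order, first match decides (assumed; the page does not state this)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action
    return None  # nothing matched; the device's default action is not covered on this page

# Constructed rule set (not taken from the manual): deny Telnet into 10.0.0.0/8 from one
# subnet, permit that subnet otherwise, and deny ARP frames by EtherType at byte offset 12.
RULES = [
    Rule(0, "deny", src="192.0.2.0/24", dst="10.0.0.0/8", protocol="tcp", dst_port=23),
    Rule(5, "permit", src="192.0.2.0/24"),
    Rule(10, "deny", pattern=bytes.fromhex("0806"), mask=bytes.fromhex("ffff"), offset=12),
]
```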
An ACL template in ACL Management is a container for the configuration options required to create an
ACL and to maintain the template. An ACL template contains configuration information including the ACL
template name and description, the type of ACL it is, the rules that define what action is taken for each
packet examined by the ACL, protocol-specific configuration options, and the time ranges during which
the rules of the ACL are in effect. Once you have created an ACL template, you can import it into an ACL
resource. Once ACL resources are created, they can be deployed to devices managed by IMC that
support ACLs.
The ACL Assistant facilitates ACL template rule creation by modularizing some of the aspects of an ACL
rule – services, network address groups, and time ranges. With Services, you define one or more TCP or
UDP ports as a named service. With Net Address Groups, you can specify an IP address or range of IP
addresses and their subnet mask. With Time Ranges, you specify a fixed or recurring date and time
range. Once these are created using the Assistant, they become available for use when configuring rules
for templates.
ACL Management offers you a rich feature set for simplifying the task of managing ACLs and their rule
sets. Through the ACL Resource list, you have a single portal for viewing and managing all of the ACLs
that can be deployed to network devices. From this list, you can view, add, rename and delete ACLs.