Configuring ACLs
ACLs can be used to identify traffic. They are widely used in scenarios where traffic identification is desired, such as QoS and IPsec.
Keywords in ACL rules
IPsec uses ACLs to identify data flows. An ACL is a collection of ACL rules. Each ACL rule is a deny or permit statement. A permit statement identifies a data flow protected by IPsec, and a deny statement identifies a data flow that is not protected by IPsec. With IPsec, a packet is matched against the referenced ACL rules and processed according to the first rule that it matches:
Each ACL rule matches both the outbound traffic and the returned inbound traffic. For the outbound traffic, IPsec uses the source and destination IP addresses specified in the rule to match the source and destination IP addresses of the traffic. For the returned inbound traffic, IPsec uses the destination IP address and the source IP address specified in the rule to match the source IP address and the destination IP address of the traffic.
In the outbound direction, if a permit statement is matched, IPsec considers that the packet requires protection and continues to process it. If a deny statement is matched or no match is found, IPsec considers that the packet does not require protection and delivers it to the next function module.
In the inbound direction:
Non-IPsec packets that match a permit statement are dropped.
IPsec packets that match a permit statement and are destined for the device itself are de-encapsulated and matched against the rule again. Only those that match a permit statement are processed by IPsec.
When you configure an ACL for IPsec, follow these guidelines:
Permit only data flows that need to be protected and use the any keyword with caution. With the any keyword specified in a permit statement, all outbound traffic matching the permit statement will be protected by IPsec and all inbound IPsec packets matching the permit statement will be received and processed, but all inbound non-IPsec packets matching it will be dropped. As a result, all inbound traffic that does not need IPsec protection will be dropped.
Avoid statement conflicts in the scope of IPsec policy groups. When creating a deny statement, be careful with its matching scope and its matching order relative to permit statements. The policies in an IPsec policy group have different match priorities, and ACL rule conflicts between them can cause packets to be handled incorrectly. For example, when configuring a permit statement for an IPsec policy to protect an outbound traffic flow, make sure the flow does not match a deny statement in a higher-priority IPsec policy. Otherwise, the packets will be sent out as normal packets, and if they match a permit statement at the receiving end, they will be dropped by IPsec.
An ACL can be specified for only one IPsec policy. ACLs referenced by IPsec policies cannot be used by other services.
You must create a mirror image ACL rule at the remote end for each ACL rule created at the local end. Otherwise, IPsec may protect traffic in only one direction.
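The first-match semantics and the direction-dependent matching described above can be modelled in a few lines. The following Python simulation is an added example, not code from the configuration guide or from the switch; the ACL (one deny statement for a single host ahead of a permit statement for the subnet pair) and all addresses are constructed. The inbound path implements exactly the sequence the text gives: the rule's source and destination selectors are compared with the packet's destination and source, a clear-text packet hitting a permit statement is dropped, and an IPsec packet hitting a permit statement (assumed destined for this device) is de-encapsulated and its inner packet matched again.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One ACL rule: a permit or deny statement over a source/destination prefix pair."""
    action: str   # "permit" or "deny"
    src: str      # source prefix, e.g. "10.1.1.0/24"
    dst: str      # destination prefix

    def matches(self, src_ip, dst_ip):
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


def first_match(acl, src_ip, dst_ip):
    """First-match semantics: return the first rule whose selectors match, or None."""
    for rule in acl:
        if rule.matches(src_ip, dst_ip):
            return rule
    return None


def outbound(acl, src_ip, dst_ip):
    """Outbound: a permit match means the packet needs protection; a deny match or
    no match means IPsec hands the packet to the next function module."""
    rule = first_match(acl, src_ip, dst_ip)
    return "protect" if rule is not None and rule.action == "permit" else "bypass"


def inbound(acl, src_ip, dst_ip, is_ipsec, inner=None):
    """Inbound (returned flow): the rule's source selector is compared with the
    packet destination and the rule's destination selector with the packet source.
    `inner` is the (src, dst) of the de-encapsulated packet for IPsec packets."""
    rule = first_match(acl, dst_ip, src_ip)  # swapped on purpose
    if rule is None or rule.action == "deny":
        # IPsec does not claim the packet; it goes to the next function module.
        return "bypass"
    if not is_ipsec:
        # Clear-text packet on a flow that should have been protected: dropped.
        return "drop"
    # IPsec packet matching a permit statement (assumed destined for this device):
    # de-encapsulate and match the inner packet against the ACL again.
    inner_src, inner_dst = inner
    inner_rule = first_match(acl, inner_dst, inner_src)
    if inner_rule is not None and inner_rule.action == "permit":
        return "process"
    return "reject"  # inner packet matched no permit statement: not processed by IPsec


# Constructed sample ACL: exclude one host, then protect the whole subnet pair.
# Order matters: the deny statement must precede the permit statement it narrows.
ACL = [
    Rule("deny", "10.1.1.10/32", "10.1.2.0/24"),
    Rule("permit", "10.1.1.0/24", "10.1.2.0/24"),
]

if __name__ == "__main__":
    print("outbound 10.1.1.5 -> 10.1.2.7:", outbound(ACL, "10.1.1.5", "10.1.2.7"))
    print("outbound 10.1.1.10 -> 10.1.2.7:", outbound(ACL, "10.1.1.10", "10.1.2.7"))
    print("inbound clear 10.1.2.7 -> 10.1.1.5:", inbound(ACL, "10.1.2.7", "10.1.1.5", False))
    print("inbound IPsec, inner 10.1.2.7 -> 10.1.1.10:",
          inbound(ACL, "10.1.2.7", "10.1.1.1", True, inner=("10.1.2.7", "10.1.1.10")))
```

The last case shows why the second match after de-encapsulation matters: a peer that encapsulates traffic for the excluded host still has its packets rejected here, because the inner packet hits the deny statement first. The same model makes the any-keyword caveat concrete: a permit statement with 0.0.0.0/0 on both selectors turns every inbound clear-text packet into a "drop".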
Mirror image ACLs
To make sure that SAs can be set up and that IPsec-protected traffic is processed correctly at the remote peer, create on the remote peer a mirror image ACL rule for each ACL rule created at the local peer.
If the ACL rules on peers do not form mirror images of each other, SAs can be set up only when both of the following requirements are met:
The range specified by an ACL rule on one peer is covered by its counterpart ACL rule on the other peer.
The peer with the narrower rule initiates SA negotiation. If a wider ACL rule is used by the SA initiator, the negotiation request may be rejected because the matching traffic is beyond the scope of the responder.
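The mirror-image requirement and the two conditions for non-mirrored rules can both be checked mechanically before the configuration is pushed. The following Python helper is an added example, not code from the configuration guide or from the switch; the peer ACLs and prefixes are constructed. It mirrors a rule by swapping its source and destination selectors, reports local rules that have no mirror on the remote peer, and tests whether an initiator's rule, seen from the responder's side, lies inside the responder's rule (the case the text says can be negotiated; the reverse case is the one whose request may be rejected).

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    """One ACL rule: a permit or deny statement over a source/destination prefix pair."""
    action: str   # "permit" or "deny"
    src: str      # source prefix
    dst: str      # destination prefix


def mirror(rule):
    """Mirror image of a rule: same action, source and destination selectors swapped."""
    return Rule(rule.action, rule.dst, rule.src)


def missing_mirrors(local_acl, remote_acl):
    """Local rules whose mirror image is absent from the remote ACL.
    An empty list means every local flow has its counterpart on the remote peer."""
    remote = set(remote_acl)
    return [r for r in local_acl if mirror(r) not in remote]


def within_responder_scope(initiator_rule, responder_rule):
    """True when the flow the initiator proposes, viewed from the responder's side,
    is covered by the responder's rule: same action, and both mirrored prefixes are
    subnets of the responder's prefixes. This is the 'narrower peer initiates' case."""
    seen_by_responder = mirror(initiator_rule)
    return (seen_by_responder.action == responder_rule.action
            and ip_network(seen_by_responder.src).subnet_of(ip_network(responder_rule.src))
            and ip_network(seen_by_responder.dst).subnet_of(ip_network(responder_rule.dst)))


# Constructed peers. LOCAL_ACL and REMOTE_ACL are exact mirror images.
LOCAL_ACL = [
    Rule("deny", "10.1.1.10/32", "10.1.2.0/24"),
    Rule("permit", "10.1.1.0/24", "10.1.2.0/24"),
]
REMOTE_ACL = [
    Rule("deny", "10.1.2.0/24", "10.1.1.10/32"),
    Rule("permit", "10.1.2.0/24", "10.1.1.0/24"),
]

# Constructed non-mirrored pair: peer A's rule is narrower than peer B's.
A_NARROW = Rule("permit", "10.1.1.0/24", "10.1.2.0/24")
B_WIDE = Rule("permit", "10.1.0.0/16", "10.1.0.0/16")

if __name__ == "__main__":
    print("missing mirrors:", missing_mirrors(LOCAL_ACL, REMOTE_ACL))
    print("A (narrow) initiates:", within_responder_scope(A_NARROW, B_WIDE))
    print("B (wide) initiates:", within_responder_scope(B_WIDE, A_NARROW))
```

Running the check against both peers' exported ACLs before enabling the policy catches the one-direction-only protection the guideline warns about; the second function explains why the narrower peer must be the one that initiates when the rules are not mirror images.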
Protection modes
The switch supports IPsec for data flows in standard mode. In standard mode, one tunnel protects one data flow. The data flow permitted by an ACL rule is protected by one tunnel that is established solely for it.
For more information about ACL configuration, see ACL and QoS Configuration Guide.
NOTE: To use IPsec in combination with QoS, make sure IPsec's ACL classification rules match the QoS classification rules. If the rules do not match, QoS may classify the packets of one IPsec SA to different queues, causing packets to be sent out of order. When the anti-replay function is enabled, IPsec will discard the packets beyond the anti-replay window in the inbound direction, resulting in packet loss. For more information about QoS classification rules, see ACL and QoS Configuration Guide.