Configuring An Acl - HP MSR2000 Configuration Manual

Configuring an ACL

IPsec uses ACLs to identify the traffic to be protected. To use IPsec to protect VPN traffic, specify the VPN
parameters in the ACL rules.
Keywords in ACL rules
An ACL is a collection of ACL rules. Each ACL rule is a deny or permit statement. A permit statement
identifies a data flow protected by IPsec, and a deny statement identifies a data flow that is not protected
by IPsec. With IPsec, a packet is matched against the referenced ACL rules and processed according to
the first rule that it matches:
Each ACL rule matches both the outbound traffic and the returned inbound traffic. Suppose there is
•
a rule rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255. This rule matches
both traffic from 1.1.1.0 to 2.2.2.0 and traffic from 2.2.2.0 to 1.1.1.0.
In the outbound direction, if a permit statement is matched, IPsec considers that the packet requires
•
protection and continues to process it. If a deny statement is matched or no match is found, IPsec
considers that the packet does not require protection and delivers it to the next function module.
In the inbound direction:
•
Non-IPsec packets that match a permit statement are dropped.
IPsec packets that match a permit statement and are destined for the device itself are
de-encapsulated and matched against the rule again. Only those that match a permit statement
are processed by IPsec.
When defining ACL rules for IPsec, follow these guidelines:
Permit only data flows that need to be protected and use the any keyword with caution. With the
•
any keyword specified in a permit statement, all outbound traffic matching the permit statement will
be protected by IPsec and all inbound IPsec packets matching the permit statement will be received
and processed, but all inbound non-IPsec packets will be dropped. This will cause all the inbound
traffic that does not need IPsec protection to be dropped.
Avoid statement conflicts in the scope of IPsec policy entries. When creating a deny statement, be
•
careful with its matching scope and matching order relative to permit statements. The policy entries
in an IPsec policy have different match priorities. ACL rule conflicts between them are prone to
cause mistreatment of packets. For example, when configuring a permit statement for an IPsec
policy entry to protect an outbound traffic flow, you must avoid the situation that the traffic flow
matches a deny statement in a higher priority IPsec policy entry. Otherwise, the packets will be sent
out as normal packets. If they match a permit statement at the receiving end, they will be dropped
by IPsec.
The following example shows how an improper statement causes unexpected packet dropping. Only the
ACL-related configurations are presented.
Assume Router A connects subnet 1.1.2.0/24 and Router B connects subnet 3.3.3.0/24, and the IPsec
policy configurations on Router A and Router B are as follows:
IPsec configurations on Router A:
•
acl number 3000
rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255
rule 1 deny ip
acl number 3001
rule 0 permit ip source 1.1.2.0 0.0.0.255 destination 3.3.3.0 0.0.0.255
rule 1 deny ip
143