
ACL access Control list (1)

2025-01-15 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

ACL (access control list): packet filtering performed by a router or layer 3 switch, i.e. a packet-filtering firewall. Types of ACL:

Standard access control list

Filter packets based on source IP address

The access control list number of a standard access control list is 1-99

Extended access control list

Filter packets based on source IP address, destination IP address, specified protocol, port, and flag

The access control list number of an extended access control list is 100-199

Named access control list

Named access control lists let a name replace the list number when using standard and extended access control lists

Access control lists are filtered based on layer 3 (IP) and layer 4 (port, protocol)

ACL matching rule: entries are checked one by one from top to bottom and the first match wins; if no entry matches, the packet is implicitly rejected

Whitelist:

Allow 1.2

Allow 1.3

Reject all (implicit, does not need to be written)

Blacklist:

Reject 1.2

Reject 1.3

Allow all (must be written explicitly, otherwise the implicit deny rejects everything)

Configuration of standard access control lists

Create an ACL:

Router(config)# access-list access-list-number {permit | deny} source [source-wildcard]

permit lets matching packets pass, deny rejects them; source [source-wildcard] selects the source IP addresses the entry controls

Delete an ACL:

Router(config)# no access-list access-list-number

Application example:

Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255

Router(config)# access-list 1 permit 192.168.2.2 0.0.0.0

Allow traffic from 192.168.1.0/24 and from host 192.168.2.2 to pass through

Implied reject statement at the end of every ACL:

Router(config)# access-list 1 deny 0.0.0.0 255.255.255.255

Lab: configuration of Standard ACL

Experimental topology diagram

Configure the switch interface

conf t

no ip routing

int f1/2

speed 100

dup full

Configure the router interfaces

conf t

int f0/0

ip add 192.168.10.1 255.255.255.0

no shut

int f0/1

ip add 192.168.20.1 255.255.255.0

no shut

Configure the PC IP addresses (address followed by gateway)

PC1 ip 192.168.10.2 192.168.10.1

PC2 ip 192.168.10.3 192.168.10.1

PC3 ip 192.168.20.2 192.168.20.1

Test the connectivity of each PC

Ping 192.168.10.2

Ping 192.168.10.3

Define the rules on R1 in global configuration mode

access-list 1 deny host 192.168.10.2

do show access-list

access-list 1 permit any

int f0/0

ip access-group 1 in

Now verify that the experimental requirements are met.

Ping PC3 from PC1 and from PC2: PC2 can reach PC3, but PC1 cannot.

PC1 > ping 192.168.20.2

PC2 > ping 192.168.20.2
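To make the matching rule concrete (top-down first match, wildcard masks, implicit deny), here is an added Python simulation of standard ACL evaluation; it is not part of the original article. The two sample ACLs are constructed from the whitelist example and the lab's blacklist above, and the parser only understands the standard-ACL syntax shown on this page.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit means 'must match', a 1 bit means 'don't care'.
    So '192.168.2.2 0.0.0.0' matches one host, '0.0.0.0 255.255.255.255' matches any."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def parse_standard_acl(lines):
    """Parse 'access-list <1-99> {permit|deny} <source>' lines into (action, base, wildcard)."""
    entries = []
    for line in lines:
        tokens = line.split()
        action, source = tokens[2], tokens[3:]
        if source[0] == "any":                  # any == 0.0.0.0 255.255.255.255
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif source[0] == "host":               # host x == x 0.0.0.0
            base, wildcard = source[1], "0.0.0.0"
        else:                                   # explicit wildcard, or omitted (defaults to 0.0.0.0)
            base = source[0]
            wildcard = source[1] if len(source) > 1 else "0.0.0.0"
        entries.append((action, base, wildcard))
    return entries

def evaluate_standard_acl(entries, src):
    """Top-down, first match wins. Returns (action, 1-based entry index);
    index None means the implicit 'deny 0.0.0.0 255.255.255.255' at the end applied."""
    for index, (action, base, wildcard) in enumerate(entries, start=1):
        if wildcard_match(src, base, wildcard):
            return action, index
    return "deny", None

# Constructed sample ACLs mirroring the page: the lab's blacklist and the whitelist example.
LAB_ACL = ["access-list 1 deny host 192.168.10.2",
           "access-list 1 permit any"]
WHITELIST_ACL = ["access-list 1 permit 192.168.1.0 0.0.0.255",
                 "access-list 1 permit 192.168.2.2 0.0.0.0"]

if __name__ == "__main__":
    lab = parse_standard_acl(LAB_ACL)
    for pc in ("192.168.10.2", "192.168.10.3"):          # PC1 is denied, PC2 permitted
        print(pc, evaluate_standard_acl(lab, pc))
    white = parse_standard_acl(WHITELIST_ACL)
    for host in ("192.168.1.77", "192.168.2.2", "192.168.2.3"):  # last one hits implicit deny
        print(host, evaluate_standard_acl(white, host))
    # Order matters: with 'permit any' first, the deny line is never reached (shadowed).
    print("reversed:", evaluate_standard_acl(list(reversed(lab)), "192.168.10.2"))
```

The reversed case shows why the blacklist's "permit any" must come last: placed first, it shadows the deny entry and PC1 is permitted after all.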
