
Access Control list (ACL) for Cisco

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

An access control list (ACL) is a list of rules applied to a router interface that tells the router which packets may be accepted and which must be denied. The basic principle is as follows: an ACL uses packet filtering. The router reads the layer 3 and layer 4 information of the OSI seven-layer model (source address, destination address, source port, destination port, and so on) and filters each packet according to the predefined rules, which is how access control is achieved.

ACLs can be divided into two basic types:

Standard ACL: checks only the source address of the packet to decide whether to permit or deny forwarding it. It uses a number between 1 and 99 as the list number.

Extended ACL: checks not only the source and destination addresses of the packet but also the specific protocol, port numbers and other parameters. It uses a number between 100 and 199 as the list number.

An ACL is a collection of rules applied to an interface of a router, so for a router interface an ACL has two possible directions:

Outbound (out): packets that have already been processed by the router and are leaving the interface. Order of checks: the routing table is consulted first, then the ACL.

Inbound (in): packets that have just arrived at the interface and are about to be processed by the router. Order of checks: the ACL is checked first, then the routing table is queried.

Matching rules:

If the packet matches the first rule, the router goes no further: it permits or denies the packet as that rule says.

If the packet does not match the first rule, the router checks down the list until a rule matches. If no rule matches, the router discards the packet by default (the implicit deny at the end of every ACL).

It follows from these rules that a packet is either handled by the first explicit rule it matches or discarded by the implicit deny. As shown below:

Example 1: standard access control list

ROUTE(config)# access-list 1 deny 192.168.3.0 0.0.0.255
ROUTE(config)# int f1/0
! apply the list in the inbound direction
ROUTE(config-if)# ip access-group 1 in

View the ACL:

ROUTE# sh ip access-lists
Standard IP access list 1
10 deny 192.168.3.0, wildcard bits 0.0.0.255

C:\Users\win7> ping 172.16.2.1

Ping 172.16.2.1 has 32 bytes of data:

Reply from 192.168.3.254: the target host cannot be reached.

Reply from 192.168.3.254: the target host cannot be reached.

Reply from 192.168.3.254: the target host cannot be reached.

Reply from 192.168.3.254: the target host cannot be reached.

Remove the ACL from the interface:

ROUTE(config-if)# no ip access-group 1 in

After the ACL is removed, the ping succeeds:

C:\Users\win7> ping 172.16.2.1

Ping 172.16.2.1 has 32 bytes of data:

Reply from 172.16.2.1: byte = 32 time = 127ms TTL=252

Reply from 172.16.2.1: byte = 32 time = 97ms TTL=252

Reply from 172.16.2.1: byte = 32 time = 78ms TTL=252

Reply from 172.16.2.1: byte = 32 time = 84ms TTL=252

Delete the ACL:

ROUTE(config)# no access-list 1

Allow only one host:

ROUTE(config)# access-list 2 permit host 192.168.3.2
ROUTE(config)# int f1/0
ROUTE(config-if)# ip access-group 2 in

Allow all:

ROUTE(config)# access-list 2 permit any

Or

ROUTE(config)# access-list 2 permit 0.0.0.0 255.255.255.255

Example 2: extended access control list

Sw1(config)# access-list 101 deny tcp any host 172.16.1.1 eq www
Sw1(config)# int vlan 2
Sw1(config-if)# ip access-group 101 in

Sw1# sh access-lists
Extended IP access list 101
10 deny tcp any host 172.16.1.1 eq www (24 matches)

Sw1# sh ip int vlan 2

Vlan2 is up, line protocol is up

Internet address is 172.16.2.254/24

Broadcast address is 255.255.255.255

Address determined by setup command

MTU is 1500 bytes

Helper address is not set

Directed broadcast forwarding is disabled

Multicast reserved groups joined: 224.0.0.5 224.0.0.6

Outgoing access list is not set

Inbound access list is 101

...

The client can no longer access the web server on 172.16.1.1 normally.

If you remove the ACL from the interface, access works again:

Sw1(config-if)# int vlan 2
Sw1(config-if)# no ip access-group 101 in

Example 3: named access control list

Sw1(config)# ip access-list extended name
Sw1(config-ext-nacl)# deny tcp any host 172.16.1.1 eq www
Sw1(config)# int vlan 2
Sw1(config-if)# ip access-group name in

Sw1# sh ip access-lists name
Extended IP access list name
10 deny tcp any host 172.16.1.1 eq www

Once the rule is in place the client can no longer access the server; after the rule is removed, access is normal again. Named ACLs also allow individual entries to be removed or inserted with a sequence number (the wildcard for a /24 is 0.0.0.255; the page's original text had a truncated "0.0.255"):

Sw1(config)# ip access-list extended name
Sw1(config-ext-nacl)# no deny tcp any host 172.16.1.1 eq www
Sw1(config-ext-nacl)# 11 deny tcp 172.16.2.0 0.0.0.255 host 172.16.1.1 eq www
Sw1(config-ext-nacl)# 12 permit tcp 172.16.1.0 0.0.0.255 host 172.16.1.1 eq www

Sw1# sh ip access-lists
Extended IP access list name
11 deny tcp 172.16.2.0 0.0.0.255 host 172.16.1.1 eq www (36 matches)
12 permit tcp 172.16.1.0 0.0.0.255 host 172.16.1.1 eq www

Note:

There can be only one ACL per direction on a router interface, that is, at most two ACLs per interface: one in the outbound direction and one in the inbound direction.

An ACL filters only transit traffic; it does not apply to traffic generated by the router or Layer 3 switch itself.

Apply a standard ACL as close to the destination as possible, and an extended ACL as close to the source as possible.

To modify a standard or extended numbered ACL you must delete the entire ACL and re-create it, whereas a named ACL can be changed by adding or removing individual statements.
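The matching rules and the three examples above can be checked against a small model of how the router walks an ACL. The following is an added example, not code from the original article: it transcribes the page's lists (1, 2, 101 and the named list) into rules and evaluates constructed packets against them, showing wildcard-mask matching, first-match semantics and the implicit deny at the end of every list. Protocol names, field names and the packet dictionaries are assumptions of this model.

```python
# Added example (not from the original article): a minimal model of Cisco ACL
# evaluation fed with the page's own lists. "eq www" is TCP port 80.
import ipaddress
from dataclasses import dataclass
from typing import Optional

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, network, wildcard):
    # Wildcard bit 1 = "don't care", 0 = "must match". "host X" is X 0.0.0.0;
    # "any" is 0.0.0.0 255.255.255.255 (every bit is don't-care).
    care = ~ip_int(wildcard)
    return (ip_int(addr) & care) == (ip_int(network) & care)

@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    src: str
    src_wc: str
    proto: str = "ip"                # "ip" matches any protocol
    dst: str = "0.0.0.0"             # default destination is "any"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None      # destination port, e.g. "eq www" -> 80

def evaluate(acl, pkt):
    """Walk the list top-down; the first matching rule decides.
    No match -> implicit deny (the router drops the packet)."""
    for seq, r in acl:
        if r.proto != "ip" and r.proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], r.src, r.src_wc):
            continue
        if not wildcard_match(pkt["dst"], r.dst, r.dst_wc):
            continue
        if r.dport is not None and pkt.get("dport") != r.dport:
            continue
        return r.action, seq
    return "deny", None              # implicit deny has no sequence number

ANY = ("0.0.0.0", "255.255.255.255")
# The page's lists transcribed as (sequence number, rule).
ACL1 = [(10, Rule("deny", "192.168.3.0", "0.0.0.255"))]   # no permit: blocks everything
ACL2 = [(10, Rule("permit", "192.168.3.2", "0.0.0.0")), (20, Rule("permit", *ANY))]
ACL101 = [(10, Rule("deny", *ANY, "tcp", "172.16.1.1", "0.0.0.0", 80))]
NAMED = [(11, Rule("deny", "172.16.2.0", "0.0.0.255", "tcp", "172.16.1.1", "0.0.0.0", 80)),
         (12, Rule("permit", "172.16.1.0", "0.0.0.255", "tcp", "172.16.1.1", "0.0.0.0", 80))]
```

Note that list 1 as written on the page denies every inbound packet on f1/0, not only 192.168.3.0/24, because nothing after the deny permits the rest; list 101 likewise drops all non-matching traffic on vlan 2.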
