2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
ACL (Access Control List)
Theory:
While learning networking we focus on connectivity, that is, on making hosts able to reach each other. In a real environment, however, the administrator faces the opposite problem as well: connections that should not be allowed must be denied, while normal access continues to work. This is what the ACL (access control list) was created for. Let's look at how an ACL works.
1. An ACL uses packet filtering: the router reads the layer 3 and layer 4 header fields of each packet and filters it according to predefined rules, which is how access control is achieved.
2. Three types of ACL:
Standard ACL (permits or denies packets based only on the source IP address of the packet; list numbers 1-99)
Extended ACL (permits or denies packets based on source IP address, destination IP address, protocol, port and flags; list numbers 100-199)
Named ACL (lets a name be used instead of a list number for both standard and extended ACLs)
3. How an ACL works: an ACL is an ordered set of rules that is applied to an interface of the router, in either the "in" or the "out" direction of that interface. Once an ACL is applied, the router checks each packet against the rules in sequence. If the first rule matches, the packet is handled by that rule immediately and no further rules are checked. If it does not match, the router goes on to the next rule, and so on. If no rule matches by the end of the list, the router discards the packet according to the default rule (the implicit deny). In short: a packet is either permitted or denied.
Let's try this in an experiment: here we configure a named ACL.
1. First, build the topology in GNS3. According to the figure below, the ACL requirement is that only C1 and C2 are allowed to ping the external host C4, while C3 and C4 must not be able to communicate with each other.
2. Set the IP addresses of the four PCs on the VPCS virtual hosts, as shown in the following figure:
3. Next, to make the configuration easier to do from one place, use Xshell to connect remotely to the switch (sw) and to R2, then configure them as shown in the following figure:
4. Next, configure router R2, as shown in the following figure:
5. At this point the port's IP address, speed and duplex mode have been configured. Next we configure the ACL rules, as shown in the following figure:
6. Next, we add the rule that blocks communication between PC3 and the external PC4, and apply the configured access control list to the interface, as shown in the following figure:
7. Finally, ping from the VPCS hosts to verify the result, as shown in the following figure:
The experiment here is successful!
Summary:
1. Looking at the ACL entries in the figure above together with how the router processes an ACL, we can see that the order of the rules matters. (The order in which the entries are evaluated is determined by their sequence numbers; if you later want to insert another entry between existing ones, choose its sequence number according to where it needs to sit.)
2. We need to be familiar with the relevant protocols, such as TCP, IP, UDP and ICMP.
3. Finally, the configured access list must be applied to an interface; note that in this experiment it is applied in the IN direction.
4. Note that the keyword HOST is followed by a single, specific IP address; otherwise an IP address must be followed by a wildcard mask (the "reverse mask").
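The sequential first-match evaluation described in "How an ACL works" and in summary points 1 and 4 can be modelled in a few lines. The following is an added example and not part of the original article or of any router software; it simulates a standard (source-address) ACL with Cisco-style wildcard masks, sequence numbers and the implicit deny, using constructed addresses for C1, C2 and C3.

```python
import ipaddress

# Constructed example: a minimal model of how a router evaluates a standard ACL.
# Addresses below are made up for illustration; the article's figures are not reproduced.


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask semantics: a 0 bit must match, a 1 bit is 'don't care'.
    'host X' is therefore the same as 'X 0.0.0.0', and 'any' is '0.0.0.0 255.255.255.255'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl, src: str):
    """Walk the entries in sequence-number order and return (action, seq) of the
    first match. If nothing matches, the implicit 'deny any' at the end applies,
    reported here as ('deny', None)."""
    for seq, action, base, wildcard in sorted(acl):
        if wildcard_match(src, base, wildcard):
            return action, seq
    return "deny", None


def with_entry(acl, seq: int, action: str, base: str, wildcard: str):
    """Return a copy of the ACL with one entry inserted at the given sequence number,
    which is how an entry is slotted between existing ones in a named ACL."""
    return acl + [(seq, action, base, wildcard)]


# Named-ACL style entries: (sequence number, action, address, wildcard mask).
# C1 and C2 are permitted, C3 is explicitly denied; everything else hits the implicit deny.
ACL = [
    (10, "permit", "192.168.10.1", "0.0.0.0"),  # host C1 (constructed address)
    (20, "permit", "192.168.10.2", "0.0.0.0"),  # host C2 (constructed address)
    (30, "deny", "192.168.10.3", "0.0.0.0"),    # host C3 (constructed address)
]

if __name__ == "__main__":
    for src in ("192.168.10.1", "192.168.10.3", "192.168.10.9"):
        print(src, evaluate(ACL, src))
    # Order matters: a subnet-wide deny inserted at sequence 5 shadows the permits.
    shadowed = with_entry(ACL, 5, "deny", "192.168.10.0", "0.0.0.255")
    print("C1 with seq 5 deny in front:", evaluate(shadowed, "192.168.10.1"))
```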
© 2024 shulou.com SLNews company. All rights reserved.