2025-02-14 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/03 Report
ACL (Access Control List) Overview
(1) ACL stands for Access Control List.
(2) Basic principle: an ACL uses packet-filtering technology. The router reads the layer 3 and layer 4 header information of each packet (source address, destination address, protocol, port number, etc.) and filters the packet according to pre-defined rules, thereby achieving access control.
(3) Purpose of ACLs: to limit network traffic and improve network performance, to provide a means of controlling communication flows, and to provide a basic security mechanism for network access.
(4) Function: the nodes in a network are divided into resource nodes and user nodes. A resource node provides services or data; a user node accesses the services and data provided by resource nodes. The main function of an ACL is, on the one hand, to protect resource nodes by preventing unauthorised users from reaching them and, on the other hand, to restrict which resource nodes specific user nodes may access.
(5) Matching order of an ACL
A. Statements are checked in the order in which they appear in the access list. As soon as a matching condition is found, matching ends and the remaining statements are not checked.
B. If no statement matches, all traffic is denied by default: every ACL ends with an invisible "deny all" statement.
Commonly used port numbers and their functions

Port   Protocol   Description
21     FTP        control port opened by the FTP server
23     TELNET     remote login; used to remotely control and manage the target computer
25     SMTP       port opened by the SMTP server for sending mail
80     HTTP       Hypertext Transfer Protocol
110    POP3       receiving mail
69     TFTP       Trivial File Transfer Protocol
111    RPC        Remote Procedure Call
123    NTP        Network Time Protocol
443    HTTPS
143    IMAP
20     SSH
3389              Remote Desktop
67     DHCP
68     DHCP

Access Control List (ACL)
(1) Reads the layer 3 and layer 4 header information of each packet.
(2) Filters packets according to predefined rules.
(3) An access control list uses rules defined by these four elements: source address, destination address, source port and destination port.
Direction in which an access control list is applied to an interface
(1) Outbound (out): packets that have already been processed by the router and are leaving the router interface.
(2) Inbound (in): packets that have arrived at the router interface and are about to be processed by the router.
The direction in which the list is applied to the interface is determined by the direction of the data flow.
Processing flow of an access control list
Standard access control list
(1) Filters packets based on the source IP address only.
(2) Standard access control lists use list numbers 1 to 99.
Create an ACL:
Router(config)# access-list access-list-number {permit | deny} source [source-wildcard]
(permit allows matching packets to pass; deny drops them)
Delete an ACL:
Router(config)# no access-list access-list-number
Application instance
Allow traffic from 192.168.1.0/24 and from host 192.168.2.2 to pass:
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 1 permit 192.168.2.2 0.0.0.0
Implied deny statement (present at the end of every ACL even when not written):
Router(config)# access-list 1 deny 0.0.0.0 255.255.255.255
Keywords:
host: a single host address (equivalent to the wildcard 0.0.0.0)
any: all addresses (equivalent to 0.0.0.0 255.255.255.255)
Apply the ACL to an interface:
Router(config-if)# ip access-group access-list-number {in | out}
Remove the ACL from the interface:
Router(config-if)# no ip access-group access-list-number {in | out}
Extended access control list
(1) Filters packets based on source IP address, destination IP address, protocol, port number and flags.
(2) Extended access control lists use list numbers 100 to 199.
Create an ACL:
Router(config)# access-list access-list-number {permit | deny} protocol {source source-wildcard destination destination-wildcard} [operator operand]
Delete an ACL:
Router(config)# no access-list access-list-number
Apply the ACL to an interface:
Router(config-if)# ip access-group access-list-number {in | out}
Remove the ACL from the interface:
Router(config-if)# no ip access-group access-list-number {in | out}
Application instances (access-list entries are entered in global configuration mode):
Router(config)# access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Router(config)# access-list 101 deny ip any any

Router(config)# access-list 101 deny tcp 192.168.1.0 0.0.0.255 host 192.168.2.2 eq 21
Router(config)# access-list 101 permit ip any any

Router(config)# access-list 101 deny icmp 192.168.1.0 0.0.0.255 host 192.168.2.2 echo
Router(config)# access-list 101 permit ip any any
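To make the matching order from (5) above and the extended-ACL instances in this section concrete, here is an added Python simulator that is not from the original article: it parses Cisco-style access-list lines (wildcard masks, host/any, eq port, ICMP type) and evaluates a packet against them with first-match semantics and the implicit final deny. Function and variable names are my own.

```python
import ipaddress

def _wc_match(addr, base, wildcard):
    # Cisco wildcard mask: a 1 bit means "ignore this bit", a 0 bit must match exactly.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def _parse_addr(tok, i):
    # Consume one address spec: 'any' | 'host A' | 'A WILDCARD'; returns (base, wildcard, next index).
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2

def parse_acl(lines):
    # Parse "access-list N ..." lines: numbers 1-99 are standard ACLs, 100-199 extended ACLs.
    entries = []
    for line in lines:
        tok = line.split()
        number, action, port, icmp = int(tok[1]), tok[2], None, None
        if number <= 99:                          # standard ACL: filters on the source address only
            proto = "ip"
            src, swc, _ = _parse_addr(tok, 3)
            dst, dwc = "0.0.0.0", "255.255.255.255"
        else:                                     # extended ACL: protocol, source, destination, qualifier
            proto = tok[3]
            src, swc, i = _parse_addr(tok, 4)
            dst, dwc, i = _parse_addr(tok, i)
            if i < len(tok) and tok[i] == "eq":
                port = int(tok[i + 1])            # e.g. "eq 21"
            elif i < len(tok) and proto == "icmp":
                icmp = tok[i]                     # e.g. "echo"
        entries.append(dict(action=action, proto=proto, src=(src, swc),
                            dst=(dst, dwc), port=port, icmp=icmp))
    return entries

def evaluate(entries, src, dst, proto="ip", dport=None, icmp=None):
    # Walk the list top-down; the first matching entry decides and later entries are never checked.
    for e in entries:
        proto_ok = e["proto"] in ("ip", proto)
        addr_ok = _wc_match(src, *e["src"]) and _wc_match(dst, *e["dst"])
        qual_ok = e["port"] in (None, dport) and e["icmp"] in (None, icmp)
        if proto_ok and addr_ok and qual_ok:
            return e["action"]
    return "deny"  # the invisible "deny any" at the end of every ACL

# Constructed sample: the page's second extended-ACL instance (block FTP control to 192.168.2.2).
ACL_101 = parse_acl(["access-list 101 deny tcp 192.168.1.0 0.0.0.255 host 192.168.2.2 eq 21",
                     "access-list 101 permit ip any any"])
```

Swapping the two lines of ACL_101 makes the "permit ip any any" shadow the deny, which is the ordering pitfall described in (5).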
Named access control list
(1) Named access control lists allow a name to be used instead of a list number for both standard and extended access control lists.
Create an ACL:
Router(config)# ip access-list {standard | extended} access-list-name
(standard creates a standard named ACL; extended creates an extended named ACL)
Configure a standard named ACL:
Router(config-std-nacl)# [sequence-number] {permit | deny} source [source-wildcard]
Standard named ACL instance
Only traffic from host 192.168.1.1/24 is allowed to pass:
Router(config)# ip access-list standard cisco
Router(config-std-nacl)# permit host 192.168.1.1
Router(config-std-nacl)# deny any
Modify the ACL so that traffic from host 192.168.2.1/24 is also allowed to pass:
Router(config)# ip access-list standard cisco
Router(config-std-nacl)# 15 permit host 192.168.2.1
(adds an ACL statement with sequence number 15)
Configure an extended named ACL:
Router(config-ext-nacl)# [sequence-number] {permit | deny} protocol {source source-wildcard destination destination-wildcard} [operator operand]
Extended named ACL instance:
Router(config)# ip access-list extended cisco
Router(config-ext-nacl)# deny tcp 192.168.1.0 0.0.0.255 host 192.168.2.2 eq 21
Router(config-ext-nacl)# permit ip any any
The sequence number determines the position of a statement within the ACL.
Delete the entire ACL:
Router(config)# no ip access-list {standard | extended} access-list-name
Delete a single ACL statement from the list, either by sequence number or by repeating the statement:
no sequence-number
no ACL-statement
Example: create the ACL
Router(config)# ip access-list standard cisco
Router(config-std-nacl)# permit host 192.168.1.1
Router(config-std-nacl)# end
Then delete the single statement:
Router(config-std-nacl)# no 10
or
Router(config-std-nacl)# no permit host 192.168.1.1
Apply the ACL to an interface:
Router(config-if)# ip access-group access-list-name {in | out}
Remove the ACL from the interface:
Router(config-if)# no ip access-group access-list-name {in | out}
© 2024 shulou.com SLNews company. All rights reserved.