ACL: Access Control List

2025-03-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

1. ACL: Access control list, configured on routers and layer 3 switches. It works as a packet-filtering firewall.

2. Types:

Standard access control list (basic)

Filters packets based on the source IP address only

The list number of a standard access control list is 1-99

Extended access control list (basic)

Filters packets based on source IP address, destination IP address, protocol, port, and TCP flags

The list number of an extended access control list is 100-199

Named access control list (more flexible)

A named access control list uses a name instead of a list number for either a standard or an extended list

3. Filtering layer:

Access control lists filter on layer 3 (IP address) and layer 4 (protocol, port) header fields. Ordinary packet-filtering firewalls work at these layers; only an application-layer firewall additionally filters at layer 7.

4. Overview:

An access control list (ACL):

Reads the layer 3 and layer 4 header information of each packet

Permits or denies the packet according to predefined rules

5. Working principle:

1. The direction in which an access control list is applied to an interface

Out: packets that the router has already processed and that are leaving through the interface

In: packets that have arrived at the interface and are about to be processed by the router

(The direction in which the list is applied to the interface is chosen according to the direction of the traffic to be filtered.)

2. How an access control list processes a packet

6. Whitelist and blacklist:

Whitelist: only explicitly permitted traffic passes (anything not written in the list is rejected).

Example: permit the 1.2 network segment

Permit 1.3

Blacklist: the list must contain an explicit permit-all entry.

Example: deny 1.2

Deny 1.3

Anything that is not explicitly permitted is rejected by default, so a blacklist must contain the deny entries for the unwanted segments and then an entry that permits everything else.

ACL rule: entries are matched line by line from top to bottom, the first matching entry decides, and every list ends with an implicit deny-all entry.

7. Configuration of standard access control lists (filtering by source IP):

Create an ACL

Router(config)# access-list access-list-number {permit | deny} source [source-wildcard]

Delete an ACL

Router(config)# no access-list access-list-number

Application example

Permit traffic from the 192.168.1.0/24 segment and from host 192.168.2.2 to pass through

Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 1 permit 192.168.2.2 0.0.0.0

Implicit deny statement (present at the end of every list even when it is not written)

Router(config)# access-list 1 deny 0.0.0.0 255.255.255.255

Keywords: host (a single address, equivalent to wildcard 0.0.0.0) and any (all addresses, equivalent to 0.0.0.0 255.255.255.255)

Apply an ACL to an interface

Router(config-if)# ip access-group access-list-number {in | out}

Remove an ACL from an interface

Router(config-if)# no ip access-group access-list-number {in | out}

Experimental requirements: prohibit pc1 from accessing pc3 and allow pc2 to access pc3

Experimental topology diagram:

Steps of the experiment:

1. Configure the switch (sw): turn off the routing function, enter global configuration mode, enter interface f1/0, and set the speed and duplex to match the router (ACLs can only be configured on a layer 3 switch).

sw# conf t                     // enter global configuration mode
sw(config)# no ip routing      // turn off the routing function
sw(config)# int f1/0           // enter interface f1/0
sw(config-if)# speed 100       // speed matching
sw(config-if)# dup full        // full duplex

2. Configure the router (R1): assign IP addresses to interfaces f0/0 and f0/1.

R1# conf t
R1(config)# int f0/0
R1(config-if)# ip add 192.168.10.1 255.255.255.0
R1(config-if)# no shut
R1(config-if)# int f0/1
R1(config-if)# ip add 192.168.20.1 255.255.255.0
R1(config-if)# no shut

3. Configure the IP addresses of the three PCs and test whether they can reach each other.

PC1> ip 192.168.10.2 192.168.10.1    // configure the PC1 IP address and gateway
PC2> ip 192.168.10.3 192.168.10.1    // configure the PC2 IP address and gateway
PC3> ip 192.168.20.2 192.168.20.1    // configure the PC3 IP address and gateway (R1's f0/1 address, since PC3 is in 192.168.20.0/24)
PC1> ping 192.168.20.2               // ping pc3 from pc1
PC2> ping 192.168.20.2               // ping pc3 from pc2

4. On R1, create the ACL (deny pc1, permit pc2) and apply it to the interface.

R1(config)# access-list 1 deny 192.168.10.2 0.0.0.0    // deny pc1 (first form)
R1(config)# access-list 1 deny host 192.168.10.2       // deny pc1 (second form, equivalent)
R1(config)# access-list 1 permit any                   // permit pc2 (and every other source)
R1(config)# do show access-list                        // view the access list
R1(config)# int f0/0                                   // the interface facing pc1 and pc2
R1(config-if)# ip access-group 1 in                    // apply the ACL inbound on that interface

Both forms of the deny statement are fine; use either one.

5. Ping pc3 from pc1 and from pc2 to verify the ACL configuration: pc1's ping should fail and pc2's should succeed.

8. Extended access control lists:

Create an ACL

Router(config)# access-list access-list-number {permit | deny} protocol {source source-wildcard destination destination-wildcard} [operator operand]

Delete an ACL

Router(config)# no access-list access-list-number

Apply an ACL to an interface

Router(config-if)# ip access-group access-list-number {in | out}

Remove an ACL from an interface

Router(config-if)# no ip access-group access-list-number {in | out}

Application example: permit IP traffic from 192.168.1.0/24 to 192.168.2.0/24 and deny everything else

Router(config)# access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Router(config)# access-list 101 deny ip any any
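The matching rules from sections 5 and 6 (top-down, first match decides, implicit deny) and the standard and extended lists from sections 7 and 8, worked through in an added Python simulation that is not part of the original article and is not Cisco IOS code: it parses the page's own access-list lines (the lab's ACL 1 and the extended ACL 101), implements Cisco wildcard-mask matching, and evaluates sample packets. ACL 2 is a hypothetical whitelist added here to show the implicit deny when no permit any is written.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    # Cisco wildcard mask: 0 bits must match, 1 bits are ignored (the inverse of a subnet mask)
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    keep = ~w & 0xFFFFFFFF
    return (a & keep) == (n & keep)

def _parse_addr(tokens):
    # Consumes 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' and returns (network, wildcard)
    t = tokens.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))

def parse_acl(lines):
    # Parses IOS 'access-list' lines; numbers 1-99 are standard (source only), 100-199 extended
    entries = []
    for line in lines:
        tokens = line.split()
        assert tokens[0] == "access-list"
        number, action = int(tokens[1]), tokens[2]
        tokens = tokens[3:]
        if number <= 99:
            proto, src, dst = "ip", _parse_addr(tokens), ("0.0.0.0", "255.255.255.255")
        else:
            proto = tokens.pop(0)
            src = _parse_addr(tokens)
            dst = _parse_addr(tokens)
        entries.append((action, proto, src, dst))
    return entries

def evaluate(entries, src, dst, proto="ip"):
    # Top-down, first match wins; if nothing matches, the implicit deny at the end applies
    for action, e_proto, (s_net, s_wc), (d_net, d_wc) in entries:
        if e_proto != "ip" and e_proto != proto:
            continue
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"  # implicit deny-all

# ACL 1 from the lab in section 7: deny pc1, permit pc2 and everything else
ACL_1 = parse_acl(["access-list 1 deny host 192.168.10.2", "access-list 1 permit any"])
# ACL 101 from the extended example in section 8
ACL_101 = parse_acl(["access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
                     "access-list 101 deny ip any any"])
# Hypothetical whitelist (constructed here): no permit any, so unlisted sources hit the implicit deny
ACL_2 = parse_acl(["access-list 2 permit 192.168.1.0 0.0.0.255"])
```

Reversing the two entries of ACL_1 makes evaluate() permit pc1, which is why the deny entries must come before permit any.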
