ACL (access control list) access Control list (Theory)

2025-02-14 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

ACL (access control list): an ordered list of packet-filtering rules, used mostly on routers and layer 3 switches for route filtering and for building packet-filtering firewalls.

I. ACL classification

1. Standard access control list

(1) filtering can only be based on the source IP address

(2) lists of this kind use access-list numbers 1-99.

2. Extended access control list

(1) filters based on source IP, destination IP, the specified protocol, port, and TCP flags

(2) lists of this kind use access-list numbers 100-199.

3. Named access control list: covers both standard and extended lists

(1) a list of this kind is referred to by a name instead of a list number, for both standard and extended lists.

II. Filter parameters

1. Access control lists filter at layer 3 (IP addresses) and layer 4 (ports and protocols).

2. A firewall can additionally filter at layer 7 (application content).

3. Common ports and protocols are shown below.

4. The direction in which an access control list is applied on an interface:

Out: packets that the router has already processed and that are leaving through the interface

In: packets that have arrived on the interface and have not yet been processed by the router

III. ACL function

1. An ACL filters packets according to manually defined rules.

IV. Whitelist and blacklist

Matching flowchart:

Matching rules: statements are evaluated from top to bottom, one at a time; the first statement that matches decides, and a packet that matches no statement is rejected by the implicit deny at the end of the list.

V. configuration

1. Standard access control list configuration

(1) create an ACL

access-list access-list-number {permit | deny} source [source-wildcard]

access-list 1 deny any: rejects all traffic

access-list-number: list number (1-99)

source [source-wildcard]: source IP followed by the wildcard mask (the inverse of the subnet mask)

keywords: host / any

(2) Delete ACL

no access-list access-list-number

(3) apply ACL to the port

ip access-group access-list-number {in | out}

(4) cancel the application of ACL in the port

no ip access-group access-list-number {in | out}

TIP: a standard ACL is usually applied on the interface closest to the restricted (destination) side.

2. Extended access control list

(1) create an ACL

access-list access-list-number {permit | deny} protocol source source-wildcard destination destination-wildcard [operator operand]

protocol: protocol name (tcp, udp, icmp, ...)

source source-wildcard destination destination-wildcard: source IP with its wildcard mask, then destination IP with its wildcard mask

operator operand: port number or service name (for example eq 80 / www)

(2) Delete ACL

no access-list access-list-number

(3) apply ACL to the port

ip access-group access-list-number {in | out}

(4) cancel the application of ACL on the interface

no ip access-group access-list-number {in | out}

TIP: ip covers all IP protocols

any any: any source IP, any destination IP

3. Named access control list

(1) create an ACL

ip access-list {standard | extended} access-list-name

access-list-name: list name (chosen by you)

(2) configure standard named ACL

[Sequence-Number] {permit | deny} source [source-wildcard]

Sequence-Number: the sequence number of the statement; it determines the statement's position in the list and therefore the order in which it is evaluated.

(3) configure extended named ACL

[Sequence-Number] {permit | deny} protocol source source-wildcard destination destination-wildcard [operator operand]

(4) Delete a single ACL statement in the group

-- no Sequence-Number

-- no <ACL statement>

(5) Delete the entire group of ACL

no ip access-list {standard | extended} access-list-name

(6) apply ACL to the interface

ip access-group access-list-name {in | out}

(7) cancel the application of ACL on the interface

no ip access-group access-list-name {in | out}

(8) add a statement with a specific serial number to ACL

Enter ip access-list {standard | extended} access-list-name, then enter the statement prefixed with the desired Sequence-Number; the statement is placed at that position in the list.
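The matching rules in section IV (top-to-bottom evaluation, first match wins, implicit deny), the wildcard masks of the standard and extended list syntax, and the Sequence-Number positioning of named lists all come together in the following simulation. This is an added example written for this page, not Cisco code and not from the original article; it parses statements in the syntax shown above and evaluates constructed packets against them. The ACL contents, addresses and port numbers are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ALL = 0xFFFFFFFF  # wildcard 255.255.255.255: every bit is "don't care" (matches any address)


def addr(text: str) -> int:
    """Dotted IPv4 address to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def wildcard_from_prefix(prefix_len: int) -> int:
    """Inverse of the subnet mask: /24 -> 0.0.0.255, /32 -> 0.0.0.0, /0 -> 255.255.255.255."""
    return ALL >> prefix_len


def wildcard_match(packet_addr: int, rule_addr: int, wildcard: int) -> bool:
    """A wildcard bit of 1 means "don't care"; only the bits set to 0 must be equal."""
    care = ~wildcard & ALL
    return (packet_addr & care) == (rule_addr & care)


@dataclass
class AclEntry:
    seq: int
    action: str                  # "permit" | "deny"
    protocol: str                # "ip" (any protocol), "tcp", "udp", "icmp"
    src: int
    src_wild: int
    dst: int = 0
    dst_wild: int = ALL          # standard ACLs check the source only: any destination
    dport: Optional[int] = None  # "eq <port>" on the destination; None = any port


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    dport: Optional[int] = None


def _parse_addr(tokens, i) -> Tuple[int, int, int]:
    """Consume 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (addr, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, ALL, i + 1
    if tokens[i] == "host":
        return addr(tokens[i + 1]), 0, i + 2
    return addr(tokens[i]), addr(tokens[i + 1]), i + 2


class Acl:
    """Statements kept by sequence number and evaluated in ascending order."""

    def __init__(self):
        self.entries = {}

    def add(self, line: str) -> AclEntry:
        tokens = line.lower().split()
        if tokens[0] == "access-list":           # numbered form: drop "access-list <number>"
            tokens = tokens[2:]
        seq = int(tokens.pop(0)) if tokens[0].isdigit() else None  # named form: explicit Sequence-Number
        if seq is None:                          # otherwise append at the end in steps of 10
            seq = max(self.entries, default=0) + 10
        action = tokens[0]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action: {action}")
        i = 1
        if tokens[i] in ("ip", "tcp", "udp", "icmp"):   # extended: protocol src dst [eq port]
            protocol = tokens[i]
            i += 1
            src, sw, i = _parse_addr(tokens, i)
            dst, dw, i = _parse_addr(tokens, i)
            dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
            entry = AclEntry(seq, action, protocol, src, sw, dst, dw, dport)
        else:                                           # standard: source only
            src, sw, i = _parse_addr(tokens, i)
            entry = AclEntry(seq, action, "ip", src, sw)
        self.entries[seq] = entry
        return entry

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """First matching statement decides; no match means the implicit deny (seq None)."""
        psrc, pdst = addr(pkt.src), addr(pkt.dst)
        for seq in sorted(self.entries):
            e = self.entries[seq]
            if e.protocol != "ip" and e.protocol != pkt.protocol:
                continue
            if not wildcard_match(psrc, e.src, e.src_wild):
                continue
            if not wildcard_match(pdst, e.dst, e.dst_wild):
                continue
            if e.dport is not None and e.dport != pkt.dport:
                continue
            return e.action, seq
        return "deny", None


def demo() -> dict:
    """Constructed ACLs and packets; returns the verdict and matching sequence number for each case."""
    ext = Acl()
    ext.add("access-list 100 deny tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq 80")
    ext.add("access-list 100 permit ip any any")
    results = {
        "web_from_lan": ext.evaluate(Packet("192.168.1.20", "10.0.0.5", "tcp", 80)),
        "https_from_lan": ext.evaluate(Packet("192.168.1.20", "10.0.0.5", "tcp", 443)),
        "web_from_other": ext.evaluate(Packet("192.168.2.20", "10.0.0.5", "tcp", 80)),
    }
    # Named-list style insert: sequence number 5 lands before the deny at 10, so it is matched first
    ext.add("5 permit tcp host 192.168.1.99 host 10.0.0.5 eq 80")
    results["exempt_host"] = ext.evaluate(Packet("192.168.1.99", "10.0.0.5", "tcp", 80))
    # A list containing only deny statements blocks everything: the implicit deny catches the rest
    std = Acl()
    std.add("access-list 1 deny 192.168.1.0 0.0.0.255")
    results["implicit_deny"] = std.evaluate(Packet("10.1.1.1", "10.0.0.5"))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "implicit_deny" case is the one that catches people: a list with nothing but deny statements drops all traffic, so a permit (often permit ip any any) is needed after the denies. The "exempt_host" case shows why the sequence number matters: the same permit appended at the end (sequence 30) would never be reached, because the deny at 10 already matches that host.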

Extension:

1. NAT (network address translation): private addresses are translated into a public address.

2. Special form

PAT: multiple private addresses are translated into one public address (port multiplexing)

Function: alleviates the exhaustion of available IP address resources and improves the utilization of IP addresses.
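The port multiplexing behind PAT, as an added example for this page (not the article's own code and not a vendor implementation): one public address is shared by rewriting each inside flow to a distinct public port, and the translation table is consulted in reverse for return traffic. The inside addresses, the public address 203.0.113.1 (a documentation range) and the port numbers are constructed; the mapping only exists for flows the inside hosts opened, so an unsolicited inbound packet finds no entry.

```python
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


class Pat:
    """Port address translation: many inside (address, port) pairs share one public address."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound: Dict[Endpoint, int] = {}  # inside (ip, port) -> public port
        self.inbound: Dict[int, Endpoint] = {}   # public port -> inside (ip, port)

    def translate_out(self, inside_ip: str, inside_port: int) -> Endpoint:
        """Outbound packet: reuse the existing mapping or allocate the next free public port."""
        key = (inside_ip, inside_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return self.public_ip, self.outbound[key]

    def translate_in(self, public_port: int) -> Optional[Endpoint]:
        """Inbound packet: look up the inside host, or None when no inside flow created an entry."""
        return self.inbound.get(public_port)


def demo() -> dict:
    """Two constructed inside hosts using the same source port behind one public address."""
    pat = Pat("203.0.113.1")
    first = pat.translate_out("192.168.1.10", 50000)
    second = pat.translate_out("192.168.1.11", 50000)   # same inside port, different public port
    repeat = pat.translate_out("192.168.1.10", 50000)   # existing flow keeps its mapping
    return {
        "first": first,
        "second": second,
        "repeat": repeat,
        "reply_to_second": pat.translate_in(second[1]),
        "unsolicited": pat.translate_in(4000),          # nothing opened this port: dropped
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the table is built only by outbound traffic, the translator also acts as a coarse stateful filter: return packets for known flows reach the right inside host, while packets to ports no inside host opened have nowhere to go.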
