
Standard part of ACL access Control list (Theory and practice)

2025-03-29 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

Brief introduction of access Control list

An access control list (Access Control List, ACL) is a list of instructions applied to router interfaces. These instructions tell the router which packets may be received and which must be rejected. Whether a packet is accepted or rejected is decided by specified match conditions such as source address, destination address, port number, and so on. The ACL reads header information from layers 3 and 4 and filters packets according to the predefined rules.

The function of ACL

1. Limit network traffic and improve network performance

2. Provide a means to control traffic flow

3. Provide basic security means for network access

4. At the network device interface, determine which type of traffic is forwarded and which type of traffic is blocked

The working principle of ACL

1. The direction in which access control lists are applied to the interface:

Outgoing direction: packets that have been processed by the router and are leaving the router interface

Incoming direction: packets that have arrived at the router interface and are about to be processed by the router

The direction in which the list is applied to the interface is related to the data direction

2. Process of access control list:

ACL rules are matched one by one from top to bottom; the first rule that matches decides the packet's fate. Every ACL ends with an implicit deny that rejects all remaining (any) traffic.

Whitelist: permit 1.2, permit 1.3, deny all (the deny-all need not be written; the implicit deny already rejects everything else).

Blacklist: deny 1.2, permit all (the permit-all must be written explicitly, otherwise the implicit deny rejects everything).

Types of ACL

Standard access control list

Filter packets based on IP address

The list number of a standard access control list is 1 to 99.

Extended access control list

Filter packets based on source IP, destination IP address, specified protocol, port, and flag

The list number of an extended access control list is 100 to 199.

Named access control list

Named access control lists allow a name to be used in place of the list number for both standard and extended access control lists

Relatively flexible to adjust security policy

ACL configuration command

1. Create an ACL

access-list access-list-number {permit | deny} source [source-wildcard] // permit: allow the packet to pass; deny: reject the packet; source [source-wildcard] controls only the source IP, source-wildcard being the wildcard (inverse subnet) mask

Example demonstration

Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 1 permit 192.168.2.2 0.0.0.0 // allow traffic from 192.168.1.0/24 and from host 192.168.2.2 to pass

2. Delete an ACL

no access-list access-list-number // directly deletes the ACL with that list number

3. The implied reject statement

access-list 1 deny 0.0.0.0 255.255.255.255 // rejects all IP addresses

4. The keywords host and any

host // followed by a single IP address, so the wildcard mask need not be typed
any // equivalent to all IP addresses (0.0.0.0 255.255.255.255)

5. Apply the ACL to an interface

ip access-group access-list-number {in | out} // in is applied on the interface closest to the controlled hosts

6. Cancel the application of an ACL on an interface

no ip access-group access-list-number {in | out}

ACL Standard Edition configuration demonstration
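To make the matching rules above concrete (top-down first match, the implicit deny, the wildcard mask, and the host/any keywords), here is an added Python model of a standard ACL evaluator. It is not code from the page; the rule syntax it parses is the IOS-style access-list line shown above, and the sample lists are constructed from the page's own examples.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard (inverse) mask: a 0 bit must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_rule(line: str):
    """Parse 'access-list N {permit|deny} <source>' where source is
    'host A.B.C.D', 'any', or 'A.B.C.D [wildcard]'. Returns (action, base, wildcard)."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list":
        raise ValueError(f"not a standard ACL line: {line!r}")
    number, action, src = int(parts[1]), parts[2], parts[3:]
    if not 1 <= number <= 99:
        raise ValueError("standard ACL numbers are 1 to 99")
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    if src[0] == "any":                      # any == 0.0.0.0 255.255.255.255
        base, wild = "0.0.0.0", "255.255.255.255"
    elif src[0] == "host":                   # host == wildcard 0.0.0.0
        base, wild = src[1], "0.0.0.0"
    else:
        base = src[0]
        wild = src[1] if len(src) > 1 else "0.0.0.0"   # IOS default wildcard
    return action, base, wild

def evaluate(acl_lines, src_ip: str) -> str:
    """Walk the rules top to bottom; the first match wins, otherwise implicit deny."""
    for action, base, wild in map(parse_rule, acl_lines):
        if wildcard_match(src_ip, base, wild):
            return action
    return "deny"   # the implicit deny at the end of every ACL

# Constructed samples. BLACKLIST mirrors the page's demo: block PC1, allow the rest.
BLACKLIST = [
    "access-list 1 deny host 192.168.10.2",
    "access-list 1 permit any",
]
# Constructed pitfall: a blacklist that forgot its explicit 'permit any'.
BLACKLIST_BROKEN = ["access-list 1 deny host 192.168.10.2"]
# Constructed whitelist from the page's first example: no deny-all needed.
WHITELIST = [
    "access-list 2 permit 192.168.1.0 0.0.0.255",
    "access-list 2 permit 192.168.2.2 0.0.0.0",
]
```

Running evaluate over BLACKLIST_BROKEN shows the trap the text warns about: every source, not just 192.168.10.2, ends up denied.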

1. First configure the switch

conf t // enter global configuration mode
no ip routing // turn off the routing function
int f1/0 // enter port f1/0
speed 100 // configure the rate
dup full // configure full-duplex mode

2. Configure router R2

conf t
int f0/0
ip add 192.168.10.1 255.255.255.0 // configure the IP address of port f0/0
no shut
int f0/1
ip add 192.168.20.1 255.255.255.0 // configure the IP address of port f0/1
no shut
do show ip route // view the routing table

3. Configure IP address on PC

(1) configure the IP address and gateway of PC1

ip 192.168.10.2 192.168.10.1

(2) configure the IP address and gateway of PC2

ip 192.168.10.3 192.168.10.1

(3) configure the IP address and gateway of PC3

ip 192.168.20.2 192.168.20.1

4. Test the communication between PCs

PC1> ping 192.168.20.2
192.168.20.2 icmp_seq=1 timeout
84 bytes from 192.168.20.2 icmp_seq=2 ttl=63 time=31.242 ms
84 bytes from 192.168.20.2 icmp_seq=3 ttl=63 time=31.241 ms
84 bytes from 192.168.20.2 icmp_seq=4 ttl=63 time=31.243 ms
84 bytes from 192.168.20.2 icmp_seq=5 ttl=63 time=31.222 ms

PC3> ping 192.168.10.3
192.168.10.3 icmp_seq=1 timeout
84 bytes from 192.168.10.3 icmp_seq=2 ttl=63 time=31.518 ms
84 bytes from 192.168.10.3 icmp_seq=3 ttl=63 time=31.266 ms
84 bytes from 192.168.10.3 icmp_seq=4 ttl=63 time=31.263 ms
84 bytes from 192.168.10.3 icmp_seq=5 ttl=63 time=31.244 ms

5. Create an ACL on router R1 and apply it to port f0/0

access-list 1 deny host 192.168.10.2 // deny access from the host with IP 192.168.10.2
access-list 1 permit any // allow all other IP addresses
int f0/0
ip access-group 1 in // apply the ACL in the inbound direction of port f0/0
do show access-list // view the ACL list

6. Verify ACL configuration

(1) Test the communication between PC1 and PC3

PC1> ping 192.168.20.2
*192.168.10.1 icmp_seq=1 ttl=255 time=31.223 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=2 ttl=255 time=15.618 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=3 ttl=255 time=15.621 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=4 ttl=255 time=15.622 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=5 ttl=255 time=15.620 ms (ICMP type:3, code:13, Communication administratively prohibited)

Conclusion: the ping fails and the replies report that communication is administratively prohibited, so the ACL has taken effect.

(2) Test the communication between PC1 and PC2

PC1> ping 192.168.10.3
84 bytes from 192.168.10.3 icmp_seq=1 ttl=64 time=0.000 ms
84 bytes from 192.168.10.3 icmp_seq=2 ttl=64 time=0.000 ms
84 bytes from 192.168.10.3 icmp_seq=3 ttl=64 time=0.000 ms
84 bytes from 192.168.10.3 icmp_seq=4 ttl=64 time=0.000 ms
84 bytes from 192.168.10.3 icmp_seq=5 ttl=64 time=0.000 ms

Conclusion: traffic within the local area network is not restricted by the ACL and communicates normally.
