ACL access control list-standard access control list (theory + practice)

2025-01-16 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/02 Report--

ACL (access control list) overview

Access control lists are lists of instructions applied to router interfaces that tell the router which packets to accept and which to reject. Access control is the main strategy of network security prevention and protection. Its main task is to ensure that network resources are not used or accessed illegally, and it is one of the most important core strategies for ensuring network security. Access control involves a wide range of technologies, including access control, network access control, directory-level control and attribute control.

Common TCP port numbers and their functions

Port      Protocol   Description
21        FTP        FTP server control port; port 20 carries the FTP data connection, port 21 the FTP control connection
23        TELNET     Remote login; the target computer can be controlled and managed remotely
25        SMTP       SMTP server port, used to send mail
80        HTTP       Hypertext Transfer Protocol; HTTPS (secure) uses port 443
110       POP3       Mail reception
143       IMAP       Used for sending mail
22        SSH        Encrypted remote login
67, 68    DHCP       Automatic IP address assignment; 67 for client requests, 68 for server responses
53        DNS        Domain name resolution
3389      RDP        Remote desktop

Common UDP port numbers and their functions

Port      Protocol   Description
69        TFTP       Trivial File Transfer Protocol
111       RPC        Remote Procedure Call
123       NTP        Network Time Protocol

Access control list filtering

Filters on Layer 3 (IP) and Layer 4 (port, protocol) information; Layer 7 filtering is left to a firewall.
Reads the Layer 3 and Layer 4 packet header information.
Filters packets according to predefined rules.

Direction in which an access control list is applied to an interface (relative to the direction of the data)

Out: packets that have already been processed by the router and are leaving the router interface
In: packets that have arrived at the router interface and are about to be processed by the router

Processing of access control lists (top-down, matching one entry at a time; anything that matches no entry is implicitly denied by default)

Whitelist:

  Allow 1.2
  Allow 1.3
  Deny all (may be omitted, since the implicit deny covers it)

Blacklist:

  Deny 1.2
  Deny 1.3
  Allow all (must be written, or the implicit deny blocks everything else)

Types of access control list

Standard access control list: filters packets based on the source IP address only. Standard access control list numbers range from 1 to 99.
Extended access control list: filters packets based on source IP address, destination IP address, specified protocol, port and flags. Extended access control list numbers range from 100 to 199.
Named access control list: allows a name to be used in place of the list number for both standard and extended access control lists.

ACL configuration commands

1. Create an ACL

  access-list access-list-number {permit | deny} source [source-wildcard]

  //permit allows the packet to pass, deny drops it. source [source-wildcard] controls only the source IP; the wildcard is the inverse of a subnet mask (0 bits must match, 1 bits are ignored).

  Example:

  Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255
  Router(config)#access-list 1 permit 192.168.2.2 0.0.0.0

  //allows traffic from 192.168.1.0/24 and from host 192.168.2.2 to pass

2. Delete an ACL

  no access-list access-list-number

  //deletes the whole ACL with that list number

3. Implicit deny

  access-list 1 deny 0.0.0.0 255.255.255.255

  //matches every IP address; this is what the router appends to every ACL by default

4. Keywords

  host //followed by a single IP address; no wildcard mask needs to be entered
  any  //equivalent to 0.0.0.0 255.255.255.255, i.e. all IP addresses

5. Apply an ACL to an interface

  ip access-group access-list-number {in | out}

  //applied on the interface nearest the host being controlled; in filters packets entering the interface, out filters packets leaving it

6. Remove an ACL from an interface

  no ip access-group access-list-number {in | out}

ACL standard configuration sample

Requirement

Forbid 192.168.10.2 from accessing PC3.

Double-click the switch sw to configure it:

  sw#conf t                   ##Enter global configuration mode
  sw(config)#no ip routing    ##Turn off routing
  sw(config)#int f1/0         ##Enter interface f1/0
  sw(config-if)#speed 100     ##Configure speed and duplex mode
  sw(config-if)#duplex full

Double-click router R1 to configure it:

  R1#conf t                                      ##Global configuration mode
  R1(config)#int f0/1
  R1(config-if)#ip add 192.168.10.1 255.255.255.0  ##Gateway of the 192.168.10.0/24 segment (address taken from the PCs' gateway setting below)
  R1(config-if)#no shut                          ##Enable the interface
  R1(config-if)#int f0/0
  R1(config-if)#ip add 192.168.20.1 255.255.255.0  ##Gateway of the 192.168.20.0/24 segment
  R1(config-if)#no shut                          ##Enable the interface

Set the IP address and gateway of the three PCs and test whether they can ping each other:

  PC1> ip 192.168.10.2 192.168.10.1
  PC2> ip 192.168.10.3 255.255.255.0 192.168.10.1
  PC3> ip 192.168.20.2 192.168.20.1

Open R1 and configure the access control list:

  R1#conf t                                      ##Global configuration mode
  R1(config)#access-list 1 deny host 192.168.10.2  ##Prevent 10.2 from getting through
  R1(config)#access-list 1 permit any            ##Allow all (must be written)
  R1(config)#do show access-list                 ##View the access control list
  Standard IP access list 1
      10 deny   192.168.10.2
      20 permit any
  R1(config)#int f0/1
  R1(config-if)#ip access-group 1 in             ##Applied inbound on interface f0/1

Then test whether the 10.2 machine can still reach PC3.
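To make the processing rules above concrete (top-down, first match wins, implicit deny, wildcard mask semantics, and the host/any keywords), here is an added Python model of a standard ACL that is not part of the original article and not Cisco IOS code. It parses access-list lines in the syntax shown on the page, evaluates a source address against them the way the router does, and flags entries that can never match because an earlier entry already covers them. The two ACLs it loads are the page's own blacklist (access-list 1 on R1) and its whitelist example; the lint function and the sample addresses are assumptions added here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


@dataclass
class AclEntry:
    action: str     # "permit" or "deny"
    network: int    # source address as a 32-bit integer
    wildcard: int   # wildcard mask: 0 bits must match, 1 bits are "don't care"


def parse_source(tokens: List[str]) -> Tuple[int, int]:
    """Translate the IOS source syntax into (address, wildcard).

    host A.B.C.D  -> wildcard 0.0.0.0 (exact match)
    any           -> 0.0.0.0 255.255.255.255 (matches everything)
    A.B.C.D [W]   -> explicit wildcard; defaults to 0.0.0.0 when omitted
    """
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0
    if tokens[0] == "any":
        return 0, ALL_ONES
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wc = int(ipaddress.IPv4Address(tokens[1])) if len(tokens) > 1 else 0
    return addr, wc


def parse_acl(config: str, number: int) -> List[AclEntry]:
    """Collect the access-list entries for one list number, in the order written."""
    entries = []
    for line in config.splitlines():
        parts = line.split("##")[0].split()          # strip the ## comments used on the page
        if len(parts) < 4 or parts[0] != "access-list" or int(parts[1]) != number:
            continue
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in line: {line!r}")
        addr, wc = parse_source(parts[3:])
        entries.append(AclEntry(action, addr, wc))
    return entries


def matches(entry: AclEntry, src: int) -> bool:
    """A wildcard match compares only the bits where the wildcard is 0."""
    keep = ALL_ONES ^ entry.wildcard
    return (src & keep) == (entry.network & keep)


def evaluate(acl: List[AclEntry], src_ip: str) -> Tuple[str, Optional[int]]:
    """Walk the list top-down; the first matching entry decides.

    Returns (action, sequence number). Sequence numbers are 10, 20, ...
    like 'show access-list'. No match -> the implicit deny, reported as None.
    """
    src = int(ipaddress.IPv4Address(src_ip))
    for seq, entry in enumerate(acl, start=1):
        if matches(entry, src):
            return entry.action, seq * 10
    return "deny", None


def shadowed_entries(acl: List[AclEntry]) -> List[int]:
    """Sequence numbers of entries that can never be reached (assumed lint, not an IOS feature).

    Earlier entry e covers later entry f when e ignores at least every bit f ignores
    and the two agree on the bits e checks.
    """
    unreachable = []
    for j, f in enumerate(acl):
        for e in acl[:j]:
            keep_e = ALL_ONES ^ e.wildcard
            if (e.wildcard | f.wildcard) == e.wildcard and (e.network & keep_e) == (f.network & keep_e):
                unreachable.append((j + 1) * 10)
                break
    return unreachable


# Constructed input: the blacklist from the page's R1 example (list 1).
BLACKLIST = """
access-list 1 deny   host 192.168.10.2   ## block PC1
access-list 1 permit any                 ## allow all (must be written)
"""

# Constructed input: the page's whitelist example; no 'permit any', so the implicit deny applies.
WHITELIST = """
access-list 1 permit 192.168.1.0 0.0.0.255   ## the 192.168.1.0/24 segment
access-list 1 permit 192.168.2.2 0.0.0.0     ## the single host 192.168.2.2
"""

# Constructed input: the same blacklist with the two lines swapped; the deny is now dead.
MISORDERED = """
access-list 1 permit any
access-list 1 deny   host 192.168.10.2
"""

if __name__ == "__main__":
    for name, cfg in (("blacklist", BLACKLIST), ("whitelist", WHITELIST), ("misordered", MISORDERED)):
        acl = parse_acl(cfg, 1)
        for ip in ("192.168.10.2", "192.168.10.3", "192.168.1.77", "192.168.2.3"):
            print(name, ip, evaluate(acl, ip))
        print(name, "unreachable entries:", shadowed_entries(acl))
```

The misordered list is the mistake the page's "allow all (must be written)" rule guards against from the other side: writing the catch-all first makes every later entry dead, so a deny placed after it never fires. Checking a list for unreachable entries before applying it with ip access-group is a cheap way to catch that.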
