CCNA Learning Notes 11-ACL

2025-01-18 Update From: SLTechnology News&Howtos (Shulou.com, 06/01 report)

ACL functions

Filtering: manage IP traffic by filtering packets that pass through the router, permitting or denying them, or by controlling access to the router's VTY lines, etc.

Classification: identify traffic for special treatment, for example by routing protocols, NAT, QoS, etc.

◆ Overview:

An ACL is an ordered set of statements that permits or denies packets passing through an interface by comparing fields in each packet against the ACL parameters.

An ACL statement consists of:

Condition: the packet fields that are matched.

Action: when the condition matches, permit or deny the packet.

◆ Matching rules:

Statements are checked in sequence-number order from top to bottom; the first statement that matches is applied and no further statements are examined. When configuring, the statements should therefore become broader from top to bottom (the most specific first).

Every ACL ends with an implicit deny any any, so a packet that matches no statement is dropped.

◆ ACL types

Standard: checks only the source IP address.

Extended: can check source and destination IP addresses as well as upper-layer protocol and port numbers.

■ Typical uses of standard ACLs (they can filter only on the source IP address in the IP header):

Restrict access to the router through the VTY lines (Telnet, SSH)

Restrict access to the router through HTTP or HTTPS

Filter routing updates

Configuration

Numbered or named

Numbered: access-list 1-99 permit/deny source-IP wildcard-mask

Named: ip access-list standard name

permit/deny source-IP wildcard-mask

■ Extended ACLs extend packet filtering so that traffic can be matched precisely.

They can match on source and destination IP, protocol, source and destination ports, and particular header fields whose individual bits can be compared.

Configuration

Numbered or named

Numbered: access-list 100-199 permit/deny protocol source-IP wildcard destination-IP wildcard [port]

Named: ip access-list extended name

permit/deny protocol source-IP wildcard destination-IP wildcard [port]

◆ ACL placement principle

Extended ACLs are placed as close to the source as possible. Because they match on both source and destination, unwanted traffic can be dropped before it wastes link resources on the path to the destination.

Standard ACLs are placed as close to the destination as possible. Because they match only on the source IP, placing one near the source would block that source's traffic to every destination along the path; to keep the scope of impact small, the list is placed near the target.

◆ ACL guidelines

Only one ACL is allowed per interface, per protocol (IP, IPX, AppleTalk), per direction.

The most specific statements must be at the top of the list.

Every ACL ends with an implicit deny all, so each list needs at least one permit statement or it blocks everything.

ACL processing adds work on the interface and can affect forwarding speed. An ACL applied to an interface matches only transit traffic passing through the router; it ignores traffic generated by the router itself.

Example:

In the topology from the original diagram (not reproduced here), the whole network runs EIGRP, advertising the directly connected and loopback interfaces.

Filtering VTY access on the router

There are 5 VTY lines (0-4).

The router's VTY lines can filter incoming sessions, so access control for VTY is performed on the router itself.

■ Standard ACL instance:

R3:

access-list 12 permit 1.1.1.0 0.0.0.255

line vty 0 4

password cisco

access-class 12 in

R1:

interface loopback 0

ip address 1.1.1.1 255.255.255.255

telnet 23.1.1.3 is rejected (the session is sourced from R1's outgoing interface address, which is not in 1.1.1.0/24)

telnet 23.1.1.3 /source-interface loopback 0 succeeds!

■ Extended ACL instance:

Requirement: pings from R1 sourced from 1.1.1.1 to R3 must succeed, while Telnet from R1 sourced from 1.1.1.1 to R3 must fail.

R2:

access-list 100 permit icmp host 1.1.1.1 host 23.1.1.3

access-list 100 deny tcp host 1.1.1.1 host 23.1.1.3 eq 23

access-list 100 permit eigrp any any

interface f0/0

ip access-group 100 in

The permit eigrp statement is required because of the implicit deny at the end of the list; without it the EIGRP adjacency through f0/0 would be lost.

Verification: show access-lists displays the configured lists; show ip access-group displays where they are applied on interfaces.

Sequence numbers are assigned in steps of 10 by default. To insert a statement between existing ones, enter the list in named-ACL configuration mode and give the statement an explicit sequence number:

ip access-list extended 100

15 permit ip any any

Note that sequence 15 sits before the deny at sequence 20; since matching stops at the first hit, a permit ip any any there would keep that deny from ever matching. The lines above show only the insertion syntax.
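The matching rules above (first match wins, implicit deny), the VTY filter with ACL 12, ACL 100 on R2, and the sequence-15 insertion can all be traced with a small model. This is an added example written for these notes, not IOS code and not from the original post; the Ace and Packet classes, the covers/shadowed helpers and the 192.0.2.1 source address are my own constructions, and only the fields the notes discuss (protocol, source, destination, destination port) are modelled.

```python
# Added example (not from the original notes): a small model of how IOS
# evaluates an access list, used to walk through ACL 12 and ACL 100 from
# these notes. Field names and the "covers"/"shadowed" logic are mine.
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

HOST = "0.0.0.0"            # wildcard for "host x.x.x.x"
ANY = "255.255.255.255"     # wildcard for "any"


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(value: str, base: str, wildcard: str) -> bool:
    """Wildcard-bit semantics: a 0 bit must match, a 1 bit is ignored."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(value) ^ ip_int(base)) & care == 0


@dataclass
class Ace:
    """One access control entry (one line of an ACL)."""
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; else "icmp", "tcp", "eigrp", ...
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # None: any destination port


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wc):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins; no match hits the implicit deny (seq None)."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace_matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None


def covers(a_base: str, a_wc: str, b_base: str, b_wc: str) -> bool:
    """True if every address matched by (b_base, b_wc) is also matched by (a_base, a_wc)."""
    a, b = ip_int(a_wc), ip_int(b_wc)
    return (a | b) == a and wildcard_match(b_base, a_base, a_wc)


def shadowed(acl: List[Ace]) -> List[int]:
    """Sequence numbers of entries that can never match because an earlier entry covers them."""
    ordered = sorted(acl, key=lambda a: a.seq)
    out = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (earlier.proto in ("ip", later.proto)
                    and earlier.dport in (None, later.dport)
                    and covers(earlier.src, earlier.src_wc, later.src, later.src_wc)
                    and covers(earlier.dst, earlier.dst_wc, later.dst, later.dst_wc)):
                out.append(later.seq)
                break
    return out


# ACL 12 on R3 (standard: source only) and ACL 100 on R2 (extended), as in the notes.
ACL_12 = [Ace(10, "permit", "ip", "1.1.1.0", "0.0.0.255", "0.0.0.0", ANY)]
ACL_100 = [
    Ace(10, "permit", "icmp", "1.1.1.1", HOST, "23.1.1.3", HOST),
    Ace(20, "deny", "tcp", "1.1.1.1", HOST, "23.1.1.3", HOST, dport=23),
    Ace(30, "permit", "eigrp", "0.0.0.0", ANY, "0.0.0.0", ANY),
]
# The "15 permit ip any any" insertion from the sequence-number note.
INSERTED_15 = Ace(15, "permit", "ip", "0.0.0.0", ANY, "0.0.0.0", ANY)

if __name__ == "__main__":
    # 192.0.2.1 is a constructed non-loopback source address for R1.
    print(evaluate(ACL_12, Packet("tcp", "192.0.2.1", "23.1.1.3", 23)))  # ('deny', None)
    print(evaluate(ACL_12, Packet("tcp", "1.1.1.1", "23.1.1.3", 23)))    # ('permit', 10)
    print(evaluate(ACL_100, Packet("icmp", "1.1.1.1", "23.1.1.3")))       # ('permit', 10)
    print(evaluate(ACL_100, Packet("tcp", "1.1.1.1", "23.1.1.3", 23)))    # ('deny', 20)
    print(shadowed(ACL_100 + [INSERTED_15]))                              # [20, 30]
```

Running it reproduces the results in the notes: Telnet to R3 from a non-loopback source hits the implicit deny of ACL 12, the loopback-sourced session is permitted, ping from 1.1.1.1 passes ACL 100 and Telnet is denied at sequence 20. shadowed() also reports that the inserted permit ip any any at sequence 15 makes sequences 20 and 30 unreachable, which is the kind of check worth running before inserting a line into a live list.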

◆ Wildcard bits (inverse mask)

0 (exact match): the corresponding address bit must match.

1 (any match): the corresponding address bit is ignored.

any: 0.0.0.0 255.255.255.255

host: 172.1.1.1 0.0.0.0

Example: match 172.30.16.0/24 through 172.30.31.0/24 (16 consecutive /24 networks)

Wildcard: 172.30.16.0 0.0.15.255
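To see how the 0.0.15.255 wildcard is derived and what it actually matches, here is an added example of my own, not code from the original notes; the function names are assumptions. It goes slightly beyond the notes by flagging a block of subnets that cannot be expressed with a single base/wildcard pair without over-matching, and by checking whether a wildcard is contiguous.

```python
# Added example (not from the original notes): deriving the wildcard mask for a
# contiguous block of subnets, such as the 172.30.16.0/24 .. 172.30.31.0/24
# case in these notes, and checking whether the resulting pair over-matches.
import ipaddress


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def int_ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def wildcard_match(value: str, base: str, wildcard: str) -> bool:
    """0 bits in the wildcard must match the base; 1 bits are ignored."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(value) ^ ip_int(base)) & care == 0


def wildcard_from_prefix(prefixlen: int) -> str:
    """Inverse of the subnet mask: /24 -> 0.0.0.255."""
    mask = (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF
    return int_ip(mask ^ 0xFFFFFFFF)


def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is a run of 1 bits from the low end (a plain inverse mask)."""
    wc = ip_int(wildcard)
    return wc & (wc + 1) == 0


def wildcard_for_range(first: str, last: str):
    """Smallest single base/wildcard pair that matches every address from first
    to last inclusive. Returns (base, wildcard, exact); exact is False when the
    pair also matches addresses outside the requested range (over-matching)."""
    lo, hi = ip_int(first), ip_int(last)
    # every bit position at or below the highest differing bit must be "don't care"
    wc = (1 << (lo ^ hi).bit_length()) - 1
    base = lo & ~wc
    exact = base == lo and (base | wc) == hi
    return int_ip(base), int_ip(wc), exact


def matched_span(base: str, wildcard: str):
    """First and last address a contiguous base/wildcard pair matches."""
    if not is_contiguous(wildcard):
        raise ValueError("non-contiguous wildcard does not match a single span")
    b, wc = ip_int(base), ip_int(wildcard)
    return int_ip(b & ~wc), int_ip(b | wc)


if __name__ == "__main__":
    print(wildcard_from_prefix(24))                             # 0.0.0.255
    print(wildcard_for_range("172.30.16.0", "172.30.31.255"))   # ('172.30.16.0', '0.0.15.255', True)
    # 17 subnets instead of 16: the pair grows to cover 172.30.0.0-172.30.63.255
    print(wildcard_for_range("172.30.16.0", "172.30.32.255"))   # ('172.30.0.0', '0.0.63.255', False)
    print(matched_span("172.30.0.0", "0.0.63.255"))             # ('172.30.0.0', '172.30.63.255')
```

The exact flag is the practical check: a block of subnets that is not aligned to a power of two (the 17-subnet case) cannot be written as one base/wildcard pair without permitting addresses that were never intended, so it must be split into several statements instead.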
