Shulou(Shulou.com)06/01 Report--

Principle of ACL Control access list + experiment

1. Principle: ACL uses packet filtering technology to read the information in the packet header of the third and fourth layers of the ISO seven-layer model on the router, such as source address, destination address, source port, destination port, etc., and filter the packet header according to the pre-defined rules.

2, match one by one from top to bottom, once match, stop matching, a mismatch, execute implicit (reject) command.

3. In principle, the ACL control access list is more efficient at the ingress port.

4. There are three types of ACL:

A, standard ACL, allows or denies forwarding packets based on the source IP address of the packet, list number (1-99)

B, extended ACL, based on the source IP address, destination IP address, protocol, port and flag of the packet to allow or deny forwarding of the packet, list number

C, named ACL, named ACL allows names to be used instead of list numbers in standard and extended ACL

5. The command syntax of standard ACL is as follows:

Router (config) # access-list access-list-number (permit | deny) source (source-wildcard)

Access-list-number: list number

Permit: allow deny: deny

Source: the source address of the packet

Source-wildcard: wildcard mask, also known as inverse code

6. The command syntax for extending ACL is as follows:

Router (config) # access-list access-list-number source (permit | deny) protocol

(source source-wildcard destination destination-wildcard) (operator operan)

Protocol: specify the protocol type, such as tcp, ip, udp, icmp, etc.

Destination: destination addr

Operator operan: It (less than), gt (greater than), eq (equal to), neq (not equal to) one port number

7. The command syntax for naming ACL is as follows:

Router (config) # ip access-list (standard | extended) access-list-name

Standard: standard

Extended: extension

For example, 192.168.10.2 0.0.0.0 can also be expressed as host 192.168.10.2 0.0.0.0 255.255.255.255 or as any

The ACL access control list will not take effect until ACL is applied to the interface

The command syntax is as follows: router (config-if) # ip access-group access-liat-number (in | out)

The function of named ACL is to better manage access control lists, which can be added or subtracted, and the order of lists can be adjusted according to the size of Sequence-Number numbers.

If you want to use a named ACL, whether it's standard ACL or extended ACL, the first step is to name the ACL operation

8. According to the standard ACL, extend ACL and name ACL. Do experiments separately

1. Experimental topology diagram:

Obviously, according to the requirements, this is a standard ACL access control list. The details are as follows.

Experimental topology diagram:

It is obvious that you need to add an extended ACL access list, as follows:

Experimental topology diagram:

The specific operations are as follows:

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.