"Firewall" on router interface-- access control list

2025-01-28 update, from SLTechnology News&Howtos (Servers)


Shulou (Shulou.com) 06/02 report


Almost every system ships with a firewall. It builds a relatively isolated protective barrier between the internal and external networks of a computer or server, so that user data and information are protected.

A router has its own kind of "firewall": the access control list (ACL). The list is applied to a router interface and tells the router which packets to filter out and which to let through. Below I explain it in detail.

ACL (access control list)

ACLs are mainly used to build packet-filtering firewalls on routers and layer 3 switches. They filter at layer 3 (by IP address) and layer 4 (by protocol and port) of the TCP/IP stack. Dedicated application firewalls, by contrast, filter at layer 7.

The filtering policy matches packets against manually defined rules, which are built mainly from four elements: source address, destination address, source port and destination port.

ACLs fall into the following categories:

Standard access control list

filters only on the source IP address

numbered 1 to 99 (the expanded range 1300 to 1999 is also standard)

Extended access control list

filters on source IP, destination IP, protocol, port and TCP flags

numbered 100 to 199 (the expanded range 2000 to 2699 is also extended)

Named access control list, either standard or extended

lets a name be used in place of the list number, for both standard and extended lists

Standard IPX access control list

Extended IPX access control list

Named IPX access control list

PS: this post explains the first three types in detail.

The ACL process

A specific explanation of the above process, contrasting a whitelist with a blacklist:

Whitelist                                            Blacklist
permit (e.g. permit 192.168.1.2)                     deny (e.g. deny 192.168.1.2)
permit (e.g. permit 192.168.1.3)                     deny (e.g. deny 192.168.1.3)
deny all (may be left out: every ACL ends            permit all (must be written: without it the
with an implicit deny all by default)                implicit deny all blocks everything)

Matching rules: statements are compared from top to bottom, one at a time. The first statement that matches decides the packet's fate and the remaining statements are not consulted, so the order of statements matters. A packet that matches nothing is dropped by the implicit deny all at the end of every list.

That covers the theory of ACLs. Now the configuration commands.

Standard access control list configuration commands

Create ACL

Router(config)# access-list access-list-number {permit | deny} source [source-wildcard]

access-list-number: the list number (1 to 99 for a standard list)

permit | deny: let the packet through | drop the packet

source [source-wildcard]: source IP plus wildcard mask. The wildcard mask is the inverse of the subnet mask: a 0 bit must match, a 1 bit is ignored. any matches every address, host address matches a single address (equivalent to a wildcard of 0.0.0.0); with no wildcard given, the address is treated as a single host.

Delete ACL

Router(config)# no access-list access-list-number

Apply / remove an ACL on an interface

Router(config-if)# ip access-group access-list-number {in | out}      // apply to the interface
Router(config-if)# no ip access-group access-list-number {in | out}   // remove from the interface

{in | out}: the direction on that interface in which the ACL is applied. in filters packets entering the router through the interface, out filters packets leaving through it. Since a standard ACL sees only the source address, it is usually applied as close to the destination as possible, otherwise it would also block that source's traffic to destinations you did not mean to restrict. An extended ACL can identify the exact flow, so it is usually applied as close to the source as possible and unwanted traffic is dropped before it crosses the network.
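The whitelist/blacklist table, the top-to-bottom matching rule and the standard numbered ACL syntax above, as an added example that is not part of the original article: a small Python simulator that parses access-list lines written in the IOS syntax shown above and evaluates a source address against them the way the router would. The access-list configurations embedded in it are constructed for this demo, and parse_standard_acl, evaluate and decide are this example's own names, not IOS commands.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not code from the original article: a simulator of how a Cisco IOS
# standard numbered ACL is matched. The access-list lines below are constructed for
# this demo; their syntax is the one the article describes.


@dataclass
class Ace:
    action: str     # "permit" or "deny"
    network: int    # source address from the statement, as an integer
    wildcard: int   # wildcard mask: 0 bits must match, 1 bits are "don't care"


def parse_source(tokens):
    """Parse the IOS source field: 'any', 'host A.B.C.D', or 'A.B.C.D [wildcard]'."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF                     # every bit is "don't care"
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0
    addr = int(ipaddress.IPv4Address(tokens[0]))
    # IOS treats a standard ACL source with no wildcard as a single host (wildcard 0.0.0.0)
    wc = int(ipaddress.IPv4Address(tokens[1])) if len(tokens) > 1 else 0
    return addr, wc


def parse_standard_acl(config, number):
    """Collect 'access-list <number> {permit|deny} <source>' lines in the order they appear."""
    aces = []
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 4 and t[0] == "access-list" and t[1] == str(number):
            network, wildcard = parse_source(t[3:])
            aces.append(Ace(t[2], network, wildcard))
    return aces


def evaluate(aces, src_ip):
    """Top to bottom, first match decides; no match falls through to the implicit deny."""
    ip = int(ipaddress.IPv4Address(src_ip))
    for ace in aces:
        care = ~ace.wildcard & 0xFFFFFFFF        # bits that must be equal
        if ip & care == ace.network & care:
            return ace.action
    return "deny"                                # implicit 'deny any' at the end of every ACL


def decide(config, number, src_ip):
    return evaluate(parse_standard_acl(config, number), src_ip)


# Constructed config. Whitelist: only the listed hosts pass; the final deny is implicit.
WHITELIST = """
access-list 10 permit host 192.168.1.2
access-list 10 permit 192.168.1.3
"""

# Blacklist written without the final 'permit any': the implicit deny then blocks everyone.
BLACKLIST_BROKEN = """
access-list 20 deny host 192.168.1.2
access-list 20 deny 192.168.1.3
"""

# Correct blacklist: the explicit 'permit any' must be written.
BLACKLIST = BLACKLIST_BROKEN + "access-list 20 permit any\n"

# A whole subnet selected with a wildcard mask, and a shadowed statement: matching stops at
# the first hit, so the 'deny' placed after 'permit any' can never take effect.
SUBNET = "access-list 30 permit 192.168.1.0 0.0.0.255\n"
SHADOWED = "access-list 40 permit any\naccess-list 40 deny host 192.168.1.2\n"

if __name__ == "__main__":
    cases = [("whitelist", WHITELIST, 10), ("broken blacklist", BLACKLIST_BROKEN, 20),
             ("blacklist", BLACKLIST, 20), ("subnet", SUBNET, 30), ("shadowed", SHADOWED, 40)]
    for name, cfg, num in cases:
        hosts = ("192.168.1.2", "192.168.1.3", "192.168.1.9", "10.0.0.1")
        print(name, {h: decide(cfg, num, h) for h in hosts})
```

Run it and compare the broken blacklist with the correct one: with the permit any line missing, every address that is not explicitly denied still hits the implicit deny, which is the most common mistake with blacklist-style ACLs. The shadowed list shows the other side of the first-match rule: a permit any placed first makes every later statement unreachable.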

Extended access control list configuration commands

Create ACL

Router(config)# access-list access-list-number {permit | deny} protocol {source source-wildcard destination destination-wildcard} [operator operand]

protocol: protocol name (tcp, udp, icmp, ip, ...); ip matches every IP protocol

source source-wildcard: source IP plus wildcard mask (any matches every address, host address matches a single address)

destination destination-wildcard: destination IP plus wildcard mask

operator operand: port comparison for tcp or udp. The operators are eq (equal), neq (not equal), gt (greater than), lt (less than) and range (inclusive range, two operands). Placed after the source it tests the source port, placed after the destination it tests the destination port, e.g. eq 80.

Delete ACL

Router(config)# no access-list access-list-number

Apply / remove an ACL on an interface

Router(config-if)# ip access-group access-list-number {in | out}      // apply to the interface
Router(config-if)# no ip access-group access-list-number {in | out}   // remove from the interface

Named access control list configuration commands

Create ACL

Router(config)# ip access-list {standard | extended} access-list-name

Configure a standard named ACL

Router(config-std-nacl)# [sequence-number] {permit | deny} source [source-wildcard]

Configure an extended named ACL

Router(config-ext-nacl)# [sequence-number] {permit | deny} protocol {source source-wildcard destination destination-wildcard} [operator operand]

sequence-number: the statement's sequence number. Statements are evaluated in sequence-number order, so giving a new statement a lower number inserts it ahead of existing ones; without a number the statement is appended.

standard: standard named ACL

extended: extended named ACL

Delete the entire named ACL

Router(config)# no ip access-list {standard | extended} access-list-name

Delete a single statement from a named ACL

Router(config-std-nacl)# no sequence-number                               // delete by sequence number
Router(config-std-nacl)# no {permit | deny} source [source-wildcard]      // delete by restating the whole statement
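The extended ACL syntax and the named ACL editing commands above, as an added example that is not part of the original article: a Python simulator of a named extended ACL that parses an ip access-list extended block in the IOS syntax shown, matches packets on protocol, source, destination and destination-port operator in sequence-number order, and shows what inserting a statement with a low sequence number and deleting it again with no sequence-number does to the outcome. The configuration text is constructed for this demo; NamedExtendedAcl, build_acl and edit_scenario are this example's own names. It simplifies the real command in one respect: only a destination-port operator is modelled, with numeric ports.

```python
import ipaddress

# Added example, not code from the original article: a simulator of a Cisco IOS named
# extended ACL, covering the match on protocol, source, destination and port operator,
# sequence-number ordering, insertion by sequence number and deletion with 'no <seq>'.
# The configuration text is constructed for this demo. Simplification: only a
# destination-port operator is modelled, and ports are numeric.


def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return ((net, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    net, wc = (int(ipaddress.IPv4Address(x)) for x in tokens[:2])
    return (net, wc), tokens[2:]


def addr_matches(ip, net_wc):
    net, wc = net_wc
    care = ~wc & 0xFFFFFFFF             # wildcard 0 bits must be equal
    return ip & care == net & care


def port_matches(port, op):
    """op is None (any port) or (operator, operands) using the IOS operators eq/neq/gt/lt/range."""
    if op is None:
        return True
    name, args = op
    if name == "eq":
        return port == args[0]
    if name == "neq":
        return port != args[0]
    if name == "gt":
        return port > args[0]
    if name == "lt":
        return port < args[0]
    if name == "range":
        return args[0] <= port <= args[1]
    raise ValueError(f"unknown operator {name}")


class NamedExtendedAcl:
    def __init__(self, name):
        self.name = name
        self.entries = {}   # sequence number -> statement

    def configure(self, line):
        """One line typed at the Router(config-ext-nacl)# prompt."""
        t = line.split()
        if t[0] == "no":                       # 'no <seq>' deletes a single statement
            del self.entries[int(t[1])]
            return
        if t[0].isdigit():                     # explicit sequence number: inserts at that position
            seq = int(t.pop(0))
        else:                                  # IOS appends with the next multiple of 10
            seq = max(self.entries, default=0) + 10
        action, proto = t[0], t[1]
        src, rest = parse_addr(t[2:])
        dst, rest = parse_addr(rest)
        dport = (rest[0], [int(x) for x in rest[1:]]) if rest else None
        self.entries[seq] = {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

    def evaluate(self, proto, src_ip, dst_ip, dst_port=None):
        """Walk statements in sequence order; first match wins; otherwise the implicit deny."""
        s = int(ipaddress.IPv4Address(src_ip))
        d = int(ipaddress.IPv4Address(dst_ip))
        for seq in sorted(self.entries):
            e = self.entries[seq]
            if e["proto"] not in ("ip", proto):          # protocol 'ip' covers every IP protocol
                continue
            if not (addr_matches(s, e["src"]) and addr_matches(d, e["dst"])):
                continue
            if e["dport"] is not None and (dst_port is None or not port_matches(dst_port, e["dport"])):
                continue
            return e["action"]
        return "deny"


def build_acl(config):
    """Feed an 'ip access-list extended NAME' block (as in running-config) to the simulator."""
    acl = None
    for line in config.strip().splitlines():
        t = line.split()
        if t[:3] == ["ip", "access-list", "extended"]:
            acl = NamedExtendedAcl(t[3])
        else:
            acl.configure(line)
    return acl


# Constructed config: the 192.168.1.0/24 LAN may reach the web server only on 80 and 443.
CONFIG = """
ip access-list extended WEB_ONLY
 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq 80
 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq 443
 deny ip any any
"""


def edit_scenario():
    """Block one host by inserting a statement with a low sequence number, then remove it again."""
    acl = build_acl(CONFIG)
    before = acl.evaluate("tcp", "192.168.1.66", "10.0.0.5", 80)
    acl.configure("5 deny ip host 192.168.1.66 any")     # lands before seq 10, so it is checked first
    blocked = acl.evaluate("tcp", "192.168.1.66", "10.0.0.5", 80)
    order = sorted(acl.entries)
    acl.configure("no 5")
    after = acl.evaluate("tcp", "192.168.1.66", "10.0.0.5", 80)
    return before, blocked, order, after


if __name__ == "__main__":
    acl = build_acl(CONFIG)
    print(acl.evaluate("tcp", "192.168.1.20", "10.0.0.5", 80))   # permit
    print(acl.evaluate("tcp", "192.168.1.20", "10.0.0.5", 22))   # deny: port not allowed
    print(acl.evaluate("udp", "192.168.1.20", "10.0.0.5", 80))   # deny: wrong protocol
    print(edit_scenario())
```

The point of edit_scenario is the one the sequence-number syntax exists for: on a numbered ACL a new statement can only be appended, so a new deny would land after the permits and never match; on a named ACL the same deny given sequence number 5 is evaluated before statement 10 and takes effect, and no 5 removes just that one statement without rebuilding the list.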

Apply / remove an ACL on an interface

Router(config-if)# ip access-group access-list-name {in | out}      // apply to the interface
Router(config-if)# no ip access-group access-list-name {in | out}   // remove from the interface

That is the full explanation of ACL theory and the related configuration commands. To be continued.
