Huawei ACL access control list (advanced ACL as an example)

One, know ACL

1. What is ACL:

Access Control List--ACL

An ACL is a set of one or more rules used for packet filtering; applying the same ACL to different features produces different effects.
On routers and switches an ACL is applied to an interface to control the packets entering and leaving that port, and it works together with other features (NAT, route-policy, prefix-list and so on) to achieve the corresponding effect.

2. The role of ACL:

Match specific traffic so that it can be controlled (deny = drop, permit = allow), which is the basis for network access control, QoS policies, routing information filtering, policy-based routing and many other functions.

3. Classification of ACL:

(1): According to ACL filtering message type and function division

Basic ACL (2000-2999): matches only the source IP address.
Advanced ACL (3000-3999): matches Layer 3 and Layer 4 fields such as source IP, destination IP, source port and destination port.

① Interface ACL (No. 1000-19999)
② Basic ACL (No. 2000-2999)
③ Advanced ACL (No. 3000-3999)
④ Layer 2 ACL (No. 4000-4999)
⑤ Custom ACL (No. 5000-5999)

(2): Divided according to the naming method

① Numbered ACL (the ACL is created with a number)
② Named ACL (the created ACL is given a name)

4. The working principle of ACL:

Define ACL statements → apply the ACL on an interface or to a feature → the interface receives traffic and matches it against the ACL statements → once a packet hits a rule, the action of that rule is executed.

(1): An ACL can consist of multiple "deny | permit" statements, each describing one rule: permit allows the traffic (captures/matches it), deny drops (filters) it.

(2): When the device receives traffic, it checks it against the ACL rules one by one.
If a rule does not match, the next rule is tried. Once a matching rule is found, the action defined in that rule (permit or deny) is executed and no later rules are checked.
If no rule matches, the device does not process the packet at all (in effect, a default permit any any applies and everything is allowed).

Note: the rules in an ACL may overlap or contradict each other. The matching order determines the priority of the rules; the ACL relies on this rule priority to resolve such overlap or contradiction.

5. The matching order of ACL rules:

Configuration order and automatic sorting

(1) Configuration sequence:

In configuration order, rules are matched by rule number (rule-id) from smallest to largest.
The device automatically assigns a number (rule-id) to each rule when the ACL is created, and that number determines the order in which rules are matched (the default rule-number step on ARG3 series routers is 5).

(2) Automatic sorting:

Automatic sorting matches according to the "depth first" principle, that is, rules are ordered by their precision: the rule whose match conditions (protocol type, source and destination IP address range, and so on) are more restrictive and precise is matched first.
If two rules have the same "depth first" order, they are matched by rule number from smallest to largest.

6. ACL rule numbers (rule):

(1) An ACL contains one or more rules. Each rule has its own number, which is unique within the ACL; each number identifies one ACL statement together with its action.
(2) By default the rule-id of an ACL is generated automatically, but it can also be specified manually. Inserting a new rule with a manually chosen number is the usual way to adjust the matching order of an ACL.
(3) By default, rule numbers start from 0 and increase in steps of 5 (the step can be changed with the step command).

Two, topology

(Figure: network topology)

Three, basic configuration

Configure the interface IP as shown in the figure.

PC1
(Figure: PC1 IP configuration)
Other PC configurations are similar.

AR-1

sysname AR-1
#
......
#
acl number 3000  
 rule 5 permit ip source 192.168.1.100 0 destination 192.168.3.100 0 
 rule 10 permit ip source 192.168.2.100 0 destination 192.168.4.100 0 
 rule 15 deny ip 
#
......
#
interface GigabitEthernet0/0/0
 ip address 192.168.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 192.168.2.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
 ip address 12.1.1.1 255.255.255.0 
 traffic-filter outbound acl 3000  // apply ACL 3000 in the outbound direction of this interface
#
interface NULL0
#
ospf 1 
 area 0.0.0.0 
  network 12.1.1.1 0.0.0.0 
  network 192.168.1.1 0.0.0.0 
  network 192.168.2.1 0.0.0.0 
#
......

AR-2

sysname AR-2
#
......
#
interface GigabitEthernet0/0/0
 ip address 12.1.1.2 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 192.168.3.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
 ip address 192.168.4.1 255.255.255.0 
#
interface NULL0
#
ospf 1 
 area 0.0.0.0 
  network 12.1.1.2 0.0.0.0 
  network 192.168.3.1 0.0.0.0 
  network 192.168.4.1 0.0.0.0 

Four, demand

Configure advanced ACL on AR-1

[AR-1]acl 3000
[AR-1-acl-adv-3000]rule 5 permit ip source 192.168.1.100 0 destination 192.168.3.100 0 
[AR-1-acl-adv-3000]rule 10 permit ip source 192.168.2.100 0 destination 192.168.4.100 0 
[AR-1-acl-adv-3000]rule 15 deny ip 
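To make the matching behaviour described in section One concrete (first hit wins, rules ordered by rule-id rather than entry order, implicit permit when nothing matches), here is an added simulation of ACL 3000 written for this page; it is not code from the original post or from Huawei. The rule text is a constructed copy of the three rules above, and MANUAL_RULE is a hypothetical rule with a manually chosen id used only to show how ordering works.

```python
import ipaddress
import re

# Constructed copy of the page's ACL 3000 (the three rules configured on AR-1).
ACL_3000 = """
rule 5 permit ip source 192.168.1.100 0 destination 192.168.3.100 0
rule 10 permit ip source 192.168.2.100 0 destination 192.168.4.100 0
rule 15 deny ip
"""
# Hypothetical rule entered last but with an id below 5 (assumption, not on the page).
MANUAL_RULE = "rule 3 deny ip source 192.168.1.100 0 destination 192.168.3.100 0\n"

RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+ip"
    r"(?:\s+source\s+(\S+)\s+(\S+))?"
    r"(?:\s+destination\s+(\S+)\s+(\S+))?$"
)

def _to_int(s):
    # Huawei accepts the shorthand "0" for the wildcard 0.0.0.0 (exact host match).
    return int(ipaddress.IPv4Address("0.0.0.0" if s == "0" else s))

def wildcard_match(addr, base, wildcard):
    """Wildcard-mask semantics: a 0 bit must match, a 1 bit is don't-care."""
    w = _to_int(wildcard)
    return (_to_int(addr) & ~w) == (_to_int(base) & ~w)

def parse_acl(text):
    """Parse 'rule <id> permit|deny ip [source A W] [destination B W]' lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        rid, action, src, swc, dst, dwc = m.groups()
        rules.append((int(rid), action, src, swc, dst, dwc))
    # Configuration-order matching: ascending rule-id, regardless of entry order.
    return sorted(rules, key=lambda r: r[0])

def evaluate(rules, src, dst):
    """Return (action, rule-id) of the first hit; no hit means implicit permit."""
    for rid, action, s, swc, d, dwc in rules:
        if s and not wildcard_match(src, s, swc):
            continue
        if d and not wildcard_match(dst, d, dwc):
            continue
        return action, rid
    return "permit", None

if __name__ == "__main__":
    print(evaluate(parse_acl(ACL_3000), "192.168.1.100", "192.168.3.100"))
```

Dropping rule 15 from the text shows the implicit-permit case, and appending MANUAL_RULE shows that a later-entered rule with a smaller id is matched before rule 5.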

1. PC1 can only access Server1.
(Figure: PC1 connectivity test result)

2. PC2 can only access Server2.
(Figure: PC2 connectivity test result)


I am Yibodong! You are welcome to discuss with me, and see you in the next issue.

Source: blog.csdn.net/HYD696/article/details/108550835