1. ACL overview
1.1 ACL (Access Control List)
Importance level: high!
1.2 The role of ACL
ACL is a packet filtering technology!
1.3 ACL application scenarios
On routers and on firewalls.
On a router it is called an ACL!
On a firewall it is generally called a policy! A policy is an upgraded version of an ACL: it can filter based on IP, port, protocol and application-layer data.
2. How does an ACL filter?
An ACL filters data packets based on the IP addresses and port numbers carried in the packet!
3. ACL classification
3.1 Standard ACL
Table numbers: 1-99 or 1300-1999
Feature: filters packets only on the source IP address!
3.2 Extended ACL
Table numbers: 100-199 or 2000-2699
Feature: can filter packets on source IP address, destination IP address, destination port number, protocol, etc.!
4. ACL filtering principle
4.1 Fei Ge's tips for configuring an ACL
1) First determine the source and destination of the traffic to be controlled, and draw the direction of that traffic; from this, determine which routers the ACL can be written on!
2) Open that router and start writing the ACL filtering rules!
3) Finally, apply the ACL to a specific direction of a specific interface; only then does it take effect!
4.2 Principles of ACLs
1) After an ACL is configured, it must be applied to the in or out direction of an interface before it takes effect!
2) Only one ACL can be applied per direction on an interface.
3) At the end of every ACL there is a hidden deny-all entry (the "big boss")!
4) When an ACL is matched, every entry is checked strictly from top to bottom! If an entry matches, its action is performed; if it does not match, the next entry is tried; if no entry matches, the packet is dropped and denied! (Pay close attention to the order in which entries are written!!)
5) Because a standard ACL can only filter packets on the source IP, it is recommended to place it close to the destination!
6) Once an ACL has been written, by default you cannot delete a single entry or insert a new entry in the middle; you can only append new entries at the end!
4.3 ACL matching principle flow diagram
5. ACL commands
5.1 Standard ACL commands
conf t
access-list <table number> permit/deny <condition>
Table number: 1-99
Condition: source IP + wildcard mask (inverse mask)
Wildcard mask, e.g. 0.0.0.255: a 0 means that octet must match exactly, a 255 means it need not match!
E.g:
access-list 1 deny 192.168.1.0 0.0.0.255 # deny traffic whose source IP is in the 192.168.1.0 network
access-list 1 permit 0.0.0.0 255.255.255.255 # permit all networks
access-list 1 deny 192.168.2.1 0.0.0.0 # deny a single host / deny one person
Simplified forms:
0.0.0.0 255.255.255.255 == any
192.168.2.1 0.0.0.0 == host 192.168.2.1
After simplification:
access-list 1 deny 192.168.1.0 0.0.0.255 # deny traffic whose source IP is in the 192.168.1.0 network
access-list 1 permit any # permit all networks
access-list 1 deny host 192.168.2.1 # deny a single host / deny one person
5.2 Extended ACL commands
conf t
access-list <table number> permit/deny <protocol> <source IP> <wildcard mask> <destination IP> <wildcard mask> [eq <port number>]
Table number: 100-199
Protocols: TCP / UDP / IP / ICMP (when a port number is written, the protocol can only be tcp or udp)
Note: ICMP is the protocol used by the ping command; it is a network probing protocol. Pinging someone means generating an ICMP probe packet and sending it to the other party; the other party then answers me with an ICMP probe packet, which means the ping succeeded!
[]: optional
Case 1:
conf t
access-list 101 permit tcp 192.168.1.0 0.0.0.255 192.168.6.1 0.0.0.0 eq 80
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 permit ip any any
Another case:
access-list 102 deny icmp 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 102 permit ip any any
Here is another case:
acc 103 deny tcp 192.168.1.0 0.0.0.255 host 192.168.6.1 eq 23
acc 103 permit ip 192.168.1.0 0.0.0.255 host 192.168.6.1
acc 103 deny ip any any
Here is another case:
acc 104 deny ip host 192.168.1.1 any
acc 104 permit ip any any
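To make the matching principles in 4.2 (wildcard masks, strict top-down first match, hidden deny-all) concrete for the extended ACL entries above, here is an added Python evaluator. It is an illustration written for this page, not Cisco IOS code; it assumes numeric ports only (no keywords such as "domain") and the entry syntax shown on this page.

```python
import ipaddress

# Constructed example: evaluate a packet against IOS-style extended ACL entries
# exactly as the page describes: wildcard match, first match wins, implicit deny.

def wildcard_match(addr, base, wildcard):
    """A 0 bit in the wildcard mask must match exactly; a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def parse_addr(tokens):
    """Consume 'any', 'host X' or 'X WILDCARD'; return (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)

def parse_entry(line):
    """Parse 'access-list 101 permit tcp SRC WC DST WC [eq PORT]' (or 'acc 101 ...')."""
    tokens = line.split()[2:]          # drop 'access-list' and the table number
    action, proto = tokens.pop(0), tokens.pop(0)
    src = parse_addr(tokens)
    dst = parse_addr(tokens)
    port = int(tokens[1]) if tokens[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def evaluate(acl_lines, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for one packet; entries are tried top to bottom."""
    for entry in map(parse_entry, acl_lines):
        if entry["proto"] != "ip" and entry["proto"] != proto:
            continue                   # 'ip' covers every protocol
        if not wildcard_match(src, *entry["src"]) or not wildcard_match(dst, *entry["dst"]):
            continue
        if entry["port"] is not None and entry["port"] != dport:
            continue
        return entry["action"]         # first matching entry decides
    return "deny"                      # the hidden deny-all entry at the end of every ACL

# Constructed input: ACL 101 from this page.
ACL_101 = [
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 192.168.6.1 0.0.0.0 eq 80",
    "access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255",
    "access-list 101 permit ip any any",
]

if __name__ == "__main__":
    print(evaluate(ACL_101, "tcp", "192.168.1.5", "192.168.6.1", 80))   # permit
    print(evaluate(ACL_101, "tcp", "192.168.1.5", "192.168.6.1", 23))   # deny
    print(evaluate(ACL_101, "icmp", "10.0.0.1", "192.168.6.9"))         # permit
```

Swapping the first two entries of ACL_101 makes the port 80 traffic hit the deny line first, which is the ordering pitfall principle 4) warns about.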
5.3 Apply an ACL to an interface
int f0/1
ip access-group 102 in/out   (choose either in or out)
exit
5.4 View and list all ACLs
show ip access-list
6. Named ACL
6.1 How to create a named ACL
conf t
ip access-list extended <table name>
Then write each entry, starting with permit/deny.
Type exit when you are done!
6.2 Benefits of named ACLs
With the named ACL format you can delete a specific entry or insert an entry at a specific position!
E.g.:
R1(config)#do sh ip acce
Extended IP access list 120
10 deny icmp any any
20 deny udp 192.168.1.0 0.0.0.255 any eq domain
30 permit ip any any
You can delete a single entry; to delete the second entry, do the following:
R1(config)#ip access-list extended 120
R1(config-ext-nacl)#no 20
R1(config-ext-nacl)#exit
The results are as follows:
R1(config)#do sh ip acce
Extended IP access list 120
10 deny icmp any any
30 permit ip any any
R1(config)#
Note: to insert an entry at a specific position, put a sequence number in front of the entry!