The ninth day of studying in HCIA

About ACL

ACL: Access Control List

Functions:

1. Implement access control (filter traffic)
2. Match "interesting traffic" so that other technologies can act on it

Working principle: An ACL is defined manually on the router. The list contains multiple access rules and is then applied in one direction (inbound or outbound) of one interface of the router. The router then takes an action on the received traffic according to the rules in the list: permit or deny.

ACL matching rules:

Rules are matched in order from top to bottom. Once traffic matches a rule, the remaining rules are not checked (first match wins).

ACL classification:
Basic ACL: can only match the source IP address in the data packet.
Advanced ACL: can identify the source and destination IP addresses, source and destination port numbers and protocol numbers in the data packet

ACL configuration:

Basic ACL: Because it can only identify the source IP, apply it as close to the destination as possible when calling it, to avoid accidentally dropping traffic to other destinations.
[r2]acl ?
INTEGER<2000-2999> Basic access-list(add to current using rules)
INTEGER<3000-3999> Advanced access-list(add to current using rules)

[r2]acl 2000 //Create ACL 2000
[r2-acl-basic-2000]rule deny source 172.16.0.30 0 //Reject a single IP (wildcard 0 = exact host)
[r2-acl-basic-2000]rule deny source 172.16.0.30 0.0.0.255 //Reject a range (wildcard 0.0.0.255 = the whole 172.16.0.0/24 segment)
[r2-acl-basic-2000]rule deny source any //Reject all
Note: The action can be changed to permit

[r2]interface GigabitEthernet 0/0/1
[r2-GigabitEthernet0/0/1]traffic-filter outbound acl 2000 //interface calls ACL

Advanced ACL: Because it can identify traffic more precisely, apply it as close to the source as possible when calling it.
[r1]acl 3000
[r1-acl-adv-3000]rule deny tcp source 172.16.0.10 0 destination 172.16.0.1 0 destination-port eq 23
(fields in order: protocol, source IP + wildcard, destination IP + wildcard, destination port number)

[r1]acl name vlan10 advance //Named ACL configuration method; the type is given as basic or advance

[r1]display acl all //View all ACL lists
Total quantity of nonempty ACL number is 2

Advanced ACL 3000, 2 rules
Acl's step is 5
rule 5 deny tcp source 172.16.0.10 0 destination 172.16.0.1 0 destination-port eq telnet
rule 10 deny icmp source 172.16.0.10 0 destination 172.16.0.66 0 (5 matches)

Advanced ACL vlan10 3999, 3 rules
Acl's step is 5
rule 5 deny ip source 1.1.1.1 0
rule 10 deny ip source 1.1.1.2 0
rule 15 deny ip source 1.1.1.3 0
(rule 5, 10, 15: serial numbers)

Note: When configuring ACL rules, the device automatically assigns rule serial numbers in steps of 5 (5, 10, 15, ...) for ordering.
Rules can be added and deleted by serial number, so a new rule can be inserted before an existing one by giving it a smaller number.
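To make the matching rules above concrete, here is a small simulator of VRP-style ACL evaluation. It is added here as a study aid and is not code from the original notes or from Huawei: it implements the wildcard mask ("0" bits must match, "1" bits are ignored), top-to-bottom first-match evaluation, automatic serial numbering in steps of 5, and insertion/deletion by serial number. The packets and the default action for unmatched traffic (permit) are assumptions made for the example; the ACL 3000 rules are the ones shown in the display output above.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The CLI keyword "any" is equivalent to 0.0.0.0 with an all-ones wildcard.
ANY_ADDR, ANY_WC = "0.0.0.0", "255.255.255.255"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """VRP wildcard mask: a 0 bit must equal the base address, a 1 bit is ignored.
    '172.16.0.30 0.0.0.0' is one host; '172.16.0.30 0.0.0.255' is all of 172.16.0.0/24."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Rule:
    number: int
    action: str                     # "permit" or "deny"
    protocol: str = "ip"            # "ip" matches every protocol; else tcp/udp/icmp
    src: str = ANY_ADDR
    src_wc: str = ANY_WC
    dst: str = ANY_ADDR
    dst_wc: str = ANY_WC
    dst_port: Optional[int] = None  # "destination-port eq N"

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ip" and pkt["proto"] != self.protocol:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return True


@dataclass
class ACL:
    number: int
    step: int = 5                   # "Acl's step is 5" in the display output
    rules: List[Rule] = field(default_factory=list)

    def add_rule(self, action: str, number: Optional[int] = None, **fields) -> int:
        """Add a rule; without an explicit number the device-style next multiple of
        the step after the highest existing number is used."""
        if number is None:
            top = max((r.number for r in self.rules), default=0)
            number = (top // self.step + 1) * self.step
        if any(r.number == number for r in self.rules):
            raise ValueError(f"rule {number} already exists")
        self.rules.append(Rule(number, action, **fields))
        self.rules.sort(key=lambda r: r.number)   # evaluation order = serial number
        return number

    def delete_rule(self, number: int) -> None:
        self.rules = [r for r in self.rules if r.number != number]

    def evaluate(self, pkt: dict) -> Tuple[str, Optional[int]]:
        """Top to bottom; the first matching rule decides and later rules are skipped.
        Assumption for this example: traffic matching no rule is permitted."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule.number
        return "permit", None


def build_acl_3000() -> ACL:
    """The two rules of Advanced ACL 3000 from the notes."""
    acl = ACL(3000)
    acl.add_rule("deny", protocol="tcp", src="172.16.0.10", src_wc="0.0.0.0",
                 dst="172.16.0.1", dst_wc="0.0.0.0", dst_port=23)        # rule 5
    acl.add_rule("deny", protocol="icmp", src="172.16.0.10", src_wc="0.0.0.0",
                 dst="172.16.0.66", dst_wc="0.0.0.0")                    # rule 10
    return acl


# Constructed sample packets (not captured traffic).
TELNET = {"proto": "tcp", "src": "172.16.0.10", "dst": "172.16.0.1", "dport": 23}
SSH = {"proto": "tcp", "src": "172.16.0.10", "dst": "172.16.0.1", "dport": 22}
PING = {"proto": "icmp", "src": "172.16.0.10", "dst": "172.16.0.66"}


if __name__ == "__main__":
    acl = build_acl_3000()
    for pkt in (TELNET, SSH, PING):
        print(pkt, "->", acl.evaluate(pkt))
    # Insert a permit before rule 5: first match now wins over the later deny.
    acl.add_rule("permit", number=3, protocol="tcp", src="172.16.0.10",
                 src_wc="0.0.0.0", dst="172.16.0.1", dst_wc="0.0.0.0", dst_port=23)
    print("after rule 3:", acl.evaluate(TELNET))
    acl.delete_rule(3)
    print("after undo rule 3:", acl.evaluate(TELNET))
```

Changing the order of two rules (or inserting one with a lower serial number) changes the outcome for overlapping traffic, which is why the notes say to add and delete by serial number rather than rewriting the whole list.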

Telnet service: remote login service
Works on TCP port 23 and uses a client/server (C/S) architecture.
[r1]user-interface vty 0 4
[r1-ui-vty0-4]authentication-mode aaa //Use username and password

[r1]aaa
[r1-aaa]local-user zhaobin privilege level 15 password cipher qwer1234

Actual operation

1. Set the IP address of each node.
2. Use static routes (ip route-static) to achieve full-network connectivity.
3. Turn on the Telnet service.
As shown in the figure, the user name of R1 is set to MUHAN and the password to 123456. R2 is configured the same way, with user name 2000928 and password 654321.

Requirements (all implemented with advanced ACLs):
PC1 cannot ping R1, and PC2 cannot log in to R1 via Telnet.

PC1 cannot log in to R2 via Telnet, and PC2 cannot ping R2.
Test

When the connection is blocked by the ACL, the Telnet attempt only shows an ellipsis and never reaches the login prompt.


The experiment succeeded; end of notes.

Origin blog.csdn.net/MHguitar/article/details/103059491