ACL access control list and command configuration

1. Access control list

(1) Overview

1. The ACL reads the Layer 3 and Layer 4 header information of a packet and filters the packet according to pre-defined rules:
IP header: source address, destination address
TCP header: source port, destination port
Data: (payload)
2. Working principle of the access control list
(1) An ACL is applied to an interface in one direction. Out: packets that have already been processed by the router and are leaving the router interface. In: packets that have arrived at the router interface and are about to be processed by the router.
(2) For packets reaching an interface on which an ACL is applied, Huawei devices implicitly permit everything by default (a packet matched by no rule is let through).
(3) ACL working principle: when a packet passes through an interface on which an ACL is enabled, the router checks the packet against the ACL rules and then takes the corresponding action (permit or deny).

(2) The role of ACL

(1) Access control: filtering packets.
(2) Combined with other protocols, to define the range of traffic those protocols act on.

(3) Types of acl

Basic ACL (2000~2999): can only match the source IP address.
Advanced ACL (3000~3999): can match the source IP, destination IP, source port, destination port and other Layer 3 and Layer 4 fields.
Layer 2 ACL (4000~4999): rules are formulated from Layer 2 information of the packet, such as the source MAC address, destination MAC address, 802.1q priority and Layer 2 protocol type.

(4) Application principles of acl

Basic ACL: apply it as close to the destination as possible (it matches only the source address, so applying it near the source would block that source's traffic to every destination).
Advanced ACL: apply it as close to the source as possible (unwanted traffic is dropped early, which protects bandwidth and other resources along the path).

(5) ACL application rules

1. Only one ACL can be applied in the same direction of an interface.
2. An ACL can contain multiple rules; they are sorted from small to large by rule ID and evaluated from top to bottom.
3. Once a packet is matched by a rule, matching stops and later rules are not checked.
4. When used for packet access control, traffic matched by no rule is implicitly permitted by default (Huawei devices).

2. Configuration commands


(1) Router configuration

[Huawei]sysname r1
[r1]user-interface console 0
[r1-ui-console0]idle-timeout 0 0
[r1-ui-console0]q
[r1]undo info-center enable
[r1]int g0/0/0
[r1-GigabitEthernet0/0/0]ip add 192.168.1.254 24
[r1-GigabitEthernet0/0/0]undo shutdown
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[r1-GigabitEthernet0/0/0]int g0/0/2
[r1-GigabitEthernet0/0/2]ip add 192.168.2.1 24
[r1-GigabitEthernet0/0/2]undo shutdown
Info: Interface GigabitEthernet0/0/2 is not shutdown.
[r1-GigabitEthernet0/0/2]int g0/0/1
[r1-GigabitEthernet0/0/1]ip add 192.168.3.254 24
[r1-GigabitEthernet0/0/1]undo shutdown
Info: Interface GigabitEthernet0/0/1 is not shutdown.
[r1-GigabitEthernet0/0/1]q
[r1]acl number 2000
[r1-acl-basic-2000]rule permit source 192.168.1.1 0 ### Permit the IP of PC1; a wildcard of 0 matches a single host. To permit a whole network segment, use the corresponding wildcard (inverse) mask instead.
[r1-acl-basic-2000]rule deny
[r1-acl-basic-2000]dis this
[V200R003C00]

acl number 2000
rule 5 permit source 192.168.1.1 0
rule 10 deny

return
[r1]int g0/0/2
[r1-GigabitEthernet0/0/2]traffic-filter outbound acl 2000
[r1-GigabitEthernet0/0/2]acl 3000
[r1-acl-adv-3000]rule deny icmp source 192.168.1.0 0.0.0.255 destination 192.168.3.1 0 ### Prohibit ping from the whole 192.168.1.0/24 segment to 192.168.3.1
[r1-acl-adv-3000]rule permit tcp source 192.168.1.3 0 destination 192.168.3.1 0 destination-port eq 80
[r1-acl-adv-3000]rule deny tcp source any destination 192.168.3.1 0 destination-port eq 80
[r1-acl-adv-3000]int g0/0/0
[r1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
[r1-GigabitEthernet0/0/0]
View the ACL configuration: [r1]display acl 3000
View the rule numbers: [r1-acl-adv-3000]dis this
Delete a single ACL rule: [r1-acl-adv-3000]undo rule 5
Delete the entire ACL: [r1]undo acl number 3000
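To see how the application rules above (ascending rule ID, first match wins, implicit permit) combine with wildcard masks, here is an added Python simulator of the r1 configuration; it is not part of the original post or of Huawei's software, and the rule IDs 5/10/15 for acl 3000 assume the default step of 5.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei wildcard (inverse) mask: a 0 bit must match exactly, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)

@dataclass
class Rule:
    rule_id: int
    action: str                     # "permit" or "deny"
    proto: str = "any"              # "any", "icmp" or "tcp"
    src: str = "0.0.0.0"            # default src/dst "any" = 0.0.0.0 with all-ones wildcard
    src_wild: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"
    dst_port: Optional[int] = None  # only meaningful for tcp rules here

    def matches(self, pkt: dict) -> bool:
        if self.proto != "any" and pkt["proto"] != self.proto:
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return (wildcard_match(pkt["src"], self.src, self.src_wild)
                and wildcard_match(pkt["dst"], self.dst, self.dst_wild))

def evaluate(rules, pkt: dict):
    """Rules are checked in ascending rule-ID order and the first match decides;
    a packet matched by no rule is permitted (traffic-filter default on Huawei)."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(pkt):
            return rule.action, rule.rule_id
    return "permit", None

# Constructed rule sets mirroring "acl number 2000" and "acl 3000" configured on r1 above.
ACL_2000 = [
    Rule(5, "permit", src="192.168.1.1", src_wild="0.0.0.0"),   # PC1 only
    Rule(10, "deny"),                                            # everything else
]
ACL_3000 = [
    Rule(5, "deny", "icmp", "192.168.1.0", "0.0.0.255", "192.168.3.1", "0.0.0.0"),
    Rule(10, "permit", "tcp", "192.168.1.3", "0.0.0.0", "192.168.3.1", "0.0.0.0", 80),
    Rule(15, "deny", "tcp", "0.0.0.0", "255.255.255.255", "192.168.3.1", "0.0.0.0", 80),
]
```

Swapping the order of rules 10 and 15 in ACL_3000 shows why the host permit must come before the "source any" deny: with first-match semantics the broader deny would otherwise shadow it.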


Origin blog.csdn.net/weixin_53567573/article/details/112649139