ACL--Access Control List

1. ACL

ACL (Access Control List) is an access control list. It reads the header information of layers 3 and 4 (this is where the four elements that identify a communication come from: source address, destination address, source port and destination port) and filters packets according to preset rules.

2. The application of ACL on the interface

At the inbound side: the packet is checked as it enters the router through the interface, before the router processes it.
At the outbound side: the packet is processed by the router first and then checked as it leaves through the interface.

3. The working principle of ACL

ACL working principle: when a packet passes through an interface that has an ACL applied, the router checks the packet against the ACL and then handles it accordingly.
In practice the packet is compared with the rules one by one from top to bottom until a rule matches, and it is then discarded or forwarded.

4. The role of ACL

1) Access control of packets (discard or forward)
2) Combined with other protocols, used to define the range of traffic that a policy matches

5. ACL types

Basic ACL (2000-2999): only the source IP address can be matched.
Advanced ACL (3000-3999): can match layer 3 and layer 4 fields such as source IP, destination IP, source port and destination port.
Layer 2 ACL (4000-4999): rules are formulated from layer 2 information such as source MAC address, destination MAC address, 802.1Q priority and layer 2 protocol type. Because a layer 2 ACL matches on MAC addresses, the rules have to be rewritten whenever a host is replaced, which is troublesome where hosts change frequently, so it is rarely used.
The commonly used types are the basic ACL and the advanced ACL.

6. Application principles and rules of ACL

Principles of ACL placement:
Basic ACL: apply it as close to the destination as possible (it can only match the source, so placing it near the source would also cut off traffic to destinations that should stay reachable).
Advanced ACL: apply it as close to the source as possible (unwanted traffic is dropped early, which saves bandwidth and other resources).

Application rules
1. Only one ACL can be applied in a given direction of an interface.
2. An ACL can contain multiple rules; they are sorted from small to large by rule ID and evaluated from top to bottom.
3. Once a packet matches a rule, it is not compared against the rules below it.
4. When used for packet access control, the default action is an implicit permit all (Huawei devices).

6.1 Basic ACL configuration

[Huawei]acl number 2000
### Create ACL 2000

[Huawei-acl-basic-2000]rule 5 deny source 192.168.1.1 0
### Deny traffic whose source address is 192.168.1.1; the wildcard 0 means only this host; 5 is the rule ID (optional, assigned automatically by the step value if omitted)

[Huawei-acl-basic-2000]quit

[Huawei]interface GigabitEthernet 0/0/1

[Huawei-GigabitEthernet0/0/1]ip address 192.168.2.254 24

[Huawei-GigabitEthernet0/0/1]traffic-filter outbound acl 2000
### Apply ACL 2000 in the outbound direction of the interface; outbound is the outgoing direction, inbound the incoming direction

[Huawei-GigabitEthernet0/0/1]undo shutdown

[Huawei-GigabitEthernet0/0/1]quit

[Huawei]acl number 2000
### Enter the ACL 2000 rule list again

[Huawei-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255
### permit allows the traffic, source is the source address, and the mask part is the wildcard (reverse) mask

[Huawei-acl-basic-2000]rule deny source any
### Deny all other traffic; "rule deny" on its own has the same effect

[Huawei-acl-basic-2000]quit

[Huawei]interface GigabitEthernet 0/0/1
### Enter the outbound interface

[Huawei-GigabitEthernet0/0/1]ip address 192.168.2.254 24

[Huawei-GigabitEthernet0/0/1]traffic-filter outbound acl 2000

6.2 Advanced ACL configuration

[Huawei]acl number 3000
### Denying a specific protocol (tcp, icmp) requires an advanced ACL, so the number starts from 3000

[Huawei-acl-adv-3000]rule deny icmp source 192.168.1.0 0.0.0.255 destination 192.168.3.1 0
### Deny ping (ICMP) from 192.168.1.0/24 to 192.168.3.1

[Huawei-acl-adv-3000]rule permit tcp source 192.168.1.3 0 destination 192.168.3.1 0 destination-port eq 80
### destination is the destination address, destination-port the destination port number; 80 can be written as www

[Huawei-acl-adv-3000]rule deny tcp source any destination 192.168.3.1 0 destination-port eq 80
### Explicitly deny every other source from reaching port 80 on 192.168.3.1 (the Huawei default is permit, so this deny has to be written out)

[Huawei-acl-adv-3000]rule deny tcp source 192.168.10.0 0.0.0.255 destination 12.0.0.2 0 destination-port eq 21
### Deny the 192.168.10.0 segment from accessing the FTP server 12.0.0.2 (the wildcard 0 after the destination address is required)

[Huawei-acl-adv-3000]display this
### Check that the current ACL configuration took effect

[Huawei-acl-adv-3000]quit

[Huawei]interface GigabitEthernet 0/0/1

[Huawei-GigabitEthernet0/0/1]ip address 192.168.2.254 24

[Huawei-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
### Apply the ACL in the inbound direction of the interface

[Huawei-GigabitEthernet0/0/1]undo traffic-filter inbound
### Remove the ACL from the inbound direction of the interface

[Huawei-GigabitEthernet0/0/1]quit

[Huawei]display acl 3000
### Display the ACL configuration

[Huawei]acl number 3000

[Huawei-acl-adv-3000]display this
### View the rule numbers

[Huawei-acl-adv-3000]undo rule 5
### Delete a single rule by its rule ID (5 here; look the ID up with display this first)

[Huawei-acl-adv-3000]quit

[Huawei]undo acl number 3000
### Delete the entire ACL
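To make the application rules in section 6 concrete (rules ordered by ID, first hit wins, the wildcard/reverse mask, and the implicit permit on Huawei devices), here is an added Python model, written for this page and not taken from the original post or from any Huawei tool, that parses the rule lines used in 6.1 and 6.2 and evaluates sample packets against them. The automatic rule-ID assignment (next multiple of the step, default 5), the two service-name mappings and the packet fields are assumptions.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # what "source any" / "destination any" expand to
PORT_NAMES = {"www": 80, "ftp": 21}      # assumption: service names accepted in place of port numbers

def _ip(s):  # Huawei writes a host wildcard as a bare "0"; expand it to 0.0.0.0
    return int(ipaddress.IPv4Address("0.0.0.0" if s == "0" else s))

def wildcard_match(addr, base, wildcard):
    care = ~_ip(wildcard) & 0xFFFFFFFF   # reverse mask: a 0 bit must match, a 1 bit is ignored
    return (_ip(addr) & care) == (_ip(base) & care)

class Rule:
    def __init__(self, rid, action, proto=None):          # proto None = any protocol (basic ACL)
        self.rid, self.action, self.proto = rid, action, proto
        self.src, self.dst, self.dport = ANY, ANY, None    # (address, wildcard) pairs and 'eq' port

class HuaweiAcl:
    """Model of 'acl number N': rules ordered by ID, first hit wins, no hit means permit."""
    def __init__(self, number, step=5):
        self.number, self.step, self.rules = number, step, []

    def rule(self, line):
        t = line.split()                 # e.g. ["rule", "5", "deny", "source", "192.168.1.1", "0"]
        has_id = t[1].isdigit()
        top = max((r.rid for r in self.rules), default=0)
        # assumption: an omitted ID becomes the next multiple of the step above the largest existing ID
        rid = int(t[1]) if has_id else (top // self.step + 1) * self.step
        i = 2 if has_id else 1
        r, i = Rule(rid, t[i]), i + 1
        if t[i] not in ("source", "destination", "destination-port"):
            r.proto, i = t[i], i + 1     # an advanced ACL names the protocol before the addresses
        while i < len(t):
            if t[i] in ("source", "destination"):
                val, n = (ANY, 2) if t[i + 1] == "any" else ((t[i + 1], t[i + 2]), 3)
                setattr(r, "src" if t[i] == "source" else "dst", val); i += n
            elif t[i] == "destination-port" and t[i + 1] == "eq":   # only 'eq' is modelled
                r.dport = int(t[i + 2]) if t[i + 2].isdigit() else PORT_NAMES[t[i + 2]]; i += 3
            else:
                raise ValueError(f"unsupported keyword: {t[i]}")
        self.rules = sorted([x for x in self.rules if x.rid != rid] + [r], key=lambda x: x.rid)
        return rid

    def check(self, src, dst, proto="ip", dport=None):
        for r in self.rules:             # smallest rule ID first; the first hit ends the search
            if r.proto in (None, proto) and r.dport in (None, dport) \
                    and wildcard_match(src, *r.src) and wildcard_match(dst, *r.dst):
                return r.action
        return "permit"                  # Huawei traffic-filter: no matching rule means permit
```

Feeding the ACL 3000 rules above into `HuaweiAcl(3000)` shows why the explicit `deny tcp ... eq 80` is needed: without it, a host other than 192.168.1.3 falls through every rule and is permitted by default.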

7. Experimental operation of ACL


7.1 Only allow PC1 to access 192.168.2.0/24

You can see that the PC1 host at 192.168.1.1 can be pinged, but the other hosts cannot be pinged.
Experiment completed

7.2 Prohibit the 192.168.1.0/24 network from pinging the web server

You can see that the ping fails, indicating that the 192.168.1.0/24 network has been denied access to the web server.

7.3 Only Client1 is allowed to access the WWW service of the Web server

You can access the WWW service of the Web server.

Origin blog.csdn.net/zhangyuebk/article/details/112435645