Router ACL

ACL access control list

  1. Access Control List

  2. ACL is a packet filtering technology.

  3. ACL filters on the IP addresses in the IP packet header (Layer 3) and the port numbers in the TCP/UDP header (Layer 4); it does not look at Layer 5 (application) data, so it is
    a Layer 3 / Layer 4 filter

  4. ACL is configured on the router or on the firewall (on a firewall it is generally called a policy)

  5. ACL is mainly divided into 2 categories:
    1) Standard ACL
    2) Extended ACL

  6. Standard ACL:
    Table number: 1-99
    Features: filters packets based on the source IP only
    Command:
    conf t
    access-list <table number> permit/deny <source IP or source network segment> <wildcard mask>
    Note: wildcard mask (inverse subnet mask): invert every 0 and 1 bit of the normal subnet mask
    255.0.0.0 – 0.255.255.255
    255.255.0.0 – 0.0.255.255
    255.255.255.0 – 0.0.0.255
    Function of the wildcard mask: it defines the match condition. Address bits under a 0 in the wildcard must match exactly; bits under a 1 are ignored!

    For example: access-list 1 deny 10.0.0.0 0.255.255.255
    Explanation: this entry denies every packet whose source IP starts with 10!

    access-list 1 deny 10.1.1.1 0.0.0.0
    Explanation: this entry denies every host whose source IP is 10.1.1.1
    Shorthand: access-list 1 deny host 10.1.1.1

    access-list 1 deny 0.0.0.0 255.255.255.255
    Explanation: this entry denies everyone
    Shorthand: access-list 1 deny any


The complete case:
conf t
acc 1 deny host 10.1.1.1
acc 1 deny 20.1.1.0 0.0.0.255
acc 1 permit any

View the ACL table:
show ip access-list [table ID]

Apply ACL to the interface:
int f0/x
ip access-group table number in/out
exit

sh run

7. Extended ACL:
Table number: 100-199
Features: can filter packets based on source IP, destination IP, port number, protocol, etc.
Command:
acc 100 permit/deny <protocol> <source IP or source network segment> <wildcard mask> <destination IP or destination network segment> <wildcard mask> [eq <port number>]
Note: protocol: tcp/udp/icmp/ip

Example:
acc 100 permit tcp host 10.1.1.1 host 20.1.1.3 eq 80
acc 100 permit icmp host 10.1.1.1 20.1.1.0 0.0.0.255
acc 100 deny ip host 10.1.1.1 20.1.1.0 0.0.0.255
acc 100 permit ip any any

8. ACL principles
    1) An ACL table only takes effect once it is applied to the inbound or outbound direction of an interface!
    2) Only one table can be applied per direction per interface!
    3) Apply it in the in or out direction? That depends on the overall direction of the traffic you want to control.
    4) The ACL table is checked strictly from top to bottom, entry by entry, so the order in which entries are written matters.
    5) Each entry consists of a condition and an action. When a packet fully matches an entry's condition, that entry's action is applied; when it does not match, checking continues with the next entry.
    6) Place a standard ACL as close to the destination as possible.
    7) Writing principles:
        1) For traffic control, first decide where the ACL is written (which router? which interface and which direction?)
        2) Then decide how to write the ACL.
        3) How to write it?
        First decide whether the default is to permit all or deny all,
        then, when writing, put the strict (more specific) controls at the front
    8) Once a numbered standard or extended ACL is written, its entries cannot be modified or deleted individually: you cannot change the order, nor insert new entries in the middle; you can only append new entries at the end.
    To modify, insert or delete an entry, you must delete the whole table and write it again!
    conf t
    no access-list <table number>
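To make the wildcard-mask rule (item 6) and the top-down, first-match processing order (item 8) concrete, here is an offline simulator written for this page; it is an added example, not code from the original post or from Cisco. It parses the page's own `access-list` / `acc` lines for the standard (1-99) and extended (100-199) forms and evaluates constructed packets against them. One behaviour the page does not spell out but every IOS ACL has: a packet that matches no entry is dropped by the implicit deny at the end of the list, which is why the page's examples finish with `permit any`.

```python
"""Offline simulator of Cisco-style numbered ACL matching (added example, not the post's code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # 'any': every address bit is ignored


@dataclass
class Packet:
    src: str
    dst: str = "0.0.0.0"          # standard ACLs never look at dst/proto/port
    proto: str = "ip"
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str                   # "permit" or "deny"
    src: Tuple[str, str]          # (address, wildcard mask)
    dst: Tuple[str, str] = ANY
    proto: str = "ip"             # "ip" matches every IP protocol
    port: Optional[int] = None    # destination port (extended ACLs, 'eq')


def wildcard_from_mask(mask: str) -> str:
    """Invert a subnet mask into a wildcard mask, e.g. 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Bits that are 0 in the wildcard must equal `base`; bits that are 1 are ignored."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _take_addr(tokens: List[str]) -> Tuple[str, str]:
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (tok, tokens.pop(0))


def parse_entry(line: str) -> Tuple[int, Entry]:
    """Parse one 'access-list N ...' line (or the 'acc N ...' abbreviation used on the page)."""
    tokens = line.split()
    if tokens[0] not in ("access-list", "acc"):
        raise ValueError(f"not an access-list line: {line!r}")
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    if 1 <= number <= 99:                      # standard ACL: source address only
        return number, Entry(action, _take_addr(rest))
    if 100 <= number <= 199:                   # extended ACL: proto src dst [eq port]
        proto = rest.pop(0)
        src, dst = _take_addr(rest), _take_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        return number, Entry(action, src, dst, proto, port)
    raise ValueError(f"unsupported ACL number {number}")


def parse_acl(config: str) -> Tuple[int, List[Entry]]:
    """Parse the lines of one numbered ACL, keeping the order they were written in."""
    numbers, entries = set(), []
    for line in config.strip().splitlines():
        n, e = parse_entry(line.strip())
        numbers.add(n)
        entries.append(e)
    if len(numbers) != 1:
        raise ValueError("all lines must belong to a single ACL number")
    return numbers.pop(), entries


def matches(entry: Entry, pkt: Packet) -> bool:
    return (wildcard_match(pkt.src, *entry.src)
            and wildcard_match(pkt.dst, *entry.dst)
            and entry.proto in ("ip", pkt.proto)
            and (entry.port is None or entry.port == pkt.dport))


def evaluate(entries: List[Entry], pkt: Packet) -> str:
    """Top-down, first match wins; a packet matching no entry hits the implicit deny."""
    for entry in entries:
        if matches(entry, pkt):
            return entry.action
    return "deny"


# The two ACLs from the page, as written there (constructed test input).
STANDARD_ACL = """
acc 1 deny host 10.1.1.1
acc 1 deny 20.1.1.0 0.0.0.255
acc 1 permit any
"""
EXTENDED_ACL = """
acc 100 permit tcp host 10.1.1.1 host 20.1.1.3 eq 80
acc 100 permit icmp host 10.1.1.1 20.1.1.0 0.0.0.255
acc 100 deny ip host 10.1.1.1 20.1.1.0 0.0.0.255
acc 100 permit ip any any
"""

if __name__ == "__main__":
    _, std = parse_acl(STANDARD_ACL)
    for src in ("10.1.1.1", "20.1.1.77", "20.1.2.5", "30.0.0.1"):
        print(f"ACL 1   src={src:<10} -> {evaluate(std, Packet(src))}")
    _, ext = parse_acl(EXTENDED_ACL)
    for pkt in (Packet("10.1.1.1", "20.1.1.3", "tcp", 80), Packet("10.1.1.1", "20.1.1.3", "tcp", 443),
                Packet("10.1.1.1", "20.1.1.9", "icmp"), Packet("10.1.1.2", "20.1.1.3", "tcp", 80)):
        print(f"ACL 100 {pkt} -> {evaluate(ext, pkt)}")
    # Drop the trailing 'permit any' and the third source falls through to the implicit deny.
    print("ACL 1 without 'permit any', src=30.0.0.1 ->", evaluate(std[:2], Packet("30.0.0.1")))
```

Running it shows the ordering rule from the page directly: the same packet from 10.1.1.1 to 20.1.1.3 is permitted on TCP/80 but denied on TCP/443, because the first entry no longer matches and the third (the deny for the whole 20.1.1.0/24 segment) is reached before the final `permit ip any any`. The last line shows why forgetting the closing `permit` entry turns the list into a deny-all.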

9. Named ACL:
Function: you can give a standard or extended ACL a custom name instead of a number.
Advantages: a custom name is easier to recognise and easier to remember!
Individual entries can be modified, deleted, or inserted in the middle of the table

Command:
conf t
ip access-list standard/extended <custom table name>
Then write the ACL entries one per line, each starting with deny or permit
exit when finished

Delete an entry :
ip access-list standard/extended custom table name
no entry ID
exit

Insert an entry :
ip access-list standard/extended custom table name
entry ID action condition
exit

Origin blog.csdn.net/bjgaocp/article/details/114254523