A must-see for beginners: basic and advanced access control lists (ACLs)


ACL principles: what is an ACL?

To filter packets, a device needs rules that state which packets may pass and which may not. These rules are expressed as an Access Control List (ACL).

An ACL filters packets according to the IP protocol number, source address, destination address, source port and destination port carried in each IP packet.

The user defines the ACL according to their own security policy and applies it either to the whole device or to a designated interface. The security gateway then checks every packet on all interfaces, or on the designated interface, against the ACL and forwards or discards it accordingly, thereby acting as a firewall.

Besides packet filtering, ACLs are also used for:

· QoS (Quality of Service), to classify and control traffic flows;

· DCC (dial control), where an ACL specifies the conditions that trigger dialing;

· Address translation (NAT);

· Routing policies, where an ACL filters which routes are accepted or advertised.

ACL number ranges and types

The number range an ACL is created in indicates its type, and the types are distinguished by purpose:

[Figure: table of ACL number ranges by type]

Basic access control list

A basic ACL (numbered 2000-2999 on Huawei devices) distinguishes packets by their source address only: the source address is the sole element used to define its rules.

Advanced access control list

The basic ACL is therefore very limited: it can match only on the source IP address, not on the destination IP address, port number, protocol number or other parameters, so it cannot meet every access-control requirement an administrator has. For finer control we also need advanced ACLs.

The advanced ACL extends the set of match fields, and its number range is 3000-3999. It can match on source IP address, destination IP address, IP precedence, IP protocol type, ICMP type, TCP source/destination port, UDP source/destination port, and more.

Because an advanced ACL can express more precise, richer and more flexible rules than a basic one, it is the more widely used of the two.

Experiment: use an advanced ACL that matches source and destination IP addresses to control network access

[Figure: experiment topology]

Experimental environment: R1, R2 and R3 run OSPF with all interfaces advertised into area 0. R2 has a loopback interface, loopback 0, with IP 2.2.2.2/32; R3 has two loopbacks, loopback 0 with IP 3.3.3.3/32 and loopback 30 with IP 30.30.30.30/32.

Experiment goal: use the filtering function of an advanced ACL so that only some of R3's IP addresses can remotely manage R2.

First build the topology shown in the figure, confirm that the OSPF neighbors come up and the network is fully reachable, and verify that R3 can log in to R2 by telnet.

Configuration explanation:

R1

ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 12.1.1.1 0.0.0.0
  network 13.1.1.1 0.0.0.0

R2

ospf 1 router-id 2.2.2.2
 area 0.0.0.0
  network 2.2.2.2 0.0.0.0
  network 12.1.1.2 0.0.0.0
user-interface vty 0 4                        the virtual terminal lines used for remote login
 authentication-mode password                 password-only authentication on the vty lines
 set authentication password cipher huawei    lab password only; outside the lab use a strong password and prefer SSH, since telnet sends it in cleartext
 protocol inbound all                         accept all inbound management protocols (telnet and SSH) on the vty lines

R3

ospf 1 router-id 3.3.3.3
 area 0.0.0.0
  network 3.3.3.3 0.0.0.0
  network 13.1.1.3 0.0.0.0
  network 30.30.30.30 0.0.0.0

Check connectivity and telnet

[Figures: ping and telnet from R3 to R2]

As the figures show, R3 can log in to R2 remotely both without specifying a source address and when a source address is specified (on VRP, telnet -a <source-address> <destination>).

Next, configure an advanced ACL on R2 so that 30.30.30.30/32 can no longer log in to R2 remotely while other addresses still can.

Configuration explanation:

[R2]acl 3000                                                                     create advanced ACL number 3000
[R2-acl-adv-3000]rule 10 deny ip source 30.30.30.30 0 destination 2.2.2.2 0      deny this source address access to this destination address (wildcard 0 means an exact host match)
[R2-acl-adv-3000]rule 20 permit ip source 3.3.3.3 0 destination 2.2.2.2 0       permit this source address access to this destination address
[R2]user-interface vty 0 4
[R2-ui-vty0-4]acl 3000 inbound                                                   apply ACL 3000 to the vty lines; inbound is the direction of the incoming login

Two points are worth checking before relying on this ACL. First, the goal that "other addresses are fine" relies on sources matching no rule still being allowed to log in, so rule 20 is redundant in this blacklist design; if you want an allowlist instead, finish the ACL with an explicit rule 30 deny ip, so that only 3.3.3.3 can open a session. Second, rule 10 names 2.2.2.2 as the destination, so a session from 30.30.30.30 to R2's other address 12.1.1.2 matches nothing and is still accepted; to block that source whatever address of R2 it targets, write rule 10 deny ip source 30.30.30.30 0 with no destination.

Next, test the result by accessing R2 from R3 with the blocked source address:

[Figures: telnet from R3 sourced from 30.30.30.30 to R2]

After the ACL is applied the session is rejected and times out, so 30.30.30.30 can no longer log in to R2 remotely. That's it for today's sharing; students can change the addresses and test further.
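To make the "change the addresses and test further" exercise concrete without a lab, here is a small Python model of how an advanced ACL such as ACL 3000 above is evaluated: wildcard-mask matching (a 0 bit must match, a 1 bit is "don't care", and a bare 0 means a host match), first match in ascending rule order, and a default action for packets that match no rule. This is an added example, not code from the original post or from any Huawei product; the default action of permit for unmatched packets, the hardened rule set, and the packets fed through it are assumptions constructed here to show the bypass to 12.1.1.2 and its fix.

```python
"""Toy model of advanced-ACL matching (added example, not from the original post)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = "0.0.0.0"
ANY_WC = "255.255.255.255"


def _wc(wildcard: str) -> str:
    # The CLI accepts a bare "0" as shorthand for the host wildcard 0.0.0.0
    return "0.0.0.0" if wildcard == "0" else wildcard


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard-mask match: a 0 bit in the mask must match exactly, a 1 bit is ignored."""
    a, r, w = (int(IPv4Address(x)) for x in (addr, rule_addr, _wc(wildcard)))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (r & care)


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "tcp"
    dport: Optional[int] = None


@dataclass
class Rule:
    number: int
    action: str                  # "permit" or "deny"
    protocol: str = "ip"         # "ip" matches any IP protocol
    source: str = ANY
    source_wc: str = ANY_WC
    destination: str = ANY
    destination_wc: str = ANY_WC
    destination_port: Optional[int] = None   # only meaningful for tcp/udp

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        if self.destination_port is not None and self.destination_port != pkt.dport:
            return False
        return (wildcard_match(pkt.src, self.source, self.source_wc)
                and wildcard_match(pkt.dst, self.destination, self.destination_wc))


@dataclass
class AdvancedAcl:
    number: int
    rules: List[Rule] = field(default_factory=list)
    default_action: str = "permit"   # assumed behaviour for unmatched packets

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """First matching rule wins, rules taken in ascending rule-number order."""
        for rule in sorted(self.rules, key=lambda r: r.number):
            if rule.matches(pkt):
                return rule.action, rule.number
        return self.default_action, None


# ACL 3000 exactly as configured on R2 in the lab above.
LAB_ACL = AdvancedAcl(3000, [
    Rule(10, "deny", "ip", "30.30.30.30", "0", "2.2.2.2", "0"),
    Rule(20, "permit", "ip", "3.3.3.3", "0", "2.2.2.2", "0"),
])

# Hardened variant (constructed here): block the source whatever address it
# targets, permit only telnet from the management loopback, then deny the rest.
HARDENED_ACL = AdvancedAcl(3000, [
    Rule(10, "deny", "ip", "30.30.30.30", "0"),
    Rule(20, "permit", "tcp", "3.3.3.3", "0", "2.2.2.2", "0", destination_port=23),
    Rule(30, "deny", "ip"),
])

# Constructed test traffic: the two lab sessions plus the "other address" cases.
TELNET_FROM_LO30 = Packet("30.30.30.30", "2.2.2.2", "tcp", 23)
TELNET_FROM_LO0 = Packet("3.3.3.3", "2.2.2.2", "tcp", 23)
TELNET_LO30_TO_OTHER_IF = Packet("30.30.30.30", "12.1.1.2", "tcp", 23)
TELNET_FROM_R1 = Packet("12.1.1.1", "2.2.2.2", "tcp", 23)

if __name__ == "__main__":
    for name, acl in (("lab", LAB_ACL), ("hardened", HARDENED_ACL)):
        for pkt in (TELNET_FROM_LO30, TELNET_FROM_LO0, TELNET_LO30_TO_OTHER_IF, TELNET_FROM_R1):
            action, rule = acl.evaluate(pkt)
            print(f"{name:8} {pkt.src:>12} -> {pkt.dst:<9} {action:6} (rule {rule})")
```

Running it shows the lab ACL denying 30.30.30.30 only when the destination is 2.2.2.2, while the same source reaching 12.1.1.2 falls through to the default; the hardened rule set denies it by rule 10 and, because it ends in an explicit deny, also turns R1 away.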


Source: blog.csdn.net/ZYJY2020/article/details/113848393