【Computer Network】ACL working principle and standard

What is an ACL

An access control list (ACL) is an ordered list of permit and deny statements (access control entries, ACEs) that a router compares against packet headers, one entry at a time, until the first match. Once configured, an ACL performs the following tasks:

Limit network traffic to improve network performance. For example, if company policy does not allow video traffic on the network, an ACL should be configured and applied to block it. This can significantly reduce network load and improve performance.

Provide traffic flow control. An ACL can restrict the delivery of routing updates so that updates are accepted only from a known source.

Provide a basic level of network access security. An ACL can allow one host to access part of the network while preventing other hosts from reaching the same area. For example, the Human Resources network can be restricted to authorized users only.

Filter traffic based on traffic type. For example, an ACL can permit email traffic but block all Telnet traffic.

Screen hosts to permit or deny access to network services. An ACL can permit or deny user access to particular services such as FTP or HTTP.

How ACLs work

An ACL defines a set of rules that impose additional control over packets entering an inbound interface, packets relayed through a router, and packets exiting a router's outbound interface. ACLs have no effect on packets generated by the router itself.

As shown, ACLs can be configured to apply to both inbound and outbound traffic.
[Figure: an ACL applied inbound and outbound on a router interface]

Inbound ACL - Incoming packets are processed before being routed to the outbound interface. Inbound ACLs are very efficient because they save the overhead of performing a route lookup if the packet is dropped. If the ACL allows the packet, it is processed for routing. Inbound ACLs are best used to filter packets when the network connected to the inbound interface is the only source of packets that need to be inspected.

Outbound ACL - After incoming packets are routed to the outbound interface, they are processed by the outbound ACL. Outbound ACLs are best used when the same filter is applied to packets from multiple inbound interfaces before passing through the same outbound interface.

ACL wildcard mask

Wildcard masking rules

IPv4 access control entries (ACEs) include wildcard masks. A wildcard mask is a string of 32 binary digits that a router uses to determine which bits of an address to check for a match.

As with subnet masks, the digits 1 and 0 in a wildcard mask identify how the corresponding IPv4 address bits are handled. However, in wildcard masks, the bits are used differently and the rules are followed differently.

The difference between wildcard masks and subnet masks is how they match binary 1s and 0s. Wildcard masks match binary 1s and 0s using the following rules:

  • wildcard mask bit 0 - matches the value of the corresponding bit in the address
  • wildcard mask bit 1 - ignore the value of the corresponding bit in the address

[Figure: examples of wildcard masks applied to IPv4 addresses]

The figure above shows how different wildcard masks filter IPv4 addresses.

wildcard mask keyword

Typing the decimal form of a wildcard mask can be tedious and error-prone. The keywords host and any stand in for the two most common wildcard masks, so there is no need to type a mask when an ACE refers to a single host or to every address. These keywords also provide a visual cue about the source and destination of the condition, making ACLs easier to read.

The host keyword replaces the 0.0.0.0 mask. This mask indicates that all 32 bits of the IPv4 address must match, which selects a single host address.

The any option can be substituted for the IPv4 address and the 255.255.255.255 mask. This mask indicates that the entire IPv4 address is ignored, which means that any address is accepted.

[Figure: the host and any keywords and the wildcard masks they replace]

Example 1: Wildcard masking procedure to match a single IPv4 address

In example 1 in the figure, instead of entering 192.168.10.10 0.0.0.0, we could use host 192.168.10.10.

Example 2: Wildcard masking procedure to match all IPv4 addresses

In Example 2 of the figure, instead of entering 0.0.0.0 255.255.255.255, we could have used the keyword any.
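The two wildcard rules above (mask bit 0 means "this address bit must match", mask bit 1 means "ignore this bit") and the host/any keyword shortcuts can be checked in a few lines of code. The following is an added example, not code from the original article; it implements the matching rule bit-for-bit and also handles a non-contiguous wildcard (0.0.254.255), which a subnet mask cannot express. The function names and the sample addresses are my own.

```python
import ipaddress


def _to_int(dotted):
    """Convert a dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address, source, wildcard):
    """Apply the wildcard rules from the text.

    A 0 bit in the wildcard means the corresponding address bit must equal
    the ACE's source bit; a 1 bit means that position is ignored.
    """
    care = (~_to_int(wildcard)) & 0xFFFFFFFF          # bits we must check
    return (_to_int(address) & care) == (_to_int(source) & care)


def wildcard_for_prefix(prefix_len):
    """Wildcard mask for a /prefix network: the bit-inverse of the subnet mask."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def normalize_source(tokens):
    """Expand the IOS shorthand into an explicit (address, wildcard) pair.

    'host A'  -> (A, 0.0.0.0)
    'any'     -> (0.0.0.0, 255.255.255.255)
    'A'       -> (A, 0.0.0.0)   IOS defaults a missing wildcard to 0.0.0.0
    'A W'     -> (A, W)
    """
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255"
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0"
    if len(tokens) == 1:
        return tokens[0], "0.0.0.0"
    return tokens[0], tokens[1]


if __name__ == "__main__":
    # Constructed sample addresses, chosen to illustrate each rule.
    checks = [
        ("single host", "192.168.10.10", "192.168.10.10", "0.0.0.0"),
        ("single host, wrong", "192.168.10.11", "192.168.10.10", "0.0.0.0"),
        ("any", "10.1.2.3", "0.0.0.0", "255.255.255.255"),
        ("/20 block", "192.168.20.7", "192.168.16.0", "0.0.15.255"),
        ("/20 block, outside", "192.168.32.1", "192.168.16.0", "0.0.15.255"),
        # Non-contiguous wildcard: only even third octets match.
        ("even 3rd octet", "192.168.10.5", "192.168.0.0", "0.0.254.255"),
        ("odd 3rd octet", "192.168.11.5", "192.168.0.0", "0.0.254.255"),
    ]
    for label, addr, src, wc in checks:
        print(f"{label:22} {addr:15} vs {src} {wc}: {wildcard_match(addr, src, wc)}")
    print("host 192.168.10.10 ->", normalize_source(["host", "192.168.10.10"]))
    print("any                ->", normalize_source(["any"]))
    print("/24 wildcard       ->", wildcard_for_prefix(24))
```

The non-contiguous case is the one to remember when reviewing someone else's ACL: a wildcard such as 0.0.254.255 is legal and matches every other /24, so a mask that "looks almost like" 0.0.255.255 may permit far less, or far more, than intended.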

ACL Creation Principles

An ACL can be configured for each protocol (per protocol), each direction (per direction), and each interface (per interface):

  • One ACL per protocol - To control traffic on an interface, a separate ACL must be defined for each routed protocol enabled on it (for example, one for IPv4 and one for IPv6).
  • One ACL per direction - An ACL controls traffic in only one direction on an interface. To control both inbound and outbound traffic, two ACLs must be applied.
  • One ACL per interface - Only one ACL per protocol per direction can be applied to a given interface (for example, GigabitEthernet 0/0). The same ACL may, however, be applied to several interfaces.

Taken together, an interface with both IPv4 and IPv6 enabled can carry up to four ACLs (two protocols times two directions); a router with two such interfaces could therefore have up to eight ACLs applied.

Use ACLs with care and attention to detail. Making a mistake can have costly consequences such as downtime, time-consuming troubleshooting, and poor network service. Before configuring ACLs, basic planning must be done. The guidelines shown in the figure are the basis for implementing ACL best practices.

[Figure: ACL best-practice guidelines]

ACL Placement Principles

Proper placement of ACLs can make the network operate more efficiently. ACLs can be placed to reduce unnecessary traffic. For example, traffic that would be denied by a remote destination should not consume network resources on the route to that destination for forwarding.

Every ACL should be placed where it can do the most good. As shown in the figure, the basic rules are as follows:

  • Extended ACL - Place the extended ACL as close as possible to the source of the traffic that needs to be filtered. This way, unwanted traffic is denied close to the source network, without going through the network infrastructure.
  • Standard ACL - Since a standard ACL does not specify a destination address, it should be located as close to the destination as possible. Placing a standard ACL near the source of the traffic effectively prevents traffic from reaching any other network through the interface to which the ACL is applied.

[Figure: topology with 192.168.10.0/24, R1, R2, R3, 192.168.30.0/24 and 192.168.31.0/24]

The topology in the figure above is used to demonstrate how standard ACLs can be placed. An administrator wants to prevent traffic originating on the 192.168.10.0/24 network from reaching the 192.168.30.0/24 network.

Following the basic placement principle of placing a standard ACL close to the destination, the figure shows the interfaces on R3 to which a standard ACL might be applied:

  • R3 S0/0/1 interface - Applying a standard ACL to block traffic from 192.168.10.0/24 from entering the S0/0/1 interface will prevent that traffic from reaching 192.168.30.0/24 and all other networks reachable through R3. This will include the 192.168.31.0/24 network. Since the intent of the ACL is to filter only traffic destined for 192.168.30.0/24, the standard ACL should not be applied to this interface.
  • R3 G0/0 interface - Applying a standard ACL to traffic going out of the G0/0 interface filters packets sent from 192.168.10.0/24 to 192.168.30.0/24. This does not affect other networks reachable through R3. Packets from 192.168.10.0/24 can still reach 192.168.31.0/24.

Configure Standard IPv4 ACL

Configure Standard IP Access Control List

The full syntax of the standard ACL command is as follows:

Router(config)# access-list access-list-number { deny | permit | remark } source [ source-wildcard ] [ log ]

Entries are evaluated top to bottom and the first match wins; every ACL ends with an implicit deny any, so a list that contains only deny statements blocks all traffic. To delete an ACL, use the global configuration command no access-list access-list-number (for example, no access-list 10). Issue the show access-lists command to confirm that the list has been removed.
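The placement discussion above (R3 S0/0/1 inbound versus G0/0 outbound) and the standard ACL syntax can be tied together in a small simulator. This is an added example, not code from the original article: it parses access-list lines in the syntax just given, evaluates them first-match with the implicit deny at the end, and models R3 as described in the placement section (ingress S0/0/1, G0/0 toward 192.168.30.0/24, G0/1 toward 192.168.31.0/24). The interface name G0/1, the routing table, the sample packets and the ACL number 10 are assumptions made for the demonstration.

```python
import ipaddress
from dataclasses import dataclass


def _wc_match(addr, source, wildcard):
    """Wildcard match: a 0 bit in the wildcard means the bit must match."""
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(source)) & care)


@dataclass
class ACE:
    action: str            # "permit" or "deny"
    source: str
    wildcard: str = "0.0.0.0"


def parse_standard_acl(config):
    """Parse 'access-list N {permit|deny|remark} source [wildcard] [log]' lines.

    Returns {list_number: [ACE, ...]} in configuration order. Remarks are
    kept out of the match list, as IOS does; a missing wildcard means 0.0.0.0.
    """
    acl = {}
    for line in config.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        number, action, rest = tokens[1], tokens[2], tokens[3:]
        if action == "remark":
            continue
        if rest[0] == "any":
            source, wildcard = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            source, wildcard = rest[1], "0.0.0.0"
        else:
            source = rest[0]
            wildcard = rest[1] if len(rest) > 1 and rest[1] != "log" else "0.0.0.0"
        acl.setdefault(number, []).append(ACE(action, source, wildcard))
    return acl


def evaluate(aces, src_ip):
    """First matching ACE wins; no match falls through to the implicit deny any."""
    for ace in aces:
        if _wc_match(src_ip, ace.source, ace.wildcard):
            return ace.action
    return "deny"


# Constructed model of R3 from the placement section (assumed routing table).
R3_INGRESS = "S0/0/1"
R3_ROUTES = {"192.168.30.0/24": "G0/0", "192.168.31.0/24": "G0/1"}


def forward(packet, aces, apply_on, direction):
    """Simulate R3 with one standard ACL applied on `apply_on` in `direction`.

    An inbound ACL runs on the ingress interface before the route lookup;
    an outbound ACL runs on the egress interface after routing.
    """
    src, dst = packet
    if apply_on == R3_INGRESS and direction == "in" and evaluate(aces, src) == "deny":
        return "dropped"
    egress = next((iface for net, iface in R3_ROUTES.items()
                   if ipaddress.ip_address(dst) in ipaddress.ip_network(net)), None)
    if egress is None:
        return "no route"
    if apply_on == egress and direction == "out" and evaluate(aces, src) == "deny":
        return "dropped"
    return f"forwarded via {egress}"


# Constructed ACL for the article's goal: stop 192.168.10.0/24 reaching 192.168.30.0/24.
ACL_CONFIG = """
access-list 10 remark block 192.168.10.0/24 from 192.168.30.0/24
access-list 10 deny 192.168.10.0 0.0.0.255
access-list 10 permit any
"""

# Constructed sample packets: (source, destination).
PACKETS = [
    ("192.168.10.5", "192.168.30.9"),   # should be blocked
    ("192.168.10.5", "192.168.31.9"),   # should still be allowed
    ("192.168.20.5", "192.168.30.9"),   # unrelated source, allowed
]

if __name__ == "__main__":
    aces = parse_standard_acl(ACL_CONFIG)["10"]
    for placement in (("S0/0/1", "in"), ("G0/0", "out")):
        print(f"ACL 10 applied {placement[1]} on {placement[0]}:")
        for pkt in PACKETS:
            print(f"  {pkt[0]} -> {pkt[1]}: {forward(pkt, aces, *placement)}")
```

Running it shows the collateral damage described in the text: applied inbound on S0/0/1, the ACL drops the 192.168.10.5 packet bound for 192.168.31.0/24 as well, because a standard ACL cannot see the destination; applied outbound on G0/0, only the packet for 192.168.30.0/24 is dropped.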

Origin blog.csdn.net/weixin_45884316/article/details/123588955