ACL Access Control List - standard access control list (Theory + Practice)

ACL (Access Control List) Overview

  • An access control list is a list of instructions applied to a router interface; it tells the router which packets to accept and which packets to reject.

  • Access control is the main strategy for preventing attacks and protecting network security; its main task is to ensure that network resources are not accessed or used without authorization. It is one of the most important core strategies for securing a network. Access control technology covers a broad range of means, including network access control, directory-level control and attribute control.

Common TCP port numbers and their functions

   Port     Protocol   Explanation
   21       FTP        Control port opened by the FTP server; port 20 carries the FTP data connection, port 21 the FTP control connection
   23       TELNET     Remote login; allows remote management of the target computer
   25       SMTP       Port opened by the SMTP server for sending mail
   80       HTTP       Hypertext Transfer Protocol; HTTPS (secure) uses port 443
   110      POP3       Used for receiving mail
   143      IMAP       For sending mail
   22       SSH        Encrypted remote login
   67, 68   DHCP       Automatic IP address assignment; the client request and the server reply use ports 67 and 68
   53       DNS        Domain Name System
   3389     RDP        Remote Desktop

Common UDP port numbers and their functions

   Port     Protocol   Explanation
   69       TFTP       Trivial File Transfer Protocol
   111      RPC        Remote Procedure Call
   123      NTP        Network Time Protocol

Access control lists filter on Layer 3 (IP) and Layer 4 (port, protocol) information; application firewalls filter at Layer 7.

  • Read the Layer 3 and Layer 4 header information
  • Filter packets based on predefined rules

Direction in which an access control list is applied to an interface (relative to the data direction)

  • Out: the packet has already been processed by the router and is leaving through the router interface
  • In: the packet has just arrived at the router interface and is about to be processed by the router

Access control list processing

Access control list processing (top-down, entries matched one by one; the default at the end is an implicit deny all)

Whitelist
permit 1.2
permit 1.3
deny all (need not be written)

Blacklist
deny 1.2
deny 1.3
permit all (must be written)

Standard Access Control Lists

  • Filter packets based on the source IP address
  • Standard access control lists use ACL numbers 1 to 99

Extended Access Control Lists

  • Filter packets based on source IP address, destination IP address, the specified protocol, and port flags
  • Extended access control lists use ACL numbers 100 to 199

Named Access Control Lists

  • Named access control lists allow a name to be used in place of the number in standard and extended access control lists

ACL configuration commands

1. Create an ACL

access-list access-list-number {permit | deny} source [source-wildcard]
//permit lets the packet through, deny rejects it; source [source-wildcard] controls only the source IP (the wildcard is the inverse of the subnet mask)

Examples

Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 1 permit 192.168.2.2 0.0.0.0
//permit traffic from 192.168.1.0/24 and from host 192.168.2.2

2. Delete an ACL

no access-list access-list-number  //deletes the whole ACL by its list number

3. Implicit deny statement

access-list 1 deny 0.0.0.0 255.255.255.255  //deny all IP addresses

4. Keywords

host  //followed by an IP address; no wildcard mask needs to be entered
any   //equivalent to 0.0.0.0 255.255.255.255, i.e. the "all IP addresses" entry used above to deny all

5. Apply the ACL to an interface

ip access-group access-list-number {in | out}
//apply on the interface closest to the side being controlled; in = inbound, out = outbound

6. Remove the ACL from an interface

no ip access-group access-list-number {in | out}
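The top-down, first-match, implicit-deny processing described above, together with the wildcard-mask, host and any forms of the access-list command, can be checked on paper with a small simulator. This is an added example, not code from the original post; the ACL entries are constructed from the post's own examples and the Python functions are hypothetical names, not a Cisco API.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    keep = ~w & 0xFFFFFFFF          # bits that must match exactly
    return (a & keep) == (b & keep)

def parse_ace(line):
    """Parse 'access-list N {permit|deny} source [wildcard]' into
    (number, action, base, wildcard); handles the host and any keywords."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("not a standard ACL entry: " + line)
    number, action, rest = int(tok[1]), tok[2], tok[3:]
    if rest[0] == "any":
        base, wild = "0.0.0.0", "255.255.255.255"
    elif rest[0] == "host":
        base, wild = rest[1], "0.0.0.0"
    else:
        base = rest[0]
        wild = rest[1] if len(rest) > 1 else "0.0.0.0"   # no wildcard = single host
    return number, action, base, wild

def evaluate(acl_lines, src_ip):
    """Top-down, first match wins; no match at all means implicit deny."""
    for line in acl_lines:
        _, action, base, wild = parse_ace(line)
        if wildcard_match(src_ip, base, wild):
            return action
    return "deny"   # the implicit deny-all at the end of every ACL

# Constructed from the post's examples (hypothetical inputs)
BLACKLIST = ["access-list 1 deny host 192.168.10.2",
             "access-list 1 permit any"]          # permit any must be written
BLACKLIST_MISSING_PERMIT = BLACKLIST[:1]           # forgot permit any -> blocks everyone
WHITELIST = ["access-list 1 permit 192.168.1.0 0.0.0.255",
             "access-list 1 permit 192.168.2.2 0.0.0.0"]  # deny all is implicit

if __name__ == "__main__":
    for ip in ("192.168.10.2", "192.168.10.3"):
        print(ip, evaluate(BLACKLIST, ip), evaluate(BLACKLIST_MISSING_PERMIT, ip))
```

Note how the blacklist without its final permit any denies 192.168.10.3 as well, which is exactly the "must be written" rule from the processing section.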

Standard ACL configuration examples

Requirement

Prohibit 192.168.10.2 from accessing PC3

Double-click the switch sw to configure it

sw#conf t    ##enter global configuration mode
sw(config)#no ip routing  ##turn off the routing function
sw(config)#int f1/0   ##enter interface f1/0
sw(config-if)#speed 100  ##the port connects to the router, so set the speed and duplex mode
sw(config-if)#duplex full

Double-click the router R1 to configure it

R1#conf t    ##global configuration mode
R1(config)#int f0/1
R1(config-if)#ip add 192.168.10.1 255.255.255.0  ##configure the gateway address
R1(config-if)#no shut  ##bring the interface up
R1(config-if)#int f0/0
R1(config-if)#ip add 192.168.20.1 255.255.255.0  ##configure the gateway address
R1(config-if)#no shut  ##bring the interface up

Configure the IP address and gateway of the three PCs, then test that they can ping each other

PC1> ip 192.168.10.2 192.168.10.1 
PC2> ip 192.168.10.3 192.168.10.1
PC3> ip 192.168.20.2 192.168.20.1

Open R1 and configure the access control list

R1#conf t    ##global configuration mode
R1(config)#access-list 1 deny host 192.168.10.2     ##prohibit 10.2 from passing
R1(config)#access-list 1 permit any         ##permit everything else (must be written)
R1(config)#do show access-list     ##display the access control list
Standard IP access list 1
    10 deny   192.168.10.2
    20 permit any
R1(config)#int f0/1
R1(config-if)#ip access-group 1 in  ##apply inbound on interface f0/1

Test that the 10.2 machine can no longer access PC3

Thanks for reading!

Origin blog.51cto.com/14080162/2442715