ACL (Access Control List) theory

Access Control List (ACL)

An ACL reads the layer-3 and layer-4 headers of each packet and filters it according to packet-filtering rules defined in advance.

Direction in which an access control list is applied to an interface

The direction of the list on an interface refers to the direction of the data flow:

out: the packet has already been processed by the router and is leaving through the interface;
in: the packet has arrived at the interface and has not yet been processed by the router.

Access control list processing

Types of access control lists

Standard Access Control Lists

  • Filter packets based on the source IP address only;
  • Standard ACLs are numbered from 1 to 99.

Extended Access Control Lists

  • Filter packets based on source IP address, destination IP address, protocol, port number and flags;
  • Extended ACLs are numbered from 100 to 199.

Named Access Control Lists

  • Named ACLs allow a name to be used instead of a number for both standard and extended access control lists.

Standard access control list configuration

Basic commands:

Router(config)# access-list access-list-number {permit | deny} source [ source-wildcard ]   //Create an ACL entry
Router(config)# no access-list access-list-number   //Delete the ACL
Router(config-if)# ip access-group access-list-number {in | out}   //Apply the ACL to the interface
Router(config-if)# no ip access-group access-list-number {in | out}   //Remove the ACL from the interface

Applications:

Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255     //Create ACL 1, permitting the network 192.168.1.0/24
Router(config)# access-list 1 permit 192.168.2.2 0.0.0.0       //Add to ACL 1, permitting the single host 192.168.2.2

Note the implicit deny at the end of every access control list: a packet that matches none of the configured rules is denied by default, which is equivalent to the following command:

Router(config)# access-list 1 deny 0.0.0.0 255.255.255.255

When a rule refers to a single host, the wildcard mask can be omitted by placing the keyword host before the IP address; when a rule should match all IP addresses, the keyword any can be used instead of "0.0.0.0 255.255.255.255".

Extended Access Control List configuration

Basic commands

Router(config)# access-list access-list-number { permit | deny } protocol { source source-wildcard destination destination-wildcard } [ operator operand ]   //Create an ACL entry
Router(config)# no access-list access-list-number   //Delete the ACL
Router(config-if)# ip access-group access-list-number {in | out}   //Apply the ACL to the interface
Router(config-if)# no ip access-group access-list-number {in | out}   //Remove the ACL from the interface

Applications

Router(config)# access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255   //Permit IP traffic from 192.168.1.0/24 to 192.168.2.0/24
Router(config)# access-list 101 deny ip any any   //Deny all other traffic

Router(config)# access-list 101 deny tcp 192.168.1.0 0.0.0.255 host 192.168.2.2 eq 21   //Deny FTP control connections (TCP port 21) from 192.168.1.0/24 to host 192.168.2.2
Router(config)# access-list 101 permit ip any any   //Permit all other traffic

Router(config)# access-list 101 deny icmp 192.168.1.0 0.0.0.255 host 192.168.2.2 echo   //Deny ICMP echo requests from 192.168.1.0/24 to host 192.168.2.2
Router(config)# access-list 101 permit ip any any   //Permit all other traffic
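As an added example that is not part of the original post, the following Python simulates how a router evaluates the standard and extended lists shown above: wildcard masks are inverse masks (a 0 bit must match, a 1 bit is ignored), entries are tested top to bottom with the first match deciding, and an unmatched packet falls through to the implicit deny. The Ace and Packet types, the HOST and ANY constants and all sample packets are constructed for illustration, not Cisco data structures.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when every bit that is 0 in the wildcard mask is identical in addr and base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

@dataclass
class Ace:
    """One access control entry; a standard ACL is modelled as protocol 'ip' with destination 'any'."""
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" matches every protocol; otherwise "tcp", "udp", "icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None  # "eq <port>" on the destination; None means any port

# A constructed packet: protocol, source, destination and (for tcp/udp) destination port.
Packet = namedtuple("Packet", "protocol src dst dst_port", defaults=(None,))

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """Protocol, both addresses (via wildcard mask) and the optional port must all match."""
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wc):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
        return False
    return ace.dst_port is None or ace.dst_port == pkt.dst_port

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Entries are tested top to bottom; the first match decides, otherwise the implicit deny applies."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"  # implicit "deny ip any any" at the end of every ACL

HOST = "0.0.0.0"                      # wildcard produced by the "host" keyword
ANY = ("0.0.0.0", "255.255.255.255")  # address/wildcard pair produced by the "any" keyword
# access-list 101 from the post: deny FTP control (tcp/21) from 192.168.1.0/24 to
# host 192.168.2.2, permit everything else.
ACL_101 = [
    Ace("deny", "tcp", "192.168.1.0", "0.0.0.255", "192.168.2.2", HOST, dst_port=21),
    Ace("permit", "ip", *ANY, *ANY),
]
```

Swapping the two entries of ACL_101 would permit everything, which is why the order of entries matters as much as their content.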

Named Access Control List configuration

Basic commands

Router(config)# ip access-list { standard | extended } access-list-name   //Create a named ACL: standard for a standard named ACL, extended for an extended named ACL
Router(config-std-nacl)# [ sequence-number ] { permit | deny } source [ source-wildcard ]   //Configure a standard named ACL; sequence-number determines the statement's position in the list
Router(config-ext-nacl)# [ sequence-number ] { permit | deny } protocol { source source-wildcard destination destination-wildcard } [ operator operand ]   //Configure an extended named ACL
Router(config)# no ip access-list { standard | extended } access-list-name   //Delete the whole ACL
Router(config-std-nacl)# no sequence-number   //Delete a single statement from the ACL (recommended method)
Router(config-std-nacl)# no permit host <ACL statement>   //Delete a single statement from the ACL by repeating it with no (e.g. no permit host 192.168.2.1)
Router(config-if)# ip access-group access-list-name {in | out}   //Apply the ACL to the interface
Router(config-if)# no ip access-group access-list-name {in | out}   //Remove the ACL from the interface
Router# show access-lists   //Display the ACL configuration

Applications

Router(config)# ip access-list standard cisco          //Standard named ACL
Router(config-std-nacl)# 15 permit host 192.168.2.1
Router(config)# ip access-list extended cisco          //Extended named ACL
Router(config-ext-nacl)# deny tcp 192.168.1.0 0.0.0.255 host 192.168.2.2 eq 21
Router(config-ext-nacl)# permit ip any any

Source: blog.51cto.com/14449541/2443759