ACL(Access Control List)

Basic concepts

        ACL It's a packet filtering technology

        ACL be based on IP Baotou IP Address 、 four layers TCP/UDP The port number of the header 、[5 The layer data ]

         Based on three-layer and four layer filtering

        ACL Configure... On the router , You can also configure on the firewall （ It is generally called strategy ）

working principle

ACL There are two main categories ：

1） standard ACL:

         Table number ：1-99

         characteristic ： It can only be based on the source IP Filter packets

        command ：

conf t

        access-list Table number permit/deny Source ip Or source network segment Anti subnet mask

        notes ：

                Anti subnet mask ： Mask the subnet 0 and 1 The horse

                255.0.0.0 -- 0.255.255.255

                255.255.0.0  -- 0.0.255.255

                255.255.255.0 -- 0.0.0.255

                Anti subnet mask operation ： To match , And 0 The corresponding needs to be strictly matched , And 1 Corresponding ignore ！

        for example ：access-list 1 deny 10.1.1.1 0.255.255.255

                  explain ： This entry is used to reject all sources IP by 10 At the beginning ！

                  access-list 1 deny 10.1.1.1 0.0.0.0

                  explain ： This entry is used to reject all sources IP by 10.1.1.1 At the beginning ！

                  Abbreviation ：access-list 1 deny host 10.1.1.1       

                 

                  access-list 1 deny 0.0.0.0 255.255.255.255

                  explain ： This entry is used to deny everyone ！

                   Abbreviation ：access-list 1 deny any

        

        take ACL Apply to the interface ：

int f0/x

        ip access-group Table number in/out                          take ACL Apply to the interface (no Cancel , But the watch is still )

        exit

2） Expand ACL

         Table number ：100-199

        characteristic : Can be based on source IP、 The goal is IP、 Port number 、 Protocols filter packets

        command ： The commands in brackets represent optional

acc 100 permit/deny agreement Source ip Or source network segment Anti subnet mask The goal is ip Or target network segment Anti subnet mask [eq Port number ]

        notes :

                agreement ：tcp/udp/icmp/ip 

ACL principle

1）ACL The table must be applied to the in or out direction of the interface to take effect

2） Only one table can be applied to one direction of an interface ！

3） In or out direction Application ？ Depends on the general direction of flow control

4） ACL The table checks every item strictly from top to bottom , All should be written in the main order

5） Each is composed of conditions and actions , When the flow completely meets the conditions When a certain flow does not meet a certain condition , Then continue to check the next

6） standard ACL Try to write close to the target

7） matters needing attention

Do flow control , First of all, judge ACL Where to write （ The router ？ The direction of that interface ？）

Thinking about how to write ACL

How to write

First of all, we should decide whether to allow all or reject all

        Then pay attention when writing ： Will be strict

8) In general , Standard or extended ACL Once written , A certain item cannot be modified , You can't delete a certain item , Nor can you change the order , You can't insert a new entry in the middle , You can only always add new entries at the end .

        If you want to modify , Or insert or delete , Only the whole table can be deleted , Rewrite

conf t

        no access-list Table number                  Delete the entire table

see ACL surface ：

        show IP access-list                Show all the tables

        show IP access-list surface id          Show a certain （id） surface

name ACL:

effect ： Can be extended to standard or ACL Custom naming

advantage ： Custom naming makes it easier to recognize , It's also easy to remember

        You can modify a certain item at will , Or delete a day , You can also insert a certain day in the middle

conf t

        name , Choose standard or extension ACL

        ip access-list extended/standard  Custom table name

        notes ：extended Expand /standard standard

Enter after input ACL Control mode （ Can enter other ACL Even if it is not created in a named way ）

        To configure

        permit/deny agreement Source ip Or network segment Anti subnet mask The goal is ip Or network segment Anti subnet mask [eq Port number ]

        Delete       

        To delete the next day , stay ACL Control mode Input

        no entry id

        Here is 20

        add to

         stay ACL Control mode Input

        entry id permit/deny agreement Source ip Or network segment Anti subnet mask The goal is ip Or network segment Anti subnet mask [eq Port number ]

        entry id  Such as 15, The higher the value, the lower the position of the entry in the table