1) How an access control list (ACL) works
An ACL uses packet filtering on the router: it reads the layer 3 and layer 4 headers of the seven-layer OSI model (for example source address, destination address, source port and destination port) and filters packets against predefined rules, thereby achieving access control.
2) Topology
(Topology diagram: 2013-08-24_215340.png, http://img1.51cto.com/attachment/201308/215945760.png)
3) Networking requirements
1. Configure a basic ACL to filter packets sent from the host whose source IP address is 10.1.1.2 during ~.
2. Configure an advanced ACL to prohibit mutual access between the R&D department and the Technical Support department, and to prevent the R&D department from accessing the salary query server from ~ to ~ during working hours.
3. Use a layer-2 ACL to filter packets whose source MAC address is 00e0-fc01-0101 during ~.
4) Command configuration
1. Create the VLANs and add ports
system-view
[Quidway] vlan 10 // create the VLAN
[Quidway-vlan10] port Ethernet 1/0/1 // add the port to the VLAN
[Quidway-vlan10] vlan 20
[Quidway-vlan20] port Ethernet 1/0/2
[Quidway-vlan20] vlan 30
[Quidway-vlan30] port Ethernet 1/0/3
[Quidway-vlan30] vlan 40
[Quidway-vlan40] port Ethernet 1/0/4
[Quidway-vlan40] quit
2. Configure the VLAN virtual interface addresses
[Quidway] interface Vlan-interface 10 // enter the VLAN interface view
[Quidway-Vlan-interface10] ip address 10.1.1.1 24 // configure the IP address
[Quidway-Vlan-interface10] quit
[Quidway] interface Vlan-interface 20
[Quidway-Vlan-interface20] ip address 10.1.2.1 24
[Quidway-Vlan-interface20] quit
[Quidway] interface Vlan-interface 30
[Quidway-Vlan-interface30] ip address 10.1.3.1 24
[Quidway-Vlan-interface30] quit
[Quidway] interface Vlan-interface 40
[Quidway-Vlan-interface40] ip address 10.1.4.1 24
[Quidway-Vlan-interface40] quit
3. Define a time period
[H3C] time-range ssl ~ to ~ working-day // define the time period (the start and end times are missing here)
Requirement 1
Configure basic ACL
Configuration:
[Quidway] acl number 2000 // enter the view of basic ACL 2000
[Quidway-acl-basic-2000] rule 1 deny source 10.1.1.2 0 time-range ssl // define the rule: filter packets sent by host 10.1.1.2 while the time range is active
[Quidway-acl-basic-2000] interface Ethernet1/0/1 // apply ACL 2000 on the interface
[Quidway-Ethernet1/0/1] packet-filter inbound ip-group 2000
[Quidway-Ethernet1/0/1] quit
Requirement 2
Configure advanced ACL
Configuration:
[Quidway] acl number 3000 // enter the view of advanced ACL 3000
[Quidway-acl-adv-3000] rule 1 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 // define the rule: prohibit traffic between the R&D department and the Technical Support department
[H3C-acl-adv-3000] rule 2 deny ip source any destination 129.110.1.2 0.0.0.0 time-range ssl // define the rule: prohibit the R&D department from accessing the payroll query server from ~ to ~ during working hours
[H3C-acl-adv-3000] quit
[H3C] interface Ethernet1/0/2 // apply ACL 3000 on the interface
[H3C-Ethernet1/0/2] packet-filter inbound ip-group 3000
Requirement 3
Configure L2 ACL
Configuration:
[Quidway] acl number 4000 // enter the view of layer-2 ACL 4000
[Quidway-acl-ethernetframe-4000] rule 1 deny source 02e0-fc02-0101 ffff-ffff-ffff time-range ssl // define the rule: filter frames whose source MAC is 02e0-fc02-0101
[Quidway-acl-ethernetframe-4000] interface Ethernet1/0/4 // apply ACL 4000 on the interface
[Quidway-Ethernet1/0/4] packet-filter inbound link-group 4000
Requirement 2 (alternative configuration using a QoS policy)
[Quidway] acl number 3000 // enter the view of advanced ACL 3000
[Quidway-acl-adv-3000] rule 1 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 // define the rule: prohibit access between the R&D department and the Technical Support department
[Quidway-acl-adv-3000] rule 2 deny ip source any destination 129.110.1.2 0.0.0.0 time-range ssl // define the rule: prohibit the R&D department from accessing the payroll query server from ~ to ~ during working hours
[Quidway-acl-adv-3000] quit
[Quidway] traffic classifier abc // define the traffic classifier
[Quidway-classifier-abc] if-match acl 3000
[Quidway-classifier-abc] quit
[H3C] traffic behavior abc // define the traffic behavior: decide whether packets matching the classifier are dropped
[H3C-behavior-abc] filter deny
[H3C-behavior-abc] quit
[Quidway] qos policy abc // define the QoS policy and associate the classifier with the behavior
[Quidway-qospolicy-abc] classifier abc behavior abc
[Quidway-qospolicy-abc] quit
[Quidway] interface g1/1/2 // apply the QoS policy on the port
[Quidway-Ethernet1/1/2] qos apply policy abc inbound
Supplement:
- The ACL is only used to differentiate traffic; whether traffic is permitted or denied is decided by the filter behavior.
- If a port carries both traffic to permit and traffic to deny, define a classifier and a behavior for each and associate them in the same QoS policy.
- A QoS policy matches packets against its classifiers in configuration order. Once a classifier matches, the corresponding behavior is executed and policy execution ends; the remaining classifiers are not matched.
- After a QoS policy has been applied to a port, the system does not allow the associated classifier, behavior or QoS policy to be modified until the policy is removed from the port.
Four configuration key points:
1. The time-range name can be chosen freely.
2. After defining an access control rule, you must apply it to the corresponding interface. When applying it, note that the inbound direction must correspond to the source and destination directions used in the rule;
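The following is an added example (not part of the original post, and not H3C code) that models how ACL 3000 above is evaluated: IP wildcard masks where a 1 bit means "don't care", layer-2 MAC masks where a 1 bit means "must match", a time-range that makes a rule inactive outside working hours, and first-match rule order. The working hours (09:00 to 18:00, Monday to Friday) and the implicit permit for packets matching no rule are assumptions, since the post does not state them.

```python
import ipaddress
from datetime import datetime

def wildcard_match(addr, base, wildcard):
    """IP wildcard semantics as in 'rule deny ip source 10.1.2.0 0.0.0.255':
    a 1 bit in the wildcard means 'don't care' (0.0.0.0 = exact host)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & (~w & 0xFFFFFFFF) == 0

def mac_match(mac, base, mask):
    """Layer-2 ACL masks are the opposite of IP wildcards: a 1 bit means
    'must match', so ffff-ffff-ffff is an exact MAC address."""
    as_int = lambda m: int(m.replace("-", ""), 16)
    return (as_int(mac) ^ as_int(base)) & as_int(mask) == 0

# Assumed: the post's time-range 'ssl' lost its hours; use 09:00-18:00
# on working days (Monday to Friday), expressed in minutes of the day.
TIME_RANGES = {"ssl": (9 * 60, 18 * 60)}

def in_time_range(ts, name):
    start, end = TIME_RANGES[name]
    minute = ts.hour * 60 + ts.minute
    return ts.weekday() < 5 and start <= minute < end

# ACL 3000 from the post, in configuration order: (action, src, dst, time-range)
ACL_3000 = [
    ("deny", ("10.1.2.0", "0.0.0.255"), ("10.1.1.0", "0.0.0.255"), None),
    ("deny", ("0.0.0.0", "255.255.255.255"), ("129.110.1.2", "0.0.0.0"), "ssl"),
]

def evaluate(acl, src, dst, ts):
    """First matching rule wins; an inactive time-range makes its rule not match.
    Assumed: packets matching no rule are permitted (packet-filter default)."""
    for number, (action, s, d, tr) in enumerate(acl, 1):
        if not (wildcard_match(src, *s) and wildcard_match(dst, *d)):
            continue
        if tr and not in_time_range(ts, tr):
            continue
        return action, number
    return "permit", None

# Constructed timestamps: 2013-08-26 is a Monday, 2013-08-24 a Saturday.
WORKDAY = datetime(2013, 8, 26, 10, 0)
EVENING = datetime(2013, 8, 26, 20, 0)
WEEKEND = datetime(2013, 8, 24, 10, 0)

if __name__ == "__main__":
    print(evaluate(ACL_3000, "10.1.2.7", "10.1.1.9", WORKDAY))     # ('deny', 1)
    print(evaluate(ACL_3000, "10.1.2.7", "129.110.1.2", WORKDAY))  # ('deny', 2)
    print(evaluate(ACL_3000, "10.1.2.7", "129.110.1.2", EVENING))  # ('permit', None)
```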
This article comes from the "those once" blog; please keep this source when reproducing it: http://slayr.blog.51cto.com/7613374/1282222