ACL access control list (standard, extensibility, naming)

Source: Internet
Author: User

ACL (access control list)

How an access control list works:

Out: the ACL is applied to packets leaving the router through the interface, after the router has already processed them.

In: the ACL is applied to packets arriving on the router interface, before the router processes them.

How the ACL processes traffic:

The router compares each packet against the ACL statements in order. The first statement that matches decides whether the packet is permitted or denied; if a statement does not match, the next one is checked. A packet that matches no statement falls through to the implicit deny at the end of the list and is discarded.

ACL types

Standard ACL: permits or denies based only on the packet's source IP address. List numbers 1~99.

Extended ACL: permits or denies based on the packet's source IP address, destination IP address, protocol, port, and flags. List numbers 100~199.

Named ACL: a standard or extended ACL identified by a name instead of a list number.

Command syntax

Standard access control list

Creating ACL statements

access-list access-list-number {permit | deny} source [source-wildcard]

access-list-number: list number

permit: allow

deny: deny

source: source IP address

source-wildcard: wildcard mask (inverse mask) for the source IP address

Applying the ACL to an interface

Router(config-if)# ip access-group access-list-number {in | out}

Note: the keywords host and any can be used in ACL statements (host denotes a single host address, any denotes all addresses).

Examples:

access-list 1 permit 192.168.1.1 0.0.0.0 is equivalent to access-list 1 permit host 192.168.1.1

Allow host 192.168.1.1 through (a wildcard of 0.0.0.0 means every bit must match, so exactly one address is matched)

access-list 1 deny 0.0.0.0 255.255.255.255 is equivalent to access-list 1 deny any // deny all
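The following is an added example, not code from the original post: a small Python model of how a standard ACL is evaluated, with the host/any keyword expansion, Cisco wildcard-mask matching, first-match ordering and the implicit deny. It also shows the check a practitioner should make when writing a "host" entry: a wildcard of 0.0.0.255 matches the whole /24, not a single host.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask match: a wildcard bit of 1 means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def parse_standard(line):
    """Parse 'access-list N {permit|deny} source [wildcard]', expanding host/any.

    Returns (number, action, base, wildcard)."""
    parts = line.lower().split()
    if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL statement: {line}")
    number, action, src = int(parts[1]), parts[2], parts[3]
    if not 1 <= number <= 99:
        raise ValueError("standard ACLs use list numbers 1-99")
    if src == "any":
        base, wild = "0.0.0.0", "255.255.255.255"
    elif src == "host":
        base, wild = parts[4], "0.0.0.0"
    else:
        base = src
        wild = parts[4] if len(parts) > 4 else "0.0.0.0"  # IOS default wildcard
    return number, action, base, wild


def evaluate_standard(acl_lines, src_ip):
    """First matching statement decides; no match means the implicit deny."""
    for line in acl_lines:
        _, action, base, wild = parse_standard(line)
        if wildcard_match(src_ip, base, wild):
            return action
    return "deny"  # implicit deny at the end of every ACL


if __name__ == "__main__":
    # Constructed statements mirroring the examples above
    acl = ["access-list 1 permit host 192.168.1.1", "access-list 1 deny any"]
    print(evaluate_standard(acl, "192.168.1.1"), evaluate_standard(acl, "192.168.1.2"))
    # 0.0.0.255 is a /24 wildcard, not a host match
    print(evaluate_standard(["access-list 1 permit 192.168.1.1 0.0.0.255"], "192.168.1.200"))
```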

Extended access control list

Creating ACL statements

access-list access-list-number {permit | deny} protocol source source-wildcard destination destination-wildcard [operator operand]

protocol: protocol (for example ip, tcp, udp, icmp)

destination: destination IP address

destination-wildcard: wildcard mask (inverse mask) for the destination IP address

operator operand: lt (less than), gt (greater than), eq (equal to) or neq (not equal to) followed by a port number.

Named access control list

Creating ACL statements

ip access-list {standard | extended} access-list-name

standard: standard ACL

extended: extended ACL

Creating statements in a named standard ACL

Router(config-std-nacl)# [sequence-number] {permit | deny} source [source-wildcard]

Creating statements in a named extended ACL

Router(config-ext-nacl)# [sequence-number] {permit | deny} protocol source source-wildcard destination destination-wildcard [operator operand]

Sequence numbers: the first statement is numbered 10, the second 20, and so on. If the deny statement is number 30, a new statement can be given any number between 10 and 30 to insert it before the deny.

Router(config-std-nacl)# // prompt inside a named standard ACL

Router(config-ext-nacl)# // prompt inside a named extended ACL

Lab example

[Figure: topology diagram]

Refer to the topology diagram for the configuration details.

The lab steps are as follows.

Step 1: configure the IP addresses on the real machine, VPCS1 and the Web server, and verify that they can reach each other.

[Figure: real-machine configuration]

[Figure: Web server configuration]

[Figure: VPCS1 configuration]

Duplex is configured between router R1 and the switch.

[Figure: R1 and switch duplex configuration]

[Figure: the real machine pings the Web server]

Step 2: configure the standard ACL

[Figure: R1 router configuration]

[Figure: test from the real machine]

[Figure: test from the Web server]

Extended access control list

The first statement permits host 192.168.2.1 to access the Web site on host 192.168.3.2.

The second statement denies host 192.168.2.1 from pinging host 192.168.3.2.

The third statement permits host 192.168.2.1 to ping addresses on the other network segments.

[Figure: R1 extended ACL configuration]
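The three statements above exist on the page only as a screenshot, so the following added example (not the author's configuration) reconstructs them as assumed commands: TCP port 80 for the Web site, ICMP for ping, and "permit ip host 192.168.2.1 any" for the rest. The evaluator below applies them in order to sample packets and shows why the deny for ping must come before the broader permit.

```python
import ipaddress

# Which packet protocols an ACL protocol keyword covers ("ip" matches everything)
PROTO_FAMILY = {"ip": {"tcp", "udp", "icmp"}, "tcp": {"tcp"}, "udp": {"udp"}, "icmp": {"icmp"}}
OPS = {"lt": lambda p, n: p < n, "gt": lambda p, n: p > n,
       "eq": lambda p, n: p == n, "neq": lambda p, n: p != n}


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask match: a wildcard bit of 1 means 'don't care'."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def parse_addr(tokens, i):
    """Consume 'any' | 'host A' | 'A W' at tokens[i]; return (base, wildcard, next index)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_extended(line):
    """access-list N {permit|deny} protocol src src-wc dst dst-wc [operator port]"""
    t = line.lower().split()
    action, proto = t[2], t[3]
    src, src_wc, i = parse_addr(t, 4)
    dst, dst_wc, i = parse_addr(t, i)
    port_check = None
    if i < len(t):  # optional destination-port operator, e.g. "eq 80"
        op, port = t[i], int(t[i + 1])
        port_check = lambda p, op=op, port=port: OPS[op](p, port)
    return action, proto, src, src_wc, dst, dst_wc, port_check


def evaluate_extended(acl_lines, proto, src_ip, dst_ip, dst_port=None):
    """First matching statement decides; no match falls to the implicit deny."""
    for line in acl_lines:
        action, aproto, src, swc, dst, dwc, port_check = parse_extended(line)
        if proto not in PROTO_FAMILY[aproto]:
            continue
        if not (wildcard_match(src_ip, src, swc) and wildcard_match(dst_ip, dst, dwc)):
            continue
        if port_check is not None and (dst_port is None or not port_check(dst_port)):
            continue
        return action
    return "deny"


# Constructed reconstruction of the lab's three statements (assumption: Web = TCP/80)
LAB_ACL = ["access-list 101 permit tcp host 192.168.2.1 host 192.168.3.2 eq 80",
           "access-list 101 deny icmp host 192.168.2.1 host 192.168.3.2",
           "access-list 101 permit ip host 192.168.2.1 any"]
```

Swapping the second and third statements lets the broad "permit ip ... any" match the ping first, so the ICMP deny never takes effect; checking statement order this way before applying an ACL catches that class of mistake.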

Building a Web service on Windows Server 2008

[Figures: Windows Server 2008 Web service (IIS) setup]

After the service is set up, open Internet Information Services (IIS) Manager and check whether the Web service is started.

[Figure: IIS Manager]

If the service is not started, right-click it and start it.

[Figure: starting the Web site in IIS Manager]

Test with the IE browser on the real machine (the real machine cannot ping the Web server, but it can still access its Web site).

[Figures: browser test and ping test from the real machine]

Named access control list (does not use the topology above)

Example:

Router(config)# ip access-list standard Wang

Router(config-std-nacl)# permit host 192.168.1.1

Router(config-std-nacl)# deny any

Use show access-lists to view the result:

Standard IP access list Wang // standard access control list

    10 permit 192.168.1.1 // first ACL statement, sequence number 10

    20 deny any // second ACL statement, sequence number 20

If traffic from 192.168.2.1 should also be allowed through:

Router(config-std-nacl)# [sequence-number] permit host 192.168.2.1 // give the statement a sequence number between 10 and 20 so it is inserted before the deny

Run show access-lists again to view the result:

Standard IP access list Wang // standard access control list

    10 permit 192.168.1.1 // first ACL statement, sequence number 10

    permit 192.168.2.1 // inserted statement, with the sequence number given above

    20 deny any // second ACL statement, sequence number 20
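The following is an added example, not code from the original post: a Python model of the sequence-number behaviour described above (append at the next multiple of 10, or insert at an explicit number). The assumed NamedStandardAcl class also flags entries that can never match because they were appended after "deny any", the pitfall of adding a permit without a sequence number.

```python
class NamedStandardAcl:
    """Model of IOS sequence numbering for a named standard ACL (assumption, not IOS code)."""

    def __init__(self, name):
        self.name = name
        self.entries = {}  # sequence number -> (action, source)

    def add(self, action, source, seq=None):
        """Without a sequence number the entry is appended at the next multiple of 10;
        with one it is inserted at that position, which must be unused."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if seq is None:
            seq = (max(self.entries, default=0) // 10 + 1) * 10
        if seq in self.entries:
            raise ValueError(f"sequence number {seq} is already in use")
        self.entries[seq] = (action, source)
        return seq

    def show(self):
        """Lines in the layout of 'show access-lists', ordered by sequence number."""
        lines = [f"Standard IP access list {self.name}"]
        for seq in sorted(self.entries):
            action, source = self.entries[seq]
            lines.append(f"    {seq} {action} {source}")
        return lines

    def shadowed(self):
        """Sequence numbers of entries that can never match because an earlier
        entry already matches every source ('any')."""
        result, blocked = [], False
        for seq in sorted(self.entries):
            if blocked:
                result.append(seq)
            elif self.entries[seq][1] == "any":
                blocked = True
        return result


if __name__ == "__main__":
    acl = NamedStandardAcl("Wang")  # constructed walk-through of the example above
    acl.add("permit", "192.168.1.1")
    acl.add("deny", "any")
    acl.add("permit", "192.168.2.1", seq=15)  # inserted before the deny
    acl.add("permit", "192.168.3.1")  # no sequence number: lands after 'deny any'
    print("\n".join(acl.show()))
    print("unreachable entries:", acl.shadowed())
```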
