ACL: Access Control List
How an access control list works:
Out (outbound): the ACL is applied to packets that the router has already processed and that are leaving the interface.
In (inbound): the ACL is applied to packets arriving at the interface, before the router processes them.
How the ACL processes the data flow:
The router compares the packet with the ACL statements in order. When a statement matches, the router permits or denies the packet as that statement says; when it does not match, the router goes on to the next statement. If no statement matches, the packet is discarded by the implicit deny at the end of the list.
ACL types
Standard ACL: permits or denies based on the packet's source IP address only. List numbers 1~99.
Extended ACL: permits or denies based on the packet's source IP address, destination IP address, protocol, port, and flags. List numbers 100~199.
Named ACL: a standard or extended ACL identified by a name instead of a list number.
Command syntax
Standard access control list
Creating ACL statements
access-list access-list-number {permit | deny} source [source-wildcard]
access-list-number: list number
permit: allow
deny: deny
source: source IP address
source-wildcard: wildcard mask (inverse mask) for the source IP address
Applying to an interface
Router(config-if)#ip access-group access-list-number {in | out}
Note: the keywords host and any can be used in ACL statements (host stands for a single host, any stands for all addresses).
Examples:
access-list 1 permit 192.168.1.1 0.0.0.0 is equivalent to access-list 1 permit host 192.168.1.1
Allows host 192.168.1.1 through
access-list 1 deny 0.0.0.0 255.255.255.255 is equivalent to access-list 1 deny any // deny all
Extended access control list
Creating ACL statements
access-list access-list-number {permit | deny} protocol source source-wildcard destination destination-wildcard [operator operand]
protocol: protocol
destination: destination IP address
destination-wildcard: wildcard mask (inverse mask) for the destination IP address
operator operand: lt (less than), gt (greater than), eq (equal to) or neq (not equal to), followed by a port number.
Named access control list
Creating ACL statements
ip access-list {standard | extended} access-list-name
standard: standard ACL
extended: extended ACL
Creating statements in a named standard ACL
Router(config-std-nacl)#[sequence-number] {permit | deny} source [source-wildcard]
Creating statements in a named extended ACL
Router(config-ext-nacl)#[sequence-number] {permit | deny} protocol source source-wildcard destination destination-wildcard [operator operand]
(The first ACL statement is given sequence number 10, the second 20, and so on. If the deny statement is 30, a new statement can be given any unused number between 10 and 30 to insert it before the deny.)
Router(config-std-nacl)# // standard named ACL mode prompt
Router(config-ext-nacl)# // extended named ACL mode prompt
Example section
Look at the configuration details in the topology diagram first.
The experimental steps are as follows:
Step one: configure IP addresses and connectivity for the real machine, VPCS1 and the web server.
Real-machine configuration
Web server configuration
VPCS1 Configuration
Duplex is configured between router R1 and the switch.
The real machine pings the web server
Step two: configure the standard ACL
R1 router
Real-machine test
Web test
Extended access control list
The first statement permits host 192.168.2.1 to access the web service on host 192.168.3.2.
The second statement denies host 192.168.2.1 from pinging host 192.168.3.2.
The third statement permits host 192.168.2.1 to ping addresses in the other network segments.
Building a web service on Windows Server 2008
After the service is set up, open Internet Information Services (IIS) Manager and check whether the web service is started.
If the service is not started, right-click its entry and start it.
Test with the IE browser on the real machine. (It cannot ping the web server, but it can still open its web page.)
Named access control list (not using the topology above)
Example:
Router(config)#ip access-list standard Wang
Router(config-std-nacl)#permit host 192.168.1.1
Router(config-std-nacl)#deny any
Use show access-lists to view the list:
Standard IP access list Wang // standard access control list
permit 192.168.1.1 // the first ACL statement, sequence number 10
deny any // the second ACL statement, sequence number 20
To also let traffic from 192.168.2.1 through:
Router(config-std-nacl)#15 permit host 192.168.2.1 // a sequence number between 10 and 20 (15 here) places the statement before deny any
View the list again with show access-lists:
Standard IP access list Wang // standard access control list
permit 192.168.1.1 // the first ACL statement, sequence number 10
permit 192.168.2.1 // the inserted statement
deny any // the second ACL statement, sequence number 20
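The matching rules described on this page (wildcard masks, the host and any keywords, top-down first match with the implicit deny, and sequence-number insertion in a named ACL) modelled as an added Python example; it is not part of the original article or of any Cisco software. It builds the three extended statements of the exercise and assumes the web service listens on TCP port 80, which the article does not state.

```python
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")        # keyword "any": every bit ignored
def host(addr):                              # keyword "host X" == "X 0.0.0.0"
    return (addr, "0.0.0.0")
def wildcard_match(addr, base, wildcard):
    """Cisco wildcard (inverse) mask: a 0 bit must match exactly, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)
OPS = {"eq": lambda p, n: p == n, "neq": lambda p, n: p != n,
       "lt": lambda p, n: p < n, "gt": lambda p, n: p > n}

@dataclass
class Entry:
    seq: int             # sequence number (10, 20, ... when not given explicitly)
    action: str          # "permit" or "deny"
    src: tuple           # (address, wildcard) exactly as in the access-list syntax
    proto: str = "ip"    # standard ACLs check only the source, so "ip" matches all
    dst: tuple = ANY
    port: tuple = None   # (operator, destination port), e.g. ("eq", 80)
    def matches(self, pkt):
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if not (wildcard_match(pkt["src"], *self.src) and wildcard_match(pkt["dst"], *self.dst)):
            return False
        if self.port:                        # lt/gt/eq/neq apply to the destination port
            op, n = self.port
            return pkt.get("dport") is not None and OPS[op](pkt["dport"], n)
        return True
class ACL:
    def __init__(self): self.entries = []
    def add(self, entry):
        """Keep statements in sequence order: seq 15 lands between 10 and 20."""
        self.entries = sorted(self.entries + [entry], key=lambda e: e.seq)
    def evaluate(self, pkt):
        """Top-down: the first matching statement decides; no match means implicit deny."""
        for e in self.entries:
            if e.matches(pkt):
                return e.action
        return "deny"

def exercise_acl():
    """The three extended statements of the exercise. Assumes the web service is
    TCP port 80 (the article does not state the port)."""
    acl = ACL()
    acl.add(Entry(10, "permit", host("192.168.2.1"), "tcp", host("192.168.3.2"), ("eq", 80)))
    acl.add(Entry(20, "deny", host("192.168.2.1"), "icmp", host("192.168.3.2")))
    acl.add(Entry(30, "permit", host("192.168.2.1"), "icmp", ANY))
    return acl
```

Packets are plain dicts with src, dst, proto and an optional dport, so a new statement or test traffic can be tried without a lab.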
ACL access control lists (standard, extended, named)