Access Control List

Source: Internet
Author: User
An access control list (ACL) is a list of commands applied to a router interface that controls the packets entering and leaving that port. ACLs can be defined for every protocol the router forwards, such as IP, IPX and AppleTalk.

ACLs are also defined per protocol. If a router interface is configured to support three protocols (IP, AppleTalk and IPX), three ACLs must be defined to control the packets of those three protocols.

The role of ACL

ACLs can limit network traffic and improve network performance. For example, an ACL can assign a priority to a packet based on the packet's protocol.

ACLs provide a means of controlling traffic flow. For example, an ACL can limit or simplify routing update messages, thereby limiting the traffic passing through a particular network segment of the router.

ACLs are the basic means of providing secure network access. As shown in Figure 1, the ACL allows Host A to access the Human Resources network while denying access from Host B.

An ACL determines which types of traffic are forwarded or blocked at a router port. For example, e-mail traffic can be allowed to be routed while all Telnet traffic is rejected.

ACL Execution Process

How a port applies an ACL is determined by the order of the conditional statements in the list. If a packet's header matches one condition statement in the list, the remaining statements are ignored and are not checked.

See figure 2.

In Figure 2, a packet is handed to the next condition statement in the ACL only when it does not match the preceding one. As soon as a statement matches (for example, one that permits forwarding), the packet is sent on to the destination interface immediately, whether that statement is the first or the last in the list. If every statement in the ACL has been checked and none matches, the packet is treated as rejected and discarded.

Note that an ACL cannot control packets generated by the router itself.
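As an added example (not part of the original article), the following Python script models the first-match evaluation described above for a standard ACL: it applies IOS wildcard-mask matching, stops at the first matching statement, falls through to the implicit deny when nothing matches, and also reports entries that an earlier statement shadows. The ACL entries and addresses are constructed for the illustration.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AclEntry:
    action: str     # "permit" or "deny"
    source: str     # source network, e.g. "10.1.1.0"
    wildcard: str   # IOS wildcard mask: a 0 bit must match, a 1 bit is "don't care"

def _ints(*dotted: str) -> list[int]:
    return [int(ipaddress.IPv4Address(x)) for x in dotted]

def wildcard_match(address: str, network: str, wildcard: str) -> bool:
    """Compare only the bits where the wildcard bit is 0 (IOS wildcard semantics)."""
    a, n, w = _ints(address, network, wildcard)
    return (a & ~w) == (n & ~w)

def evaluate(acl: list[AclEntry], source_ip: str) -> tuple[str, int | None]:
    """Walk the list top-down. The first matching entry decides and the rest are never
    consulted; if nothing matches, the packet hits the implicit deny at the end."""
    for index, entry in enumerate(acl, start=1):
        if wildcard_match(source_ip, entry.source, entry.wildcard):
            return entry.action, index
    return "deny", None   # implicit deny: no statement matched

def shadowed_entries(acl: list[AclEntry]) -> list[tuple[int, int]]:
    """Return (later, earlier) pairs where the later entry can never match because the
    earlier entry already covers every address it describes (an ordering mistake)."""
    result = []
    for j, later in enumerate(acl, start=1):
        nj, wj = _ints(later.source, later.wildcard)
        for i, earlier in enumerate(acl[: j - 1], start=1):
            ni, wi = _ints(earlier.source, earlier.wildcard)
            # later is a subset of earlier iff it fixes every bit earlier fixes, to the same value
            if (wj & ~wi) == 0 and (nj & ~wi) == (ni & ~wi):
                result.append((j, i))
                break
    return result

# Constructed sample list (not from the article): the deny on host 10.1.1.7 is dead,
# because line 1 already permits the whole 10.1.1.0/24 subnet it belongs to.
SAMPLE_ACL = [
    AclEntry("permit", "10.1.1.0", "0.0.0.255"),
    AclEntry("deny", "10.1.1.7", "0.0.0.0"),
    AclEntry("deny", "10.2.0.0", "0.0.255.255"),
]
```

Running `evaluate(SAMPLE_ACL, "10.1.1.7")` returns a permit from line 1 even though line 2 denies that host, which is exactly the order dependence the figure describes.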

ACL Classification

There are currently two main types of ACL: the standard ACL and the extended ACL.

The difference between them is that a standard ACL checks only the packet's source address, whereas an extended ACL checks both the source and the destination address of the packet and can also check the packet's specific protocol type and port number.

Network administrators can use standard ACLs to block all traffic from a network, allow all traffic from a specific network, or deny all traffic of an entire protocol suite (such as IP).

Extended ACLs offer a wider range of control than standard ACLs. For example, if a network administrator wants to "allow external web traffic through while rejecting external FTP, Telnet and other traffic", an extended ACL can achieve this; a standard ACL cannot provide such fine-grained control.

In the router configuration, the distinction between standard and extended ACLs is expressed through the ACL number. The accompanying table lists the valid number ranges allowed for each protocol.

Place ACL correctly

ACLs control traffic by filtering packets and discarding those that should not reach their destination. However, whether unnecessary traffic is actually reduced depends on where the network administrator places the ACL.

Assume the TCP/IP network environment shown in Figure 3, in which the only goal is to deny access from the network attached to the T0 interface of Router A to the network attached to the E1 interface of Router D, that is, to prohibit access from Network 1 to Network 2.

Following the rule of placing an ACL as close as possible to the source of the traffic to be rejected, in order to reduce unnecessary traffic, the administrator would place the ACL on Router A. If the administrator uses a standard ACL to restrict the traffic, what is actually executed is that any packet whose source IP address matches Network 1 is discarded, so access from Network 1 to Network 2, Network 3 and Network 4 is all blocked. This ACL placement therefore fails to achieve the administrator's goal. The same problem arises when the ACL is placed on Router B or Router C. Only by placing the ACL on Router D, the router connected to the target network (E0 interface), can the administrator's goal be achieved precisely. We can therefore conclude that a standard ACL should be placed as close as possible to the destination.

If the administrator uses an extended ACL to implement the same control, the ACL can be placed on Router A, because an extended ACL can match on both the source address (Network 1) and the destination address (Network 2). Packets from Network 1 to Network 2 are then discarded on Router A and are never forwarded to Router B, Router C or Router D, which reduces unnecessary network traffic. This gives a second conclusion: an extended ACL should be placed as close as possible to the source.

ACL Configuration

ACL configuration consists of two steps:

Step 1: In global configuration mode, use the following command to create an ACL:

Router(config)# access-list access-list-number {permit | deny} {test-conditions}

access-list-number is the number of the ACL. The commonly used ranges are 1-99 for standard IP ACLs and 100-199 for extended IP ACLs.

On a router, once an ACL with a given number has been configured, entries cannot be inserted into or deleted from the list. To insert or delete a line, all entries of the ACL must first be removed and the list reconfigured. This is cumbersome when the ACL has many entries. A more effective approach is to run a TFTP server on a remote host: first download the router's configuration file to the local computer, edit the ACL with a text editor, and then transfer the modified configuration file back to the router via TFTP.

Note that when configuring an ACL, deleting a single entry removes the whole ACL, so configure with care.

In versions later than Cisco IOS 11.2, named ACLs can be used. With a named ACL a single line can be deleted, but lines still cannot be inserted or reordered, so we still recommend using a TFTP server to modify the configuration.

Step 2: In interface configuration mode, use the access-group command to apply the ACL to an interface:

Router(config-if)# {protocol} access-group access-list-number {in | out}

The in and out parameters control packets in the two directions on the interface. If the parameter is omitted, the default is out.

An ACL can control both directions on one interface, that is, two commands are configured, one for in and one for out. The two commands may use the same or different ACL numbers, but there can be only one ACL in each direction on an interface.

Note that the network administrator must first create the ACL in global configuration mode and only then apply it to a specific interface; otherwise a network security risk may arise.
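An added example, not from the original article: a small Python checker for the configuration pitfalls just described. It reads IOS-style access-list and ip access-group lines and reports an ACL applied to an interface but never defined, a second ACL applied in the same direction on one interface, and extended syntax under a standard-range number. The sample configuration is constructed for the illustration.

```python
import re

STANDARD = range(1, 100)    # standard IP ACL numbers, as given in the article
EXTENDED = range(100, 200)  # extended IP ACL numbers, as given in the article
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}  # keywords only an extended ACL accepts

def lint_acl_config(config: str) -> list[str]:
    """Return findings, ordered by line, for three mistakes the article warns about:
    undefined ACL applied, two ACLs in one direction, extended syntax under 1-99."""
    findings, defined, bound, applied, interface = [], set(), {}, [], None
    for lineno, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if m := re.match(r"access-list (\d+) (?:permit|deny) (\S+)", line):
            number, target = int(m.group(1)), m.group(2)
            defined.add(number)
            if number in STANDARD and target in PROTOCOLS:
                findings.append((lineno, f"line {lineno}: ACL {number} is numbered as a "
                                 f"standard list (1-99) but uses extended syntax"))
        elif m := re.match(r"interface (\S+)", line):
            interface = m.group(1)
        elif (m := re.match(r"ip access-group (\d+) (in|out)", line)) and interface:
            number, direction = int(m.group(1)), m.group(2)
            if (interface, direction) in bound:
                findings.append((lineno, f"line {lineno}: {interface} already has ACL "
                                 f"{bound[interface, direction]} applied {direction}; "
                                 f"only one ACL per direction"))
            else:
                bound[interface, direction] = number
            applied.append((lineno, interface, direction, number))
    # Checked after the whole file is read (a saved configuration may list the ACL
    # later than the interface); the article warns that an ACL applied before it is
    # created is a security risk, so an ACL that is never defined at all is reported.
    for lineno, interface, direction, number in applied:
        if number not in defined:
            findings.append((lineno, f"line {lineno}: {interface} {direction} applies "
                             f"ACL {number}, which is never defined"))
    return [msg for _, msg in sorted(findings)]

# Constructed sample (not from the article) containing one of each mistake.
SAMPLE_CONFIG = """\
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 15 permit tcp any any eq 80
access-list 101 deny tcp 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 eq 23
access-list 101 permit ip any any
interface Ethernet0
 ip access-group 10 out
 ip access-group 20 in
interface Ethernet1
 ip access-group 101 in
 ip access-group 15 in
"""
```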
