There are many types of access control lists (ACLs) on Huawei 3COM devices, and different types are applied in different scenarios. The simplest of them is the standard access control list. It filters on the source IP address in the IP packet, and uses ACL numbers 1 to 99 to create the corresponding ACL.
1. Format of the standard access control list:
The standard access control list is the simplest ACL. Its format is as follows:
acl ACL-number
// Enter the configuration view of the ACL
rule permit | deny source IP-address reverse-mask
For example, the command rule deny source 192.168.1.1 0.0.0.0 discards all packets from the address 192.168.1.1. We can also filter a whole network segment. The command is as follows:
rule deny source 192.168.1.0 0.0.0.255
// Filter and discard all packets from computers in 192.168.1.0/24. Why is the mask that follows the address written as 0.0.0.255? Because Huawei devices, like Cisco devices, require the mask in an ACL rule to be given as a reverse (wildcard) mask: the reverse mask 0.0.0.255 corresponds to the subnet mask 255.255.255.0.
2. Configuration instances:
To make a standard ACL take effect, two things must be configured:
1. Configure the ACL itself, adding the detailed rules to it.
2. Declare the ACL, that is, apply the configured ACL to the corresponding port.
Network environment:
We use the network structure shown in the figure. The router connects two network segments, 172.16.4.0/24 and 172.16.3.0/24. One server in the segment 172.16.4.0/24 provides the WWW service; its IP address is 172.16.4.13.
Instance 1: Prevent every computer in the 172.16.4.0/24 segment except 172.16.4.13 from accessing 172.16.3.0/24; 172.16.4.13 can access 172.16.3.0/24 normally.
Router configuration commands:
acl 1
// Create ACL 1 and enter the ACL configuration view.
rule permit source 172.16.4.13 0.0.0.0
// Allow packets from the server 172.16.4.13.
rule deny source any
// Deny communication from all other IP addresses.
int e1
// Enter port E1.
firewall packet-filter 1 inbound
// Declare (apply) ACL 1 inbound on E1.
After these settings, port E1 only accepts packets from the IP address 172.16.4.13; packets from other IP addresses cannot pass through E1.
TIPS:
Because Huawei 3COM devices append a permit any statement to every ACL by default, the command rule deny source any above must be added; otherwise the configured ACL has no effect, and all packets are forwarded normally because of the permit statement at the end. Alternatively, the ACL can be applied on the router's other port, E0, with the command firewall packet-filter 1 outbound; the result is the same as that of the last two statements.
Instance 2: Prevent the computer 172.16.4.13 from accessing the segment 172.16.3.0/24, while the other computers in 172.16.4.0/24 can access that segment normally.
Router configuration commands:
acl 1
// Create ACL 1 and enter the ACL configuration view.
rule deny source 172.16.4.13 0.0.0.0
// Deny packets from the computer 172.16.4.13.
rule permit source any
// Allow computers with all other addresses to communicate.
int e1
// Enter port E1.
firewall packet-filter 1 inbound
// Declare ACL 1. Similarly, you can enter port E0 and use firewall packet-filter 1 outbound to complete the declaration instead.
After configuration, all IP addresses except 172.16.4.13 can send packets through the router. Note that by default the Huawei device adds rule permit source any at the end of the ACL, so that statement can be omitted in this example with the same effect.
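The following Python model is an added example, not configuration from the page or from Huawei; it reproduces the matching semantics described above (reverse mask, first matching rule wins in configuration order, implicit permit source any at the end) so that the reverse-mask conversion and both instances can be checked offline against constructed source addresses. The rule lists, sample addresses and the assumption that rules are evaluated in the order entered are the example's own.

```python
"""Model of a standard (source-address) ACL as described on the page.

Added example, not the page's or Huawei's own code. Assumptions: rules are
evaluated in configuration order and the first match wins; an unmatched
packet falls through to the default 'permit' the page says the device
appends; all sample addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


def wildcard_mask(prefix_len: int) -> str:
    """Prefix length -> reverse (wildcard) mask, e.g. 24 -> '0.0.0.255'."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return str(ipaddress.IPv4Address(0xFFFFFFFF >> prefix_len))


@dataclass(frozen=True)
class Rule:
    action: str    # 'permit' or 'deny'
    source: int    # source address as a 32-bit integer
    wildcard: int  # bits set here are ignored when matching

    def matches(self, src: int) -> bool:
        care = 0xFFFFFFFF ^ self.wildcard  # bits that must be equal
        return (src & care) == (self.source & care)


def parse_rule(text: str) -> Rule:
    """Parse 'rule permit|deny source <addr> <reverse-mask>' or '... source any'."""
    parts = text.lower().split()
    if (len(parts) < 4 or parts[0] != "rule"
            or parts[1] not in ("permit", "deny") or parts[2] != "source"):
        raise ValueError(f"unrecognised rule: {text!r}")
    if parts[3] == "any":
        return Rule(parts[1], 0, 0xFFFFFFFF)  # 'any' = 0.0.0.0 255.255.255.255
    if len(parts) != 5:
        raise ValueError(f"expected '<address> <reverse-mask>': {text!r}")
    return Rule(parts[1],
                int(ipaddress.IPv4Address(parts[3])),
                int(ipaddress.IPv4Address(parts[4])))


class StandardAcl:
    """An ordered rule list with the device's implicit trailing permit."""

    def __init__(self, rules: List[str], default_action: str = "permit"):
        self.rules = [parse_rule(r) for r in rules]
        self.default_action = default_action

    def evaluate(self, src_ip: str) -> str:
        src = int(ipaddress.IPv4Address(src_ip))
        for rule in self.rules:  # configuration order, first match wins
            if rule.matches(src):
                return rule.action
        return self.default_action  # nothing matched: implicit permit any


# Constructed sample sources: the WWW server and two other hosts on 172.16.4.0/24.
SAMPLE_SOURCES = ["172.16.4.13", "172.16.4.20", "172.16.4.200"]

INSTANCE_1 = ["rule permit source 172.16.4.13 0.0.0.0", "rule deny source any"]
INSTANCE_1_WITHOUT_DENY = ["rule permit source 172.16.4.13 0.0.0.0"]  # the TIPS case
INSTANCE_2 = ["rule deny source 172.16.4.13 0.0.0.0"]  # trailing permit any omitted


def check_instance(rules: List[str]) -> Dict[str, str]:
    """Return the action each sample source receives under the given ACL."""
    acl = StandardAcl(rules)
    return {ip: acl.evaluate(ip) for ip in SAMPLE_SOURCES}


if __name__ == "__main__":
    print("reverse mask for /24:", wildcard_mask(24))
    for name, rules in [("instance 1", INSTANCE_1),
                        ("instance 1 without deny any", INSTANCE_1_WITHOUT_DENY),
                        ("instance 2", INSTANCE_2)]:
        print(name, check_instance(rules))
```

Running the block shows the point made in the TIPS: with the deny source any rule left out, every sample source is permitted because the unmatched packets fall through to the implicit permit, whereas instance 2 works without an explicit permit rule for the same reason. Whether a real device evaluates rules strictly in configuration order depends on its ACL match-order setting, so the model's ordering assumption should be checked against the device's documentation.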
Summary:
The standard ACL uses few router resources and is the most basic and simplest form of access control list. It is widely used, typically where only coarse control is needed. For finer control over packet forwarding, you need the extended access control list, which can filter down to the protocol and TCP/UDP port level.