An access control list (ACL) is an ordered list of rules applied to a router interface that tells the router which packets may pass and which must be dropped. The basic principle is packet filtering: the router reads the layer 3 and layer 4 fields of each packet (source address, destination address, protocol, source port, destination port, and so on), compares them against the predefined rules in order, and forwards or discards the packet accordingly. That is how access control is enforced at the network edge.
ACLs come in two basic types:
Standard ACL: checks only the source address of a packet to decide whether it is permitted or denied. Numbered 1-99.
Extended ACL: checks both the source and destination addresses, and can additionally match the protocol, port numbers and other fields. Numbered 100-199.
An ACL is applied to a router interface, and an interface has two directions in which a list can be applied:
Outbound (out): the packet has already been processed by the router and is leaving through this interface. Order of operations: routing table lookup first, then the ACL check.
Inbound (in): the packet has just arrived on this interface and has not yet been processed. Order of operations: ACL check first, then the routing table lookup.
Matching rules:
Rules are tested from the top. If the first rule matches, the router applies that rule's action (permit or deny) and does not look at the rules below it.
If the first rule does not match, the router continues down the list until some rule matches. If no rule matches, the packet is discarded: every ACL ends with an implicit "deny any".
So a packet is either permitted or denied by the first explicit rule it matches, or discarded by the implicit deny at the end. The examples below illustrate this.
Example 1: Standard access control list
ROUTE(config)#access-list 1 deny 192.168.3.0 0.0.0.255
ROUTE(config)#int f1/0    (apply the list in the inbound direction)
ROUTE(config-if)#ip access-group 1 in
ROUTE#sh ip access-lists    (view the ACL)
Standard IP access list 1
    10 deny   192.168.3.0, wildcard bits 0.0.0.255
C:\users\win7>ping 172.16.2.1
Pinging 172.16.2.1 with 32 bytes of data:
Reply from 192.168.3.254: Destination host unreachable.
Reply from 192.168.3.254: Destination host unreachable.
Reply from 192.168.3.254: Destination host unreachable.
Reply from 192.168.3.254: Destination host unreachable.
Removing the ACL from the interface:
ROUTE(config-if)#no ip access-group 1 in
C:\users\win7>ping 172.16.2.1    (with the ACL removed, the ping succeeds)
Pinging 172.16.2.1 with 32 bytes of data:
Reply from 172.16.2.1: bytes=32 time=127ms TTL=252
Reply from 172.16.2.1: bytes=32 time=97ms TTL=252
Reply from 172.16.2.1: bytes=32 time=78ms TTL=252
Reply from 172.16.2.1: bytes=32 time=84ms TTL=252
To delete the ACL itself:
ROUTE(config)#no access-list 1
Allow only a single host:
ROUTE(config)#access-list 2 permit host 192.168.3.2
ROUTE(config)#int f1/0
ROUTE(config-if)#ip access-group 2 in
Allow everything else (the entry is appended after the host entry, so other sources are permitted instead of hitting the implicit deny):
ROUTE(config)#access-list 2 permit any
or
ROUTE(config)#access-list 2 permit 0.0.0.0 255.255.255.255
Example 2: Extended access control list
SW1(config)#access-list 101 deny tcp any host 172.16.1.1 eq www
SW1(config)#int vlan 2
SW1(config-if)#ip access-group 101 in
SW1#sh access-lists
Extended IP access list 101
    10 deny tcp any host 172.16.1.1 eq www (matches)
SW1#sh ip int vlan 2
Vlan2 is up, line protocol is up
  Internet address is 172.16.2.254/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.5 224.0.0.6
  Outgoing access list is not set
  Inbound access list is 101
...
The client can no longer reach the server. Note that list 101 contains only a deny entry, so the implicit deny at the end drops every other packet arriving inbound on VLAN 2 as well, not just HTTP to 172.16.1.1:
After the ACL is removed from the interface, access works normally again:
SW1(config)#int vlan 2
SW1(config-if)#no ip access-group 101 in
Example 3: Named access control list
SW1(config)#ip access-list extended name
SW1(config-ext-nacl)#deny tcp any host 172.16.1.1 eq www
SW1(config)#int vlan 2
SW1(config-if)#ip access-group name in
SW1#sh ip access-lists name
Extended IP access list name
    10 deny tcp any host 172.16.1.1 eq www
While this entry is in place the client cannot reach the server; once it is removed, access works normally again. A named ACL can be edited entry by entry: remove the original line, then add numbered entries that deny the 172.16.2.0/24 network and permit 172.16.1.0/24 (the sequence number decides where an entry sits in the list):
SW1(config)#ip access-list extended name
SW1(config-ext-nacl)#no deny tcp any host 172.16.1.1 eq www
SW1(config-ext-nacl)#11 deny tcp 172.16.2.0 0.0.0.255 host 172.16.1.1 eq www
SW1(config-ext-nacl)#12 permit tcp 172.16.1.0 0.0.0.255 host 172.16.1.1 eq www
SW1#sh ip access-lists
Extended IP access list name
    11 deny tcp 172.16.2.0 0.0.0.255 host 172.16.1.1 eq www (matches)
    12 permit tcp 172.16.1.0 0.0.0.255 host 172.16.1.1 eq www
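The matching rules above (first match wins, Cisco wildcard masks, the implicit "deny any" at the end of every list) and the three examples can be checked without a router. The following Python simulator is an added example, not code from the original post: it parses the exact ACL lines shown on this page, replays packets through them, keeps the per-entry match counter that "show ip access-lists" displays, and supports the sequence-numbered add/remove edits of Example 3. The Packet values are constructed for illustration; only the "eq" port operator is modeled.

```python
"""Cisco IOS ACL matching simulator: wildcard masks, first match wins, implicit deny,
sequence-numbered named-ACL edits. Added example, not code from the original post."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}
ANY = ("0.0.0.0", "255.255.255.255")  # 'any': every address bit is "don't care"

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(network)) & care

def _addr(tok, i):
    """Consume 'any' | 'host A' | 'A W' at tok[i]; return ((A, W), next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    return ((tok[i + 1], "0.0.0.0") if tok[i] == "host" else (tok[i], tok[i + 1])), i + 2

def _port(tok, i):
    """Consume an optional 'eq <port>'; gt/lt/range operators are not modeled."""
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"           # "tcp", "udp", "icmp", ...
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass
class Rule:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" for standard ACLs (source address only)
    src: tuple
    sport: Optional[int]
    dst: tuple
    dport: Optional[int]
    matches: int = 0            # the "(N matches)" counter of show ip access-lists

    def hit(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and wildcard_match(p.src, *self.src) and wildcard_match(p.dst, *self.dst)
                and self.sport in (None, p.sport) and self.dport in (None, p.dport))

class Acl:
    def __init__(self, name: str, kind: str):
        self.name, self.kind, self.rules = name, kind, []

    def add(self, line: str) -> Rule:
        """'[seq] permit|deny ...' as typed in ACL mode; IOS appends at last+10 if unnumbered."""
        tok = line.split()
        seq = int(tok.pop(0)) if tok[0].isdigit() else (self.rules[-1].seq + 10 if self.rules else 10)
        action, i = tok[0], 1
        if self.kind == "standard":
            src, i = _addr(tok, i)
            rule = Rule(seq, action, "ip", src, None, ANY, None)
        else:
            proto, i = tok[i], i + 1
            src, i = _addr(tok, i)
            sport, i = _port(tok, i)
            dst, i = _addr(tok, i)
            dport, i = _port(tok, i)
            rule = Rule(seq, action, proto, src, sport, dst, dport)
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)  # a numbered entry lands in sequence order
        return rule

    def remove(self, seq: int) -> None:
        self.rules = [r for r in self.rules if r.seq != seq]  # 'no <entry>' drops one line

    def evaluate(self, p: Packet):
        """First matching rule decides; no match -> the implicit 'deny any' (seq None)."""
        for r in self.rules:
            if r.hit(p):
                r.matches += 1
                return r.action, r.seq
        return "deny", None

def numbered_acl(*lines: str) -> Acl:
    """Build from global 'access-list N ...' lines: 1-99 standard, 100-199 extended."""
    num = int(lines[0].split()[1])
    acl = Acl(str(num), "standard" if num <= 99 else "extended")
    for ln in lines:
        acl.add(ln.split(None, 2)[2])
    return acl

if __name__ == "__main__":  # Example 2: the lone deny plus the implicit deny drops HTTPS too
    acl101 = numbered_acl("access-list 101 deny tcp any host 172.16.1.1 eq www")
    for dport in (80, 443):
        print(dport, acl101.evaluate(Packet("172.16.2.10", "172.16.1.1", "tcp", 40000, dport)))
```

Running the block prints ("deny", 10) for port 80 and ("deny", None) for port 443, which is the Example 2 behaviour: with only a deny entry in list 101, non-HTTP traffic is not permitted either, it is dropped by the implicit deny. Building the Example 3 list with Acl("name", "extended"), removing entry 10 and adding the numbered entries 11 and 12 shows the ordered, per-entry editing that numbered lists lack.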
Note:
Only one ACL can be applied per direction (per protocol) on a router interface, so an interface carries at most two IP ACLs: one outbound and one inbound.
ACLs only filter traffic that passes through the device; an outbound ACL does not filter traffic generated by the router or layer 3 switch itself.
Place a standard ACL as close to the destination as possible: it can only match the source address, so placing it near the source would cut that source off from everything, not just the intended target. Place an extended ACL as close to the source as possible, so unwanted traffic is dropped before it crosses the network.
To modify a numbered standard or extended ACL you must delete the whole list and re-enter it; a named ACL can be changed by adding or removing individual entries, as in Example 3.
This article is from the "Ten thousand years is too long, seize the day" blog; please keep this source: http://zengwj1949.blog.51cto.com/10747365/1922848
Cisco Access Control Lists (ACL)