[Lab7] Acl
Access control lists (ACLs) use packet filtering technology: the router reads the Layer 3 and Layer 4 headers of each packet (source address, destination address, source port, destination port, and so on) and filters packets according to predefined rules, thereby achieving access control. There are many kinds of ACLs, and different kinds are used on different occasions.
1. Standard ACLs
The simplest kind. A standard ACL filters only on the source IP address in the IP packet; its list number range is 1-99 or 1300-1999.
2. Extended ACLs
Extended ACLs have more match conditions than standard ACLs and are more powerful and granular: they can filter on protocol type, source address, destination address, source port, destination port, TCP connection establishment, and so on; the list number range is 100-199 or 2000-2699.
3. Named ACLs
A list name is used instead of a list number to define the ACL; named ACLs also come in both standard and extended forms.
When learning access control lists, pay special attention to the following two terms.
1. Wildcard mask: a 32-bit bit string that specifies which bits of an IP address are to be ignored when that address is compared with other IP addresses. A "1" in the wildcard mask means the corresponding bit of the IP address is ignored, while a "0" means that bit must match. Two special wildcard masks are "255.255.255.255" and "0.0.0.0": the former is equivalent to the keyword "any", the latter to the keyword "host";
2. Inbound and outbound: when an access control list is applied to an interface, the user specifies whether it applies to incoming or outgoing data.
In summary, ACLs have a very wide range of applications; they can achieve the following functions:
1. Deny or allow incoming (or outgoing) traffic through a specific interface;
2. Define the traffic of interest for a DDR (dial-on-demand routing) application;
3. Filter the content of routing updates;
4. Control access to the virtual terminal (vty) lines;
5. Provide flow control.
7-1 Standard ACLs
[Figure clip_image002: lab topology, http://s3.51cto.com/wyfs02/M01/6F/CC/wKioL1WozZuRWPwnAAC-OO4uscc148.jpg]
This experiment denies the PC2 network segment access to router R2 and allows only hosts in the PC3 network segment to access the Telnet service of router R2. EIGRP is configured across the whole network to guarantee IP connectivity.
Look at the configuration of R2:
access-list deny 172.16.1.0 0.0.0.255 log
access-list permit any
access-list permit 172.16.3.0 0.0.0.255 log
line vty 0 4
 access-class
 password Fuyi
 login
interface fastethernet0/0
 ip address 12.1.1.2 255.255.255.0
 ip access-group
 duplex auto
 speed auto
1. Access control list entries are checked in top-down order, starting with the first entry;
2. Therefore the order in which statements are defined in the access control list must be considered;
3. The router does not filter IP packets generated by itself;
4. The last entry of every access control list is an implicit deny all;
5. Per interface, per direction, per protocol, only one ACL can be applied;
6. The "access-class" command is valid only for standard ACLs.
[Tip] Zero the access control list counters with "clear access-list counters".
7-2 Extended ACLs
This experiment requires that only hosts in the PC2 network segment be allowed to access the WWW and Telnet services of router R2, and that the PC3 network segment be denied from pinging router R2.
R1(config)#access-list permit tcp 172.16.1.0 0.0.0.255 any eq www    [in practice "any" should not be used here; it is just laziness, the destination should be written out in full as R2's directly connected network segment]
R1(config)#access-list permit tcp 172.16.1.0 0.0.0.255 any eq telnet    [same note as above]
R1(config)#int f1/0
R1(config-if)#ip access-group
R3(config)#access-list deny icmp 172.16.3.0 0.0.0.255 any    [same note as above: "any" should be R2's directly connected network segment]
R3(config)#access-list permit ip any any
R3(config)#int f0/0
R3(config-if)#ip access-group
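To make the wildcard-mask rule and the top-down, first-match, implicit-deny evaluation concrete, here is a small Python model added to this write-up (it is not the lab's configuration and not Cisco IOS code). It evaluates the two lab ACLs above: the standard list on R2 that denies 172.16.1.0 0.0.0.255 and permits any, and the extended list on R1 that permits TCP 80 and 23 from the PC2 segment. The host address 172.16.1.10, the use of 2.2.2.2 as the destination in the extended case and the reversed-order variant are assumptions made for the example.

```python
"""Toy model of Cisco-style ACL matching: wildcard masks, top-down
evaluation and the implicit deny at the end of every list.
Added example, not the lab's own code or Cisco IOS code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ("0.0.0.0", "255.255.255.255")   # keyword "any": every bit ignored


def host(ip: str):
    """Keyword "host": wildcard 0.0.0.0, every bit must match."""
    return (ip, "0.0.0.0")


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    proto: str = "ip"            # "ip" matches every protocol (a standard ACL)
    src: str = ANY[0]
    src_wc: str = ANY[1]
    dst: str = ANY[0]
    dst_wc: str = ANY[1]
    dport: Optional[int] = None  # None: no "eq <port>" clause


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard mask means the corresponding address bit is
    ignored; a 0 bit means it must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not wildcard_match(p.src, e.src, e.src_wc):
        return False
    if not wildcard_match(p.dst, e.dst, e.dst_wc):
        return False
    return e.dport is None or e.dport == p.dport


def evaluate(acl: List[Entry], p: Packet) -> str:
    """Entries are checked top-down; the first match decides; a packet that
    matches nothing hits the implicit "deny any" at the end of the list."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"


# The lab's standard ACL on R2 (the page omits the list number):
#   access-list deny 172.16.1.0 0.0.0.255 log
#   access-list permit any
STANDARD_ACL = [
    Entry("deny", src="172.16.1.0", src_wc="0.0.0.255"),
    Entry("permit"),
]

# The lab's extended ACL on R1: web and telnet from the PC2 segment; anything
# else (including ping) falls through to the implicit deny.
EXTENDED_ACL = [
    Entry("permit", "tcp", "172.16.1.0", "0.0.0.255", *ANY, dport=80),
    Entry("permit", "tcp", "172.16.1.0", "0.0.0.255", *ANY, dport=23),
]


def demo() -> dict:
    """Host address 172.16.1.10 (PC2 segment) and the reversed-order variant
    are constructed for this example; 172.16.3.4, 12.1.1.2 and 2.2.2.2 are
    addresses from the lab."""
    pc2 = "172.16.1.10"
    pc3 = "172.16.3.4"
    return {
        "pc2_standard": evaluate(STANDARD_ACL, Packet("ip", pc2, "12.1.1.2")),
        "pc3_standard": evaluate(STANDARD_ACL, Packet("ip", pc3, "12.1.1.2")),
        # the same two entries in the opposite order: "permit any" shadows the deny
        "pc2_reversed": evaluate(STANDARD_ACL[::-1], Packet("ip", pc2, "12.1.1.2")),
        "pc2_http": evaluate(EXTENDED_ACL, Packet("tcp", pc2, "2.2.2.2", 80)),
        "pc2_ssh": evaluate(EXTENDED_ACL, Packet("tcp", pc2, "2.2.2.2", 22)),
        "pc2_ping": evaluate(EXTENDED_ACL, Packet("icmp", pc2, "2.2.2.2")),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

Running the block prints one verdict per line. pc2_reversed shows why the order of entries matters: with "permit any" first, the deny after it is never reached. The implicit deny is also why the extended list on R1, which only mentions web and telnet, blocks ping and every other protocol from the PC2 segment.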
Tips
(1) The parameter "log" generates log messages recording the packets that match the ACL entry;
(2) Place extended access control lists as close as possible to the source being filtered, so that the filter does not in turn affect the flow of data on other interfaces. Also try to place standard access control lists as close as possible to the destination: a standard access control list uses only the source address, and if it is placed close to the source it prevents the packets from flowing to the other ports as well.
7-3 Named ACLs
Named ACLs allow both standard and extended ACLs to be identified by a string instead of the numbers used above. A named ACL also allows individual control entries to be removed from a specific ACL, which makes it convenient for the network administrator to modify the ACL.
R3(config)#ip access-list ?
  extended    Extended Access List
  log-update  Control access list log updates
  logging     Control access list logging
  resequence  Resequence Access List
  standard    Standard Access List
7-4 Time-based ACLs
Requirement: allow only the PC3 host to access the Telnet service of router R2, and only on weekdays (Monday to Friday) between 8:00 and 18:00.
ip access-list extended TELNET
 permit tcp host 172.16.3.4 host 2.2.2.2 eq telnet time-range Fuyi
time-range Fuyi
 periodic weekdays 8:00 to 18:00
interface fastethernet0/0
 ip address 172.16.3.250 255.255.255.0
 ip access-group TELNET in
R3#sh time-range
time-range entry: Fuyi (inactive)
   periodic weekdays 8:00 to 18:00
   used in: IP ACL entry
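As an added illustration (not the lab's own code), the following Python model shows how a periodic time-range gates an access list entry: the entry matches only while the time-range is active, so outside the window the packet falls through to the implicit deny, which is why "show time-range" reports the entry inactive outside 8:00-18:00 on weekdays. The dates used (20 and 25 July 2015), the parser for the periodic statement and the treatment of the end time as exclusive are assumptions of the example.

```python
"""Toy model of an IOS time-range with a "periodic" statement, used to decide
whether a time-based ACL entry is active. Added example, not the lab's own
code or Cisco IOS code."""
from datetime import datetime, time
from typing import Set, Tuple

# Monday=0 ... Sunday=6, as Python's datetime.weekday() numbers them
DAY_GROUPS = {
    "daily": {0, 1, 2, 3, 4, 5, 6},
    "weekdays": {0, 1, 2, 3, 4},
    "weekend": {5, 6},
}
DAY_NAMES = {
    "monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
    "friday": 4, "saturday": 5, "sunday": 6,
}


def _hhmm(text: str) -> time:
    hour, minute = text.split(":")
    return time(int(hour), int(minute))


def parse_periodic(spec: str) -> Tuple[Set[int], time, time]:
    """Parse "weekdays 8:00 to 18:00" or "monday wednesday 8:00 to 18:00"
    into (set of weekday numbers, start, end)."""
    tokens = spec.lower().split()
    to = tokens.index("to")
    start, end = _hhmm(tokens[to - 1]), _hhmm(tokens[to + 1])
    days: Set[int] = set()
    for word in tokens[:to - 1]:
        if word in DAY_GROUPS:
            days |= DAY_GROUPS[word]
        elif word in DAY_NAMES:
            days.add(DAY_NAMES[word])
        else:
            raise ValueError(f"unknown day keyword: {word}")
    if not days:
        raise ValueError("periodic statement names no days")
    return days, start, end


def time_range_active(spec: str, when: datetime) -> bool:
    """True while the periodic window covers 'when' (the end time is treated
    as exclusive, a modelling choice for this example)."""
    days, start, end = parse_periodic(spec)
    return when.weekday() in days and start <= when.time() < end


def telnet_allowed(src: str, dst: str, dport: int, when: datetime,
                   spec: str = "weekdays 8:00 to 18:00") -> str:
    """Models the lab's entry
        permit tcp host 172.16.3.4 host 2.2.2.2 eq telnet time-range Fuyi
    in the list TELNET: it matches only while its time-range is active; at
    any other time the packet falls through to the implicit deny."""
    entry_matches = src == "172.16.3.4" and dst == "2.2.2.2" and dport == 23
    if entry_matches and time_range_active(spec, when):
        return "permit"
    return "deny"


if __name__ == "__main__":
    # constructed dates: 2015-07-20 is a Monday, 2015-07-25 a Saturday
    for when in (datetime(2015, 7, 20, 9, 0), datetime(2015, 7, 20, 19, 0),
                 datetime(2015, 7, 25, 9, 0)):
        print(when, time_range_active("weekdays 8:00 to 18:00", when),
              telnet_allowed("172.16.3.4", "2.2.2.2", 23, when))
```

The router's clock is what decides whether the window is active, so a time-based ACL is only as trustworthy as the router's time source; if the clock is wrong, the entry is active or inactive at the wrong hours.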
7-5 Dynamic ACLs
Dynamic ACLs are a Cisco IOS security feature that lets a user temporarily open a hole in the firewall without breaking the other configured security restrictions.
Requirement: if hosts in the PC3 network segment want to ping router R2, they must first telnet successfully to router R2 (2.2.2.2) before access is granted.
R2:
access-list permit tcp host 172.16.3.4 host 2.2.2.2 eq telnet    // open Telnet access
access-list permit eigrp any any
access-list dynamic test timeout permit ip host 172.16.3.4 host 2.2.2.2
Parameter timeout: the maximum time the dynamic ACL entry is allowed to live.
R2:
R2(config)#username fuyi password Fuyi
R2(config)#line vty 0 15
R2(config-line)#login local
R2(config-line)#autocommand access-enable host timeout 5
// Creates a temporary access control list entry in the dynamic ACL; timeout is how long this entry exists.
If the parameter "host" is used, the temporary entry is created only for the individual IP address the user connected from; if it is not used, the user's entire network is allowed by the temporary entry.
7-6 Reflexive ACLs
1. Reflexive ACL entries are always permit;
2. Reflexive ACLs allow IP packets to be filtered on upper-layer session information;
3. A reflexive ACL allows only outgoing traffic and blocks flows initiated from the external network toward the internal network, to better protect the internal network;
4. A reflexive ACL entry is generated automatically when there is traffic, mirroring the direction of that traffic, and the entry is deleted when the session ends;
5. Reflexive ACLs are not applied directly to an interface; they are nested inside an extended named access list.
[Figure clip_image004: lab topology, http://s3.51cto.com/wyfs02/M02/6F/CF/wKiom1Woy96DffQjAADf3B8r6QQ692.jpg]
Requirement: the intranet must be able to initiate access to the external network, but the external network cannot initiate access to the intranet, so that the intranet is effectively protected.
R2(config)#ip access-list extended aclout
R2(config-ext-nacl)#permit tcp any any reflect REF    // define the reflexive ACL
R2(config-ext-nacl)#permit udp any any reflect REF
R2(config)#ip access-list extended aclin
R2(config-ext-nacl)#evaluate REF    // evaluate the reflexive entries
R2(config)#int f0/1
R2(config-if)#ip access-group aclout out
R2(config-if)#ip access-group aclin in
When there is traffic from inside to outside, a temporary entry is generated automatically.
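The following Python model, added here and not taken from the lab or from Cisco IOS, shows the reflexive mechanism end to end: a permitted outbound TCP/UDP flow creates a temporary entry with source and destination swapped, the inbound list's evaluate step permits only packets matching such an entry, the entry is removed when the session ends, and an entry that sees no traffic within an idle timeout expires. The addresses 172.16.1.10 and 198.51.100.7, the port numbers and the 300-second idle timeout are constructed for the example.

```python
"""Toy model of a reflexive ACL: an outbound entry with "reflect REF" creates
a temporary, mirrored permit entry for the return traffic; the inbound list's
"evaluate REF" consults those entries and then falls to the implicit deny.
Added example, not the lab's own code or Cisco IOS code."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# protocol, source address, source port, destination address, destination port
Flow = Tuple[str, str, int, str, int]


@dataclass
class Reflexive:
    name: str
    idle_timeout: float = 300.0      # seconds; constructed default for this model
    entries: Dict[Flow, float] = field(default_factory=dict)   # flow -> last seen

    def reflect(self, proto: str, src: str, sport: int, dst: str, dport: int,
                now: float) -> None:
        """Mirror the permitted outbound flow: swap addresses and ports so the
        temporary entry matches only the reply direction."""
        self.entries[(proto, dst, dport, src, sport)] = now

    def expire(self, now: float) -> None:
        """Entries not refreshed within the idle timeout are removed."""
        stale = [k for k, seen in self.entries.items()
                 if now - seen > self.idle_timeout]
        for k in stale:
            del self.entries[k]

    def evaluate(self, proto: str, src: str, sport: int, dst: str, dport: int,
                 now: float, session_end: bool = False) -> bool:
        """The "evaluate REF" step: permit only if a mirrored entry exists.
        A packet that ends the session (TCP FIN/RST) deletes the entry."""
        self.expire(now)
        key = (proto, src, sport, dst, dport)
        if key not in self.entries:
            return False
        if session_end:
            del self.entries[key]
        else:
            self.entries[key] = now     # refresh the idle timer
        return True


def outbound(ref: Reflexive, proto, src, sport, dst, dport, now) -> str:
    """aclout: permit tcp any any reflect REF / permit udp any any reflect REF."""
    if proto in ("tcp", "udp"):
        ref.reflect(proto, src, sport, dst, dport, now)
        return "permit"
    return "deny"                       # implicit deny


def inbound(ref: Reflexive, proto, src, sport, dst, dport, now,
            session_end=False) -> str:
    """aclin: evaluate REF, then implicit deny."""
    ok = ref.evaluate(proto, src, sport, dst, dport, now, session_end)
    return "permit" if ok else "deny"


def demo() -> dict:
    """Addresses 172.16.1.10 (inside) and 198.51.100.7 (outside) and all port
    numbers are constructed for this example."""
    ref = Reflexive("REF")
    inside, outside = "172.16.1.10", "198.51.100.7"
    r = {}
    # outside tries to open a connection first: nothing has been mirrored yet
    r["unsolicited_in"] = inbound(ref, "tcp", outside, 40000, inside, 80, now=0)
    # inside opens a web session; the reply direction is now permitted
    r["out"] = outbound(ref, "tcp", inside, 51000, outside, 80, now=1)
    r["reply_in"] = inbound(ref, "tcp", outside, 80, inside, 51000, now=2)
    # same hosts, different client port: not part of the mirrored session
    r["other_port_in"] = inbound(ref, "tcp", outside, 80, inside, 51001, now=2)
    # FIN closes the session and removes the temporary entry
    r["fin_in"] = inbound(ref, "tcp", outside, 80, inside, 51000, now=3,
                          session_end=True)
    r["after_fin"] = inbound(ref, "tcp", outside, 80, inside, 51000, now=4)
    # a UDP reply that arrives after the idle timeout is no longer permitted
    outbound(ref, "udp", inside, 5000, outside, 53, now=10)
    r["udp_reply_late"] = inbound(ref, "udp", outside, 53, inside, 5000, now=400)
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {verdict}")
```

Note that with only "evaluate REF" in aclin, any inbound packet on F0/1 that is not the mirror of an outbound session hits the implicit deny, which includes routing protocol and ICMP traffic arriving on that interface; a deployment that needs such traffic adds explicit permit entries for it in aclin.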
This article is from the "Erick" blog; reprinting is declined.