The security importance of Cisco router ACLs cannot be ignored.

Source: Internet
Author: User

Everyone knows that the ACL plays an important role in the security policy of a Cisco router, so it is essential to master these knowledge points; the topic comes up in many places. An ACL (Access Control List) is an ordered set of statements: a table of rules that permits or denies packet flows according to criteria matched against each packet. The criteria used to permit or deny a packet are drawn from the information carried in the packet itself, which in practice is limited to the layer-3 and layer-4 headers. When a packet arrives at a router interface, the router tests it against the list one statement at a time. If the packet matches a statement, the action in that statement is executed; if it does not match, the next statement in the access list is tested.

If no statement has matched by the time the end of the list is reached, the packet is discarded by the default rule. Correctly creating and configuring access lists is a vital part of Cisco router ACL configuration: it not only lets administrators control network traffic, but also implements the security policy and protects sensitive devices from unauthorized access. An access list is essentially a series of conditions that control access to and from a subnet. Access lists filter unwanted packets and implement security policy; with an appropriate combination of access lists, a network administrator can implement almost any access policy.

IP and IPX access lists work in a similar way: both are packet filters that compare packets against rules, classify them, and act on the result. Once a list is created, it can be applied to inbound or outbound traffic on any interface. Some important rules govern how a packet is compared with an access list: the lines of the list are compared in order, starting from the first line, then the second, the third, and so on, until a matching line is found. Once a packet matches a line, the action on that line is applied and no further lines are compared.

At the end of every access list there is an implicit "deny any" statement, meaning that a packet that matches none of the lines in the list is discarded. When access lists are used to filter IP and IPX packets, the wording and order of each rule therefore matter a great deal. Both IP and IPX have two types of access list. A standard IP access list filters only on the source IP address of the packet, so it permits or denies the entire protocol suite from a given source, regardless of destination or application. A standard IPX access list can filter on both source and destination IPX address. An extended IP access list examines the source and destination IP address, the protocol field in the network-layer header, and the port numbers in the transport-layer header. An extended IPX access list uses the source and destination IPX address, the network-layer protocol field, and the socket number in the transport-layer header.

Once an access list is created, it can be applied to an interface in the inbound or outbound direction. With an inbound access list, a packet is processed through the list before it is routed to the outgoing interface; with an outbound access list, the packet is first routed to the outgoing interface and then processed through the list applied there. Some guidelines should be followed when creating and applying access lists on a Cisco router. Only one access list can be assigned per interface, per protocol, per direction: if IP access lists are used, each interface can have one inbound and one outbound IP access list. Organize the list so that the more specific tests are at the top. A new entry added to a numbered access list is always appended to the end of the list, so a specific rule added later sits below any broader rule that precedes it. An individual line cannot be deleted from a numbered access list.

If you try to do so (for example with no access-list 101 deny ...), the entire access list is deleted. Named access lists (ip access-list standard | extended NAME) let you remove individual entries and, on IOS releases that support ACL sequence numbers, insert an entry at a chosen position, so they are the usual way around this limitation. Unless a permit any statement is placed at the end of the list, packets that match none of the tests in the list are discarded. Every list should contain at least one permit statement; otherwise it denies all traffic on the interface it is applied to. Create the access list first, then apply it to an interface: if an interface is configured with an access-group that refers to an access list that does not yet exist, no filtering takes place and all traffic passes.
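As an added illustration (not code from the original article, and not Cisco's), the following Python models the matching rules described above for numbered IP access lists: top-down evaluation, first match wins, the implicit deny at the end of every list, and the consequence of the ordering guideline, namely a specific line appended below a broader one that can never match. The access-list lines and addresses in ACL_101 are constructed for the example; only the numeric "eq <port>" operator on the destination is modelled, and IPX, named lists and other port operators are left out.

```python
"""Toy model of Cisco IOS numbered IP access lists (constructed example, not
Cisco code): top-down first-match evaluation, the implicit deny at the end of
every list, and a check for entries shadowed by an earlier, broader entry."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Match:
    addr: int       # 32-bit IPv4 address
    wildcard: int   # IOS wildcard mask: 1 bits are "don't care"

    def hit(self, ip: str) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (int(IPv4Address(ip)) & care) == (self.addr & care)

    def covers(self, other: "Match") -> bool:
        # self ignores every bit other ignores and agrees on every bit it checks
        care = ~self.wildcard & 0xFFFFFFFF
        return (self.wildcard | other.wildcard) == self.wildcard and \
            (self.addr & care) == (other.addr & care)


ANY = Match(0, 0xFFFFFFFF)   # the "any" keyword


@dataclass(frozen=True)
class Entry:
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches any IP protocol; always "ip" for standard lists
    src: Match
    dst: Match           # ANY for standard lists, which test the source only
    dport: "int | None"  # destination port, None = any
    text: str            # configuration line this entry came from


def _addr(tok, i, bare_ok):
    """Parse 'any' | 'host A' | 'A W' (| bare 'A' when bare_ok) starting at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return Match(int(IPv4Address(tok[i + 1])), 0), i + 2
    addr = int(IPv4Address(tok[i]))
    if bare_ok and (i + 1 >= len(tok) or not tok[i + 1].replace(".", "").isdigit()):
        return Match(addr, 0), i + 1      # bare address in a standard list = one host
    return Match(addr, int(IPv4Address(tok[i + 1]))), i + 2


def parse_entry(line: str) -> Entry:
    """Parse 'access-list N permit|deny ...' (IP lists; only numeric 'eq <dst port>')."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported line: {line}")
    number, action = int(tok[1]), tok[2]
    if 1 <= number <= 99:                    # standard: source address only
        return Entry(action, "ip", _addr(tok, 3, True)[0], ANY, None, line)
    if 100 <= number <= 199:                 # extended: proto, src, dst [eq port]
        src, i = _addr(tok, 4, False)
        dst, i = _addr(tok, i, False)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        return Entry(action, tok[3], src, dst, dport, line)
    raise ValueError(f"{number} is not an IP access list number")


def evaluate(entries, proto, src_ip, dst_ip, dport=None):
    """First matching entry decides; no match falls through to the implicit deny."""
    for e in entries:
        if e.proto in ("ip", proto) and e.src.hit(src_ip) and e.dst.hit(dst_ip) \
                and e.dport in (None, dport):
            return e.action, e.text
    return "deny", "<implicit deny at end of list>"


def shadowed(entries):
    """Lines that can never match because an earlier line covers everything they would."""
    dead = []
    for i, later in enumerate(entries):
        if any(earlier.proto in ("ip", later.proto) and earlier.src.covers(later.src)
               and earlier.dst.covers(later.dst) and earlier.dport in (None, later.dport)
               for earlier in entries[:i]):
            dead.append(later.text)
    return dead


# Constructed list: SSH to a management host from one subnet, everything else to
# that host denied, and no "permit ip any any", so other traffic hits the implicit
# deny.  The last line was "added later": IOS appended it below the broad deny,
# so it can never match.
ACL_101 = [
    "access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.10 eq 22",
    "access-list 101 deny ip any host 192.168.1.10",
    "access-list 101 permit tcp host 10.2.2.2 host 192.168.1.10 eq 22",
]


def demo():
    acl = [parse_entry(line) for line in ACL_101]
    return {
        "ssh 10.1.1.5 -> mgmt": evaluate(acl, "tcp", "10.1.1.5", "192.168.1.10", 22),
        "ssh 10.2.2.2 -> mgmt": evaluate(acl, "tcp", "10.2.2.2", "192.168.1.10", 22),
        "http 10.2.2.2 -> other": evaluate(acl, "tcp", "10.2.2.2", "192.168.1.20", 80),
        "dead lines": shadowed(acl),
    }
```

shadowed() is the check worth running after every change to a numbered list: because IOS appends new entries at the end, a permit added below a broader deny is silently dead, and on a numbered list the only remedy is to remove the list and re-enter it in the right order.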

Access lists are designed to filter traffic passing through the router; they do not filter traffic originated by the router itself. Place a standard IP access list as close as possible to the destination: because it matches only on source address, placing it near the source would cut that source off from every destination. Place an extended IP access list as close as possible to the source, so unwanted traffic is dropped before it crosses the network. Standard IP access lists: Table 1 lists the configuration commands for the standard IP access list and Table 2 the related EXEC commands. A standard IPX access list is configured in the same way as a standard IP access list:

access-list {number} {permit | deny} {source_address} {destination_address}
ipx access-group {number | name} {in | out}

Extended IPX access lists can filter on any of the following: source network/node address, destination network/node address, IPX protocol (SAP, SPX, etc.) and IPX socket. They are configured in the same way as the standard access list, with the protocol and socket information added:

access-list {number} {permit | deny} {protocol} {source} {socket} {destination} {socket}

Because IPX is not the focus of this introduction, we will not go further into it. The number given to an access list is worth noting: the number range determines which protocol the list filters and whether it is standard or extended, so a list for filtering IP traffic must be created in the IP ranges. The protocols available for access lists depend on the IOS version; the following output shows the ranges on a Cisco router:

Router(config)# access-list ?
  <1-99>       IP standard access list
  <100-199>    IP extended access list
  <1000-1099>  IPX SAP access list
  <1100-1199>  Extended 48-bit MAC address access list
  <1200-1299>  IPX summary address access list
  <200-299>    Protocol type-code access list
  <300-399>    DECnet access list
  <400-499>    XNS standard access list
  <500-599>    XNS extended access list
  <600-699>    Appletalk access list
  <700-799>    48-bit MAC address access list
  <800-899>    IPX standard access list
  <900-999>    IPX extended access list
