"IT Layman" Network Knowledge Notes 11: Access Control Lists (ACL) (1: Standard Access Lists)


An Access Control List (ACL) is a list of instructions applied to router and switch interfaces that controls which packets are allowed in and out of a port. ACLs apply to all routed protocols, such as IP, IPX, AppleTalk, and so on.

Effects of ACLs:

ACLs can limit network traffic and improve network performance.

ACLs provide a means of controlling traffic flow.

ACLs are the basic means of providing secure access to a network.

ACLs determine, at a router interface, which types of traffic are forwarded and which are blocked.

The 3P principle:

The general rule for applying ACLs on routers is the 3P principle: you can configure one ACL per protocol, per direction, per interface:

One ACL per protocol: to control traffic on an interface, an appropriate ACL must be defined for each protocol enabled on that interface.

One ACL per direction: an ACL controls traffic in only one direction on an interface. To control both inbound and outbound traffic, you must define two separate ACLs.

One ACL per interface: an ACL controls traffic on only one interface (for example, FastEthernet 0/0).

ACL classification

There are currently three main types of ACL: standard ACLs, extended ACLs, and named ACLs. Other types include MAC ACLs, time-based ACLs, Ethernet protocol ACLs, IPv6 ACLs, and so on.

Standard ACLs use the numbers 1 to 99 and 1300 to 1999 as list numbers; extended ACLs use the numbers 100 to 199 and 2000 to 2699.

A standard ACL can block all traffic from a network, allow all traffic from a particular network, or deny all traffic for a protocol suite (such as IP).

Extended ACLs provide a broader range of control than standard ACLs. For example, if a network administrator wants to "allow external web traffic to pass, but reject external FTP and Telnet traffic", an extended ACL can achieve this goal, whereas a standard ACL cannot control traffic that precisely.

Standard and extended access control lists are identified by a list number; a named access control list uses a string of letters or digits instead of the number. A named access control list lets you delete an individual entry, which makes the list easy to modify while it is in use. Named access control lists require the router's IOS to be version 11.2 or later, two ACLs cannot share the same name, and ACLs of different types cannot use the same name.

With the growth of networks and changing user requirements, Cisco routers added a new time-based access list starting with IOS 12.0. It lets you control the forwarding of packets according to the time of day, the day of the week, or both. A time-based access list adds an effective time range to the existing standard and extended access lists so that the network can be controlled more reasonably and effectively: first define a time range, then apply it to the existing access lists.

To design a time-based access list, use the time-range command to name the time range, then use the absolute command, or one or more periodic commands, to define the range.

Where ACLs are applied

After you create an access control list, it must be applied to an interface before it takes effect. An ACL controls the flow of traffic into and out of that interface.

A router interface has two directions: out (data leaving through the router) and in (data entering the router).

A standard ACL should be placed as close as possible to the destination.

An extended ACL should be placed as close as possible to the source.

How the router interface checks ACL entries:

Top-down: entries are checked in order, and checking stops at the first match. If no entry matches, the packet is discarded by the default rule, the implicit deny at the end of every ACL. Every packet passing through an interface with an ACL applied is therefore either permitted or denied.




Command format (the form used in the example below):

access-list access-list-number {permit | deny} source [source-wildcard]

access-list: the access list command.

access-list-number: the access list number, with a value of 1 to 99.

permit: allow the matching traffic.

deny: deny the matching traffic.

To illustrate:

config t

access-list 1 permit 192.168.1.0 0.0.0.255 (create standard list 1, permitting all traffic from the 192.168.1.0 network segment)

access-list 1 deny 0.0.0.0 255.255.255.255, or access-list 1 deny any (standard list 1 denies everything else; this line need not be written, because every ACL ends with an implicit deny statement)

Apply to the interface:

interface f0/0 (enter interface f0/0)

ip access-group 1 in, or ip access-group 1 out (apply standard list 1 to the inbound or outbound direction of the interface)

show ip access-list 1 (display the information for list 1)
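To make the matching rules concrete (top-down, first match wins, implicit deny at the end, wildcard mask bits set to 1 meaning "don't care"), here is an added Python simulation of how a router evaluates the standard list from the example above. It is not part of the original note or of Cisco IOS; the entry lines are the ones shown above, and the source addresses tested against them are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Entry:
    action: str     # "permit" or "deny"
    network: int    # source address as a 32-bit integer
    wildcard: int   # wildcard mask: 1 bits are ignored when matching


def parse_ace(line: str) -> Entry:
    """Parse one 'access-list <number> permit|deny <source> [<wildcard>]' line.
    Accepts the 'any' and 'host' keywords and rejects non-standard list numbers."""
    parts = line.split()
    if len(parts) < 4 or parts[0].lower() != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    number = int(parts[1])
    if not (1 <= number <= 99 or 1300 <= number <= 1999):
        raise ValueError(f"{number} is not a standard ACL number")
    action = parts[2].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    source = parts[3].lower()
    if source == "any":                       # same as 0.0.0.0 255.255.255.255
        return Entry(action, 0, 0xFFFFFFFF)
    if source == "host":                      # single host, wildcard 0.0.0.0
        return Entry(action, int(ipaddress.IPv4Address(parts[4])), 0)
    wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
    return Entry(action, int(ipaddress.IPv4Address(source)),
                 int(ipaddress.IPv4Address(wildcard)))


def evaluate(entries, source_ip: str):
    """Return (action, entry index) for the first matching entry, checked top-down.
    A packet matching no entry hits the implicit deny, reported as index None."""
    src = int(ipaddress.IPv4Address(source_ip))
    for index, entry in enumerate(entries, start=1):
        care = ~entry.wildcard & 0xFFFFFFFF   # bits that must be equal
        if (src & care) == (entry.network & care):
            return entry.action, index
    return "deny", None


# The standard list from the note; the second line only spells out the implicit deny.
ACL_1 = [
    "access-list 1 permit 192.168.1.0 0.0.0.255",
    "access-list 1 deny 0.0.0.0 255.255.255.255",
]

if __name__ == "__main__":
    entries = [parse_ace(line) for line in ACL_1]
    for ip in ("192.168.1.77", "192.168.2.1"):   # constructed sample sources
        print(ip, evaluate(entries, ip))
```

Reversing the two lines shows why order matters: the deny-all entry then matches first and nothing from 192.168.1.0/24 is ever permitted.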

This article is from the "IT Layman Teahouse" blog; reprinting is declined.