Router Access Control List

Source: Internet
Author: User

The first level of Network Security Protection

For many network administrators, configuring the access control lists of their routers is a routine task, and it can be said that the router access control list is the first line of defence for network security. An access list provides a mechanism to control and filter the traffic that passes through different router interfaces in different directions. This mechanism lets administrators use access lists to manage traffic and formulate policies for the company's internal network; these policies can describe security features and reflect traffic priorities. For example, an organization may want to allow or deny Internet access to an internal Web server, or allow one or more workstations on the internal LAN to send traffic to the wide area network. These scenarios and other functions can be achieved with access lists.
  
  
Access list category

Currently, routers generally support two types of access lists: basic (standard) access lists and extended access lists.
A basic access list controls traffic based on network addresses and filters only on the source address.
An extended access list controls traffic by network address and by the type of data being transmitted, allowing you to filter on the source address, the destination address, and upper-layer application data.
Table 1 lists the number ranges of the different access list types supported by routers.
  
Standard IP Address Access Table

The basic format of a standard IP address access list entry is:
access-list [list number] [permit | deny] [host | any] [source address] [wildcard mask] [log]
The parameters in the basic format of the standard IP address access list are described as follows:
1. list number --- list number range
The list number of a standard IP access list ranges from 1 to 99.
2. permit/deny ---- allow or deny
The keywords permit and deny indicate whether packets that match an access list entry are allowed through the interface or filtered out. permit means the packet is allowed through the interface; deny means a packet whose source address matches the standard IP access list entry is discarded.
3. source address ---- source address
For a standard IP access list, the source address is a host or a group of hosts written in dotted decimal notation, for example 198.78.46.8.
4. host/any ---- host match
host and any specify a single host and all hosts respectively. host indicates an exact match, and its wildcard mask is 0.0.0.0. For example, to allow packets from 198.78.46.8, use the following standard access list statement:
access-list 1 permit 198.78.46.8 0.0.0.0
If the keyword host is used, the following statement can be used instead:
access-list 1 permit host 198.78.46.8
That is to say, host is shorthand for the wildcard mask 0.0.0.0.
In contrast, any is shorthand for the source or destination address 0.0.0.0 with the wildcard mask 255.255.255.255. To reject packets from the source address 198.78.46.8 and allow packets from all other source addresses, the standard IP access list can use the following two statements:
access-list 1 deny host 198.78.46.8
access-list 1 permit any
Note the order of the two statements: access list statements are processed from top to bottom. If we reverse the order and put the permit statement before the deny statement, packets from host 198.78.46.8 are no longer filtered, because the permit statement allows all packets to pass. The order of statements in an access list is therefore very important: an unreasonable order can open security holes in the network, or prevent the company's network policy from being enforced as intended.
5. wildcard mask ------ wildcard mask
The wildcard mask used by the Cisco access list function is the inverse of the subnet mask: a binary 0 means "must match" and a binary 1 means "don't care". Assume the organization has the class C network 198.78.46.0. If no subnetting is used, each workstation in the network is configured with the subnet mask 255.255.255.0, in which 1 means "match" and 0 means "don't care". Because the Cisco wildcard mask is the inverse of the subnet mask, the wildcard mask that matches all packets from the source network 198.78.46.0 is 0.0.0.255.
6. log ---- log record
The log keyword exists only in IOS 11.3 and later. If it is used in an access list, a log entry is recorded for packets that match the permit and deny statements of the access list. The log information includes the access list number, whether the packet was permitted or denied, the source IP address, and the number of packets in the five minutes since the first match. Using the log keyword enables console logging, which provides both testing and alarm functions. The system administrator can use the logs to observe which packets match under different activities, and so test the design of different access lists. When used for alarms, the administrator can examine the output to find access list statements that are hit by repeated denied attempts; repeated rejected attempts against one access list statement may indicate a potential hacker attack.
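The wildcard-mask and ordering rules above are easy to get wrong by hand, so here is an added example (not from the original article) that models a standard IP access list in Python: it derives a wildcard mask from a subnet mask, matches a source address against an entry the way the mask bits dictate (0 = must match, 1 = don't care), and evaluates the statements top to bottom with the implicit deny at the end. The `host` and `ANY` helpers stand for the two keyword shorthands; the three sample lists are constructed from the article's own statements.

```python
import ipaddress


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_from_subnet_mask(mask: str) -> str:
    """A Cisco wildcard mask is the bitwise inverse of the subnet mask:
    255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(_ip(mask) ^ 0xFFFFFFFF))


def wildcard_match(packet_addr: str, entry_addr: str, wildcard: str) -> bool:
    """Wildcard bit 0 = this address bit must match, bit 1 = don't care."""
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return _ip(packet_addr) & care == _ip(entry_addr) & care


# The two keyword shorthands from the article.
ANY = ("0.0.0.0", "255.255.255.255")   # keyword 'any': nothing has to match


def host(addr: str):
    return (addr, "0.0.0.0")            # keyword 'host': exact match


def evaluate_standard_acl(entries, src: str) -> str:
    """entries: [(action, (address, wildcard)), ...] in configured order.
    Statements are processed top to bottom; the first match decides, and a
    packet that matches nothing hits the implicit deny at the end."""
    for action, (addr, wildcard) in entries:
        if wildcard_match(src, addr, wildcard):
            return action
    return "deny"


# access-list 1 deny host 198.78.46.8 / access-list 1 permit any
ACL_CORRECT = [("deny", host("198.78.46.8")), ("permit", ANY)]
# Same two statements in the wrong order: 'permit any' shadows the deny.
ACL_REVERSED = [("permit", ANY), ("deny", host("198.78.46.8"))]
# access-list 2 permit 198.78.46.0 0.0.0.255 (the whole class C, nothing else)
ACL_NETWORK = [("permit", ("198.78.46.0", wildcard_from_subnet_mask("255.255.255.0")))]


if __name__ == "__main__":
    for name, acl in (("correct", ACL_CORRECT), ("reversed", ACL_REVERSED)):
        print(name, "198.78.46.8 ->", evaluate_standard_acl(acl, "198.78.46.8"))
    print("network 198.78.46.77 ->", evaluate_standard_acl(ACL_NETWORK, "198.78.46.77"))
    print("network 10.0.0.1 ->", evaluate_standard_acl(ACL_NETWORK, "10.0.0.1"))
```

Running it shows the point of the note on statement order: the same two statements deny 198.78.46.8 in one order and permit it in the other, and a source outside 198.78.46.0/24 is dropped by `ACL_NETWORK` even though no deny statement was written.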
  
  
Extended IP Address Access Control List

As the name suggests, the extended IP address access list expands the packet filtering capability. An extended IP access list allows packets to be filtered on the following: source and destination addresses, protocol, source and destination ports, and special bit comparisons in specific packet fields. The function of each keyword in the general syntax of an extended IP access list is briefly introduced below:
1. list number ---- list number range
The list number of an extended IP access list ranges from 100 to 199.
2. protocol ----- protocol
The protocol item defines the protocol to be filtered, such as IP, TCP, UDP or ICMP. The protocol option is important because of the close relationship between the protocols in the TCP/IP stack: if the administrator wants to filter packets of a particular protocol, that protocol must be specified.

In addition, the administrator should take care to place the important filter entries at the top. If a statement permitting IP for an address is placed before a statement denying TCP for the same address, the latter statement has no effect at all. If the two statements are swapped, TCP is rejected while the other protocols to that address are allowed.
3. source port number and destination port number
The source port number can be specified in several ways: explicitly as a number, or as a recognizable mnemonic. For example, 80 or http can be used to specify the Hypertext Transfer Protocol used by the Web. For TCP and UDP, the operators gt (greater than), eq (equal to) and neq (not equal to) can also be used.
The destination port number is specified in the same way as the source port number: a port or port range can be given using numbers, mnemonics, or an operator combined with a number or mnemonic.
The following example shows how some of the keywords are used in an extended IP access list:
access-list 101 permit tcp any host 198.78.46.8 eq smtp
access-list 101 permit tcp any host 198.78.46.3 eq www
The first statement allows TCP packets from any host to reach the SMTP service port (25) of the specified host 198.78.46.8; the second statement allows TCP packets from any host to reach the www or HTTP service port (80) of the specified host 198.78.46.3.
4. Options
The extended IP access list supports many options. One common option is log, which was introduced with the standard access list above. Another common option is established. This option applies only to TCP and permits, in one direction of the TCP stream, only traffic belonging to sessions initiated from the other end. To implement this, an access list statement with the established option checks each TCP packet to determine whether its ACK or RST bit is set.
For example, consider the following extended IP access list statement:
access-list 101 permit tcp any host 198.78.46.8 established
The statement allows TCP packets from any source address to flow to the specified host 198.78.46.8 as long as the ACK or RST bit of the packet is set. This means that host 198.78.46.8 must have initiated the TCP session.
5. Other keywords
The usage of deny/permit, source address and wildcard mask, destination address and wildcard mask, and host/any is the same as in the standard IP access list.
   
Managing and using access lists

To configure an access list on an interface, three steps are required:
(1) define the access list;
(2) specify the interface to which the access list is applied;
(3) define the direction in which the access list acts on the interface.
We have discussed how to define standard and extended IP access lists. Next we discuss how to specify the interface and the direction in which the list is applied.
Generally, an interface is specified with the interface command. For example, to apply the access list to serial port 0, specify the port with the following command:
interface serial0
Similarly, to apply the access list to an Ethernet port of the router, if the port is Ethernet0, specify it with the following command:
interface ethernet0
The third step is to define the direction in which the access list is applied to the interface, which is usually done with the ip access-group command. Its list number identifies the access list, and the keyword in or out gives the direction, that is, whether packets are filtered as they enter or as they leave the router interface. The following example combines these three steps:
  
interface serial0
ip access-group 107 in
access-list 107 remark allow traffic to tom's pc
access-list 107 permit ip any host 198.78.46.8
access-list 107 remark allow only web traffic to webserver
access-list 107 permit tcp any host 198.78.46.12 eq 80
access-list 107 remark block everything else
access-list 107 deny ip any any
  
In this example, the interface command selects serial port 0, and the ip access-group command applies the statements of access list 107 to the inbound direction of the serial interface. Finally, six access list statements are entered, three of which use the keyword remark to annotate the statements that follow them. Note that the last statement in the access list makes explicit the implicit deny-all associated with every access list; if it is not listed explicitly, it is not displayed. To enter these commands directly on a terminal connected to the router's console port, first enter privileged EXEC mode. The following is an example of the terminal session:
  
In addition, when the access list has been configured and is viewed with the IOS show command, the displayed content is sometimes confusing. This is because, wherever a wildcard mask bit is set to 1 (don't care), IOS sets the corresponding bit of the entry's IP address to binary 0.
For example, enter the following configuration commands to create an extended IP access list and display the list contents:

In this example, the host address 198.78.46.20 on network 198.78.46.0 is automatically converted to the network address, because the host portion of the class C address has its wildcard mask bits set to all ones (255.
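To tie together the extended-list keywords (protocol, destination port operators, established), the statement-order caveat from the protocol section, access list 107 from the interface example, and the address normalization that the show command reveals, here is an added example that is not part of the original article: a small Python evaluator that parses extended access list statements in the article's syntax and applies them top to bottom to a constructed packet. The `Packet` and `Entry` types, the `PORT_NAMES` table (a subset of the IOS mnemonics) and the sample packets are assumptions made for this example; the three sample lists are built from the article's own statements, with the permit keywords and `deny ip any any` written out in full.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Port mnemonics accepted in place of numbers (subset assumed for this example).
PORT_NAMES = {"www": 80, "http": 80, "smtp": 25, "ftp": 21, "telnet": 23, "domain": 53}


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def normalize_entry_address(addr: str, wildcard: str) -> str:
    """Mimic IOS: every address bit under a wildcard '1' (don't care) is stored
    as 0, which is why 198.78.46.20 0.0.0.255 is displayed as 198.78.46.0."""
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return str(ipaddress.IPv4Address(_ip(addr) & care))


def _wildcard_match(packet_addr: str, entry_addr: str, wildcard: str) -> bool:
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return _ip(packet_addr) & care == _ip(entry_addr) & care


@dataclass
class Packet:                       # constructed stand-in for a packet header
    proto: str                      # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int = 0
    flags: FrozenSet[str] = frozenset()   # TCP flags, e.g. {"syn"} or {"ack"}


@dataclass
class Entry:
    action: str
    proto: str
    src: Tuple[str, str]            # (address, wildcard mask)
    dst: Tuple[str, str]
    port_op: Optional[Tuple[str, int]] = None   # e.g. ("eq", 80) on the destination port
    established: bool = False


def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    return (normalize_entry_address(addr, wildcard), wildcard), i + 2


def parse_extended_entry(line: str) -> Optional[Entry]:
    """access-list <100-199> {permit|deny} <proto> <src> <dst> [eq|gt|lt|neq <port>] [established] [log]"""
    tokens = line.lower().split()
    if tokens[2] == "remark":
        return None                 # remarks are annotations, not entries
    action, proto = tokens[2], tokens[3]
    src, i = _parse_addr(tokens, 4)
    dst, i = _parse_addr(tokens, i)
    port_op, established = None, False
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("eq", "gt", "lt", "neq"):
            port = tokens[i + 1]
            port_op = (tok, PORT_NAMES[port] if port in PORT_NAMES else int(port))
            i += 2
        elif tok == "established":
            established, i = True, i + 1
        elif tok == "log":
            i += 1                  # logging does not change the match decision
        else:
            raise ValueError(f"unsupported token {tok!r} in: {line}")
    return Entry(action, proto, src, dst, port_op, established)


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:   # 'ip' covers every protocol
        return False
    if not (_wildcard_match(p.src, *e.src) and _wildcard_match(p.dst, *e.dst)):
        return False
    if e.port_op is not None:
        op, value = e.port_op
        ok = {"eq": p.dport == value, "gt": p.dport > value,
              "lt": p.dport < value, "neq": p.dport != value}[op]
        if p.proto not in ("tcp", "udp") or not ok:
            return False
    # established: only TCP packets with ACK or RST set, i.e. replies in a session
    if e.established and not (p.proto == "tcp" and ({"ack", "rst"} & p.flags)):
        return False
    return True


def evaluate_extended_acl(lines: List[str], p: Packet) -> str:
    """First matching entry wins; an access list ends with an implicit 'deny ip any any'."""
    for e in filter(None, (parse_extended_entry(ln) for ln in lines)):
        if entry_matches(e, p):
            return e.action
    return "deny"


# Access list 107 from the interface example.
ACL_107 = [
    "access-list 107 remark allow traffic to tom's pc",
    "access-list 107 permit ip any host 198.78.46.8",
    "access-list 107 remark allow only web traffic to webserver",
    "access-list 107 permit tcp any host 198.78.46.12 eq 80",
    "access-list 107 remark block everything else",
    "access-list 107 deny ip any any",
]
# The misordered pair from the protocol section: 'permit ip' shadows 'deny tcp'.
ACL_SHADOWED = [
    "access-list 108 permit ip any host 198.78.46.8",
    "access-list 108 deny tcp any host 198.78.46.8",
]
# The established example from the options section.
ACL_ESTABLISHED = ["access-list 101 permit tcp any host 198.78.46.8 established"]
```

A TCP SYN from any source to 198.78.46.12 port 80 is permitted by `ACL_107` while the same packet to port 22, or to 198.78.46.3, falls through to the final deny; `ACL_SHADOWED` permits TCP to 198.78.46.8 until its two statements are swapped; and `ACL_ESTABLISHED` drops a bare SYN toward 198.78.46.8 but passes a segment carrying ACK. Parsing `198.78.46.20 0.0.0.255` stores the entry as `198.78.46.0`, the same normalization IOS shows in its list output.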

Article entry: csh; responsible editor: csh
