ACL access control list

1, Introduction

An access control list (ACL) is an ordered list of instructions (rules) applied to a router interface. The router uses the list to decide which packets are allowed through and which are rejected.

1. Working principle

  • An ACL uses packet filtering: the router reads the layer 3 and layer 4 header fields of each packet (OSI seven-layer model), such as source address, destination address, source port and destination port, and compares them with the predefined rules to permit or deny the packet, thereby achieving access control.
  • An ACL is a set of rules applied to one interface of a router. For a router interface, an access control list has two directions:
    Out: packets that have already been processed by the router and are leaving through the interface.
    In: packets that have arrived at the router interface and are about to be processed by the router.

2. Access control list types

  • Standard access control list
    Packets are permitted or denied based only on the source IP address of the packet. Standard ACLs use access-list numbers 1-99.
  • Extended access control list
    Packets are permitted or denied based on source IP address, destination IP address, protocol, port and flags. Extended ACLs use access-list numbers 100-199.

2, CLI instruction

1. Create ACL instruction

1.1 Create a standard ACL

access-list access-list-number {permit|deny} source [source-wildcard]

access-list-number: access control list number; for a standard ACL the value is 1-99.

permit|deny: whether a packet matching the rule is allowed or refused.

source: the source address of the packet; it can be a host address or a network address. The keyword host followed by an address refers to that single host, and the keyword any matches any host.

source-wildcard: wildcard mask, also known as the inverse mask, that is, the bitwise inverse of the subnet mask.
For example, the inverse of the normal subnet mask 255.255.255.0 is 0.0.0.255.

// Example
# Create an ACL that permits all hosts on the 192.168.1.0 network segment
access-list 1 permit 192.168.1.0 0.0.0.255

# Add a default rule that denies all other hosts
access-list 1 deny any

1.2 Create an extended ACL

access-list access-list-number {permit|deny} protocol source source-wildcard destination destination-wildcard [operator operand]

access-list-number: access control list number; for an extended ACL the value is 100-199.

permit|deny: whether a packet matching the rule is allowed or refused.

protocol: the protocol type to match, such as IP, TCP, UDP, ICMP, etc.

source, destination: the source address and destination address of the packet, respectively.

source-wildcard, destination-wildcard: inverse masks; source-wildcard is the inverse mask for the source address and destination-wildcard is the inverse mask for the destination address.

operator operand: one of lt (less than), gt (greater than), eq (equal to) or neq (not equal to), followed by a port number.

// More examples
# Allow 192.168.1.0/24 to access 192.168.2.0/24 and deny all other hosts.
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip any any

# Deny network 192.168.1.0/24 access to the FTP server 192.168.2.100/24, while allowing all other hosts to access it.
access-list 102 deny tcp 192.168.1.0 0.0.0.255 host 192.168.2.100 eq 21
access-list 102 permit ip any any

2. Delete ACL instruction

Delete a standard or extended ACL

no access-list access-list-number

3. View ACL instruction

show access-list

4. Bind an ACL to a switch port

  • access-list-number: the access control list number specified when the ACL was created
  • in: apply the ACL to inbound traffic on the interface
  • out: apply the ACL to outbound traffic on the interface

ip access-group access-list-number {in|out}

5. Unbind an ACL from a switch port

no ip access-group access-list-number {in|out}

3, Concrete implementation

Configuration for the final project of the computer networks course.

1. Access control analysis

1.1 Administrative department

  • Hosts can communicate within their own department
  • Communication between departments is not allowed
  • Hosts can communicate with the other teams and with the production workshop

1.2 Sales Department

  • Hosts can communicate within their own team
  • Communication between teams is not allowed
  • Hosts can communicate with the other departments and with the production workshop

1.3 Production workshop

No requirements, so no configuration is needed.

2. Configuration statement

The following is configured on switch SWRoot.

2.1 Configuration of the administrative department

// vlan 10
Switch(config)#access-list 110 deny ip 192.168.1.0 0.0.0.31 192.168.1.32 0.0.0.31
Switch(config)#access-list 110 deny ip 192.168.1.0 0.0.0.31 192.168.1.64 0.0.0.31
Switch(config)#access-list 110 deny ip 192.168.1.0 0.0.0.31 192.168.1.96 0.0.0.31
Switch(config)#access-list 110 deny ip 192.168.1.0 0.0.0.31 192.168.1.128 0.0.0.31
Switch(config)#access-list 110 permit ip any any
Switch(config)#int vlan 10
Switch(config-if)#ip access-group 110 in

// vlan 11
Switch(config)#access-list 111 deny ip 192.168.1.32 0.0.0.31 192.168.1.0 0.0.0.31
Switch(config)#access-list 111 deny ip 192.168.1.32 0.0.0.31 192.168.1.64 0.0.0.31
Switch(config)#access-list 111 deny ip 192.168.1.32 0.0.0.31 192.168.1.96 0.0.0.31
Switch(config)#access-list 111 deny ip 192.168.1.32 0.0.0.31 192.168.1.128 0.0.0.31
Switch(config)#access-list 111 permit ip any any
Switch(config)#int vlan 11
Switch(config-if)#ip access-group 111 in

// vlan 12
Switch(config)#access-list 112 deny ip 192.168.1.64 0.0.0.31 192.168.1.0 0.0.0.31
Switch(config)#access-list 112 deny ip 192.168.1.64 0.0.0.31 192.168.1.32 0.0.0.31
Switch(config)#access-list 112 deny ip 192.168.1.64 0.0.0.31 192.168.1.96 0.0.0.31
Switch(config)#access-list 112 deny ip 192.168.1.64 0.0.0.31 192.168.1.128 0.0.0.31
Switch(config)#access-list 112 permit ip any any
Switch(config)#int vlan 12
Switch(config-if)#ip access-group 112 in

// vlan 13
Switch(config)#access-list 113 deny ip 192.168.1.96 0.0.0.31 192.168.1.0 0.0.0.31
Switch(config)#access-list 113 deny ip 192.168.1.96 0.0.0.31 192.168.1.32 0.0.0.31
Switch(config)#access-list 113 deny ip 192.168.1.96 0.0.0.31 192.168.1.64 0.0.0.31
Switch(config)#access-list 113 deny ip 192.168.1.96 0.0.0.31 192.168.1.128 0.0.0.31
Switch(config)#access-list 113 permit ip any any
Switch(config)#int vlan 13
Switch(config-if)#ip access-group 113 in

// vlan 14
Switch(config)#access-list 114 deny ip 192.168.1.128 0.0.0.31 192.168.1.0 0.0.0.31
Switch(config)#access-list 114 deny ip 192.168.1.128 0.0.0.31 192.168.1.32 0.0.0.31
Switch(config)#access-list 114 deny ip 192.168.1.128 0.0.0.31 192.168.1.64 0.0.0.31
Switch(config)#access-list 114 deny ip 192.168.1.128 0.0.0.31 192.168.1.96 0.0.0.31
Switch(config)#access-list 114 permit ip any any
Switch(config)#int vlan 14
Switch(config-if)#ip access-group 114 in

2.2 Configuration of the Sales Department

// vlan 20
Switch(config)#access-list 120 deny ip 192.168.2.0 0.0.0.31 192.168.2.32 0.0.0.31
Switch(config)#access-list 120 deny ip 192.168.2.0 0.0.0.31 192.168.2.64 0.0.0.31
Switch(config)#access-list 120 deny ip 192.168.2.0 0.0.0.31 192.168.2.96 0.0.0.31
Switch(config)#access-list 120 deny ip 192.168.2.0 0.0.0.31 192.168.2.128 0.0.0.31
Switch(config)#access-list 120 permit ip any any
Switch(config)#int vlan 20
Switch(config-if)#ip access-group 120 in

// vlan 21
Switch(config)#access-list 121 deny ip 192.168.2.32 0.0.0.31 192.168.2.0 0.0.0.31
Switch(config)#access-list 121 deny ip 192.168.2.32 0.0.0.31 192.168.2.64 0.0.0.31
Switch(config)#access-list 121 deny ip 192.168.2.32 0.0.0.31 192.168.2.96 0.0.0.31
Switch(config)#access-list 121 deny ip 192.168.2.32 0.0.0.31 192.168.2.128 0.0.0.31
Switch(config)#access-list 121 permit ip any any
Switch(config)#int vlan 21
Switch(config-if)#ip access-group 121 in

// vlan 22
Switch(config)#access-list 122 deny ip 192.168.2.64 0.0.0.31 192.168.2.0 0.0.0.31
Switch(config)#access-list 122 deny ip 192.168.2.64 0.0.0.31 192.168.2.32 0.0.0.31
Switch(config)#access-list 122 deny ip 192.168.2.64 0.0.0.31 192.168.2.96 0.0.0.31
Switch(config)#access-list 122 deny ip 192.168.2.64 0.0.0.31 192.168.2.128 0.0.0.31
Switch(config)#access-list 122 permit ip any any
Switch(config)#int vlan 22
Switch(config-if)#ip access-group 122 in

// vlan 23
Switch(config)#access-list 123 deny ip 192.168.2.96 0.0.0.31 192.168.2.0 0.0.0.31
Switch(config)#access-list 123 deny ip 192.168.2.96 0.0.0.31 192.168.2.32 0.0.0.31
Switch(config)#access-list 123 deny ip 192.168.2.96 0.0.0.31 192.168.2.64 0.0.0.31
Switch(config)#access-list 123 deny ip 192.168.2.96 0.0.0.31 192.168.2.128 0.0.0.31
Switch(config)#access-list 123 permit ip any any
Switch(config)#int vlan 23
Switch(config-if)#ip access-group 123 in

// vlan 24
Switch(config)#access-list 124 deny ip 192.168.2.128 0.0.0.31 192.168.2.0 0.0.0.31
Switch(config)#access-list 124 deny ip 192.168.2.128 0.0.0.31 192.168.2.32 0.0.0.31
Switch(config)#access-list 124 deny ip 192.168.2.128 0.0.0.31 192.168.2.64 0.0.0.31
Switch(config)#access-list 124 deny ip 192.168.2.128 0.0.0.31 192.168.2.96 0.0.0.31
Switch(config)#access-list 124 permit ip any any
Switch(config)#int vlan 24
Switch(config-if)#ip access-group 124 in
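As an added example (not part of the original post), the following Python reproduces how the extended ACL syntax from section 2 is matched (wildcard masks, first match wins, implicit deny at the end) and checks the VLAN 10 configuration above against the requirements in 1.1. The ACL 110 and ACL 102 lines are copied from this page; the test packets are constructed, and the matcher is a simplification (extended ACLs only, destination-port operators only, no TCP flag handling).

```python
import ipaddress
from typing import List, Optional, Tuple

# ACL lines copied from this page: ACL 110 (VLAN 10 policy) and ACL 102 (the FTP example).
ACL_110 = ["access-list 110 deny ip 192.168.1.0 0.0.0.31 192.168.1.%d 0.0.0.31" % n
           for n in (32, 64, 96, 128)] + ["access-list 110 permit ip any any"]
ACL_102 = ["access-list 102 deny tcp 192.168.1.0 0.0.0.255 host 192.168.2.100 eq 21",
           "access-list 102 permit ip any any"]

# A parsed rule: (action, protocol, src, src_wildcard, dst, dst_wildcard, port_test)
# where port_test is (operator, port) such as ("eq", 21), or None when no port is given.
Rule = Tuple[str, str, int, int, int, int, Optional[Tuple[str, int]]]

def ip_to_int(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _addr(tokens: List[str]):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return ip_to_int(tokens[1]), 0, tokens[2:]
    return ip_to_int(tokens[0]), ip_to_int(tokens[1]), tokens[2:]

def parse_acl(lines: List[str]) -> List[Rule]:
    rules = []
    for line in lines:
        t = line.split()              # access-list N {permit|deny} proto src... dst... [op port]
        src, sw, rest = _addr(t[4:])
        dst, dw, rest = _addr(rest)
        rules.append((t[2], t[3], src, sw, dst, dw, (rest[0], int(rest[1])) if rest else None))
    return rules

def wildcard_match(addr: int, base: int, wildcard: int) -> bool:
    # A 1 bit in the wildcard means "don't care": only bits where the wildcard is 0 are compared.
    return ((addr ^ base) & ~wildcard) == 0

_OPS = {"eq": int.__eq__, "neq": int.__ne__, "lt": int.__lt__, "gt": int.__gt__}

def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dst_port: Optional[int] = None) -> str:
    """Action of the first matching rule, top to bottom; every ACL ends with an implicit deny."""
    s, d = ip_to_int(src), ip_to_int(dst)
    for action, protocol, base_s, wild_s, base_d, wild_d, port_test in rules:
        if protocol not in ("ip", proto):
            continue
        if not (wildcard_match(s, base_s, wild_s) and wildcard_match(d, base_d, wild_d)):
            continue
        if port_test and (dst_port is None or not _OPS[port_test[0]](dst_port, port_test[1])):
            continue
        return action
    return "deny"
```

With ACL 110, a VLAN 10 host (192.168.1.5) is denied to VLAN 11 (192.168.1.40) but permitted to another VLAN 10 host and to the sales network, which is exactly the 1.1 policy; an empty ACL denies everything because of the implicit deny.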

2.3 Production workshop

No special requirements, no configuration required


Added by yaatra on Tue, 28 Dec 2021 21:32:42 +0200