ACL Principles and Configuration
With the rapid development of networks, network security and network quality of service (QoS, Quality of Service) have become increasingly prominent problems. The Access Control List (ACL, Access Control List) is a technology closely related to both.
By accurately identifying packet flows in the network and working together with other technologies, an ACL controls network access behaviour, prevents network attacks and improves bandwidth utilization, thereby effectively ensuring the security of the network environment and the reliability of network service quality.
I. ACL overview
An ACL is an ordered list of rules made up of a series of permit or deny statements.
An ACL is a matching tool: it matches and distinguishes packets. By itself it does nothing to a packet; the action is taken by the feature the ACL is applied to (a traffic filter, the VTY login check, and so on).
II. ACL basic concepts and working principle
1 Composition of an ACL
An ACL is made up of several permit or deny statements. Each statement is one rule of the ACL, and the permit or deny in the statement is the action applied to packets that match that rule.
Rules are evaluated from top to bottom. Once a packet matches a rule, the remaining rules are not evaluated. When writing an ACL, therefore, place the precise (narrow) rules first and the broad rules after them; a broad rule placed first shadows every narrower rule below it.
An ACL also has an implicit final rule that is never configured and never displayed: in most places an ACL is applied (for example, restricting Telnet access on the VTY lines) an unmatched packet is denied, whereas traffic filtering (traffic-filter) is the exception and permits unmatched packets. Traffic filtering controls only transit traffic; traffic originated by the device itself usually cannot be controlled by it.
2 Rule number and step
Rule number (Rule ID)
Each rule in an ACL has a corresponding number.
Step: the difference between the numbers of adjacent rules when the system assigns numbers to ACL rules automatically; the default value is 5. The purpose of the step is to leave room between existing rules so that a new rule can be inserted between them later by giving it an explicit number.
Rule ID allocation
When the system assigns a number to the first rule of an ACL for which no number was specified manually, it uses the step value as the starting number (for example, with step = 5 the first rule is numbered 5). When assigning numbers to subsequent rules, it uses the smallest integer that is a multiple of the step and greater than the largest rule number currently in the ACL (so with rules 5, 10 and 12 present, the next automatic number is 15).
3 ACL classification and identification
Classification by rule definition method
Category (number range): rule definition description
Basic ACL (2000-2999): defines rules using only the source IP address, fragment information and effective time period of the packet.
Advanced ACL (3000-3999): can use the IPv4 packet's source IP address, destination IP address, IP protocol type, ICMP type, TCP source/destination port number, UDP source/destination port number, effective time period and so on.
Layer 2 ACL (4000-4999): defines rules using the Ethernet frame header of the packet, such as the source MAC address, destination MAC address and Layer 2 protocol type.
User-defined ACL (5000-5999): defines rules using the packet header, an offset position, a string mask and a user-defined string.
User ACL (6000-6999): can use the IPv4 packet's source IP address or source UCL (User Control List) group, destination IP address or destination UCL group, IP protocol type, ICMP type, TCP source/destination port, UDP source/destination port number and so on.
Classification by identification method
Category: rule definition description
Numbered ACL: the conventional way of identifying an ACL. When the ACL is created, a unique number is specified to identify it.
Named ACL: the ACL is identified by a name instead of a number.
Create an ACL by number
[Huawei]acl ?
  INTEGER<2000-2999>  Basic access-list(add to current using rules)
  INTEGER<3000-3999>  Advanced access-list(add to current using rules)
  INTEGER<4000-4999>  Specify a L2 acl group
  ipv6                ACL IPv6
  name                Specify a named ACL
  number              Specify a numbered ACL
Create a rule under the ACL
[Huawei-acl-basic-2000]rule 5 deny source ?
  IP_ADDR<X.X.X.X>  Address of source
  any               Any source
Apply the ACL rules on an interface with a traffic filter
[Huawei-GigabitEthernet0/0/0]traffic-filter ?
  inbound   Apply ACL to the inbound direction of the interface
  outbound  Apply ACL to the outbound direction of the interface
View all ACL rules
<Huawei>display acl all
Experiment 1: Basic ACL configuration (inbound direction)
[AR1]acl 2000                                              \\ create ACL number 2000
[AR1-acl-basic-2000]rule 5 deny source 192.168.1.5 0       \\ deny traffic from PC1 (wildcard 0 = exact host)
[AR1-acl-basic-2000]rule 10 deny source 192.168.1.10 0     \\ deny traffic from PC2
[AR1-acl-basic-2000]rule 10000 permit source any           \\ allow all other traffic
[AR1-GigabitEthernet0/0/0]ip address 192.168.1.1 24        \\ set the IP address and mask
[AR1-GigabitEthernet0/0/0]traffic-filter inbound acl 2000  \\ apply ACL 2000 in the inbound direction of GE 0/0/0
Testing shows that host 1 and host 2 cannot ping the router, while the other 2 hosts can; the configuration succeeded.
Experiment 2: Basic ACL configuration (outbound direction)
Host configuration is the same as above.
Router AR1 configuration
[AR1-GigabitEthernet0/0/0]undo traffic-filter inbound       \\ remove the inbound ACL applied on GE 0/0/0 in the previous experiment
[AR1-GigabitEthernet0/0/1]ip address 188.8.131.52 24         \\ configure the IP address and mask
[AR1-GigabitEthernet0/0/1]traffic-filter outbound acl 2000   \\ apply the ACL rules in the outbound direction of GE 0/0/1
Router AR2 configuration
[AR2]ip route-static 0.0.0.0 0 184.108.40.206                \\ configure a static default route
[AR2-GigabitEthernet0/0/1]ip address 220.127.116.11 24       \\ configure the IP address and mask
Testing shows that host 1 and host 2 can ping the GE 0/0/1 interface of router AR1 but cannot ping the GE 0/0/0 interface of router AR2, while the other hosts can ping the GE 0/0/0 interface of AR2. This is the expected result: an outbound traffic filter on GE 0/0/1 only sees packets forwarded out of that interface, so packets addressed to AR1 itself are not filtered.
Experiment 3: Advanced ACL configuration (based on destination IP address)
Host configuration is the same as above.
Router AR1 configuration
[AR1]acl 3000
[AR1-acl-adv-3000]rule 5 deny ip destination 18.104.22.168 0
[AR1-acl-adv-3000]rule 10000 permit ip source any destination any
[AR1-GigabitEthernet0/0/1]undo traffic-filter outbound
[AR1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
Testing shows that all four hosts can ping 22.214.171.124 but cannot ping 126.96.36.199; the experiment succeeded.
Experiment 4: Advanced ACL configuration (based on protocol)
Router AR2 configuration
[AR2]user-interface vty 0 4                                   \\ enter user interface VTY 0 4
[AR2-ui-vty0-4]authentication-mode password                   \\ change the authentication mode to password
[AR2-ui-vty0-4]set authentication password cipher 123456      \\ set the password (stored in cipher text) to 123456
[AR2-ui-vty0-4]user privilege level 15                        \\ set the user privilege level to 15
[AR2-ui-vty0-4]protocol inbound telnet                        \\ allow telnet login
[AR2]acl 3100                                                 \\ create ACL number 3100
[AR2-acl-adv-3100]rule 5 deny icmp                            \\ deny ICMP traffic
[AR2-acl-adv-3100]rule 20 permit tcp                          \\ permit TCP traffic
[AR2-GigabitEthernet0/0/0]traffic-filter inbound acl 3100     \\ apply ACL 3100 in the inbound direction of GE 0/0/0
Test the effect from router AR1
The test shows that ping (ICMP) fails but telnet (TCP) works; the experiment succeeded.
Note that Telnet with the password 123456 and privilege level 15 is a lab setting only: Telnet sends the password in clear text, so on a production device use SSH and a strong password. Also note that rule 20 permits all TCP, not just port 23; ACL 3100 is applied with traffic-filter, so any non-ICMP, non-TCP traffic falls through to the implicit permit.
III. Wildcard mask (Wildcard)
A wildcard mask is a 32-bit value used to indicate which bits of an IP address must match exactly and which bits do not need to match, so that a single rule can match several specific IP addresses or a contiguous range of IP addresses.
Wildcard masks are usually written in dotted decimal form like a network mask, but their meaning is completely different from that of a netmask: a netmask marks network bits with 1, whereas a wildcard mask marks the bits that are free to vary with 1.
Matching rules:
"0" means "match exactly"; "1" means "any".
Match exactly: the corresponding bit of the IP address must not change.
Any: the corresponding bit of the IP address can be either 0 or 1.
Example 1: matching two addresses (192.168.1.4 with wildcard mask 0.0.0.1)
First convert the IP address and the wildcard mask to binary.
Analysis: the first 31 bits of the wildcard mask are all 0, so the first 31 bits of the IP address cannot change, and the last bit is 1, so the last bit of the IP address can be either 0 or 1. The result matches the 2 addresses 192.168.1.4 and 192.168.1.5.
Example 2: matching multiple addresses (192.168.1.4 with wildcard mask 0.0.0.3)
Analysis: the first 30 bits of the wildcard mask are all 0, so the first 30 bits of the IP address cannot change, and the last 2 bits are 1, so the last 2 bits of the IP address can be either 0 or 1. The result matches the 4 addresses 192.168.1.4 to 192.168.1.7.
Example 3: matching a whole network segment (192.168.1.0 with wildcard mask 0.0.0.255)
Analysis: the first 24 bits of the wildcard mask are all 0, so the first 24 bits of the IP address cannot change, and the last 8 bits are 1, so the last 8 bits of the IP address can be either 0 or 1. The result matches 192.168.1.0 to 192.168.1.255, that is, the 192.168.1.0/24 segment.
Example 4: matching multiple non-contiguous addresses (192.168.1.1 with wildcard mask 0.0.0.254)
Analysis: bits 1 to 24 and bit 32 of the wildcard mask are all 0, so those bits of the IP address cannot change, and bits 25 to 31 are 1, so bits 25 to 31 of the IP address can be either 0 or 1. The result matches 192.168.1.1, 192.168.1.3, 192.168.1.5, 192.168.1.7, 192.168.1.9, 192.168.1.11 and so on, that is, all odd addresses in the 192.168.1.0/24 segment.
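The following Python model is an added example, not part of the original article and not Huawei code. It ties together three points from the text: the rule-numbering rule from section II (first automatic rule = step, later rules = the next multiple of the step above the current maximum), first-match evaluation with an implicit default action for unmatched packets, and the wildcard-mask arithmetic worked through in the four examples above. The names BasicAcl, Rule, wildcard_match, next_rule_id, matched_addresses and experiment1_acl are this example's own. The implicit action is modelled as a parameter (permit under traffic-filter, deny elsewhere) rather than hard-coded, because it depends on where the ACL is applied; the assumption that "0" is accepted as shorthand for the wildcard 0.0.0.0 follows the CLI lines in Experiment 1.

```python
"""Model of a Huawei-style basic ACL (added example, not vendor code):
wildcard-mask matching, rule-ID allocation with a step, first-match
evaluation with an implicit default action."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard mask must match exactly; a 1 bit is 'any'.
    Only the bits where the wildcard is 0 are compared."""
    care_bits = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) ^ _to_int(rule_addr)) & care_bits == 0


def matched_addresses(rule_addr: str, wildcard: str) -> List[str]:
    """Every address that rule_addr/wildcard matches, in ascending order:
    the 'any' bits are enumerated over all of their 0/1 combinations."""
    base, wc = _to_int(rule_addr), _to_int(wildcard)
    fixed = base & ~wc & 0xFFFFFFFF          # bits that must match exactly
    any_bits = [1 << i for i in range(32) if wc >> i & 1]
    result = []
    for combo in range(1 << len(any_bits)):
        value = fixed
        for i, bit in enumerate(any_bits):
            if combo >> i & 1:
                value |= bit
        result.append(str(ipaddress.IPv4Address(value)))
    return result


def next_rule_id(existing: List[int], step: int = 5) -> int:
    """First unnumbered rule gets the step; later ones get the smallest
    multiple of the step greater than the largest rule ID in the ACL."""
    if not existing:
        return step
    return (max(existing) // step + 1) * step


@dataclass
class Rule:
    rule_id: int
    action: str            # "permit" or "deny"
    source: str            # "any" or a dotted address
    wildcard: str = "0"    # "0" assumed to mean 0.0.0.0 (exact host), as in the CLI

    def matches(self, src: str) -> bool:
        if self.source == "any":
            return True
        wc = "0.0.0.0" if self.wildcard == "0" else self.wildcard
        return wildcard_match(src, self.source, wc)


class BasicAcl:
    """Hypothetical model of `acl 2000-2999` and its `rule` statements."""

    def __init__(self, number: int, step: int = 5):
        if not 2000 <= number <= 2999:
            raise ValueError("basic ACL numbers are 2000-2999")
        self.number, self.step = number, step
        self.rules: List[Rule] = []

    def rule(self, action: str, source: str, wildcard: str = "0",
             rule_id: Optional[int] = None) -> int:
        """`rule [id] permit|deny source X W`: an explicit ID is inserted (or
        replaced) in numeric order, otherwise one is allocated with the step."""
        if rule_id is None:
            rule_id = next_rule_id([r.rule_id for r in self.rules], self.step)
        kept = [r for r in self.rules if r.rule_id != rule_id]
        self.rules = sorted(kept + [Rule(rule_id, action, source, wildcard)],
                            key=lambda r: r.rule_id)
        return rule_id

    def evaluate(self, src: str, default: str = "permit") -> str:
        """First match wins; later rules are never consulted. `default` is the
        implicit action for an unmatched packet (permit under traffic-filter)."""
        for r in self.rules:
            if r.matches(src):
                return r.action
        return default


def experiment1_acl() -> BasicAcl:
    """ACL 2000 from Experiment 1 above, with its explicit rule IDs."""
    acl = BasicAcl(2000)
    acl.rule("deny", "192.168.1.5", "0", rule_id=5)
    acl.rule("deny", "192.168.1.10", "0", rule_id=10)
    acl.rule("permit", "any", rule_id=10000)
    return acl


if __name__ == "__main__":
    acl = experiment1_acl()
    for host in ("192.168.1.5", "192.168.1.10", "192.168.1.20"):
        print(host, "->", acl.evaluate(host))
    print("0.0.0.3   ->", matched_addresses("192.168.1.4", "0.0.0.3"))
    print("0.0.0.254 ->", matched_addresses("192.168.1.1", "0.0.0.254")[:4])
    print("next auto rule id:", acl.rule("deny", "192.168.1.30"))
```

The last line of the block reproduces a common mistake: a deny rule added to ACL 2000 without an explicit ID is numbered 10005, which sorts after the permit-any rule 10000, so it never takes effect. That is exactly what the "precise rules first" guideline in section II warns about; the fix is to give the new rule an explicit ID below 10000.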