ACL Principle and configuration

With the rapid development of networks, network security and network service quality (QoS, Quality of Service) have become increasingly prominent problems. The Access Control List (ACL, Access Control List) is a technology closely related to both.

An ACL accurately identifies packet flows in the network and, combined with other technologies, controls network access behaviour, prevents network attacks and improves network bandwidth utilisation, thereby effectively ensuring the security of the network environment and the reliability of network service quality.

1 ACL overview

An ACL is an ordered list of rules made up of a series of permit or deny statements.

An ACL is a matching tool: it can match and distinguish packets.

2 Basic concepts and working principle of ACLs

2.1 Composition of an ACL

An ACL consists of several permit or deny statements. Each statement is one rule of the ACL, and the permit or deny in each statement is the action applied to packets that match that rule.

Rules are evaluated from top to bottom. Once a packet matches a rule, the subsequent rules are no longer evaluated. When writing an ACL, therefore, follow the principle of placing precise rules first and general (coarse) rules later.

An ACL has an implicit rule that is neither configured nor displayed: except in traffic filtering (traffic-filter), packets that match no rule are denied by default. Traffic filtering can only control traffic passing through the device; locally originated traffic normally cannot be controlled.

2.2 Rule number and step size

Rule number (Rule ID)

Each rule in an ACL has a corresponding number.

Step (Step)

The step size is the difference between adjacent rule numbers when the ACL assigns numbers to rules automatically; the default value is 5. The purpose of the step size is to leave room for inserting new rules between existing rules later.

Rule ID allocation rules

When the system assigns a number to the first rule of an ACL whose number was not specified manually, it uses the step value as the starting number (for example, with step 5 the first rule is number 5). When assigning numbers to subsequent rules, it uses the smallest integer that is greater than the current largest rule number in the ACL and is an integer multiple of the step size.

2.3 Classification and identification of ACLs

Classification by rule definition method

Classification     | Number range | Rule definition description
Basic ACL          | 2000~2999    | Rules are defined only by the packet's source IP address, fragment information and effective time period.
Advanced ACL       | 3000~3999    | Rules can use an IPv4 packet's source IP address, destination IP address, IP protocol type, ICMP type, TCP source/destination port, UDP source/destination port, effective time period, and so on.
Layer 2 ACL        | 4000~4999    | Rules are defined by the Ethernet frame header of the packet, such as source MAC address, destination MAC address and Layer 2 protocol type.
User-defined ACL   | 5000~5999    | Rules are defined by packet header, offset position, string mask and a user-defined string.
User ACL           | 6000~6999    | Rules can use an IPv4 packet's source IP address or source UCL (User Control List) group, destination IP address or destination UCL group, IP protocol type, ICMP type, TCP source/destination port, UDP source/destination port, and so on.

Classification by identification method

Classification | Rule definition description
Numbered ACL   | The conventional way of identifying an ACL: a unique number is specified when the ACL is created.
Named ACL      | The ACL is identified by a name instead of a number.

Related commands

Create an ACL by number
[Huawei]acl ?
  INTEGER<2000-2999>  Basic access-list(add to current using rules)
  INTEGER<3000-3999>  Advanced access-list(add to current using rules)
  INTEGER<4000-4999>  Specify a L2 acl group
  ipv6                ACL IPv6
  name                Specify a named ACL
  number              Specify a numbered ACL

Create a rule under the ACL number
[Huawei-acl-basic-2000]rule 5 deny source ?
  IP_ADDR<X.X.X.X>  Address of source
  any               Any source

Apply the ACL rules with traffic filtering on an interface
[Huawei-GigabitEthernet0/0/0]traffic-filter ?
  inbound   Apply ACL to the inbound direction of the interface
  outbound  Apply ACL to the outbound direction of the interface

View all ACL rules
<Huawei>display acl all

Experiment 1: Basic ACL configuration (inbound direction)

Host configuration

Switch configuration
[AR1]acl 2000                                              \\ create ACL number 2000
[AR1-acl-basic-2000]rule 5 deny source 192.168.1.5 0       \\ deny traffic from PC1
[AR1-acl-basic-2000]rule 10 deny source 192.168.1.10 0     \\ deny traffic from PC2
[AR1-acl-basic-2000]rule 10000 permit source any           \\ allow all other traffic to pass
[AR1-GigabitEthernet0/0/0]ip address 192.168.1.1 24        \\ set the IP address and mask
[AR1-GigabitEthernet0/0/0]traffic-filter inbound acl 2000  \\ apply the rules of acl 2000 in the inbound direction of interface GE 0/0/0
Test connectivity

The test shows that host 1 and host 2 cannot ping the router, while the other two hosts can ping it; the configuration succeeded.

Experiment 2: Basic ACL configuration (outbound direction)

The host configuration is the same as above.

Router AR1 configuration
[AR1-GigabitEthernet0/0/0]undo traffic-filter inbound       \\ remove the inbound ACL rule applied to interface GE 0/0/0 in the previous experiment
[AR1-GigabitEthernet0/0/1]ip address 1.1.1.1 24             \\ configure the IP address and mask
[AR1-GigabitEthernet0/0/1]traffic-filter outbound acl 2000  \\ apply the ACL rules in the outbound direction of interface GE 0/0/1

Router AR2 configuration
[AR2]ip route-static 0.0.0.0 0 1.1.1.1                      \\ configure a static default route
[AR2-GigabitEthernet0/0/1]ip address 1.1.1.2 24             \\ configure the IP address and mask
Connectivity test

The test shows that host 1 and host 2 can ping router AR1's GE 0/0/1 interface but cannot ping router AR2's GE 0/0/0 interface, while the other hosts can ping router AR2's GE 0/0/0 interface.

Experiment 3: Advanced ACL configuration (based on destination IP address)

The host configuration is the same as above.

Router AR1 configuration
[AR1]acl 3000
[AR1-acl-adv-3000]rule 5 deny ip destination 1.1.1.2 0
[AR1-acl-adv-3000]rule 10000 permit ip source any destination any
[AR1-GigabitEthernet0/0/1]undo traffic-filter outbound
[AR1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
Connectivity test

The test shows that all four hosts can ping 1.1.1.1 but cannot ping 1.1.1.2; the experiment succeeded.

Experiment 4: Advanced ACL configuration (based on protocol)

Router AR2 configuration
[AR2]user-interface vty 0 4                                  \\ enter the user interface VTY 0 4
[AR2-ui-vty0-4]authentication-mode password                  \\ change the authentication mode to password
[AR2-ui-vty0-4]set authentication password cipher 123456     \\ set the (ciphertext-stored) password 123456
[AR2-ui-vty0-4]user privilege level 15                       \\ set the user privilege level to 15
[AR2-ui-vty0-4]protocol inbound telnet                       \\ enable telnet login
[AR2]acl 3100                                                \\ create ACL number 3100
[AR2-acl-adv-3100]rule 5 deny icmp                           \\ deny ICMP traffic
[AR2-acl-adv-3100]rule 20 permit tcp                         \\ permit TCP traffic
[AR2-GigabitEthernet0/0/0]traffic-filter inbound acl 3100    \\ apply the rules of ACL 3100 in the inbound direction of interface GE 0/0/0
Test from router AR1

The test shows that ping (ICMP) fails while telnet (TCP) works; the experiment succeeded.
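To make the first-match order, the implicit default rule and the step-based rule numbering from section 2 concrete, here is an added Python model (not Huawei's code and not part of the original article). It parses rule lines in the CLI form used in these experiments, allocates rule numbers with the step-5 scheme when a number is omitted, and evaluates packets top to bottom, falling back to a default action that is an argument of the model (permit when the ACL is applied with traffic-filter, deny otherwise). It replays the rule sets of experiments 1, 3 and 4; the packets, the "other host" address 192.168.1.15 and all function and class names are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not Huawei's code): a small model of ACL rule numbering and
# first-match evaluation.  Rule lines follow the article's CLI form, e.g.
#   rule 5 deny source 192.168.1.5 0
#   rule 10000 permit ip source any destination any
#   rule 5 deny icmp

STEP = 5  # default step size described in the article


def next_rule_id(existing: List[int], step: int = STEP) -> int:
    """Rule-ID allocation: the step itself for the first rule, otherwise the
    smallest multiple of the step greater than the largest existing number."""
    if not existing:
        return step
    return (max(existing) // step + 1) * step


def addr_int(text: str) -> int:
    # The CLI accepts a bare "0" for the wildcard 0.0.0.0 (exact match)
    return int(text) if text.isdigit() else int(ipaddress.IPv4Address(text))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = bit must equal the base address, bit 1 = any value."""
    a, b, w = addr_int(addr), addr_int(base), addr_int(wildcard)
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


@dataclass
class Rule:
    rule_id: int
    action: str                            # "permit" or "deny"
    proto: str = "ip"                      # "ip" matches every protocol
    src: Optional[Tuple[str, str]] = None  # (address, wildcard); None = any
    dst: Optional[Tuple[str, str]] = None

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if self.src and not wildcard_match(pkt["src"], *self.src):
            return False
        if self.dst and not wildcard_match(pkt["dst"], *self.dst):
            return False
        return True


def parse_rule(line: str, existing_ids: List[int]) -> Rule:
    """Parse one 'rule ...' line, allocating a number when none is given."""
    tok = line.split()
    i = 1                                   # tok[0] is the keyword "rule"
    if tok[i].isdigit():
        rid, i = int(tok[i]), i + 1
    else:
        rid = next_rule_id(existing_ids)
    action, i = tok[i], i + 1
    proto, src, dst = "ip", None, None
    while i < len(tok):
        if tok[i] in ("source", "destination"):
            if tok[i + 1] == "any":
                val, width = None, 2
            else:
                val, width = (tok[i + 1], tok[i + 2]), 3
            if tok[i] == "source":
                src = val
            else:
                dst = val
            i += width
        else:                               # protocol keyword: ip, icmp, tcp, udp
            proto, i = tok[i], i + 1
    return Rule(rid, action, proto, src, dst)


class Acl:
    def __init__(self, number: int, default: str):
        # Implicit rule: "permit" when used with traffic-filter, "deny" elsewhere
        self.number, self.default, self.rules = number, default, []

    def add(self, line: str) -> Rule:
        rule = parse_rule(line, [r.rule_id for r in self.rules])
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.rule_id)   # evaluated in number order
        return rule

    def check(self, pkt: dict) -> str:
        for rule in self.rules:                    # top to bottom, first match wins
            if rule.matches(pkt):
                return rule.action
        return self.default                        # nothing matched: implicit rule


def experiment_results() -> dict:
    """Replay experiments 1, 3 and 4 with constructed packets standing in for
    the pings and the telnet session (192.168.1.15 is a made-up 'other host')."""
    acl2000 = Acl(2000, "permit")
    for line in ("rule 5 deny source 192.168.1.5 0",
                 "rule 10 deny source 192.168.1.10 0",
                 "rule 10000 permit source any"):
        acl2000.add(line)
    acl3000 = Acl(3000, "permit")
    acl3000.add("rule 5 deny ip destination 1.1.1.2 0")
    acl3000.add("rule 10000 permit ip source any destination any")
    acl3100 = Acl(3100, "permit")
    acl3100.add("rule 5 deny icmp")
    acl3100.add("rule 20 permit tcp")
    ping = lambda s, d: {"proto": "icmp", "src": s, "dst": d}
    return {
        "exp1_pc1": acl2000.check(ping("192.168.1.5", "192.168.1.1")),
        "exp1_other": acl2000.check(ping("192.168.1.15", "192.168.1.1")),
        "exp3_to_ar1": acl3000.check(ping("192.168.1.5", "1.1.1.1")),
        "exp3_to_ar2": acl3000.check(ping("192.168.1.5", "1.1.1.2")),
        "exp4_ping": acl3100.check(ping("1.1.1.1", "1.1.1.2")),
        "exp4_telnet": acl3100.check({"proto": "tcp", "src": "1.1.1.1", "dst": "1.1.1.2"}),
    }
```

Because the default action is explicit in the model, it also shows why the experiments end every ACL with a high-numbered permit rule: with a default of deny, an ACL that only lists deny rules would block everything else as well.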

3 Wildcard mask (Wildcard)

A wildcard mask is a 32-bit value that indicates which bits of an IP address must match strictly and which bits need not be matched. It is used to match several specific IP addresses or a contiguous range of IP addresses.

Wildcard masks are usually written in dotted decimal form like network masks, but their meaning is completely different from that of a netmask.

Matching rules:
"0" means "strict match"; "1" means "any"

Strict match: the corresponding bit of the IP address must keep its value.

Any: the corresponding bit of the IP address can be either 0 or 1.

Example 1: Match two addresses

192.168.1.5     0.0.0.1

First convert the IP address and the wildcard mask to binary:

11000000.10101000.00000001.00000101
00000000.00000000.00000000.00000001

Analysis: the first 31 bits of the wildcard mask are all 0, so the first 31 bits of the IP address cannot change, and the last bit is 1, so the last bit of the IP address can be either 0 or 1. The pair therefore matches the 2 addresses 192.168.1.4 and 192.168.1.5.

Example 2: Match multiple addresses

192.168.1.5     0.0.0.3

11000000.10101000.00000001.00000101
00000000.00000000.00000000.00000011

Analysis: the first 30 bits of the wildcard mask are all 0, so the first 30 bits of the IP address cannot change, and the last 2 bits are 1, so the last 2 bits of the IP address can be either 0 or 1. The pair therefore matches the 4 addresses 192.168.1.4 to 192.168.1.7.

Example 3: Match an entire network segment

192.168.1.5     0.0.0.255

11000000.10101000.00000001.00000101
00000000.00000000.00000000.11111111

Analysis: the first 24 bits of the wildcard mask are all 0, so the first 24 bits of the IP address cannot change, and the last 8 bits are 1, so the last 8 bits of the IP address can be either 0 or 1. The pair therefore matches 192.168.1.0 to 192.168.1.255, that is, the segment 192.168.1.0/24.

Example 4: Match multiple non-contiguous addresses

192.168.1.5     0.0.0.254

11000000.10101000.00000001.00000101
00000000.00000000.00000000.11111110

Analysis: the first 24 bits and bit 32 of the wildcard mask are 0, so the first 24 bits and bit 32 of the IP address cannot change, while bits 25 to 31 are 1, so bits 25 to 31 of the IP address can be either 0 or 1. The pair therefore matches 192.168.1.1, 192.168.1.3, 192.168.1.5, 192.168.1.7, 192.168.1.9, 192.168.1.11, ..., that is, all odd addresses in the segment 192.168.1.0/24.
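As an added example (not part of the original article), the following Python code generalizes the four worked examples: it converts an address or mask to the dotted binary shown above, enumerates every address an "address wildcard" pair matches by expanding the free (1) bits, and reports whether a mask selects one contiguous block (examples 1 to 3) or scattered hosts (example 4). The function names and the prefix_to_wildcard helper are this example's own.

```python
import ipaddress
from typing import List

# Added example (not from the article): expand an "<address> <wildcard>" pair
# into the addresses it matches, using the bit rules above
# (wildcard bit 0 = fixed, wildcard bit 1 = free), and classify the mask.


def to_binary(dotted: str) -> str:
    """Dotted-decimal IPv4 string -> dotted binary, e.g. 11000000.10101000...."""
    value = int(ipaddress.IPv4Address(dotted))
    return ".".join(format((value >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


def matched_addresses(address: str, wildcard: str) -> List[str]:
    """All addresses matched by the pair, in ascending order."""
    base = int(ipaddress.IPv4Address(address))
    wild = int(ipaddress.IPv4Address(wildcard))
    fixed = base & ~wild & 0xFFFFFFFF                 # bits that keep their value
    free_bits = [b for b in range(32) if (wild >> b) & 1]
    result = []
    for n in range(1 << len(free_bits)):              # every combination of free bits
        value = fixed
        for k, bit in enumerate(free_bits):
            if (n >> k) & 1:
                value |= 1 << bit
        result.append(value)
    return [str(ipaddress.IPv4Address(v)) for v in sorted(result)]


def is_contiguous(wildcard: str) -> bool:
    """True when the 1 bits form one run at the low end, so the matched set is a
    single block such as a /24; False for masks like 0.0.0.254 that pick
    scattered hosts."""
    wild = int(ipaddress.IPv4Address(wildcard))
    return (wild & (wild + 1)) == 0


def prefix_to_wildcard(prefix_len: int) -> str:
    """Wildcard that matches exactly one /prefix_len block (24 -> 0.0.0.255)."""
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))


if __name__ == "__main__":
    pairs = (("192.168.1.5", "0.0.0.1"), ("192.168.1.5", "0.0.0.3"),
             ("192.168.1.5", "0.0.0.255"), ("192.168.1.5", "0.0.0.254"))
    for addr, wild in pairs:
        hits = matched_addresses(addr, wild)
        kind = "contiguous" if is_contiguous(wild) else "non-contiguous"
        print(f"{addr} {wild}: {len(hits)} addresses, {hits[0]} .. {hits[-1]} ({kind})")
```

Running the block prints one summary line per worked example; the non-contiguous check is the useful one when reviewing an ACL, because a wildcard such as 0.0.0.254 matches far more, or different, hosts than a quick reading of the rule suggests.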

©2019-2020 Toolsou All rights reserved,