Access control list (ACL)
Contents
Function and principle of access control list (ACL)
Direction of access control list in interface application
Application rules and principles of ACL
Function and principle of access control list (ACL)
- Used to control the forwarding of data packets: matching packets are discarded or released
- Used together with other protocols and features to define the range of traffic they act on
How ACL works
When an ACL is applied to an interface, the router inspects every packet that passes through that interface and handles it according to the ACL.
Read the header information of layer 3 and layer 4
Filter packets according to predefined rules
The rules are built from four fields: the source and destination addresses in the IP header plus the source and destination ports in the TCP header. These four fields decide whether a packet is filtered (dropped) or released.
Direction of access control list in interface application
Out: packets that have already been processed by the router and are leaving through the interface.
In: packets that have arrived at the interface and are about to be processed by the router.
The direction in which the ACL is applied to the interface must match the direction of the traffic to be filtered.
Type of ACL
Basic ACL (2000-2999): can match only the source IP address
Advanced ACL (3000-3999): can match layer 3 and layer 4 fields and protocols, such as source IP, destination IP, source port and destination port
Layer 2 ACL (4000-4999): rules are specified according to layer 2 information in the packet, such as source MAC address, destination MAC address, 802.1Q priority and layer 2 protocol type
Application rules and principles of ACL
Application principle
Basic ACLs are applied as close to the destination as possible (they match only the source address, so applying one near the source would block that source's traffic to every destination)
Advanced ACLs are applied as close to the source as possible (dropping unwanted traffic early saves bandwidth and load on the devices along the path)
Application rules
1. Only one ACL can be applied per direction on an interface
2. An ACL can contain multiple rules; they are sorted by rule ID from smallest to largest and evaluated from top to bottom
3. Once a packet matches a rule, it is not matched against the remaining rules
4. When an ACL is used for packet filtering, Huawei devices permit by default: a packet that matches no rule is let through
Basic instruction
**Basic ACL (2000~2999)**

```text
[Huawei]acl number 2000                                            # create and enter basic ACL 2000
[Huawei-acl-basic-2000]rule 5 permit source 192.168.1.0 0.0.0.255  # permit = allow; source = source address, followed by the wildcard mask (0.0.0.255 covers the whole /24)
[Huawei-acl-basic-2000]rule deny source any                        # deny every other source; any = all addresses
[Huawei-acl-basic-2000]interface g0/0/1                            # enter interface g0/0/1
[Huawei-GigabitEthernet0/0/1]ip address 192.168.2.254 24           # configure the interface IP address
[Huawei-GigabitEthernet0/0/1]traffic-filter outbound acl 2000      # apply ACL 2000 in the outbound direction (outbound = leaving the interface, inbound = entering it)
```
**Advanced ACL (3000~3999)**

```text
[Huawei]acl number 3000                                                                                  # create and enter advanced ACL 3000
[Huawei-acl-adv-3000]rule deny icmp source 192.168.1.0 0.0.0.255 destination 192.168.3.10 0             # block ping from the 192.168.1.0/24 segment to 192.168.3.10
[Huawei-acl-adv-3000]rule permit tcp source 192.168.1.3 0 destination 192.168.3.10 0 destination-port eq 80   # destination = destination address, destination-port = destination port number
[Huawei-acl-adv-3000]rule deny tcp source any destination 192.168.3.10 0 destination-port eq 80         # everyone else is denied HTTP to 192.168.3.10
[Huawei-acl-adv-3000]rule deny tcp source 192.168.10.0 0.0.0.255 destination 12.0.0.2 0 destination-port eq 21   # deny the 192.168.10.0/24 segment access to FTP server 12.0.0.2
[Huawei-acl-adv-3000]interface g0/0/0                                                                    # enter interface g0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 192.168.2.254 24                                                 # configure the interface IP address
[Huawei-GigabitEthernet0/0/0]traffic-filter inbound acl 3000                                             # apply ACL 3000 in the inbound direction of the interface
```
**Applying, viewing and removing an ACL**

```text
[Huawei]interface g0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 192.168.2.254 24
[Huawei-GigabitEthernet0/0/0]traffic-filter inbound acl 3000   # apply the ACL in the inbound direction of the interface
[Huawei-GigabitEthernet0/0/0]undo traffic-filter inbound       # remove the ACL from the interface
[Huawei]display acl 3000                                       # display the ACL configuration
[Huawei]acl number 3000
[Huawei-acl-adv-3000]display this                              # view the rule sequence numbers
[Huawei-acl-adv-3000]undo rule 5                               # remove a single ACL rule
[Huawei]undo acl 3000                                          # delete the entire ACL
```