Access control list (ACL)

Contents

Function and principle of access control list (ACL)

Direction of ACL application on an interface

Types of ACL

Application rules and principles of ACL

Basic commands

Function and principle of access control list (ACL)

  1. Restrict which packets are allowed through (permit) or dropped (deny) at an interface
  2. Serve as a match condition for other features, which reference the ACL to define the traffic they act on

How ACL works

When an ACL is applied to an interface, the router checks every packet that crosses that interface against the list and handles it according to the first rule that matches:

Read the layer 3 (IP) and layer 4 (TCP/UDP) header fields

Filter the packet according to the predefined rules

The fields used are the source and destination addresses and the protocol number in the IP header, plus the source and destination ports in the TCP or UDP header. ACL rules are written in terms of these fields, and a packet whose headers satisfy a rule is permitted or denied as that rule specifies.

Direction of ACL application on an interface

Outbound: packets that the router has already processed (routed) and that are leaving through the interface.

Inbound: packets arriving at the interface; they are checked before the router processes them.

The direction is always relative to the interface the list is applied to, so the same ACL affects different traffic depending on whether the packets of interest enter or leave through that interface.

Types of ACL

Basic ACL (2000-2999): matches on the source IP address only

Advanced ACL (3000-3999): matches on layer 3 and layer 4 fields, such as source IP, destination IP, protocol, source port and destination port

Layer 2 ACL (4000-4999): matches on layer 2 information in the frame, such as source MAC address, destination MAC address, 802.1Q priority and layer 2 protocol type

Application rules and principles of ACL

Application principle

A basic ACL should be applied as close to the destination as possible: it can only match the source address, so placing it near the source would cut that source off from every destination, not just the one being protected.

An advanced ACL should be applied as close to the source as possible: because it identifies the exact traffic (source, destination, protocol, port), it can drop unwanted packets before they consume bandwidth and processing on the devices along the path.

Application rules

1. Only one ACL can be applied in a given direction on an interface.
2. An ACL can contain multiple rules. They are sorted by rule ID from smallest to largest and checked from top to bottom; a rule entered without an ID receives the next free multiple of the step (5 by default), so the order in which rules were typed does not matter, only their IDs.
3. Once a packet matches a rule, that rule's action is applied and no further rules are checked.
4. When an ACL is used for packet filtering on Huawei devices, a packet that matches no rule is permitted by default (implicit permit). A list that is meant to block everything else therefore needs an explicit final deny rule, such as rule deny source any.
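The matching behaviour described in "How ACL works" and in rules 2 to 4 above, as an added Python example (not Huawei code, and not from the original post): it parses rule lines in the Huawei syntax used on this page, assigns automatic rule IDs with the default step of 5, sorts by ID, applies the first matching rule and falls back to the implicit permit. The packets are constructed for the example; the parser only understands the keywords that appear on this page (source, destination, any, destination-port eq, tcp/udp/icmp).

```python
"""Added example (not Huawei's code): a simulation of how a Huawei-style ACL
matches packets: wildcard masks, rule IDs with the default step of 5, first
match wins, and the implicit permit traffic-filter applies when nothing matches.
Only the keywords used on this page are parsed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

STEP = 5  # default rule-ID step on Huawei VRP


@dataclass
class Packet:
    """Constructed packet: just the header fields an ACL can inspect."""
    src: str
    dst: str
    proto: str = "ip"            # "tcp", "udp", "icmp", or "ip" when unspecified
    dport: Optional[int] = None


def _to_int(addr: str) -> int:
    # VRP accepts a bare "0" as the wildcard meaning "this exact host"
    return int(addr) if addr.isdigit() else int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask semantics: 0 bits must equal the base, 1 bits are ignored."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(addr) ^ _to_int(base)) & care == 0


def parse_rule(line: str) -> dict:
    """Parse 'rule [id] permit|deny [proto] source X W destination Y W destination-port eq N'."""
    toks = line.split()
    if toks[0] != "rule":
        raise ValueError(line)
    i, rid = 1, None
    if toks[i].isdigit():                       # explicit rule ID
        rid, i = int(toks[i]), i + 1
    action, i = toks[i], i + 1
    proto = "ip"                                # basic ACL rules name no protocol
    if i < len(toks) and toks[i] in ("tcp", "udp", "icmp", "ip"):
        proto, i = toks[i], i + 1
    rule = {"id": rid, "action": action, "proto": proto, "src": None, "dst": None, "dport": None}
    field = {"source": "src", "destination": "dst"}
    while i < len(toks):
        kw = toks[i]
        if kw in field and toks[i + 1] == "any":  # any = 0.0.0.0 with an all-ones wildcard
            rule[field[kw]], i = ("0.0.0.0", "255.255.255.255"), i + 2
        elif kw in field:                         # address followed by its wildcard (or 0)
            rule[field[kw]], i = (toks[i + 1], toks[i + 2]), i + 3
        elif kw == "destination-port" and toks[i + 1] == "eq":
            rule["dport"], i = int(toks[i + 2]), i + 3
        else:
            raise ValueError(f"unsupported keyword {kw!r} in {line!r}")
    return rule


class Acl:
    def __init__(self, number: int, lines):
        self.number, self.rules, max_id = number, [], 0
        for line in lines:
            r = parse_rule(line)
            if r["id"] is None:                 # auto ID: next multiple of STEP above the largest ID
                r["id"] = (max_id // STEP + 1) * STEP
            max_id = max(max_id, r["id"])
            self.rules.append(r)
        # match-order config (the default): checked in ascending ID order, not typing order
        self.rules.sort(key=lambda r: r["id"])

    def evaluate(self, pkt: Packet):
        """Return (action, rule_id); rule_id None means no rule matched (implicit permit)."""
        for r in self.rules:
            if r["proto"] != "ip" and r["proto"] != pkt.proto:
                continue
            if r["src"] and not wildcard_match(pkt.src, *r["src"]):
                continue
            if r["dst"] and not wildcard_match(pkt.dst, *r["dst"]):
                continue
            if r["dport"] is not None and r["dport"] != pkt.dport:
                continue
            return r["action"], r["id"]         # first match wins; nothing below is consulted
        return "permit", None                   # Huawei traffic-filter default for unmatched packets


# The advanced ACL from this page (wildcards written out, as VRP requires)
ACL_3000 = Acl(3000, [
    "rule deny icmp source 192.168.1.0 0.0.0.255 destination 192.168.3.10 0",
    "rule permit tcp source 192.168.1.3 0 destination 192.168.3.10 0 destination-port eq 80",
    "rule deny tcp source any destination 192.168.3.10 0 destination-port eq 80",
    "rule deny tcp source 192.168.10.0 0.0.0.255 destination 12.0.0.2 0 destination-port eq 21",
])

# A basic ACL in which the rule typed last has the lowest ID and is checked first
ACL_2000 = Acl(2000, [
    "rule 5 permit source 192.168.1.0 0.0.0.255",
    "rule deny source any",                 # gets auto ID 10
    "rule 3 deny source 192.168.1.100 0",   # explicit ID 3: evaluated before rule 5
])
```

Two things worth noticing when running it: a TCP packet from 192.168.10.7 to 12.0.0.2 on port 22 matches none of the four rules in ACL 3000 and is returned as ("permit", None), which is the implicit permit of rule 4 at work; and in ACL 2000 the host rule with ID 3 denies 192.168.1.100 even though it was typed after the permit for 192.168.1.0/24, because evaluation follows rule IDs, not typing order.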

Basic commands

**Basic ACL (2000~2999)**

[Huawei]acl number 2000                                          #Create ACL 2000 and enter its view
[Huawei-acl-basic-2000]rule 5 permit source 192.168.1.0 0.0.0.255    #permit = allow; source = source address, followed by the wildcard mask (0 bits must match, 1 bits are ignored): the 192.168.1.0/24 segment is allowed through
[Huawei-acl-basic-2000]rule deny source any                      #Deny every other source (any = all); required because unmatched packets are permitted by default
[Huawei-acl-basic-2000]quit
[Huawei]interface GigabitEthernet 0/0/1                          #Enter interface g0/0/1
[Huawei-GigabitEthernet0/0/1]ip address 192.168.2.254 24         #Configure the interface IP address
[Huawei-GigabitEthernet0/0/1]traffic-filter outbound acl 2000    #Apply ACL 2000 in the outbound direction (outbound = leaving the interface, inbound = entering it)
**Advanced ACL (3000~3999)**

[Huawei]acl number 3000                                          #Create ACL 3000 and enter its view
[Huawei-acl-adv-3000]rule deny icmp source 192.168.1.0 0.0.0.255 destination 192.168.3.10 0
                               #Deny ICMP (ping) from the 192.168.1.0/24 segment to host 192.168.3.10 (receives rule ID 5)
[Huawei-acl-adv-3000]rule permit tcp source 192.168.1.3 0 destination 192.168.3.10 0 destination-port eq 80
                               #Allow only host 192.168.1.3 (wildcard 0 = exact host) to reach TCP port 80 on 192.168.3.10 (rule ID 10); destination = destination address, destination-port = destination port number
[Huawei-acl-adv-3000]rule deny tcp source any destination 192.168.3.10 0 destination-port eq 80
                               #Deny all other sources access to TCP port 80 on 192.168.3.10 (rule ID 15); must follow the permit above, since the first match wins
[Huawei-acl-adv-3000]rule deny tcp source 192.168.10.0 0.0.0.255 destination 12.0.0.2 0 destination-port eq 21
                               #Deny the 192.168.10.0/24 segment access to the FTP server 12.0.0.2 (rule ID 20)
[Huawei-acl-adv-3000]quit
[Huawei]interface GigabitEthernet 0/0/0                          #Enter interface g0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 192.168.2.254 24         #Configure the interface IP address
[Huawei-GigabitEthernet0/0/0]traffic-filter inbound acl 3000     #Apply ACL 3000 in the inbound direction of the interface

[Huawei]interface GigabitEthernet 0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 192.168.2.254 24
[Huawei-GigabitEthernet0/0/0]traffic-filter inbound acl 3000      ###Apply the ACL in the inbound direction of the interface
[Huawei-GigabitEthernet0/0/0]undo traffic-filter inbound           ###Remove the ACL from that direction of the interface
[Huawei-GigabitEthernet0/0/0]quit
[Huawei]display acl 3000                                           ###Display the ACL configuration
[Huawei]acl number 3000
[Huawei-acl-adv-3000]display this                                  ###View the rules of the current ACL with their sequence numbers
[Huawei-acl-adv-3000]undo rule 5                                   ###Remove a single rule by its ID
[Huawei-acl-adv-3000]quit
[Huawei]undo acl 3000                                              ###Delete the entire ACL

Tags: network Network Protocol acl

Posted on Fri, 22 Oct 2021 22:27:08 -0400 by ejwf