A detailed guide to configuring advanced ACLs

Configure advanced access control lists

Principle overview:

A basic ACL (numbered 2000-2999) can match packets only by their source IP address. In practice it is often necessary to match other fields of the packet as well, such as the destination IP address, the protocol number and the port numbers. Because a basic ACL is limited to source-address matching, it cannot express such policies, and an advanced access control list is needed.

An advanced access control list extends the set of matching fields and is numbered 3000-3999. Its rules can be defined not only on the packet's source IP address but also on the destination address, IP precedence, IP protocol type, ICMP type, TCP source/destination port, UDP source/destination port and other fields.

Advanced ACLs therefore allow more precise, richer and more flexible rules than basic ACLs, which is why they are much more widely used.

Experimental purpose:

Understand the application scenario of advanced access control list

Master the method of configuring advanced access control list

Understand the difference between advanced access control lists and basic access control lists

Start the experiment:

First, configure the interfaces and OSPF so that the whole network is reachable. The commands are as follows:

AR1:
#
interface GigabitEthernet0/0/0
 ip address 10.0.13.1 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface NULL0
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 10.0.13.0 0.0.0.255

AR2:
#
interface GigabitEthernet0/0/0
 ip address 10.0.23.1 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface NULL0
#
ospf 1
 area 0.0.0.0
  network 10.0.23.0 0.0.0.255

AR3:
#
interface GigabitEthernet0/0/0
 ip address 10.0.13.254 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 10.0.23.254 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 10.0.34.1 255.255.255.0
#
interface NULL0
#
interface LoopBack0
 ip address 3.3.3.3 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 3.3.3.3 0.0.0.0
  network 10.0.13.0 0.0.0.255
  network 10.0.23.0 0.0.0.255
  network 10.0.34.0 0.0.0.255

AR4:
#
interface GigabitEthernet0/0/0
 ip address 10.0.34.254 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface NULL0
#
interface LoopBack0
 ip address 4.4.4.4 255.255.255.255
#
interface LoopBack1
 ip address 40.40.40.40 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 4.4.4.4 0.0.0.0
  network 10.0.34.0 0.0.0.255
  network 40.40.40.40 0.0.0.0

After all configuration is complete, check that the whole network is reachable and inspect the routing table:

[Screenshot of the routing table, not reproduced]

It can be seen that the whole network is reachable and that AR1 has learned routes to the relevant network segments.

Configure Telnet on AR4:

After configuration, try to Telnet from R1 to R4.

Any device that has a route to R4 and knows the Telnet password can log in normally: at this point the password is the only control on who may reach the VTY.

Configure an advanced access control list:

According to the design requirements, R1's loopback address (1.1.1.1) may Telnet to R4 via R4's LoopBack0 address 4.4.4.4, but not via the LoopBack1 address 40.40.40.40.

Restricting login to R4's LoopBack0 address means matching the source address and the destination address of the packet at the same time. A basic ACL cannot do this, because it matches only on the source address, so an advanced ACL is needed.

Use the acl command on R4 to create advanced ACL 3000.

When no rule ID is specified, the default step is 5, so the first rule is numbered 5 and later rules 10, 15, and so on.

Apply ACL 3000 under the VTY user interface with the inbound parameter, i.e. in the direction of Telnet connections coming into R4. Note that an ACL applied on the VTY permits any login that matches no rule, so the filtering relies on the explicit deny rule; other sources that know the password can still log in.

After configuration, try again from R1, with its loopback address as the source, to Telnet to 40.40.40.40.

The filtering now takes effect: R1 cannot reach 40.40.40.40 from its loopback address.

Beyond addresses, an advanced ACL can also match source and destination ports, protocol numbers and other fields, which makes it a very powerful tool.
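As an added example (my own illustration, not code from the original post or from Huawei), the following Python script models how the advanced ACL of this experiment is evaluated, covering both the matching fields from the principle overview and the VTY filtering step above. Everything in it is assumed rather than taken from the page: the two configuration fragments are constructed, the rule lines follow VRP `rule` syntax for TCP/IP rules with `source`/`destination` address plus wildcard and `destination-port eq`, rules are checked in rule-ID order with first match deciding, and a connection that matches no rule is permitted by the VTY default. The second fragment (ACL 3001) is a hardened variant that closes that default-permit gap with a final `rule deny ip`.

```python
"""Added example, not part of the original post: first-match evaluation of a
Huawei-style advanced ACL (3000-3999) against Telnet attempts.
Assumed: VRP rule syntax, rule-ID ordering, and default permit on the VTY."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

STEP = 5                                   # default rule-ID step on VRP (assumed)
PORT_NAMES = {"telnet": 23, "ssh": 22, "http": 80}
ANY = (0, 0xFFFFFFFF)                      # address 0.0.0.0, wildcard 255.255.255.255

# Constructed fragment matching the experiment: one deny rule, everything else
# falls through to the VTY default (permit).
R4_EXPERIMENT = """
acl number 3000
 rule deny tcp source 1.1.1.1 0 destination 40.40.40.40 0 destination-port eq telnet
"""

# Constructed hardened variant: only 1.1.1.1 -> 4.4.4.4:23 is permitted and the
# closing `rule deny ip` removes the default-permit hole for every other source.
R4_HARDENED = """
acl number 3001
 rule permit tcp source 1.1.1.1 0 destination 4.4.4.4 0 destination-port eq telnet
 rule deny ip
"""


@dataclass
class Rule:
    rule_id: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp", ...
    src: tuple[int, int]        # (address, wildcard) as 32-bit ints
    dst: tuple[int, int]
    dport: int | None = None    # destination port, None = any


def auto_rule_id(max_existing: int, step: int = STEP) -> int:
    """Next automatically assigned rule ID: first multiple of `step` above max_existing."""
    return (max_existing // step + 1) * step


def _ipv4_int(token: str) -> int:
    # VRP accepts a bare `0` as shorthand for the wildcard 0.0.0.0
    return int(token) if token.isdigit() else int(ipaddress.IPv4Address(token))


def _addr_wild(tokens: list[str], i: int) -> tuple[tuple[int, int], int]:
    """Parse `<addr> <wildcard>` or `any` at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    return (_ipv4_int(tokens[i]), _ipv4_int(tokens[i + 1])), i + 2


def _parse_rule(tokens: list[str], next_auto_id: int) -> Rule:
    i = 0
    rule_id = next_auto_id
    if tokens[i].isdigit():                 # explicit `rule 15 ...`
        rule_id, i = int(tokens[i]), i + 1
    action, proto, i = tokens[i], tokens[i + 1], i + 2
    src = dst = ANY
    dport = None
    while i < len(tokens):
        if tokens[i] == "source":
            src, i = _addr_wild(tokens, i + 1)
        elif tokens[i] == "destination":
            dst, i = _addr_wild(tokens, i + 1)
        elif tokens[i] == "destination-port" and tokens[i + 1] == "eq":   # only `eq` modelled
            dport, i = PORT_NAMES.get(tokens[i + 2]) or int(tokens[i + 2]), i + 3
        else:
            raise ValueError(f"unsupported keyword {tokens[i]!r}")
    return Rule(rule_id, action, proto, src, dst, dport)


def parse_acls(config: str) -> dict[int, list[Rule]]:
    """Parse `acl number N` blocks and their `rule` lines, numbering rules without an ID."""
    acls: dict[int, list[Rule]] = {}
    current: list[Rule] | None = None
    for line in config.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "acl":                  # `acl 3000` or `acl number 3000`
            current = acls.setdefault(int(tokens[-1]), [])
        elif tokens[0] == "rule" and current is not None:
            max_id = max((r.rule_id for r in current), default=0)
            current.append(_parse_rule(tokens[1:], auto_rule_id(max_id)))
    return acls


def _matches(addr: int, spec: tuple[int, int]) -> bool:
    base, wild = spec
    return ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0   # wildcard bits set = "don't care"


def evaluate(rules, src_ip, dst_ip, proto="tcp", dport=23, default="permit"):
    """First-match evaluation; returns (action, rule_id), or (default, None) if nothing matches."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for r in sorted(rules, key=lambda r: r.rule_id):
        if (r.proto in ("ip", proto) and _matches(s, r.src) and _matches(d, r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action, r.rule_id
    return default, None


if __name__ == "__main__":
    for name, cfg, number in (("experiment", R4_EXPERIMENT, 3000), ("hardened", R4_HARDENED, 3001)):
        rules = parse_acls(cfg)[number]
        for src, dst in (("1.1.1.1", "4.4.4.4"), ("1.1.1.1", "40.40.40.40"), ("10.0.13.1", "4.4.4.4")):
            print(name, src, "->", dst, evaluate(rules, src, dst))
```

Running it shows the difference that matters in practice: with ACL 3000 the attempt from 1.1.1.1 to 40.40.40.40 hits rule 5 and is denied, but 10.0.13.1 to 4.4.4.4 matches nothing and is let through by the default; with ACL 3001 only the single whitelisted source/destination/port combination is permitted and everything else, including SSH from the same source, is caught by rule 10.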

End of experiment.

Remarks: if there are any errors, please bear with me!

This article is my study notes, for reference only! If it duplicates existing content, please contact me!

Tags: network

Posted on Wed, 24 Nov 2021 19:09:33 -0500 by tomato