Configure advanced access control lists
A basic ACL can only match the source IP address of a packet. In practice it is often necessary to match other fields as well, such as the destination IP address, the protocol number and the port numbers. Because a basic ACL is limited in what it can match, it cannot implement these requirements, so an advanced access control list is needed.
An advanced access control list extends the set of matching items and uses the number range 3000-3999. Besides the source IP address of the packet, its rules can be defined on the destination address, IP precedence, IP protocol type, ICMP type, TCP source/destination port, UDP source/destination port and other fields.
Advanced ACLs can express more precise, richer and more flexible rules than basic ACLs, which is why they are more widely used.
Understand the application scenario of advanced access control list
Master the method of configuring advanced access control list
Understand the difference between advanced access control lists and basic access control lists
Start the experiment:
First, configure the interfaces and the OSPF protocol so that the whole network is interconnected;
The command is as follows:
AR1:
#
interface GigabitEthernet0/0/0
 ip address 10.0.13.1 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface NULL0
#
interface LoopBack0
 ip address 18.104.22.168 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 22.214.171.124 0.0.0.0
  network 10.0.13.0 0.0.0.255

AR2:
#
interface GigabitEthernet0/0/0
 ip address 10.0.23.1 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface NULL0
#
ospf 1
 area 0.0.0.0
  network 10.0.23.0 0.0.0.255

AR3:
#
interface GigabitEthernet0/0/0
 ip address 10.0.13.254 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 10.0.23.254 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 10.0.34.1 255.255.255.0
#
interface NULL0
#
interface LoopBack0
 ip address 126.96.36.199 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 188.8.131.52 0.0.0.0
  network 10.0.13.0 0.0.0.255
  network 10.0.23.0 0.0.0.255
  network 10.0.34.0 0.0.0.255

AR4:
#
interface GigabitEthernet0/0/0
 ip address 10.0.34.254 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface NULL0
#
interface LoopBack0
 ip address 184.108.40.206 255.255.255.255
#
interface LoopBack1
 ip address 220.127.116.11 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 18.104.22.168 0.0.0.0
  network 10.0.34.0 0.0.0.255
  network 22.214.171.124 0.0.0.0
After all configurations are complete, verify that the whole network is interconnected by checking the routing table:
It can be observed that the whole network is interconnected, and AR1 has learned routes to the relevant network segments;
Configure Telnet on AR4:
After configuration, try a Telnet connection from R1 to R4;
We find that any device that is reachable by routing and has a Telnet password configured can be logged in to normally;
To configure an advanced access control list:
According to the design requirements, the loopback interface of R1 may Telnet to R4 only via 126.96.36.199, and not via 188.8.131.52;
Allowing login only when the destination is the LoopBack0 address of R4 means matching the source address and the destination address of the packet at the same time, which a standard ACL cannot do, because a basic ACL filters on the source address only. An advanced ACL is therefore required.
Use the acl command on R4 to create advanced ACL 3000;
It can be observed that when no rule ID is specified, the default step is 5, so the first rule receives ID 5.
Apply ACL 3000 under the VTY user interface with the inbound parameter, that is, in the inbound direction of R4.
After configuration, on R1 try to access 184.108.40.206 using the loopback address as the source;
It can be observed that filtering now takes effect: R1 cannot access 220.127.116.11 using the loopback address;
An advanced ACL can also match on source and destination ports, the protocol number and other fields, which makes it very powerful.
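Since the screenshots of the ACL commands did not survive, the following is an added Python model, not code from the original notes, that parses the two VRP-style rules this design needs and evaluates Telnet packets against them with first-match semantics and step-5 rule numbering. The loopback addresses are constructed placeholders, and the permit-when-no-rule-matches default is an assumption stated in the code.

```python
import ipaddress
# Constructed placeholder addresses (the notes' loopback addresses were garbled
# by extraction): R1's LoopBack0 and R4's LoopBack0 / LoopBack1.
R1_LO0, R4_LO0, R4_LO1 = "10.0.1.1", "10.0.4.4", "10.0.44.44"

# The two rules the design needs, in VRP "rule" syntax; on the router they sit
# under "acl 3000" and are applied with "acl 3000 inbound" in user-interface view.
VRP_RULES = [
    f"rule permit tcp source {R1_LO0} 0 destination {R4_LO0} 0 destination-port eq 23",
    f"rule deny tcp source {R1_LO0} 0 destination {R4_LO1} 0 destination-port eq 23",
]
ANY = ("0.0.0.0", "255.255.255.255")  # (address, wildcard) that matches everything

def parse_rule(text, rule_id):
    # Subset of VRP rule syntax: action, protocol, source/destination with
    # wildcard mask ("0" is VRP shorthand for 0.0.0.0), optional "destination-port eq N".
    tok, i = text.split(), 3
    if tok[0] != "rule" or tok[1] not in ("permit", "deny"):
        raise ValueError(text)
    r = {"id": rule_id, "action": tok[1], "proto": tok[2], "src": ANY, "dst": ANY, "dport": None}
    while i < len(tok):
        key = {"source": "src", "destination": "dst"}.get(tok[i])
        if key:
            r[key] = (tok[i + 1], "0.0.0.0" if tok[i + 2] == "0" else tok[i + 2])
        elif tok[i] == "destination-port" and tok[i + 1] == "eq":
            r["dport"] = int(tok[i + 2])
        else:
            raise ValueError(f"unsupported token: {tok[i]}")
        i += 3
    return r

def wildcard_match(addr, base_wild):
    # Wildcard-mask semantics: a 1 bit in the mask means "don't care".
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, *base_wild))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def build_acl(rule_texts, step=5):
    # VRP auto-numbers rules in steps of 5, so the first rule gets ID 5.
    return [parse_rule(t, step * (n + 1)) for n, t in enumerate(rule_texts)]

def evaluate(acl, src, dst, proto, dport, default="permit"):
    # First match in ascending rule-ID order wins. Assumed default: a VTY login
    # matching no rule is permitted, which is why the explicit deny rule matters.
    for r in sorted(acl, key=lambda r: r["id"]):
        if (r["proto"] in (proto, "ip") and wildcard_match(src, r["src"])
                and wildcard_match(dst, r["dst"]) and r["dport"] in (None, dport)):
            return r["id"], r["action"]
    return None, default

ACL_3000 = build_acl(VRP_RULES)  # a basic ACL could not express the destination check
```

Telnet from R1's loopback to R4's LoopBack0 hits rule 5 (permit), the same source to LoopBack1 hits rule 10 (deny), and a packet matching neither rule falls through to the assumed default.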
End of experiment;
Remarks: if there are any errors, please understand!
This article is my study notes, for reference only! If it duplicates something, please contact me!