
ACL (access control list) basic chapter - Super interesting learning network

2022-06-24 22:34:00 Zhuge iron and steel cloud

ACL is the abbreviation of Access Control List; its Chinese name translates as "access control list". It consists of a series of conditional rules (that is, judgement statements describing the matching conditions for a packet). These conditions can be the packet's source address, destination address, port number, and so on. It is an instruction list applied to the various software and hardware interfaces of network devices.

1. Usage scenarios of access control lists:

* Filtering

Filter incoming and outgoing packets according to the matching conditions in the ACL. By analogy, the ACL is a packet filter and the ACL rules are its filter elements: whichever filter elements are installed (that is, whichever ACL rules are configured according to packet characteristics), those are the packets the ACL can filter out.

* Classification

Identify flows according to the conditions in the ACL so that the device can give them further special treatment.


2. Types of access control lists:

* Standard

- Checks the source address only

- What is permitted or denied is usually an entire protocol


* Extended

- Checks the source and destination addresses

- What is permitted or denied is usually a specific protocol

3. Applying access control lists:


* Inbound direction

- The ACL is applied in the inbound direction of the device interface. When the interface receives a packet, the packet is first matched against the conditions of the ACL applied to that interface; if permitted, it is forwarded according to the routing table; if denied, it is discarded directly.

Summary: match first, then route.

* Outbound direction

- The ACL is applied in the outbound direction of the device interface. The packet is first routed via the routing table to the outgoing interface, then matched against the conditions of the outbound ACL applied on that interface, which decides permit or deny. If permitted, the data is forwarded according to the routing table; if denied, the packet is discarded directly.

Summary: route first, then match.

The order in which ACL entries are placed matters. Whether it is Cisco IOS, Huawei VRP or H3C Comware, the device checks whether a packet meets each entry's condition in the order the entries appear in the ACL; as soon as an entry's condition is met, the action specified in that entry is executed and the following entries are not checked.

By default, each ACL has an implicit entry at the end that denies all packets. In other words, when a received packet matches none of the ACL's entries, this hidden entry is triggered and the packet is discarded directly.

4. How ACLs are identified

* Standard numbered IPv4 lists (1-99, 1300-1999): can only set IP packet filtering conditions based on the source address.

Router(config)#access-list 10  permit 192.168.0.0 0.0.255.255
Router(config)#access-list 10  deny 172.16.0.0 0.0.255.255
Router(config)#do sh run | i access
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 10 deny   172.16.0.0 0.0.255.255

* Extended numbered IPv4 lists (100-199, 2000-2699): set IP packet filtering conditions based on source and destination addresses, the IP protocol number, and TCP/UDP source and destination ports.

Router(config)#access-list 100 permit tcp 192.168.0.0 0.0.255.255 100.100.100.0 0.0.0.255 eq 8080
Router(config)#access-list 100 deny udp 172.16.0.0 0.0.0.255 eq 1000 100.100.100.0 0.0.0.255 eq 1234
Router(config)#do sh run | i access
access-list 100 permit tcp 192.168.0.0 0.0.255.255 100.100.100.0 0.0.0.255 eq 8080
access-list 100 deny udp 172.16.0.0 0.0.0.255 eq 1000 100.100.100.0 0.0.0.255 eq 1234
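To make the first-match-wins and implicit-deny behaviour described above concrete, here is an added Python model of how the device walks an ACL (example code, not from the original post). The rule set is constructed from the page's ACL 100 entries; the packets, the `rule`/`packet` helpers and the two reordered lists are assumptions for the demonstration.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match the base, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

def rule(action, proto, src, sport, dst, dport):
    # src/dst are (base, wildcard) pairs; a port of None means "any port"
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def packet(proto, src, sport, dst, dport):
    # Constructed packet header, the fields an extended ACL looks at
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def evaluate(acl, pkt):
    """Walk the entries in order; the first match wins. Returns (action, sequence number).
    No match falls through to the implicit 'deny any' at the end, reported as sequence None."""
    for seq, r in enumerate(acl, start=1):
        if r["proto"] not in ("ip", pkt["proto"]):
            continue
        if not wildcard_match(pkt["src"], *r["src"]) or not wildcard_match(pkt["dst"], *r["dst"]):
            continue
        if r["sport"] is not None and r["sport"] != pkt["sport"]:
            continue
        if r["dport"] is not None and r["dport"] != pkt["dport"]:
            continue
        return r["action"], seq * 10   # IOS numbers entries 10, 20, 30, ...
    return "deny", None

ANY = ("0.0.0.0", "255.255.255.255")

# Constructed from the page's two ACL 100 entries
ACL_100 = [
    rule("permit", "tcp", ("192.168.0.0", "0.0.255.255"), None, ("100.100.100.0", "0.0.0.255"), 8080),
    rule("deny", "udp", ("172.16.0.0", "0.0.0.255"), 1000, ("100.100.100.0", "0.0.0.255"), 1234),
]

# Same two entries in opposite orders: a broad deny placed before a narrow permit shadows it
BROAD_THEN_NARROW = [rule("deny", "ip", ANY, None, ANY, None),
                     rule("permit", "tcp", ("192.168.0.0", "0.0.255.255"), None, ANY, 8080)]
NARROW_THEN_BROAD = list(reversed(BROAD_THEN_NARROW))

if __name__ == "__main__":
    web = packet("tcp", "192.168.5.7", 40000, "100.100.100.9", 8080)
    print(evaluate(ACL_100, web))                                                # ('permit', 10)
    print(evaluate(ACL_100, packet("tcp", "10.0.0.1", 1, "100.100.100.9", 8080)))  # ('deny', None)
    print(evaluate(BROAD_THEN_NARROW, web), evaluate(NARROW_THEN_BROAD, web))      # deny vs permit
```

The second lookup hits no explicit entry and is dropped by the implicit deny, and the last line shows the same packet permitted or denied purely by entry order.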

* Named ACLs use an alphanumeric string (a name) to identify IP standard and extended ACLs.

Standard:

ip access-list standard XXXX
permit 192.168.0.0 0.0.255.255
permit 172.16.0.0 0.0.255.255

Extended:

ip access-list extended YYYY
permit tcp 192.168.0.0 0.0.255.255 eq 8080 172.168.0.0 0.0.255.255 eq 8080
deny   udp 172.16.0.0 0.0.255.255 eq 8080 192.168.0.0 0.0.255.255 eq 8080

The ACL entries and their sequence numbers can be viewed directly in privileged mode:

Router#sh access-lists
Standard IP access list XXXX
    10 permit 192.168.0.0, wildcard bits 0.0.255.255
    20 permit 172.16.0.0, wildcard bits 0.0.255.255
Extended IP access list YYYY
    10 permit tcp 192.168.0.0 0.0.255.255 eq 8080 172.168.0.0 0.0.255.255 eq 8080
    20 deny udp 172.16.0.0 0.0.255.255 eq 8080 192.168.0.0 0.0.255.255 eq 8080


In practice it is generally recommended to create and configure ACLs using alphanumeric strings (names), because the name makes the purpose of the ACL easy to identify later. For example, an ACL applied in the inbound direction of interface F0/0 could be called “F0_0_inbound”.

In addition, in the named ACL configuration mode we can insert an entry between two existing sequence numbers, for example adding entry 15 between entries 10 and 20, and we can delete any specified entry directly with "no" followed by its sequence number. In a basic numbered ACL, individual entries cannot be deleted; the whole ACL has to be deleted and reconfigured.

PS: The user experience of Huawei ACLs is much better than Cisco's.

End of the primer.


Original site

Copyright notice
This article was created by [Zhuge iron and steel cloud]; please include the original link when reposting, thank you.
https://yzsam.com/2022/02/202202211233394766.html