Saturday, December 18, 2010
【Weak Current College】 Cisco ACL principles and configuration explained in detail --- Power By 【China Power House Network】
What is an ACL?
ACL stands for access control list. ACLs are a packet-filtering technology used on routers: the router reads the layer 3 and layer 4 header information of a packet (source address, destination address, source port, destination port and so on) and filters the packet according to predefined rules, which is how access control is achieved. Early on only routers supported this technology; in recent years it has been extended to layer 3 switches, and some of the newest layer 2 switches have also begun to offer ACL support.

Principles for using access control lists
Because the ACL configuration commands are flexible and very powerful, a single small example cannot show the full picture of ACL configuration. Before the examples, we therefore set out the principles of ACL configuration so that readers can digest the ACL material more easily.
1. Principle of least privilege: give the controlled object only the minimum permissions needed to complete its task. In other words, the overall control is the intersection of all the rules; a packet that satisfies only some of the conditions is not allowed through.
2. Principle of placing control closest to the controlled object: this applies to all network-layer access control. Rules are checked top-down, one by one, in the ACL; as soon as a packet matches a rule it is acted on immediately and the ACL statements below it are not tested.
3. Default-drop principle: Cisco routers and switches add DENY ANY ANY as the last statement of every ACL by default, which drops all packets that do not match any condition. Pay particular attention to this point: the default can be modified, but do not change it unless you absolutely must.
Because ACLs are a packet-filtering technology and base their decisions only on the layer 3 and layer 4 header fields, the technique has some inherent limitations: it cannot identify specific users, and it cannot recognise permission levels inside an application. To achieve end-to-end access control, ACLs must therefore be combined with system-level and application-level access control.

Standard access control lists
ACLs come in several kinds, each suited to different situations. The simplest is the standard access control list, which filters on the source IP address of the IP packet alone; standard ACLs are created with access-list numbers 1 to 99. Their format is:
access-list ACL-number permit | deny host IP-address
For example, the command access-list 10 deny host 192.168.1.1 drops every packet coming from the address 192.168.1.1. A network segment can be given instead, to filter a whole segment:
access-list 10 deny 192.168.1.0 0.0.0.255
This configuration drops the packets of every computer in 192.168.1.0/24. Why is the mask written as 0.0.0.255? Because Cisco ACLs use an inverse (wildcard) mask in place of the subnet mask: the inverse mask 0.0.0.255 corresponds to the subnet mask 255.255.255.0.
Tip: in a standard access control list the default is HOST, so access-list 10 deny 192.168.1.1 denies communication from the single host 192.168.1.1; this saves us typing the host keyword.
Standard access control list, example 1
We use the network structure shown in the figure. The router connects two segments, 172.16.4.0/24 and 172.16.3.0/24. In the 172.16.4.0/24 segment one server provides the WWW service, with IP address 172.16.4.13.
Configuration task: prevent all computers in 172.16.4.0/24 except 172.16.4.13 from accessing 172.16.3.0/24; 172.16.4.13 may access 172.16.3.0/24.
Router configuration commands:
access-list 1 permit host 172.16.4.13
  Sets the ACL to allow packets from 172.16.4.13 to pass.
access-list 1 deny any
  Sets the ACL to block communication from all other IP addresses.
int e1
  Enters the E1 interface.
ip access-group 1 in
  Applies ACL 1 inbound on the interface.
After this configuration only packets arriving on the E1 interface from the IP address 172.16.4.13 are forwarded; packets from other IP addresses cannot pass through E1.
Small tip: since Cisco adds an implicit DENY ANY statement to every ACL, the command access-list 1 deny any above can be omitted. Also, because the router connects only a few networks, you can instead enter the E0 interface and declare ip access-group 1 out; the result is the same as the last two commands above.

Standard access control list, example 2
Configuration task: prevent the computer 172.16.4.13 from accessing the segment 172.16.3.0/24, while the other computers in 172.16.4.0/24 may access it.
Router configuration commands:
access-list 1 deny host 172.16.4.13
  Sets the ACL to prohibit packets from 172.16.4.13.
access-list 1 permit any
  Sets the ACL to allow computers with other addresses to communicate.
int e1
  Enters the E1 interface.
ip access-group 1 in
  Applies ACL 1 inbound; by the same logic you can enter the E0 interface and use ip access-group 1 out to complete the declaration.
After configuration, every IP address except 172.16.4.13 can communicate normally through the router and transmit packets.
Summary: the standard ACL consumes very few router resources and is the most basic and simplest form of access control list. It is widely applied, usually where only a low level of control is required. For more complex control of packet transmission the extended access control list is needed, which can meet requirements down to the port level.

Extended access control lists
The standard access control list discussed above filters on IP address only and is the simplest ACL. What if we want to filter down to the port, or filter on the destination address of a packet? Then the extended access control list is needed. With extended IP access lists a user can be allowed onto a physical LAN while being denied a particular service (for example WWW or FTP). Extended access control lists use ACL numbers 100 to 199.
Extended access control list format
The extended access control list is an advanced ACL. The specific format of the configuration command is:
access-list ACL-number [permit | deny] [protocol] [source host range] [source port] [destination host range] [destination port]
For example, access-list 101 deny tcp any host 192.168.1.1 eq www drops every TCP packet from any address that is a connection to the Web service (WWW) on host 192.168.1.1.
Tip: in extended access control lists you can also filter on a network segment, and, as with standard access control lists, the subnet mask is given as an inverse (wildcard) mask.

Extended access control list example
We use the network structure shown in the figure. The router connects two segments, 172.16.4.0/24 and 172.16.3.0/24. In 172.16.4.0/24 one server provides the WWW service, with IP address 172.16.4.13.
Configuration task: prevent computers in 172.16.3.0 from accessing computers in 172.16.4.0, including the server, except that the WWW service on 172.16.4.13 may be accessed while its other services may not.
Router configuration commands:
access-list 101 permit tcp any 172.16.4.13 0.0.0.0 eq www
  Sets ACL 101 to allow any source IP address to reach port 80, the WWW service, on host 172.16.4.13. Because Cisco adds DENY ANY by default, this ACL needs only one statement.
int e1
  Enters the E1 interface.
ip access-group 101 out
  Applies ACL 101 outbound on the interface.
After ACL 101 is set, computers in 172.16.3.0 cannot access computers in 172.16.4.0; even when the FTP service on 172.16.4.13 is running it cannot be reached, and only the WWW service on 172.16.4.13 is accessible. Computers in 172.16.4.0 can still access computers in 172.16.3.0 without any problem.
The greatest benefit of extended ACLs is that they protect servers. Many servers are exposed to the public Internet in order to provide their services, and to guarantee service delivery all of their ports are open to the outside world, which makes them easy targets for hackers and viruses. With an extended ACL every port other than the service port can be blocked, reducing the chance of attack. In this example only port 80 is open to the outside.
Summary: extended ACLs are very powerful. They can control source IP, destination IP, source port, destination port and so on, giving very granular control: an extended ACL reads not only the source and destination addresses in the IP header but also the source and destination ports in the layer 4 header. Their weakness is that extended ACLs are not hardware accelerated and can consume a large amount of router CPU. On mid-range routers the number of extended ACL entries should therefore be kept to a minimum; the most effective approach is to use standard ACLs where possible, or to cut down the number of extended ACL entries.

Named access control lists
Both standard and extended access control lists share one drawback: when a problem is found in a rule and we want to modify or delete it, the only option is to delete the whole ACL. That is, changing or deleting one rule affects the entire ACL list, which hinders our work and adds a heavy maintenance burden. Name-based access control lists solve this problem.
First, the format of a name-based access control list:
ip access-list [standard | extended] [ACL name]
For example, ip access-list standard softer establishes a standard access control list named softer.
Second, using a name-based access control list: once the named list has been created, we enter it and configure the ACL rules inside it. For example, we add three ACL rules:
permit 1.1.1.1 0.0.0.0
permit 2.2.2.2 0.0.0.0
permit 3.3.3.3 0.0.0.0
If we then discover that the second command should have been 2.2.2.1 rather than 2.2.2.2, with an access control list that is not name-based, entering no permit 2.2.2.2 0.0.0.0 deletes the whole ACL. With a name-based access control list, after no permit 2.2.2.2 0.0.0.0 the first and third statements remain.
Summary: if you configure many ACL rules, manage them with name-based access control lists; that greatly reduces later maintenance work and lets us adjust ACL rules at any time.

Reverse access control lists
Besides reasonable management of network access, access control lists have another important use: protection against viruses. Usually we filter the ports commonly used by viruses, discarding packets that use those ports, which effectively protects against virus attacks. But even carefully designed ACL rules may be defeated by an unknown virus, since the ports an unknown virus will use cannot be predicted, and as the number of viruses guarded against grows, the access control list rules multiply and to some extent slow network access. The reverse access control list solves these problems.
Purpose and format of the reverse access control list
First, the purpose: the reverse ACL is an advanced application of access control lists.
It provides effective protection against viruses. By configuring a reverse ACL you can guarantee that, between two segments A and B, computers in A can PING computers in B while B cannot PING A. In plain words, data transmission can be divided into two stages: first the source host sends a connection request and data to the destination host; then the destination host, once both sides have established the connection, sends data back to the source host. The reverse ACL controls the connection request in the first stage.
Second, the format of the reverse access control list is very simple: just add established to the end of a configured extended access list. We explain it through an example.
We use the network structure shown in the figure. The router connects two segments, 172.16.4.0/24 and 172.16.3.0/24. The computers in 172.16.4.0/24 are servers; we use a reverse ACL to protect these servers from virus attacks coming from the 172.16.3.0 segment.
Configuration task: prevent viruses in the 172.16.3.0/24 segment from spreading to the 172.16.4.0/24 server segment.
Router configuration commands:
access-list 101 permit tcp 172.16.3.0 0.0.0.255 172.16.4.0 0.0.0.255 established
  Defines ACL 101: computers in the 172.16.3.0 segment may access computers in the 172.16.4.0 segment only when the TCP connection is already established; when no TCP connection has been established, 172.16.3.0 is not allowed to access 172.16.4.0.
int e1
  Enters the E1 interface.
ip access-group 101 out
  Applies ACL 101 outbound on the interface.
Once ACL 101 is set, viruses cannot easily spread from 172.16.3.0 to the 172.16.4.0 server area. Viruses spread through actively opened TCP connections, and because the router's reverse ACL forbids active TCP connections from the 172.16.3.0 segment, the virus cannot spread.
Small tip: a simple way to verify that the reverse ACL is configured correctly is to PING a computer in 172.16.3.0 from a server in 172.16.4.0; if that succeeds, then PING the 172.16.4.0 server from the 172.16.3.0 computer. If that PING does not succeed, the ACL is generally configured correctly.
The reverse ACL configured above has one problem: computers in 172.16.3.0 cannot access any service on the servers; for example, the WWW service provided by 172.16.4.13 in the figure cannot be accessed normally. The solution is to add an extended ACL rule in front of the ESTABLISHED statement, for example:
access-list 101 permit tcp 172.16.3.0 0.0.0.255 172.16.4.13 0.0.0.0 eq www
By the principle of "closest to the controlled object", ACL rules are tested top-down, and as soon as a packet matches a rule it is acted on immediately and the ACL statements below it are not checked. Computers in 172.16.3.0 can then access the server's WWW service normally, while the ESTABLISHED anti-virus statement that follows still takes effect.
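The matching rules walked through on this page (inverse masks, top-down first match, the implicit deny, and the established keyword) can be checked with the small Python evaluator below, an added example that is not from the original article or from Cisco. It parses access-list lines in the page's own syntax; established is modelled as "the packet is not a bare SYN" (an assumption of the model: on a router the test is that the ACK or RST bit is set), and ACL101 holds the reverse ACL with its WWW exception placed first.

```python
import ipaddress
from collections import namedtuple

PORTS = {"www": 80, "ftp": 21}            # keywords the page uses after "eq"
ANY = ("0.0.0.0", "255.255.255.255")
# syn_only=True models the first packet of a TCP handshake (no ACK/RST bit set)
Packet = namedtuple("Packet", "proto src dst dport syn_only", defaults=(0, False))

def wildcard_match(addr, base, wildcard):
    """Cisco inverse mask: a 1 bit in the wildcard means 'do not care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_addr(tok):
    """Consume one spec: any | host A | A WILDCARD | bare A (standard ACL = host)."""
    t = tok.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return tok.pop(0), "0.0.0.0"
    return (t, tok.pop(0)) if tok and tok[0][0].isdigit() else (t, "0.0.0.0")

def parse_rule(line):
    tok = line.split()                    # access-list N permit|deny ...
    rule = {"action": tok[2], "proto": "ip", "dport": None, "established": False}
    rest = tok[3:]
    if int(tok[1]) <= 99:                 # numbers 1-99: standard ACL, source only
        rule["src"], rule["dst"] = parse_addr(rest), ANY
        return rule
    rule["proto"] = rest.pop(0)
    rule["src"], rule["dst"] = parse_addr(rest), parse_addr(rest)
    while rest:                           # eq PORT | established | log | time-range NAME
        t = rest.pop(0)
        if t == "eq":
            p = rest.pop(0)
            rule["dport"] = PORTS.get(p) or int(p)
        elif t == "established":
            rule["established"] = True
    return rule

def matches(rule, pkt):
    return (rule["proto"] in ("ip", pkt.proto)
            and wildcard_match(pkt.src, *rule["src"])
            and wildcard_match(pkt.dst, *rule["dst"])
            and (rule["dport"] is None or pkt.dport == rule["dport"])
            and not (rule["established"] and pkt.syn_only))

def evaluate(acl, pkt):                   # top-down, first match wins
    for rule in map(parse_rule, acl):
        if matches(rule, pkt):
            return rule["action"]
    return "deny"                         # the implicit "deny any any" at the end

# The page's reverse ACL (applied out on E1) with the WWW exception placed first.
ACL101 = ["access-list 101 permit tcp 172.16.3.0 0.0.0.255 172.16.4.13 0.0.0.0 eq www",
          "access-list 101 permit tcp 172.16.3.0 0.0.0.255 172.16.4.0 0.0.0.255 established"]
```

Swapping the two ACL101 lines makes no difference here because the rules do not overlap in effect, but moving the established line first and making it a deny would show why rule order matters.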
My organization has been using this reverse ACL approach for anti-virus protection, running for over a year now; the effect is pretty good, and it is also very stable.

Time-based access control lists
Above we introduced the standard ACL and the extended ACL; mastering these two access control lists lets us cope with most network packet filtering. But real work always brings one demanding requirement or another, so we also need to learn some advanced ACL techniques. The time-based access control list is one of these advanced skills.
Configuration: a time-based ACL is set up with the following commands: 1. define the time period and time range; 2. configure the ACL itself, adding the detailed rules; 3. declare the ACL, applying it to the corresponding interface.
Network environment: we use the network structure shown in the figure. The router connects two segments, 172.16.4.0/24 and 172.16.3.0/24. In the 172.16.4.0/24 segment one server provides the FTP service, with IP address 172.16.4.13.
Configuration task: users in the 172.16.3.0 segment may access the FTP resources on 172.16.4.13 only at weekends; during working time they cannot download from FTP.
Router configuration commands:
time-range softer
  Defines a time period named softer.
periodic weekend 00:00 to 23:59
  Defines the time span as every weekend from 00:00 to 23:59. You can also use periodic with daily or weekdays, or with a day-of-week name to define a specific weekday.
access-list 101 deny tcp any 172.16.4.13 0.0.0.0 eq ftp time-range softer
  Sets the ACL to prohibit access to the FTP service on 172.16.4.13 during the softer time period.
access-list 101 permit ip any any
  Sets the ACL to allow access at other times and under other conditions.
int e1
  Enters the E1 interface.
ip access-group 101 out
  Declares ACL 101 outbound on the interface.
Time-based ACLs manage access by time period; with the settings above, users in 172.16.3.0 can access the FTP resources provided by the server only at weekends and cannot access them at other times.

Recording access control list traffic
A network administrator who wants to manage the company network well must, as the saying goes, know the battlefield before the battle; effectively recording ACL traffic information lets us see network traffic and the spread of viruses at once. Below we briefly describe how to save the traffic information of an access control list: add the LOG keyword to the end of an extended ACL rule.
Implementation:
logging 192.168.1.1
  Specifies a log server for the router, at the address 192.168.1.1.
access-list 101 permit tcp any 172.16.4.13 0.0.0.0 eq www log
  Adds LOG to the end of the extended ACL rule you want to monitor; information about packets matching the rule is saved to the specified log server 192.168.1.1.
Tip: if log-input is added to the end of the extended ACL rule instead, not only the traffic information but also the interface the packet came in on is saved.
Using LOG to record the traffic matching access control list rules lets you find out where in the corporate network traffic is heavy and where a virus is present. A single command does the work of many professional tools.
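As an added example (not from the original article), the Python below shows how the LOG output described above could be processed on the log server to answer the author's question of where traffic is heavy and where a virus is present: it parses IOS %SEC-6-IPACCESSLOGP lines, including the interface field that log-input adds, and flags a source whose denied packets touch several distinct destination hosts or ports. The sample lines are constructed, not captured logs, and the threshold min_targets is an assumed tuning value.

```python
import re
from collections import defaultdict

# IOS ACL log line shape (IPACCESSLOGP is the TCP/UDP variant); the optional
# "(Ethernet0 0000.0c12.3456)" group appears when the rule ends in log-input.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)(?: \((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\))? -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")

def parse_acl_log(line):
    """Return the fields of one IOS ACL log line, or None if it is something else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "count"):
        rec[k] = int(rec[k])
    return rec

def summarize_denied(lines, min_targets=3):
    """Per source: total denied packets and distinct dst:port pairs it tried.
    A source touching >= min_targets distinct pairs is flagged as spreading."""
    pkts, targets = defaultdict(int), defaultdict(set)
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["action"] == "denied":
            pkts[rec["src"]] += rec["count"]
            targets[rec["src"]].add((rec["dst"], rec["dport"]))
    return {src: {"denied_packets": pkts[src], "targets": len(targets[src]),
                  "flag": len(targets[src]) >= min_targets} for src in pkts}

# Constructed sample lines (not real captured logs) in the format the router
# would send to the logging host 192.168.1.1 from the page's ACL 101.
SAMPLE = """
Dec 18 10:01:02 router 13: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 172.16.3.5(1033) -> 172.16.4.13(80), 1 packet
Dec 18 10:01:07 router 14: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.16.3.7(1038) -> 172.16.4.13(21), 1 packet
Dec 18 10:01:09 router 15: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.16.3.7(1039) (Ethernet0 0000.0c12.3456) -> 172.16.4.14(445), 4 packets
Dec 18 10:01:11 router 16: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.16.3.7(1040) -> 172.16.4.15(445), 4 packets
Dec 18 10:01:30 router 17: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.16.3.9(2001) -> 172.16.4.13(21), 1 packet
Dec 18 10:02:00 router 18: %SYS-5-CONFIG_I: Configured from console by console
""".strip().splitlines()

if __name__ == "__main__":
    for src, info in summarize_denied(SAMPLE).items():
        print(src, info)
```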