ACL (Access Control List) Principle and Application

1. ACL Introduction

Communication between information points, and between the internal and external networks, is an essential business requirement in enterprise networks. However, to keep the intranet secure, security policies are needed so that unauthorized users can reach only specific network resources; this is the purpose of access control.

In short, ACL (Access Control List) is a network technology that can filter traffic in the network and control access.


In fact, the essence of an ACL is a set of rules, each describing several characteristics of an IP packet or Ethernet frame.

The traffic in the network (a large number of packets) is then matched against these rule sets and "permitted" or "denied" according to the policy.

Functions:

  • ACLs can limit network traffic and so improve network performance.
  • ACLs provide a means of controlling communication traffic.
  • ACLs are a basic means of providing secure network access.
  • ACLs determine which types of traffic are forwarded or blocked at router ports.

2. Classification of ACL (based on IP)

1. Standard ACL

A standard ACL matches only the source IP address. Three forms of matching are available:

  • any: matches any address
  • network: specifies an IP segment (network address with its net-mask)
  • src_range: specifies a range of IP addresses

Configuration commands:

  ip access-list standard <name>                  //standard ACL; <name> is the list name
  {permit | deny} any
  {permit | deny} <network> <net-mask>
  {permit | deny} src_range <start-ip> <end-ip>

2. Extended ACL

An extended ACL can match several fields. Common ones are the source and destination IP addresses, the source and destination port numbers, and the IP protocol number (type); this covers the needs of most applications.

Within one condition these fields appear in the following order: protocol number, source IP address, source port number, destination IP address, destination port number.

Configuration commands:

  ip access-list extended <name>
  {permit | deny} {ip | icmp | tcp | udp} {any | network | src_range} [src_port] {any | network | src_range} [dst_port]

3. ACL matching rules

Which entry of an ACL takes effect on a port is determined by the order in which the conditional statements in the list are evaluated.

If the header of a packet matches a conditional statement in the list, the remaining statements are ignored and not checked. Only when the packet does not match the first condition is it compared against the next conditional statement in the ACL.

Once a match is found (say, one that permits the traffic), the packet is forwarded to the destination interface immediately, whether the matching statement is the first or the last one.

If every statement in the ACL has been checked and none matched, the packet is treated as rejected and discarded (the implicit deny: deny any).

Note that an ACL does not filter packets generated by the router itself.

4. Calling ACL

Different modules play different roles when they call an ACL, which is the fundamental reason ACLs are so widely used. Common modules that call ACLs are:

  • Packet filtering: ip access-group
  • Network Address Translation: NAT
  • Policy-based Routing: PBR
  • IP Quality of Service: QoS
  • Dynamic routing filtering: RIP/OSPF, etc.

The most commonly used is access-group. Calling it requires two decisions:

  • Which interface to configure: the general principle is to use the port closest to the host being controlled.
  • Which direction: there are two, in and out, and an interface can carry an ACL in each of these two directions at the same time.

Calling an ACL on an interface. Configuration commands:

  interface fastethernet <port>
  ip access-group <name> {in | out}

5. Experiment

Experiment 1:

Use an extended ACL so that the PC cannot ping the router, but the router can still ping the PC.

  ip access-list extended test
  deny icmp 192.168.1.254 255.255.255.0 any 8   //ICMP type 8 (echo request) from the 192.168.1.0/24 segment where the PC sits
  permit ip any any                              //without this the implicit deny would also drop the echo replies to the router's own pings
  interface fastethernet 0/0                     //F0/0 is the interface facing the PC
  ip access-group test in

Experiment 2:

In a certain network, all users are prohibited from pinging, telnetting to, or accessing over HTTP a server (a DNS server with IP 192.168.1.253), but the server must still provide its normal service.

  ip access-list extended test
  deny icmp any 192.168.1.253 255.255.255.255
  deny tcp any 192.168.1.253 255.255.255.255 eq 23
  deny tcp any 192.168.1.253 255.255.255.255 eq 80
  permit ip any any

Experiment 3:

In a certain network, everything except normal web access and sending and receiving email is prohibited.

  ip access-list extended test
  permit tcp any any eq 80
  permit tcp any any eq 25
  permit tcp any any eq 110
  deny ip any any                                //implicit entry
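To make the first-match rule, the implicit deny and the ordering of the experiment ACLs concrete, here is an added Python example (written for this page; it is not code from the original article or from any switch vendor) that parses entries in the page's `action protocol source [src_port] destination [dst_port]` syntax and evaluates packets against the ACLs of Experiments 2 and 3. The Packet and Entry classes, the function names and the sample addresses are assumptions made for the example; subnet masks are interpreted the way the page writes them, and only transit packets are modelled (the router-generated packets that an ACL does not filter are outside the model).

```python
"""First-match ACL evaluator for the entry syntax used on this page (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str                   # "icmp", "tcp" or "udp"
    src: str                     # source IPv4 address
    dst: str                     # destination IPv4 address
    sport: Optional[int] = None  # TCP/UDP source port
    dport: Optional[int] = None  # TCP/UDP destination port, or ICMP type

@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "icmp", "tcp" or "udp"
    src: str                     # "any" or "<network> <net-mask>"
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume 'any' or '<network> <net-mask>'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]

def _take_port(tokens: List[str]) -> Tuple[Optional[int], List[str]]:
    """Consume an optional 'eq <port>' or a bare ICMP type number."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    if tokens and tokens[0].isdigit():
        return int(tokens[0]), tokens[1:]
    return None, tokens

def parse_entry(line: str) -> Entry:
    """Parse 'action proto src [src_port] dst [dst_port]'; a trailing // comment is dropped."""
    tokens = line.split("//")[0].split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = _take_addr(rest)
    sport, rest = _take_port(rest)
    dst, rest = _take_addr(rest)
    dport, _ = _take_port(rest)
    return Entry(action, proto, src, dst, sport, dport)

def parse_acl(text: str) -> List[Entry]:
    return [parse_entry(ln) for ln in text.strip().splitlines() if ln.strip()]

def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    network, mask = spec.split()
    # The page writes a subnet mask (not a wildcard); strict=False lets a host
    # address such as 192.168.1.254 255.255.255.0 stand for 192.168.1.0/24.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{network}/{mask}", strict=False)

def _entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if e.sport is not None and e.sport != p.sport:
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    return _addr_matches(e.src, p.src) and _addr_matches(e.dst, p.dst)

def evaluate(acl: List[Entry], packet: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based index of the first matching entry); later entries are
    never consulted. With no match the implicit 'deny any' applies (index None)."""
    for i, entry in enumerate(acl, start=1):
        if _entry_matches(entry, packet):
            return entry.action, i
    return "deny", None

# The ACLs of Experiments 2 and 3 above, copied from the page.
EXPERIMENT_2 = """
deny icmp any 192.168.1.253 255.255.255.255
deny tcp any 192.168.1.253 255.255.255.255 eq 23
deny tcp any 192.168.1.253 255.255.255.255 eq 80
permit ip any any
"""
EXPERIMENT_3 = """
permit tcp any any eq 80
permit tcp any any eq 25
permit tcp any any eq 110
"""

if __name__ == "__main__":
    # Constructed sample packets (not from the page): a ping to the DNS server
    # and an HTTPS connection from a host to an outside address.
    ping = Packet("icmp", "192.168.1.10", "192.168.1.253", dport=8)
    https = Packet("tcp", "10.0.0.5", "203.0.113.7", 40003, 443)
    for p in (ping, https):
        print(p.proto, p.dst, evaluate(parse_acl(EXPERIMENT_2), p), evaluate(parse_acl(EXPERIMENT_3), p))
```

Running the two experiment lists against the same packets shows why ordering matters: a DNS query to 192.168.1.253 falls through the three deny lines of Experiment 2 and is accepted by the final `permit ip any any`, while the same query under Experiment 3 reaches the end of the list and is dropped by the implicit deny. Reversing the entries of Experiment 2 puts the catch-all permit first and silently disables every deny line, which is the classic ACL ordering mistake worth checking for during review.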
