25. Security Basics - ACL Principles
Course Objectives
Figure: Subnet1 (192.168.1.0/24) and Subnet2 (192.168.2.0/24) connected through the gateway GW.
ACL Overview
• ACL, short for access control list, is an ordered collection of permit and deny conditions that apply to IP packets.
• An ACL only matches and classifies packets; it does not filter them by itself. A separate mechanism must invoke the ACL to filter the packets that match its rules. For example, the traffic-filter command on a switch interface invokes an ACL to filter traffic. The ACL itself is just a matching tool.
• An ACL can match not only packets but also routes.
• ACLs are widely used and can be invoked by various applications and commands.
ACL Applications
• An ACL can match traffic against fields in an IP packet, such as the source and destination IP addresses, source and destination port numbers, and protocol type. An ACL can also be used to match routes.
• ACLs are identified either by number or by name.
• Basic ACL: a basic ACL matches traffic only against the source IP address in the IP header.
• Advanced ACL: an advanced ACL matches traffic against fields such as the source and destination IP addresses, source and destination port numbers, and protocol type.
Figure: fields compared by each ACL type. Basic ACL: source IP. Advanced ACL: source IP, destination IP, source port number, destination port number, protocol type.
Figure: structure of an ACL (acl xxx). Each rule has a rule number, an action (permit/deny) and matching criteria, and packets from the hosts 192.168.1.1/24 through 192.168.1.5/24 are checked against the rules in order:
acl 2000
rule 1 permit source 192.168.1.1 0.0.0.0
rule 2 permit source 192.168.1.2 0.0.0.0
rule 3 permit source 192.168.1.3 0.0.0.0
rule 4 deny source 0.0.0.0 255.255.255.255
......
Hosts 192.168.1.1, 192.168.1.2 and 192.168.1.3 match rules 1 to 3 and are permitted; 192.168.1.4 and 192.168.1.5 match none of them, fall through to rule 4 and are denied.
Wildcard mask: each bit of the wildcard mask decides whether the corresponding bit of the address must be matched.
• 0: Matching is required.
• 1: Matching is not required.
For example, the address 192.168.1.0 with the wildcard mask 0.0.0.255 requires the first three octets to match and ignores the last octet, so it matches the whole subnet 192.168.1.0/24:
192.168.1.0  11000000 10101000 00000001 00000000
0.0.0.255    00000000 00000000 00000000 11111111
In this example, the odd-numbered host addresses in the subnet 192.168.1.0/24 need to be matched, such as 192.168.1.1, 192.168.1.3 and 192.168.1.5. Written in binary, the last octet of each of these addresses ends in 1:
192.168.1.1  192.168.1 00000001
192.168.1.3  192.168.1 00000011
192.168.1.5  192.168.1 00000101
......
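As an added example (not part of the course material), the following Python script implements the wildcard-mask rule described above: it renders the bit table for 192.168.1.0 / 0.0.0.255, tests addresses against an address/wildcard pair, and derives the wildcard mask needed to cover a set of addresses. It goes beyond the slide's three sample hosts and derives the mask for all odd-numbered hosts in 192.168.1.0/24; the function names and the /24 default network are my own choices.

```python
# Added example: wildcard-mask matching as used by ACL rules (not course code).
import ipaddress
from functools import reduce


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_match(candidate: str, base: str, wildcard: str) -> bool:
    # A 0 bit in the wildcard means the address bit must match the base;
    # a 1 bit means the bit is ignored (the opposite sense of a subnet mask).
    care_bits = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(candidate) & care_bits) == (to_int(base) & care_bits)


def bit_row(addr: str) -> str:
    # Render an address as four 8-bit groups, like the bit table on the slide.
    value = to_int(addr)
    return " ".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def derive_wildcard(addrs) -> str:
    # Every bit position where any two addresses differ must be "don't care" (1);
    # positions identical across all addresses stay 0 so they are still checked.
    ints = [to_int(a) for a in addrs]
    differing = reduce(lambda acc, value: acc | (value ^ ints[0]), ints, 0)
    return to_dotted(differing)


def matched_hosts(base: str, wildcard: str, network: str = "192.168.1.0/24"):
    # All host addresses of the network that the (base, wildcard) pair selects.
    net = ipaddress.ip_network(network)
    return [str(host) for host in net.hosts() if wildcard_match(str(host), base, wildcard)]


if __name__ == "__main__":
    print(bit_row("192.168.1.0"), "address")
    print(bit_row("0.0.0.255"), "wildcard: whole /24")
    odd_hosts = [f"192.168.1.{i}" for i in range(1, 256, 2)]  # constructed input
    print("wildcard for all odd hosts:", derive_wildcard(odd_hosts))
    print(matched_hosts("192.168.1.1", "0.0.0.254")[:5])
```

Deriving the mask from only the three addresses on the slide gives 0.0.0.6, which with base 192.168.1.1 also matches 192.168.1.7: a wildcard can only express sets that share fixed bit positions, so it cannot single out an arbitrary list of hosts. Matching exactly the odd-numbered hosts requires 192.168.1.1 with wildcard 0.0.0.254, which fixes only the lowest bit.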
Basic ACL Configuration Example
Figure: PC1 (192.168.1.1/24) and PC2 (192.168.1.2/24), both with gateway 192.168.1.254, connect to GW interface GE0/0/0 (192.168.1.254); GW interface GE0/0/1 (10.1.1.254) connects to the Server (10.1.1.1/24, gateway 10.1.1.254).
Requirements:
• Initially, both PC1 and PC2 can access the server.
• Apply an ACL on the gateway interface so that PC2 cannot access the server while other users on the same network segment can still access it.
• Gateway configuration:
[GW] acl 2000
[GW-acl-basic-2000] rule 5 deny source 192.168.1.2 0
# The preceding command is equivalent to rule 5 deny source 192.168.1.2 0.0.0.0.
[GW-acl-basic-2000] rule 10 permit
[GW-acl-basic-2000] quit
[GW] interface GigabitEthernet0/0/0
[GW-GigabitEthernet0/0/0] traffic-filter inbound acl 2000
The rule permit command means "permit any". When an ACL is invoked by the interface-based traffic-filter command, traffic that matches no ACL rule is permitted by default, so rule permit is optional in this example. However, once this rule is configured, the display acl command output shows the number of packets permitted by it.
Advanced ACL Configuration Example
Figure: PC1 (192.168.1.1/24) and PC2 (192.168.1.2/24), both with gateway 192.168.1.254, connect to GW interface GE0/0/0 (192.168.1.254); GW interface GE0/0/1 (10.1.1.254) connects to Server1 (10.1.1.1) and Server2 (10.1.1.2), both with gateway 10.1.1.254.
Requirements:
• Initially, both PC1 and PC2 can access Server1 and Server2.
• Apply an ACL on the gateway interface to prohibit PC2 from accessing Server2.
• Gateway configuration:
[GW] acl 3000
[GW-acl-adv-3000] rule deny ip source 192.168.1.2 0 destination 10.1.1.2 0
[GW-acl-adv-3000] rule permit ip
[GW-acl-adv-3000] quit
[GW] interface GigabitEthernet0/0/0
[GW-GigabitEthernet0/0/0] traffic-filter inbound acl 3000
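The following Python model, added here and not part of the course material or of Huawei VRP, puts both configuration examples above (basic ACL 2000 and advanced ACL 3000) through a minimal first-match evaluator: it parses the rule lines as written on the slides, checks packets against them in rule-ID order, applies the traffic-filter default of permitting unmatched traffic, and keeps per-rule match counters like those shown by display acl. The automatic numbering of rules entered without a rule ID (5, 10, ... in steps of 5), the sample packets and the helper names are assumptions.

```python
# Added example: first-match ACL evaluation with traffic-filter semantics (not VRP code).
import ipaddress
from dataclasses import dataclass
from typing import Optional


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(candidate: str, base: str, wildcard: str) -> bool:
    # 0 bits in the wildcard must match, 1 bits are ignored. VRP accepts the
    # shorthand "0" for 0.0.0.0 (an exact host match), as on the slides.
    if wildcard == "0":
        wildcard = "0.0.0.0"
    care_bits = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(candidate) & care_bits) == (to_int(base) & care_bits)


@dataclass
class Rule:
    rule_id: int
    action: str                          # "permit" or "deny"
    protocol: Optional[str] = None       # None or "ip": any protocol (advanced ACL)
    source: Optional[tuple] = None       # (address, wildcard); None: any source
    destination: Optional[tuple] = None  # (address, wildcard); None: any destination
    matched: int = 0                     # packet counter, like the display acl output

    def matches(self, pkt: dict) -> bool:
        if self.protocol not in (None, "ip") and pkt.get("protocol") != self.protocol:
            return False
        if self.source and not wildcard_match(pkt["src"], *self.source):
            return False
        if self.destination and not wildcard_match(pkt["dst"], *self.destination):
            return False
        return True


def parse_rule(text: str, auto_id: int) -> Rule:
    # Parses the VRP-style rule lines shown on the slides. When "rule" is not
    # followed by a number the device assigns one; here the caller supplies it.
    tokens = text.split()
    if tokens[0] != "rule":
        raise ValueError(f"not a rule line: {text!r}")
    idx = 1
    if tokens[idx].isdigit():
        rule_id, idx = int(tokens[idx]), idx + 1
    else:
        rule_id = auto_id
    rule = Rule(rule_id=rule_id, action=tokens[idx])
    idx += 1
    if idx < len(tokens) and tokens[idx] not in ("source", "destination"):
        rule.protocol, idx = tokens[idx], idx + 1
    while idx + 2 < len(tokens):
        keyword, addr, wildcard = tokens[idx:idx + 3]
        if keyword == "source":
            rule.source = (addr, wildcard)
        elif keyword == "destination":
            rule.destination = (addr, wildcard)
        idx += 3
    return rule


class ACL:
    def __init__(self, number: int, rule_lines, step: int = 5):
        # Assumption: an automatic rule ID is the next multiple of the step (5).
        self.number = number
        self.rules = []
        for line in rule_lines:
            highest = max((r.rule_id for r in self.rules), default=0)
            self.rules.append(parse_rule(line, (highest // step + 1) * step))
        self.rules.sort(key=lambda r: r.rule_id)

    def filter(self, pkt: dict) -> str:
        # Rules are checked in ascending rule-ID order; the first match decides.
        for rule in self.rules:
            if rule.matches(pkt):
                rule.matched += 1
                return rule.action
        # Packets matching no rule are permitted when the ACL is applied with
        # traffic-filter, which is why the trailing "rule permit" is optional.
        return "permit"

    def counters(self) -> dict:
        return {rule.rule_id: rule.matched for rule in self.rules}


# Constructed sample packets following the slide topologies.
PC1_TO_SERVER1 = {"src": "192.168.1.1", "dst": "10.1.1.1", "protocol": "tcp"}
PC2_TO_SERVER1 = {"src": "192.168.1.2", "dst": "10.1.1.1", "protocol": "tcp"}
PC2_TO_SERVER2 = {"src": "192.168.1.2", "dst": "10.1.1.2", "protocol": "tcp"}


def basic_acl_2000() -> ACL:
    return ACL(2000, ["rule 5 deny source 192.168.1.2 0", "rule 10 permit"])


def advanced_acl_3000() -> ACL:
    return ACL(3000, ["rule deny ip source 192.168.1.2 0 destination 10.1.1.2 0",
                      "rule permit ip"])


if __name__ == "__main__":
    acl = basic_acl_2000()
    for pkt in (PC1_TO_SERVER1, PC2_TO_SERVER1):
        print(pkt["src"], "->", pkt["dst"], acl.filter(pkt))
    print("acl 2000 match counters:", acl.counters())
```

Two checks worth running against the model: an ACL that contains only the deny rule still permits PC1, because unmatched traffic is permitted by traffic-filter, but its counters then show nothing for the permitted packets; and placing a broad rule permit ahead of the deny makes the deny unreachable, since the first matching rule decides. The second case is the typical misconfiguration to look for when an ACL "does nothing".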
ACL Configuration: Meanings of Operators