Professional Documents
Culture Documents
HC110110027 Access Control Lists
HC110110027 Access Control Lists
age 2 Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.
Objectives
Upon completion of this section, you will be able to:
Describe the applications for ACL in the enterprise network.
Explain the decision making behavior of Access Control Lists.
Successfully implement Basic and Advanced Access Control Lists.
age 3 Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.
Filtering Restricted Traffic
.1 192.168.1.0/24 .2
G0/0/0
G0/0/1 Server A
.1 192.168.2.0/24 .2
age 4 Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.
Filtering Interesting Traffic
.1 192.168.1.0/24 .2
Data Data
No Match
G0/0/0
Match
.1 192.168.2.0/24 .2 Data Encrypted Data
age 5 Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.
ACL Types
age 6 Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.
ACL Rule Management
acl 2000
rule 5 deny source 192.168.1.0 0.0.0.255
If no match
172.16.1.0/24
Rules are used to manage the decision process for each ACL.
age 7 Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.
Basic ACL
Host A
200.10.10.1/24
RTA
192.168.1.1/24
G0/0/0
Host B
192.168.2.1/24
[RTA]acl 2000
[RTA-acl-basic-2000]rule deny source 192.168.1.0 0.0.0.255
[RTA-acl-basic-2000]rule permit source 192.168.2.0 0.0.0.255
[RTA]interface GigabitEthernet 0/0/0
[RTA-GigabitEthernet0/0/0]traffic-filter outbound acl 2000
age 8 Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.
Configuration Validation
age 9 Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.
Advanced ACL
Host A
FTP Server
172.16.10.1/24
RTA
192.168.1.1/24
G0/0/1
Host B Private Server
172.16.10.2/24
192.168.2.1/24
[RTA]acl 3000
[RTA-acl-adv-3000]rule deny tcp source 192.168.1.0 0.0.0.255
destination 172.16.10.1 0.0.0.0 destination-port eq 21
[RTA-acl-adv-3000] rule deny ip source 192.168.2.0 0.0.0.255
destination 172.16.10.2 0.0.0.0
[RTA-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
age 10 Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.
Configuration Validation
Advanced ACL rules defined in the range of 3000-3999 add complexity due
to the number of parameters used for filtering.
age 11 Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.
ACL Application - NAT
Host A
age 12 Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.
Summary
The advanced access control list is capable of filtering traffic based on which
attributes?
Once an ACL rule is matched to a condition, what action is taken?
age 13 Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.
Thank You
www.huawei.com