Operating principles of Access Control Lists (ACLs) and ACL classification
Part 2: How ACL wildcard masking works (continued)
Part 3: Configuring the basic ACL types (continued)
What is an ACL?
An ACL is an ordered list of statements that controls the traffic entering (inbound) or leaving (outbound) a device. Each statement either permits (permit) or denies (deny) the packets that match it.
How ACLs work and their characteristics
- ACLs filter packets based on packet-header fields such as source IP address, destination IP address, source port, destination port, protocol, and TCP flags (the `established` keyword matches packets with ACK or RST set, i.e. replies to already-open connections).
- The statements in an ACL are evaluated in order from top to bottom. As soon as a packet matches a statement, that statement's action is applied and evaluation stops; the statements below it are never checked.
For example, consider the following ACL:
Note: Statement 5 (deny all) matches every packet. It is not configured by the administrator; it is the implicit deny that IOS appends to the end of every ACL. It does not appear in the running configuration or in the output of `show access-lists`. If you want it to be visible, and to count the packets it drops, add an explicit `deny any` (optionally with `log`) as the last statement.
+ Because evaluation is top-down, a packet that matches none of the configured statements falls through to the implicit deny at the end of the list and is discarded.
+ Therefore an ACL must contain at least one permit statement; an ACL made only of deny statements blocks all traffic.
+ ACLs have many uses. To take effect, an ACL must be applied to something that supports it (an interface, a line such as the VTY lines, a routing protocol, or a service), and the direction (inbound or outbound) must be specified.
- An interface can have at most one ACL per protocol per direction (for example, one inbound and one outbound IPv4 ACL), but the same ACL may be applied to several interfaces, lines, or services.
Basic ACL classification:
1. Standard ACL:
A standard ACL consists of simple statements. Numbered standard ACLs use the range 1-99 (and the expanded range 1300-1999).
A standard ACL matches only the source address in the IP header, so it operates at Layer 3 of the OSI model (the Internet layer of TCP/IP).
Example: In the diagram, we want to deny all PCs in the LAN access to the SERVER. We use a standard ACL and place it on the router closest to the destination, because a standard ACL cannot distinguish destinations: placed near the source, it would also block the LAN's traffic to every other network. In the diagram we therefore place the ACL on Router 0, where it does not affect packets bound for other networks.
2. Extended ACL:
An extended ACL has more detailed statements and can filter on the protocol, source and destination IP addresses, port numbers (applications), and other options. Extended ACLs therefore operate at Layers 3 and 4 of the OSI model.
Numbered extended ACLs use the range 100-199 (and the expanded range 2000-2699).
Because an extended ACL can match both source and destination addresses, it should be placed close to the source, so that traffic which will be denied is dropped before it "wanders" across the network and consumes bandwidth.
In the figure above, if we want to deny computers in the LAN access to the TELNET service on the server in the DMZ, we should place the ACL on Router 1.
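The following simulator is an added example, not code from the original article. It models the processing rules described above (top-down first match, processing stops at the first hit, implicit deny when nothing matches) and the syntax difference between a numbered standard ACL (source only) and a numbered extended ACL (protocol, source, destination, port), including Cisco wildcard masking. The parsed subset of IOS syntax is an assumption: `any`, `host A.B.C.D`, `A.B.C.D W.W.W.W`, and a destination `eq PORT` on extended lists only. The sample ACLs and packet addresses are constructed to mirror the two scenarios in this article.

```python
"""Simulate Cisco IOS numbered ACL evaluation: top-down first match, implicit deny,
wildcard masking, and the standard (1-99) vs extended (100-199) syntax difference.
Added example, not the article's own code. The IOS syntax subset parsed here is an
assumption: 'any', 'host A.B.C.D', 'A.B.C.D W.W.W.W', and a destination 'eq PORT'
for extended lists only."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # wildcard of all ones: every bit is don't-care


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"        # "ip", "tcp", "udp", "icmp"
    dport: Optional[int] = None


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask semantics: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_addr(tokens: List[str]) -> Tuple[Tuple[str, str], List[str]]:
    """Consume one address spec from the token list; return (network, wildcard) and the rest."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: Tuple[str, str]
    dst: Tuple[str, str]
    dport: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not wildcard_match(pkt.src, *self.src) or not wildcard_match(pkt.dst, *self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


class AccessList:
    def __init__(self, number: int):
        self.number = number
        self.rules: List[Rule] = []

    def add(self, line: str) -> None:
        """Parse 'access-list N permit|deny ...'. A standard list takes a source only;
        an extended list takes protocol, source, destination and an optional 'eq PORT'."""
        tokens = line.split()
        if tokens[0] != "access-list" or int(tokens[1]) != self.number:
            raise ValueError(f"line does not belong to access-list {self.number}: {line}")
        action, rest = tokens[2], tokens[3:]
        if 1 <= self.number <= 99:
            src, rest = parse_addr(rest)
            self.rules.append(Rule(action, "ip", src, ANY, None))
        elif 100 <= self.number <= 199:
            proto, rest = rest[0], rest[1:]
            src, rest = parse_addr(rest)
            dst, rest = parse_addr(rest)
            dport = int(rest[1]) if rest[:1] == ["eq"] else None
            self.rules.append(Rule(action, proto, src, dst, dport))
        else:
            raise ValueError("only the basic numbered ranges 1-99 and 100-199 are modelled")

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, 1-based statement that matched). Evaluation stops at the first
        match; a packet matching no statement hits the implicit deny, reported as None."""
        for idx, rule in enumerate(self.rules, 1):
            if rule.matches(pkt):
                return rule.action, idx
        return "deny", None


def demo() -> dict:
    # Constructed sample lists mirroring the article's two scenarios (addresses are assumed).
    std = AccessList(10)          # standard: LAN 192.168.1.0/24 may reach nothing, others may
    std.add("access-list 10 deny 192.168.1.0 0.0.0.255")
    std.add("access-list 10 permit any")
    ext = AccessList(100)         # extended: LAN may not telnet to the DMZ server 10.0.0.5
    ext.add("access-list 100 deny tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq 23")
    ext.add("access-list 100 permit ip any any")
    deny_only = AccessList(20)    # no permit at all: the implicit deny drops everything else
    deny_only.add("access-list 20 deny 192.168.1.0 0.0.0.255")
    return {
        "std_lan": std.evaluate(Packet("192.168.1.25", "10.0.0.5")),
        "std_other": std.evaluate(Packet("172.16.0.9", "10.0.0.5")),
        "ext_telnet": ext.evaluate(Packet("192.168.1.25", "10.0.0.5", "tcp", 23)),
        "ext_http": ext.evaluate(Packet("192.168.1.25", "10.0.0.5", "tcp", 80)),
        "deny_only_other": deny_only.evaluate(Packet("172.16.0.9", "10.0.0.5")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `deny_only_other` case is the trap described earlier: the non-LAN packet matches no configured statement, so it is dropped by the implicit deny even though the administrator never wrote a rule against it. The `ext_http` case shows why placement near the source is safe for an extended list: only telnet to the DMZ server is stopped, and the same host's HTTP traffic falls through to the `permit ip any any`.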
Thank you!