04 zxr10 bc-en-acl principle and configuration (acl principle)-1-ppt-201105 24
Page 1
ACL Principle
V1.1
Page 2
Objectives
- Understand the basic function of ACL
- Know when and how to use ACL
Page 3
Contents
- ACL conception and function
- ACL types
- ACL working principle
- ACL rule
Page 4
Why Use Access Lists?
- Manage IP traffic as network access grows
- Filter packets as they pass through the router
[Figure: network diagram showing an FDDI ring, a Token Ring segment, the networks 172.16.0.0 and 172.17.0.0, and the Internet.]
Page 5
Access List Applications
- Permit or deny packets moving through the router
- Permit or deny telnet access to or from the router
- Without access lists, all packets could be transmitted onto all parts of your network
[Figure: two uses of an access list on a router: telnet access (IP) and transmission of packets on an interface.]
Page 6
ACL Configuration Procedure
1. Define trigger condition
2. Define packet matching rules
3. Bind to interface or service
[Figure: packet incoming interface -> ACL process (permit? decided on source IP, destination IP, protocol) -> packet outgoing interface.]
Page 7
Contents
- ACL conception and function
- ACL types
- ACL working principle
- ACL rule
Page 8
ACL Types and Matching Conditions
[Figure: packet layout checked by an ACL: frame header (e.g. HDLC), packet header (IP header: source address, destination address, protocol), segment header (TCP header: port number), data. The ACL checks these fields and the result is deny or permit.]
- Standard ACL: uses the source address as the filtering criterion; can generally restrict a kind of protocol
- Extended ACL: uses five elements to filter packets; can restrict a concrete protocol accurately
Page 9
ACL Types and Matching Conditions
Page 10
IPv6 ACL Command Structure
- Command structure for standard ACL
- Command structure for extended ACL
Page 11
Contents
- ACL conception and function
- ACL types
- ACL working principle
- ACL rule
Pages 12 to 14
Outbound Access Lists
[Figure: flowchart of outbound access list processing, built up over three slides. Packets arrive on the inbound interface (E0). Routing table entry? N: packet discard bucket. Y: choose interface (S0). Access list on the outbound interface? N: packets leave through the outbound interface. Y: test access list statements. Permit? Y: packets leave through the outbound interface. N: discard packet and notify sender.]
If no access list statement matches, then discard the packet.
Page 15
Contents
- ACL conception and function
- ACL types
- ACL working principle
- ACL rule
Pages 16 to 19
A List of Tests: Deny or Permit
[Figure: flowchart built up over four slides. Packets arrive at the interface(s) in the access group. Match first rule? Y: apply its action (deny: packet discard bucket; permit: destination interface(s)). N: match next rule(s)? Y: apply that rule's action. N: match last rule? Y: apply its action. N: implicit deny (if no match, deny all).]
Page 20
ACL Rule Conclusion
Q: How to arrange the sequence of rules when configuring an ACL?
- ACL matching executes from top to bottom; when a statement matches the packet, its action (permit or deny) is executed and evaluation leaves the ACL without testing later statements. There is an implicit "Deny all" rule at the end of each ACL.
- An ACL can be applied to the inbound or outbound direction of a concrete IP interface.
- An ACL can be applied to a specific system service (e.g. the Telnet service on the device).
- An ACL must be created before it is applied.
- Only one ACL per protocol can be set on one direction of an interface at a time.
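As an added example (not part of the ZXR10 course material and not ZXR10 command syntax), the following Python model implements the matching behaviour summarised on this slide and the standard/extended distinction from page 8: rules are tested top to bottom, the first match decides and later rules are skipped, and an implicit deny applies when nothing matches. The Packet and Rule types, the addresses and the rules are constructed here; "five elements" is taken as source, destination, protocol and the TCP/UDP ports.

```python
# Added example, not from the ZXR10 slides: a model of ACL matching as described
# on this page. Rules are tested top to bottom, the first match decides (permit
# or deny) and later rules are skipped; an implicit "deny all" applies when nothing
# matches. A standard ACL tests only the source address; an extended ACL tests the
# five-tuple. All addresses and rules below are constructed samples.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: int = 0          # destination port; 0 when the protocol has none

@dataclass
class Rule:
    action: str             # "permit" or "deny"
    src: str                # CIDR prefix such as "172.16.0.0/16", or "any"
    dst: str = "any"        # only tested by extended ACLs
    proto: str = "ip"       # "ip" matches every protocol
    dport: Optional[int] = None

def in_net(addr: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def rule_matches(rule: Rule, pkt: Packet, extended: bool) -> bool:
    if not in_net(pkt.src, rule.src):
        return False
    if not extended:                    # standard ACL: the source address is the only test
        return True
    return (in_net(pkt.dst, rule.dst)
            and rule.proto in ("ip", pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))

def evaluate(acl: List[Rule], pkt: Packet, extended: bool = True) -> str:
    """Return the action of the first matching rule; no match means implicit deny."""
    for rule in acl:
        if rule_matches(rule, pkt, extended):
            return rule.action          # first match wins, later rules are never tested
    return "deny"                       # the implicit "deny all" at the end of every ACL

# Constructed extended ACL: block one subnet from the web server, allow the rest of
# 172.16.0.0/16. Order matters: with the permit line first, the deny line is unreachable.
EXT_ACL = [
    Rule("deny", "172.16.5.0/24", "10.1.1.10/32", "tcp", 80),
    Rule("permit", "172.16.0.0/16", "10.1.1.10/32", "tcp", 80),
]
STD_ACL = [Rule("permit", "172.16.0.0/16")]     # constructed standard ACL: source only
```

Reversing EXT_ACL shows why rule order matters: the broader permit line then matches first and the deny line can never take effect.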
Page 21
Where to apply ACL?
- Standard ACL: near the destination
- Extended ACL: near the source
[Figure: sample topology with routers A, B and D (interfaces E0, E1, S0, S1, To0), an Ethernet and a Token Ring segment, and hosts PC_A and PC_B.]
Page 22
Content Review
- ACL conception and usage
- ACL working principle
- ACL types
- ACL rule
Page 23
Questions
- Where to place a standard ACL in the network? Where to place an extended ACL?
- What will be done to the packet if there are no matches in the ACL?
- How to arrange the sequence of rules when configuring an ACL?
- What will happen if a data packet passes an interface on which no ACL is defined?
Page 24