04 zxr10 bc-en-acl principle and configuration (acl principle)-1-ppt-201105 24
TRANSCRIPT
ACL Principle
V1.1
Objectives
- Understand the basic function of ACL
- Know when and how to use ACL
Contents
- ACL conception and function
- ACL types
- ACL working principle
- ACL rule
[Figure: example network. A router joins an FDDI ring, a Token Ring segment and the Internet; the networks 172.16.0.0 and 172.17.0.0 sit behind it.]
Why Use Access Lists?
- Manage IP traffic as network access grows
- Filter packets as they pass through the router
Access List Applications
- Permit or deny packets moving through the router
- Permit or deny Telnet access to or from the router
- Without access lists, all packets could be transmitted onto all parts of your network
[Figure: two uses of an access list: Telnet access to the router itself (IP), and transmission of packets on an interface.]
ACL Configuration Procedure
- Define the trigger condition
- Define the packet matching rules
- Bind the ACL to an interface or a service
[Figure: ACL process. A packet arriving on the incoming interface is checked ("permit?") against source IP, destination IP and protocol before it leaves on the outgoing interface.]
Contents
- ACL conception and function
- ACL types (this part)
- ACL working principle
- ACL rule
[Figure: the fields an ACL checks. Frame header (e.g. HDLC) | Packet header (IP header): source address, destination address, protocol | Segment header (TCP header): port number | Data. The ACL uses these header fields to check the data and returns Permit or Deny.]
ACL Types and Matching Conditions
Standard ACL
- Uses the source address as the only filtering criterion
- Can only restrict traffic coarsely, by where it comes from; it cannot tell one protocol or port apart from another
Extended ACL
- Uses five elements to filter packets: source address, destination address, protocol, source port and destination port
- Can restrict a specific protocol or service precisely
ACL Types and Matching Conditions
IPv6 ACL Command Structure
Command structure for standard ACL
Command structure for extended ACL
Contents
- ACL conception and function
- ACL types
- ACL working principle (this part)
- ACL rule
[Figure: packet flow through the router with inbound and outbound access lists, built up over three slides.]
- A packet arrives on the inbound interface (E0).
- Access list bound inbound on that interface? No: go straight to routing. Yes: test the access list statements. Permit? No: the packet goes to the packet discard bucket and the sender is notified. Yes: continue.
- Routing table entry for the destination? No: discard the packet and notify the sender. Yes: choose the outbound interface (S0).
- Access list bound outbound on the chosen interface? No: transmit the packet. Yes: test the statements. Permit? No: discard the packet. Yes: transmit the packet on the outbound interface.
- If no access list statement matches, the packet is discarded.
Contents
- ACL conception and function
- ACL types
- ACL working principle
- ACL rule (this part)
A List of Tests: Deny or Permit
[Figure: packets to the interface(s) in the access group are tested against the rules one by one, built up over four slides.]
- Match first rule? Yes: apply its action. Deny: the packet goes to the packet discard bucket. Permit: the packet goes on to the destination interface(s).
- No: match next rule(s)? Yes: deny or permit as that rule says. No: keep testing down the list.
- Match last rule? Yes: deny or permit as that rule says. No: implicit deny.
Implicit Deny
- If nothing matches, deny all
ACL Rule Conclusion
Q: How should the rules be ordered when configuring an ACL?
- ACL matching runs from top to bottom. The first statement that matches the packet decides (permit or deny) and evaluation leaves the ACL; later statements are never consulted. Put specific rules before general ones, otherwise a broad permit or deny higher up hides the narrower rule below it.
- There is an implicit "deny all" rule at the end of every ACL.
- An ACL can be applied in the inbound or outbound direction of a specific IP interface.
- An ACL can be applied to a specific system service (e.g. the Telnet service on the device).
- An ACL must be created before it can be applied.
- Only one ACL per protocol can be bound in one direction of an interface at a time.
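The behaviour described in this part and in the working-principle flowchart (top-to-bottom first match, the implicit deny, standard versus extended matching, and the inbound ACL / routing lookup / outbound ACL order), as an added Python model written for this transcript. It is not ZXR10 code and does not reproduce the ZXR10 command syntax. The Rule and Packet layouts, the wildcard-mask convention (a 1 bit means "ignore this address bit"), the interface names and the sample policy and packets are assumptions constructed for the demo; only the 172.16.0.0 and 172.17.0.0 networks come from the slides.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"   # "tcp", "udp", "icmp"; "ip" = any
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    """One ACL statement (assumed layout, not ZXR10 syntax); wildcard bit 1 = ignore."""
    action: str                        # "permit" or "deny"
    src: str = "0.0.0.0"
    src_wild: str = "255.255.255.255"  # default: any source
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"  # default: any destination
    proto: str = "ip"                  # "ip" matches every protocol
    sport: Optional[int] = None        # None = any port
    dport: Optional[int] = None

    @staticmethod
    def _addr_ok(addr: str, net: str, wild: str) -> bool:
        care = ~_ip(wild) & 0xFFFFFFFF  # bits the statement actually compares
        return (_ip(addr) & care) == (_ip(net) & care)

    def matches(self, p: Packet) -> bool:
        return (self._addr_ok(p.src, self.src, self.src_wild)
                and self._addr_ok(p.dst, self.dst, self.dst_wild)
                and self.proto in ("ip", p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


def first_match(acl: List[Rule], p: Packet) -> str:
    """Top to bottom; the first match decides and evaluation stops; no match = implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


@dataclass
class Router:
    routes: Dict[str, str]           # "prefix/len" -> outbound interface
    inbound: Dict[str, List[Rule]]   # interface -> ACL bound inbound
    outbound: Dict[str, List[Rule]]  # interface -> ACL bound outbound

    def lookup(self, dst: str) -> Optional[str]:
        addr = ipaddress.IPv4Address(dst)
        hits = [(ipaddress.IPv4Network(pfx).prefixlen, ifc)
                for pfx, ifc in self.routes.items() if addr in ipaddress.IPv4Network(pfx)]
        return max(hits)[1] if hits else None  # longest prefix wins

    def forward(self, in_if: str, p: Packet) -> str:
        # 1. inbound ACL on the receiving interface; an interface with no ACL
        #    bound passes everything (the implicit deny belongs to the ACL)
        if in_if in self.inbound and first_match(self.inbound[in_if], p) == "deny":
            return "discard:inbound-acl"
        out_if = self.lookup(p.dst)  # 2. routing table entry?
        if out_if is None:
            return "discard:no-route"
        # 3. outbound ACL on the chosen interface
        if out_if in self.outbound and first_match(self.outbound[out_if], p) == "deny":
            return "discard:outbound-acl"
        return "forward:" + out_if


# Constructed policy: block Telnet from 172.16.0.0/16 into 172.17.0.0/16, allow the rest from 172.16.0.0/16.
DENY_TELNET = Rule("deny", "172.16.0.0", "0.0.255.255",
                   "172.17.0.0", "0.0.255.255", "tcp", dport=23)
PERMIT_NET = Rule("permit", "172.16.0.0", "0.0.255.255")
SHADOWED = [PERMIT_NET, DENY_TELNET]  # wrong order: the permit hides the deny
CORRECT = [DENY_TELNET, PERMIT_NET]   # specific statement first, general one after
STANDARD = [Rule("deny", "172.16.1.10", "0.0.0.0"), Rule("permit")]  # source-only (standard ACL)

TELNET = Packet("172.16.1.10", "172.17.2.20", "tcp", 40000, 23)
HTTP = Packet("172.16.1.10", "172.17.2.20", "tcp", 40001, 80)
OUTSIDER = Packet("10.0.0.5", "172.17.2.20", "tcp", 40002, 80)


def demo() -> Dict[str, str]:
    router = Router(routes={"172.16.0.0/16": "E0", "172.17.0.0/16": "S0"},
                    inbound={"E0": CORRECT}, outbound={})
    return {
        "shadowed_telnet": first_match(SHADOWED, TELNET),  # permit (misordered)
        "correct_telnet": first_match(CORRECT, TELNET),    # deny
        "correct_http": first_match(CORRECT, HTTP),        # permit
        "outsider": first_match(CORRECT, OUTSIDER),        # deny (implicit)
        "standard_http": first_match(STANDARD, HTTP),      # deny: a standard ACL cannot single out Telnet
        "router_telnet": router.forward("E0", TELNET),     # discard:inbound-acl
        "router_http": router.forward("E0", HTTP),         # forward:S0
        "router_noroute": router.forward("E0", Packet("172.16.1.10", "192.0.2.1")),
    }
```

The SHADOWED list is the mistake the question above is about: the deny is syntactically present but unreachable, so the Telnet session is permitted. The STANDARD list shows why a source-only ACL is placed near the destination: it can only cut the whole host off, not the one service.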
Where to apply ACL?
- Standard ACL: near the destination. It matches on the source address only, so placed near the source it would cut that source off from every destination, not just the one to be protected.
- Extended ACL: near the source. It identifies the flow precisely, so unwanted traffic is dropped before it crosses the network and consumes bandwidth.
[Figure: routers A, B and D linked by serial interfaces S0 and S1, with Ethernet interfaces E0 and E1 and a Token Ring interface To0; hosts PC_A and PC_B at the edges.]
Content Review
- ACL conception and usage
- ACL working principle
- ACL types
- ACL rule
Questions
- Where should a standard ACL be placed in the network? Where should an extended ACL be placed?
- What happens to a packet if nothing in the ACL matches it?
- How should the rules be ordered when configuring an ACL?
- What happens when a packet passes through an interface on which no ACL is defined?