Shandong Jinan Huawei router What is ACL?

ACL introduction

Communication between hosts inside the enterprise network, and between the internal and external networks, is an indispensable business requirement. At the same time, securing the internal network requires a security policy that restricts unauthorized users to specific network resources, that is, access control. In short, an ACL (Access Control List) filters traffic on the network; it is a network technology for controlling access.

ACLs are also defined per protocol. If a router interface is configured to support three protocols (IP, AppleTalk, and IPX), the user must define three ACLs, one to control the packets of each protocol.



The role of ACL



ACLs can limit network traffic and improve network performance. For example, an ACL can assign a packet a priority based on its protocol.

ACLs provide a means of controlling traffic. For example, an ACL can limit or simplify the size of routing updates, thereby limiting the traffic that crosses a given network segment of the router.

ACLs are the basic means of providing secure access to the network. An ACL can allow Host A to access the Human Resources network while denying Host B access.

At a router interface, an ACL determines which types of traffic are forwarded and which are blocked. For example, an administrator can allow E-mail traffic to be routed while rejecting all Telnet traffic.

For example, if a department needs only web (WWW) access, an ACL can enforce that. Likewise, if a department handles confidential data, an ACL can prevent it from reaching the external network and prevent the external network from reaching it.



ACL 3p principle



The 3P principle summarizes the general rule for applying ACLs on a router: one ACL can be configured per protocol, per direction, and per interface:

Per protocol: to control traffic on an interface, a corresponding ACL must be defined for each protocol enabled on that interface.

Per direction: an ACL controls traffic in only one direction on an interface. To control both inbound and outbound traffic, two separate ACLs must be defined.

Per interface: an ACL controls traffic on only one interface (such as Fast Ethernet 0/0).

Writing ACLs can be quite complex and challenging, since each interface can carry ACLs for several protocols and directions. The router in the example has two interfaces configured for IP, AppleTalk, and IPX, so it may require 12 different ACLs: the number of protocols (3) multiplied by the number of directions (2) and by the number of interfaces (2).



ACL execution process



Which statement of an ACL acts on a packet arriving at a port is decided by the order in which the conditional statements are evaluated in the list. If the packet header matches a conditional statement, the statements after it are ignored and not checked.

A packet is compared with the next conditional statement in the ACL only if it does not match the first one. As soon as a statement matches (say, a permit), the packet is immediately sent to the destination interface, regardless of whether that statement was the first or the last. If every statement has been checked and none matched, the packet is treated as rejected and discarded. Note that an ACL cannot control packets generated by the router itself.

If the device uses a TCAM, such as the aute U3052 switch, all ACL rules are evaluated in parallel: when a port has several ACL rules, they are not matched one after another; the whole ACL is looked up in a single operation.



ACL classification



There are currently two main types of ACLs: standard ACLs and extended ACLs. Others include standard MAC ACLs, time-controlled ACLs, Ethernet protocol ACLs, and IPv6 ACLs.

Standard ACLs use the numbers 1 to 99 and 1300 to 1999 as list numbers. Extended ACLs use the numbers 100 to 199 and 2000 to 2699 as list numbers.

A standard ACL can block all traffic from a certain network, allow all traffic from a particular network, or reject all traffic of a certain protocol suite (such as IP).

Extended ACLs provide a wider range of control than standard ACLs. For example, if a network administrator wants to "allow external Web traffic through but reject incoming FTP and Telnet traffic," an extended ACL can achieve this; a standard ACL cannot control traffic so precisely.

Standard and extended access control lists are identified by a list number; a named access control list uses a string of letters or digits instead of the number. A named access control list allows a particular entry to be deleted, which makes it easy to modify during use. Named access control lists require IOS version 11.2 or later, two ACLs cannot share the same name, and ACLs of different types cannot use the same name.

As networks evolved and user requirements changed, Cisco routers added a new time-based access list starting with IOS 12.0. With it, the forwarding of packets can be controlled according to the time of day, the day of the week, or a combination of the two. A time-based access list adds a valid time range to the original standard and extended access lists so that the network can be controlled more reasonably and effectively: first define a time range, then apply it to the existing access lists.

When designing a time-based access list, use the time-range command to name the time range, then use the absolute command, or one or more periodic commands, to define it. [2]
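As an added example (not code from the original article), the following Python model shows how a time range built from one absolute window and one or more periodic windows decides whether a time-based entry is currently active. The keyword layout of the absolute and periodic lines follows the IOS form described above; the class and function names, the day-name groups, and the constructed WORKHOURS schedule are assumptions made for this illustration.

```python
# Added example, not code from the original article: a small model of a
# time-range made of one optional absolute window plus periodic windows.
# Class/function names and the WORKHOURS schedule are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Set

_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_GROUPS = {name: {i} for i, name in enumerate(_NAMES)}
DAY_GROUPS.update({"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}})


def _hhmm(text: str) -> time:
    hour, minute = text.split(":")
    return time(int(hour), int(minute))


@dataclass
class Periodic:
    """One 'periodic DAYS hh:mm to hh:mm' line."""
    days: Set[int]
    start: time
    end: time

    def active(self, at: datetime) -> bool:
        return at.weekday() in self.days and self.start <= at.time() <= self.end


@dataclass
class TimeRange:
    name: str
    absolute_start: Optional[datetime] = None
    absolute_end: Optional[datetime] = None
    periodic: List[Periodic] = field(default_factory=list)

    def active(self, at: datetime) -> bool:
        """Active inside the absolute window and, if periodic entries exist,
        only while one of them applies."""
        if self.absolute_start and at < self.absolute_start:
            return False
        if self.absolute_end and at > self.absolute_end:
            return False
        if not self.periodic:
            return True
        return any(p.active(at) for p in self.periodic)


def parse_time_range(lines: List[str]) -> TimeRange:
    """Parse a 'time-range NAME' line followed by absolute/periodic lines."""
    tr: Optional[TimeRange] = None
    for line in lines:
        t = line.split()
        if t[0] == "time-range":
            tr = TimeRange(t[1])
        elif tr is None:
            raise ValueError("absolute/periodic line before time-range")
        elif t[0] == "absolute":
            # absolute [start hh:mm day month year] [end hh:mm day month year]
            i = 1
            while i < len(t):
                stamp = datetime.strptime(" ".join(t[i + 1:i + 5]), "%H:%M %d %B %Y")
                if t[i] == "start":
                    tr.absolute_start = stamp
                elif t[i] == "end":
                    tr.absolute_end = stamp
                else:
                    raise ValueError(f"bad absolute keyword {t[i]}")
                i += 5
        elif t[0] == "periodic":
            # periodic DAY [DAY ...] hh:mm to hh:mm
            to = t.index("to")
            days: Set[int] = set()
            for name in t[1:to - 1]:
                days |= DAY_GROUPS[name]
            tr.periodic.append(Periodic(days, _hhmm(t[to - 1]), _hhmm(t[to + 1])))
        else:
            raise ValueError(f"unknown line: {line}")
    if tr is None:
        raise ValueError("no time-range line")
    return tr


# Constructed schedule: office hours on weekdays, valid only during 2024.
WORKHOURS = parse_time_range([
    "time-range WORKHOURS",
    "absolute start 00:00 1 January 2024 end 23:59 31 December 2024",
    "periodic weekdays 08:00 to 18:00",
])

if __name__ == "__main__":
    for stamp in (datetime(2024, 3, 6, 10, 0), datetime(2024, 3, 9, 10, 0)):
        print(stamp, "active" if WORKHOURS.active(stamp) else "inactive")
```

An entry whose time range is inactive is simply skipped during ACL evaluation, so a range that expires (here, after 2024) silently removes the entry from the list; that is worth checking when an access list stops behaving as expected.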



Place the ACL correctly



An ACL controls traffic by filtering packets and dropping those that should not reach their destination. Whether the network actually reduces unnecessary traffic, however, depends on where the network administrator places the ACL.

Assume a network running TCP/IP in which the only requirement is to deny access from the network connected to the T0 interface of RouterA to the network connected to the E1 interface of RouterD, that is, access from network 1 to network 2 is prohibited.

Following the usual guideline of reducing unnecessary traffic, the administrator would place the ACL as close as possible to the source of the rejected traffic, RouterA. But a standard ACL can check only the source IP address, so what is actually implemented is this: any packet whose source IP address belongs to network 1 is discarded, which means network 1 is blocked from reaching network 2, network 3, and network 4. This placement therefore cannot achieve the administrator's purpose, and placing the ACL on RouterB or RouterC has the same problem. Only when the ACL is placed on RouterD (on the E0 interface), the router connected to the target network, does the network achieve the administrator's goal precisely. This leads to a conclusion: a standard ACL should be placed as close as possible to the destination.

If the administrator uses an extended ACL for the same control, the ACL can be placed on RouterA, because an extended ACL can match both the source address (network 1) and the destination address (network 2). Packets from network 1 to network 2 are then discarded on RouterA and never transmitted to RouterB, RouterC, or RouterD, which reduces unnecessary network traffic. This leads to another conclusion: an extended ACL should be placed as close as possible to the source.

Main ACL commands (command: description)

access-list: defines the parameters of an access control list
ip access-group: assigns an access control list to an interface
ip access-list extended: defines an extended access control list
remark: adds a comment to an access control list
show ip access-list: displays the configured access control lists
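The placement argument above can be checked with a small simulation. This is an added example, not code from the original article: the RouterA, RouterB, RouterC, RouterD chain and networks 1 and 2 come from the text, while attaching network 3 to RouterB and network 4 to RouterC, and every function and constant name here, are assumptions made for this illustration. A standard entry is modelled as matching on source network only, an extended entry on source and destination.

```python
# Added example, not code from the original article: where does a
# "deny network 1 -> network 2" entry take effect, depending on the router
# it is placed on? Topology beyond networks 1 and 2 is an assumption.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Routers in path order; ATTACHED says which router each network hangs off.
PATH = ["RouterA", "RouterB", "RouterC", "RouterD"]
ATTACHED = {1: "RouterA", 3: "RouterB", 4: "RouterC", 2: "RouterD"}


def hops(src_net: int, dst_net: int) -> List[str]:
    """Routers that a flow from src_net to dst_net passes through, in order."""
    i, j = PATH.index(ATTACHED[src_net]), PATH.index(ATTACHED[dst_net])
    return PATH[i:j + 1] if i <= j else PATH[j:i + 1][::-1]


@dataclass(frozen=True)
class DenyRule:
    """A standard ACL entry matches on source only (dst_net=None);
    an extended ACL entry matches on source and destination."""
    src_net: int
    dst_net: Optional[int] = None

    @property
    def kind(self) -> str:
        return "standard" if self.dst_net is None else "extended"

    def matches(self, src_net: int, dst_net: int) -> bool:
        return src_net == self.src_net and (self.dst_net is None or dst_net == self.dst_net)


def blocked_flows(rule: DenyRule, placed_at: str) -> Set[Tuple[int, int]]:
    """All (src, dst) network pairs the rule drops when it sits on placed_at."""
    dropped = set()
    for src in ATTACHED:
        for dst in ATTACHED:
            if src != dst and placed_at in hops(src, dst) and rule.matches(src, dst):
                dropped.add((src, dst))
    return dropped


def wasted_hops(rule: DenyRule, placed_at: str, src_net: int, dst_net: int) -> Optional[int]:
    """Routers a doomed packet crosses before being dropped; None if it is not dropped."""
    path = hops(src_net, dst_net)
    if placed_at not in path or not rule.matches(src_net, dst_net):
        return None
    return path.index(placed_at)


def placement_report(rule: DenyRule) -> Dict[str, Set[Tuple[int, int]]]:
    """Which flows the rule blocks at each possible placement along the path."""
    return {router: blocked_flows(rule, router) for router in PATH}


STANDARD_DENY_NET1 = DenyRule(src_net=1)           # standard: source only
EXTENDED_DENY_1_TO_2 = DenyRule(src_net=1, dst_net=2)  # extended: source and destination

if __name__ == "__main__":
    for rule in (STANDARD_DENY_NET1, EXTENDED_DENY_1_TO_2):
        print(rule.kind, "ACL:")
        for router, flows in placement_report(rule).items():
            print(f"  on {router}: blocks {sorted(flows)}")
```

Running it reproduces both conclusions from the text: the standard entry on RouterA blocks network 1 from networks 2, 3 and 4 and only becomes exact on RouterD, at the cost of carrying the doomed packets across three routers first, while the extended entry on RouterA blocks exactly network 1 to network 2 and drops the packets at the first hop.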



The specification to follow when defining an ACL



(1) The list number of an ACL indicates which protocol the ACL belongs to. Each protocol has its own ACLs, and the ACLs of each protocol are divided into standard and extended ACLs; the list number distinguishes them. Using the wrong list number when defining or applying an ACL causes an error.

(2) ACLs are configured per protocol, per interface, and per direction. For each protocol on a router interface, two ACLs can be configured, one inbound and one outbound. For example, if both the IP and IPX protocol stacks are enabled on the router, a single interface can carry ACLs for IP and IPX, each in two directions, for a total of four ACLs.

(3) The order of the ACL statements determines the order in which packets are checked, so the position of each statement in the ACL matters. When the router decides whether to forward or block a packet, it tests the packet against the condition of each statement in the order the statements appear in the ACL; as soon as one condition matches, the comparison ends and the remaining statements are not checked.

(4) The most restrictive statement should be placed on the first line of the ACL, or near the front, and the "permit all" or "deny all" statement on the last line or near it, so that a packet that should be rejected (dropped) is not let through (permitted).

(5) New entries can only be appended to the end of an ACL, so the behavior of an existing access control list cannot be changed in place. If it must be changed, delete the existing ACL, create a new one, and apply the new ACL to the corresponding interface.

(6) An ACL must exist before it is applied to an interface: first create it in global configuration mode, then apply it to the inbound or outbound direction of the interface. A non-existent ACL cannot be applied to an interface.

(7) ACL statements cannot be deleted one by one; only the entire ACL can be deleted at once.

(8) Every ACL ends with an implicit "deny all", so an ACL must contain at least one "permit" statement.

(9) An ACL can only filter traffic passing through the router; it cannot filter packets originated by the router itself.

(10) An ACL applied in the inbound direction of an interface takes effect before the routing decision is made.

(11) An ACL applied in the outbound direction of an interface takes effect after the routing decision is made.
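The execution process described earlier (first match wins, the implicit deny at the end) and rules (3), (4) and (8) above can be seen in one small model. This is an added example, not code from the original article: it parses numbered access-list lines in the standard and extended forms named on this page, classifies them by the list-number ranges given above, and evaluates sample packets. The function names, the constructed rule lines and the sample packets are assumptions; the wildcard-mask handling and the eq PORT form are standard IOS usage but are modelled here only as far as the example needs.

```python
# Added example, not code from the original article: a minimal model of a
# numbered ACL showing first-match evaluation, the implicit deny, and why
# statement order matters. Names, rule lines and packets are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # wildcard 255.255.255.255 matches every address


def acl_kind(number: int) -> str:
    """Classify a numbered ACL by its list number (ranges from the article)."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    raise ValueError(f"unsupported ACL number {number}")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard mask: a 0 bit means 'must match', a 1 bit means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def _parse_addr(t: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at token i."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2


@dataclass(frozen=True)
class Rule:
    number: int
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol
    src: Tuple[str, str]
    dst: Tuple[str, str]
    dport: Optional[int]     # 'eq PORT' on extended rules, else None


def parse_rule(line: str) -> Rule:
    """Parse one 'access-list N permit|deny ...' line (standard or extended form)."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"cannot parse: {line}")
    number, action = int(t[1]), t[2]
    if acl_kind(number) == "standard":
        # standard: access-list 10 deny 10.1.1.0 0.0.0.255   (source only)
        src, _ = _parse_addr(t, 3)
        return Rule(number, action, "ip", src, ANY, None)
    # extended: access-list 110 deny tcp SRC DST [eq PORT]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Rule(number, action, t[3], src, dst, dport)


def matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *rule.src) or not wildcard_match(pkt["dst"], *rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.get("dport")


def evaluate(acl_lines: Iterable[str], pkt: dict) -> str:
    """The first matching statement decides; no match hits the implicit deny."""
    for rule in (parse_rule(line) for line in acl_lines):
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed sample ACLs and packets.
MAIL_NOT_TELNET = [                  # rule (4): the restrictive deny first, no catch-all permit
    "access-list 110 deny tcp any any eq 23",
    "access-list 110 permit tcp any any eq 25",
]
SHADOWED = [                         # a catch-all permit placed first hides the later deny
    "access-list 120 permit ip any any",
    "access-list 120 deny tcp any any eq 23",
]
BLOCK_NET1 = [                       # standard ACL: source address only
    "access-list 10 deny 10.1.1.0 0.0.0.255",
    "access-list 10 permit any",
]
TELNET = {"proto": "tcp", "src": "10.1.1.5", "dst": "192.0.2.9", "dport": 23}
SMTP = {"proto": "tcp", "src": "10.1.1.5", "dst": "192.0.2.9", "dport": 25}
HTTP = {"proto": "tcp", "src": "10.1.2.5", "dst": "192.0.2.9", "dport": 80}

if __name__ == "__main__":
    for name, acl in (("MAIL_NOT_TELNET", MAIL_NOT_TELNET), ("SHADOWED", SHADOWED)):
        print(name, {p["dport"]: evaluate(acl, p) for p in (TELNET, SMTP, HTTP)})
```

Two things to notice when running it: the HTTP packet is dropped by MAIL_NOT_TELNET although no statement mentions port 80, because of the implicit deny (rule 8), and the Telnet packet is permitted by SHADOWED although a deny for port 23 exists, because the catch-all permit is checked first (rules 3 and 4).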

ACL Conference (Annual Meeting of the Association for Computational Linguistics)

The ACL Conference is the top academic conference in the field of natural language processing and computational linguistics, held annually and sponsored by the Association for Computational Linguistics. Its topics include dialogue, discourse, evaluation, information extraction (IE), information retrieval (IR), language generation, language resources, machine translation (MT), multimodality, phonology and morphology, automatic question answering, semantics, sentiment, speech, statistical machine learning, summarisation, syntax, and many other areas.



ACL FAQ



1) What is the meaning of "the last statement of ACL is an implicit refusal statement"?

An implicit deny statement is automatically inserted at the end of each ACL, and although it is not visible in the ACL, it still works. The implicit deny statement blocks all traffic in case unwanted traffic accidentally enters the network.

2) Why didn't it take effect after configuring the ACL?

After you create an access control list, you must apply it to an interface to take effect. The object controlled by the ACL is the traffic to and from the interface.