Besides securing access to the switches themselves, a network also needs control over the traffic that crosses it. A network administrator typically has to let some departments reach each other while keeping others apart. ACL technology does this by filtering packets against rules on header fields such as the source address, which gives effective control over which users can reach which parts of the network.

What is an ACL?

An Access Control List (ACL) is a packet-filtering access control technology: packets arriving at or leaving an interface are compared against a set of conditions and are either passed or discarded. ACLs are widely used on routers and Layer 3 switches. With them, user access to the network can be controlled effectively, which improves network security.

An ACL is an ordered collection of rule statements. Each rule is a judgement statement describing the conditions a packet must satisfy to match, such as the source address, destination address, or port number. An ACL is essentially a packet filter and its rules are the filter elements. A device matches packets against these rules, and the service module that applies the ACL (interface packet filtering, routing, QoS, and so on) then permits or blocks the matched packets according to its own policy.

Functions of ACLs

1. ACLs can limit network traffic and improve network performance.

For example, an ACL can classify packets by protocol so that the device gives packets of a given type higher priority and processes them first when other conditions are equal.

2. ACLs provide a means to control traffic flow.

For example, an ACL can restrict which routes are accepted from or advertised in routing updates, reducing the size of the updates and therefore the amount of traffic passing through a particular network segment of a router.

3. ACLs are the basic means of providing secure access to the network.

For example, an ACL can allow Host A to access the HR network while denying Host B.

4. ACLs can determine at the router port which type of communication traffic is forwarded or blocked.

For example, a user can allow e-mail traffic to be routed while denying all Telnet traffic. If a department is required to use only WWW, that can be enforced with an ACL. Likewise, a department whose data must be kept confidential can be prevented from reaching the external network and from being reached from it.

Classification of ACLs

As ACL technology has developed, the variety of ACLs has grown. By rule content and usage scenario, the commonly used ones fall into the following categories.

1. Basic ACLs

Basic ACL rules match only on the source IP address. They consume little device CPU and are easy to deploy, but their use cases are limited and they cannot provide strong security, since a source address alone is easy to spoof.

2. Advanced ACLs

Compared with basic ACLs, advanced ACLs offer greater flexibility and more granular matching of traffic. An advanced ACL can block specific hosts or entire network segments as either source or destination, and can filter by protocol (IP, ICMP, TCP, UDP) and by protocol-specific details such as TCP/UDP port numbers.

3. Layer 2 ACLs

Layer 2 ACLs are used to control the access rights of specific endpoints on a company's internal network. They filter on Layer 2 information such as source MAC address, destination MAC address, 802.1p priority, and Layer 2 protocol type.

4. User ACL

A user ACL is an advanced ACL extended with user-group configuration items, so that traffic can be controlled per user group rather than only per address.

How to configure an ACL?

Configuring a standard ACL takes two steps: creating the ACL and applying it. Creating an ACL means defining one or more ACL statements as needed; together they make up the ACL's rules. After creating an ACL you must apply it to an interface, in a direction, before it takes effect.

Each ACL must be given an identifier so that it can be referenced when it is applied. An ACL can be identified either by a number or by a string. ACLs identified by a number are called numbered ACLs, and ACLs identified by a string are called named ACLs. The following describes the configuration commands for numbered standard ACLs.

1. Creating Numbered Standard ACLs

The command format for creating numbered standard ACL rules is as follows.

  • router(config)#access-list access-list-number {permit | deny} source [source-wildcard]

where access-list-number is the number of the access list (a standard IP ACL uses 1 to 99 or 1300 to 1999); permit allows packets that match the condition to pass; deny drops packets that match it; source is the source IP address to be filtered; and source-wildcard is the wildcard mask, in which a 1 bit means "do not check this bit" and a 0 bit means "this bit must match". The wildcard mask is therefore the bitwise inverse of a subnet mask: the /24 network 192.168.1.0 is written 192.168.1.0 0.0.0.255. Rules are evaluated in the order they were entered, the first matching rule decides, and every ACL ends with an implicit deny of all remaining traffic, so an ACL that contains only deny statements blocks everything.

Tip: Use the no access-list access-list-number command to delete the specified access control list; for example, to delete ACL 10, use router(config)#no access-list 10. Note that this removes every statement in the list, not just one rule.

For convenience, source can be written in two shorthand forms that need no wildcard mask: any and host. any is equivalent to 0.0.0.0 with the wildcard mask 255.255.255.255 (every address), and host is equivalent to the wildcard mask 0.0.0.0 (a single address). For example, 0.0.0.0 255.255.255.255 can be written as any, and 192.168.1.10 0.0.0.0 can be written as host 192.168.1.10.

2. Applying Numbered Standard ACLs

Applying a numbered standard ACL means attaching an ACL that has already been defined to an interface. Only one ACL can be applied to each interface in each direction (inbound, IN, or outbound, OUT). Because a standard ACL looks only at the source address, it is normally applied as close to the destination as possible, so that it does not cut off traffic to destinations it was never meant to protect.

The command format for applying a numbered standard ACL is as follows.

  • router(config-if)#ip access-group access-list-number {in | out}

where access-list-number is the number of the IP access control list (1 to 99, 1300 to 1999); in filters packets entering the interface; out filters packets leaving the interface. Note that traffic generated by the router itself is not checked by an outbound ACL.

Tip: Use the no ip access-group [access-list-number] {in | out} command to detach the access control list from the interface; for example, router(config-if)#no ip access-group 2 out detaches ACL 2 from the interface's outbound direction.

3. Viewing Numbered Standard ACL Information

The command format to view the configured ACL information is as follows.

  • router#show access-lists [access-list-number]

where access-list-number is the number of the IP access control list (1 to 99, 1300 to 1999); if the number is omitted, all ACLs configured on the device are displayed. The output also shows a match counter for each statement, which is the quickest way to confirm that a rule is actually being hit.
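The following is an added example, not code from the original page or from any vendor: a small Python model of how a numbered standard ACL of the kind created above decides on a packet. It parses constructed access-list lines in the command format shown in step 1, applies the wildcard-mask, any and host semantics, evaluates rules top to bottom with the implicit deny at the end, and also flags rules that can never match because an earlier rule already covers them. The function names (parse_config, evaluate, shadowed_rules) and the sample configuration are this example's own assumptions.

```python
"""Added example: model a Cisco-style numbered standard ACL.

Not code from the page or from any vendor. Function names and the
sample configuration are this example's own. Only the source address
is consulted, exactly as a standard ACL does."""
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Rule:
    action: str     # "permit" or "deny"
    source: int     # source address as a 32-bit integer
    wildcard: int   # wildcard mask: a 1 bit means "do not check this bit"


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_config(lines):
    """Parse 'access-list N {permit|deny} source [wildcard]' lines into
    {N: [Rule, ...]}, keeping the order in which the lines were entered."""
    acls = {}
    for raw in lines:
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue                         # blank line or IOS-style comment
        if (len(tokens) < 4 or tokens[0] != "access-list"
                or tokens[2] not in ("permit", "deny")):
            raise ValueError(f"unsupported line: {raw!r}")
        number = int(tokens[1])
        if not (1 <= number <= 99 or 1300 <= number <= 1999):
            raise ValueError(f"{number} is not a standard ACL number")
        rest = tokens[3:]
        if rest == ["any"]:                  # any == 0.0.0.0 255.255.255.255
            source, wildcard = 0, ALL_ONES
        elif rest[0] == "host":              # host A.B.C.D == A.B.C.D 0.0.0.0
            source, wildcard = _addr(rest[1]), 0
        else:                                # explicit address and wildcard;
            source = _addr(rest[0])          # a missing wildcard means 0.0.0.0
            wildcard = _addr(rest[1]) if len(rest) > 1 else 0
        acls.setdefault(number, []).append(Rule(tokens[2], source, wildcard))
    return acls


def matches(rule: Rule, src_ip: str) -> bool:
    """Bits set in the wildcard are ignored; all other bits must be equal."""
    care = ~rule.wildcard & ALL_ONES
    return (_addr(src_ip) & care) == (rule.source & care)


def evaluate(rules, src_ip: str) -> str:
    """Rules are tried top to bottom and the first match decides. A packet
    that matches no rule hits the implicit 'deny any' at the end of the ACL."""
    for rule in rules:
        if matches(rule, src_ip):
            return rule.action
    return "deny"


def shadowed_rules(rules):
    """Indexes of rules that can never match because an earlier rule already
    covers every address they cover. Such rules are usually an ordering bug."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            care = ~earlier.wildcard & ALL_ONES
            if (later.wildcard & care) == 0 and \
               (later.source & care) == (earlier.source & care):
                out.append(j)
                break
    return out


# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """
! ACL 10: block one host, let the rest of its /24 through
access-list 10 deny host 192.168.1.10
access-list 10 permit 192.168.1.0 0.0.0.255
! ACL 20: same intent, but the rules are in the wrong order
access-list 20 permit 192.168.1.0 0.0.0.255
access-list 20 deny host 192.168.1.10
""".splitlines()

if __name__ == "__main__":
    acls = parse_config(SAMPLE_CONFIG)
    for ip in ("192.168.1.10", "192.168.1.77", "10.0.0.5"):
        print(f"ACL 10 {ip:>13}: {evaluate(acls[10], ip)}")
    print("ACL 20 shadowed rule indexes:", shadowed_rules(acls[20]))
```

Running it shows ACL 10 denying 192.168.1.10, permitting 192.168.1.77 and denying 10.0.0.5 through the implicit deny, while ACL 20 permits 192.168.1.10 because its deny is shadowed by the broader permit entered before it. On a real device the same mistake shows up as a permanently zero match counter on the shadowed line in show access-lists.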

Applications of ACLs

ACLs are used in a variety of applications, of which the most common are the following.

1. Filtering routing information exchanged between neighboring devices.

2. Controlling access to the device itself, to prevent unauthorized management access, for example restricting who may connect to the console, Telnet, or SSH.

3. Controlling traffic flow and network access through network devices.

4. Protecting the router by restricting access to services it runs, such as HTTP, SNMP, and NTP.

5. Defining interesting traffic for DDR (dial-on-demand routing) and IPsec VPNs.

6. Classifying traffic for QoS (Quality of Service) features in IOS in a variety of ways.

7. Extended use in other security features, such as TCP Intercept and the IOS firewall.