04 zxr10 bc-en-acl principle and configuration (acl principle)-1-ppt-201105 24

ACL Principle

V1.1

Objectives

Understand the basic function of ACLKnow when and how to use ACL

Contents

ACL conception and functionACL typesACL working principleACL rule

FDDI

172.16.0.0

172.17.0.0

TokenRing

Internet

Why Use Access Lists?

Manage IP traffic as network access growsFilter packets as they pass through the router

Access List Applications

Permit or deny packets moving through the routerPermit or deny telnet access to or from the routerWithout access lists all packets could be transmitted onto all parts of your network

telnet access (IP)

Transmission of packets on an interface

ACL Configuration Procedure

Define trigger condition Define packet matching rules Bind to interface or service

Packet outgoing interfacePacket incoming

interface

ACL process

permit?Source IP、

Destination IP

protocol

Contents


Dest Address

Source AddressProtocol

Port number

Segment Header(TCP Header) Data

Packet Header(IP Header )

Frame Header(e.g. HDLC)

Use ACL to checkdata

Deny Permit

ACL Types and Matching Conditions

Standard ACLUse source address as filtering standardCan generally restrict a kind of protocol

Extend ACLUse five elements to filter packetsCan restrict a concrete protocol accurately

ACL Types and Matching Conditions

IPv6 ACL Command Structure

Command structure for standard ACL

Command structure for extend ACL

Contents


Inbound InterfacePackets

N

Y

Packet Discard Bucket

ChooseInterface

NAccessList

?

RoutingTable Entry

?

Y

Outbound Interface

Packets

S0

Outbound Access Lists

Outbound Interface

Packets

N

Y


ChooseInterface

RoutingTable Entry

? N Packets

TestAccess ListStatements

Permit ?

Y


AccessList

?

Y

S0

E0


Notify Sender


If no access list statement matches then discard the packet

N

Y


ChooseInterface

RoutingTable Entry

? N

Y

TestAccess ListStatements

Permit ?

YAccess

List ?

Discard PacketN

Outbound Interface

Packets

Packets

S0

E0


Contents


A List of Tests: Deny or Permit

Packets to Interface(s)in the access group


Y

Interface(s)

Destination

Deny

Deny

Y

MatchFirstRule

?

Permit


Packets to Interface(s)in the Access Group


Y

Interface(s)

Destination

Deny

Deny

Y

MatchFirstRule

?

Permit

N

Deny PermitMatchNext

Rule(s)?

YY




Y

Interface(s)

Destination

Deny

Deny

Y

MatchFirstRule

?

Permit

N


Rule(s)?

DenyMatchLastRule

?

YY

N

YY Permit




Y

Interface(s)

Destination

Deny

Y

MatchFirstRule

?

Permit

N


Rule(s)?

DenyMatchLastRule

?

YY

N

YY Permit

Implicit Deny

If no matchdeny allDeny

N

ACL Rule ConclusionQ：How to arrange the sequence of rules when configuring ACL

ACL matching execute from top to bottom, if one statement match the packets, it will execute the corresponding rule (permit or deny) and then jump out of ACL. There is an implicit rule “Deny all” at the end of each ACL.ACL can be applied to inbound or outbound direction of a concrete IP interface ACL can be applied to a specific system service (e.g. Telnet service on device)Before applying ACL, we should create itWe can set only one ACL for a specific protocol on one directionof an interface at one time

Where to apply ACL？

Standard ACL： near the destination Extend ACL： near the source

E0

E0

E1

S0

To0

S1S0

S1E0

E0TokenRing

BB

AA

DD

PC_A

PC_B

Content Review

ACL conception and usageACL working principleACL typesACL rule

Questions

Where to place standard ACL in the network? Where to place extend ACL?What will be done to the packet if there are no matches in the ACL?How to arrange the sequence of rules when configuring ACL?What will happen if a data packet pass an interface that no ACL is defined?

Engineering

04 zxr10 bc-en-acl principle and configuration (acl principle)-1-ppt-201105 24