Recommended
More Related Content
Similar to 04 zxr10 bc-en-acl principle and configuration (acl principle)-1-ppt-201105 24
Similar to 04 zxr10 bc-en-acl principle and configuration (acl principle)-1-ppt-201105 24 (20)
Recently uploaded
Recently uploaded (20)
04 zxr10 bc-en-acl principle and configuration (acl principle)-1-ppt-201105 24
- 2. Objectives Understand the basic function of ACL Know when and how to use ACL
- 3. Contents ACL conception and function ACL types ACL working principle ACL rule
- 4. FDDI 172.16.0.0 172.17.0.0 Token Ring Internet Why Use Access Lists? Manage IP traffic as network access grows Filter packets as they pass through the router
- 5. Access List Applications Permit or deny packets moving through the router Permit or deny telnet access to or from the router Without access lists all packets could be transmitted onto all parts of your network telnet access (IP) Transmission of packets on an interface
- 6. ACL Configuration Procedure Define trigger condition Define packet matching rules Bind to interface or service Packet outgoing interfacePacket incoming interface ACL process permit? Source IP、 Destination IP protocol
- 7. Contents ACL conception and function ACL types ACL working principle ACL rule
- 8. Dest Address Source Address Protocol Port number Segment Header (TCP Header) Data Packet Header (IP Header ) Frame Header (e.g. HDLC) Use ACL to check data Deny Permit ACL Types and Matching Conditions Standard ACL Use source address as filtering standard Can generally restrict a kind of protocol Extend ACL Use five elements to filter packets Can restrict a concrete protocol accurately
- 9. ACL Types and Matching Conditions
- 10. IPv6 ACL Command Structure Command structure for standard ACL Command structure for extend ACL
- 11. Contents ACL conception and function ACL types ACL working principle ACL rule
- 12. Inbound Interface Packets N Y Packet Discard Bucket Choose Interface NAccess List ? Routing Table Entry ? Y Outbound Interface Packets S0 Outbound Access Lists
- 13. Outbound Interface Packets N Y Packet Discard Bucket Choose Interface Routing Table Entry ? N Packets Test Access List Statements Permit ? Y Outbound Access Lists Access List ? Y S0 E0 Inbound Interface Packets
- 14. Notify Sender Outbound Access Lists If no access list statement matches then discard the packet N Y Packet Discard Bucket Choose Interface Routing Table Entry ? N Y Test Access List Statements Permit ? Y Access List ? Discard Packet N Outbound Interface Packets Packets S0 E0 Inbound Interface Packets
- 15. Contents ACL conception and function ACL types ACL working principle ACL rule
- 16. A List of Tests: Deny or Permit Packets to Interface(s) in the access group Packet Discard Bucket Y Interface(s) Destination Deny Deny Y Match First Rule ? Permit
- 17. A List of Tests: Deny or Permit Packets to Interface(s) in the Access Group Packet Discard Bucket Y Interface(s) Destination Deny Deny Y Match First Rule ? Permit N Deny Permit Match Next Rule(s) ? YY
- 18. A List of Tests: Deny or Permit Packets to Interface(s) in the Access Group Packet Discard Bucket Y Interface(s) Destination Deny Deny Y Match First Rule ? Permit N Deny Permit Match Next Rule(s) ? Deny Match Last Rule ? YY N YY Permit
- 19. A List of Tests: Deny or Permit Packets to Interface(s) in the Access Group Packet Discard Bucket Y Interface(s) Destination Deny Y Match First Rule ? Permit N Deny Permit Match Next Rule(s) ? Deny Match Last Rule ? YY N YY Permit Implicit Deny If no match deny all Deny N
- 20. ACL Rule Conclusion Q:How to arrange the sequence of rules when configuring ACL ACL matching execute from top to bottom, if one statement match the packets, it will execute the corresponding rule (permit or deny) and then jump out of ACL. There is an implicit rule “Deny all” at the end of each ACL. ACL can be applied to inbound or outbound direction of a concrete IP interface ACL can be applied to a specific system service (e.g. Telnet service on device) Before applying ACL, we should create it We can set only one ACL for a specific protocol on one direction of an interface at one time
- 21. Where to apply ACL? Standard ACL: near the destination Extend ACL: near the source E0 E0 E1 S0 To0 S1 S0 S1 E0 E0Token Ring BB AA DD PC_A PC_B
- 22. Content Review ACL conception and usage ACL working principle ACL types ACL rule
- 23. Questions Where to place standard ACL in the network? Where to place extend ACL? What will be done to the packet if there are no matches in the ACL? How to arrange the sequence of rules when configuring ACL? What will happen if a data packet pass an interface that no ACL is defined?