• Switches and routers forward data according to their forwarding rules by default. If some data needs to be
controlled specially, an ACL can be used.
• In this project, PCs of the technical department and the financial department can access each other
through the layer-3 switch by default. An ACL can be configured to control the data forwarding.
(Figure: the layer-3 switch connected to two layer-2 switches, and the fields of an extended ACE: source IP subnet with its subnet mask written as a wildcard mask, destination IP subnet with its subnet mask written as a wildcard mask.)
Principle and Configuration of ACL
• Common ACL Types
• Standard ACL: Only the source IP address is matched.
• Extended ACL: The source IP address, destination IP address, protocol (TCP/IP), and protocol
information such as port numbers are matched.
• ACL Identification
• An ACL is identified either by a number (No.) or by a user-defined name.
• You are advised to define a name for an ACL. For example, if PCs in VLAN 10 are prohibited from accessing
VLAN 30, name the ACL DENY_VLAN10_TO_VLAN30. In this way, the ACL name clearly reflects the service
requirement that the ACL implements.
Ruijie(config)#ip access-list standard ?
<1-99> IP standard acl
<1300-1999> IP standard acl (expanded range)
WORD Acl name
• ACE Actions
• Permit: Data flows that match the ACL statement are permitted.
• Deny: Data flows that match the ACL statement are denied.
• Wildcard Mask
• A wildcard mask is often used to match data of an IP address range. We have already caught a glimpse of the wildcard mask
when learning route distribution by OSPF.
Ruijie(config)#ip access-list standard 13
Ruijie(config-std-nacl)#permit 192.168.1.0 0.0.0.255
This statement matches the IP address range 192.168.1.0 to 192.168.1.255: a 0 bit in the wildcard mask means the corresponding address bit must match, and a 1 bit means it is ignored.
• In this ACL, "standard" indicates that the ACL is a standard ACL, that is, data matching is performed based on only the source IP
address. This ACL permits data whose source IP address is in the range 192.168.1.0 to 192.168.1.255.
• Requirements:
• The PC with the IP address 192.168.1.2 is allowed to access all PCs in the network segment 192.168.4.0/24.
• Other PCs in the network segment 192.168.1.0/24 are not allowed to access any PC in the network segment
192.168.4.0/24.
• PCs in the network segment 192.168.1.0/24 are not allowed to access any PC in the network segment 192.168.5.0/24.
• PCs in the network segment 192.168.2.0/24 are not allowed to access the Web service with the IP address 10.5.5.5.
• Configuration ideas:
• Configure an extended ACL, as both the source and destination IP addresses need to be controlled.
• Write the ACEs according to the requirements, placing the more specific permit for host 192.168.1.2 before the deny for its whole network segment.
• Configuration:
Ruijie(config)#ip access-list extended safe
Ruijie(config-ext-nacl)#permit ip host 192.168.1.2 192.168.4.0 0.0.0.255
Ruijie(config-ext-nacl)#deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
Ruijie(config-ext-nacl)#deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
Ruijie(config-ext-nacl)#deny tcp 192.168.2.0 0.0.0.255 host 10.5.5.5 eq 80
Ruijie(config-ext-nacl)#permit ip any any
• Configuring Multiple Statements in an ACL
• Each statement in an ACL is called an Access Control Entry (ACE).
• ACEs are matched from top down, that is, by sequence number (No.) in ascending order.
• Once an ACE is matched (regardless of whether the action is deny or permit), ACL matching stops.
• If statements are configured in an ACL, there is an implicit default statement deny ip any any (not displayed) at the end.
Generally, an ACL therefore ends with an explicit permit statement so that traffic not matched by an earlier ACE is still forwarded.
• For example, if an ACE that allows the PC with the IP address 192.168.1.2 to access PCs in the network segment 192.168.5.0/24 is
required, it must be inserted between ACE 20 and ACE 30, that is, before the deny for the whole 192.168.1.0/24 segment, for example as ACE 21:
Ruijie(config)#ip access-list extended safe
Ruijie(config-ext-nacl)#21 permit ip host 192.168.1.2 192.168.5.0 0.0.0.255
• Applying an ACL to an Interface
• In: ACL matching is performed on data received by this interface.
• Out: ACL matching is performed on data sent from this interface.
Ruijie(config)#int f0/1
Ruijie(config-FastEthernet 0/1)#ip access-group safe in
• An ACL can be called on a physical port or an SVI.
(Figure: SW 1, a layer-3 switch, connects through its ports 1 and 2 to port 24 of the layer-2 switches SW 2 and SW 3. Each layer-2 switch connects PCs of the technical department (192.168.1.0/24) and the financial department (192.168.2.0/24); PC 1 belongs to the technical department and PC 2 to the financial department.)
• ACL Application
• Requirement: PCs of the technical department need to be prohibited from accessing PCs of the financial department.
• Configure an extended ACL, as both source and destination IP addresses are involved.
• 3. Call the ACL on an interface (the interface connected to PCs of the technical department):
SW2(config)#int f0/1
SW2(config-FastEthernet 0/1)#ip access-group safe in
• In this way, PCs of the technical department cannot access PCs of the financial department.
• In this way, PCs of the technical department connected to SW 2 cannot access PCs of the financial department. The security policy needs to
be enforced throughout the network, so complete the same configuration on SW 3.
• Time-based ACL
• Configure an ACE that takes effect only in a specific time range.
• For example, employees are allowed to access only Web pages during office hours (9:00–18:00),
and other applications are prohibited. All applications are allowed outside office hours.
• Configuration ideas:
• 2. Define a time range.
• Use the absolute keyword to define a one-off absolute time, or the periodic keyword to define a recurring one.
• The following defines the time range from 9:00 to 18:00 on workdays:
Ruijie(config)#time-range WORK_TIME
Ruijie(config-time-range)#periodic ?
Daily Every day of the week
Friday Friday
Monday Monday
Saturday Saturday
Sunday Sunday
Thursday Thursday
Tuesday Tuesday
Wednesday Wednesday
Weekdays Monday through Friday
Weekend Saturday and Sunday
Ruijie(config-time-range)#periodic weekdays 9:00 to 18:00
• 3. Associate an ACE in the ACL with the defined time range.
• When the current time is not within the time range defined by WORK_TIME, the two ACEs that reference it (10 and 20) do not
take effect, and ACE 30 permits all traffic.
ip access-list extended OA
10 permit tcp any any eq www time-range WORK_TIME
20 deny ip any any time-range WORK_TIME
30 permit ip any any
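The following Python model is an added illustration, not Ruijie code or output from the slides. It shows the rules stated in the sections above working together: wildcard-mask matching, top-down first-match evaluation, the implicit deny at the end of an ACL, inserting ACE 21 into the extended ACL "safe" by sequence number, and gating ACEs 10 and 20 of the time-based ACL "OA" with the WORK_TIME range. The Packet and ACE classes, their field names, and the sample addresses and timestamps are constructed for this example.

```python
# Added illustration (not Ruijie code): a model of how ACEs are evaluated.
# Classes, field names, sample packets and sample times are constructed for this example.
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, List, Optional, Tuple


def ip_to_int(ip: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer."""
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask match: a 0 bit must match, a 1 bit is ignored.
    0.0.0.255 matches a /24, 0.0.0.0 matches one host, 255.255.255.255 matches any address."""
    care = ~ip_to_int(wildcard)
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip", "tcp" or "udp"
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass
class ACE:
    seq: int                     # sequence number (No.); ACEs are matched in ascending order
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any IP protocol; "tcp" matches only TCP
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # "eq <port>"
    time_range: Optional[Callable[[datetime], bool]] = None  # "time-range <name>"

    def matches(self, pkt: Packet, now: Optional[datetime]) -> bool:
        if self.time_range is not None and (now is None or not self.time_range(now)):
            return False         # an ACE outside its time range does not take effect
        if self.proto != "ip" and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return (wildcard_match(pkt.src, self.src, self.src_wc)
                and wildcard_match(pkt.dst, self.dst, self.dst_wc))


class ACL:
    def __init__(self, name: str):
        self.name = name
        self.aces: List[ACE] = []

    def add(self, ace: ACE) -> None:
        """Insert by sequence number, so '21 permit ...' lands between ACE 20 and ACE 30."""
        self.aces.append(ace)
        self.aces.sort(key=lambda a: a.seq)

    def evaluate(self, pkt: Packet, now: Optional[datetime] = None) -> str:
        """Top-down first match; matching stops at the first hit, whatever its action."""
        for ace in self.aces:
            if ace.matches(pkt, now):
                return ace.action
        return "deny"            # the implicit, undisplayed 'deny ip any any' at the end


def host(ip: str) -> Tuple[str, str]: return ip, "0.0.0.0"        # 'host <ip>'
def net24(ip: str) -> Tuple[str, str]: return ip, "0.0.0.255"     # '<net> 0.0.0.255'
ANY = ("0.0.0.0", "255.255.255.255")                              # 'any'


def build_safe_acl() -> ACL:
    """The extended ACL 'safe' from the slides, with default sequence numbers 10, 20, ..."""
    acl = ACL("safe")
    acl.add(ACE(10, "permit", "ip", *host("192.168.1.2"), *net24("192.168.4.0")))
    acl.add(ACE(20, "deny", "ip", *net24("192.168.1.0"), *net24("192.168.4.0")))
    acl.add(ACE(30, "deny", "ip", *net24("192.168.1.0"), *net24("192.168.5.0")))
    acl.add(ACE(40, "deny", "tcp", *net24("192.168.2.0"), *host("10.5.5.5"), dport=80))
    acl.add(ACE(50, "permit", "ip", *ANY, *ANY))
    return acl


def work_time(now: datetime) -> bool:
    """time-range WORK_TIME: periodic weekdays 9:00 to 18:00 (modelled as [9:00, 18:00))."""
    return now.weekday() < 5 and time(9, 0) <= now.time() < time(18, 0)


def build_oa_acl() -> ACL:
    """The time-based ACL 'OA' from the slides."""
    acl = ACL("OA")
    acl.add(ACE(10, "permit", "tcp", *ANY, *ANY, dport=80, time_range=work_time))
    acl.add(ACE(20, "deny", "ip", *ANY, *ANY, time_range=work_time))
    acl.add(ACE(30, "permit", "ip", *ANY, *ANY))
    return acl


# Constructed sample times: 2024-01-08 is a Monday, 2024-01-07 a Sunday.
OFFICE_HOURS = datetime(2024, 1, 8, 10, 0)
EVENING = datetime(2024, 1, 8, 20, 0)
SUNDAY = datetime(2024, 1, 7, 14, 0)

if __name__ == "__main__":
    safe = build_safe_acl()
    print(safe.evaluate(Packet("192.168.1.2", "192.168.5.7")))           # deny (ACE 30)
    safe.add(ACE(21, "permit", "ip", *host("192.168.1.2"), *net24("192.168.5.0")))
    print(safe.evaluate(Packet("192.168.1.2", "192.168.5.7")))           # permit (ACE 21)
    oa = build_oa_acl()
    print(oa.evaluate(Packet("192.168.1.5", "10.5.5.5", "tcp", 443), OFFICE_HOURS))  # deny
    print(oa.evaluate(Packet("192.168.1.5", "10.5.5.5", "tcp", 443), EVENING))       # permit
```

Two details worth noticing when running it: a UDP packet to 10.5.5.5 port 80 passes the "safe" ACL because ACE 40 is written for tcp only, and an ACL built from a single permit statement still drops everything else, because the implicit deny is always present even though it is never displayed.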
• ACL Configuration Position
• After this study, Tom had mastered the ACL tool. He simulated the configuration in the company lab and confirmed that the ACL
worked. However, he noticed the following problem: the requirement of prohibiting PCs of the technical department from
accessing PCs of the financial department can be implemented on SW 2, SW 1, or SW 3, and the ACL can be applied in the
inbound or outbound direction. So there are many configuration methods. Which one is optimal? Or are all of them usable?
• Tom discussed this problem with the manager, who then explained the ACL application position to him.
• ACL Application Position
• Data flow analysis
• The following uses the access from PC 1 of the technical department to PC 2 of the financial department as an example to
analyze the data flow.
• For PC 1 to access PC 2 successfully, its data must flow through SW 2, SW 1, and SW 3, and finally reach PC 2.
• Complete access is two-way. Therefore, data from PC 2 must flow through SW 3, SW 1, and SW 2, and finally reach PC 1.
• ACL Application Position
• Since many positions are available for ACL configuration, which one is optimal?
• The access from PCs of the technical department to PCs of the financial department can be blocked on any of the three switches;
optimally, in the inbound direction on SW 2. The data flow has to be blocked anyway, so there is no point wasting resources
forwarding it on the other devices.
• Tom felt enlightened. Then the manager asked Tom a question: if only a standard ACL could be configured, where should the ACL be
applied?
• Tom could not figure out the difference between a standard ACL and an extended ACL.
• ACL Application Position
• The manager told Tom that a standard ACL can match only source IP addresses. If an ACL is configured on SW 2 to block data packets
sourced from PCs of the technical department, those PCs also cannot access each other, because the ACL cannot tell the destinations apart.
• Therefore, standard ACLs are generally applied to interfaces close to the destination. In this project, the standard ACL can be applied in
the outbound direction of the interfaces connected to PCs of the financial department on SW 2 and SW 3, to block access from
PCs of the technical department.
• Hearing the manager's words, Tom realized that ACLs were more complicated than they looked and that using them skillfully was not easy.
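The manager's point can be checked mechanically. The following Python simulation is an added example, not part of the course: it applies a source-only (standard) ACL that denies 192.168.1.0/24 at two candidate placements in the course topology and lists which flows each placement drops. The host addresses, the port roles ("tech_port", "fin_port", "uplink") and the placement names are constructed for this example; the topology and the rule that a standard ACL sees only the source address come from the slides.

```python
# Added illustration (not Ruijie code): where a source-only (standard) ACL should be applied.
# Topology (SW 1 layer-3 core, SW 2/SW 3 access switches, one technical and one financial PC
# behind each) and the 'standard ACL matches only the source' rule follow the course slides;
# host addresses, port roles and placement names are constructed for this example.
import ipaddress
from itertools import permutations
from typing import Dict, List, Set, Tuple

TECH = ipaddress.ip_network("192.168.1.0/24")   # technical department
FIN = ipaddress.ip_network("192.168.2.0/24")    # financial department

# name -> (address, access switch, port role on that switch); constructed sample hosts
HOSTS: Dict[str, Tuple[str, str, str]] = {
    "tech_sw2": ("192.168.1.2", "SW2", "tech_port"),
    "fin_sw2": ("192.168.2.2", "SW2", "fin_port"),
    "tech_sw3": ("192.168.1.3", "SW3", "tech_port"),
    "fin_sw3": ("192.168.2.3", "SW3", "fin_port"),
}

Hop = Tuple[str, str, str]   # (switch, direction "in"/"out", port role)


def standard_acl(src: str) -> str:
    """Standard ACL 'deny 192.168.1.0 0.0.0.255' followed by 'permit any': only the source is seen."""
    return "deny" if ipaddress.ip_address(src) in TECH else "permit"


def path(src_name: str, dst_name: str) -> List[Hop]:
    """Interfaces (with direction) a packet crosses from src to dst in the course topology."""
    _, s_sw, s_port = HOSTS[src_name]
    _, d_sw, d_port = HOSTS[dst_name]
    hops: List[Hop] = [(s_sw, "in", s_port)]
    if s_sw != d_sw:   # cross the layer-3 core: SW2 -> SW1 -> SW3 (or the reverse)
        hops += [(s_sw, "out", "uplink"), ("SW1", "in", "downlink_" + s_sw),
                 ("SW1", "out", "downlink_" + d_sw), (d_sw, "in", "uplink")]
    hops.append((d_sw, "out", d_port))
    return hops


def blocked_flows(placement: Set[Hop]) -> List[str]:
    """Flows dropped when standard_acl is applied at every interface/direction in placement."""
    blocked = []
    for src, dst in permutations(HOSTS, 2):
        src_ip = HOSTS[src][0]
        if any(hop in placement and standard_acl(src_ip) == "deny" for hop in path(src, dst)):
            blocked.append(f"{src}->{dst}")
    return sorted(blocked)


def collateral(placement: Set[Hop]) -> List[str]:
    """Blocked flows the requirement did not ask for (the destination is not a financial PC)."""
    return [f for f in blocked_flows(placement)
            if ipaddress.ip_address(HOSTS[f.split("->")[1]][0]) not in FIN]


# Near the source: inbound on the technical-department ports of SW 2 and SW 3.
SOURCE_SIDE: Set[Hop] = {("SW2", "in", "tech_port"), ("SW3", "in", "tech_port")}
# Near the destination: outbound on the financial-department ports (the manager's answer).
DEST_SIDE: Set[Hop] = {("SW2", "out", "fin_port"), ("SW3", "out", "fin_port")}

if __name__ == "__main__":
    for name, placement in (("source side", SOURCE_SIDE), ("destination side", DEST_SIDE)):
        print(f"{name}: blocks {blocked_flows(placement)}; collateral {collateral(placement)}")
```

Run stand-alone, the source-side placement drops technical-to-technical traffic between the two access switches as well as the intended technical-to-financial flows, while the destination-side placement drops exactly the four flows the requirement names. The same model can be extended with an extended-ACL matcher to confirm that, once the destination is matched too, inbound on SW 2 becomes the cheapest correct position.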
• Summary
• In this chapter, Tom mastered the purpose of ACLs and the difference between standard ACLs and extended ACLs.
He also learned the matching basis of ACLs and practiced configuring ACLs according to requirements. Tom
later learned time-based ACLs and realized the power of ACLs.
• Finally, Tom discussed the ACL application position with the manager. In short, ACLs can be applied flexibly.
• After solving the problems, Tom reported his ACL learning experience to the manager.
• Exercises
• What is the relationship between the ACL application direction on an interface and the interface itself?
• Attempt to configure ACLs on different devices and in different directions to block PCs of the technical department
from accessing PCs of the financial department.
THANKS
Ruijie Networks Co., Ltd.
Address: Floor 11, East Wing, Zhongyipengao Plaza, No. 29 Fuxing Road, Haidian District, Beijing, China
Post Code: 100036
Tel: (8610) 5171-5996
Fax: (8610) 5171-5872
www.ruijienetworks.com