Detailed explanation of access control list (ACL) configuration: precise control of network traffic

2025.04.22
Access Control List (ACL) is like a "gatekeeper" on a router, deciding which data can pass and which must be blocked. It is a way to accurately control network traffic with rules, and is widely used in enterprise networks, security policies, and border protection.

1. The role and types of ACL
An ACL is an ordered set of rules against which the router checks every packet entering or leaving an interface. Each rule matches on one or more fields such as source address, destination address, protocol type, and port number.

Common types include:

Standard ACL: matches only the source IP address, giving coarse-grained control; numbered 2000-2999.

Extended ACL: matches source address + destination address + protocol type + port number, giving finer-grained control; numbered 3000-3999.

2. ACL matching principle
The router checks the ACL rules one by one from top to bottom;
As soon as a rule matches, evaluation stops and that rule's action is applied;
If no rule matches, the default behavior is to discard the packet (equivalent to an implicit deny all);
An ACL must be bound to an interface in a direction (in/out), otherwise it has no effect.
3. Hands-on experiment
The network topology diagram is as follows:

1. Configure basic IP addresses

After the configuration is completed, PC3 on the external network can ping PC1 on the internal network normally.

2. Block specific IPs through ACL
Goal: Block 192.168.10.10 from accessing the internal network, and allow all other IPs to access it.

Test results:
PC3 (192.168.10.10) cannot access the intranet;
PC4 can still access it normally.

3. View ACL application and rules

4. Extended ACL example (control by port)
Goal: Only allow 192.168.1.100 to access the Web service (TCP port 80), and deny all other traffic.
Description:

rule permit tcp: allows web requests from the specified host;
destination-port eq 80: restricts the match to the web service port;
rule deny ip: blocks all other traffic.
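To make the matching principle from section 2 concrete, here is a small first-match ACL evaluator written for this page (added example, not configuration from the original post). It encodes the extended ACL of this section and the standard ACL of section 3.2 as rule lists, and also shows what happens when the deny rule is placed above the permit rule; the Rule/Packet format and the sample addresses such as 10.0.0.5 are constructed for illustration and do not reproduce the device's CLI syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # None for protocols without ports

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str = "ip"             # "ip" matches any protocol
    src: str = "0.0.0.0/0"        # source prefix; /32 selects a single host
    dst: str = "0.0.0.0/0"        # destination prefix
    dport: Optional[int] = None   # like "destination-port eq 80"

    def matches(self, pkt: Packet) -> bool:
        # Every field given in the rule must match; omitted fields match anything.
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport

def evaluate(acl: list[Rule], pkt: Packet) -> tuple[str, Optional[int]]:
    """Walk the rules top-down; the first hit decides.
    Returns (action, index of the matching rule); ("deny", None) is the implicit deny."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None

# Extended ACL from section 3.4: only 192.168.1.100 may reach TCP/80, all else denied.
WEB_ONLY = [
    Rule("permit", proto="tcp", src="192.168.1.100/32", dport=80),
    Rule("deny", proto="ip"),
]

# Same two rules in the wrong order: the deny now shadows the permit completely.
SHADOWED = list(reversed(WEB_ONLY))

# Standard ACL from section 3.2: block one source host, permit everyone else.
BLOCK_HOST = [
    Rule("deny", src="192.168.10.10/32"),
    Rule("permit"),
]
```

Run the evaluator over a few packets and compare the index of the matching rule: a rule that is never returned for any traffic you expect is a sign of a shadowing or ordering mistake.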

5. Named ACL Example

Named ACLs are easier to maintain and identify later, and are recommended for use in complex scenarios.
4. Summary
Access Control List (ACL) is an important line of defense in network security. It helps us:

Precisely limit access sources and services;
Prevent unauthorized intrusion;
Precisely manage data traffic.
When configuring an ACL, remember three things: get the rule order right, bind the correct direction, and test and verify. Mastering these will make the network security line of defense much more stable!