
I. Example of On-campus Resource Access Control System
The on-campus resource access control system can let users reach certain resources directly, without logging in: some on-campus users, for example, access resources without signing in to the system at all. A new version of the VPN has also been opened to make intranet and library resources reachable from the external network. It requires no client or plug-in installation, can be used directly on computers and mobile phones, and specific browsers are recommended for a better experience. This is a special access control arrangement for a specific environment (on-campus resource access): it rests on the policy decision to share on-campus resources, and its purpose is to make it easy for on-campus users to obtain them.
II. Working principle of ACL (Access Control List)
1. Based on packet filtering technology
- ACL uses packet filtering technology: on the router it reads the information in the layer 3 and layer 4 packet headers of the OSI seven-layer model, such as source address, destination address, source port and destination port.
- The packet is then filtered according to pre-defined rules, which achieves the purpose of access control.
2. Rule set and interface application
- An ACL is a set of rules applied to a particular interface of a router. For a router interface, an access control list has two directions: outbound (packets that have been processed by the router and are leaving it) and inbound (packets that have arrived at the router interface and are about to be processed by the router).
- Once an ACL is applied to an interface, the router matches each data packet against this set of rules in sequence: evaluation stops at the first rule that matches, and the packet is handled by that rule; if no rule matches, the default rule at the end of the list applies.
3. Standard access control list
- A standard ACL permits or denies data packets based only on the packet's source IP address. Standard access control lists use list numbers 1 to 99.
- For example, to create an ACL permitting all hosts in the 192.168.1.0 network segment: Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255; to permit a single host: Router(config)#access-list 1 permit host 10.0.0.1; to create a default ACL entry denying all hosts: Router(config)#access-list 1 deny any. The keyword host specifies a single host address without writing a wildcard (inverse subnet) mask, and any represents all hosts.
4. Extended Access Control List
- An extended ACL permits or denies data packets based on the source IP address, destination IP address, specified protocol, port, and flags of the packet. Extended access control lists use list numbers 100 to 199.
- An extended ACL entry is built from the following fields: access-list-number, which specifies the access control list number; protocol, which specifies the protocol type, such as IP, TCP, UDP or ICMP; source and destination, which give the source and destination addresses respectively; and source-wildcard and destination-wildcard, which are the wildcard (inverse subnet) masks for those addresses.
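The points made in sections 2 to 4 (sequential first-match evaluation, the default rule, standard versus extended lists, and wildcard masks) can be checked with a small simulator. The following Python is an added example, not code from the original page or from any router vendor: it parses access-list lines in the IOS-style form used above (standard lists take only a source; extended lists take protocol, source, source-wildcard, destination, destination-wildcard, and optionally eq port) and evaluates packets against them. It assumes, as on real IOS routers, that the implicit default rule at the end of every list is deny; the configuration lines and packets below are constructed test data.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example: a simulator of router-side ACL evaluation. Entries are
# checked in order, the first match decides, and if nothing matches the
# implicit default rule "deny" applies.


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard (inverse) mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"          # ip, tcp, udp, icmp
    dst_port: Optional[int] = None


@dataclass
class Entry:
    number: int
    action: str                   # "permit" or "deny"
    protocol: str                 # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None   # only set when "eq <port>" is given

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        if not wildcard_match(pkt.src, self.src, self.src_wc):
            return False
        if not wildcard_match(pkt.dst, self.dst, self.dst_wc):
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


def _parse_addr(tokens: List[str], i: int):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at tokens[i]."""
    if tokens[i] == "any":                       # any host: all bits don't-care
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":                      # one host: all bits must match
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list N permit|deny ...' line (standard or extended)."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99:                        # standard list: source only
        src, src_wc, _ = _parse_addr(t, 3)
        return Entry(number, action, "ip", src, src_wc, "0.0.0.0", "255.255.255.255")
    if 100 <= number <= 199:                     # extended list
        protocol = t[3]
        src, src_wc, i = _parse_addr(t, 4)
        dst, dst_wc, i = _parse_addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        return Entry(number, action, protocol, src, src_wc, dst, dst_wc, port)
    raise ValueError(f"unsupported access-list number {number}")


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Sequential matching: stop at the first match; no match -> implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


# Constructed configuration lines, mirroring the syntax shown on the page.
STANDARD_ACL = [parse_entry(line) for line in [
    "access-list 1 permit 192.168.1.0 0.0.0.255",
    "access-list 1 permit host 10.0.0.1",
    "access-list 1 deny any",
]]

EXTENDED_ACL = [parse_entry(line) for line in [
    "access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.1 eq 80",
    "access-list 100 deny ip any any",
]]

if __name__ == "__main__":
    print(evaluate(STANDARD_ACL, Packet("192.168.1.77", "10.0.0.9")))       # permit
    print(evaluate(STANDARD_ACL, Packet("10.0.0.2", "10.0.0.9")))           # deny
    print(evaluate(EXTENDED_ACL, Packet("192.168.1.5", "10.0.0.1", "tcp", 80)))   # permit
    print(evaluate(EXTENDED_ACL, Packet("192.168.1.5", "10.0.0.1", "tcp", 443)))  # deny
```

The last packet shows why the order of entries matters: a packet that the first extended entry does not cover falls through to the "deny ip any any" line, and would be denied by the implicit default rule even if that line were omitted.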
In general, an access control system decides, by a set of rules, which users or data packets may access specific resources or pass through specific network interfaces. These rules can be based on a variety of factors, from a simple IP address to complex combinations of network parameters such as protocols and ports.