Hcia-r & s self use notes (24) ACL
2022-07-29 05:39:00 【Master basket ladle Xiao Lu】
ACL(7/27,66min)
ACL (Access Control List): an access control list is a technique, not a protocol.
(ACL-based packet filtering is the first-generation firewall technology.)
ACL rules are defined to permit or deny traffic.
An ACL defines the filtering conditions and the action to take once a condition is matched, according to the requirement at hand (for example, selecting traffic for a VPN).
How an ACL works:
An ACL consists of one or more rules.
Every rule must specify an action: permit or deny.
Every rule has a rule ID (serial number). By default the first ID is 5 and the step is 5; IDs can also be assigned manually (e.g. rule 3, rule 4). The smaller the ID, the earlier the rule is checked.
As soon as one rule matches the packet, the search stops; this is called a rule hit.
If all rules are searched and none matches, this is called a rule miss.
After an ACL is created it takes effect only once it is applied to an interface or referenced by another feature.
When applying an ACL to an interface, a direction must be chosen: inbound or outbound, judged relative to the device.
An ACL cannot filter traffic generated by the device itself.
```
acl number 3000
 rule 0 deny tcp destination-port eq 445
 rule 1 deny udp destination-port eq 445
```
This ACL blocks port 445 (a defence against ransomware worms).
When writing rules, put the specific (fine-grained) rules first and the general (coarse) rules after them.
ACL types:
ACLs are divided into numbered ACLs and named ACLs.

| Classification | Number range | Match parameters |
| --- | --- | --- |
| Basic ACL | 2000-2999 | Source IP address (used by NAT, routing policy) |
| Advanced ACL | 3000-3999 | Source and destination IP address, source and destination port |
| Layer 2 ACL | 4000-4999 | Source and destination MAC address, Ethernet frame protocol type, etc. |

A named ACL is an advanced ACL by default (its number is allocated downward from 3999); a number can also be given explicitly after the name.
```
[Huawei]acl name defend 3000
[Huawei-acl-adv-defend]rule 1 permit ?
  <1-255>  Protocol number
  gre      GRE tunneling(47)
  icmp     Internet Control Message Protocol(1)
  igmp     Internet Group Management Protocol(2)
  ip       Any IP protocol
  ipinip   IP in IP tunneling(4)
  ospf     OSPF routing protocol(89)
  tcp      Transmission Control Protocol (6)
  udp      User Datagram Protocol (17)
```
Netmask, inverse mask and wildcard are different things:
```
rule deny so 1.1.1.1 2 1.23.44.5
```
| Name | Rule | Used by | Example | Remarks |
| --- | --- | --- | --- | --- |
| Netmask | contiguous 1s followed by contiguous 0s | IP addresses | 255.255.255.0 | 1 = network bit, 0 = host bit |
| Inverse mask | contiguous 0s followed by contiguous 1s | routing protocols | 0.0.0.255 | 0 must match, 1 need not match |
| Wildcard | any mix of 0s and 1s | ACL | 0.0.255.0 | 0 must match, 1 need not match |
In a wildcard mask, a 0 bit means the bit must be checked; a 1 bit means the bit need not be checked.

| Example | Remarks |
| --- | --- |
| 192.168.0.1 0.0.0.0 (abbreviated as 0) | Matches a single host address |
| 192.168.0.0 0.0.0.255 | Matches a network segment |
| 192.168.0.1 0.0.0.254 | Matches the odd addresses in the segment |
| 192.168.0.0 0.0.0.254 | Matches the even addresses in the segment |
| any = x.x.x.x 255.255.255.255 | Matches all addresses |
Worked calculation:
192.168.16.0 with wildcard 0.0.15.255: what address range does it cover?
Wildcard 0.0.15.255 in binary:
00000000.00000000.00001111.11111111
192.168.16.0 in binary:
11000000.10101000.00010000.00000000
The bits under a wildcard 0 (the first 20 bits) must match exactly, while the bits under a wildcard 1 (the last 12 bits) may be either 0 or 1. At most they are all 1:
11000000.10101000.00011111.11111111, which in dotted decimal is
192.168.31.255. So the address range represented by this wildcard is
192.168.16.0-192.168.31.255
ACL configuration:

| Command | Remarks |
| --- | --- |
| acl 2000 | Create a basic ACL |
| rule 5 deny/permit source 192.168.1.0 0.0.0.255 | Configure an ACL rule: deny or permit traffic whose source address is in 192.168.1.0/24 |
| acl 3000 | Create an advanced ACL |
| rule 5 deny/permit tcp source 192.168.1.0 0.0.0.255 destination 8.8.8.8 0 destination-port eq 80 | Configure an ACL rule: deny or permit HTTP traffic from 192.168.1.0/24 to 8.8.8.8 |
| traffic-filter inbound/outbound acl 2000 | Apply the ACL on the interface to filter traffic |
| display acl 2000 | Verify the ACL |
| display traffic-filter applied-record | View where ACLs are applied on the device (support for this command varies between devices) |
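To make the matching rules above concrete, here is an added example (my own code, not part of the original notes and not Huawei's VRP implementation) that reproduces the wildcard arithmetic of the 192.168.16.0 / 0.0.15.255 calculation, the odd/even wildcard trick, and the first-hit evaluation of rules in ascending ID order, including why "fine first, then coarse" matters. It loads the port-445 rules and the HTTP rule from the tables above; the `FINE_FIRST`/`COARSE_FIRST` rule sets, the `Packet`/`Rule` classes and the permit-on-miss default are my assumptions for illustration.

```python
"""Wildcard-mask arithmetic and first-match ACL evaluation.

Added example, not part of the original notes or of Huawei's VRP.
It models the behaviour the notes describe: a wildcard bit of 0 must
match and a bit of 1 is "don't care"; rules are checked in ascending
rule-number order and the first hit ends the search.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # equivalent of the "any" keyword


def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base on every bit where the wildcard is 0."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF            # 1 where the bit must be checked
    return (a & care) == (b & care)


def wildcard_range(base: str, wildcard: str) -> tuple[str, str]:
    """Lowest and highest address covered by base/wildcard.

    Every address in between is covered only when the wildcard's 1 bits
    are contiguous (e.g. 0.0.15.255); for 0.0.0.254 the two bounds are
    still correct but only the odd or even addresses inside them match.
    """
    b, w = int(IPv4Address(base)), int(IPv4Address(wildcard))
    low = b & ~w & 0xFFFFFFFF         # don't-care bits forced to 0
    high = b | w                      # don't-care bits forced to 1
    return str(IPv4Address(low)), str(IPv4Address(high))


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                       # "permit" or "deny"
    proto: str = "ip"                 # "ip" matches any IP protocol
    src: tuple[str, str] = ANY        # (base address, wildcard)
    dst: tuple[str, str] = ANY
    dport: Optional[int] = None       # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not wildcard_matches(pkt.src, *self.src):
            return False
        if not wildcard_matches(pkt.dst, *self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


def evaluate(rules, pkt, default: str = "permit"):
    """Return (action, rule number) of the first hit, or (default, None) on a miss.

    Assumption: a miss falls through to `default`; permit is used here,
    matching the behaviour of a traffic-filter with no matching rule.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action, rule.number
    return default, None


# acl number 3000 from the notes, plus the advanced rule from the config table
ACL_3000 = [
    Rule(0, "deny", proto="tcp", dport=445),
    Rule(1, "deny", proto="udp", dport=445),
    Rule(5, "deny", proto="tcp", src=("192.168.1.0", "0.0.0.255"),
         dst=("8.8.8.8", "0.0.0.0"), dport=80),
]

# "Fine first, then coarse": a host exception only works when it precedes
# the network-wide deny. These two rule sets are constructed for illustration.
FINE_FIRST = [
    Rule(5, "permit", src=("192.168.1.10", "0.0.0.0")),
    Rule(10, "deny", src=("192.168.1.0", "0.0.0.255")),
]
COARSE_FIRST = [
    Rule(5, "deny", src=("192.168.1.0", "0.0.0.255")),
    Rule(10, "permit", src=("192.168.1.10", "0.0.0.0")),  # never reached
]

if __name__ == "__main__":
    print(wildcard_range("192.168.16.0", "0.0.15.255"))
    smb = Packet("tcp", "192.168.1.10", "10.0.0.5", 445)
    print(evaluate(ACL_3000, smb))
    host = Packet("tcp", "192.168.1.10", "8.8.8.8", 443)
    print(evaluate(FINE_FIRST, host), evaluate(COARSE_FIRST, host))
```

`wildcard_range` confirms the 192.168.16.0-192.168.31.255 result from the worked calculation, and the `COARSE_FIRST` set shows the failure mode the notes warn about: the same two rules with their IDs swapped deny the host that was meant to be permitted, because rule 5 hits first and the search stops.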
Recommendations on which direction to apply an ACL on an interface:
Consider the consumption of device performance resources and of link bandwidth.