ACL（7/27,66min）

ACL（Access Control List） Access control list （ It's a technology, not a protocol ）

（ACL/ Packet filtering firewall is the first generation firewall technology ）

ACL Rules can be defined to allow or deny traffic .

ACL You can define the filtering conditions and the actions to be performed after matching the conditions according to the requirements （ Such as VPN）. 

ACL working principle ：

ACL Consisting of one or more rules ;

Each rule must select an action ： Allow or reject

Every rule must have one ID Serial number （ Default =5, interval =5, You can also customize it , Such as rule 3,rule 4, The smaller the better ）

As long as one rule matches the message , Stop looking , be called Hit rules ;

Find all rules , If there are no rules that meet the conditions , be called Miss rule ;

ACL After creation , It must be application It will take effect only in an interface or other technology ;

When applying to the interface, you must select the direction ： Inbound or outbound （ namely inbound And outbound, Relative equipment judgment ）

Cannot filter by Equipment itself Data generated

acl number 3000

        rule 0 deny tcp destiantion-port eq 445

        rule 1 deny udp destination-port eq 445

Use ACL prohibit 445 port （ Prevent blackmail virus ）

When specifying rules, be sure to be fine first and then coarse

ACL type ：

It is divided into digital type ACL And named ACL

name ACL Default to advanced ACL（ The number defaults from 3999 Decline ）, It can also be followed by numbers

[Huawei]acl name defend 3000

[Huawei-acl-adv-defend]rule 1 permit ?
  <1-255>  Protocol number
  gre      GRE tunneling(47)
  icmp     Internet Control Message Protocol(1)
  igmp     Internet Group Management Protocol(2)
  ip       Any IP protocol
  ipinip   IP in IP tunneling(4)
  ospf     OSPF routing protocol(89)
  tcp      Transmission Control Protocol (6)
  udp      User Datagram Protocol (17)

Positive mask 、 Unmask 、 Wildcards are different ：

rule deny so 1.1.1.1 2 1.23.44.5

Wildcard mask ,0 Represents the bit to be checked ,1 Represents bits that do not need to be checked .

Take an example to calculate ：

192.168.16.0 The wildcard is 0.0.15.255, How to calculate its address range ？

wildcard 0.0.15.255 Binary system

00000000.00000000.00001111.11111111

192.168.16.0 Binary system

11000000.10101000.00010000.00000000

The parts marked in red should be strictly matched , Then the black part can 1 can 0, That is, it can be extremely

11000000.10101000.00011111.11111111, Convert to dot decimal

192.168.31.255, Then the address range represented by this wildcard is

192.168.16.0-192.168.31.255

ACL To configure ：

ACL Suggestions on the direction of interface call ：

Consider performance resources 、 Consumption of link bandwidth