当前位置:网站首页>Data communication foundation ACL access control list
Data communication foundation ACL access control list
2022-07-05 15:37:00 【GALi_ two hundred and thirty-three】
ACL Access control list
Access control list ACL(Access Control List) A series of permit or deny The sentences make up 、 A list of ordered rules , It realizes the classification of messages by matching the relevant information of messages ;
ACL It can only be used for message matching and distinguishing , It cannot realize the filtering function of messages , in the light of ACL The filtering function of the matched message , Specific mechanisms are needed to implement ( For example, it is used on the interface of the switch traffic-filter Command invocation ACL To filter messages ),ACL Just a matching tool ;
ACL In addition to being able to match messages , It can also be used to match routes ;
ACL It is a very widely used basic tool , Can be called by various applications or commands .
ACL Application
matching IP Traffic ( Source based 、 Objective IP Address 、 Protocol type 、 Port number and other elements )
stay Traffic-filter In the called
stay NAT In the called
Called in routing policy
stay IPSec VPN In the called
Called in the policy deployment of firewall
stay QoS In the called
ACL Can match one IP Source in packet IP Address 、 Purpose IP Address 、 Protocol type 、 Basic tools for elements such as source and destination ports ;ACL It can also be used to match routing entries .
identification ACL
Use digital identification ACL.
Use the name to identify ACL.
Type of list | Scope of digital identification |
---|---|
Basic ACL | 2000-2999 |
Advanced ACL | 3000-3999 |
ACL The classification of
Basic access control list
- Only to IP The source in the head IP Address matching .
Advanced access control list
- Be able to target the source of the packet 、 Purpose IP Address 、 Protocol type 、 Source destination port number and other elements .
ACL Match order
Basic configuration
• Use numbers to create a basic ACL, And enter ACL View :
[Huawei] acl num
[Huawei-acl-basic-num]
basic ACL The range of numbers is 2000~2999.
• Create a rule (rule):
[Huawei-acl-basic-num] rule 5 {permit/deny} source src-address wildcard
notes : In a ACL You can create one or more rule, This is also ACL List in name (List) The origin of . Every one of them rule There is one. ID, The ID It can be automatically assigned by the system , It can also be allocated manually ,rule Press ID Order from small to large .
Wildcard( wildcard )
Wildcard is a 32 The value of the bit length , Used to indicate IP In the address , Which bits need to be strictly matched , It doesn't matter which bits .
Wildcards are usually expressed in dotted decimal form similar to netmask , But the meaning is completely different from netmask .
Network mask | wildcard |
---|---|
for example 255.255.255.0 | for example 0.0.0.255 |
Used to indicate IP In the address , Which bits are part of the network , What is the host part . | Used to indicate IP In the address , Which bits need to be strictly matched , It doesn't matter which bits . |
In the netmask 1 The bit of represents the network part . | Wildcards are 1 The bit of indicates that no match is required . |
In the netmask 0 The bit of indicates the host part . | Wildcards are 0 The bit representation of must be strictly matched . |
special wildcard
Example : matching 192.168.1.0/24 The last one in this subnet 8 Bit group based IP Address , for example 192.168.1.1、192.168.1.3、192.168.1.5 etc. .
basic ACL To configure
The experimental requirements :
In the initial case PC1 And PC2 Can access Server.
Now in GW Application on the interface of ACL, bring PC2 cannot access Server, Other users in the same network segment can access Server.
[GW]acl 2000
[GW-acl-basic-2000]rule deny source 192.168.1.2 0
[GW-acl-basic-2000]rule permit
[GW-acl-basic-2000]quit
[GW]interface GigabitEthernet 0/0/0
# traffic-filter be based on acl Packet filtering
[GW-GigabitEthernet0/0/0]traffic-filter inbound acl 2000
Rule permit The meaning of this rule is to match all , That is to say “permit any” It means . In fact, I was deceived ACL By interface level commands traffic-filter Invocation time , Has not been ACL Of rule The matched traffic is released by default , So in this case ,rule permit It's optional . But configure this rule after , stay display acl Is to be able to explicitly see being ACL The number of messages released by this rule .
192.168.1.2 Traffic will be rejected , By this IP You can release
senior ACL To configure
Use numbers to create an advanced ACL, And enter ACL View :
[Huawei] acl num
[Huawei-acl-adv-num]
# senior ACL The range of numbers is 3000~3999.
according to IP Configure advanced ACL The rules :
[Huawei-acl-adv-num] rule 5 {permit/deny} ip source src-address wildcard destination dst-address wildcard
except IP agreement , senior ACL According to IP Match the upper layer protocol information carried , for example TCP、UDP、ICMP wait .
After configuration ,PC2 Will not be able to Telnet Server2, But it can. ping through Server2, In addition, other flows are allowed .
because ensp in PC Out-of-service Telnet, So they all use routers instead
[GW]acl 3000
[GW-acl-adv-3000]rule 5 deny tcp source 192.168.1.2 0 destination 10.1.1.2 0 des
tination-port eq 23 # eq 23 Or you could write it as eq telnet
[GW-acl-adv-3000]rule 10 permit ip # Allow others ip Flow through ( Optional )
[GW-acl-adv-3000]quit
[GW]int GigabitEthernet 0/0/0
[GW-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
pc1 Sure telnet Server2
pc2 You can't Telnet Server2, But it can ping through
Add :
Operators and syntax | meaning |
---|---|
equalportnumber | Equal to port number portnumber |
greater-thanportnumber | Greater than port number portnumber |
less-thanportnumber | Less than port number portnumber |
not-equalportnumber | Not equal to port number portnumber |
rangeportnumber1 portnumber2 | Between port number portnumber1 and portnumber2 Between |
establish acl name
Create a base with a name ACL:
[GW] acl name xxx basic
Create advanced with name ACL:
[GW] acl name xxx advance
边栏推荐
- Huiyuan, 30, is going to have a new owner
- First PR notes
- Common MySQL interview questions
- Cartoon: programmers don't repair computers!
- Can I pass the PMP Exam in 20 days?
- Codasip为RISC-V处理器系列增加Veridify安全启动功能
- DVWA range clearance tutorial
- Anti shake and throttling
- 【簡記】解决IDE golang 代碼飄紅報錯
- Good article inventory
猜你喜欢
Bugku cyberpunk
qt creater断点调试程序详解
【 note 】 résoudre l'erreur de code IDE golang
Huawei Hubble incarnation hard technology IPO harvester
Creation and optimization of MySQL index
数据库学习——数据库安全性
MySQL giant pit: update updates should be judged with caution by affecting the number of rows!!!
lvgl 显示图片示例
【簡記】解决IDE golang 代碼飄紅報錯
Optional parameters in the for loop
随机推荐
【 note 】 résoudre l'erreur de code IDE golang
keep-alive
复现Thinkphp 2.x 任意代码执行漏洞
Value series solution report
lv_ font_ Conv offline conversion
Ctfshow web entry command execution
Ctfshow web entry explosion
Noi / 1.5 06: element maximum span value of integer sequence
Summary of the third class
Array sorting num ranking merge in ascending order
The difference between abstract classes and interfaces in PHP (PHP interview theory question)
Common MySQL interview questions (1) (written MySQL interview questions)
I'm fat, huh
Linear DP (basic questions have been updated)
JS knowledge points-01
可转债打新在哪里操作开户是更安全可靠的呢
Object. defineProperty() - VS - new Proxy()
Bubble sort, insert sort
OSI seven layer model
mapper. Comments in XML files