NewH3C——ACL
2022-07-04 08:14:00 【AiY..】
I. ACL concepts
1. Definition: an ACL (access control list) is used to match and filter traffic.
2. Uses:
- Access control: ACL + packet-filter
- Route control: ACL + route-policy
- Traffic control: ACL + QoS
II. ACL packet filtering
1. Definition: packets entering or leaving an interface are checked one by one and then either discarded or allowed through (H3C devices allow by default).
Note: packet filtering only takes effect once it is applied to a specific direction of an interface, and each direction of an interface can carry only one packet-filter policy.
2. Direction of packet filtering
- Inbound: only packets arriving from outside are filtered
- Outbound: only packets being sent out are filtered
3. Packet-filtering workflow
ACL rules are matched in sequence, so rules that cover a smaller range should be placed first.
In words:
1. When a packet arrives at the interface, check whether an ACL is applied; if so, start matching, otherwise let the packet through.
2. Match the packet against the first rule of the ACL with that number; if it matches, check the rule's action (permit lets the packet through, deny discards it), otherwise move on to the next rule.
3. Keep matching: on a match check the rule's action, otherwise move on to the next rule.
4. If no rule matches, apply the default action.
Workflow considerations:
- If the default action is permit, there must be at least one deny rule; if the default action is deny, there must be at least one permit rule.
- Without changing the intended effect, configure packet filtering in the inbound direction of the interface closest to the source address (if it is placed in the outbound direction, the router has to process the packet before it is filtered, which wastes time).
4. ACL classification
(1) Basic ACL:
Matches only the source address of a packet; suited to batch handling of large address ranges.
Numbered 2000-2999
(2) Advanced ACL:
Matches the packet's five-tuple (source IP, destination IP, source port, destination port, protocol)
Numbered 3000-3999
III. ACL lab
1. Lab requirements:
Configure ACLs to achieve the following:
The 192.168.1.0/24 segment must not be able to reach the 192.168.2.0/24 segment, implemented with a basic ACL.
PC1 can access SERVER1's TELNET service but not its FTP service; PC2 can access SERVER1's FTP service but not its TELNET service.
The 192.168.2.0/24 segment must not be able to reach SERVER1, implemented with an advanced ACL.
2. Lab steps
1. Configure IP addresses
Omitted.
2. Configure RIP on R1, R2 and R3 so that all routes in the network are reachable
3. Configure the TELNET and FTP services on SERVER1
4. Configure the ACLs
Analysis:
Requirement i: the 192.168.1.0/24 segment must not reach 192.168.2.0/24, using only a basic ACL. A basic ACL filters on the source IP address only, so the only place it can be applied is the outbound direction of R2's g0/2 interface. Applying it anywhere else along the path between the two segments would also break 192.168.1.0/24's normal communication with other segments.
Requirement ii: PC1 can access SERVER1's TELNET service but not its FTP service. Since specific services must be filtered, only an advanced ACL will do. An advanced ACL does not cause false filtering, so it can be applied in the inbound direction of the interface closest to the source address, i.e. the inbound direction of R1's g0/1 interface. Also, because the default packet-filter action on H3C is permit, nothing special is needed to allow PC1 to reach TELNET on SERVER1; a rule denying FTP is enough.
Requirement iii: PC2 can access SERVER1's FTP service but not its TELNET service. By the same reasoning, only an advanced ACL works, applied in the inbound direction of R1's g0/1 interface, and only a rule denying TELNET is needed.
Because requirements ii and iii are applied on the same router, the same interface and the same direction, their rules are written into the same ACL.
Requirement iv: the 192.168.2.0/24 segment must not reach SERVER1, using an advanced ACL. An advanced ACL does not cause false filtering, so it is applied in the inbound direction of the interface closest to the source address, i.e. the inbound direction of R2's g0/2 interface. Since no particular services are named, all access is denied, so the protocol in the advanced ACL is specified as IP.
Step 1: create a basic ACL so that 192.168.1.0/24 cannot reach 192.168.2.0/24, and apply packet filtering in the outbound direction of R2's g0/2 interface
[R2]acl basic 2000
[R2-acl-ipv4-basic-2000]rule deny source 192.168.1.0 0.0.0.255
[R2]interface g0/2
[R2-GigabitEthernet0/2]packet-filter 2000 outbound
Step 2: create an advanced ACL so that PC1 can reach SERVER1's TELNET service but not FTP, and PC2 can reach SERVER1's FTP service but not TELNET, and apply packet filtering in the inbound direction of R1's g0/1 interface
[R1]acl advanced 3000
[R1-acl-ipv4-adv-3000]rule deny tcp source 192.168.1.1 0 destination 192.168.3.1 0 destination-port range 20 21
[R1-acl-ipv4-adv-3000]rule deny tcp source 192.168.1.2 0 destination 192.168.3.1 0 destination-port eq 23
[R1]interface g0/1
[R1-GigabitEthernet0/1]packet-filter 3000 inbound
Step 3: create an advanced ACL so that PC3 cannot reach SERVER1, and apply packet filtering in the inbound direction of R2's g0/2 interface
[R2]acl advanced 3000
[R2-acl-ipv4-adv-3000]rule deny ip source 192.168.2.0 0.0.0.255 destination 192.168.3.1 0
[R2]interface g0/2
[R2-GigabitEthernet0/2]packet-filter 3000 inbound
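To make the sequential-match workflow from section II concrete, here is an added Python simulator (not part of the original post, and not H3C's own implementation) that applies the three ACLs configured above to the lab's test traffic and shows why a narrow rule must precede a broad one. It assumes the addresses PC1=192.168.1.1, PC2=192.168.1.2, PC3=192.168.2.3 and SERVER1=192.168.3.1 implied by the rules and ping tests, and contiguous wildcard masks.

```python
import ipaddress

def wildcard_net(addr, wildcard):
    # H3C "address wildcard": wildcard bit 1 = don't care; a bare 0 = exact host
    w = int(ipaddress.ip_address("0.0.0.0" if wildcard == "0" else wildcard))
    prefix = 32 - bin(w).count("1")          # assumes a contiguous wildcard
    net = int(ipaddress.ip_address(addr)) & ~w & 0xFFFFFFFF
    return ipaddress.ip_network((net, prefix))

def rule(action, proto, src, dst="0.0.0.0 255.255.255.255", ports=()):
    # src/dst as typed on the CLI; ports = destination ports (empty = any)
    return {"action": action, "proto": proto, "ports": set(ports),
            "src": wildcard_net(*src.split()), "dst": wildcard_net(*dst.split())}

def match(rules, proto, src, dst, dport=None, default="permit"):
    """Sequential first-match, as in the workflow above: returns (action, rule
    index); a packet matching no rule gets the H3C default action, permit."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if (r["proto"] in ("ip", proto) and s in r["src"] and d in r["dst"]
                and (not r["ports"] or dport in r["ports"])):
            return r["action"], i
    return default, None

# ACL 2000, applied outbound on R2 g0/2 (basic ACL: source address only)
ACL_2000 = [rule("deny", "ip", "192.168.1.0 0.0.0.255")]
# ACL 3000 on R1, applied inbound on g0/1 (advanced ACL)
R1_ACL_3000 = [
    rule("deny", "tcp", "192.168.1.1 0", "192.168.3.1 0", (20, 21)),
    rule("deny", "tcp", "192.168.1.2 0", "192.168.3.1 0", (23,)),
]
# ACL 3000 on R2, applied inbound on g0/2
R2_ACL_3000 = [rule("deny", "ip", "192.168.2.0 0.0.0.255", "192.168.3.1 0")]

def lab_results():
    # Addresses assumed from the post: PC1 .1.1, PC2 .1.2, PC3 .2.3, SERVER1 .3.1
    return {
        "pc1_telnet": match(R1_ACL_3000, "tcp", "192.168.1.1", "192.168.3.1", 23)[0],
        "pc1_ftp": match(R1_ACL_3000, "tcp", "192.168.1.1", "192.168.3.1", 21)[0],
        "pc2_ftp": match(R1_ACL_3000, "tcp", "192.168.1.2", "192.168.3.1", 21)[0],
        "pc2_telnet": match(R1_ACL_3000, "tcp", "192.168.1.2", "192.168.3.1", 23)[0],
        "pc1_to_pc3": match(ACL_2000, "icmp", "192.168.1.1", "192.168.2.3")[0],
        "pc3_to_server1": match(R2_ACL_3000, "icmp", "192.168.2.3", "192.168.3.1")[0],
    }

def order_matters():
    # A subnet-wide deny placed before a host permit shadows it: rule order alone flips the decision
    broad, narrow = rule("deny", "ip", "192.168.1.0 0.0.0.255"), rule("permit", "ip", "192.168.1.1 0")
    pkt = ("icmp", "192.168.1.1", "192.168.2.3")
    return match([broad, narrow], *pkt)[0], match([narrow, broad], *pkt)[0]
```

Because the first matching rule wins, a rule that is never reached is a silent misconfiguration; checking each intended flow against the rule list, as lab_results does, is the quickest way to catch it before the ACL goes onto an interface.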
5. Verification
Step 1: PC1 and PC2 cannot ping PC3
[PC1]ping 192.168.2.3
Ping 192.168.2.3 (192.168.2.3): 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
Step 2: PC1 can connect to SERVER1's TELNET service but not to FTP
<PC1>telnet 192.168.3.1
Trying 192.168.3.1 ...
Press CTRL+K to abort
Connected to 192.168.3.1 ...
******************************************************************************
* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
login:
<PC1>ftp 192.168.3.1
Press CTRL+C to abort.
Step 3: PC2 can connect to SERVER1's FTP service but not to TELNET
<PC2>ftp 192.168.3.1
Press CTRL+C to abort.
Connected to 192.168.3.1 (192.168.3.1).
220 FTP service ready.
User (192.168.3.1:(none)):
<PC2>telnet 192.168.3.1
Trying 192.168.3.1 ...
Press CTRL+K to abort
Connected to 192.168.3.1 ...
Step 4: PC3 cannot ping SERVER1
[PC3]ping 192.168.3.1
Ping 192.168.3.1 (192.168.2.3): 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out