ACL and NAT
2022-07-21 14:10:00 【stars293】
1. ACL overview and background
ACL: Access Control List, an ordered list of rules that a device matches packets against and then permits or denies them.
- To protect financial data, the R&D department must not be able to reach the finance server, while the president's office is unrestricted. Implementation:
Deploy an ACL in the inbound direction of Interface 1 that denies packets from the R&D department destined for the finance server. Interface 2 needs no ACL; packets from the president's office to the finance server are permitted by default.
- Protect the intranet and keep Internet worms and viruses out. Implementation:
Deploy an ACL in the inbound direction of Interface 3 that blocks the ports commonly used by malware.
Whitelist: deny everything by default, then permit sources one at a time; only what is explicitly permitted (for example the department's own business hosts) can communicate. Blacklist: permit everything by default, then add deny entries one at a time; only what is explicitly denied cannot communicate.

Inbound: a packet that has arrived at a router interface and is about to be processed by the router.
Outbound: a packet that the router has already processed and that is leaving through the interface.
Basic ACL (2000~2999): matches on the source IP address only (this is the type used by acl 2000 and 2001 below).
Advanced ACL (3000~3999): matches source IP, destination IP, source port, destination port, protocol and other Layer 3 and Layer 4 fields.
Layer 2 ACL (4000~4999): matches on the packet's source MAC address, destination MAC address, 802.1Q priority and Layer 2 protocol type.
[Huawei] acl number 2000 ### create basic ACL 2000
[Huawei-acl-basic-2000] rule 5 deny source 192.168.1.1 0
### deny traffic whose source address is 192.168.1.1; the wildcard 0 means exactly this one host; 5 is the rule's sequence number (optional: if omitted, the device assigns the next number itself)
[Huawei] interface GigabitEthernet 0/0/1
[Huawei-GigabitEthernet0/0/1] ip address 192.168.2.254 24
[Huawei-GigabitEthernet0/0/1] traffic-filter outbound acl 2000
### apply acl 2000 in the interface's outbound direction; outbound = packets leaving the interface, inbound = packets entering it
[Huawei-GigabitEthernet0/0/1] undo shutdown
### traffic-filter forwards any packet that matches no rule, so this ACL is a blacklist: only 192.168.1.1 is blocked and every other source still gets through
[Huawei] acl number 2001 ### create basic ACL 2001
[Huawei-acl-basic-2001] rule permit source 192.168.1.0 0.0.0.255
### permit = allow; source = source address; 0.0.0.255 is a wildcard mask (the inverse of a netmask), so this matches the whole 192.168.1.0/24 segment
[Huawei-acl-basic-2001] rule deny source any ### or simply: rule deny
### deny everything else; any is shorthand for 0.0.0.0 255.255.255.255. This rule is what makes the ACL a whitelist: without it, packets matching no rule would be forwarded
[Huawei] interface GigabitEthernet 0/0/1 ### enter the outbound interface
[Huawei-GigabitEthernet0/0/1] ip address 192.168.2.254 24
[Huawei-GigabitEthernet0/0/1] traffic-filter outbound acl 2001
### only one ACL can be bound per interface per direction, so this replaces the earlier acl 2000 binding
[Huawei] acl number 3000 ### the rules below filter on protocol and port, which needs an advanced ACL, hence a number from 3000 upward
[Huawei-acl-adv-3000] rule deny icmp source 192.168.1.0 0.0.0.255 destination 192.168.3.1 0 ### block ping from 192.168.1.0/24 to 192.168.3.1
[Huawei-acl-adv-3000] rule permit tcp source 192.168.1.3 0 destination 192.168.3.1 0 destination-port eq 80
### destination = destination address; destination-port = destination port number; 80 can also be written as www
### rules are matched in sequence-number order and evaluation stops at the first match, so a packet hitting this permit is never checked against the deny that follows
[Huawei-acl-adv-3000] rule deny tcp source any destination 192.168.3.1 0 destination-port eq 80
### together with the previous rule: only 192.168.1.3 may reach the web service on 192.168.3.1
[Huawei-acl-adv-3000] rule deny tcp source 192.168.10.0 0.0.0.255 destination 12.0.0.2 0 destination-port eq 21
### deny the 192.168.10.0/24 segment access to the FTP server 12.0.0.2 (the destination address needs its wildcard too; 0 means this single host). This blocks only the FTP control connection on port 21; FTP data connections use other ports and need their own rules
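The matching semantics that the rules above (and the whitelist ACL 2001 earlier) depend on, as an added example that is not part of the original post: a small Python model of Huawei-style ACL evaluation. It implements wildcard masks (0 for one host, 0.0.0.255 for a /24, any for everything), first-match evaluation in ascending sequence order, and the implicit permit of traffic-filter for packets that match no rule, which is why a whitelist needs its trailing rule deny. The rule lines are parsed exactly as written on the page; the auto-numbering step of 5, the sample packets and the build_* helpers are assumptions made for this example.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")                          # what the keyword `any` expands to
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "ssh": 22}  # names accepted after `eq`

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard = inverse of a netmask: 0 bits must match, 1 bits are ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def prefix_to_wildcard(prefix_len: int) -> str:
    """/24 -> 0.0.0.255, /32 -> 0.0.0.0 (typed as a bare 0 on the CLI)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF >> prefix_len))

class Acl:
    """One numbered ACL evaluated like traffic-filter: the first match in ascending
    sequence order wins, and a packet that matches no rule is permitted."""

    def __init__(self, number: int):
        self.number = number
        self.rules = {}       # seq -> (action, match fields)
        self._next_seq = 5    # assumption: auto-numbering in steps of 5 (VRP's default step)

    def rule(self, line: str) -> int:
        """Parse a `rule ...` line in the page's syntax; returns its sequence number."""
        tok = line.split()
        assert tok[0] == "rule", line
        i = 1
        if tok[i].isdigit():                      # explicit sequence number given
            seq, i = int(tok[i]), i + 1
        else:
            seq = self._next_seq
        action, i = tok[i], i + 1
        assert action in ("permit", "deny"), line
        m = {"proto": None, "source": ANY, "destination": ANY,
             "source-port": None, "destination-port": None}
        while i < len(tok):
            t = tok[i]
            if t in ("tcp", "udp", "icmp", "ip"):
                m["proto"], i = t, i + 1
            elif t in ("source", "destination"):
                if tok[i + 1] == "any":
                    m[t], i = ANY, i + 2
                else:                              # address + wildcard; a bare 0 means 0.0.0.0 (one host)
                    wc = "0.0.0.0" if tok[i + 2] == "0" else tok[i + 2]
                    m[t], i = (tok[i + 1], wc), i + 3
            elif t in ("source-port", "destination-port") and tok[i + 1] == "eq":
                p = tok[i + 2]
                m[t], i = (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 3
            else:
                raise ValueError(f"unsupported token {t!r} in: {line}")
        self.rules[seq] = (action, m)
        self._next_seq = (max(self.rules) // 5 + 1) * 5
        return seq

    def evaluate(self, pkt: dict):
        """Return (action, seq) of the first matching rule, or ("permit", None)."""
        for seq in sorted(self.rules):
            action, m = self.rules[seq]
            if m["proto"] not in (None, "ip") and m["proto"] != pkt["proto"]:
                continue
            if not (wildcard_match(pkt["src"], *m["source"])
                    and wildcard_match(pkt["dst"], *m["destination"])):
                continue
            if m["source-port"] is not None and pkt.get("sport") != m["source-port"]:
                continue
            if m["destination-port"] is not None and pkt.get("dport") != m["destination-port"]:
                continue
            return action, seq
        return "permit", None

def pkt(src: str, dst: str, proto: str = "tcp", dport: int = None) -> dict:
    """Constructed sample packet with only the fields an ACL inspects."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}

def build_acl_3000() -> Acl:
    """The advanced ACL from the page, entered in the same order (gets seq 5, 10, 15, 20)."""
    acl = Acl(3000)
    acl.rule("rule deny icmp source 192.168.1.0 0.0.0.255 destination 192.168.3.1 0")
    acl.rule("rule permit tcp source 192.168.1.3 0 destination 192.168.3.1 0 destination-port eq www")
    acl.rule("rule deny tcp source any destination 192.168.3.1 0 destination-port eq 80")
    acl.rule("rule deny tcp source 192.168.10.0 0.0.0.255 destination 12.0.0.2 0 destination-port eq 21")
    return acl

def build_whitelist_2001() -> Acl:
    """The basic whitelist ACL from the page; without the final `rule deny` it is not a whitelist."""
    acl = Acl(2001)
    acl.rule("rule permit source 192.168.1.0 0.0.0.255")
    acl.rule("rule deny")
    return acl

if __name__ == "__main__":
    acl = build_acl_3000()
    for p in (pkt("192.168.1.5", "192.168.3.1", "icmp"), pkt("192.168.1.3", "192.168.3.1", dport=80),
              pkt("192.168.1.9", "192.168.3.1", dport=80), pkt("192.168.1.9", "192.168.3.1", dport=443)):
        print(p["proto"], p["src"], "->", p["dst"], p["dport"], acl.evaluate(p))
```

Running it shows the two points that are easy to get wrong on a real device: 192.168.1.3 to port 80 is permitted by rule 10 even though rule 15 denies everyone to port 80, because matching stops at the first hit; and 192.168.1.9 to port 443 is permitted although no rule mentions it, because traffic-filter forwards what nothing matches. Swap the order of the permit and the deny-any rules and the first packet is dropped.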
[Huawei-acl-adv-3000] display this ### check that the ACL was configured as intended (abbreviated dis this)
[Huawei] interface GigabitEthernet 0/0/0
[Huawei-GigabitEthernet0/0/0] traffic-filter inbound acl 3000 ### apply the ACL in the interface's inbound direction
[Huawei-GigabitEthernet0/0/0] undo traffic-filter inbound ### remove the ACL binding from the interface
[Huawei] display acl 3000 ### show the ACL's configuration, including each rule's sequence number
[Huawei] acl number 3000
[Huawei-acl-adv-3000] display this ### view the rule sequence numbers
[Huawei-acl-adv-3000] undo rule 5 ### delete a single rule by its sequence number
[Huawei] undo acl number 3000 ### delete the whole ACL
Advanced ACL