2025-01-19 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article is about how to filter ping and filter telnet with an ACL. The editor finds it very practical, so it is shared here for everyone to learn from; I hope you gain something from reading it. Without further ado, follow the editor and have a look.
People who often use TCP/IP networks have certainly used the ping and traceroute commands (tracert on Windows systems), both of which are based on the ICMP protocol. ICMP, together with other protocols, reports errors on the network and provides information about what happens when other protocols are used.
We know that ICMP reveals a lot of information about other network services and applications, and ICMP can also be used to gather information about an enterprise network, so as network managers we do not want to disclose this information. However, without ICMP the network manager cannot work, or at least not properly. Filtering ICMP is harder than filtering TCP and UDP, because most ICMP messages are generated in response to other programs.
Normally, the ICMP messages we use are:
⑴ echo-request: the loopback test request sent by ping
⑵ echo-reply: the loopback test response returned to ping
⑶ packet-too-big: used by some programs to discover the MTU of the path to the destination address
⑷ ttl-exceeded (time to live, TTL): used by traceroute to test the lifetime of network packets
⑸ destination host unreachable: notifies the session that the destination is unreachable.
Look at the following topology diagram:
If only R0 is allowed to ping R1, and R1 is not allowed to ping R0, we can configure it this way.
R0(config)# access-list 101 permit icmp host 12.1.1.2 host 12.1.1.1 echo-reply
Reply packets from 12.1.1.2 back to 12.1.1.1 are permitted, meaning only the echo-reply traffic returning from 12.1.1.2 to 12.1.1.1 is allowed, while ping packets initiated by 12.1.1.2 are not.
R0(config)# interface e0/0
R0(config-if)# ip access-group 101 in
Enter the interface and apply ACL 101 inbound.
There are two ways to filter telnet. From the way a telnet connection is established, we see that the local side uses a port greater than 1024 that connects to the other side's port 23. So we can write it like this.
R0(config)# access-list 100 permit tcp host 12.1.1.2 eq 23 host 12.1.1.1 gt 1024
Only port 23 of 12.1.1.2 is allowed to reach ports of 12.1.1.1 greater than 1024. By using the TCP port numbers in this way, R0 can telnet into R1, but R1 cannot telnet into R0.
R0(config)# interface e0/0
R0(config-if)# ip access-group 100 in
In this case ping is also blocked, because ACL 100 permits only that TCP return traffic and everything else, ICMP included, is dropped by the implicit deny at the end of the ACL.
Alternatively, you can do this:
R1(config)# access-list 12 permit 12.1.1.1 0.0.0.0
R1(config)# line vty 0 4
R1(config-line)# access-class 12 in
Rejecting 12.1.1.2 on R0 this way causes no problem for ping.
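As an added example (not code from the original article), the following Python models how R0 evaluates the two extended ACLs above, ACL 101 for ping and ACL 100 for telnet, against packets arriving inbound on e0/0: the first matching entry decides, and anything unmatched falls to the implicit deny. The packets are constructed samples; the high port 40000 is an assumed telnet client port.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str      # "icmp" or "tcp"
    src: str
    dst: str
    sport: int = 0  # TCP ports; unused for ICMP
    dport: int = 0
    icmp_type: str = ""  # "echo-request", "echo-reply", ...

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO host A [eq|gt P] host B [eq|gt P] [ICMP-TYPE]'."""
    tok, i = line.split(), 4
    def endpoint():
        nonlocal i
        addr, port, i = tok[i + 1], None, i + 2      # tok[i] is the keyword 'host'
        if i < len(tok) and tok[i] in ("eq", "gt"):
            port, i = (tok[i], int(tok[i + 1])), i + 2
        return addr, port
    src, sport = endpoint()
    dst, dport = endpoint()
    return {"action": tok[2], "proto": tok[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "icmp_type": tok[i] if i < len(tok) else None}

def port_matches(cond, port):
    return cond is None or (port == cond[1] if cond[0] == "eq" else port > cond[1])

def evaluate(acl, pkt):
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if (ace["proto"], ace["src"], ace["dst"]) != (pkt.proto, pkt.src, pkt.dst):
            continue
        if not (port_matches(ace["sport"], pkt.sport) and port_matches(ace["dport"], pkt.dport)):
            continue
        if ace["icmp_type"] and ace["icmp_type"] != pkt.icmp_type:
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every ACL

# The two ACLs from the article, as applied inbound on R0 e0/0.
ACL_101 = [parse_ace("access-list 101 permit icmp host 12.1.1.2 host 12.1.1.1 echo-reply")]
ACL_100 = [parse_ace("access-list 100 permit tcp host 12.1.1.2 eq 23 host 12.1.1.1 gt 1024")]

# Constructed sample packets as they arrive at R0 from R1 (12.1.1.2 -> 12.1.1.1).
REPLY_TO_R0 = Packet("icmp", "12.1.1.2", "12.1.1.1", icmp_type="echo-reply")     # R1 answering R0's ping
PING_FROM_R1 = Packet("icmp", "12.1.1.2", "12.1.1.1", icmp_type="echo-request")  # R1 pinging R0
TELNET_RETURN = Packet("tcp", "12.1.1.2", "12.1.1.1", sport=23, dport=40000)     # R1 answering R0's telnet
TELNET_FROM_R1 = Packet("tcp", "12.1.1.2", "12.1.1.1", sport=40000, dport=23)    # R1 telnetting to R0
```

Running evaluate(ACL_100, REPLY_TO_R0) shows why ping is blocked under ACL 100: no entry matches ICMP, so the implicit deny applies.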
This is how an ACL filters ping and telnet. The editor believes these are knowledge points we may encounter or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.