Note-taking basic ACL, advanced ACL

2025-02-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Review: the scale of IP networks keeps growing and address waste is getting more serious. IP address space is limited; the remedies are public address | private address (NAT), subnetting, and IPv6.

Private network, private address: a private address is not allowed to circulate on the Internet. A packet can go out, but the reply cannot come back. So when an enterprise packet goes out it does not carry the internal private address but the public IP address the enterprise bought. By default the IP address never changes during transmission; the MAC address changes all the time, once for every network segment the packet passes through.

NAT (network address translation): translates the source IP address in the private-network packet into the purchased public IP address. When NAT works it relies on one core worksheet, the NAT translation table (private address 1 -> public address 1).
- static NAT: on the border device, the NAT translation entry is created manually; private:public = 1:1
- dynamic NAT: on the border device, the NAT translation entry is formed by the device itself, triggered by packets, without human intervention. If an entry is not used for a period of time it is automatically deleted from the NAT translation table.
  - basic dynamic NAT: private:public = 1:1
  - P-NAT (port multiplexing): private:public = N:1
NAT problem: when the private network actively pings the public network it connects; the other way round it does not work. Reason: the lookup order of the routing table and the NAT table on the way in and on the way out.
NAT advanced application, port mapping:
    ip nat inside source static tcp 192.168.1.1 23 100.1.1.1 10011

ACL: access control list
- function: match traffic of interest.
- implementation: # rule # action (permit / deny) # event
- identified by: # ID # name
- types: # standard ACL / basic ACL (ID or name) # extended ACL / advanced ACL (ID or name)

ACL configuration idea:
0. Ensure the connectivity of the original traffic (determined by the needs of the existing network). Before the ACL was implemented, PC-1 and PC-2 could reach each other.
1. Check the existing ACLs
    [R1] display acl [2000] | all
2. Create the ACL
    [R1] acl 2000 [match-order {config} | {auto}]
    [R1-acl-basic-2000] rule [id] deny source 192.168.10.1 0.0.0.0
3. Call the ACL
    [R1] interface gi0/0/0
    [R1-gi0/0/0] traffic-filter inbound acl 2000
4. Verify, test, save
    display acl 2000                                                          // view the configured entries of the ACL
    display traffic-filter applied-record                                     // view where the ACL is called
    display traffic-filter statistics interface GigabitEthernet 0/0/0 inbound // view usage of the ACL on a specific port
    ping x.x.x.x
    save

Experimental topology diagram:

PC-1 -> PC-2
# study clearly the forwarding path (round trip) of the traffic: kill the traffic on the way there, or kill the traffic on the way back
# study the traffic itself (characteristics + structure): L2 + L3 + ICMP + FCS
ip-acl works at L3: source-ip + destination-ip
- Basic ACL: focuses only on the source-ip in the IP header
- Advanced ACL: can focus on both source and destination, and also on the content behind the IP header, such as TCP/UDP

=

Delete an ACL:
1. The correct deletion posture
    # first remove the ACL calling relationship
    interface gi0/0/0
    undo traffic-filter inbound
    # secondly delete the ACL entry itself
    undo acl 2000
    # the final result of the deletion
2. When a non-existent ACL is called, it allows everything.
5. Basic ACL / standard ACL: strongly recommended to be called "close to the target device".

Layer 3 ACL: basic ACL (numbered ACL, named ACL), advanced ACL (numbered ACL, named ACL); layer 2 ACL.
1. A named ACL needs to be specified when it is created.
2. In an ACL, if you do not write source or destination, it means all sources or all destinations.
3. When configuring an ACL, pressing Enter directly after source or destination also means "all".

=

R2: PC1-PC2 cannot reach each other, everything else is interconnected
1. Create the ACL
    [R2] acl 3000
    [R2-acl-advance-3000] rule 5 deny ip source 192.168.20.1 0.0.0.0 destination 192.168.10.1 0.0.0.0
2. Call the ACL
    [R2] interface gi0/0/0
    [R2-gi0/0/0] traffic-filter inbound acl 3000
3. Verify, test, save
    display acl 3000
    display traffic-filter applied-record
    PC2: ping 192.168.10.1 -> no; ping 192.168.10.3 -> yes
    PC4/5: ping x.x.x.x -> yes
    save

R2: PC4/5 can communicate with the other hosts in the network; all other traffic is blocked.
1. Create the ACL
    [R2] acl name Only-PC4-5 advance
    [R2-acl-advance-Only-PC4-5] rule permit ip source 192.168.20.4 0.0.0.0
    [R2-acl-advance-Only-PC4-5] rule permit ip source 192.168.20.5 0.0.0.0
    [R2-acl-advance-Only-PC4-5] rule 100 deny ip
2. Call the ACL
    [R2] interface gi0/0/0
    [R2-gi0/0/0] traffic-filter inbound acl name Only-PC4-5
3. Verify, test, save

= =

Small experiment configuration requirements:
1. Any type of traffic between PC-1 and PC-2 cannot be interconnected.
2. PC-3 can ping 192.168.30.88 (server-2), but cannot ping www.ntd1711.com.
3. Any type of traffic between PC-4 and PC-3 cannot be interconnected.
4. Client-1 can ping www.ntd1711.com, but cannot open the web service (that is, www.ntd1711.com) on Server-2 in its own browser.
If you want to control traffic, you must first understand the encapsulation of the traffic and the protocol it uses; if you want to control traffic, you must first know the forwarding path and direction of the traffic.

ACL (access control list): basic acl 2000-2999, advanced acl 3000-3999. In acl 3000 the rules start from 5 and step by 5, and they are executed from small to large. In/out is relative to the interface: traffic entering the interface is in.
    traffic-filter in/out acl 3000
Create the ACL:
    acl number 3369
    rule 5 deny icmp source 192.168.1.1 0 destination 192.168.20.2 20
Call the ACL:
    interface GigabitEthernet0/0/0
    ip address 192.168.1.254 255.255.255.0
    traffic-filter inbound acl 3369
A pile of queries:
    [R1] display acl all                                               // query the ACL list
    [R1] display traffic-filter applied-record                         // query the traffic-filter application record
    [R1] display traffic-filter statistics interface G0/0/0 inbound    // query the inbound traffic information on the interface

=

Telnet management, AAA authentication: AAA (Authentication, Authorization and Accounting) is a system developed by Cisco to provide network security. Transport-layer protocol and port number; where to configure: it is recommended to call the ACL in/out on the port of the device closest to the destination address on the traffic forwarding path.
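The following is an added example and not part of these notes: a small Python model of how the ACLs above are evaluated, assuming the Huawei semantics the notes describe (a 0 bit in the wildcard must match, the first matching rule wins in config order, and traffic-filter permits whatever no rule matches). The rule ids 5/10 for the named ACL follow the "start at 5, step 5" numbering in the notes; the helper names are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Spec = Optional[Tuple[str, str]]   # (address, wildcard); None means "any"

@dataclass
class Rule:
    rule_id: int
    action: str            # "permit" or "deny"
    proto: str = "ip"      # "ip" matches every protocol; "icmp"/"tcp"/"udp" match one
    src: Spec = None       # a basic ACL only ever sets src
    dst: Spec = None

def wildcard_match(addr: str, spec: Spec) -> bool:
    """Huawei wildcard: 0 bits must match, 1 bits are don't-care.
    So 0.0.0.0 means exactly this host and 0.0.0.255 means the whole /24."""
    if spec is None:
        return True
    base, wild = spec
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (a & care) == (b & care)

def evaluate(rules, proto: str, src_ip: str, dst_ip: str) -> str:
    """First matching rule wins (match-order config, rule ids ascending).
    A packet matching no rule is permitted: traffic-filter has no implicit
    deny, which is why an allow-list ACL needs the final 'rule 100 deny ip'
    and why calling a non-existent (empty) ACL lets everything through."""
    for r in sorted(rules, key=lambda r: r.rule_id):
        if r.proto != "ip" and r.proto != proto:
            continue
        if wildcard_match(src_ip, r.src) and wildcard_match(dst_ip, r.dst):
            return r.action
    return "permit"

# Constructed from the R2 rules in the notes above.
# acl 3000: rule 5 deny ip source 192.168.20.1 0.0.0.0 destination 192.168.10.1 0.0.0.0
ACL_3000 = [Rule(5, "deny", "ip", ("192.168.20.1", "0.0.0.0"), ("192.168.10.1", "0.0.0.0"))]
# acl name Only-PC4-5 advance: permit PC-4 and PC-5 as sources, then deny everything
ACL_ONLY_PC4_5 = [
    Rule(5, "permit", "ip", ("192.168.20.4", "0.0.0.0")),
    Rule(10, "permit", "ip", ("192.168.20.5", "0.0.0.0")),
    Rule(100, "deny", "ip"),
]

if __name__ == "__main__":
    print("PC2 -> PC1 via acl 3000:", evaluate(ACL_3000, "icmp", "192.168.20.1", "192.168.10.1"))
    print("PC2 -> PC1 via Only-PC4-5:", evaluate(ACL_ONLY_PC4_5, "icmp", "192.168.20.1", "192.168.10.1"))
```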
