Expand ACL-Wang Bei's study notes

2025-01-22 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >


Shulou(Shulou.com)06/01 Report--

IP-ACL (layer 3 ACL for layer 3 traffic)

Standard ACL:

Can only match the source IP address of an IP packet.

Extended ACL:

Can match the source IP address, destination IP address and transport-layer protocol of an IP packet at the same time.

An extended ACL matches traffic more precisely: a flow is uniquely identified by its 5-tuple of source IP, destination IP, source port, destination port and transport-layer protocol. Data that can be described by "transport-layer protocol + port number" belongs to the application layer. When a router looks up its routing table it applies the longest-match principle: the longer the match, the more specific the address.

Experiment name: the principle and application of extended ACL

Lab Topology:

Lab requirements:

R1 can ping to R4

Loopback 0 of R1 cannot telnet R4

The steps of the experiment:

1. Ensure network interconnection

# Configure each device's interface addresses according to the topology diagram

# Configure static routes so that all network segments can reach each other

& write them one by one, or

& use a default route: 0.0.0.0 0.0.0.0 -> 0.0.0.0/0, which matches all networks.

2. Configure the ACL policy. To capture a particular flow you must first be able to describe that flow. Configuration commands (on R2):

    ip access-list extended Deny-telnet
     10 deny tcp 10.10.1.0 0.0.0.255 10.10.4.0 0.0.0.255 eq telnet
     20 deny tcp 10.10.1.0 0.0.0.255 192.168.34.0 0.0.0.255 eq telnet
     30 permit ip any any
    !

Or, matching the two hosts only:

    ip access-list extended Deny-telnet
     10 deny tcp 10.10.1.1 0.0.0.0 10.10.4.4 0.0.0.0 eq telnet
     20 deny tcp 10.10.1.1 0.0.0.0 192.168.34.4 0.0.0.0 eq telnet
     30 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

3. Apply the ACL policy (R2):

    interface fas0/1
     ip access-group Deny-telnet in

4. Verify the ACL policy

R2:

    show ip access-list
    show ip interface fas0/1

R1:

    telnet 10.10.4.4 /source-interface loopback 0     -> no
    telnet 192.168.34.4 /source-interface loopback 0  -> no

All other types of traffic between all other addresses work normally.
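To make the matching rules above concrete, here is an added example (not from the original notes) that evaluates Cisco-style extended ACL entries the way the router does: wildcard-mask comparison, first matching entry wins, and an implicit deny at the end. The Deny-telnet list and the addresses are the ones from the notes; the test flows (R1 Loopback0 10.10.1.1 towards R4) are constructed.

```python
# Added example: minimal evaluator for Cisco-style extended ACL entries.
# Shows wildcard-mask matching, first-match semantics and the implicit deny.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol), "tcp", "udp" or "icmp"
    src: str                     # "<address> <wildcard>" or "any"
    dst: str
    dport: Optional[int] = None  # "eq <port>"; None means any destination port


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    if spec == "any":
        spec = "0.0.0.0 255.255.255.255"
    net, wild = spec.split()
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a | w) == (n | w)


def evaluate(acl: list, src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> str:
    """Return the action for a flow: first matching ACE wins, else implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"  # implicit deny at the end of every Cisco ACL


# The Deny-telnet list from the notes (host-specific variant), entries 10/20/30.
DENY_TELNET = [
    Ace("deny", "tcp", "10.10.1.1 0.0.0.0", "10.10.4.4 0.0.0.0", 23),
    Ace("deny", "tcp", "10.10.1.1 0.0.0.0", "192.168.34.4 0.0.0.0", 23),
    Ace("permit", "ip", "any", "any"),
]

if __name__ == "__main__":
    # Constructed flows: R1 Loopback0 (10.10.1.1) towards R4's two addresses.
    print(evaluate(DENY_TELNET, "10.10.1.1", "10.10.4.4", "tcp", 23))     # deny
    print(evaluate(DENY_TELNET, "10.10.1.1", "192.168.34.4", "tcp", 23))  # deny
    print(evaluate(DENY_TELNET, "10.10.1.1", "10.10.4.4", "icmp"))        # permit (ping)
    print(evaluate(DENY_TELNET, "10.10.1.1", "10.10.4.4", "tcp", 80))     # permit
    # Without entry 30 the implicit deny would also block the ping:
    print(evaluate(DENY_TELNET[:2], "10.10.1.1", "10.10.4.4", "icmp"))    # deny
```

Dropping entry 30 and re-running the last call shows why the `permit ip any any` line matters: every ACL ends in an implicit deny.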

Note:

An ACL does not filter traffic originated by the local device itself; it only acts on traffic transiting through it.

© 2024 shulou.com SLNews company. All rights reserved.