2025-03-26 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
ACL: Access Control List
Role: control which data may pass, i.e. whether hosts are allowed to communicate with each other;
Implementation:
1. Define rules (matching conditions)
2. Define actions: permit; deny
Categories:
1. Standard ACL: matches only on the source IP address;
2. Extended ACL: matches on the source IP address and the destination IP address, and can also match on fields after the IP header (e.g. the protocol);
Identification:
1. By number: different numbers distinguish different ACLs;
2. By name: makes ACL configuration and management easier;
Configuration:
1. Create the ACL:
access-list {ID} permit/deny x.x.x.x wildcard-bits
ID range 1-99: standard ACL
ID range 100-199: extended ACL
x.x.x.x: an IP network range or a single IP address
wildcard-bits: the wildcard mask; 0 and 1 bits may be mixed freely; a 0 bit in the wildcard means the corresponding address bit must match, a 1 bit means the corresponding address bit is ignored;
Example: access-list 1 permit 192.168.1.0 0.0.0.255
How an entry is evaluated:
1. First, determine the ACL type (here the ID 1 means a standard ACL).
2. Then analyze the matching condition: look at the wildcard first and note which bits of the IP address correspond to 0 bits in the wildcard; extract those bits from the packet's source IP address and compare them with the ACL condition. If they are the same, the match succeeds and the "action" is executed; if they differ, the match fails and the next entry/matching condition is checked.
3. Finally, confirm the "action": permit = allow, deny = refuse.
2. Apply the ACL:
#Make sure you are on the right device,
#on the right interface,
#in the right direction
interface fas0/0
ip access-group 1 in
3. Verification and testing
PC-1:
ping 192.168.1.254 --> not OK
Note:
At the end of every ACL there is an implicit deny any;
When an ACL has multiple entries, the conditions are checked in order of sequence number from small to large, and the first matching entry decides.
Standard ACL: should be applied close to the destination;
Extended ACL: should be applied close to the source;
Common ACL configuration at work - named ACL:
Create the ACL-
GW(config)# ip access-list standard Deny-Ping
GW(config-std-nacl)# 10 deny 192.168.1.2 0.0.0.0
GW(config-std-nacl)# 20 permit any
GW(config-std-nacl)#exit
Apply the ACL-
GW(config)#interface fas0/0
GW(config-if)#ip access-group Deny-Ping in
To match traffic more precisely, we use an extended ACL:
Create the ACL-
ip access-list extended notPing
10 deny icmp host 192.168.1.2 host 192.168.1.254
20 permit ip any any
Apply the ACL-
interface fas0/0
ip access-group notPing in
Verification--
ping
show ip access-list
show ip interface fas0/0
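As an added example, not code from the original page, the following Python script models how the ACLs above are evaluated: wildcard bits decide which address bits must match, entries are tried in ascending sequence order, the first hit decides, and a packet that matches nothing falls into the implicit deny any. It parses the page's own Deny-Ping (standard) and notPing (extended) entries plus the numbered access-list form; the names Packet, Entry, wildcard_match, build_acl and evaluate are my own, and only the protocol is matched after the IP header (no port matching).

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example: a small evaluator that mimics how an IOS-style ACL is
# matched. It is an illustration, not an implementation from any vendor.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip", "icmp", "tcp", "udp"

@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                  # "permit" or "deny"
    src: str
    src_wild: str                # wildcard: 0 bit = must match, 1 bit = ignored
    proto: str = "ip"            # extended ACLs only; "ip" matches any protocol
    dst: str = "0.0.0.0"         # standard ACLs ignore the destination ...
    dst_wild: str = "255.255.255.255"   # ... which is the same as "any"

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when every address bit under a 0 wildcard bit equals the base."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF       # bits that must match (wildcard bit == 0)
    return (a & care) == (b & care)

def _parse_target(tokens: List[str]) -> Tuple[str, str, List[str]]:
    """Consume 'any' | 'host A' | 'A W' from the front of the token list."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

def parse_entry(line: str, kind: str, default_seq: int) -> Entry:
    """Parse one line such as '10 deny icmp host 192.168.1.2 host 192.168.1.254'
    or 'access-list 1 permit 192.168.1.0 0.0.0.255'. kind is 'standard' or
    'extended'; a line without a leading sequence number gets default_seq."""
    t = line.split()
    if t[0] == "access-list":    # numbered form: drop the keyword and the ID
        t = t[2:]
    if t[0].isdigit():
        seq, t = int(t[0]), t[1:]
    else:
        seq = default_seq
    action, t = t[0], t[1:]
    if kind == "standard":
        src, sw, _ = _parse_target(t)
        return Entry(seq, action, src, sw)
    proto, t = t[0], t[1:]
    src, sw, t = _parse_target(t)
    dst, dw, _ = _parse_target(t)
    return Entry(seq, action, src, sw, proto, dst, dw)

def build_acl(lines: List[str], kind: str) -> List[Entry]:
    """Sequence numbers for lines that lack one are assigned in steps of 10."""
    return [parse_entry(l, kind, (i + 1) * 10) for i, l in enumerate(lines)]

def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching entry in ascending sequence
    order; ('deny', None) is the implicit deny any when nothing matches."""
    for e in sorted(acl, key=lambda e: e.seq):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, e.src, e.src_wild):
            continue
        if not wildcard_match(pkt.dst, e.dst, e.dst_wild):
            continue
        return e.action, e.seq
    return "deny", None

# The two named ACLs from the page, in the syntax shown there.
DENY_PING = build_acl(["10 deny 192.168.1.2 0.0.0.0", "20 permit any"], "standard")
NOT_PING = build_acl(["10 deny icmp host 192.168.1.2 host 192.168.1.254",
                      "20 permit ip any any"], "extended")

if __name__ == "__main__":
    for p in (Packet("192.168.1.2", "192.168.1.254", "icmp"),
              Packet("192.168.1.2", "192.168.1.254", "tcp"),
              Packet("192.168.1.3", "192.168.1.254", "icmp")):
        print(p, "Deny-Ping ->", evaluate(DENY_PING, p),
              "notPing ->", evaluate(NOT_PING, p))
```

Running the script shows the difference between the two lists: Deny-Ping blocks everything from 192.168.1.2 (its standard entry can only look at the source), while notPing blocks only the ICMP flow from 192.168.1.2 to 192.168.1.254 and lets the same host's TCP traffic through.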
In order to calm the soul, a man must do two things a day that he does not like.
NAT - Network Address Translation
- Role: translate private addresses into public addresses so that internal hosts can access the Internet;
- Implementation: on the edge devices of the network, i.e. gateway devices/firewalls.
- Types:
1. Static NAT
- The correspondence between private and public addresses is configured manually;
- Private address : public address = 1:1
- Does not save public IP addresses;
2. Dynamic NAT
- The private-to-public address mapping entries are created dynamically, triggered by data traffic
@ Normal dynamic NAT
- Private address : public address = 1:1
@ PAT/PNAT/NPAT: Port Address Translation
- The address translation entries in PAT are formed automatically from the data flows;
- Private address : public address = N:1
192.168.1.1:port ---- 100.1.1.1:port1
192.168.1.2:port ---- 100.1.1.1:port2
- Configuration (static NAT):
1. Determine the network boundary: inside (intranet) and outside (extranet)
interface gi0/0 //define this interface as the inside (intranet) link
ip nat inside
interface gi0/1 //define this interface as the outside (external network) link
ip nat outside
2. Configure address translation entries
ip nat inside source static 192.168.1.1 100.1.1.1
3. Verification and testing
show ip nat translation //view the NAT translation table
ping x.x.x.x
debug ip nat //view the address translation process of each packet
- Configuration (PAT):
1. Determine the network boundary: inside (intranet) and outside (extranet)
interface gi0/0
ip nat inside
interface gi0/1
ip nat outside
2. Define the traffic of interest
access-list 1 permit host 192.168.1.2
or
access-list 1 permit 192.168.1.0 0.0.0.255
3. Configure the translation entry (the overload keyword is what makes this PAT, i.e. many private addresses sharing the interface address)
ip nat inside source list 1 interface gi0/1 overload
4. Verification and testing
Application of NAT: port mapping
Configuration:
1. Configure the switch's IP address and default gateway
interface vlan 1
no shutdown
ip address 192.168.1.3 255.255.255.0
exit
ip default-gateway 192.168.1.254
2. Configure a "static NAT" entry on the border device
ip nat inside source static tcp 192.168.1.3 23 100.1.1.1 2000
3. Verification and testing
show ip nat translation
PC-3:
telnet 100.1.1.1 2000
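As an added example, not code from the original page, the following Python script models the translation table of the border device for the three kinds of entry described above: static 1:1 NAT, the static port mapping tcp 192.168.1.3:23 to 100.1.1.1:2000, and PAT (N:1, inside hosts told apart by the translated port). The class name NatTable, its methods and the port allocation starting at 1024 are my own assumptions; the addresses are the ones used on the page.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed example: a toy NAT translation table, written to show why return
# traffic only reaches an inside host when an entry (dynamic or static) exists.

Flow = Tuple[str, str, int]    # (proto, ip, port)

@dataclass
class NatTable:
    public_ip: str                                   # address of the outside interface
    interesting: str = "192.168.1.0/24"              # the "access-list 1" range
    next_port: int = 1024                            # next free PAT port (assumption)
    static_ips: Dict[str, str] = field(default_factory=dict)     # inside -> public (1:1)
    out_map: Dict[Flow, Flow] = field(default_factory=dict)      # inside flow -> outside flow
    in_map: Dict[Flow, Flow] = field(default_factory=dict)       # outside flow -> inside flow

    def _bind(self, inside: Flow, outside: Flow) -> None:
        self.out_map[inside] = outside
        self.in_map[outside] = inside

    def add_static(self, inside_ip: str, public_ip: str) -> None:
        """ip nat inside source static <inside> <public>: 1:1, ports unchanged."""
        self.static_ips[inside_ip] = public_ip

    def add_static_port(self, proto: str, inside_ip: str, inside_port: int,
                        public_ip: str, public_port: int) -> None:
        """ip nat inside source static tcp <inside> <port> <public> <port>: port mapping."""
        self._bind((proto, inside_ip, inside_port), (proto, public_ip, public_port))

    def translate_out(self, proto: str, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Inside -> outside: return the (ip, port) the packet leaves with."""
        inside = (proto, src_ip, src_port)
        if inside in self.out_map:                   # entry already exists
            _, ip, port = self.out_map[inside]
            return ip, port
        if src_ip in self.static_ips:                # static 1:1: only the address changes
            outside = (proto, self.static_ips[src_ip], src_port)
        elif ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.interesting):
            # PAT: share public_ip, choose a port not already used (e.g. by a port mapping)
            while (proto, self.public_ip, self.next_port) in self.in_map:
                self.next_port += 1
            outside = (proto, self.public_ip, self.next_port)
            self.next_port += 1
        else:
            return src_ip, src_port                  # not interesting: forwarded untranslated
        self._bind(inside, outside)
        return outside[1], outside[2]

    def translate_in(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Outside -> inside: only packets that hit an entry reach an inside host."""
        hit = self.in_map.get((proto, dst_ip, dst_port))
        if hit is not None:
            return hit[1], hit[2]
        for inside_ip, pub in self.static_ips.items():   # static 1:1 hosts are always reachable
            if pub == dst_ip:
                return inside_ip, dst_port
        return None                                  # no entry: dropped at the border

    def show(self) -> List[str]:
        """Rough equivalent of 'show ip nat translation'."""
        return [f"{p} {i_ip}:{i_port} -> {o[1]}:{o[2]}"
                for (p, i_ip, i_port), o in sorted(self.out_map.items())]

if __name__ == "__main__":
    nat = NatTable("100.1.1.1")
    nat.add_static_port("tcp", "192.168.1.3", 23, "100.1.1.1", 2000)
    print(nat.translate_out("tcp", "192.168.1.1", 40000))   # PAT: 100.1.1.1:1024
    print(nat.translate_out("tcp", "192.168.1.2", 40000))   # PAT: 100.1.1.1:1025
    print(nat.translate_in("tcp", "100.1.1.1", 2000))       # PC-3 'telnet 100.1.1.1 2000'
    print(nat.translate_in("tcp", "100.1.1.1", 4444))       # None: no entry, dropped
    print("\n".join(nat.show()))
```

The port-mapping entry is the only way unsolicited traffic from the outside reaches 192.168.1.3, which is why it deserves the same scrutiny as an inbound ACL entry: anything else arriving at 100.1.1.1 without a matching translation has nowhere to go.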