
Concept introduction: POE power switch, tcpip model, OSI seven-layer model, routing protocol, gateway, access list (to be sorted out)

2025-02-24 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/01 Report--

PoE powered switch

A PoE switch is a switch that can supply power to a remote powered terminal over the network cable, combining the two functions of a network switch and a PoE power source. It is a common power-sourcing device in a PoE system. A port that supports an output power of up to 15.4W conforms to the IEEE 802.3af standard, and a port that supports an output power of up to 30W conforms to the IEEE 802.3at standard. It powers standard PoE terminal equipment through the network cable, eliminating additional power wiring. The port output power of a PoE switch that conforms to the IEEE802.3aT standard can reach 15-60W.

The working process of PoE power supply

When PoE power-sourcing devices are deployed in a network, Power over Ethernet proceeds as follows.

Detection: first, the PoE device outputs a small voltage on the port until it detects that a powered device supporting the IEEE 802.3af standard is connected at the end of the cable.

PD classification: once the powered device (PD) is detected, the PoE device may classify it and estimate the power this PD will draw.

Start-up: during a start-up period of configurable length (usually less than 15 μs), the PSE begins supplying power to the PD from a low voltage, ramping up until 48V DC is supplied.

Power supply: a stable and reliable 48V DC supply is provided to the PD, meeting a PD power consumption of no more than 15.4W.

Power-off: if the PD is disconnected from the network, the PSE quickly (usually within 300~400ms) stops supplying power to it and repeats the detection process to check whether a PD is connected at the end of the cable.

A complete PoE system has two parts: the power sourcing equipment (PSE) and the powered device (PD). The PSE is the device that powers Ethernet client devices and is also the manager of the whole Power over Ethernet process. The PD is the load that receives power from the PSE, that is, the client of the PoE system.

OSI

OSI (Open System Interconnection), the Open Systems Interconnection reference model, logically divides network protocols into seven layers. Each layer has corresponding physical devices; for example, conventional routers are layer-3 devices and conventional switches are layer-2 devices.

The OSI seven-layer model is a framework design method. The main purpose of establishing the seven-layer model is to solve the compatibility problems encountered in the interconnection of heterogeneous networks, and its main function is to help different types of hosts to achieve data transmission. Its greatest advantage is that it clearly distinguishes the three concepts of service, interface and protocol, and enables reliable communication between different systems and different networks through seven hierarchical structural models.


Advantages of the model

The main purpose of establishing the seven-layer model is to solve the compatibility problems encountered in interconnecting heterogeneous networks. Its greatest advantage is that it clearly distinguishes the three concepts of service, interface and protocol: the service describes what functions a layer provides to the layer above it, the interface describes how the upper layer uses the services of the lower layer, and the protocol concerns how the services of this layer are implemented. In this way the layers are strongly independent: there is no restriction on which protocol each entity in the interconnected network uses, as long as the same service is provided upward and the interface to the adjacent layer is not changed. Dividing the network into seven layers also lets different functional modules (levels) of the network take on different responsibilities, which brings the following benefits:

● Reduces the complexity of the problem. Once a network failure occurs, the faulty layer can be located quickly, making it easy to find and correct errors.

● Defines standard interfaces at each layer, so that different network devices with the same peer layer can interoperate, and each layer is relatively independent. A high-level protocol can run on a variety of lower-layer protocols.

● Effectively stimulates network technology innovation, because each update can be carried out in a small area without major surgery on the whole network.

Physical layer

Physical Layer: the lowest, or first, layer of the OSI reference model. This layer includes the physical networking media, such as cable connectors. Physical-layer protocols generate and detect voltages in order to send and receive the signals that carry data. Inserting a network interface card into a PC establishes the foundation of computer networking. Although the physical layer provides no error-correction service, it can set the data transmission rate and monitor the data error rate.

In order to transmit information, users must use some physical medium, such as twisted pair or coaxial cable, but the specific physical medium is not within the seven layers of OSI; some people regard the physical medium as layer 0. The task of the physical layer is to provide a physical connection for the layer above it, together with its mechanical, electrical, functional and procedural characteristics, such as the type of cable and connector specified, the voltage used to transmit the signal, and so on. At this layer the data is not organized; it is treated only as a raw bit stream or electrical voltage, in bits.

Devices at the physical layer: network card, network cable, hub, repeater, modem.

Data link layer

Data Link Layer: the second layer of the OSI reference model, which controls communication between the network layer and the physical layer. Its main function is to transmit data reliably over unreliable physical lines. To ensure transmission, the data received from the network layer is divided into frames that the physical layer can transmit. A frame is a structured packet used to move data; it includes not only the original data but also the physical addresses of the sender and receiver, as well as error detection and control information. The addresses determine where the frame will be sent, while the error detection and control information ensures that the frame arrives error-free. If the receiver detects an error in the transmitted data, it notifies the sender to resend the frame.

The function of the data link layer is independent of the network, its nodes and the type of physical layer used, and it does not care whether Word, Excel, or an Internet browser is running. Some connecting devices, such as switches, work at the data link layer because they decode the frame and use the frame information to send data to the correct receiver.

On the basis of the bit-stream service provided by the physical layer, the data link layer establishes the data link between adjacent nodes, provides error-free transmission of data frames over the channel through error control, and performs the necessary sequence of operations on each circuit.

The data link layer provides reliable transmission over unreliable physical media. The functions of this layer include physical addressing, data framing, flow control, data error detection, retransmission and so on.

Representative data link layer protocols include SDLC, HDLC, PPP, STP, Frame Relay and so on.

Devices at the data link layer: bridge, switch.

Network layer

Network Layer: layer 3 of the OSI reference model. Its main function is to translate network addresses into the corresponding physical addresses and to decide how to route data from the sender to the receiver.

The network layer determines the best path from node A in one network to node B in another by weighing transmission priority, network congestion, quality of service and the cost of the candidate routes. Because the network layer processes and intelligently guides data transmission, and a router connects the segments of the network, the router belongs to the network layer. In a network, "routing" guides the transmission of data based on addressing schemes, usage patterns, and reachability.

The network layer is responsible for establishing the routes used between the source and destination machines. This layer itself has no error detection and correction mechanism, so the network layer must rely on the reliable end-to-end transmission service provided by the data link layer (DLL).

The network layer is used to establish communication between computer systems on the local LAN segment. It can do so because it has its own routing address structure, which is separate and independent from the layer 2 machine address. Such a protocol is called a routed or routable protocol. Routable protocols include IP, Novell's IPX and AppleTalk. A routing protocol is the protocol used to determine the final path, such as RIP, OSPF, IS-IS or BGP.

The network layer is optional and is needed only when two computer systems are on different network segments separated by routers, or when a communicating application requires services, features, or capabilities provided by a network layer or transport layer. For example, when two hosts are directly connected to the same LAN segment, communication between them can simply use the LAN's communication mechanism (that is, the first and second layers of the OSI reference model).

Devices at the network layer: router.

Transport layer

Transport Layer: layer 4 of the OSI reference model. Transport protocols perform flow control, or specify an appropriate transmission rate based on the speed at which the receiver can accept data. In addition, the transport layer splits longer packets according to the maximum size the network can handle. For example, Ethernet cannot carry packets larger than 1500 bytes. The transport layer of the sending node divides the data into smaller pieces and assigns a sequence number to each piece, so that when the data reaches the transport layer of the receiving node it can be reassembled in the correct order.

One service that works at the transport layer is TCP (Transmission Control Protocol) in the TCP/IP protocol suite; another is SPX (Sequenced Packet Exchange) in the IPX/SPX protocol suite.

Gateways work at layer 4 and above.

Session layer

Session Layer: layer 5 of the OSI reference model. It is responsible for establishing, maintaining and terminating communication between two nodes in the network. The functions of the session layer include establishing a communication link, keeping the link open during the session, synchronizing the dialogue between the two nodes, determining whether communication has been interrupted, and deciding where to resume sending when it has.

You may often hear people refer to the session layer as the "traffic police" of network communication. When you dial up to your ISP (Internet service provider) to request a connection to the Internet, the session layer on the ISP server negotiates the connection with the session layer on your PC client. If your phone line accidentally comes out of the wall jack, the session layer on your end detects the disconnection and restarts the connection. The session layer sets the communication period by determining the priority of node communication and the length of communication time.

Presentation layer

Presentation Layer: the sixth layer of the OSI reference model, the translator between the application and the network. At the presentation layer, data is formatted according to a scheme the network can understand; this format also varies with the type of network used.

The presentation layer manages data encryption and decryption, such as the handling of system passwords. For example, when you check your bank account on the Internet, you use a secure connection: your account data is encrypted before it is sent, and at the other end of the network the presentation layer decrypts the received data. In addition, presentation layer protocols encode and decode picture and file format information.

Application layer

Application Layer: the highest layer of the OSI reference model, the seventh layer. The application layer, also known as the application entity (AE), consists of several specific application service elements (SASE) and one or more common application service elements (CASE). Each SASE provides a specific application service, such as File Transfer, Access and Management (FTAM), Message Handling System (MHS), Virtual Terminal Protocol (VAP), etc. CASE provides a set of common application services, such as the Association Control Service Element (ACSE), the Reliable Transfer Service Element (RTSE) and the Remote Operations Service Element (ROSE). The layer is mainly responsible for providing interfaces to software so that programs can use network services. The term "application layer" does not refer to a particular application running on the network. The services provided by the application layer include file transfer, file management, and e-mail message handling.

Summary of the model (simplified version):

1. Physical layer: mainly defines physical equipment standards, such as the interface type of network cables, the interface type of optical fiber, the transmission rate of various transmission media, and so on. Its main function is to transmit the bit stream (that is, converting 1s and 0s into current levels for transmission and back into 1s and 0s on arrival, which is what we often call digital-to-analog and analog-to-digital conversion). The data at this layer is called bits.

2. Data link layer: defines how to format data for transmission and how to control access to the physical media. This layer usually also provides error detection and correction to ensure reliable data transmission. The transmission unit of the data link layer is the frame.

3. Network layer: provides connectivity and path selection between two host systems in geographically different networks. The growth of the Internet has greatly increased the number of users accessing information from sites around the world, and the network layer is the layer that manages these connections. The network layer groups the frames provided by the data link layer into packets, so the transmission unit of the network layer is the packet.

4. Transport layer: defines the protocols and port numbers for transmitting data (WWW port 80, etc.), such as TCP (Transmission Control Protocol: lower transmission efficiency, strong reliability, used for data that needs high reliability and is large in volume) and UDP (User Datagram Protocol: the opposite of TCP, used for data with low reliability requirements and small volume, such as QQ chat data). It mainly segments the data it receives for transmission and reassembles it when it reaches the destination address. Data at this layer is often called a segment. The transmission unit of the transport layer is the message.

5. Session layer: establishes a path for data transmission through the transport layer (port numbers: sending port and receiving port). It mainly initiates a session or accepts session requests between systems (the devices need to know each other, by IP, MAC or hostname).

6. Presentation layer: ensures that information sent by the application layer of one system can be read by the application layer of another system. For example, when a PC program communicates with another computer, one may use the Extended Binary Coded Decimal Interchange Code (EBCDIC) and the other the American Standard Code for Information Interchange (ASCII) to represent the same characters. If necessary, the presentation layer converts between multiple data formats by using a common format.

7. Application layer: the OSI layer closest to the user. It provides network services for users' applications, such as e-mail, file transfer, and terminal emulation.

TCP/IP protocol

The TCP/IP reference model is the reference model used by ARPANET, the ancestor of computer networks, and by its successor, the Internet. ARPANET was a research network sponsored by the U.S. Department of Defense (DoD). It gradually connected hundreds of universities and government departments through leased telephone lines. With the emergence of wireless networks and satellites, the existing protocols had problems interworking with them, so a new reference architecture was needed. After the emergence of its two main protocols, this architecture was called the TCP/IP reference model.

Four-layer protocol

TCP/IP is a group of communication protocols used to realize network interconnection. TCP/IP is the core of Internet network architecture. The reference model based on TCP/IP divides the protocol into four layers: network access layer, Internet layer, transport layer (host to host), and application layer.

1. Application layer

The application layer corresponds to the high level of the OSI reference model and provides users with various services they need, such as FTP, Telnet, DNS, SMTP and so on.

2. Transport layer

The transport layer corresponds to the transport layer of the OSI reference model. It provides end-to-end communication for application-layer entities, ensuring the sequential delivery of packets and the integrity of data. This layer defines two main protocols: the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).

TCP provides a reliable, connection-oriented data transmission service established by a "three-way handshake", while UDP provides an unreliable, connectionless data transmission service.

3. Internet layer

The Internet layer corresponds to the network layer of the OSI reference model and mainly solves the problem of host-to-host communication. It contains the protocols that define the logical transmission of packets across the whole network. Note that it assigns each host an IP address to accomplish host addressing, and it is also responsible for routing packets across the various networks. There are three main protocols in this layer: the Internet Protocol (IP), the Internet Group Management Protocol (IGMP) and the Internet Control Message Protocol (ICMP).

IP protocol is the most important protocol in the Internet layer. It provides a reliable and connectionless Datagram delivery service.

4. Network access layer (that is, host-network layer)

The network access layer corresponds to the physical layer and the data link layer of the OSI reference model. It monitors the exchange of data between the host and the network. In fact, TCP/IP itself does not define the protocols of this layer; each network participating in the interconnection uses its own physical layer and data link layer protocols and then connects to the network access layer of TCP/IP. The Address Resolution Protocol (ARP) works at this layer, corresponding to the data link layer of the OSI reference model.

What the models have in common

(1) Both the OSI reference model and the TCP/IP reference model adopt the concept of a layered structure.

(2) Both can provide connection-oriented and connectionless communication services.

Differences

(1) OSI adopts a seven-layer model, while TCP/IP has a four-layer structure.

(2) The network interface layer of the TCP/IP reference model has no real definition, only some conceptual description. The OSI reference model not only divides this into two layers, but also describes the functions of each layer in great detail, even dividing a media access sublayer within the data link layer to solve the problem of shared media in local area networks.

(3) The OSI model was designed before the protocols were developed and is universal. TCP/IP was a protocol set first and a model afterwards, and is not suitable for non-TCP/IP networks.

(4) The transport layers of the OSI reference model and the TCP/IP reference model are basically similar in function: both are responsible for providing true end-to-end communication services for users, and both shield the higher layers from the implementation details of the underlying network. The difference is that the transport layer of the TCP/IP reference model sits on the internet layer, which only provides a connectionless network service, so the connection-oriented function is implemented entirely in the TCP protocol; of course, the TCP/IP transport layer also provides a connectionless service, UDP. In contrast, the transport layer of the OSI reference model sits on the network layer, which provides both connection-oriented and connectionless services, but the transport layer itself only provides connection-oriented services.

(5) The OSI reference model has high abstraction and is suitable for describing all kinds of networks, while the TCP/IP model was developed only after the protocols existed.

(6) The concepts of the OSI reference model are clear but too complex, while the TCP/IP reference model does not clearly distinguish service, interface and protocol, and mixes functional description with implementation details.

(7) The network interface layer of the TCP/IP reference model is not a real layer; the disadvantage of the OSI reference model is that it has too many layers, some of which are of little significance and only add complexity.

(8) Although the OSI reference model was greeted with optimism, its technology was immature and hard to implement, and it missed the right moment. In contrast, although the TCP/IP reference model has many unsatisfactory aspects, it has still been relatively successful.

Routing protocol

Routers provide a mechanism for heterogeneous network interconnection to send packets from one network to another. Routing is the path information that guides the sending of IP packets. Routing protocols are the rules and standards agreed upon in advance in the process of routing guidance IP packets.

Principle

Routing protocols support routable protocols by sharing routing information between routers. Routing information is passed between neighboring routers to ensure that all routers know the path to other routers. In short, the routing protocol creates a routing table and describes the network topology; the routing protocol works with the router to perform routing and packet forwarding functions.

Action

Routing protocols mainly run on routers and are used to determine the path to a destination; they include RIP, IGRP (Cisco proprietary), EIGRP (Cisco proprietary), OSPF, IS-IS and BGP. They act like map navigation, responsible for finding the way, and work at the network layer.

Routing protocols are mainly protocols running on routers, which are mainly used for path selection.

Gateway

A gateway is also called an inter-network connector or protocol converter. The gateway implements network interconnection above the network layer and is the most complex network interconnection device; it is used only to interconnect networks with two different high-level protocols. Gateways can be used for both WAN interconnection and LAN interconnection. A gateway is a computer system or device that performs the important task of conversion. Used between two systems with different communication protocols, data formats or languages, or even completely different architectures, the gateway acts as a translator. Unlike a bridge, which simply conveys information, a gateway must repackage the received information to meet the needs of the destination system. It works at the application layer.

Routing (network engineering terminology)

Concept

1. Routing is the process by which a router receives a packet on one interface and, according to the packet's destination address, directs it and forwards it out another interface. Routing is usually compared to bridging, and to the careless observer they seem to accomplish the same thing. The main difference is that bridging occurs at layer 2 (the data link layer) of the OSI reference model, while routing occurs at layer 3 (the network layer). This difference means the two use different information when transmitting data, and so accomplish their tasks in different ways.

The topic of routing has long appeared in the computer world, but it was not until the mid-1980s that it achieved commercial success. The main reason is that the network in the 1970s was generally very simple, and it was only later that the large-scale network was more common.

2. Engineering terminology. Refers to the condition of the road, including road width, depth, direction and other information.

Principle algorithm

Routing consists of two basic actions:

1. Determine the best path

2. Transmit information through the network

In the process of routing, the latter is also called (data) switching. Switching is relatively simple, while path selection is complex.

Path selection

A metric is a measure used by routing algorithms to determine the best path to a destination, such as path length. To assist routing, the routing algorithm initializes and maintains a routing table containing path information, which varies according to the routing algorithm used.

The routing algorithm populates the routing table based on a lot of information. The destination / next-hop address pair tells the router that the best way to reach this destination is to send a packet to the router that represents the "next hop". When the router receives a packet, it checks its destination address and tries to associate this address with its "next hop". The following table is an example of a destination / next-hop routing table.

The routing table can also include other information. The routing table compares metrics to determine the best path, depending on the routing algorithm used. Routers communicate with each other and maintain their routing tables by exchanging routing information. A routing update usually contains all or part of the routing table. By analyzing the routing updates from other routers, a router can build a map of the network topology. Another message sent between routers is the link-state advertisement, which tells other routers the state of the sender's links; this link information is used to build a complete topology map so that the router can determine the best path.

Switching algorithm

The switching algorithm is relatively simple and is the same for most routing protocols. In most cases a host decides to send data to another host. After obtaining the router's address in some way, the source host sends a packet to the physical (MAC) address of the router while the protocol address is that of the destination host.

After examining the destination protocol address of the packet, the router determines whether it knows how to forward the packet and usually discards it if it does not. If the router knows how to forward it, it changes the destination physical address to that of the next hop and sends it on. The next hop may be the final destination host; if not, it is usually another router, which performs the same steps. As a packet flows through the network its physical address changes, but its protocol address remains the same.

ISO defines the terms used to describe this process. In this terminology, a network device that cannot forward packets is called an end system (ES) and one that can is called an intermediate system (IS). An IS is further divided into an intradomain IS, which can communicate within a routing domain, and an interdomain IS, which can communicate both within a routing domain and between domains. A routing domain is generally considered to be a part of the network under unified management that obeys a specific set of management rules, also known as an autonomous system. In some protocols, intradomain routing protocols can still be used to exchange data both within and between domains.
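The destination/next-hop lookup and the switching step described above, as an added example (not code from the original article): a small Python router with a constructed routing table that picks the most specific matching route, rewrites only the physical (MAC) addresses while leaving the protocol (IP) addresses unchanged, and discards packets for which it has no route. The addresses, routes and neighbor table are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

ROUTER_MAC = "00:00:5e:00:53:01"   # constructed physical address of this router

# Destination / next-hop pairs (constructed). No default route, so an unknown
# destination is discarded, as the text describes.
ROUTES: List[Tuple[str, str]] = [
    ("10.1.0.0/16", "10.0.0.2"),
    ("10.1.5.0/24", "10.0.0.3"),   # more specific than 10.1.0.0/16, so it wins for 10.1.5.x
]

# Protocol (IP) address of each next hop -> its physical (MAC) address (constructed).
NEIGHBORS: Dict[str, str] = {
    "10.0.0.1": "00:00:5e:00:53:a1",
    "10.0.0.2": "00:00:5e:00:53:a2",
    "10.0.0.3": "00:00:5e:00:53:a3",
}


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


def lookup_next_hop(dst_ip: str, routes: List[Tuple[str, str]] = ROUTES) -> Optional[str]:
    """Path selection: return the next hop of the most specific (longest-prefix)
    route containing dst_ip, or None when the table has no matching route."""
    addr = ipaddress.ip_address(dst_ip)
    best_net, best_hop = None, None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


def forward(frame: Frame, routes: List[Tuple[str, str]] = ROUTES,
            neighbors: Dict[str, str] = NEIGHBORS) -> Optional[Frame]:
    """Switching: a frame addressed to this router's MAC is re-addressed to the
    next hop's MAC; the IP addresses are left untouched. Returns None when the
    packet is discarded (not for us, no route, or no known next-hop MAC)."""
    if frame.dst_mac != ROUTER_MAC:
        return None
    next_hop = lookup_next_hop(frame.dst_ip, routes)
    if next_hop is None or next_hop not in neighbors:
        return None
    return replace(frame, src_mac=ROUTER_MAC, dst_mac=neighbors[next_hop])


if __name__ == "__main__":
    f = Frame("00:00:5e:00:53:10", ROUTER_MAC, "10.0.0.10", "10.1.5.7")
    print(forward(f))                                  # re-addressed to 10.0.0.3's MAC
    print(forward(replace(f, dst_ip="192.0.2.1")))     # None: no route, discarded
```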

Access list

The lists maintained by routers and switches are used to control access to services entering and leaving the router or switch, for example blocking packets from a given IP address on a specific port of the router or switch.

An access list is essentially a series of conditions for classifying packets.

Classification

There are two basic types of access list: the standard access list and the extended access list. The main difference is that the former filters packets based on source address, while the latter filters packets based on destination address, source address, network protocol and their ports.

(1) format of standard IP access list

-the format of the standard IP access list is as follows:

-access-list [list number] [permit | deny] [source address]

-[address] [wildcard mask] [log]

-the keywords and parameters of the standard IP access list are explained below. First, there must be a hyphen "-" between the keywords access and list; second, the range of list number is between 0x99, which indicates that the access-list statement is a normal standard IP access list statement. Because for Cisco IOS, the number between 0x99 indicates that the access list is related to the IP protocol, the list number parameter has dual functions: (1) define the operation protocol of the access list; (2) notify IOS to treat the same list number parameter as the same entity when processing the access-list statement. As discussed later in this article, extended IP access lists are also characterized by list number (numbers ranging from 100 to 199). Therefore, when using an access list, you need to add the following important rule: when you need to create an access list, you need to select the appropriate list number parameter.

(2) Permitting or denying packets

In a standard IP access list, the permit statement lets packets that match the entry pass through the interface, while the deny statement filters out packets that match the entry on that interface. The source address is the IP address of a host; which hosts an entry actually covers is controlled by the wildcard mask that follows the address.

To better understand the role of IP addresses and wildcard masks, here is an example. Suppose your company has a branch office that uses the Class C network 192.46.28.0, and every branch office must reach the Internet through a router at headquarters. To permit the whole branch network, you use a wildcard mask of 0.0.0.255. The last octet of a Class C address identifies the host, so setting all of its wildcard bits to 1 ("don't care") makes the entry match every host on that network. The access-list statement in your standard IP access list is therefore:

access-list 1 permit 192.46.28.0 0.0.0.255

Note that the wildcard mask is the bitwise inverse of the subnet mask: a 0 bit in the wildcard means that bit of the packet's address must equal the corresponding bit of the listed address, and a 1 bit means the bit is ignored. So if you are more at home with subnet masks, first determine the subnet mask and then invert it to obtain the wildcard mask. This gives rule 5 of the access list rules.
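The mask arithmetic described above, as an added example that is not part of the original article: a few Python helpers that derive the subnet mask and the Cisco wildcard mask from a prefix length, render the branch-office entry from CIDR notation, and check whether an address matches an entry. It goes one step beyond the text by showing that wildcard bits need not be contiguous. The function names are my own; the addresses are the ones used in the article.

```python
# Added example (not from the original article): wildcard-mask arithmetic for
# Cisco standard IP access lists. Function names are illustrative; the
# addresses come from the article's branch-office example.
import ipaddress


def subnet_mask(prefix_len: int) -> str:
    """Dotted subnet mask for a /prefix_len network, e.g. 24 -> 255.255.255.0."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask))


def wildcard_mask(prefix_len: int) -> str:
    """Cisco wildcard mask: the bitwise inverse of the subnet mask (1 = don't care)."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under wildcard: every bit that is 0 in the
    wildcard must be equal in addr and base; bits that are 1 are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0


def addresses_covered(wildcard: str) -> int:
    """Number of addresses one entry covers: 2 ** (number of 1 bits in the wildcard)."""
    return 1 << bin(int(ipaddress.IPv4Address(wildcard))).count("1")


def standard_acl_entry(list_number: int, action: str, network: str) -> str:
    """Render 'access-list N permit 192.46.28.0 0.0.0.255' from CIDR notation."""
    net = ipaddress.IPv4Network(network, strict=False)
    return f"access-list {list_number} {action} {net.network_address} {wildcard_mask(net.prefixlen)}"


if __name__ == "__main__":
    print(standard_acl_entry(1, "permit", "192.46.28.0/24"))
    print(wildcard_matches("192.46.28.77", "192.46.28.0", "0.0.0.255"))  # inside the /24
    print(wildcard_matches("192.46.27.7", "192.46.28.0", "0.0.0.255"))   # a different /24
    # Wildcard bits need not be contiguous: 0.0.1.255 covers two adjacent /24s.
    print(wildcard_matches("192.46.29.5", "192.46.28.0", "0.0.1.255"))
```

A non-contiguous wildcard such as 0.0.1.255 is legal on IOS and matches 192.46.28.0/24 and 192.46.29.0/24 with a single entry; it cannot be expressed as one CIDR prefix, which is why audits that convert access lists to prefixes should compute the match set rather than assume every wildcard inverts to a subnet mask.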

(3) Specifying an address

If you want to match one specific host, use a wildcard mask of 0.0.0.0. For example, to permit packets from IP address 192.46.27.7, you can use the following statement:

access-list 1 permit 192.46.27.7 0.0.0.0

In Cisco access lists you can also use the keyword "host" instead of the wildcard mask 0.0.0.0 to specify a single host. For example, to permit packets from IP address 192.46.27.7 you can write:

access-list 1 permit host 192.46.27.7

Besides "host", which stands for the wildcard mask 0.0.0.0, the keyword "any" can be used as an abbreviation for the source address 0.0.0.0 with wildcard mask 255.255.255.255, that is, any address at all. For example, to deny packets from the host with IP address 192.46.27.8 and permit everything else, you add the following statements to the access list:

access-list 1 deny host 192.46.27.8

access-list 1 permit any

Note the order of these two statements. The first filters out packets from source address 192.46.27.8, and the second permits packets from any other source address through the interface on which the access list is applied. If you reverse the order, the access list can no longer stop packets from 192.46.27.8, because an access list is evaluated from top to bottom and the first matching statement decides. That is, if the first statement is

access-list 1 permit any

then packets from every source address, 192.46.27.8 included, match it and pass through the interface.

(4) The implicit deny

By default an access list blocks every packet that is not explicitly permitted: there is an implicit "deny any" statement at the end of every access list. Take the standard IP access list created above; from the router's point of view its actual content is:

access-list 1 deny host 192.46.27.8

access-list 1 permit any

access-list 1 deny any

In this example the second statement explicitly permits every remaining packet, so the implicit deny is never reached, but that is not always the case. For instance, if you want only packets from the source addresses 192.46.27.8 and 192.46.27.12 to pass through the router's interface and all other packets to be blocked, the access list is simply:

access-list 1 permit host 192.46.27.8

access-list 1 permit host 192.46.27.12

No deny statement is needed, because every access list automatically ends with the implicit "deny any". The practical consequence is that an access list containing only deny statements, once applied to an interface, blocks all traffic on that interface.

Finally, a word about the "log" parameter of the standard IP access list. Once the access list is applied to an interface, statements that include the keyword "log" record the packets that match them, whether the statement's action is permit or deny. The first packet that matches such a statement generates a log message immediately; for subsequent matches the messages are either displayed on the console or kept in memory, depending on how logging is configured, which you choose with the Cisco IOS logging commands. Logging every match costs router CPU, so put "log" on a few targeted entries rather than on every statement of a busy list.

Extended IP access lists

An extended IP access list adds a great deal of functionality and flexibility to packet filtering. Besides filtering on source and destination addresses, it can filter on protocol, on source and destination ports, and on a number of further options that let you read and compare particular fields of the packet. The general format of the extended IP access list is:

access-list [list number] [permit | deny] [protocol | protocol keyword] [source address] [source wildcard mask] [source port] [destination address] [destination wildcard mask] [destination port] [log] [options]

As with the standard IP access list, the list number marks the type of access list: the numbers 100 to 199 identify 100 distinct extended IP access lists (later IOS releases also accept the expanded ranges 1300 to 1999 for standard and 2000 to 2699 for extended lists). The protocol keyword determines which protocol is filtered, for example ip, tcp, udp or icmp.

If we look back at how a packet is formed, we can see why the protocol affects filtering, and also why this can have side effects. Figure 2 shows how the packet is built. Application data is first prefixed at the transport layer with a TCP or UDP header, which adds the port numbers that identify the application. As the data travels down the protocol stack, the network layer then adds an IP header containing the address information.

Because TCP, UDP, the routing protocols and ICMP are all carried inside IP, the keyword ip is the most general protocol keyword in an access list statement: an entry written for ip matches packets of all of these protocols. In some applications that is not what you want, and you must filter on a specific protocol carried by IP instead.

Examples

To illustrate, consider the following two extended IP access list statements. Suppose we want to block TCP traffic from reaching the server with IP address 192.78.46.8 while letting traffic of every other protocol reach it. Does the following access list meet that requirement?

access-list 101 permit ip any host 192.78.46.8

access-list 101 deny tcp any host 192.78.46.8

The answer is no. The first statement permits all IP traffic, TCP included, to the specified host, so every packet for the server matches it and the second statement is never reached. Reversing the order of the two statements achieves the goal: TCP packets to 192.78.46.8 then match the deny first, and packets of other protocols fall through to the permit.
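As an added example that is not part of the original article, the following Python evaluator models the behaviour described for the standard lists in sections (2) to (4) and for the extended list just above: top-down evaluation, first matching entry wins, the implicit "deny any" at the end, the "log" keyword, and the list-number ranges 1 to 99 (source address only) and 100 to 199 (protocol, source, destination, optional "eq port"). The parser is my own and covers only that subset of IOS syntax; the addresses are the article's and the packets fed to it are constructed sample input.

```python
# Added example (not from the original article): a first-match evaluator for
# Cisco numbered IP access lists. The parser is an assumption that covers only
# host/any/wildcard address specs, the keywords ip/tcp/udp/icmp, "eq <port>"
# and "log"; real IOS accepts much more. Packets are constructed sample input.
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = (0, 0xFFFFFFFF)   # address 0.0.0.0 with wildcard 255.255.255.255


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens: list) -> tuple:
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(tok), _ip(tokens.pop(0))


def _parse_port(tokens: list) -> Optional[int]:
    """Consume an optional 'eq <port>' qualifier."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


@dataclass
class Entry:
    action: str
    src: tuple
    proto: str = "ip"
    dst: tuple = ANY
    sport: Optional[int] = None
    dport: Optional[int] = None
    log: bool = False


@dataclass
class Packet:
    src: str
    dst: str = "0.0.0.0"
    proto: str = "ip"
    sport: int = 0
    dport: int = 0


def parse_acl(lines: list) -> tuple:
    """Parse 'access-list N ...' statements that share one list number N.
    Returns (N, entries) in the order written, which is the evaluation order."""
    number, entries = None, []
    for line in lines:
        t = line.lower().split()
        if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError(f"not a valid access-list statement: {line}")
        n = int(t[1])
        if number is not None and n != number:
            raise ValueError("different list numbers are different lists")
        number, rest = n, t[3:]
        if 1 <= n <= 99:                      # standard: source address only
            e = Entry(t[2], _parse_addr(rest))
        elif 100 <= n <= 199:                 # extended: proto src [eq p] dst [eq p]
            proto = rest.pop(0)
            src, sport = _parse_addr(rest), _parse_port(rest)
            dst, dport = _parse_addr(rest), _parse_port(rest)
            e = Entry(t[2], src, proto, dst, sport, dport)
        else:
            raise ValueError(f"list number {n} is not a numbered IP access list")
        e.log = "log" in rest                 # trailing options may include 'log'
        entries.append(e)
    return number, entries


def _addr_match(addr: int, spec: tuple) -> bool:
    base, wildcard = spec                     # 1 bits in the wildcard are ignored
    return (addr ^ base) & ~wildcard & 0xFFFFFFFF == 0


def _entry_match(e: Entry, p: Packet) -> bool:
    return (_addr_match(_ip(p.src), e.src)
            and e.proto in ("ip", p.proto)    # 'ip' covers every IP-carried protocol
            and _addr_match(_ip(p.dst), e.dst)
            and (e.sport is None or e.sport == p.sport)
            and (e.dport is None or e.dport == p.dport))


def evaluate(entries: list, p: Packet, logbook: Optional[list] = None) -> str:
    """Return 'permit' or 'deny' for p: the first matching entry decides."""
    for i, e in enumerate(entries):
        if _entry_match(e, p):
            if e.log and logbook is not None:
                logbook.append(f"entry {i + 1} {e.action} {p.proto} {p.src} -> {p.dst}")
            return e.action
    return "deny"                             # the implicit "deny any" at the end
```

Feeding the article's list 101 in the order written, evaluate returns "permit" for a TCP packet to 192.78.46.8 because the ip entry matches first; with the two statements swapped it returns "deny" for TCP and "permit" for UDP to the same host, and "deny" for any packet to a host the list never mentions, which is the implicit deny at work. The same evaluator run over list 1 shows why "permit any" must come after "deny host 192.46.27.8".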
