How do I choose inbound or outbound when applying an ACL on a switch?

We know that after a simple ACL (Access Control List) is configured, it is usually applied on a physical interface or on a vlanif virtual interface, but we often do not understand when to use inbound and when to use outbound. The following is my own simple understanding.


1: Applying the ACL on a physical interface

[CORE1]acl 3001
[CORE1-acl-adv-3001]rule deny ip source 192.168.10.253 0 destination 192.168.10.252 0
[CORE1-acl-adv-3001]quit

[CORE1]interface GigabitEthernet 0/0/2
[CORE1-GigabitEthernet0/0/2]display  this 
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
 traffic-filter outbound acl 3000
#
[CORE1-GigabitEthernet0/0/2]traffic-filter inbound acl 3001
[CORE1-GigabitEthernet0/0/2]

We always need to analyze the source address and the destination address together. First look at the ACL: the source address is in the 192.168.10.0 segment. If the ACL is applied on the G0/0/2 interface, the direction is inbound, because the source address belongs to the terminal attached to that interface, and my terminal's data has to enter the switch through that interface to reach other ports.

What about the outbound direction? What if I want to apply the ACL under G0/0/3?

Now we keep the same policy and apply it in the outbound direction under G0/0/3. This works as well.

Why is this so?

Summary

Although we changed the port and changed inbound to outbound, the policy itself did not change. This is the root cause: to judge whether traffic is in the inbound or outbound direction, we always look at the source address and the destination address together.

The ACL is like this:
 rule 5 deny ip source 192.168.10.253 0 destination 192.168.10.252 0 

Under G0/0/2, the terminal on port 2 is the source address, so my terminal's data is filtered as it enters through interface 2; that is inbound.

Under G0/0/3 I changed to the outbound direction, but the rule is still the same source address accessing the same destination; that is, the source or destination address is only filtered when the traffic goes out toward the destination. In effect it is still the same as the inbound case.

Only when 10.253 accesses 10.252: port G2 is where the data enters, while port G3 is where it leaves, so on G3 use outbound.


Two: Applying the ACL on a vlanif


Applying the ACL on a vlanif is actually the same as applying it on a physical port, when different VLANs are isolated from each other.

To give a simple example, there are two VLANs, 10 and 20, with addresses 10.1 and 20.1 respectively.

The rule is: rule deny ip sou 10.1 dest 20.1

Applying it under vlanif 10 is inbound.

Conversely, if we want to achieve the same purpose with the rule unchanged, we apply it outbound under vlanif 20.

You see, it is again a combination of source and destination.

Applied under vlanif 10, the source address 10.1 is on that VLAN, so it is inbound.

Applied under vlanif 20, the source address is still 10.1, so it is outbound (because the source is 10.1 and the destination 20.1 is on the vlan20 side, the traffic is considered to be leaving in the outbound direction).

Conclusion

With the following rules, we still judge by the source address and the destination address.

One: When the source and destination addresses of the traffic are in the same network segment, and the ACL contains only a source or only a destination, as follows:

rule 5 deny ip source 192.168.10.0 0.0.0.255 

rule 10 deny ip destination 192.168.10.0 0.0.0.255

In this case, no matter which interface or vlanif the ACL is applied on, both inbound and outbound can implement the access control.

Two: When the source and destination are in different network segments, and the ACL contains only a source or only a destination, for example:

 rule 5 deny ip source 192.168.10.0 0.0.0.255

//If applied under the VLAN or interface to which the 10 network segment belongs, then it is inbound

//If applied on another network segment, it is outbound
 rule 10 deny ip destination 192.168.20.0 0.0.0.255

//If applied under the VLAN or interface to which the 20 network segment belongs, then it is outbound

//If applied on any other network segment, it is inbound

Three: For an ACL rule containing both a source address and a destination address, we judge the direction in which to apply it by whether the matched traffic enters or leaves that interface.
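As an added example (not code from the original post), the following Python helper applies the reasoning of sections One and Two and of the three conclusion rules above: it parses a Huawei-style rule line into source and destination networks, and, given what sits behind an interface (a single host for an access port, the whole subnet for a vlanif), reports whether the rule belongs inbound, outbound, or either. The names AclRule, parse_rule, choose_direction and the peer argument (used to place the missing endpoint of a source-only or destination-only rule) are my own assumptions, not switch commands; all addresses are the post's own examples.

```python
"""Decide the traffic-filter direction (inbound/outbound) for a Huawei-style ACL rule.

Added example: the model follows the blog's reasoning; none of this is switch code.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass
class AclRule:
    action: str                          # "deny" or "permit"
    source: Optional[IPv4Network]        # None means "any"
    destination: Optional[IPv4Network]   # None means "any"


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """Convert 'address wildcard' notation to a network.

    In a wildcard a 0 bit must match and a 1 bit is don't-care; the CLI
    shorthand '0' means 0.0.0.0 (exact host). Only contiguous wildcards map
    to a prefix length, so anything else is rejected.
    """
    if wildcard == "0":
        wildcard = "0.0.0.0"
    bits = int(ip_address(wildcard))
    if (bits + 1) & bits:                # bits+1 is a power of two iff contiguous
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefix = 32 - bits.bit_length()
    return ip_network(f"{addr}/{prefix}", strict=False)


def parse_rule(text: str) -> AclRule:
    """Parse 'rule [N] deny|permit ip [source A W|any] [destination A W|any]'.

    Unique keyword prefixes such as 'sou' and 'dest' (as used in the post)
    are accepted the way the VRP CLI accepts them (assumption).
    """
    tokens = text.split()
    if not tokens or tokens[0] != "rule":
        raise ValueError("expected a line starting with 'rule'")
    i = 2 if tokens[1].isdigit() else 1  # optional rule number
    action = tokens[i]
    if action not in ("deny", "permit"):
        raise ValueError(f"unknown action {action}")
    if tokens[i + 1] != "ip":
        raise ValueError("only 'ip' rules are modelled here")
    i += 2
    source = destination = None
    while i < len(tokens):
        key = tokens[i]
        if tokens[i + 1] == "any":
            net, i = None, i + 2
        else:
            net, i = wildcard_to_network(tokens[i + 1], tokens[i + 2]), i + 3
        if "source".startswith(key):
            source = net
        elif "destination".startswith(key):
            destination = net
        else:
            raise ValueError(f"unexpected keyword {key}")
    return AclRule(action, source, destination)


def choose_direction(rule: AclRule, attached: str, peer: Optional[str] = None) -> str:
    """Pick the direction in which to apply `rule` on one interface.

    `attached` (CIDR) is what lives behind the interface: a /32 for an access
    port with one terminal, the VLAN subnet for a vlanif. For a one-sided rule
    the missing endpoint is taken from `peer`, the segment the traffic talks
    to. Returns 'inbound' (traffic originates behind this interface),
    'outbound' (it terminates there), 'either' (both endpoints are behind it,
    the post's case One) or 'none' (it neither starts nor ends here).
    """
    attached_net = ip_network(attached, strict=False)
    peer_net = ip_network(peer, strict=False) if peer is not None else None
    src = rule.source if rule.source is not None else peer_net
    dst = rule.destination if rule.destination is not None else peer_net
    if src is None or dst is None:
        raise ValueError("one-sided rule: pass the other endpoint's segment as peer")
    src_here = src.overlaps(attached_net)
    dst_here = dst.overlaps(attached_net)
    if src_here and dst_here:
        return "either"
    if src_here:
        return "inbound"
    if dst_here:
        return "outbound"
    return "none"


if __name__ == "__main__":
    # Section One: access ports G0/0/2 (10.253) and G0/0/3 (10.252)
    r = parse_rule("rule 5 deny ip source 192.168.10.253 0 destination 192.168.10.252 0")
    print("G0/0/2:", choose_direction(r, "192.168.10.253/32"))   # inbound
    print("G0/0/3:", choose_direction(r, "192.168.10.252/32"))   # outbound
    # Section Two: the same rule shape on vlanif 10 and vlanif 20
    v = parse_rule("rule deny ip sou 192.168.10.1 0 dest 192.168.20.1 0")
    print("vlanif10:", choose_direction(v, "192.168.10.0/24"))   # inbound
    print("vlanif20:", choose_direction(v, "192.168.20.0/24"))   # outbound
    # Conclusion rule One: source-only rule, both hosts in the 10 segment
    s = parse_rule("rule 5 deny ip source 192.168.10.0 0.0.0.255")
    print("same segment:", choose_direction(s, "192.168.10.0/24", peer="192.168.10.0/24"))  # either
```

The peer argument is what turns the post's rules One and Two into a single check: a source-only rule applied where both talking hosts live gives "either", while the same rule applied on the 10 segment with the other host on the 20 segment gives "inbound", and applied on the 20 segment gives "outbound", exactly as the comments under rule Two state.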



Source: blog.csdn.net/NeverGUM/article/details/105400087