ACL (access control list): a list of filtering rules used on routers, packet-filtering firewalls and Layer 3 switches to control which traffic is allowed through.
I. ACL classification
1. Standard access control list
(1) Filters on the source IP address only.
(2) Uses list numbers 1 to 99.
2. Extended access control list
(1) Filters on source IP, destination IP, the specified protocol, port, and flag bits.
(2) Uses list numbers 100 to 199.
3. Named ACL (available in both standard and extended form)
(1) A name is used in place of the list number, for both standard and extended lists.
II. Filter parameters
1. ACLs filter at Layer 3 (by IP address) and Layer 4 (by port and protocol).
2. Application firewalls filter at Layer 7.
III. Role of an ACL
1. An ACL filters packets according to user-defined rules.
IV. Whitelist and blacklist
Matching flowchart:
Matching rules: entries are checked top-down, one by one; the first matching entry decides, and a packet that matches no entry is dropped by the implicit deny all at the end of every list.
V. Configuration
1. Standard access control list configuration
(1) Create an ACL
access-list access-list-number {permit | deny} source [source-wildcard]
access-list 1 deny any: denies all traffic
access-list-number: list number (1-99)
source [source-wildcard]: source IP plus its wildcard mask (the inverted subnet mask)
(2) Delete the ACL
no access-list access-list-number
(3) Apply the ACL to an interface
ip access-group access-list-number { in | out }
(4) Remove the ACL from the interface
no ip access-group access-list-number { in | out }
TIP: apply a standard ACL on the interface closest to the end being restricted (the destination), since it only matches on the source address.
2. Extended access control list configuration
(1) Create an ACL
access-list access-list-number {permit | deny} protocol source source-wildcard destination destination-wildcard [operator operand]
protocol: protocol name (TCP, UDP, ICMP, ...)
source source-wildcard destination destination-wildcard: source IP with its wildcard (inverted) mask, and destination IP with its wildcard mask
operator operand: comparison operator (e.g. eq) followed by a port number or service name (80 / www)
(2) Delete the ACL
no access-list access-list-number
(3) Apply the ACL to an interface
ip access-group access-list-number { in | out }
(4) Remove the ACL from the interface
no ip access-group access-list-number { in | out }
TIP: the protocol keyword ip covers all IP protocols
any any: any source IP, any destination IP
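The matching rules from section IV and the standard/extended command syntax from section V, worked through in code. This is an added example, not part of the original notes and not vendor code: a small Python simulator that parses "access-list ..." lines (a subset of IOS syntax is assumed: any, host A, A wildcard, the port operators eq/neq/lt/gt/range, and a handful of service-name keywords) and evaluates packets top-down with first-match semantics and the implicit deny at the end. The two sample lists (1 and 101) and the addresses are constructed for the example.

```python
# Added example (not from the original notes): simulator for Cisco-style numbered ACLs.
# Matching: top-down, first matching entry decides, implicit deny when nothing matches.
# Assumed IOS subset: any | host A | A WILDCARD, operators eq/neq/lt/gt/range, few service names.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF
SERVICE_PORTS = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}  # assumed subset
OPERATORS = {"eq", "neq", "lt", "gt", "range"}
PortOp = Tuple[str, List[int]]   # (operator, port list)


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def parse_port(tok: str) -> int:
    return SERVICE_PORTS[tok] if tok in SERVICE_PORTS else int(tok)


@dataclass
class Rule:
    action: str          # "permit" or "deny"
    protocol: str        # "ip" matches every protocol
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    src_op: Optional[PortOp] = None
    dst_op: Optional[PortOp] = None


def addr_match(addr: int, rule_addr: int, wildcard: int) -> bool:
    # Wildcard (inverted) mask: a 1 bit means "don't care", only the 0 bits must be equal.
    return ((addr ^ rule_addr) & ~wildcard & ALL_ONES) == 0


def port_match(port: Optional[int], op: Optional[PortOp]) -> bool:
    if op is None:
        return True        # rule has no port condition
    if port is None:
        return False       # rule needs a port but the packet carries none
    name, vals = op
    if name == "eq":
        return port in vals
    if name == "neq":
        return port not in vals
    if name == "lt":
        return port < vals[0]
    if name == "gt":
        return port > vals[0]
    return vals[0] <= port <= vals[1]   # range LOW HIGH


def parse_addr(t: List[str], i: int, wildcard_required: bool = True) -> Tuple[int, int, int]:
    """Consume 'any' | 'host A' | 'A W' at t[i]; return (addr, wildcard, next index)."""
    if t[i] == "any":
        return 0, ALL_ONES, i + 1
    if t[i] == "host":
        return ip_to_int(t[i + 1]), 0, i + 2
    if wildcard_required or i + 1 < len(t):
        return ip_to_int(t[i]), ip_to_int(t[i + 1]), i + 2
    return ip_to_int(t[i]), 0, i + 1   # standard list with wildcard omitted = single host


def parse_op(t: List[str], i: int) -> Tuple[Optional[PortOp], int]:
    """Optional port operator at t[i]: eq/neq/lt/gt PORT, or range LOW HIGH."""
    if i < len(t) and t[i] in OPERATORS:
        if t[i] == "range":
            return (t[i], [parse_port(t[i + 1]), parse_port(t[i + 2])]), i + 3
        return (t[i], [parse_port(t[i + 1])]), i + 2
    return None, i


def parse_acl_line(line: str) -> Tuple[int, Rule]:
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("expected: access-list N permit|deny ...")
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99:   # standard: only the source is examined, destination is "any"
        src, wild, _ = parse_addr(t, 3, wildcard_required=False)
        return number, Rule(action, "ip", src, wild, 0, ALL_ONES)
    if 100 <= number <= 199:   # extended: protocol, source, destination, optional ports
        src, sw, i = parse_addr(t, 4)
        sop, i = parse_op(t, i)
        dst, dw, i = parse_addr(t, i)
        dop, _ = parse_op(t, i)
        return number, Rule(action, t[3], src, sw, dst, dw, sop, dop)
    raise ValueError("only numbered lists 1-99 and 100-199 are handled here")


class ACL:
    def __init__(self, lines: List[str]):
        parsed = [parse_acl_line(line) for line in lines]
        numbers = {n for n, _ in parsed}
        if len(numbers) != 1:
            raise ValueError("all lines must belong to one list number")
        self.number = numbers.pop()
        self.rules = [r for _, r in parsed]

    def evaluate(self, src: str, dst: str, protocol: str = "ip",
                 src_port: Optional[int] = None, dst_port: Optional[int] = None):
        """Return (action, index of the deciding rule); ("deny", None) means implicit deny."""
        s, d = ip_to_int(src), ip_to_int(dst)
        for idx, r in enumerate(self.rules):
            if r.protocol != "ip" and r.protocol != protocol:
                continue
            if not (addr_match(s, r.src, r.src_wild) and addr_match(d, r.dst, r.dst_wild)):
                continue
            if not (port_match(src_port, r.src_op) and port_match(dst_port, r.dst_op)):
                continue
            return r.action, idx
        return "deny", None


# Constructed sample lists (documentation address ranges, not real networks).
STANDARD_ACL_1 = ["access-list 1 permit 192.168.1.0 0.0.0.255", "access-list 1 deny any"]
EXTENDED_ACL_101 = [
    "access-list 101 deny tcp host 192.168.1.50 any eq www",
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq www",
    "access-list 101 permit icmp any any",
]

if __name__ == "__main__":
    acl = ACL(EXTENDED_ACL_101)
    print(acl.evaluate("192.168.1.50", "203.0.113.10", "tcp", 40000, 80))   # deny by entry 0
    print(acl.evaluate("192.168.1.20", "203.0.113.10", "tcp", 40000, 443))  # implicit deny
```

Entry order matters: the host-specific deny in list 101 only works because it sits above the subnet-wide permit, and the HTTPS packet is dropped although no entry mentions it, which is the implicit deny all at work.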
Extension:
1. NAT (network address translation): translates private network addresses to public addresses.
2. A special form of NAT
PAT: multiple internal (private) addresses are translated to a single public address (port multiplexing).
Role: alleviates the exhaustion of IP address resources and improves the utilization of IP addresses.