The ACL configuration

Time:09-20

Configure the DHCP service
1. Global mode: ip dhcp pool <name> (define the address pool)
2. network 192.168.1.0 255.255.255.0 (range of dynamically assigned IP addresses)
3. default-router 192.168.1.254 (gateway address handed out dynamically)
4. dns-server 202.106.0.20 (DNS server address handed out dynamically)
5. Global mode: ip dhcp excluded-address 192.168.1.1 (reserve addresses that are assigned statically so the pool does not hand them out)

I. Overview of access control lists
1. Access control list (ACL):
Reads layer 3 and layer 4 header information
Filters packets according to predefined rules
2. How an access control list is processed
If the packet matches the first rule, no further rules are checked; the router permits or denies the packet according to that rule.
If it does not match the first rule, the remaining rules are checked in order until one of them matches.
If no rule matches at all, the router discards the packet according to the default rule (the implicit deny).
3. Types of access control list:
1) Standard access control list
Filters packets based on the source IP address only
List numbers 1 to 99
2) Extended access control list
Filters packets based on source IP address, destination IP address, the specified protocol, port, and so on
List numbers 100 to 199
II. Standard access control lists
1. Creating a standard access control list
Global mode: access-list 1 deny 192.168.1.1 0.0.0.0
Global mode: access-list 1 permit 192.168.1.0 0.0.0.255
Wildcard mask: also called the inverse mask, written as a string of binary 0s and 1s. A 1 bit means that bit of the address does not need to match; a 0 bit means that bit must match exactly.

Implicit deny statement (present at the end of every ACL):
access-list 1 deny 0.0.0.0 255.255.255.255
2. Applying the ACL to an interface
Interface mode: ip access-group <list-number> in | out

Note: access-list 1 deny 192.168.1.1 0.0.0.0 can also be written as
access-list 1 deny host 192.168.1.1
access-list 1 deny 0.0.0.0 255.255.255.255 can also be written as
access-list 1 deny any
3. Removing an existing access control list
Global mode: no access-list <list-number>
4. Removing the ACL from an interface
Interface mode: no ip access-group <list-number> in | out
5. Checking access control lists
Privileged mode: show access-lists

III. Extended access control lists
1. Filters packets based on source IP address, destination IP address, the specified protocol, port, and so on
2. Extended access control list numbers: 100 to 199
3. Port operators: eq is equal to, lt is less than, gt is greater than
4. Extended access control list examples:
Example 1: global mode: access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
(allow the 192.168.1.0 network to access all services on the 192.168.2.0 network)
Global mode: access-list 101 deny ip any any
(deny everything else)
Example 2: global mode: access-list 101 deny tcp 192.168.1.0 0.0.0.255 host 192.168.2.2 eq 80
(deny the 192.168.1.0 network segment access to TCP port 80 on 192.168.2.2)
Global mode: access-list 101 permit ip any any (allow all other traffic)

5. Removing an extended ACL
Global mode: no access-list <list-number>
Note: with numbered ACLs, extended or standard, a single ACL statement cannot be deleted; only the whole ACL can be removed.
6. Extended ACLs should be applied on the router closest to the source address.
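To make the matching rules concrete, here is a small Python evaluator (an added example, not from the original notes or from Cisco IOS) that applies the wildcard-mask semantics, top-down first-match processing and the implicit deny to access-list 1 and the Example 2 form of access-list 101 above; the packet dictionaries and the Ace/evaluate names are this example's own.

```python
import ipaddress
from dataclasses import dataclass

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'do not care', a 0 bit means
    that bit of the address must equal the same bit of the base."""
    w = int(ipaddress.IPv4Address(wildcard))
    mask = ~w & 0xFFFFFFFF                        # bits that must match
    a, b = (int(ipaddress.IPv4Address(x)) for x in (addr, base))
    return a & mask == b & mask

@dataclass
class Ace:                                        # one access-list entry; defaults mean "any any"
    action: str                                   # "permit" or "deny"
    proto: str = "ip"                             # "ip" matches tcp, udp, icmp, ...
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    port_op: str = ""                             # "eq" / "lt" / "gt" on the destination port
    port: int = 0

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        if not self.port_op:
            return True
        dport = pkt.get("dport")
        if dport is None:                         # no L4 port (e.g. icmp): eq/lt/gt cannot match
            return False
        return {"eq": dport == self.port, "lt": dport < self.port, "gt": dport > self.port}[self.port_op]

def evaluate(acl: list, pkt: dict) -> str:
    """Top-down first match decides; a packet matching no entry hits the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"

# Constructed from the notes above: standard access-list 1 and extended access-list 101 (Example 2)
ACL_1 = [Ace("deny", src="192.168.1.1", src_wc="0.0.0.0"),
         Ace("permit", src="192.168.1.0", src_wc="0.0.0.255")]
ACL_101 = [Ace("deny", proto="tcp", src="192.168.1.0", src_wc="0.0.0.255",
               dst="192.168.2.2", dst_wc="0.0.0.0", port_op="eq", port=80),
           Ace("permit")]                         # access-list 101 permit ip any any
```

Note that a packet from 192.168.2.x matches neither entry of access-list 1 and is dropped by the implicit deny, which is why a standard ACL with only deny statements blocks everything.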

I. NAT (network address translation)
1. Function: translates private internal IP addresses into globally unique public IP addresses, so that the internal network can connect to external networks such as the Internet.
2. Advantages:
Saves public (legal) IP addresses
Handles address overlap
Security
3. Disadvantages of NAT
Increased delay
Configuration and maintenance complexity
Some applications are not supported; this can be avoided with static NAT mappings
4. NAT implementations
1) Static translation
The IP address mapping is one-to-one and fixed. With static translation, particular servers on the internal network can be reached from the external network.
Static NAT configuration:
Configure interface IP addresses and routing
Global mode:
ip nat inside source static 192.168.1.1 61.159.62.131
Enable NAT on the inside and outside interfaces:
On the outside interface: ip nat outside
On the inside interface: ip nat inside
Port mapping:
ip nat inside source static tcp 192.168.1.6 80 61.159.62.133 80

2) Port multiplexing (PAT)
By rewriting the source IP address and source port of outgoing packets, all hosts on the internal network share one legal IP address for Internet access, saving IP addresses.
PAT configuration:
Global mode: ip nat inside source list 1 interface f0/1 overload

5. Differences between the two NAT implementations:
Static translation is a fixed one-to-one mapping; it saves no public IP addresses and only hides the real address of the host.
Port multiplexing lets all internal hosts share one legal external IP address, saving IP address resources to the greatest extent.
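The difference between the two implementations, as an added Python example that is not part of the original notes: a static one-to-one mapping beside a PAT table that rewrites source ports so that many inside hosts share one outside address, with the reverse lookup that return traffic needs. The class names and the outside address assigned to PAT are this example's own assumptions.

```python
import itertools

class Pat:
    """Port multiplexing: every inside host shares one outside address; the table
    maps (inside ip, inside port) to an outside port that PAT hands out, and
    back again for the return traffic."""
    def __init__(self, outside_ip: str, first_port: int = 1024):
        self.outside_ip = outside_ip
        self._ports = itertools.count(first_port)
        self.out_table = {}            # (inside_ip, inside_port) -> outside_port
        self.in_table = {}             # outside_port -> (inside_ip, inside_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite source ip and source port of a packet leaving the inside interface.
        Simplified: a real PAT table is also keyed on protocol and destination."""
        key = (src_ip, src_port)
        if key not in self.out_table:  # new flow: allocate the next free outside port
            oport = next(self._ports)
            self.out_table[key] = oport
            self.in_table[oport] = key
        return (self.outside_ip, self.out_table[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet arriving on the outside interface back to the inside host.
        Unsolicited packets have no table entry and are dropped (None)."""
        if dst_ip != self.outside_ip or dst_port not in self.in_table:
            return None
        in_ip, in_port = self.in_table[dst_port]
        return (src_ip, src_port, in_ip, in_port)

class StaticNat:
    """Static translation: fixed one-to-one mapping, so an inside server is
    reachable from outside at any time; ports are left unchanged."""
    def __init__(self, pairs):
        self.in2out = dict(pairs)
        self.out2in = {o: i for i, o in pairs}

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        # hosts without a static entry pass through untranslated in this simplified model
        return (self.in2out.get(src_ip, src_ip), src_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        if dst_ip not in self.out2in:
            return None
        return (src_ip, src_port, self.out2in[dst_ip], dst_port)

# Constructed: the notes' static mapping, and a PAT pool using the address seen in debug ip nat output
STATIC = StaticNat([("192.168.1.1", "61.159.62.131")])
PAT = Pat("61.159.62.130")
```

Two inside hosts using the same source port get different outside ports, which is exactly what lets them share one address; with static NAT the outside world can initiate connections to the server, with PAT it cannot.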
II. Viewing NAT translation entries
Privileged mode: show ip nat translations displays the translations currently in effect
III. Removing NAT translation entries
1. Privileged mode: clear ip nat translation * removes all NAT translation entries
Note: static NAT entries are not cleared
IV. Showing each translated packet
Privileged mode: debug ip nat
s is the source address
d is the destination address
s=192.168.1.2->61.159.62.130 means 192.168.1.2 was translated to 61.159.62.130