How to set up the access control mechanism of Lei Ke router

Source: Internet
Author: User
Tags: firewall

I believe every network administrator who sets up a router has to deal with access control. Today we use the Lei Ke router to introduce this topic, with the emphasis on context-based access control (CBAC).

Typically a router can only inspect packets at the network layer or the transport layer. CBAC can intelligently filter TCP and UDP traffic based on the application-layer session: for a connection that originates from the internal network, CBAC opens a temporary channel in the firewall access list, and it inspects the session in both directions, inbound and outbound.

1. The packet reaches the external interface of the firewall.

2. The packet is checked against the interface's outbound access list. If it is not permitted, it is discarded here and the following steps do not apply.

3. A packet permitted by the access list is inspected by CBAC, which determines and records the packet's connection state. This state is stored in a newly created state table entry, which provides a fast path for the following packets of the connection.

4. If CBAC has not been configured to inspect the application (Telnet in this example), the packet is simply sent out of the interface without further inspection.

5. Based on the state information obtained in step 3, CBAC inserts a temporarily created access list entry into the inbound access list of S0. This entry is defined to permit the inbound packets of this connection from the outside.

6. The next inbound packet from the outside arrives at S0 and belongs to the Telnet session established earlier. It is checked by the inbound access list on the S0 port and enters through the temporary channel created in step 5.

7. The permitted inbound packet is inspected by CBAC, and the connection state entry is updated as needed. Based on the updated state, the temporary channel in the inbound access list is also modified so that only packets valid for the current connection are allowed in.

8. All further inbound and outbound packets on S0 that belong to the current connection are inspected to update the state entry and to modify the temporary access list channel on demand, and they are allowed to pass through the S0 port.

9. When the current connection terminates or times out, the connection state entry is deleted, and the temporarily opened access list entry is deleted with it.

When configuring the interface, the outbound access list must permit all required applications, including those that are to be inspected by CBAC; the inbound access list must deny all applications that require CBAC inspection, because CBAC opens the temporary entries for their returning traffic itself.
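To make the nine steps concrete, here is a small simulation of the CBAC state table and temporary inbound entries. It is an added example, not vendor code from the Lei Ke router or from the original article; the port numbers, addresses and the one-hour idle timeout are constructed assumptions.

```python
from dataclasses import dataclass, field


# Constructed model of the CBAC flow: a packet is a 5-tuple seen on the
# external interface (S0), either leaving (outbound) or arriving (inbound).
@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class CbacFirewall:
    inspect_ports: set          # application ports configured for CBAC inspection (assumed)
    outbound_permit: set        # static outbound ACL on S0: permitted destination ports
    idle_timeout: float = 3600.0    # assumed idle timeout in seconds
    state: dict = field(default_factory=dict)   # connection key -> last-seen time

    def _key(self, pkt, reverse=False):
        if reverse:   # an inbound reply is matched against the outbound connection
            return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def _expire(self, now):
        # Step 9: a timed-out connection loses its state entry and, with it,
        # the temporary inbound access list entry.
        for k in [k for k, t in self.state.items() if now - t > self.idle_timeout]:
            del self.state[k]

    def outbound(self, pkt, now):
        # Steps 1-5: static outbound ACL first; an inspected application then
        # gets a state entry, which doubles as the temporary inbound entry.
        self._expire(now)
        if pkt.dport not in self.outbound_permit:
            return "deny"
        if pkt.dport in self.inspect_ports:     # step 4: uninspected apps get no entry
            self.state[self._key(pkt)] = now
        return "permit"

    def inbound(self, pkt, now):
        # Steps 6-8: the static inbound ACL denies everything; only a temporary
        # entry for a live inspected connection lets the reply through.
        self._expire(now)
        key = self._key(pkt, reverse=True)
        if key in self.state:
            self.state[key] = now    # refresh the entry while the session is active
            return "permit"
        return "deny"
```

An outbound Telnet session opens the return path, an unsolicited inbound packet is still dropped, and a permitted but uninspected application (HTTP here) gets no return channel, which is exactly why the text says the inbound list must deny what CBAC inspects.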
